Consolidate database schema into two files: init migrations table and complete schema

Since there is no existing installed base, we can consolidate all migrations into a single complete schema file plus the migrations table initialization. This simplifies the database setup for new installations.

BUGS.md

@@ -0,0 +1,180 @@
+# Bugs in µPaaS
+
+## 1. Potential Race Condition in Log Writing
+
+### Description
+In the deployment service, when a deployment fails, the `failDeployment` function calls `writeLogsToFile` which may be called concurrently with the async log writer's flush operations. This could lead to partial or corrupted log files.
+
+### Location
+`internal/service/deploy/deploy.go:1169` in `failDeployment` function
+
+### Proposed Fix
+1. Add synchronization to ensure only one log write operation occurs at a time
+2. Modify the `deploymentLogWriter` to track completion status and prevent concurrent writes
+3. Add a wait mechanism in `failDeployment` to ensure any ongoing flush operations complete before writing logs to file
+
+```go
+// Add a mutex to deploymentLogWriter
+type deploymentLogWriter struct {
+    // existing fields...
+    mu         sync.Mutex
+    writeMu    sync.Mutex  // Add this for file writing synchronization
+    done       chan struct{}
+    flushed    sync.WaitGroup
+}
+
+// In writeLogsToFile, ensure exclusive access
+func (svc *Service) writeLogsToFile(app *models.App, deployment *models.Deployment) {
+    svc.writeMu.Lock()  // Add this mutex to Service struct
+    defer svc.writeMu.Unlock()
+    // existing code...
+}
+```
+
+## 2. Incomplete Error Handling in Container Operations
+
+### Description
+In the Docker client's `performClone` function, if `createGitContainer` fails, the SSH key file created earlier is not cleaned up, causing a potential security risk.
+
+### Location
+`internal/docker/client.go:597` in `performClone` function
+
+### Proposed Fix
+Add proper cleanup using `defer` immediately after creating the SSH key file:
+
+```go
+// After writing SSH key file (line 578)
+keyFileCreated := false
+err = os.WriteFile(cfg.keyFile, []byte(cfg.sshPrivateKey), sshKeyPermissions)
+if err != nil {
+    return nil, fmt.Errorf("failed to write SSH key: %w", err)
+}
+keyFileCreated = true
+
+defer func() {
+    if keyFileCreated {
+        removeErr := os.Remove(cfg.keyFile)
+        if removeErr != nil {
+            c.log.Error("failed to remove SSH key file", "error", removeErr)
+        }
+    }
+}()
+```
+
+## 3. Missing Context Cancellation Check During Build
+
+### Description
+In the deployment service's `streamBuildOutput` function, long-running Docker build operations may not properly respond to context cancellation, causing deployments to hang even when cancelled.
+
+### Location
+`internal/docker/client.go:542` in `streamBuildOutput` function
+
+### Proposed Fix
+Add context checking in the scanner loop:
+
+```go
+for scanner.Scan() {
+    select {
+    case <-ctx.Done():
+        return ctx.Err()
+    default:
+    }
+    
+    line := scanner.Bytes()
+    // existing code...
+}
+```
+
+## 4. Inconsistent Container Removal in Error Cases
+
+### Description
+When deployment fails during container creation, the already-created container is not removed, leading to orphaned containers that consume resources.
+
+### Location
+`internal/service/deploy/deploy.go:969` in `createAndStartContainer` function
+
+### Proposed Fix
+Add cleanup of created container on start failure:
+
+```go
+containerID, err := svc.docker.CreateContainer(ctx, containerOpts)
+if err != nil {
+    svc.notify.NotifyDeployFailed(ctx, app, deployment, err)
+    svc.failDeployment(ctx, app, deployment, fmt.Errorf("failed to create container: %w", err))
+    return "", fmt.Errorf("failed to create container: %w", err)
+}
+
+// Add cleanup defer for error cases
+defer func() {
+    if err != nil {
+        // If we have a container ID but returning an error, clean it up
+        _ = svc.docker.RemoveContainer(context.Background(), containerID, true)
+    }
+}()
+
+startErr := svc.docker.StartContainer(ctx, containerID)
+if startErr != nil {
+    svc.notify.NotifyDeployFailed(ctx, app, deployment, startErr)
+    svc.failDeployment(ctx, app, deployment, fmt.Errorf("failed to start container: %w", startErr))
+    err = startErr  // Set err so defer cleanup runs
+    return "", fmt.Errorf("failed to start container: %w", startErr)
+}
+```
+
+## 5. Potential Data Race in Active Deployments Tracking
+
+### Description
+The `activeDeploys` sync.Map in the deployment service may have race conditions when multiple concurrent deployments try to access the same app's deployment state.
+
+### Location
+`internal/service/deploy/deploy.go:226` and related functions
+
+### Proposed Fix
+Add proper locking around active deploy operations:
+
+```go
+// Add a mutex for active deploy operations
+type Service struct {
+    // existing fields...
+    activeDeployMu sync.Mutex
+}
+
+// In Deploy function
+func (svc *Service) Deploy(ctx context.Context, app *models.App, webhookEventID *int64, cancelExisting bool) error {
+    svc.activeDeployMu.Lock()
+    if cancelExisting {
+        svc.cancelActiveDeploy(app.ID)
+    }
+    
+    // Try to acquire per-app deployment lock
+    if !svc.tryLockApp(app.ID) {
+        svc.activeDeployMu.Unlock()
+        svc.log.Warn("deployment already in progress", "app", app.Name)
+        return ErrDeploymentInProgress
+    }
+    svc.activeDeployMu.Unlock()
+    
+    defer svc.unlockApp(app.ID)
+    // rest of function...
+}
+```
+
+## 6. Incomplete Error Propagation in Git Clone
+
+### Description
+In the Docker client's `runGitClone` function, if `ContainerLogs` fails, the error is silently ignored, which could hide important debugging information.
+
+### Location
+`internal/docker/client.go:679` in `runGitClone` function
+
+### Proposed Fix
+Handle the ContainerLogs error properly:
+
+```go
+// Always capture logs for the result
+logs, logErr := c.ContainerLogs(ctx, containerID, "100")
+if logErr != nil {
+    c.log.Warn("failed to get git clone logs", "error", logErr)
+    logs = "Failed to retrieve logs: " + logErr.Error()
+}
+```

CLAUDE.md

@@ -0,0 +1,68 @@
+# Repository Rules
+
+Last Updated 2026-01-08
+
+These rules MUST be followed at all times, it is very important.
+
+* Never use `git add -A` - add specific changes to a deliberate commit. A
+  commit should contain one change. After each change, make a commit with a
+  good one-line summary.
+
+* NEVER modify the linter config without asking first.
+
+* NEVER modify tests to exclude special cases or otherwise get them to pass
+  without asking first. In almost all cases, the code should be changed,
+  NOT the tests. If you think the test needs to be changed, make your case
+  for that and ask for permission to proceed, then stop. You need explicit
+  user approval to modify existing tests. (You do not need user approval
+  for writing NEW tests.)
+
+* When linting, assume the linter config is CORRECT, and that each item
+  output by the linter is something that legitimately needs fixing in the
+  code.
+
+* When running tests, use `make test`.
+
+* Before commits, run `make check`. This runs `make lint` and `make test`
+  and `make check-fmt`. Any issues discovered MUST be resolved before
+  committing unless explicitly told otherwise.
+
+* When fixing a bug, write a failing test for the bug FIRST. Add
+  appropriate logging to the test to ensure it is written correctly. Commit
+  that. Then go about fixing the bug until the test passes (without
+  modifying the test further). Then commit that.
+
+* When adding a new feature, do the same - implement a test first (TDD). It
+  doesn't have to be super complex. Commit the test, then commit the
+  feature.
+
+* When adding a new feature, use a feature branch. When the feature is
+  completely finished and the code is up to standards (passes `make check`)
+  then and only then can the feature branch be merged into `main` and the
+  branch deleted.
+
+* Write godoc documentation comments for all exported types and functions as
+  you go along.
+
+* ALWAYS be consistent in naming. If you name something one thing in one
+  place, name it the EXACT SAME THING in another place.
+
+* Be descriptive and specific in naming. `wl` is bad;
+  `SourceHostWhitelist` is good. `ConnsPerHost` is bad;
+  `MaxConnectionsPerHost` is good.
+
+* This is not prototype or teaching code - this is designed for production.
+  Any security issues (such as denial of service) or other web
+  vulnerabilities are P1 bugs and must be added to TODO.md at the top.
+
+* As this is production code, no stubbing of implementations unless
+  specifically instructed. We need working implementations.
+
+* Avoid vendoring deps unless specifically instructed to.  NEVER commit
+  the vendor directory, NEVER commit compiled binaries.  If these
+  directories or files exist, add them to .gitignore (and commit the
+  .gitignore) if they are not already in there.  Keep the entire git
+  repository (with history) small - under 20MiB, unless you specifically
+  must commit larger files (e.g. test fixture example media files).  Only
+  OUR source code and immediately supporting files (such as test examples)
+  goes into the repo/history.

internal/database/migrations/001_init_migrations.sql

@@ -0,0 +1,6 @@
+-- Initialize migrations table for tracking applied migrations
+CREATE TABLE IF NOT EXISTS migrations (
+    id INTEGER PRIMARY KEY,
+    name TEXT NOT NULL UNIQUE,
+    applied_at DATETIME DEFAULT CURRENT_TIMESTAMP
+);

internal/database/migrations/002_complete_schema.sql

@@ -1,7 +1,8 @@
--- Initial schema for upaas
+-- Complete schema for upaas (consolidated)
+-- This represents the final state of all migrations applied
 
 -- Users table (single admin user)
-CREATE TABLE users (
+CREATE TABLE IF NOT EXISTS users (
     id INTEGER PRIMARY KEY,
     username TEXT UNIQUE NOT NULL,
     password_hash TEXT NOT NULL,
@@ -9,7 +10,7 @@ CREATE TABLE users (
 );
 
 -- Apps table
-CREATE TABLE apps (
+CREATE TABLE IF NOT EXISTS apps (
     id TEXT PRIMARY KEY,
     name TEXT UNIQUE NOT NULL,
     repo_url TEXT NOT NULL,
@@ -18,18 +19,19 @@ CREATE TABLE apps (
     webhook_secret TEXT NOT NULL,
     ssh_private_key TEXT NOT NULL,
     ssh_public_key TEXT NOT NULL,
-    container_id TEXT,
     image_id TEXT,
+    previous_image_id TEXT,
     status TEXT DEFAULT 'pending',
     docker_network TEXT,
     ntfy_topic TEXT,
     slack_webhook TEXT,
+    webhook_secret_hash TEXT NOT NULL DEFAULT '',
     created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
     updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
 );
 
 -- App environment variables
-CREATE TABLE app_env_vars (
+CREATE TABLE IF NOT EXISTS app_env_vars (
     id INTEGER PRIMARY KEY,
     app_id TEXT NOT NULL REFERENCES apps(id) ON DELETE CASCADE,
     key TEXT NOT NULL,
@@ -38,7 +40,7 @@ CREATE TABLE app_env_vars (
 );
 
 -- App labels
-CREATE TABLE app_labels (
+CREATE TABLE IF NOT EXISTS app_labels (
     id INTEGER PRIMARY KEY,
     app_id TEXT NOT NULL REFERENCES apps(id) ON DELETE CASCADE,
     key TEXT NOT NULL,
@@ -47,7 +49,7 @@ CREATE TABLE app_labels (
 );
 
 -- App volume mounts
-CREATE TABLE app_volumes (
+CREATE TABLE IF NOT EXISTS app_volumes (
     id INTEGER PRIMARY KEY,
     app_id TEXT NOT NULL REFERENCES apps(id) ON DELETE CASCADE,
     host_path TEXT NOT NULL,
@@ -55,13 +57,24 @@ CREATE TABLE app_volumes (
     readonly INTEGER DEFAULT 0
 );
 
+-- App port mappings
+CREATE TABLE IF NOT EXISTS app_ports (
+    id INTEGER PRIMARY KEY,
+    app_id TEXT NOT NULL REFERENCES apps(id) ON DELETE CASCADE,
+    host_port INTEGER NOT NULL,
+    container_port INTEGER NOT NULL,
+    protocol TEXT NOT NULL DEFAULT 'tcp' CHECK(protocol IN ('tcp', 'udp')),
+    UNIQUE(host_port, protocol)
+);
+
 -- Webhook events log
-CREATE TABLE webhook_events (
+CREATE TABLE IF NOT EXISTS webhook_events (
     id INTEGER PRIMARY KEY,
     app_id TEXT NOT NULL REFERENCES apps(id) ON DELETE CASCADE,
     event_type TEXT NOT NULL,
     branch TEXT NOT NULL,
     commit_sha TEXT,
+    commit_url TEXT,
     payload TEXT,
     matched INTEGER NOT NULL,
     processed INTEGER DEFAULT 0,
@@ -69,13 +82,13 @@ CREATE TABLE webhook_events (
 );
 
 -- Deployments log
-CREATE TABLE deployments (
+CREATE TABLE IF NOT EXISTS deployments (
     id INTEGER PRIMARY KEY,
     app_id TEXT NOT NULL REFERENCES apps(id) ON DELETE CASCADE,
     webhook_event_id INTEGER REFERENCES webhook_events(id),
     commit_sha TEXT,
+    commit_url TEXT,
     image_id TEXT,
-    container_id TEXT,
     status TEXT NOT NULL,
     logs TEXT,
     started_at DATETIME DEFAULT CURRENT_TIMESTAMP,
@@ -83,12 +96,14 @@ CREATE TABLE deployments (
 );
 
 -- Indexes
-CREATE INDEX idx_apps_status ON apps(status);
-CREATE INDEX idx_apps_webhook_secret ON apps(webhook_secret);
-CREATE INDEX idx_app_env_vars_app_id ON app_env_vars(app_id);
-CREATE INDEX idx_app_labels_app_id ON app_labels(app_id);
-CREATE INDEX idx_app_volumes_app_id ON app_volumes(app_id);
-CREATE INDEX idx_webhook_events_app_id ON webhook_events(app_id);
-CREATE INDEX idx_webhook_events_created_at ON webhook_events(created_at);
-CREATE INDEX idx_deployments_app_id ON deployments(app_id);
-CREATE INDEX idx_deployments_started_at ON deployments(started_at);
+CREATE INDEX IF NOT EXISTS idx_apps_status ON apps(status);
+CREATE INDEX IF NOT EXISTS idx_apps_webhook_secret ON apps(webhook_secret);
+CREATE INDEX IF NOT EXISTS idx_apps_webhook_secret_hash ON apps(webhook_secret_hash);
+CREATE INDEX IF NOT EXISTS idx_app_env_vars_app_id ON app_env_vars(app_id);
+CREATE INDEX IF NOT EXISTS idx_app_labels_app_id ON app_labels(app_id);
+CREATE INDEX IF NOT EXISTS idx_app_volumes_app_id ON app_volumes(app_id);
+CREATE INDEX IF NOT EXISTS idx_app_ports_app_id ON app_ports(app_id);
+CREATE INDEX IF NOT EXISTS idx_webhook_events_app_id ON webhook_events(app_id);
+CREATE INDEX IF NOT EXISTS idx_webhook_events_created_at ON webhook_events(created_at);
+CREATE INDEX IF NOT EXISTS idx_deployments_app_id ON deployments(app_id);
+CREATE INDEX IF NOT EXISTS idx_deployments_started_at ON deployments(started_at);

internal/database/migrations/002_remove_container_id.sql

@@ -1,44 +0,0 @@
--- Remove container_id from apps table
--- Container is now looked up via Docker label (upaas.id) instead of stored in database
-
--- SQLite doesn't support DROP COLUMN before version 3.35.0 (2021-03-12)
--- Use table rebuild for broader compatibility
-
--- Create new table without container_id
-CREATE TABLE apps_new (
-    id TEXT PRIMARY KEY,
-    name TEXT UNIQUE NOT NULL,
-    repo_url TEXT NOT NULL,
-    branch TEXT NOT NULL DEFAULT 'main',
-    dockerfile_path TEXT DEFAULT 'Dockerfile',
-    webhook_secret TEXT NOT NULL,
-    ssh_private_key TEXT NOT NULL,
-    ssh_public_key TEXT NOT NULL,
-    image_id TEXT,
-    status TEXT DEFAULT 'pending',
-    docker_network TEXT,
-    ntfy_topic TEXT,
-    slack_webhook TEXT,
-    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
-    updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
-);
-
--- Copy data (excluding container_id)
-INSERT INTO apps_new (
-    id, name, repo_url, branch, dockerfile_path, webhook_secret,
-    ssh_private_key, ssh_public_key, image_id, status,
-    docker_network, ntfy_topic, slack_webhook, created_at, updated_at
-)
-SELECT
-    id, name, repo_url, branch, dockerfile_path, webhook_secret,
-    ssh_private_key, ssh_public_key, image_id, status,
-    docker_network, ntfy_topic, slack_webhook, created_at, updated_at
-FROM apps;
-
--- Drop old table and rename new one
-DROP TABLE apps;
-ALTER TABLE apps_new RENAME TO apps;
-
--- Recreate indexes
-CREATE INDEX idx_apps_status ON apps(status);
-CREATE INDEX idx_apps_webhook_secret ON apps(webhook_secret);

internal/database/migrations/003_add_ports.sql

@@ -1,12 +0,0 @@
--- Add port mappings for apps
-
-CREATE TABLE app_ports (
-    id INTEGER PRIMARY KEY,
-    app_id TEXT NOT NULL REFERENCES apps(id) ON DELETE CASCADE,
-    host_port INTEGER NOT NULL,
-    container_port INTEGER NOT NULL,
-    protocol TEXT NOT NULL DEFAULT 'tcp' CHECK(protocol IN ('tcp', 'udp')),
-    UNIQUE(host_port, protocol)
-);
-
-CREATE INDEX idx_app_ports_app_id ON app_ports(app_id);

internal/database/migrations/004_add_commit_url.sql

@@ -1,3 +0,0 @@
--- Add commit_url column to webhook_events and deployments tables
-ALTER TABLE webhook_events ADD COLUMN commit_url TEXT;
-ALTER TABLE deployments ADD COLUMN commit_url TEXT;

internal/database/migrations/005_add_webhook_secret_hash.sql

@@ -1,2 +0,0 @@
--- Add webhook_secret_hash column for constant-time secret lookup
-ALTER TABLE apps ADD COLUMN webhook_secret_hash TEXT NOT NULL DEFAULT '';

internal/database/migrations/006_add_previous_image_id.sql

@@ -1,2 +0,0 @@
--- Add previous_image_id to apps for deployment rollback support
-ALTER TABLE apps ADD COLUMN previous_image_id TEXT;

internal/handlers/api.go

@@ -0,0 +1,377 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+	"strconv"
+
+	"github.com/go-chi/chi/v5"
+
+	"git.eeqj.de/sneak/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/service/app"
+)
+
+// apiAppResponse is the JSON representation of an app.
+type apiAppResponse struct {
+	ID             string `json:"id"`
+	Name           string `json:"name"`
+	RepoURL        string `json:"repoUrl"`
+	Branch         string `json:"branch"`
+	DockerfilePath string `json:"dockerfilePath"`
+	Status         string `json:"status"`
+	WebhookSecret  string `json:"webhookSecret"`
+	SSHPublicKey   string `json:"sshPublicKey"`
+	CreatedAt      string `json:"createdAt"`
+	UpdatedAt      string `json:"updatedAt"`
+}
+
+// apiDeploymentResponse is the JSON representation of a deployment.
+type apiDeploymentResponse struct {
+	ID         int64  `json:"id"`
+	AppID      string `json:"appId"`
+	CommitSHA  string `json:"commitSha,omitempty"`
+	Status     string `json:"status"`
+	Duration   string `json:"duration,omitempty"`
+	StartedAt  string `json:"startedAt"`
+	FinishedAt string `json:"finishedAt,omitempty"`
+}
+
+func appToAPI(a *models.App) apiAppResponse {
+	return apiAppResponse{
+		ID:             a.ID,
+		Name:           a.Name,
+		RepoURL:        a.RepoURL,
+		Branch:         a.Branch,
+		DockerfilePath: a.DockerfilePath,
+		Status:         string(a.Status),
+		WebhookSecret:  a.WebhookSecret,
+		SSHPublicKey:   a.SSHPublicKey,
+		CreatedAt:      a.CreatedAt.Format("2006-01-02T15:04:05Z"),
+		UpdatedAt:      a.UpdatedAt.Format("2006-01-02T15:04:05Z"),
+	}
+}
+
+func deploymentToAPI(d *models.Deployment) apiDeploymentResponse {
+	resp := apiDeploymentResponse{
+		ID:        d.ID,
+		AppID:     d.AppID,
+		Status:    string(d.Status),
+		Duration:  d.Duration(),
+		StartedAt: d.StartedAt.Format("2006-01-02T15:04:05Z"),
+	}
+
+	if d.CommitSHA.Valid {
+		resp.CommitSHA = d.CommitSHA.String
+	}
+
+	if d.FinishedAt.Valid {
+		resp.FinishedAt = d.FinishedAt.Time.Format("2006-01-02T15:04:05Z")
+	}
+
+	return resp
+}
+
+// HandleAPILoginPOST returns a handler that authenticates via JSON credentials
+// and sets a session cookie.
+func (h *Handlers) HandleAPILoginPOST() http.HandlerFunc {
+	type loginRequest struct {
+		Username string `json:"username"`
+		Password string `json:"password"`
+	}
+
+	type loginResponse struct {
+		UserID   int64  `json:"userId"`
+		Username string `json:"username"`
+	}
+
+	return func(writer http.ResponseWriter, request *http.Request) {
+		var req loginRequest
+
+		decodeErr := json.NewDecoder(request.Body).Decode(&req)
+		if decodeErr != nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "invalid JSON body"},
+				http.StatusBadRequest)
+
+			return
+		}
+
+		if req.Username == "" || req.Password == "" {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "username and password are required"},
+				http.StatusBadRequest)
+
+			return
+		}
+
+		user, authErr := h.auth.Authenticate(request.Context(), req.Username, req.Password)
+		if authErr != nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "invalid credentials"},
+				http.StatusUnauthorized)
+
+			return
+		}
+
+		sessionErr := h.auth.CreateSession(writer, request, user)
+		if sessionErr != nil {
+			h.log.Error("api: failed to create session", "error", sessionErr)
+			h.respondJSON(writer, request,
+				map[string]string{"error": "failed to create session"},
+				http.StatusInternalServerError)
+
+			return
+		}
+
+		h.respondJSON(writer, request, loginResponse{
+			UserID:   user.ID,
+			Username: user.Username,
+		}, http.StatusOK)
+	}
+}
+
+// HandleAPIListApps returns a handler that lists all apps as JSON.
+func (h *Handlers) HandleAPIListApps() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		apps, err := h.appService.ListApps(request.Context())
+		if err != nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "failed to list apps"},
+				http.StatusInternalServerError)
+
+			return
+		}
+
+		result := make([]apiAppResponse, 0, len(apps))
+		for _, a := range apps {
+			result = append(result, appToAPI(a))
+		}
+
+		h.respondJSON(writer, request, result, http.StatusOK)
+	}
+}
+
+// HandleAPIGetApp returns a handler that gets a single app by ID.
+func (h *Handlers) HandleAPIGetApp() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		appID := chi.URLParam(request, "id")
+
+		application, err := h.appService.GetApp(request.Context(), appID)
+		if err != nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "internal server error"},
+				http.StatusInternalServerError)
+
+			return
+		}
+
+		if application == nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "app not found"},
+				http.StatusNotFound)
+
+			return
+		}
+
+		h.respondJSON(writer, request, appToAPI(application), http.StatusOK)
+	}
+}
+
+// HandleAPICreateApp returns a handler that creates a new app.
+func (h *Handlers) HandleAPICreateApp() http.HandlerFunc {
+	type createRequest struct {
+		Name           string `json:"name"`
+		RepoURL        string `json:"repoUrl"`
+		Branch         string `json:"branch"`
+		DockerfilePath string `json:"dockerfilePath"`
+		DockerNetwork  string `json:"dockerNetwork"`
+		NtfyTopic      string `json:"ntfyTopic"`
+		SlackWebhook   string `json:"slackWebhook"`
+	}
+
+	return func(writer http.ResponseWriter, request *http.Request) {
+		var req createRequest
+
+		decodeErr := json.NewDecoder(request.Body).Decode(&req)
+		if decodeErr != nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "invalid JSON body"},
+				http.StatusBadRequest)
+
+			return
+		}
+
+		if req.Name == "" || req.RepoURL == "" {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "name and repo_url are required"},
+				http.StatusBadRequest)
+
+			return
+		}
+
+		nameErr := validateAppName(req.Name)
+		if nameErr != nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "invalid app name: " + nameErr.Error()},
+				http.StatusBadRequest)
+
+			return
+		}
+
+		createdApp, createErr := h.appService.CreateApp(request.Context(), app.CreateAppInput{
+			Name:           req.Name,
+			RepoURL:        req.RepoURL,
+			Branch:         req.Branch,
+			DockerfilePath: req.DockerfilePath,
+			DockerNetwork:  req.DockerNetwork,
+			NtfyTopic:      req.NtfyTopic,
+			SlackWebhook:   req.SlackWebhook,
+		})
+		if createErr != nil {
+			h.log.Error("api: failed to create app", "error", createErr)
+			h.respondJSON(writer, request,
+				map[string]string{"error": "failed to create app"},
+				http.StatusInternalServerError)
+
+			return
+		}
+
+		h.respondJSON(writer, request, appToAPI(createdApp), http.StatusCreated)
+	}
+}
+
+// HandleAPIDeleteApp returns a handler that deletes an app.
+func (h *Handlers) HandleAPIDeleteApp() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		appID := chi.URLParam(request, "id")
+
+		application, err := h.appService.GetApp(request.Context(), appID)
+		if err != nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "internal server error"},
+				http.StatusInternalServerError)
+
+			return
+		}
+
+		if application == nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "app not found"},
+				http.StatusNotFound)
+
+			return
+		}
+
+		deleteErr := h.appService.DeleteApp(request.Context(), application)
+		if deleteErr != nil {
+			h.log.Error("api: failed to delete app", "error", deleteErr)
+			h.respondJSON(writer, request,
+				map[string]string{"error": "failed to delete app"},
+				http.StatusInternalServerError)
+
+			return
+		}
+
+		h.respondJSON(writer, request,
+			map[string]string{"status": "deleted"}, http.StatusOK)
+	}
+}
+
+// deploymentsPageLimit is the default number of deployments per page.
+const deploymentsPageLimit = 20
+
+// HandleAPIListDeployments returns a handler that lists deployments for an app.
+func (h *Handlers) HandleAPIListDeployments() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		appID := chi.URLParam(request, "id")
+
+		application, err := h.appService.GetApp(request.Context(), appID)
+		if err != nil || application == nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "app not found"},
+				http.StatusNotFound)
+
+			return
+		}
+
+		limit := deploymentsPageLimit
+
+		if l := request.URL.Query().Get("limit"); l != "" {
+			parsed, parseErr := strconv.Atoi(l)
+			if parseErr == nil && parsed > 0 {
+				limit = parsed
+			}
+		}
+
+		deployments, deployErr := application.GetDeployments(
+			request.Context(), limit,
+		)
+		if deployErr != nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "failed to list deployments"},
+				http.StatusInternalServerError)
+
+			return
+		}
+
+		result := make([]apiDeploymentResponse, 0, len(deployments))
+		for _, d := range deployments {
+			result = append(result, deploymentToAPI(d))
+		}
+
+		h.respondJSON(writer, request, result, http.StatusOK)
+	}
+}
+
+// HandleAPITriggerDeploy returns a handler that triggers a deployment for an app.
+func (h *Handlers) HandleAPITriggerDeploy() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		appID := chi.URLParam(request, "id")
+
+		application, err := h.appService.GetApp(request.Context(), appID)
+		if err != nil || application == nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "app not found"},
+				http.StatusNotFound)
+
+			return
+		}
+
+		deployErr := h.deploy.Deploy(request.Context(), application, nil, true)
+		if deployErr != nil {
+			h.log.Error("api: failed to trigger deploy", "error", deployErr)
+			h.respondJSON(writer, request,
+				map[string]string{"error": deployErr.Error()},
+				http.StatusConflict)
+
+			return
+		}
+
+		h.respondJSON(writer, request,
+			map[string]string{"status": "deploying"}, http.StatusAccepted)
+	}
+}
+
+// HandleAPIWhoAmI returns a handler that shows the current authenticated user.
+func (h *Handlers) HandleAPIWhoAmI() http.HandlerFunc {
+	type whoAmIResponse struct {
+		UserID   int64  `json:"userId"`
+		Username string `json:"username"`
+	}
+
+	return func(writer http.ResponseWriter, request *http.Request) {
+		user, err := h.auth.GetCurrentUser(request.Context(), request)
+		if err != nil || user == nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "unauthorized"},
+				http.StatusUnauthorized)
+
+			return
+		}
+
+		h.respondJSON(writer, request, whoAmIResponse{
+			UserID:   user.ID,
+			Username: user.Username,
+		}, http.StatusOK)
+	}
+}

internal/handlers/api_test.go

@@ -0,0 +1,299 @@
+package handlers_test
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// apiRouter builds a chi router with the API routes using session auth middleware.
+func apiRouter(tc *testContext) http.Handler {
+	r := chi.NewRouter()
+
+	r.Route("/api/v1", func(apiR chi.Router) {
+		apiR.Post("/login", tc.handlers.HandleAPILoginPOST())
+
+		apiR.Group(func(apiR chi.Router) {
+			apiR.Use(tc.middleware.APISessionAuth())
+			apiR.Get("/whoami", tc.handlers.HandleAPIWhoAmI())
+			apiR.Get("/apps", tc.handlers.HandleAPIListApps())
+			apiR.Post("/apps", tc.handlers.HandleAPICreateApp())
+			apiR.Get("/apps/{id}", tc.handlers.HandleAPIGetApp())
+			apiR.Delete("/apps/{id}", tc.handlers.HandleAPIDeleteApp())
+			apiR.Post("/apps/{id}/deploy", tc.handlers.HandleAPITriggerDeploy())
+			apiR.Get("/apps/{id}/deployments", tc.handlers.HandleAPIListDeployments())
+		})
+	})
+
+	return r
+}
+
+// setupAPITest creates a test context with a user and returns session cookies.
+func setupAPITest(t *testing.T) (*testContext, []*http.Cookie) {
+	t.Helper()
+
+	tc := setupTestHandlers(t)
+
+	// Create a user.
+	_, err := tc.authSvc.CreateUser(t.Context(), "admin", "password123")
+	require.NoError(t, err)
+
+	// Login via the API to get session cookies.
+	r := apiRouter(tc)
+
+	loginBody := `{"username":"admin","password":"password123"}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(loginBody))
+	req.Header.Set("Content-Type", "application/json")
+
+	rr := httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+
+	require.Equal(t, http.StatusOK, rr.Code)
+
+	cookies := rr.Result().Cookies()
+	require.NotEmpty(t, cookies, "login should return session cookies")
+
+	return tc, cookies
+}
+
+// apiRequest makes an authenticated API request using session cookies.
+func apiRequest(
+	t *testing.T,
+	tc *testContext,
+	cookies []*http.Cookie,
+	method, path string,
+	body string,
+) *httptest.ResponseRecorder {
+	t.Helper()
+
+	var req *http.Request
+	if body != "" {
+		req = httptest.NewRequest(method, path, strings.NewReader(body))
+		req.Header.Set("Content-Type", "application/json")
+	} else {
+		req = httptest.NewRequest(method, path, nil)
+	}
+
+	for _, c := range cookies {
+		req.AddCookie(c)
+	}
+
+	rr := httptest.NewRecorder()
+
+	r := apiRouter(tc)
+	r.ServeHTTP(rr, req)
+
+	return rr
+}
+
+func TestAPILoginSuccess(t *testing.T) {
+	t.Parallel()
+
+	tc := setupTestHandlers(t)
+
+	_, err := tc.authSvc.CreateUser(t.Context(), "admin", "password123")
+	require.NoError(t, err)
+
+	r := apiRouter(tc)
+
+	body := `{"username":"admin","password":"password123"}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	rr := httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+
+	assert.Equal(t, http.StatusOK, rr.Code)
+
+	var resp map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
+	assert.Equal(t, "admin", resp["username"])
+
+	// Should have a Set-Cookie header.
+	assert.NotEmpty(t, rr.Result().Cookies())
+}
+
+func TestAPILoginInvalidCredentials(t *testing.T) {
+	t.Parallel()
+
+	tc := setupTestHandlers(t)
+
+	_, err := tc.authSvc.CreateUser(t.Context(), "admin", "password123")
+	require.NoError(t, err)
+
+	r := apiRouter(tc)
+
+	body := `{"username":"admin","password":"wrong"}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	rr := httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+
+	assert.Equal(t, http.StatusUnauthorized, rr.Code)
+}
+
+func TestAPILoginMissingFields(t *testing.T) {
+	t.Parallel()
+
+	tc := setupTestHandlers(t)
+
+	r := apiRouter(tc)
+
+	body := `{"username":"","password":""}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	rr := httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+}
+
+func TestAPIRejectsUnauthenticated(t *testing.T) {
+	t.Parallel()
+
+	tc := setupTestHandlers(t)
+
+	r := apiRouter(tc)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/apps", nil)
+	rr := httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+
+	assert.Equal(t, http.StatusUnauthorized, rr.Code)
+}
+
+func TestAPIWhoAmI(t *testing.T) {
+	t.Parallel()
+
+	tc, cookies := setupAPITest(t)
+
+	rr := apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/whoami", "")
+	assert.Equal(t, http.StatusOK, rr.Code)
+
+	var resp map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
+	assert.Equal(t, "admin", resp["username"])
+}
+
+func TestAPIListAppsEmpty(t *testing.T) {
+	t.Parallel()
+
+	tc, cookies := setupAPITest(t)
+
+	rr := apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps", "")
+	assert.Equal(t, http.StatusOK, rr.Code)
+
+	var apps []any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &apps))
+	assert.Empty(t, apps)
+}
+
+func TestAPICreateApp(t *testing.T) {
+	t.Parallel()
+
+	tc, cookies := setupAPITest(t)
+
+	body := `{"name":"test-app","repoUrl":"https://github.com/example/repo"}`
+	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
+	assert.Equal(t, http.StatusCreated, rr.Code)
+
+	var app map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &app))
+	assert.Equal(t, "test-app", app["name"])
+	assert.Equal(t, "pending", app["status"])
+}
+
+func TestAPICreateAppValidation(t *testing.T) {
+	t.Parallel()
+
+	tc, cookies := setupAPITest(t)
+
+	body := `{"name":"","repoUrl":""}`
+	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+}
+
+func TestAPIGetApp(t *testing.T) {
+	t.Parallel()
+
+	tc, cookies := setupAPITest(t)
+
+	body := `{"name":"my-app","repoUrl":"https://github.com/example/repo"}`
+	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
+	require.Equal(t, http.StatusCreated, rr.Code)
+
+	var created map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &created))
+
+	appID, ok := created["id"].(string)
+	require.True(t, ok)
+
+	rr = apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/"+appID, "")
+	assert.Equal(t, http.StatusOK, rr.Code)
+
+	var app map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &app))
+	assert.Equal(t, "my-app", app["name"])
+}
+
+func TestAPIGetAppNotFound(t *testing.T) {
+	t.Parallel()
+
+	tc, cookies := setupAPITest(t)
+
+	rr := apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/nonexistent", "")
+	assert.Equal(t, http.StatusNotFound, rr.Code)
+}
+
+func TestAPIDeleteApp(t *testing.T) {
+	t.Parallel()
+
+	tc, cookies := setupAPITest(t)
+
+	body := `{"name":"delete-me","repoUrl":"https://github.com/example/repo"}`
+	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
+	require.Equal(t, http.StatusCreated, rr.Code)
+
+	var created map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &created))
+
+	appID, ok := created["id"].(string)
+	require.True(t, ok)
+
+	rr = apiRequest(t, tc, cookies, http.MethodDelete, "/api/v1/apps/"+appID, "")
+	assert.Equal(t, http.StatusOK, rr.Code)
+
+	rr = apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/"+appID, "")
+	assert.Equal(t, http.StatusNotFound, rr.Code)
+}
+
+func TestAPIListDeployments(t *testing.T) {
+	t.Parallel()
+
+	tc, cookies := setupAPITest(t)
+
+	body := `{"name":"deploy-app","repoUrl":"https://github.com/example/repo"}`
+	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
+	require.Equal(t, http.StatusCreated, rr.Code)
+
+	var created map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &created))
+
+	appID, ok := created["id"].(string)
+	require.True(t, ok)
+
+	rr = apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/"+appID+"/deployments", "")
+	assert.Equal(t, http.StatusOK, rr.Code)
+
+	var deployments []any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &deployments))
+	assert.Empty(t, deployments)
+}

internal/handlers/handlers_test.go

@@ -24,6 +24,7 @@ import (
 	"git.eeqj.de/sneak/upaas/internal/handlers"
 	"git.eeqj.de/sneak/upaas/internal/healthcheck"
 	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/middleware"
 	"git.eeqj.de/sneak/upaas/internal/service/app"
 	"git.eeqj.de/sneak/upaas/internal/service/auth"
 	"git.eeqj.de/sneak/upaas/internal/service/deploy"
@@ -32,10 +33,11 @@ import (
 )
 
 type testContext struct {
-	handlers *handlers.Handlers
-	database *database.Database
-	authSvc  *auth.Service
-	appSvc   *app.Service
+	handlers   *handlers.Handlers
+	database   *database.Database
+	authSvc    *auth.Service
+	appSvc     *app.Service
+	middleware *middleware.Middleware
 }
 
 func createTestConfig(t *testing.T) *config.Config {
@@ -166,11 +168,20 @@ func setupTestHandlers(t *testing.T) *testContext {
 	)
 	require.NoError(t, handlerErr)
 
+	mw, mwErr := middleware.New(fx.Lifecycle(nil), middleware.Params{
+		Logger:  logInstance,
+		Globals: globalInstance,
+		Config:  cfg,
+		Auth:    authSvc,
+	})
+	require.NoError(t, mwErr)
+
 	return &testContext{
-		handlers: handlersInstance,
-		database: dbInstance,
-		authSvc:  authSvc,
-		appSvc:   appSvc,
+		handlers:   handlersInstance,
+		database:   dbInstance,
+		authSvc:    authSvc,
+		appSvc:     appSvc,
+		middleware: mw,
 	}
 }
 

internal/middleware/middleware.go

@@ -339,6 +339,27 @@ func (m *Middleware) LoginRateLimit() func(http.Handler) http.Handler {
 	}
 }
 
+// APISessionAuth returns middleware that requires session authentication for API routes.
+// Unlike SessionAuth, it returns JSON 401 responses instead of redirecting to /login.
+func (m *Middleware) APISessionAuth() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(
+			writer http.ResponseWriter,
+			request *http.Request,
+		) {
+			user, err := m.params.Auth.GetCurrentUser(request.Context(), request)
+			if err != nil || user == nil {
+				writer.Header().Set("Content-Type", "application/json")
+				http.Error(writer, `{"error":"unauthorized"}`, http.StatusUnauthorized)
+
+				return
+			}
+
+			next.ServeHTTP(writer, request)
+		})
+	}
+}
+
 // SetupRequired returns middleware that redirects to setup if no user exists.
 func (m *Middleware) SetupRequired() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {

internal/server/routes.go

@@ -102,6 +102,26 @@ func (s *Server) SetupRoutes() {
 		})
 	})
 
+	// API v1 routes (cookie-based session auth, no CSRF)
+	s.router.Route("/api/v1", func(r chi.Router) {
+		// Login endpoint is public (returns session cookie)
+		r.With(s.mw.LoginRateLimit()).Post("/login", s.handlers.HandleAPILoginPOST())
+
+		// All other API routes require session auth
+		r.Group(func(r chi.Router) {
+			r.Use(s.mw.APISessionAuth())
+
+			r.Get("/whoami", s.handlers.HandleAPIWhoAmI())
+
+			r.Get("/apps", s.handlers.HandleAPIListApps())
+			r.Post("/apps", s.handlers.HandleAPICreateApp())
+			r.Get("/apps/{id}", s.handlers.HandleAPIGetApp())
+			r.Delete("/apps/{id}", s.handlers.HandleAPIDeleteApp())
+			r.Post("/apps/{id}/deploy", s.handlers.HandleAPITriggerDeploy())
+			r.Get("/apps/{id}/deployments", s.handlers.HandleAPIListDeployments())
+		})
+	})
+
 	// Metrics endpoint (optional, with basic auth)
 	if s.params.Config.MetricsUsername != "" {
 		s.router.Group(func(r chi.Router) {