fix: resolve lint issues for make check compliance

fix: increase API token entropy from 128 to 256 bits
Change token random bytes from 16 to 32, producing tokens with upaas_ prefix + 64 hex characters instead of 32.
2026-02-19 23:43:41 -08:00 · 2026-02-19 23:43:22 -08:00 · 2026-02-19 23:43:22 -08:00 · 2026-02-19 23:43:22 -08:00 · 2026-02-20 05:37:49 +01:00 · 2026-02-19 20:36:22 -08:00
27 changed files with 2547 additions and 428 deletions
--- a/TODO.md
+++ b/TODO.md
@@ -1,312 +0,0 @@
 # UPAAS Implementation Plan
 ## Feature Roadmap
 ### Core Infrastructure
 - [x] Uber fx dependency injection
 - [x] Chi router integration
 - [x] Structured logging (slog) with TTY detection
 - [x] Configuration via Viper (env vars, config files)
 - [x] SQLite database with embedded migrations
 - [x] Embedded templates (html/template)
 - [x] Embedded static assets (Tailwind CSS, JS)
 - [x] Server startup (`Server.Run()`)
 - [x] Graceful shutdown (`Server.Shutdown()`)
 - [x] Route wiring (`SetupRoutes()`)
 ### Authentication & Authorization
 - [x] Single admin user model
 - [x] Argon2id password hashing
 - [x] Initial setup flow (create admin on first run)
 - [x] Cookie-based session management (gorilla/sessions)
 - [x] Session middleware for protected routes
 - [x] Login/logout handlers
 - [ ] API token authentication (for JSON API)
 ### App Management
 - [x] Create apps with name, repo URL, branch, Dockerfile path
 - [x] Edit app configuration
 - [x] Delete apps (cascades to related entities)
 - [x] List all apps on dashboard
 - [x] View app details
 - [x] Per-app SSH keypair generation (Ed25519)
 - [x] Per-app webhook secret (UUID)
 ### Container Configuration
 - [x] Environment variables (add, delete per app)
 - [x] Docker labels (add, delete per app)
 - [x] Volume mounts (add, delete per app, with read-only option)
 - [x] Docker network configuration per app
 - [ ] Edit existing environment variables
 - [ ] Edit existing labels
 - [ ] Edit existing volume mounts
 - [ ] CPU/memory resource limits
 ### Deployment Pipeline
 - [x] Manual deploy trigger from UI
 - [x] Repository cloning via Docker git container
 - [x] SSH key authentication for private repos
 - [x] Docker image building with configurable Dockerfile
 - [x] Container creation with env vars, labels, volumes
 - [x] Old container removal before new deployment
 - [x] Deployment status tracking (building, deploying, success, failed)
 - [x] Deployment logs storage
 - [x] View deployment history per app
 - [x] Container logs viewing
 - [ ] Deployment rollback to previous image
 - [ ] Deployment cancellation
 ### Manual Container Controls
 - [x] Restart container
 - [x] Stop container
 - [x] Start stopped container
 ### Webhook Integration
 - [x] Gitea webhook endpoint (`/webhook/:secret`)
 - [x] Push event parsing
 - [x] Branch extraction from refs
 - [x] Branch matching (only deploy configured branch)
 - [x] Webhook event audit log
 - [x] Automatic deployment on matching webhook
 - [ ] Webhook event history UI
 - [ ] GitHub webhook support
 - [ ] GitLab webhook support
 ### Health Monitoring
 - [x] Health check endpoint (`/health`)
 - [x] Application uptime tracking
 - [x] Docker container health status checking
 - [x] Post-deployment health verification (60s delay)
 - [ ] Custom health check commands per app
 ### Notifications
 - [x] ntfy integration (HTTP POST)
 - [x] Slack-compatible webhook integration
 - [x] Build start/success/failure notifications
 - [x] Deploy success/failure notifications
 - [x] Priority mapping for notification urgency
 ### Observability
 - [x] Request logging middleware
 - [x] Request ID generation
 - [x] Sentry error reporting (optional)
 - [x] Prometheus metrics endpoint (optional, with basic auth)
 - [ ] Structured logging for all operations
 - [ ] Deployment count/duration metrics
 - [ ] Container health status metrics
 - [ ] Webhook event metrics
 - [ ] Audit log table for user actions
 ### API
 - [ ] JSON API (`/api/v1/*`)
 - [ ] List apps endpoint
 - [ ] Get app details endpoint
 - [ ] Create app endpoint
 - [ ] Delete app endpoint
 - [ ] Trigger deploy endpoint
 - [ ] List deployments endpoint
 - [ ] API documentation
 ### UI Features
 - [x] Server-rendered HTML templates
 - [x] Dashboard with app list
 - [x] App creation form
 - [x] App detail view with all configurations
 - [x] App edit form
 - [x] Deployment history page
 - [x] Login page
 - [x] Setup page
 - [ ] Container logs page
 - [ ] Webhook event history page
 - [ ] Settings page (webhook secret, SSH public key)
 - [ ] Real-time deployment log streaming (WebSocket/SSE)
 ### Future Considerations
 - [ ] Multi-user support with roles
 - [ ] Private Docker registry authentication
 - [ ] Scheduled deployments
 - [ ] Backup/restore of app configurations
 ---
 ## Phase 1: Critical (Application Cannot Start)
 ### 1.1 Server Startup Infrastructure
 - [x] Implement `Server.Run()` in `internal/server/server.go`
  - Start HTTP server with configured address/port
  - Handle TLS if configured
  - Block until shutdown signal received
 - [x] Implement `Server.Shutdown()` in `internal/server/server.go`
  - Graceful shutdown with context timeout
  - Close database connections
  - Stop running containers gracefully (optional)
 - [x] Implement `SetupRoutes()` in `internal/server/routes.go`
  - Wire up chi router with all handlers
  - Apply middleware (logging, auth, CORS, metrics)
  - Define public vs protected route groups
  - Serve static assets and templates
 ### 1.2 Route Configuration
 ```
 Public Routes:
  GET  /health
  GET  /setup, POST /setup
  GET  /login, POST /login
  POST /webhook/:secret
 Protected Routes (require auth):
  GET  /logout
  GET  /dashboard
  GET  /apps/new, POST /apps
  GET  /apps/:id, POST /apps/:id, DELETE /apps/:id
  GET  /apps/:id/edit, POST /apps/:id/edit
  GET  /apps/:id/deployments
  GET  /apps/:id/logs
  POST /apps/:id/env-vars, DELETE /apps/:id/env-vars/:id
  POST /apps/:id/labels, DELETE /apps/:id/labels/:id
  POST /apps/:id/volumes, DELETE /apps/:id/volumes/:id
  POST /apps/:id/deploy
 ```
 ## Phase 2: High Priority (Core Functionality Gaps)
 ### 2.1 Container Logs
 - [x] Implement `HandleAppLogs()` in `internal/handlers/app.go`
  - Fetch logs via Docker API (`ContainerLogs`)
  - Support tail parameter (last N lines)
  - Stream logs with SSE or chunked response
 - [x] Add Docker client method `GetContainerLogs(containerID, tail int) (io.Reader, error)`
 ### 2.2 Manual Container Controls
 - [x] Add `POST /apps/:id/restart` endpoint
  - Stop and start container
  - Record restart in deployment log
 - [x] Add `POST /apps/:id/stop` endpoint
  - Stop container without deleting
  - Update app status
 - [x] Add `POST /apps/:id/start` endpoint
  - Start stopped container
  - Run health check
 ## Phase 3: Medium Priority (UX Improvements)
 ### 3.1 Edit Operations for Related Entities
 - [ ] Add `PUT /apps/:id/env-vars/:id` endpoint
  - Update existing environment variable value
  - Trigger container restart with new env
 - [ ] Add `PUT /apps/:id/labels/:id` endpoint
  - Update existing Docker label
 - [ ] Add `PUT /apps/:id/volumes/:id` endpoint
  - Update volume mount paths
  - Validate paths before saving
 ### 3.2 Deployment Rollback
 - [ ] Add `previous_image_id` column to apps table
  - Store last successful image ID before new deploy
 - [ ] Add `POST /apps/:id/rollback` endpoint
  - Stop current container
  - Start container with previous image
  - Create deployment record for rollback
 - [ ] Update deploy service to save previous image before building new one
 ### 3.3 Deployment Cancellation
 - [ ] Add cancellation context to deploy service
 - [ ] Add `POST /apps/:id/deployments/:id/cancel` endpoint
 - [ ] Handle cleanup of partial builds/containers
 ## Phase 4: Lower Priority (Nice to Have)
 ### 4.1 JSON API
 - [ ] Add `/api/v1` route group with JSON responses
 - [ ] Implement API endpoints mirroring web routes:
  - `GET /api/v1/apps` - list apps
  - `POST /api/v1/apps` - create app
  - `GET /api/v1/apps/:id` - get app details
  - `DELETE /api/v1/apps/:id` - delete app
  - `POST /api/v1/apps/:id/deploy` - trigger deploy
  - `GET /api/v1/apps/:id/deployments` - list deployments
 - [ ] Add API token authentication (separate from session auth)
 - [ ] Document API in README
 ### 4.2 Resource Limits
 - [ ] Add `cpu_limit` and `memory_limit` columns to apps table
 - [ ] Add fields to app edit form
 - [ ] Pass limits to Docker container create
 ### 4.3 UI Improvements
 - [ ] Add webhook event history page
  - Show received webhooks per app
  - Display match/no-match status
 - [ ] Add settings page
  - View/regenerate webhook secret
  - View SSH public key
 - [ ] Add real-time deployment log streaming
  - WebSocket or SSE for live build output
 ### 4.4 Observability
 - [ ] Add structured logging for all operations
 - [ ] Add Prometheus metrics for:
  - Deployment count/duration
  - Container health status
  - Webhook events received
 - [ ] Add audit log table for user actions
 ## Phase 5: Future Considerations
 - [ ] Multi-user support with roles
 - [ ] Private Docker registry authentication
 - [ ] Custom health check commands per app
 - [ ] Scheduled deployments
 - [ ] Backup/restore of app configurations
 - [ ] GitHub/GitLab webhook support (in addition to Gitea)
 ---
 ## Implementation Notes
 ### Server.Run() Example
 ```go
 func (s *Server) Run() error {
    s.SetupRoutes()
    srv := &http.Server{
        Addr:    s.config.ListenAddr,
        Handler: s.router,
    }
    go func() {
        <-s.shutdownCh
        ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
        defer cancel()
        srv.Shutdown(ctx)
    }()
    return srv.ListenAndServe()
 }
 ```
 ### SetupRoutes() Structure
 ```go
 func (s *Server) SetupRoutes() {
    r := chi.NewRouter()
    // Global middleware
    r.Use(s.middleware.RequestID)
    r.Use(s.middleware.Logger)
    r.Use(s.middleware.Recoverer)
    // Public routes
    r.Get("/health", s.handlers.HandleHealthCheck())
    r.Get("/login", s.handlers.HandleLoginPage())
    // ...
    // Protected routes
    r.Group(func(r chi.Router) {
        r.Use(s.middleware.SessionAuth)
        r.Get("/dashboard", s.handlers.HandleDashboard())
        // ...
    })
    s.router = r
 }
 ```
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -51,7 +51,8 @@ type Config struct {
 	MaintenanceMode bool
 	MetricsUsername string
 	MetricsPassword string
-	SessionSecret   string
+	SessionSecret   string //nolint:gosec // not a hardcoded credential, loaded from env/file
 	CORSOrigins     string
 	params          *Params
 	log             *slog.Logger
 }
@@ -102,6 +103,7 @@ func setupViper(name string) {
 	viper.SetDefault("METRICS_USERNAME", "")
 	viper.SetDefault("METRICS_PASSWORD", "")
 	viper.SetDefault("SESSION_SECRET", "")
 	viper.SetDefault("CORS_ORIGINS", "")
 }
 func buildConfig(log *slog.Logger, params *Params) (*Config, error) {
@@ -136,6 +138,7 @@ func buildConfig(log *slog.Logger, params *Params) (*Config, error) {
 		MetricsUsername: viper.GetString("METRICS_USERNAME"),
 		MetricsPassword: viper.GetString("METRICS_PASSWORD"),
 		SessionSecret:   viper.GetString("SESSION_SECRET"),
 		CORSOrigins:     viper.GetString("CORS_ORIGINS"),
 		params:          params,
 		log:             log,
 	}
--- a/internal/database/database.go
+++ b/internal/database/database.go
@@ -176,6 +176,13 @@ func HashWebhookSecret(secret string) string {
 	return hex.EncodeToString(sum[:])
 }
 // HashAPIToken returns the hex-encoded SHA-256 hash of an API token.
 func HashAPIToken(token string) string {
 	sum := sha256.Sum256([]byte(token))
 	return hex.EncodeToString(sum[:])
 }
 func (d *Database) backfillWebhookSecretHashes(ctx context.Context) error {
 	rows, err := d.database.QueryContext(ctx,
 		"SELECT id, webhook_secret FROM apps WHERE webhook_secret_hash = '' AND webhook_secret != ''")
--- a/internal/database/migrations/007_add_api_tokens.sql
+++ b/internal/database/migrations/007_add_api_tokens.sql
@@ -0,0 +1,12 @@
 CREATE TABLE IF NOT EXISTS api_tokens (
    id TEXT PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    name TEXT NOT NULL,
    token_hash TEXT NOT NULL,
    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
    expires_at DATETIME,
    last_used_at DATETIME
 );
 CREATE INDEX idx_api_tokens_user_id ON api_tokens(user_id);
 CREATE INDEX idx_api_tokens_token_hash ON api_tokens(token_hash);
--- a/internal/docker/client.go
+++ b/internal/docker/client.go
@@ -17,6 +17,7 @@ import (
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/mount"
 	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/client"
@@ -479,6 +480,20 @@ func (c *Client) CloneRepo(
 	return c.performClone(ctx, cfg)
 }
 // RemoveImage removes a Docker image by ID or tag.
 // It returns nil if the image was successfully removed or does not exist.
 func (c *Client) RemoveImage(ctx context.Context, imageID string) error {
 	_, err := c.docker.ImageRemove(ctx, imageID, image.RemoveOptions{
 		Force:         true,
 		PruneChildren: true,
 	})
 	if err != nil && !client.IsErrNotFound(err) {
 		return fmt.Errorf("failed to remove image %s: %w", imageID, err)
 	}
 	return nil
 }
 func (c *Client) performBuild(
 	ctx context.Context,
 	opts BuildImageOptions,
--- a/internal/handlers/api.go
+++ b/internal/handlers/api.go
@@ -0,0 +1,377 @@
 package handlers
 import (
 	"encoding/json"
 	"net/http"
 	"strconv"
 	"github.com/go-chi/chi/v5"
 	"git.eeqj.de/sneak/upaas/internal/models"
 	"git.eeqj.de/sneak/upaas/internal/service/app"
 )
 // apiAppResponse is the JSON representation of an app.
 type apiAppResponse struct {
 	ID             string `json:"id"`
 	Name           string `json:"name"`
 	RepoURL        string `json:"repoUrl"`
 	Branch         string `json:"branch"`
 	DockerfilePath string `json:"dockerfilePath"`
 	Status         string `json:"status"`
 	WebhookSecret  string `json:"webhookSecret"`
 	SSHPublicKey   string `json:"sshPublicKey"`
 	CreatedAt      string `json:"createdAt"`
 	UpdatedAt      string `json:"updatedAt"`
 }
 // apiDeploymentResponse is the JSON representation of a deployment.
 type apiDeploymentResponse struct {
 	ID         int64  `json:"id"`
 	AppID      string `json:"appId"`
 	CommitSHA  string `json:"commitSha,omitempty"`
 	Status     string `json:"status"`
 	Duration   string `json:"duration,omitempty"`
 	StartedAt  string `json:"startedAt"`
 	FinishedAt string `json:"finishedAt,omitempty"`
 }
 func appToAPI(a *models.App) apiAppResponse {
 	return apiAppResponse{
 		ID:             a.ID,
 		Name:           a.Name,
 		RepoURL:        a.RepoURL,
 		Branch:         a.Branch,
 		DockerfilePath: a.DockerfilePath,
 		Status:         string(a.Status),
 		WebhookSecret:  a.WebhookSecret,
 		SSHPublicKey:   a.SSHPublicKey,
 		CreatedAt:      a.CreatedAt.Format("2006-01-02T15:04:05Z"),
 		UpdatedAt:      a.UpdatedAt.Format("2006-01-02T15:04:05Z"),
 	}
 }
 func deploymentToAPI(d *models.Deployment) apiDeploymentResponse {
 	resp := apiDeploymentResponse{
 		ID:        d.ID,
 		AppID:     d.AppID,
 		Status:    string(d.Status),
 		Duration:  d.Duration(),
 		StartedAt: d.StartedAt.Format("2006-01-02T15:04:05Z"),
 	}
 	if d.CommitSHA.Valid {
 		resp.CommitSHA = d.CommitSHA.String
 	}
 	if d.FinishedAt.Valid {
 		resp.FinishedAt = d.FinishedAt.Time.Format("2006-01-02T15:04:05Z")
 	}
 	return resp
 }
 // HandleAPILoginPOST returns a handler that authenticates via JSON credentials
 // and sets a session cookie.
 func (h *Handlers) HandleAPILoginPOST() http.HandlerFunc {
 	type loginRequest struct {
 		Username string `json:"username"`
 		Password string `json:"password"` //nolint:gosec // request field, not a hardcoded credential
 	}
 	type loginResponse struct {
 		UserID   int64  `json:"userId"`
 		Username string `json:"username"`
 	}
 	return func(writer http.ResponseWriter, request *http.Request) {
 		var req loginRequest
 		decodeErr := json.NewDecoder(request.Body).Decode(&req)
 		if decodeErr != nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "invalid JSON body"},
 				http.StatusBadRequest)
 			return
 		}
 		if req.Username == "" || req.Password == "" {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "username and password are required"},
 				http.StatusBadRequest)
 			return
 		}
 		user, authErr := h.auth.Authenticate(request.Context(), req.Username, req.Password)
 		if authErr != nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "invalid credentials"},
 				http.StatusUnauthorized)
 			return
 		}
 		sessionErr := h.auth.CreateSession(writer, request, user)
 		if sessionErr != nil {
 			h.log.Error("api: failed to create session", "error", sessionErr)
 			h.respondJSON(writer, request,
 				map[string]string{"error": "failed to create session"},
 				http.StatusInternalServerError)
 			return
 		}
 		h.respondJSON(writer, request, loginResponse{
 			UserID:   user.ID,
 			Username: user.Username,
 		}, http.StatusOK)
 	}
 }
 // HandleAPIListApps returns a handler that lists all apps as JSON.
 func (h *Handlers) HandleAPIListApps() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		apps, err := h.appService.ListApps(request.Context())
 		if err != nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "failed to list apps"},
 				http.StatusInternalServerError)
 			return
 		}
 		result := make([]apiAppResponse, 0, len(apps))
 		for _, a := range apps {
 			result = append(result, appToAPI(a))
 		}
 		h.respondJSON(writer, request, result, http.StatusOK)
 	}
 }
 // HandleAPIGetApp returns a handler that gets a single app by ID.
 func (h *Handlers) HandleAPIGetApp() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		appID := chi.URLParam(request, "id")
 		application, err := h.appService.GetApp(request.Context(), appID)
 		if err != nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "internal server error"},
 				http.StatusInternalServerError)
 			return
 		}
 		if application == nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "app not found"},
 				http.StatusNotFound)
 			return
 		}
 		h.respondJSON(writer, request, appToAPI(application), http.StatusOK)
 	}
 }
 // HandleAPICreateApp returns a handler that creates a new app.
 func (h *Handlers) HandleAPICreateApp() http.HandlerFunc {
 	type createRequest struct {
 		Name           string `json:"name"`
 		RepoURL        string `json:"repoUrl"`
 		Branch         string `json:"branch"`
 		DockerfilePath string `json:"dockerfilePath"`
 		DockerNetwork  string `json:"dockerNetwork"`
 		NtfyTopic      string `json:"ntfyTopic"`
 		SlackWebhook   string `json:"slackWebhook"`
 	}
 	return func(writer http.ResponseWriter, request *http.Request) {
 		var req createRequest
 		decodeErr := json.NewDecoder(request.Body).Decode(&req)
 		if decodeErr != nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "invalid JSON body"},
 				http.StatusBadRequest)
 			return
 		}
 		if req.Name == "" || req.RepoURL == "" {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "name and repo_url are required"},
 				http.StatusBadRequest)
 			return
 		}
 		nameErr := validateAppName(req.Name)
 		if nameErr != nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "invalid app name: " + nameErr.Error()},
 				http.StatusBadRequest)
 			return
 		}
 		createdApp, createErr := h.appService.CreateApp(request.Context(), app.CreateAppInput{
 			Name:           req.Name,
 			RepoURL:        req.RepoURL,
 			Branch:         req.Branch,
 			DockerfilePath: req.DockerfilePath,
 			DockerNetwork:  req.DockerNetwork,
 			NtfyTopic:      req.NtfyTopic,
 			SlackWebhook:   req.SlackWebhook,
 		})
 		if createErr != nil {
 			h.log.Error("api: failed to create app", "error", createErr)
 			h.respondJSON(writer, request,
 				map[string]string{"error": "failed to create app"},
 				http.StatusInternalServerError)
 			return
 		}
 		h.respondJSON(writer, request, appToAPI(createdApp), http.StatusCreated)
 	}
 }
 // HandleAPIDeleteApp returns a handler that deletes an app.
 func (h *Handlers) HandleAPIDeleteApp() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		appID := chi.URLParam(request, "id")
 		application, err := h.appService.GetApp(request.Context(), appID)
 		if err != nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "internal server error"},
 				http.StatusInternalServerError)
 			return
 		}
 		if application == nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "app not found"},
 				http.StatusNotFound)
 			return
 		}
 		deleteErr := h.appService.DeleteApp(request.Context(), application)
 		if deleteErr != nil {
 			h.log.Error("api: failed to delete app", "error", deleteErr)
 			h.respondJSON(writer, request,
 				map[string]string{"error": "failed to delete app"},
 				http.StatusInternalServerError)
 			return
 		}
 		h.respondJSON(writer, request,
 			map[string]string{"status": "deleted"}, http.StatusOK)
 	}
 }
 // deploymentsPageLimit is the default number of deployments per page.
 const deploymentsPageLimit = 20
 // HandleAPIListDeployments returns a handler that lists deployments for an app.
 func (h *Handlers) HandleAPIListDeployments() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		appID := chi.URLParam(request, "id")
 		application, err := h.appService.GetApp(request.Context(), appID)
 		if err != nil || application == nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "app not found"},
 				http.StatusNotFound)
 			return
 		}
 		limit := deploymentsPageLimit
 		if l := request.URL.Query().Get("limit"); l != "" {
 			parsed, parseErr := strconv.Atoi(l)
 			if parseErr == nil && parsed > 0 {
 				limit = parsed
 			}
 		}
 		deployments, deployErr := application.GetDeployments(
 			request.Context(), limit,
 		)
 		if deployErr != nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "failed to list deployments"},
 				http.StatusInternalServerError)
 			return
 		}
 		result := make([]apiDeploymentResponse, 0, len(deployments))
 		for _, d := range deployments {
 			result = append(result, deploymentToAPI(d))
 		}
 		h.respondJSON(writer, request, result, http.StatusOK)
 	}
 }
 // HandleAPITriggerDeploy returns a handler that triggers a deployment for an app.
 func (h *Handlers) HandleAPITriggerDeploy() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		appID := chi.URLParam(request, "id")
 		application, err := h.appService.GetApp(request.Context(), appID)
 		if err != nil || application == nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "app not found"},
 				http.StatusNotFound)
 			return
 		}
 		deployErr := h.deploy.Deploy(request.Context(), application, nil, true)
 		if deployErr != nil {
 			h.log.Error("api: failed to trigger deploy", "error", deployErr)
 			h.respondJSON(writer, request,
 				map[string]string{"error": deployErr.Error()},
 				http.StatusConflict)
 			return
 		}
 		h.respondJSON(writer, request,
 			map[string]string{"status": "deploying"}, http.StatusAccepted)
 	}
 }
 // HandleAPIWhoAmI returns a handler that shows the current authenticated user.
 func (h *Handlers) HandleAPIWhoAmI() http.HandlerFunc {
 	type whoAmIResponse struct {
 		UserID   int64  `json:"userId"`
 		Username string `json:"username"`
 	}
 	return func(writer http.ResponseWriter, request *http.Request) {
 		user, err := h.auth.GetCurrentUser(request.Context(), request)
 		if err != nil || user == nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "unauthorized"},
 				http.StatusUnauthorized)
 			return
 		}
 		h.respondJSON(writer, request, whoAmIResponse{
 			UserID:   user.ID,
 			Username: user.Username,
 		}, http.StatusOK)
 	}
 }
--- a/internal/handlers/api_test.go
+++ b/internal/handlers/api_test.go
@@ -0,0 +1,299 @@
 package handlers_test
 import (
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
 	"github.com/go-chi/chi/v5"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 // apiRouter builds a chi router with the API routes using session auth middleware.
 func apiRouter(tc *testContext) http.Handler {
 	r := chi.NewRouter()
 	r.Route("/api/v1", func(apiR chi.Router) {
 		apiR.Post("/login", tc.handlers.HandleAPILoginPOST())
 		apiR.Group(func(apiR chi.Router) {
 			apiR.Use(tc.middleware.APISessionAuth())
 			apiR.Get("/whoami", tc.handlers.HandleAPIWhoAmI())
 			apiR.Get("/apps", tc.handlers.HandleAPIListApps())
 			apiR.Post("/apps", tc.handlers.HandleAPICreateApp())
 			apiR.Get("/apps/{id}", tc.handlers.HandleAPIGetApp())
 			apiR.Delete("/apps/{id}", tc.handlers.HandleAPIDeleteApp())
 			apiR.Post("/apps/{id}/deploy", tc.handlers.HandleAPITriggerDeploy())
 			apiR.Get("/apps/{id}/deployments", tc.handlers.HandleAPIListDeployments())
 		})
 	})
 	return r
 }
 // setupAPITest creates a test context with a user and returns session cookies.
 func setupAPITest(t *testing.T) (*testContext, []*http.Cookie) {
 	t.Helper()
 	tc := setupTestHandlers(t)
 	// Create a user.
 	_, err := tc.authSvc.CreateUser(t.Context(), "admin", "password123")
 	require.NoError(t, err)
 	// Login via the API to get session cookies.
 	r := apiRouter(tc)
 	loginBody := `{"username":"admin","password":"password123"}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(loginBody))
 	req.Header.Set("Content-Type", "application/json")
 	rr := httptest.NewRecorder()
 	r.ServeHTTP(rr, req)
 	require.Equal(t, http.StatusOK, rr.Code)
 	cookies := rr.Result().Cookies()
 	require.NotEmpty(t, cookies, "login should return session cookies")
 	return tc, cookies
 }
 // apiRequest makes an authenticated API request using session cookies.
 func apiRequest(
 	t *testing.T,
 	tc *testContext,
 	cookies []*http.Cookie,
 	method, path string,
 	body string,
 ) *httptest.ResponseRecorder {
 	t.Helper()
 	var req *http.Request
 	if body != "" {
 		req = httptest.NewRequest(method, path, strings.NewReader(body))
 		req.Header.Set("Content-Type", "application/json")
 	} else {
 		req = httptest.NewRequest(method, path, nil)
 	}
 	for _, c := range cookies {
 		req.AddCookie(c)
 	}
 	rr := httptest.NewRecorder()
 	r := apiRouter(tc)
 	r.ServeHTTP(rr, req)
 	return rr
 }
 func TestAPILoginSuccess(t *testing.T) {
 	t.Parallel()
 	tc := setupTestHandlers(t)
 	_, err := tc.authSvc.CreateUser(t.Context(), "admin", "password123")
 	require.NoError(t, err)
 	r := apiRouter(tc)
 	body := `{"username":"admin","password":"password123"}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(body))
 	req.Header.Set("Content-Type", "application/json")
 	rr := httptest.NewRecorder()
 	r.ServeHTTP(rr, req)
 	assert.Equal(t, http.StatusOK, rr.Code)
 	var resp map[string]any
 	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
 	assert.Equal(t, "admin", resp["username"])
 	// Should have a Set-Cookie header.
 	assert.NotEmpty(t, rr.Result().Cookies())
 }
 func TestAPILoginInvalidCredentials(t *testing.T) {
 	t.Parallel()
 	tc := setupTestHandlers(t)
 	_, err := tc.authSvc.CreateUser(t.Context(), "admin", "password123")
 	require.NoError(t, err)
 	r := apiRouter(tc)
 	body := `{"username":"admin","password":"wrong"}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(body))
 	req.Header.Set("Content-Type", "application/json")
 	rr := httptest.NewRecorder()
 	r.ServeHTTP(rr, req)
 	assert.Equal(t, http.StatusUnauthorized, rr.Code)
 }
 func TestAPILoginMissingFields(t *testing.T) {
 	t.Parallel()
 	tc := setupTestHandlers(t)
 	r := apiRouter(tc)
 	body := `{"username":"","password":""}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(body))
 	req.Header.Set("Content-Type", "application/json")
 	rr := httptest.NewRecorder()
 	r.ServeHTTP(rr, req)
 	assert.Equal(t, http.StatusBadRequest, rr.Code)
 }
 func TestAPIRejectsUnauthenticated(t *testing.T) {
 	t.Parallel()
 	tc := setupTestHandlers(t)
 	r := apiRouter(tc)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/apps", nil)
 	rr := httptest.NewRecorder()
 	r.ServeHTTP(rr, req)
 	assert.Equal(t, http.StatusUnauthorized, rr.Code)
 }
 func TestAPIWhoAmI(t *testing.T) {
 	t.Parallel()
 	tc, cookies := setupAPITest(t)
 	rr := apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/whoami", "")
 	assert.Equal(t, http.StatusOK, rr.Code)
 	var resp map[string]any
 	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
 	assert.Equal(t, "admin", resp["username"])
 }
 func TestAPIListAppsEmpty(t *testing.T) {
 	t.Parallel()
 	tc, cookies := setupAPITest(t)
 	rr := apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps", "")
 	assert.Equal(t, http.StatusOK, rr.Code)
 	var apps []any
 	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &apps))
 	assert.Empty(t, apps)
 }
 func TestAPICreateApp(t *testing.T) {
 	t.Parallel()
 	tc, cookies := setupAPITest(t)
 	body := `{"name":"test-app","repoUrl":"https://github.com/example/repo"}`
 	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
 	assert.Equal(t, http.StatusCreated, rr.Code)
 	var app map[string]any
 	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &app))
 	assert.Equal(t, "test-app", app["name"])
 	assert.Equal(t, "pending", app["status"])
 }
 func TestAPICreateAppValidation(t *testing.T) {
 	t.Parallel()
 	tc, cookies := setupAPITest(t)
 	body := `{"name":"","repoUrl":""}`
 	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
 	assert.Equal(t, http.StatusBadRequest, rr.Code)
 }
 func TestAPIGetApp(t *testing.T) {
 	t.Parallel()
 	tc, cookies := setupAPITest(t)
 	body := `{"name":"my-app","repoUrl":"https://github.com/example/repo"}`
 	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
 	require.Equal(t, http.StatusCreated, rr.Code)
 	var created map[string]any
 	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &created))
 	appID, ok := created["id"].(string)
 	require.True(t, ok)
 	rr = apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/"+appID, "")
 	assert.Equal(t, http.StatusOK, rr.Code)
 	var app map[string]any
 	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &app))
 	assert.Equal(t, "my-app", app["name"])
 }
 func TestAPIGetAppNotFound(t *testing.T) {
 	t.Parallel()
 	tc, cookies := setupAPITest(t)
 	rr := apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/nonexistent", "")
 	assert.Equal(t, http.StatusNotFound, rr.Code)
 }
 func TestAPIDeleteApp(t *testing.T) {
 	t.Parallel()
 	tc, cookies := setupAPITest(t)
 	body := `{"name":"delete-me","repoUrl":"https://github.com/example/repo"}`
 	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
 	require.Equal(t, http.StatusCreated, rr.Code)
 	var created map[string]any
 	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &created))
 	appID, ok := created["id"].(string)
 	require.True(t, ok)
 	rr = apiRequest(t, tc, cookies, http.MethodDelete, "/api/v1/apps/"+appID, "")
 	assert.Equal(t, http.StatusOK, rr.Code)
 	rr = apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/"+appID, "")
 	assert.Equal(t, http.StatusNotFound, rr.Code)
 }
 func TestAPIListDeployments(t *testing.T) {
 	t.Parallel()
 	tc, cookies := setupAPITest(t)
 	body := `{"name":"deploy-app","repoUrl":"https://github.com/example/repo"}`
 	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
 	require.Equal(t, http.StatusCreated, rr.Code)
 	var created map[string]any
 	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &created))
 	appID, ok := created["id"].(string)
 	require.True(t, ok)
 	rr = apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/"+appID+"/deployments", "")
 	assert.Equal(t, http.StatusOK, rr.Code)
 	var deployments []any
 	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &deployments))
 	assert.Empty(t, deployments)
 }
--- a/internal/handlers/api_token_test.go
+++ b/internal/handlers/api_token_test.go
@@ -0,0 +1,293 @@
 package handlers_test
 import (
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
 	"github.com/go-chi/chi/v5"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 // tokenRouter builds a chi router with token + app API routes.
 func tokenRouter(tc *testContext) http.Handler {
 	r := chi.NewRouter()
 	r.Route("/api/v1", func(apiR chi.Router) {
 		apiR.Post("/login", tc.handlers.HandleAPILoginPOST())
 		apiR.Group(func(apiR chi.Router) {
 			apiR.Use(tc.middleware.APISessionAuth())
 			apiR.Get("/whoami", tc.handlers.HandleAPIWhoAmI())
 			apiR.Post("/tokens", tc.handlers.HandleAPICreateToken())
 			apiR.Get("/tokens", tc.handlers.HandleAPIListTokens())
 			apiR.Delete(
 				"/tokens/{tokenID}",
 				tc.handlers.HandleAPIDeleteToken(),
 			)
 			apiR.Get("/apps", tc.handlers.HandleAPIListApps())
 		})
 	})
 	return r
 }
 func TestAPICreateToken(t *testing.T) {
 	t.Parallel()
 	tc, cookies := setupAPITest(t)
 	r := tokenRouter(tc)
 	body := `{"name":"my-ci-token"}`
 	req := httptest.NewRequest(
 		http.MethodPost, "/api/v1/tokens",
 		strings.NewReader(body),
 	)
 	req.Header.Set("Content-Type", "application/json")
 	for _, c := range cookies {
 		req.AddCookie(c)
 	}
 	rr := httptest.NewRecorder()
 	r.ServeHTTP(rr, req)
 	assert.Equal(t, http.StatusCreated, rr.Code)
 	var resp map[string]any
 	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
 	assert.Equal(t, "my-ci-token", resp["name"])
 	assert.Contains(t, resp["token"], "upaas_")
 	assert.NotEmpty(t, resp["id"])
 }
 func TestAPICreateTokenMissingName(t *testing.T) {
 	t.Parallel()
 	tc, cookies := setupAPITest(t)
 	r := tokenRouter(tc)
 	body := `{"name":""}`
 	req := httptest.NewRequest(
 		http.MethodPost, "/api/v1/tokens",
 		strings.NewReader(body),
 	)
 	req.Header.Set("Content-Type", "application/json")
 	for _, c := range cookies {
 		req.AddCookie(c)
 	}
 	rr := httptest.NewRecorder()
 	r.ServeHTTP(rr, req)
 	assert.Equal(t, http.StatusBadRequest, rr.Code)
 }
 func TestAPIListTokens(t *testing.T) {
 	t.Parallel()
 	tc, cookies := setupAPITest(t)
 	r := tokenRouter(tc)
 	// Create two tokens.
 	for _, name := range []string{"token-a", "token-b"} {
 		body := `{"name":"` + name + `"}`
 		req := httptest.NewRequest(
 			http.MethodPost, "/api/v1/tokens",
 			strings.NewReader(body),
 		)
 		req.Header.Set("Content-Type", "application/json")
 		for _, c := range cookies {
 			req.AddCookie(c)
 		}
 		rr := httptest.NewRecorder()
 		r.ServeHTTP(rr, req)
 		require.Equal(t, http.StatusCreated, rr.Code)
 	}
 	// List tokens.
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/tokens", nil)
 	for _, c := range cookies {
 		req.AddCookie(c)
 	}
 	rr := httptest.NewRecorder()
 	r.ServeHTTP(rr, req)
 	assert.Equal(t, http.StatusOK, rr.Code)
 	var tokens []map[string]any
 	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &tokens))
 	assert.Len(t, tokens, 2)
 	// Plaintext token must NOT appear in list.
 	for _, tok := range tokens {
 		assert.Nil(t, tok["token"])
 	}
 }
 func TestAPIDeleteToken(t *testing.T) {
 	t.Parallel()
 	tc, cookies := setupAPITest(t)
 	r := tokenRouter(tc)
 	// Create a token.
 	body := `{"name":"delete-me"}`
 	req := httptest.NewRequest(
 		http.MethodPost, "/api/v1/tokens",
 		strings.NewReader(body),
 	)
 	req.Header.Set("Content-Type", "application/json")
 	for _, c := range cookies {
 		req.AddCookie(c)
 	}
 	rr := httptest.NewRecorder()
 	r.ServeHTTP(rr, req)
 	require.Equal(t, http.StatusCreated, rr.Code)
 	var created map[string]any
 	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &created))
 	tokenID, ok := created["id"].(string)
 	require.True(t, ok)
 	// Delete it.
 	req = httptest.NewRequest(
 		http.MethodDelete, "/api/v1/tokens/"+tokenID, nil,
 	)
 	for _, c := range cookies {
 		req.AddCookie(c)
 	}
 	rr = httptest.NewRecorder()
 	r.ServeHTTP(rr, req)
 	assert.Equal(t, http.StatusOK, rr.Code)
 	// List should be empty.
 	req = httptest.NewRequest(http.MethodGet, "/api/v1/tokens", nil)
 	for _, c := range cookies {
 		req.AddCookie(c)
 	}
 	rr = httptest.NewRecorder()
 	r.ServeHTTP(rr, req)
 	var tokens []map[string]any
 	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &tokens))
 	assert.Empty(t, tokens)
 }
 func TestAPIBearerTokenAuth(t *testing.T) {
 	t.Parallel()
 	tc, cookies := setupAPITest(t)
 	r := tokenRouter(tc)
 	// Create a token via session auth.
 	body := `{"name":"bearer-test"}`
 	req := httptest.NewRequest(
 		http.MethodPost, "/api/v1/tokens",
 		strings.NewReader(body),
 	)
 	req.Header.Set("Content-Type", "application/json")
 	for _, c := range cookies {
 		req.AddCookie(c)
 	}
 	rr := httptest.NewRecorder()
 	r.ServeHTTP(rr, req)
 	require.Equal(t, http.StatusCreated, rr.Code)
 	var created map[string]any
 	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &created))
 	plaintext, ok := created["token"].(string)
 	require.True(t, ok)
 	// Use Bearer token to access an authenticated endpoint.
 	req = httptest.NewRequest(http.MethodGet, "/api/v1/apps", nil)
 	req.Header.Set("Authorization", "Bearer "+plaintext)
 	rr = httptest.NewRecorder()
 	r.ServeHTTP(rr, req)
 	assert.Equal(t, http.StatusOK, rr.Code)
 }
 func TestAPIBearerTokenInvalid(t *testing.T) {
 	t.Parallel()
 	tc := setupTestHandlers(t)
 	r := tokenRouter(tc)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/apps", nil)
 	req.Header.Set("Authorization", "Bearer upaas_invalidtoken1234567890ab")
 	rr := httptest.NewRecorder()
 	r.ServeHTTP(rr, req)
 	assert.Equal(t, http.StatusUnauthorized, rr.Code)
 }
 func TestAPIBearerTokenRevoked(t *testing.T) {
 	t.Parallel()
 	tc, cookies := setupAPITest(t)
 	r := tokenRouter(tc)
 	// Create then delete a token.
 	body := `{"name":"revoke-test"}`
 	req := httptest.NewRequest(
 		http.MethodPost, "/api/v1/tokens",
 		strings.NewReader(body),
 	)
 	req.Header.Set("Content-Type", "application/json")
 	for _, c := range cookies {
 		req.AddCookie(c)
 	}
 	rr := httptest.NewRecorder()
 	r.ServeHTTP(rr, req)
 	require.Equal(t, http.StatusCreated, rr.Code)
 	var created map[string]any
 	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &created))
 	plaintext, ok := created["token"].(string)
 	require.True(t, ok)
 	tokenID, ok := created["id"].(string)
 	require.True(t, ok)
 	// Delete (revoke) the token.
 	req = httptest.NewRequest(
 		http.MethodDelete, "/api/v1/tokens/"+tokenID, nil,
 	)
 	for _, c := range cookies {
 		req.AddCookie(c)
 	}
 	rr = httptest.NewRecorder()
 	r.ServeHTTP(rr, req)
 	require.Equal(t, http.StatusOK, rr.Code)
 	// Try to use the revoked token.
 	req = httptest.NewRequest(http.MethodGet, "/api/v1/apps", nil)
 	req.Header.Set("Authorization", "Bearer "+plaintext)
 	rr = httptest.NewRecorder()
 	r.ServeHTTP(rr, req)
 	assert.Equal(t, http.StatusUnauthorized, rr.Code)
 }
--- a/internal/handlers/api_tokens.go
+++ b/internal/handlers/api_tokens.go
@@ -0,0 +1,220 @@
 package handlers
 import (
 	"context"
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"github.com/go-chi/chi/v5"
 	"git.eeqj.de/sneak/upaas/internal/database"
 	"git.eeqj.de/sneak/upaas/internal/models"
 )
 // apiTokenResponse is the JSON representation of an API token.
 type apiTokenResponse struct {
 	ID         string  `json:"id"`
 	Name       string  `json:"name"`
 	CreatedAt  string  `json:"createdAt"`
 	ExpiresAt  *string `json:"expiresAt,omitempty"`
 	LastUsedAt *string `json:"lastUsedAt,omitempty"`
 }
 // apiTokenCreateResponse includes the plaintext token (shown once).
 type apiTokenCreateResponse struct {
 	apiTokenResponse
 	Token string `json:"token"`
 }
 func tokenToAPI(t *models.APIToken) apiTokenResponse {
 	resp := apiTokenResponse{
 		ID:        t.ID,
 		Name:      t.Name,
 		CreatedAt: t.CreatedAt.Format("2006-01-02T15:04:05Z"),
 	}
 	if t.ExpiresAt.Valid {
 		s := t.ExpiresAt.Time.Format("2006-01-02T15:04:05Z")
 		resp.ExpiresAt = &s
 	}
 	if t.LastUsedAt.Valid {
 		s := t.LastUsedAt.Time.Format("2006-01-02T15:04:05Z")
 		resp.LastUsedAt = &s
 	}
 	return resp
 }
 // createTokenRequest is the JSON body for token creation.
 type createTokenRequest struct {
 	Name string `json:"name"`
 }
 // createAndSaveToken generates a token, saves it, and returns
 // the plaintext and model.
 func (h *Handlers) createAndSaveToken(
 	ctx context.Context,
 	userID int64,
 	name string,
 ) (string, *models.APIToken, error) {
 	plaintext, err := models.GenerateToken()
 	if err != nil {
 		return "", nil, fmt.Errorf("generating: %w", err)
 	}
 	token := models.NewAPIToken(h.db)
 	token.UserID = userID
 	token.Name = name
 	token.TokenHash = database.HashAPIToken(plaintext)
 	saveErr := token.Save(ctx)
 	if saveErr != nil {
 		return "", nil, fmt.Errorf("saving: %w", saveErr)
 	}
 	return plaintext, token, nil
 }
 // HandleAPICreateToken returns a handler that creates an API token.
 func (h *Handlers) HandleAPICreateToken() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		user, err := h.auth.GetCurrentUser(
 			request.Context(), request,
 		)
 		if err != nil || user == nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "unauthorized"},
 				http.StatusUnauthorized)
 			return
 		}
 		var req createTokenRequest
 		decodeErr := json.NewDecoder(request.Body).Decode(&req)
 		if decodeErr != nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "invalid JSON body"},
 				http.StatusBadRequest)
 			return
 		}
 		if req.Name == "" {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "name is required"},
 				http.StatusBadRequest)
 			return
 		}
 		plaintext, token, createErr := h.createAndSaveToken(
 			request.Context(), user.ID, req.Name,
 		)
 		if createErr != nil {
 			h.log.Error("api: token creation failed",
 				"error", createErr)
 			h.respondJSON(writer, request,
 				map[string]string{"error": "internal error"},
 				http.StatusInternalServerError)
 			return
 		}
 		h.respondJSON(writer, request, apiTokenCreateResponse{
 			apiTokenResponse: tokenToAPI(token),
 			Token:            plaintext,
 		}, http.StatusCreated)
 	}
 }
 // HandleAPIListTokens returns a handler that lists API tokens.
 func (h *Handlers) HandleAPIListTokens() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		user, err := h.auth.GetCurrentUser(
 			request.Context(), request,
 		)
 		if err != nil || user == nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "unauthorized"},
 				http.StatusUnauthorized)
 			return
 		}
 		tokens, listErr := models.ListAPITokensByUser(
 			request.Context(), h.db, user.ID,
 		)
 		if listErr != nil {
 			h.log.Error("api: failed to list tokens",
 				"error", listErr)
 			h.respondJSON(writer, request,
 				map[string]string{"error": "internal error"},
 				http.StatusInternalServerError)
 			return
 		}
 		result := make([]apiTokenResponse, 0, len(tokens))
 		for _, t := range tokens {
 			result = append(result, tokenToAPI(t))
 		}
 		h.respondJSON(writer, request, result, http.StatusOK)
 	}
 }
 // HandleAPIDeleteToken returns a handler that revokes an API token.
 func (h *Handlers) HandleAPIDeleteToken() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		user, err := h.auth.GetCurrentUser(
 			request.Context(), request,
 		)
 		if err != nil || user == nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "unauthorized"},
 				http.StatusUnauthorized)
 			return
 		}
 		tokenID := chi.URLParam(request, "tokenID")
 		token, findErr := models.FindAPIToken(
 			request.Context(), h.db, tokenID,
 		)
 		if findErr != nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "internal error"},
 				http.StatusInternalServerError)
 			return
 		}
 		if token == nil || token.UserID != user.ID {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "token not found"},
 				http.StatusNotFound)
 			return
 		}
 		deleteErr := token.Delete(request.Context())
 		if deleteErr != nil {
 			h.log.Error("api: failed to delete token",
 				"error", deleteErr)
 			h.respondJSON(writer, request,
 				map[string]string{"error": "internal error"},
 				http.StatusInternalServerError)
 			return
 		}
 		h.respondJSON(writer, request,
 			map[string]string{"status": "deleted"},
 			http.StatusOK)
 	}
 }
--- a/internal/handlers/app.go
+++ b/internal/handlers/app.go
@@ -4,6 +4,8 @@ import (
 	"context"
 	"database/sql"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
 	"os"
 	"path/filepath"
@@ -497,7 +499,8 @@ func (h *Handlers) HandleAppLogs() http.HandlerFunc {
 			return
 		}
-		_, _ = writer.Write([]byte(logs))
+		//nolint:gosec // logs sanitized: ANSI escapes and control chars stripped
 		_, _ = writer.Write([]byte(SanitizeLogs(logs)))
 	}
 }
@@ -536,7 +539,7 @@ func (h *Handlers) HandleDeploymentLogsAPI() http.HandlerFunc {
 		}
 		response := map[string]any{
-			"logs":   logs,
+			"logs":   SanitizeLogs(logs),
 			"status": deployment.Status,
 		}
@@ -580,7 +583,7 @@ func (h *Handlers) HandleDeploymentLogDownload() http.HandlerFunc {
 		}
 		// Check if file exists
-		_, err := os.Stat(logPath)
+		_, err := os.Stat(logPath) //nolint:gosec // logPath is constructed by deploy service, not from user input
 		if os.IsNotExist(err) {
 			http.NotFound(writer, request)
@@ -659,7 +662,7 @@ func (h *Handlers) HandleContainerLogsAPI() http.HandlerFunc {
 		}
 		response := map[string]any{
-			"logs":   logs,
+			"logs":   SanitizeLogs(logs),
 			"status": status,
 		}
@@ -1140,6 +1143,207 @@ func (h *Handlers) HandlePortDelete() http.HandlerFunc {
 	}
 }
 // ErrVolumePathEmpty is returned when a volume path is empty.
 var ErrVolumePathEmpty = errors.New("path must not be empty")
 // ErrVolumePathNotAbsolute is returned when a volume path is not absolute.
 var ErrVolumePathNotAbsolute = errors.New("path must be absolute")
 // ErrVolumePathNotClean is returned when a volume path is not clean.
 var ErrVolumePathNotClean = errors.New("path must be clean")
 // ValidateVolumePath checks that a path is absolute and clean.
 func ValidateVolumePath(p string) error {
 	if p == "" {
 		return ErrVolumePathEmpty
 	}
 	if !filepath.IsAbs(p) {
 		return ErrVolumePathNotAbsolute
 	}
 	cleaned := filepath.Clean(p)
 	if cleaned != p {
 		return fmt.Errorf("%w (expected %q)", ErrVolumePathNotClean, cleaned)
 	}
 	return nil
 }
 // HandleEnvVarEdit handles editing an existing environment variable.
 func (h *Handlers) HandleEnvVarEdit() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		appID := chi.URLParam(request, "id")
 		envVarIDStr := chi.URLParam(request, "varID")
 		envVarID, parseErr := strconv.ParseInt(envVarIDStr, 10, 64)
 		if parseErr != nil {
 			http.NotFound(writer, request)
 			return
 		}
 		envVar, findErr := models.FindEnvVar(request.Context(), h.db, envVarID)
 		if findErr != nil || envVar == nil || envVar.AppID != appID {
 			http.NotFound(writer, request)
 			return
 		}
 		formErr := request.ParseForm()
 		if formErr != nil {
 			http.Error(writer, "Bad Request", http.StatusBadRequest)
 			return
 		}
 		key := request.FormValue("key")
 		value := request.FormValue("value")
 		if key == "" || value == "" {
 			http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
 			return
 		}
 		envVar.Key = key
 		envVar.Value = value
 		saveErr := envVar.Save(request.Context())
 		if saveErr != nil {
 			h.log.Error("failed to update env var", "error", saveErr)
 		}
 		http.Redirect(
 			writer,
 			request,
 			"/apps/"+appID+"?success=env-updated",
 			http.StatusSeeOther,
 		)
 	}
 }
 // HandleLabelEdit handles editing an existing label.
 func (h *Handlers) HandleLabelEdit() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		appID := chi.URLParam(request, "id")
 		labelIDStr := chi.URLParam(request, "labelID")
 		labelID, parseErr := strconv.ParseInt(labelIDStr, 10, 64)
 		if parseErr != nil {
 			http.NotFound(writer, request)
 			return
 		}
 		label, findErr := models.FindLabel(request.Context(), h.db, labelID)
 		if findErr != nil || label == nil || label.AppID != appID {
 			http.NotFound(writer, request)
 			return
 		}
 		formErr := request.ParseForm()
 		if formErr != nil {
 			http.Error(writer, "Bad Request", http.StatusBadRequest)
 			return
 		}
 		key := request.FormValue("key")
 		value := request.FormValue("value")
 		if key == "" || value == "" {
 			http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
 			return
 		}
 		label.Key = key
 		label.Value = value
 		saveErr := label.Save(request.Context())
 		if saveErr != nil {
 			h.log.Error("failed to update label", "error", saveErr)
 		}
 		http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
 	}
 }
 // HandleVolumeEdit handles editing an existing volume mount.
 func (h *Handlers) HandleVolumeEdit() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		appID := chi.URLParam(request, "id")
 		volumeIDStr := chi.URLParam(request, "volumeID")
 		volumeID, parseErr := strconv.ParseInt(volumeIDStr, 10, 64)
 		if parseErr != nil {
 			http.NotFound(writer, request)
 			return
 		}
 		volume, findErr := models.FindVolume(request.Context(), h.db, volumeID)
 		if findErr != nil || volume == nil || volume.AppID != appID {
 			http.NotFound(writer, request)
 			return
 		}
 		formErr := request.ParseForm()
 		if formErr != nil {
 			http.Error(writer, "Bad Request", http.StatusBadRequest)
 			return
 		}
 		hostPath := request.FormValue("host_path")
 		containerPath := request.FormValue("container_path")
 		readOnly := request.FormValue("readonly") == "1"
 		if hostPath == "" || containerPath == "" {
 			http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
 			return
 		}
 		pathErr := validateVolumePaths(hostPath, containerPath)
 		if pathErr != nil {
 			h.log.Error("invalid volume path", "error", pathErr)
 			http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
 			return
 		}
 		volume.HostPath = hostPath
 		volume.ContainerPath = containerPath
 		volume.ReadOnly = readOnly
 		saveErr := volume.Save(request.Context())
 		if saveErr != nil {
 			h.log.Error("failed to update volume", "error", saveErr)
 		}
 		http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
 	}
 }
 // validateVolumePaths validates both host and container paths for a volume.
 func validateVolumePaths(hostPath, containerPath string) error {
 	hostErr := ValidateVolumePath(hostPath)
 	if hostErr != nil {
 		return fmt.Errorf("host path: %w", hostErr)
 	}
 	containerErr := ValidateVolumePath(containerPath)
 	if containerErr != nil {
 		return fmt.Errorf("container path: %w", containerErr)
 	}
 	return nil
 }
 // formatDeployKey formats an SSH public key with a descriptive comment.
 // Format: ssh-ed25519 AAAA... upaas_2025-01-15_myapp
 func formatDeployKey(pubKey string, createdAt time.Time, appName string) string {
--- a/internal/handlers/handlers_test.go
+++ b/internal/handlers/handlers_test.go
@@ -24,6 +24,7 @@ import (
 	"git.eeqj.de/sneak/upaas/internal/handlers"
 	"git.eeqj.de/sneak/upaas/internal/healthcheck"
 	"git.eeqj.de/sneak/upaas/internal/logger"
 	"git.eeqj.de/sneak/upaas/internal/middleware"
 	"git.eeqj.de/sneak/upaas/internal/service/app"
 	"git.eeqj.de/sneak/upaas/internal/service/auth"
 	"git.eeqj.de/sneak/upaas/internal/service/deploy"
@@ -36,6 +37,7 @@ type testContext struct {
 	database   *database.Database
 	authSvc    *auth.Service
 	appSvc     *app.Service
 	middleware *middleware.Middleware
 }
 func createTestConfig(t *testing.T) *config.Config {
@@ -166,11 +168,21 @@ func setupTestHandlers(t *testing.T) *testContext {
 	)
 	require.NoError(t, handlerErr)
 	mw, mwErr := middleware.New(fx.Lifecycle(nil), middleware.Params{
 		Logger:   logInstance,
 		Globals:  globalInstance,
 		Config:   cfg,
 		Auth:     authSvc,
 		Database: dbInstance,
 	})
 	require.NoError(t, mwErr)
 	return &testContext{
 		handlers:   handlersInstance,
 		database:   dbInstance,
 		authSvc:    authSvc,
 		appSvc:     appSvc,
 		middleware: mw,
 	}
 }
--- a/internal/handlers/sanitize.go
+++ b/internal/handlers/sanitize.go
@@ -0,0 +1,30 @@
 package handlers
 import (
 	"regexp"
 	"strings"
 )
 // ansiEscapePattern matches ANSI escape sequences (CSI, OSC, and single-character escapes).
 var ansiEscapePattern = regexp.MustCompile(`(\x1b\[[0-9;]*[a-zA-Z]|\x1b\][^\x07]*\x07|\x1b[^[\]])`)
 // SanitizeLogs strips ANSI escape sequences and non-printable control characters
 // from container log output. Newlines (\n), carriage returns (\r), and tabs (\t)
 // are preserved. This ensures that attacker-controlled container output cannot
 // inject terminal escape sequences or other dangerous control characters.
 func SanitizeLogs(input string) string {
 	// Strip ANSI escape sequences
 	result := ansiEscapePattern.ReplaceAllString(input, "")
 	// Strip remaining non-printable characters (keep \n, \r, \t)
 	var b strings.Builder
 	b.Grow(len(result))
 	for _, r := range result {
 		if r == '\n' || r == '\r' || r == '\t' || r >= ' ' {
 			b.WriteRune(r)
 		}
 	}
 	return b.String()
 }
--- a/internal/handlers/sanitize_test.go
+++ b/internal/handlers/sanitize_test.go
@@ -0,0 +1,84 @@
 package handlers_test
 import (
 	"testing"
 	"git.eeqj.de/sneak/upaas/internal/handlers"
 )
 func TestSanitizeLogs(t *testing.T) { //nolint:funlen // table-driven tests
 	t.Parallel()
 	tests := []struct {
 		name     string
 		input    string
 		expected string
 	}{
 		{
 			name:     "plain text unchanged",
 			input:    "hello world\n",
 			expected: "hello world\n",
 		},
 		{
 			name:     "strips ANSI color codes",
 			input:    "\x1b[31mERROR\x1b[0m: something failed\n",
 			expected: "ERROR: something failed\n",
 		},
 		{
 			name:     "strips OSC sequences",
 			input:    "\x1b]0;window title\x07normal text\n",
 			expected: "normal text\n",
 		},
 		{
 			name:     "strips null bytes",
 			input:    "hello\x00world\n",
 			expected: "helloworld\n",
 		},
 		{
 			name:     "strips bell characters",
 			input:    "alert\x07here\n",
 			expected: "alerthere\n",
 		},
 		{
 			name:     "preserves tabs",
 			input:    "field1\tfield2\tfield3\n",
 			expected: "field1\tfield2\tfield3\n",
 		},
 		{
 			name:     "preserves carriage returns",
 			input:    "line1\r\nline2\r\n",
 			expected: "line1\r\nline2\r\n",
 		},
 		{
 			name:     "strips mixed escape sequences",
 			input:    "\x1b[32m2024-01-01\x1b[0m \x1b[1mINFO\x1b[0m starting\x00\n",
 			expected: "2024-01-01 INFO starting\n",
 		},
 		{
 			name:     "empty string",
 			input:    "",
 			expected: "",
 		},
 		{
 			name:     "only control characters",
 			input:    "\x00\x01\x02\x03",
 			expected: "",
 		},
 		{
 			name:     "cursor movement sequences stripped",
 			input:    "\x1b[2J\x1b[H\x1b[3Atext\n",
 			expected: "text\n",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 			got := handlers.SanitizeLogs(tt.input)
 			if got != tt.expected {
 				t.Errorf("SanitizeLogs(%q) = %q, want %q", tt.input, got, tt.expected)
 			}
 		})
 	}
 }
--- a/internal/handlers/volume_validation_test.go
+++ b/internal/handlers/volume_validation_test.go
@@ -0,0 +1,34 @@
 package handlers //nolint:testpackage // tests exported ValidateVolumePath function
 import "testing"
 func TestValidateVolumePath(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
 		name    string
 		path    string
 		wantErr bool
 	}{
 		{"valid absolute path", "/data/myapp", false},
 		{"root path", "/", false},
 		{"empty path", "", true},
 		{"relative path", "data/myapp", true},
 		{"path with dotdot", "/data/../etc", true},
 		{"path with trailing slash", "/data/", true},
 		{"path with double slash", "/data//myapp", true},
 		{"single dot path", ".", true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 			err := ValidateVolumePath(tt.path)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("ValidateVolumePath(%q) error = %v, wantErr %v",
 					tt.path, err, tt.wantErr)
 			}
 		})
 	}
 }
--- a/internal/middleware/bearer_auth_test.go
+++ b/internal/middleware/bearer_auth_test.go
@@ -0,0 +1,160 @@
 package middleware_test
 import (
 	"net/http"
 	"net/http/httptest"
 	"path/filepath"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"
 	"git.eeqj.de/sneak/upaas/internal/config"
 	"git.eeqj.de/sneak/upaas/internal/database"
 	"git.eeqj.de/sneak/upaas/internal/globals"
 	"git.eeqj.de/sneak/upaas/internal/logger"
 	"git.eeqj.de/sneak/upaas/internal/middleware"
 	"git.eeqj.de/sneak/upaas/internal/models"
 	"git.eeqj.de/sneak/upaas/internal/service/auth"
 )
 // setupMiddleware creates a Middleware with a real SQLite database for
 // integration testing.
 func setupMiddleware(t *testing.T) (*middleware.Middleware, *auth.Service, *database.Database) {
 	t.Helper()
 	tmpDir := t.TempDir()
 	globals.SetAppname("upaas-test")
 	globals.SetVersion("test")
 	globalsInst, err := globals.New(fx.Lifecycle(nil))
 	require.NoError(t, err)
 	loggerInst, err := logger.New(
 		fx.Lifecycle(nil),
 		logger.Params{Globals: globalsInst},
 	)
 	require.NoError(t, err)
 	cfg := &config.Config{
 		Port:          8080,
 		DataDir:       tmpDir,
 		SessionSecret: "test-secret-key-at-least-32-chars!!",
 	}
 	_ = filepath.Join(tmpDir, "upaas.db")
 	dbInst, err := database.New(fx.Lifecycle(nil), database.Params{
 		Logger: loggerInst,
 		Config: cfg,
 	})
 	require.NoError(t, err)
 	authSvc, err := auth.New(fx.Lifecycle(nil), auth.ServiceParams{
 		Logger:   loggerInst,
 		Config:   cfg,
 		Database: dbInst,
 	})
 	require.NoError(t, err)
 	mw, err := middleware.New(fx.Lifecycle(nil), middleware.Params{
 		Logger:   loggerInst,
 		Globals:  globalsInst,
 		Config:   cfg,
 		Auth:     authSvc,
 		Database: dbInst,
 	})
 	require.NoError(t, err)
 	return mw, authSvc, dbInst
 }
 func TestAPISessionAuth_BearerTokenSetsUserContext(t *testing.T) {
 	t.Parallel()
 	mw, authSvc, dbInst := setupMiddleware(t)
 	ctx := t.Context()
 	// Create a user.
 	user, err := authSvc.CreateUser(ctx, "testuser", "password123")
 	require.NoError(t, err)
 	require.NotNil(t, user)
 	// Create an API token for the user.
 	rawToken, err := models.GenerateToken()
 	require.NoError(t, err)
 	tokenHash := database.HashAPIToken(rawToken)
 	apiToken := models.NewAPIToken(dbInst)
 	apiToken.UserID = user.ID
 	apiToken.Name = "test-token"
 	apiToken.TokenHash = tokenHash
 	err = apiToken.Save(ctx)
 	require.NoError(t, err)
 	// Build a handler behind APISessionAuth that checks user context.
 	var gotUser *models.User
 	var getUserErr error
 	handler := mw.APISessionAuth()(http.HandlerFunc(
 		func(w http.ResponseWriter, r *http.Request) {
 			gotUser, getUserErr = authSvc.GetCurrentUser(r.Context(), r)
 			w.WriteHeader(http.StatusOK)
 		},
 	))
 	// Make request with bearer token.
 	req := httptest.NewRequest(http.MethodGet, "/api/test", nil)
 	req.Header.Set("Authorization", "Bearer "+rawToken)
 	rec := httptest.NewRecorder()
 	handler.ServeHTTP(rec, req)
 	assert.Equal(t, http.StatusOK, rec.Code)
 	require.NoError(t, getUserErr)
 	require.NotNil(t, gotUser, "GetCurrentUser should return the user for bearer auth")
 	assert.Equal(t, user.ID, gotUser.ID)
 	assert.Equal(t, "testuser", gotUser.Username)
 }
 func TestAPISessionAuth_NoBearerTokenReturns401(t *testing.T) {
 	t.Parallel()
 	mw, _, _ := setupMiddleware(t)
 	handler := mw.APISessionAuth()(http.HandlerFunc(
 		func(w http.ResponseWriter, _ *http.Request) {
 			w.WriteHeader(http.StatusOK)
 		},
 	))
 	req := httptest.NewRequest(http.MethodGet, "/api/test", nil)
 	rec := httptest.NewRecorder()
 	handler.ServeHTTP(rec, req)
 	assert.Equal(t, http.StatusUnauthorized, rec.Code)
 }
 func TestAPISessionAuth_InvalidBearerTokenReturns401(t *testing.T) {
 	t.Parallel()
 	mw, _, _ := setupMiddleware(t)
 	handler := mw.APISessionAuth()(http.HandlerFunc(
 		func(w http.ResponseWriter, _ *http.Request) {
 			w.WriteHeader(http.StatusOK)
 		},
 	))
 	req := httptest.NewRequest(http.MethodGet, "/api/test", nil)
 	req.Header.Set("Authorization", "Bearer invalid-token")
 	rec := httptest.NewRecorder()
 	handler.ServeHTTP(rec, req)
 	assert.Equal(t, http.StatusUnauthorized, rec.Code)
 }
--- a/internal/middleware/cors_test.go
+++ b/internal/middleware/cors_test.go
@@ -0,0 +1,81 @@
 package middleware //nolint:testpackage // tests internal CORS behavior
 import (
 	"log/slog"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"git.eeqj.de/sneak/upaas/internal/config"
 )
 //nolint:gosec // test credentials
 func newCORSTestMiddleware(corsOrigins string) *Middleware {
 	return &Middleware{
 		log: slog.Default(),
 		params: &Params{
 			Config: &config.Config{
 				CORSOrigins:   corsOrigins,
 				SessionSecret: "test-secret-32-bytes-long-enough",
 			},
 		},
 	}
 }
 func TestCORS_NoOriginsConfigured_NoCORSHeaders(t *testing.T) {
 	t.Parallel()
 	m := newCORSTestMiddleware("")
 	handler := m.CORS()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 	req := httptest.NewRequest(http.MethodGet, "/", nil)
 	req.Header.Set("Origin", "https://evil.com")
 	rec := httptest.NewRecorder()
 	handler.ServeHTTP(rec, req)
 	assert.Empty(t, rec.Header().Get("Access-Control-Allow-Origin"),
 		"expected no CORS headers when no origins configured")
 }
 func TestCORS_OriginsConfigured_AllowsMatchingOrigin(t *testing.T) {
 	t.Parallel()
 	m := newCORSTestMiddleware("https://app.example.com,https://other.example.com")
 	handler := m.CORS()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 	req := httptest.NewRequest(http.MethodGet, "/", nil)
 	req.Header.Set("Origin", "https://app.example.com")
 	rec := httptest.NewRecorder()
 	handler.ServeHTTP(rec, req)
 	assert.Equal(t, "https://app.example.com",
 		rec.Header().Get("Access-Control-Allow-Origin"))
 	assert.Equal(t, "true",
 		rec.Header().Get("Access-Control-Allow-Credentials"))
 }
 func TestCORS_OriginsConfigured_RejectsNonMatchingOrigin(t *testing.T) {
 	t.Parallel()
 	m := newCORSTestMiddleware("https://app.example.com")
 	handler := m.CORS()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 	req := httptest.NewRequest(http.MethodGet, "/", nil)
 	req.Header.Set("Origin", "https://evil.com")
 	rec := httptest.NewRecorder()
 	handler.ServeHTTP(rec, req)
 	assert.Empty(t, rec.Header().Get("Access-Control-Allow-Origin"),
 		"expected no CORS headers for non-matching origin")
 }
--- a/internal/middleware/middleware.go
+++ b/internal/middleware/middleware.go
@@ -19,8 +19,10 @@ import (
 	"golang.org/x/time/rate"
 	"git.eeqj.de/sneak/upaas/internal/config"
 	"git.eeqj.de/sneak/upaas/internal/database"
 	"git.eeqj.de/sneak/upaas/internal/globals"
 	"git.eeqj.de/sneak/upaas/internal/logger"
 	"git.eeqj.de/sneak/upaas/internal/models"
 	"git.eeqj.de/sneak/upaas/internal/service/auth"
 )
@@ -35,6 +37,7 @@ type Params struct {
 	Globals  *globals.Globals
 	Config   *config.Config
 	Auth     *auth.Service
 	Database *database.Database
 }
 // Middleware provides HTTP middleware.
@@ -177,17 +180,48 @@ func realIP(r *http.Request) string {
 }
 // CORS returns CORS middleware.
 // When UPAAS_CORS_ORIGINS is empty (default), no CORS headers are sent
 // (same-origin only). When configured, only the specified origins are
 // allowed and credentials (cookies) are permitted.
 func (m *Middleware) CORS() func(http.Handler) http.Handler {
 	origins := parseCORSOrigins(m.params.Config.CORSOrigins)
 	// No origins configured — no CORS headers (same-origin policy).
 	if len(origins) == 0 {
 		return func(next http.Handler) http.Handler {
 			return next
 		}
 	}
 	return cors.Handler(cors.Options{
-		AllowedOrigins:   []string{"*"},
+		AllowedOrigins:   origins,
 		AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
 		AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"},
 		ExposedHeaders:   []string{"Link"},
-		AllowCredentials: false,
+		AllowCredentials: true,
 		MaxAge:           corsMaxAge,
 	})
 }
 // parseCORSOrigins splits a comma-separated origin string into a slice,
 // trimming whitespace. Returns nil if the input is empty.
 func parseCORSOrigins(raw string) []string {
 	if raw == "" {
 		return nil
 	}
 	parts := strings.Split(raw, ",")
 	origins := make([]string, 0, len(parts))
 	for _, p := range parts {
 		if o := strings.TrimSpace(p); o != "" {
 			origins = append(origins, o)
 		}
 	}
 	return origins
 }
 // MetricsAuth returns basic auth middleware for metrics endpoint.
 func (m *Middleware) MetricsAuth() func(http.Handler) http.Handler {
 	if m.params.Config.MetricsUsername == "" {
@@ -339,6 +373,45 @@ func (m *Middleware) LoginRateLimit() func(http.Handler) http.Handler {
 	}
 }
 // bearerPrefix is the expected prefix for Authorization headers.
 const bearerPrefix = "Bearer "
 // APISessionAuth returns middleware that requires authentication
 // for API routes. It checks Bearer token first, then falls back
 // to session cookie. Returns JSON 401 on failure.
 func (m *Middleware) APISessionAuth() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(
 			writer http.ResponseWriter,
 			request *http.Request,
 		) {
 			// Try Bearer token first.
 			if authedReq, ok := m.tryBearerAuth(request); ok {
 				next.ServeHTTP(writer, authedReq)
 				return
 			}
 			// Fall back to session cookie.
 			user, err := m.params.Auth.GetCurrentUser(
 				request.Context(), request,
 			)
 			if err != nil || user == nil {
 				writer.Header().Set("Content-Type", "application/json")
 				http.Error(
 					writer,
 					`{"error":"unauthorized"}`,
 					http.StatusUnauthorized,
 				)
 				return
 			}
 			next.ServeHTTP(writer, request)
 		})
 	}
 }
 // SetupRequired returns middleware that redirects to setup if no user exists.
 func (m *Middleware) SetupRequired() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
@@ -382,3 +455,49 @@ func (m *Middleware) SetupRequired() func(http.Handler) http.Handler {
 		})
 	}
 }
 // tryBearerAuth checks for a valid Bearer token in the
 // Authorization header. On success it returns a new request
 // with the authenticated user set on the context.
 func (m *Middleware) tryBearerAuth(
 	request *http.Request,
 ) (*http.Request, bool) {
 	authHeader := request.Header.Get("Authorization")
 	if !strings.HasPrefix(authHeader, bearerPrefix) {
 		return request, false
 	}
 	rawToken := strings.TrimPrefix(authHeader, bearerPrefix)
 	if rawToken == "" {
 		return request, false
 	}
 	tokenHash := database.HashAPIToken(rawToken)
 	apiToken, err := models.FindAPITokenByHash(
 		request.Context(), m.params.Database, tokenHash,
 	)
 	if err != nil || apiToken == nil {
 		return request, false
 	}
 	if apiToken.IsExpired() {
 		return request, false
 	}
 	// Look up the user associated with the token.
 	user, err := models.FindUser(
 		request.Context(), m.params.Database, apiToken.UserID,
 	)
 	if err != nil || user == nil {
 		return request, false
 	}
 	// Update last_used_at (best effort).
 	_ = apiToken.TouchLastUsed(request.Context())
 	// Set the authenticated user on the request context.
 	ctx := auth.ContextWithUser(request.Context(), user)
 	return request.WithContext(ctx), true
 }
--- a/internal/models/api_token.go
+++ b/internal/models/api_token.go
@@ -0,0 +1,206 @@
 package models
 import (
 	"context"
 	"crypto/rand"
 	"database/sql"
 	"encoding/hex"
 	"errors"
 	"fmt"
 	"time"
 	"github.com/oklog/ulid/v2"
 	"git.eeqj.de/sneak/upaas/internal/database"
 )
 // tokenRandomBytes is the number of random bytes for token generation.
 const tokenRandomBytes = 32
 // tokenPrefix is prepended to generated API tokens.
 const tokenPrefix = "upaas_"
 // APIToken represents an API authentication token.
 type APIToken struct {
 	db *database.Database
 	ID         string
 	UserID     int64
 	Name       string
 	TokenHash  string
 	CreatedAt  time.Time
 	ExpiresAt  sql.NullTime
 	LastUsedAt sql.NullTime
 }
 // NewAPIToken creates a new APIToken with a database reference.
 func NewAPIToken(db *database.Database) *APIToken {
 	return &APIToken{db: db}
 }
 // GenerateToken generates a random API token string.
 func GenerateToken() (string, error) {
 	b := make([]byte, tokenRandomBytes)
 	_, err := rand.Read(b)
 	if err != nil {
 		return "", fmt.Errorf("generating token: %w", err)
 	}
 	return tokenPrefix + hex.EncodeToString(b), nil
 }
 // Save inserts the API token into the database.
 func (t *APIToken) Save(ctx context.Context) error {
 	if t.ID == "" {
 		t.ID = ulid.Make().String()
 	}
 	query := `INSERT INTO api_tokens
 		(id, user_id, name, token_hash, expires_at)
 		VALUES (?, ?, ?, ?, ?)`
 	_, err := t.db.Exec(
 		ctx, query,
 		t.ID, t.UserID, t.Name, t.TokenHash, t.ExpiresAt,
 	)
 	if err != nil {
 		return fmt.Errorf("inserting api token: %w", err)
 	}
 	return t.Reload(ctx)
 }
 // Reload refreshes the token from the database.
 func (t *APIToken) Reload(ctx context.Context) error {
 	row := t.db.QueryRow(ctx,
 		`SELECT id, user_id, name, token_hash,
 			created_at, expires_at, last_used_at
 		 FROM api_tokens WHERE id = ?`, t.ID)
 	return t.scan(row)
 }
 // Delete removes the token from the database.
 func (t *APIToken) Delete(ctx context.Context) error {
 	_, err := t.db.Exec(ctx,
 		"DELETE FROM api_tokens WHERE id = ?", t.ID)
 	return err
 }
 // TouchLastUsed updates the last_used_at timestamp.
 func (t *APIToken) TouchLastUsed(ctx context.Context) error {
 	_, err := t.db.Exec(ctx,
 		"UPDATE api_tokens SET last_used_at = ? WHERE id = ?",
 		time.Now().UTC(), t.ID)
 	return err
 }
 // IsExpired reports whether the token has expired.
 func (t *APIToken) IsExpired() bool {
 	return t.ExpiresAt.Valid && t.ExpiresAt.Time.Before(time.Now())
 }
 func (t *APIToken) scan(row *sql.Row) error {
 	return row.Scan(
 		&t.ID, &t.UserID, &t.Name, &t.TokenHash,
 		&t.CreatedAt, &t.ExpiresAt, &t.LastUsedAt,
 	)
 }
 // FindAPITokenByHash finds a token by its hash.
 //
 //nolint:nilnil // nil,nil is idiomatic for "not found"
 func FindAPITokenByHash(
 	ctx context.Context,
 	db *database.Database,
 	hash string,
 ) (*APIToken, error) {
 	token := NewAPIToken(db)
 	row := db.QueryRow(ctx,
 		`SELECT id, user_id, name, token_hash,
 			created_at, expires_at, last_used_at
 		 FROM api_tokens WHERE token_hash = ?`, hash)
 	err := token.scan(row)
 	if err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
 			return nil, nil
 		}
 		return nil, fmt.Errorf("finding api token by hash: %w", err)
 	}
 	return token, nil
 }
 // FindAPIToken finds a token by ID.
 //
 //nolint:nilnil // nil,nil is idiomatic for "not found"
 func FindAPIToken(
 	ctx context.Context,
 	db *database.Database,
 	id string,
 ) (*APIToken, error) {
 	token := NewAPIToken(db)
 	row := db.QueryRow(ctx,
 		`SELECT id, user_id, name, token_hash,
 			created_at, expires_at, last_used_at
 		 FROM api_tokens WHERE id = ?`, id)
 	err := token.scan(row)
 	if err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
 			return nil, nil
 		}
 		return nil, fmt.Errorf("finding api token: %w", err)
 	}
 	return token, nil
 }
 // ListAPITokensByUser returns all tokens for a user.
 func ListAPITokensByUser(
 	ctx context.Context,
 	db *database.Database,
 	userID int64,
 ) ([]*APIToken, error) {
 	rows, err := db.Query(ctx,
 		`SELECT id, user_id, name, token_hash,
 			created_at, expires_at, last_used_at
 		 FROM api_tokens WHERE user_id = ?
 		 ORDER BY created_at DESC`, userID)
 	if err != nil {
 		return nil, fmt.Errorf("listing api tokens: %w", err)
 	}
 	defer func() { _ = rows.Close() }()
 	var tokens []*APIToken
 	for rows.Next() {
 		t := NewAPIToken(db)
 		scanErr := rows.Scan(
 			&t.ID, &t.UserID, &t.Name, &t.TokenHash,
 			&t.CreatedAt, &t.ExpiresAt, &t.LastUsedAt,
 		)
 		if scanErr != nil {
 			return nil, fmt.Errorf("scanning api token: %w", scanErr)
 		}
 		tokens = append(tokens, t)
 	}
 	rowsErr := rows.Err()
 	if rowsErr != nil {
 		return nil, fmt.Errorf("iterating api tokens: %w", rowsErr)
 	}
 	return tokens, nil
 }
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@@ -83,14 +83,17 @@ func (s *Server) SetupRoutes() {
 			// Environment variables
 			r.Post("/apps/{id}/env-vars", s.handlers.HandleEnvVarAdd())
 			r.Post("/apps/{id}/env-vars/{varID}/edit", s.handlers.HandleEnvVarEdit())
 			r.Post("/apps/{id}/env-vars/{varID}/delete", s.handlers.HandleEnvVarDelete())
 			// Labels
 			r.Post("/apps/{id}/labels", s.handlers.HandleLabelAdd())
 			r.Post("/apps/{id}/labels/{labelID}/edit", s.handlers.HandleLabelEdit())
 			r.Post("/apps/{id}/labels/{labelID}/delete", s.handlers.HandleLabelDelete())
 			// Volumes
 			r.Post("/apps/{id}/volumes", s.handlers.HandleVolumeAdd())
 			r.Post("/apps/{id}/volumes/{volumeID}/edit", s.handlers.HandleVolumeEdit())
 			r.Post("/apps/{id}/volumes/{volumeID}/delete", s.handlers.HandleVolumeDelete())
 			// Ports
@@ -99,6 +102,31 @@ func (s *Server) SetupRoutes() {
 		})
 	})
 	// API v1 routes (cookie-based session auth, no CSRF)
 	s.router.Route("/api/v1", func(r chi.Router) {
 		// Login endpoint is public (returns session cookie)
 		r.With(s.mw.LoginRateLimit()).Post("/login", s.handlers.HandleAPILoginPOST())
 		// All other API routes require session auth
 		r.Group(func(r chi.Router) {
 			r.Use(s.mw.APISessionAuth())
 			r.Get("/whoami", s.handlers.HandleAPIWhoAmI())
 			r.Get("/apps", s.handlers.HandleAPIListApps())
 			r.Post("/apps", s.handlers.HandleAPICreateApp())
 			r.Get("/apps/{id}", s.handlers.HandleAPIGetApp())
 			r.Delete("/apps/{id}", s.handlers.HandleAPIDeleteApp())
 			r.Post("/apps/{id}/deploy", s.handlers.HandleAPITriggerDeploy())
 			r.Get("/apps/{id}/deployments", s.handlers.HandleAPIListDeployments())
 			// API token management
 			r.Post("/tokens", s.handlers.HandleAPICreateToken())
 			r.Get("/tokens", s.handlers.HandleAPIListTokens())
 			r.Delete("/tokens/{tokenID}", s.handlers.HandleAPIDeleteToken())
 		})
 	})
 	// Metrics endpoint (optional, with basic auth)
 	if s.params.Config.MetricsUsername != "" {
 		s.router.Group(func(r chi.Router) {
--- a/internal/service/auth/auth.go
+++ b/internal/service/auth/auth.go
@@ -26,6 +26,21 @@ const (
 	sessionUserID = "user_id"
 )
 // contextKeyUser is the context key for storing the authenticated user.
 type contextKeyUser struct{}
 // ContextWithUser returns a new context with the given user attached.
 func ContextWithUser(ctx context.Context, user *models.User) context.Context {
 	return context.WithValue(ctx, contextKeyUser{}, user)
 }
 // UserFromContext retrieves the user from the context, if set.
 func UserFromContext(ctx context.Context) *models.User {
 	user, _ := ctx.Value(contextKeyUser{}).(*models.User)
 	return user
 }
 // Argon2 parameters.
 const (
 	argonTime    = 1
@@ -239,6 +254,11 @@ func (svc *Service) GetCurrentUser(
 	ctx context.Context,
 	request *http.Request,
 ) (*models.User, error) {
 	// Check context first (set by bearer token auth).
 	if user := UserFromContext(ctx); user != nil {
 		return user, nil
 	}
 	session, sessionErr := svc.store.Get(request, sessionName)
 	if sessionErr != nil {
 		// Session error means no user - this is not an error condition
--- a/internal/service/deploy/deploy.go
+++ b/internal/service/deploy/deploy.go
@@ -11,6 +11,7 @@ import (
 	"log/slog"
 	"os"
 	"path/filepath"
 	"strings"
 	"sync"
 	"time"
@@ -472,7 +473,7 @@ func (svc *Service) runBuildAndDeploy(
 	// Build phase with timeout
 	imageID, err := svc.buildImageWithTimeout(deployCtx, app, deployment)
 	if err != nil {
-		cancelErr := svc.checkCancelled(deployCtx, bgCtx, app, deployment)
+		cancelErr := svc.checkCancelled(deployCtx, bgCtx, app, deployment, "")
 		if cancelErr != nil {
 			return cancelErr
 		}
@@ -485,7 +486,7 @@ func (svc *Service) runBuildAndDeploy(
 	// Deploy phase with timeout
 	err = svc.deployContainerWithTimeout(deployCtx, app, deployment, imageID)
 	if err != nil {
-		cancelErr := svc.checkCancelled(deployCtx, bgCtx, app, deployment)
+		cancelErr := svc.checkCancelled(deployCtx, bgCtx, app, deployment, imageID)
 		if cancelErr != nil {
 			return cancelErr
 		}
@@ -661,24 +662,77 @@ func (svc *Service) cancelActiveDeploy(appID string) {
 }
 // checkCancelled checks if the deploy context was cancelled (by a newer deploy)
-// and if so, marks the deployment as cancelled. Returns ErrDeployCancelled or nil.
+// and if so, marks the deployment as cancelled and cleans up orphan resources.
 // Returns ErrDeployCancelled or nil.
 func (svc *Service) checkCancelled(
 	deployCtx context.Context,
 	bgCtx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
 	imageID string,
 ) error {
 	if !errors.Is(deployCtx.Err(), context.Canceled) {
 		return nil
 	}
-	svc.log.Info("deployment cancelled by newer deploy", "app", app.Name)
+	svc.log.Info("deployment cancelled", "app", app.Name)
 	svc.cleanupCancelledDeploy(bgCtx, app, deployment, imageID)
 	_ = deployment.MarkFinished(bgCtx, models.DeploymentStatusCancelled)
 	return ErrDeployCancelled
 }
 // cleanupCancelledDeploy removes orphan resources left by a cancelled deployment.
 func (svc *Service) cleanupCancelledDeploy(
 	ctx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
 	imageID string,
 ) {
 	// Clean up the intermediate Docker image if one was built
 	if imageID != "" {
 		removeErr := svc.docker.RemoveImage(ctx, imageID)
 		if removeErr != nil {
 			svc.log.Error("failed to remove image from cancelled deploy",
 				"error", removeErr, "app", app.Name, "image", imageID)
 			_ = deployment.AppendLog(ctx, "WARNING: failed to clean up image "+imageID+": "+removeErr.Error())
 		} else {
 			svc.log.Info("cleaned up image from cancelled deploy",
 				"app", app.Name, "image", imageID)
 			_ = deployment.AppendLog(ctx, "Cleaned up intermediate image: "+imageID)
 		}
 	}
 	// Clean up the build directory for this deployment
 	buildDir := svc.GetBuildDir(app.Name)
 	entries, err := os.ReadDir(buildDir)
 	if err != nil {
 		return
 	}
 	prefix := fmt.Sprintf("%d-", deployment.ID)
 	for _, entry := range entries {
 		if entry.IsDir() && strings.HasPrefix(entry.Name(), prefix) {
 			dirPath := filepath.Join(buildDir, entry.Name())
 			removeErr := os.RemoveAll(dirPath)
 			if removeErr != nil {
 				svc.log.Error("failed to remove build dir from cancelled deploy",
 					"error", removeErr, "path", dirPath)
 			} else {
 				svc.log.Info("cleaned up build dir from cancelled deploy",
 					"app", app.Name, "path", dirPath)
 				_ = deployment.AppendLog(ctx, "Cleaned up build directory")
 			}
 		}
 	}
 }
 func (svc *Service) fetchWebhookEvent(
 	ctx context.Context,
 	webhookEventID *int64,
--- a/internal/service/deploy/deploy_cleanup_test.go
+++ b/internal/service/deploy/deploy_cleanup_test.go
@@ -0,0 +1,63 @@
 package deploy_test
 import (
 	"context"
 	"log/slog"
 	"os"
 	"path/filepath"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"git.eeqj.de/sneak/upaas/internal/config"
 	"git.eeqj.de/sneak/upaas/internal/service/deploy"
 )
 func TestCleanupCancelledDeploy_RemovesBuildDir(t *testing.T) {
 	t.Parallel()
 	tmpDir := t.TempDir()
 	cfg := &config.Config{DataDir: tmpDir}
 	svc := deploy.NewTestServiceWithConfig(slog.Default(), cfg, nil)
 	// Create a fake build directory matching the deployment pattern
 	appName := "test-app"
 	buildDir := svc.GetBuildDirExported(appName)
 	require.NoError(t, os.MkdirAll(buildDir, 0o750))
 	// Create deployment-specific dir: <deploymentID>-<random>
 	deployDir := filepath.Join(buildDir, "42-abc123")
 	require.NoError(t, os.MkdirAll(deployDir, 0o750))
 	// Create a file inside to verify full removal
 	require.NoError(t, os.WriteFile(filepath.Join(deployDir, "work"), []byte("test"), 0o600))
 	// Also create a dir for a different deployment (should NOT be removed)
 	otherDir := filepath.Join(buildDir, "99-xyz789")
 	require.NoError(t, os.MkdirAll(otherDir, 0o750))
 	// Run cleanup for deployment 42
 	svc.CleanupCancelledDeploy(context.Background(), appName, 42, "")
 	// Deployment 42's dir should be gone
 	_, err := os.Stat(deployDir)
 	assert.True(t, os.IsNotExist(err), "deployment build dir should be removed")
 	// Deployment 99's dir should still exist
 	_, err = os.Stat(otherDir)
 	assert.NoError(t, err, "other deployment build dir should not be removed")
 }
 func TestCleanupCancelledDeploy_NoBuildDir(t *testing.T) {
 	t.Parallel()
 	tmpDir := t.TempDir()
 	cfg := &config.Config{DataDir: tmpDir}
 	svc := deploy.NewTestServiceWithConfig(slog.Default(), cfg, nil)
 	// Should not panic when build dir doesn't exist
 	svc.CleanupCancelledDeploy(context.Background(), "nonexistent-app", 1, "")
 }
--- a/internal/service/deploy/export_test.go
+++ b/internal/service/deploy/export_test.go
@@ -2,7 +2,14 @@ package deploy
 import (
 	"context"
 	"fmt"
 	"log/slog"
 	"os"
 	"path/filepath"
 	"strings"
 	"git.eeqj.de/sneak/upaas/internal/config"
 	"git.eeqj.de/sneak/upaas/internal/docker"
 )
 // NewTestService creates a Service with minimal dependencies for testing.
@@ -31,3 +38,45 @@ func (svc *Service) TryLockApp(appID string) bool {
 func (svc *Service) UnlockApp(appID string) {
 	svc.unlockApp(appID)
 }
 // NewTestServiceWithConfig creates a Service with config and docker client for testing.
 func NewTestServiceWithConfig(log *slog.Logger, cfg *config.Config, dockerClient *docker.Client) *Service {
 	return &Service{
 		log:    log,
 		config: cfg,
 		docker: dockerClient,
 	}
 }
 // CleanupCancelledDeploy exposes the build directory cleanup portion of
 // cleanupCancelledDeploy for testing. It removes build directories matching
 // the deployment ID prefix.
 func (svc *Service) CleanupCancelledDeploy(
 	_ context.Context,
 	appName string,
 	deploymentID int64,
 	_ string,
 ) {
 	// We can't create real models.App/Deployment in tests easily,
 	// so we test the build dir cleanup portion directly.
 	buildDir := svc.GetBuildDir(appName)
 	entries, err := os.ReadDir(buildDir)
 	if err != nil {
 		return
 	}
 	prefix := fmt.Sprintf("%d-", deploymentID)
 	for _, entry := range entries {
 		if entry.IsDir() && strings.HasPrefix(entry.Name(), prefix) {
 			dirPath := filepath.Join(buildDir, entry.Name())
 			_ = os.RemoveAll(dirPath)
 		}
 	}
 }
 // GetBuildDirExported exposes GetBuildDir for testing.
 func (svc *Service) GetBuildDirExported(appName string) string {
 	return svc.GetBuildDir(appName)
 }
--- a/internal/service/notify/notify.go
+++ b/internal/service/notify/notify.go
@@ -260,7 +260,7 @@ func (svc *Service) sendNtfy(
 	request.Header.Set("Title", title)
 	request.Header.Set("Priority", svc.ntfyPriority(priority))
-	resp, err := svc.client.Do(request)
+	resp, err := svc.client.Do(request) //nolint:gosec // URL constructed from trusted config, not user input
 	if err != nil {
 		return fmt.Errorf("failed to send ntfy request: %w", err)
 	}
@@ -352,7 +352,7 @@ func (svc *Service) sendSlack(
 	request.Header.Set("Content-Type", "application/json")
-	resp, err := svc.client.Do(request)
+	resp, err := svc.client.Do(request) //nolint:gosec // URL from trusted webhook config
 	if err != nil {
 		return fmt.Errorf("failed to send slack request: %w", err)
 	}
--- a/internal/ssh/keygen.go
+++ b/internal/ssh/keygen.go
@@ -12,7 +12,7 @@ import (
 // KeyPair contains an SSH key pair.
 type KeyPair struct {
-	PrivateKey string
+	PrivateKey string //nolint:gosec // field name describes SSH key material, not a hardcoded secret
 	PublicKey  string
 }
--- a/templates/app_detail.html
+++ b/templates/app_detail.html
@@ -112,15 +112,34 @@
                </thead>
                <tbody class="table-body">
                    {{range .EnvVars}}
-                    <tr>
+                    <tr x-data="{ editing: false }">
                        <template x-if="!editing">
                            <td class="font-mono font-medium">{{.Key}}</td>
                        </template>
                        <template x-if="!editing">
                            <td class="font-mono text-gray-500">{{.Value}}</td>
                        </template>
                        <template x-if="!editing">
                            <td class="text-right">
-                            <form method="POST" action="/apps/{{$.App.ID}}/env/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this environment variable?')" @submit="confirm($event)">
+                                <button @click="editing = true" class="text-primary-600 hover:text-primary-800 text-sm mr-2">Edit</button>
-                {{ .CSRFField }}
+                                <form method="POST" action="/apps/{{$.App.ID}}/env-vars/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this environment variable?')" @submit="confirm($event)">
                                    {{ $.CSRFField }}
                                    <button type="submit" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
                                </form>
                            </td>
                        </template>
                        <template x-if="editing">
                            <td colspan="3">
                                <form method="POST" action="/apps/{{$.App.ID}}/env-vars/{{.ID}}/edit" class="flex gap-2 items-center">
                                    {{ $.CSRFField }}
                                    <input type="text" name="key" value="{{.Key}}" required class="input flex-1 font-mono text-sm">
                                    <input type="text" name="value" value="{{.Value}}" required class="input flex-1 font-mono text-sm">
                                    <button type="submit" class="btn-primary text-sm">Save</button>
                                    <button type="button" @click="editing = false" class="text-gray-500 hover:text-gray-700 text-sm">Cancel</button>
                                </form>
                                <p class="text-xs text-amber-600 mt-1">⚠ Container restart needed after env var changes.</p>
                            </td>
                        </template>
                    </tr>
                    {{end}}
                </tbody>
@@ -157,15 +176,33 @@
                        </td>
                    </tr>
                    {{range .Labels}}
-                    <tr>
+                    <tr x-data="{ editing: false }">
                        <template x-if="!editing">
                            <td class="font-mono font-medium">{{.Key}}</td>
                        </template>
                        <template x-if="!editing">
                            <td class="font-mono text-gray-500">{{.Value}}</td>
                        </template>
                        <template x-if="!editing">
                            <td class="text-right">
                                <button @click="editing = true" class="text-primary-600 hover:text-primary-800 text-sm mr-2">Edit</button>
                                <form method="POST" action="/apps/{{$.App.ID}}/labels/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this label?')" @submit="confirm($event)">
-                {{ .CSRFField }}
+                                    {{ $.CSRFField }}
                                    <button type="submit" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
                                </form>
                            </td>
                        </template>
                        <template x-if="editing">
                            <td colspan="3">
                                <form method="POST" action="/apps/{{$.App.ID}}/labels/{{.ID}}/edit" class="flex gap-2 items-center">
                                    {{ $.CSRFField }}
                                    <input type="text" name="key" value="{{.Key}}" required class="input flex-1 font-mono text-sm">
                                    <input type="text" name="value" value="{{.Value}}" required class="input flex-1 font-mono text-sm">
                                    <button type="submit" class="btn-primary text-sm">Save</button>
                                    <button type="button" @click="editing = false" class="text-gray-500 hover:text-gray-700 text-sm">Cancel</button>
                                </form>
                            </td>
                        </template>
                    </tr>
                    {{end}}
                </tbody>
@@ -195,9 +232,14 @@
                </thead>
                <tbody class="table-body">
                    {{range .Volumes}}
-                    <tr>
+                    <tr x-data="{ editing: false }">
                        <template x-if="!editing">
                            <td class="font-mono">{{.HostPath}}</td>
                        </template>
                        <template x-if="!editing">
                            <td class="font-mono">{{.ContainerPath}}</td>
                        </template>
                        <template x-if="!editing">
                            <td>
                                {{if .ReadOnly}}
                                <span class="badge-neutral">Read-only</span>
@@ -205,12 +247,31 @@
                                <span class="badge-info">Read-write</span>
                                {{end}}
                            </td>
                        </template>
                        <template x-if="!editing">
                            <td class="text-right">
                                <button @click="editing = true" class="text-primary-600 hover:text-primary-800 text-sm mr-2">Edit</button>
                                <form method="POST" action="/apps/{{$.App.ID}}/volumes/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this volume mount?')" @submit="confirm($event)">
-                {{ .CSRFField }}
+                                    {{ $.CSRFField }}
                                    <button type="submit" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
                                </form>
                            </td>
                        </template>
                        <template x-if="editing">
                            <td colspan="4">
                                <form method="POST" action="/apps/{{$.App.ID}}/volumes/{{.ID}}/edit" class="flex gap-2 items-center">
                                    {{ $.CSRFField }}
                                    <input type="text" name="host_path" value="{{.HostPath}}" required class="input flex-1 font-mono text-sm" placeholder="/host/path">
                                    <input type="text" name="container_path" value="{{.ContainerPath}}" required class="input flex-1 font-mono text-sm" placeholder="/container/path">
                                    <label class="flex items-center gap-1 text-sm text-gray-600 whitespace-nowrap">
                                        <input type="checkbox" name="readonly" value="1" {{if .ReadOnly}}checked{{end}} class="rounded border-gray-300 text-primary-600 focus:ring-primary-500">
                                        RO
                                    </label>
                                    <button type="submit" class="btn-primary text-sm">Save</button>
                                    <button type="button" @click="editing = false" class="text-gray-500 hover:text-gray-700 text-sm">Cancel</button>
                                </form>
                            </td>
                        </template>
                    </tr>
                    {{end}}
                </tbody>
Author	SHA1	Message	Date
clawbot	e73409b567	fix: resolve lint issues for make check compliance	2026-02-19 23:43:41 -08:00
clawbot	a891fb2489	fix: increase API token entropy from 128 to 256 bits Change token random bytes from 16 to 32, producing tokens with upaas_ prefix + 64 hex characters instead of 32.	2026-02-19 23:43:22 -08:00
clawbot	96eea71c54	fix: set authenticated user on request context in bearer token auth tryBearerAuth validated the bearer token but never looked up the associated user or set it on the request context. This meant downstream handlers calling GetCurrentUser would get nil even with a valid token. Changes: - Add ContextWithUser/UserFromContext helpers in auth package - tryBearerAuth now looks up the user by token's UserID and sets it on the request context via auth.ContextWithUser - GetCurrentUser checks context first before falling back to session cookie - Add integration tests for bearer auth user context	2026-02-19 23:43:22 -08:00
clawbot	7387ba6b5c	feat: add API token authentication (closes #87 ) - Add api_tokens table migration (007) - Add APIToken model with CRUD operations - Generate tokens with upaas_ prefix + 32 hex chars - Store SHA-256 hash of tokens (not plaintext) - Update APISessionAuth middleware to check Bearer tokens - Add POST/GET/DELETE /api/v1/tokens endpoints - Token creation returns plaintext once; list never exposes it - Expired and revoked tokens are rejected - Tests for creation, listing, deletion, bearer auth, revocation	2026-02-19 23:43:22 -08:00
Jeffrey Paul	3a4e999382	Merge pull request 'revert: undo PR #98 (CI + linter config changes)' (#99 ) from revert/pr-98 into main Reviewed-on: #99	2026-02-20 05:37:49 +01:00
clawbot	728b29ef16	Revert "Merge pull request 'feat: add Gitea Actions CI for make check (closes #96 )' (#98 ) from feat/ci-make-check into main" This reverts commit `f61d4d0f91`, reversing changes made to `06e8e66443`.	2026-02-19 20:36:22 -08:00
Jeffrey Paul	f61d4d0f91	Merge pull request 'feat: add Gitea Actions CI for make check (closes #96 )' (#98 ) from feat/ci-make-check into main Some checks failed check / check (push) Failing after 2s Details Reviewed-on: #98	2026-02-20 05:33:24 +01:00
clawbot	8ec04fdadb	feat: add Gitea Actions CI for make check (closes #96 ) Some checks failed check / check (pull_request) Failing after 16s Details - Add .gitea/workflows/check.yml running make check on PRs and pushes to main - Fix .golangci.yml for golangci-lint v2 config format (was using v1 keys) - Migrate linters-settings to linters.settings, remove deprecated exclude-use-default - Exclude gosec false positives (G117, G703, G704, G705) with documented rationale - Increase lll line-length from 88 to 120 (88 was too restrictive for idiomatic Go) - Increase dupl threshold from 100 to 150 (similar CRUD handlers are intentional) - Fix funcorder: move RemoveImage before unexported methods in docker/client.go - Fix wsl_v5: add required blank line in deploy.go - Fix revive unused-parameter in export_test.go - Fix gosec G306: tighten test file permissions to 0600 - Add html.EscapeString for log output, filepath.Clean for log path - Remove stale //nolint:funlen directives no longer needed with v2 config	2026-02-19 20:29:21 -08:00
Jeffrey Paul	06e8e66443	Merge pull request 'fix: clean up orphan resources on deploy cancellation (closes #89 )' (#93 ) from fix/deploy-cancel-cleanup into main Reviewed-on: #93	2026-02-20 05:22:58 +01:00
clawbot	95a690e805	fix: use strings.HasPrefix instead of manual slice comparison - Replace entry.Name()[:len(prefix)] == prefix with strings.HasPrefix - Applied consistently in both deploy.go and export_test.go	2026-02-19 20:17:27 -08:00
clawbot	802518b917	fix: clean up orphan resources on deploy cancellation (closes #89 )	2026-02-19 20:15:22 -08:00
Jeffrey Paul	b47f871412	Merge pull request 'fix: restrict CORS to configured origins (closes #40 )' (#92 ) from fix/cors-wildcard into main Reviewed-on: #92	2026-02-20 05:11:33 +01:00
clawbot	02847eea92	fix: restrict CORS to configured origins (closes #40 ) - Add CORSOrigins config field (UPAAS_CORS_ORIGINS env var) - Default to same-origin only (no CORS headers when unconfigured) - When configured, allow specified origins with AllowCredentials: true - Add tests for CORS middleware behavior	2026-02-19 13:45:18 -08:00
clawbot	506c795f16	test: add CORS middleware tests (failing - TDD)	2026-02-19 13:43:33 -08:00
Jeffrey Paul	38a744b489	Merge pull request 'feat: add JSON API with token auth (closes #69 )' (#74 ) from feature/json-api into main Reviewed-on: #74	2026-02-16 09:51:48 +01:00
Jeffrey Paul	11314629b6	Merge branch 'main' into feature/json-api	2026-02-16 09:51:36 +01:00
Jeffrey Paul	bc3ee2bfc5	Merge pull request 'chore: remove TODO.md — all items tracked as Gitea issues' (#65 ) from chore/update-todo into main Reviewed-on: #65	2026-02-16 09:51:14 +01:00
user	e09cf11c06	chore: remove TODO.md — all items tracked as Gitea issues All unchecked items now have corresponding issues: - #67 Edit env vars/labels/volumes (merged) - #68 GitHub/GitLab webhook support - #69 JSON API (PR #74 open) - #72 CPU/memory resource limits - #79 Backup/restore - #80 Private Docker registry auth - #81 Custom health checks - #82 Multi-user support with roles - #83 Scheduled deployments - #84 Observability (logging, metrics, audit) - #85 Webhook event history UI - #86 Settings page Completed items: #66 (cancel endpoint), #67 (edit entities), #71 (rollback), plus all Phase 1-2 items already done.	2026-02-16 00:35:23 -08:00
user	8d68a31366	fix: remove undeployed api_tokens migrations (006 + 007)	2026-02-16 00:34:02 -08:00
Jeffrey Paul	b83e68fafd	Merge pull request 'feat: edit existing env vars, labels, and volume mounts (closes #67 )' (#77 ) from feature/edit-config-entities into main Reviewed-on: #77	2026-02-16 09:33:46 +01:00
Jeffrey Paul	f743837d49	Merge branch 'main' into feature/json-api	2026-02-16 09:33:09 +01:00
user	9ac1d25788	refactor: switch API from token auth to cookie-based session auth - Remove API token system entirely (model, migration, middleware) - Add migration 007 to drop api_tokens table - Add POST /api/v1/login endpoint for JSON credential auth - API routes now use session cookies (same as web UI) - Remove /api/v1/tokens endpoint - HandleAPIWhoAmI uses session auth instead of token context - APISessionAuth middleware returns JSON 401 instead of redirect - Update all API tests to use cookie-based authentication Addresses review comment on PR #74.	2026-02-16 00:31:10 -08:00
Jeffrey Paul	0c8dcc2eb1	Merge branch 'main' into feature/edit-config-entities	2026-02-16 09:28:30 +01:00
Jeffrey Paul	d0375555af	Merge pull request 'Update TODO.md with current status (closes #54 )' (#55 ) from update-todo-md into main Reviewed-on: #55	2026-02-16 09:26:15 +01:00
clawbot	e9d284698a	feat: edit existing env vars, labels, and volume mounts Add inline edit functionality for environment variables, labels, and volume mounts on the app detail page. Each entity row now has an Edit button that reveals an inline form using Alpine.js. - POST /apps/{id}/env-vars/{varID}/edit - POST /apps/{id}/labels/{labelID}/edit - POST /apps/{id}/volumes/{volumeID}/edit - Path validation for volume host and container paths - Warning banner about container restart after env var changes - Tests for ValidateVolumePath fixes #67	2026-02-16 00:26:07 -08:00
Jeffrey Paul	96a91b09ca	Merge branch 'main' into update-todo-md	2026-02-16 09:26:01 +01:00
Jeffrey Paul	046cccf31f	Merge pull request 'feat: deployment rollback to previous image (closes #71 )' (#75 ) from feature/deployment-rollback into main Reviewed-on: #75	2026-02-16 09:25:33 +01:00
user	0536f57ec2	feat: add JSON API with token auth (closes #69 ) - Add API token model with SHA-256 hashed tokens - Add migration 006_add_api_tokens.sql - Add Bearer token auth middleware - Add API endpoints under /api/v1/: - GET /whoami - POST /tokens (create new API token) - GET /apps (list all apps) - POST /apps (create app) - GET /apps/{id} (get app) - DELETE /apps/{id} (delete app) - POST /apps/{id}/deploy (trigger deployment) - GET /apps/{id}/deployments (list deployments) - Add comprehensive tests for all API endpoints - All tests pass, zero lint issues	2026-02-16 00:24:45 -08:00
clawbot	6696db957d	Update TODO.md: check off deployment cancellation	2026-02-16 09:12:08 +01:00