docs: expand Important note — HOST_DATA_DIR must be absolute path

Explain why relative paths break container builds and add usage example.
Addresses sneak's review feedback on PR #126.

.dockerignore

@@ -1,10 +0,0 @@
-.git
-bin/
-.editorconfig
-.vscode/
-.idea/
-*.test
-LICENSE
-CONVENTIONS.md
-REPO_POLICIES.md
-README.md

.editorconfig

@@ -1,15 +0,0 @@
-root = true
-
-[*]
-charset = utf-8
-end_of_line = lf
-insert_final_newline = true
-trim_trailing_whitespace = true
-indent_style = space
-indent_size = 2
-
-[*.go]
-indent_style = tab
-
-[Makefile]
-indent_style = tab

.gitea/workflows/check.yml

@@ -10,7 +10,17 @@ jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4, 2024-10-13
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
-      - name: Build (runs make check inside Dockerfile)
-        run: docker build .
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version-file: go.mod
+
+      - name: Install golangci-lint
+        run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@5d1e709b7be35cb2025444e19de266b056b7b7ee # v2.10.1
+
+      - name: Install goimports
+        run: go install golang.org/x/tools/cmd/goimports@009367f5c17a8d4c45a961a3a509277190a9a6f0 # v0.42.0
+
+      - name: Run make check
+        run: make check

.gitignore

@@ -1,31 +0,0 @@
-# OS
-.DS_Store
-Thumbs.db
-
-# Editors
-*.swp
-*.swo
-*~
-*.bak
-.idea/
-.vscode/
-*.sublime-*
-
-# Node
-node_modules/
-
-# Environment / secrets
-.env
-.env.*
-*.pem
-*.key
-
-# Go
-bin/
-*.exe
-*.exe~
-*.dll
-*.so
-*.dylib
-*.test
-*.out

Dockerfile

@@ -1,37 +1,26 @@
-# Lint stage — fast feedback on formatting and lint issues
-# golangci/golangci-lint:v2.10.1
-FROM golangci/golangci-lint@sha256:ea84d14c2fef724411be7dc45e09e6ef721d748315252b02df19a7e3113ee763 AS lint
-
-WORKDIR /src
-COPY go.mod go.sum ./
-RUN go mod download
-
-COPY . .
-
-RUN make fmt-check
-RUN make lint
-
-# Build stage — tests and compilation
-# golang:1.25-alpine
-FROM golang@sha256:f6751d823c26342f9506c03797d2527668d095b0a15f1862cddb4d927a7a4ced AS builder
-
-# Force BuildKit to run the lint stage by creating a stage dependency
-COPY --from=lint /src/go.sum /dev/null
+# Build stage
+FROM golang@sha256:f6751d823c26342f9506c03797d2527668d095b0a15f1862cddb4d927a7a4ced AS builder # golang:1.25-alpine
 
 RUN apk add --no-cache git make gcc musl-dev
 
+# Install golangci-lint v2
+RUN go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@5d1e709b7be35cb2025444e19de266b056b7b7ee # v2.10.1
+RUN go install golang.org/x/tools/cmd/goimports@009367f5c17a8d4c45a961a3a509277190a9a6f0 # v0.42.0
+
 WORKDIR /src
 COPY go.mod go.sum ./
 RUN go mod download
 
 COPY . .
 
-RUN make test
+# Run all checks - build fails if any check fails
+RUN make check
+
+# Build the binary
 RUN make build
 
 # Runtime stage
-# alpine:3.19
-FROM alpine@sha256:6baf43584bcb78f2e5847d1de515f23499913ac9f12bdf834811a3145eb11ca1
+FROM alpine@sha256:6baf43584bcb78f2e5847d1de515f23499913ac9f12bdf834811a3145eb11ca1 # alpine:3.19
 
 RUN apk add --no-cache ca-certificates tzdata git openssh-client docker-cli
 

Makefile

@@ -1,4 +1,4 @@
-.PHONY: all build lint fmt fmt-check test check clean docker hooks
+.PHONY: all build lint fmt test check clean
 
 BINARY := upaasd
 VERSION := $(shell git describe --tags --always --dirty 2>/dev/null || echo "dev")
@@ -18,26 +18,21 @@ fmt:
 	goimports -w .
 	npx prettier --write --tab-width 4 static/js/*.js
 
-fmt-check:
-	@test -z "$$(gofmt -l .)" || (echo "Files not formatted:" && gofmt -l . && exit 1)
-
 test:
-	go test -v -race -cover -timeout 30s ./...
+	go test -v -race -cover ./...
 
 # Check runs all validation without making changes
 # Used by CI and Docker build - fails if anything is wrong
-check: fmt-check lint test
+check:
+	@echo "==> Checking formatting..."
+	@test -z "$$(gofmt -l .)" || (echo "Files not formatted:" && gofmt -l . && exit 1)
+	@echo "==> Running linter..."
+	golangci-lint run --config .golangci.yml ./...
+	@echo "==> Running tests..."
+	go test -v -race ./...
+	@echo "==> Building..."
+	go build -ldflags "$(LDFLAGS)" -o /dev/null ./cmd/upaasd
 	@echo "==> All checks passed!"
 
-docker:
-	docker build .
-
-hooks:
-	@echo "Installing pre-commit hook..."
-	@mkdir -p .git/hooks
-	@printf '#!/bin/sh\nmake check\n' > .git/hooks/pre-commit
-	@chmod +x .git/hooks/pre-commit
-	@echo "Pre-commit hook installed."
-
 clean:
 	rm -rf bin/

README.md

@@ -1,12 +1,12 @@
 # µPaaS by [@sneak](https://sneak.berlin)
 
-A simple self-hosted PaaS that auto-deploys Docker containers from Git repositories via webhooks from Gitea, GitHub, or GitLab.
+A simple self-hosted PaaS that auto-deploys Docker containers from Git repositories via Gitea webhooks.
 
 ## Features
 
 - Single admin user with argon2id password hashing
 - Per-app SSH keypairs for read-only deploy keys
-- Per-app UUID-based webhook URLs with auto-detection of Gitea, GitHub, and GitLab
+- Per-app UUID-based webhook URLs for Gitea integration
 - Branch filtering - only deploy on configured branch changes
 - Environment variables, labels, and volume mounts per app
 - Docker builds via socket access
@@ -19,7 +19,7 @@ A simple self-hosted PaaS that auto-deploys Docker containers from Git repositor
 - Complex CI pipelines
 - Multiple container orchestration
 - SPA/API-first design
-- Support for non-push webhook events (e.g. issues, merge requests)
+- Support for non-Gitea webhooks
 
 ## Architecture
 
@@ -44,7 +44,7 @@ upaas/
 │   │   ├── auth/        # Authentication service
 │   │   ├── deploy/      # Deployment orchestration
 │   │   ├── notify/      # Notifications (ntfy, Slack)
-│   │   └── webhook/     # Webhook processing (Gitea, GitHub, GitLab)
+│   │   └── webhook/     # Gitea webhook processing
 │   └── ssh/             # SSH key generation
 ├── static/              # Embedded CSS/JS assets
 └── templates/           # Embedded HTML templates
@@ -110,14 +110,11 @@ chi Router ──► Middleware Stack ──► Handler
 ### Commands
 
 ```bash
-make fmt       # Format code
-make fmt-check # Check formatting (read-only, fails if unformatted)
-make lint      # Run comprehensive linting
-make test      # Run tests with race detection (30s timeout)
-make check     # Verify everything passes (fmt-check, lint, test)
-make build     # Build binary
-make docker    # Build Docker image
-make hooks     # Install pre-commit hook (runs make check)
+make fmt      # Format code
+make lint     # Run comprehensive linting
+make test     # Run tests with race detection
+make check    # Verify everything passes (lint, test, build, format)
+make build    # Build binary
 ```
 
 ### Commit Requirements

REPO_POLICIES.md

@@ -1,188 +0,0 @@
----
-title: Repository Policies
-last_modified: 2026-02-22
----
-
-This document covers repository structure, tooling, and workflow standards. Code
-style conventions are in separate documents:
-
-- [Code Styleguide](https://git.eeqj.de/sneak/prompts/raw/branch/main/prompts/CODE_STYLEGUIDE.md)
-  (general, bash, Docker)
-- [Go](https://git.eeqj.de/sneak/prompts/raw/branch/main/prompts/CODE_STYLEGUIDE_GO.md)
-- [JavaScript](https://git.eeqj.de/sneak/prompts/raw/branch/main/prompts/CODE_STYLEGUIDE_JS.md)
-- [Python](https://git.eeqj.de/sneak/prompts/raw/branch/main/prompts/CODE_STYLEGUIDE_PYTHON.md)
-- [Go HTTP Server Conventions](https://git.eeqj.de/sneak/prompts/raw/branch/main/prompts/GO_HTTP_SERVER_CONVENTIONS.md)
-
----
-
-- Cross-project documentation (such as this file) must include
-  `last_modified: YYYY-MM-DD` in the YAML front matter so it can be kept in sync
-  with the authoritative source as policies evolve.
-
-- **ALL external references must be pinned by cryptographic hash.** This
-  includes Docker base images, Go modules, npm packages, GitHub Actions, and
-  anything else fetched from a remote source. Version tags (`@v4`, `@latest`,
-  `:3.21`, etc.) are server-mutable and therefore remote code execution
-  vulnerabilities. The ONLY acceptable way to reference an external dependency
-  is by its content hash (Docker `@sha256:...`, Go module hash in `go.sum`, npm
-  integrity hash in lockfile, GitHub Actions `@<commit-sha>`). No exceptions.
-  This also means never `curl | bash` to install tools like pyenv, nvm, rustup,
-  etc. Instead, download a specific release archive from GitHub, verify its hash
-  (hardcoded in the Dockerfile or script), and only then install. Unverified
-  install scripts are arbitrary remote code execution. This is the single most
-  important rule in this document. Double-check every external reference in
-  every file before committing. There are zero exceptions to this rule.
-
-- Every repo with software must have a root `Makefile` with these targets:
-  `make test`, `make lint`, `make fmt` (writes), `make fmt-check` (read-only),
-  `make check` (prereqs: `test`, `lint`, `fmt-check`), `make docker`, and
-  `make hooks` (installs pre-commit hook). A model Makefile is at
-  `https://git.eeqj.de/sneak/prompts/raw/branch/main/Makefile`.
-
-- Always use Makefile targets (`make fmt`, `make test`, `make lint`, etc.)
-  instead of invoking the underlying tools directly. The Makefile is the single
-  source of truth for how these operations are run.
-
-- The Makefile is authoritative documentation for how the repo is used. Beyond
-  the required targets above, it should have targets for every common operation:
-  running a local development server (`make run`, `make dev`), re-initializing
-  or migrating the database (`make db-reset`, `make migrate`), building
-  artifacts (`make build`), generating code, seeding data, or anything else a
-  developer would do regularly. If someone checks out the repo and types
-  `make<tab>`, they should see every meaningful operation available. A new
-  contributor should be able to understand the entire development workflow by
-  reading the Makefile.
-
-- Every repo should have a `Dockerfile`. All Dockerfiles must run `make check`
-  as a build step so the build fails if the branch is not green. For non-server
-  repos, the Dockerfile should bring up a development environment and run
-  `make check`. For server repos, `make check` should run as an early build
-  stage before the final image is assembled.
-
-- Every repo should have a Gitea Actions workflow (`.gitea/workflows/`) that
-  runs `docker build .` on push. Since the Dockerfile already runs `make check`,
-  a successful build implies all checks pass.
-
-- Use platform-standard formatters: `black` for Python, `prettier` for
-  JS/CSS/Markdown/HTML, `go fmt` for Go. Always use default configuration with
-  two exceptions: four-space indents (except Go), and `proseWrap: always` for
-  Markdown (hard-wrap at 80 columns). Documentation and writing repos (Markdown,
-  HTML, CSS) should also have `.prettierrc` and `.prettierignore`.
-
-- Pre-commit hook: `make check` if local testing is possible, otherwise
-  `make lint && make fmt-check`. The Makefile should provide a `make hooks`
-  target to install the pre-commit hook.
-
-- All repos with software must have tests that run via the platform-standard
-  test framework (`go test`, `pytest`, `jest`/`vitest`, etc.). If no meaningful
-  tests exist yet, add the most minimal test possible — e.g. importing the
-  module under test to verify it compiles/parses. There is no excuse for
-  `make test` to be a no-op.
-
-- `make test` must complete in under 20 seconds. Add a 30-second timeout in the
-  Makefile.
-
-- Docker builds must complete in under 5 minutes.
-
-- `make check` must not modify any files in the repo. Tests may use temporary
-  directories.
-
-- `main` must always pass `make check`, no exceptions.
-
-- Never commit secrets. `.env` files, credentials, API keys, and private keys
-  must be in `.gitignore`. No exceptions.
-
-- `.gitignore` should be comprehensive from the start: OS files (`.DS_Store`),
-  editor files (`.swp`, `*~`), language build artifacts, and `node_modules/`.
-  Fetch the standard `.gitignore` from
-  `https://git.eeqj.de/sneak/prompts/raw/branch/main/.gitignore` when setting up
-  a new repo.
-
-- Never use `git add -A` or `git add .`. Always stage files explicitly by name.
-
-- Never force-push to `main`.
-
-- Make all changes on a feature branch. You can do whatever you want on a
-  feature branch.
-
-- `.golangci.yml` is standardized and must _NEVER_ be modified by an agent, only
-  manually by the user. Fetch from
-  `https://git.eeqj.de/sneak/prompts/raw/branch/main/.golangci.yml`.
-
-- When pinning images or packages by hash, add a comment above the reference
-  with the version and date (YYYY-MM-DD).
-
-- Use `yarn`, not `npm`.
-
-- Write all dates as YYYY-MM-DD (ISO 8601).
-
-- Simple projects should be configured with environment variables.
-
-- Dockerized web services listen on port 8080 by default, overridable with
-  `PORT`.
-
-- `README.md` is the primary documentation. Required sections:
-    - **Description**: First line must include the project name, purpose,
-      category (web server, SPA, CLI tool, etc.), license, and author. Example:
-      "µPaaS is an MIT-licensed Go web application by @sneak that receives
-      git-frontend webhooks and deploys applications via Docker in realtime."
-    - **Getting Started**: Copy-pasteable install/usage code block.
-    - **Rationale**: Why does this exist?
-    - **Design**: How is the program structured?
-    - **TODO**: Update meticulously, even between commits. When planning, put
-      the todo list in the README so a new agent can pick up where the last one
-      left off.
-    - **License**: MIT, GPL, or WTFPL. Ask the user for new projects. Include a
-      `LICENSE` file in the repo root and a License section in the README.
-    - **Author**: [@sneak](https://sneak.berlin).
-
-- First commit of a new repo should contain only `README.md`.
-
-- Go module root: `sneak.berlin/go/<name>`. Always run `go mod tidy` before
-  committing.
-
-- Use SemVer.
-
-- Database migrations live in `internal/db/migrations/` and must be embedded in
-  the binary.
-  - `000_migration.sql` — contains ONLY the creation of the migrations tracking
-    table itself. Nothing else.
-  - `001_schema.sql` — the full application schema.
-  - **Pre-1.0.0:** never add additional migration files (002, 003, etc.). There
-    is no installed base to migrate. Edit `001_schema.sql` directly.
-  - **Post-1.0.0:** add new numbered migration files for each schema change.
-    Never edit existing migrations after release.
-
-- All repos should have an `.editorconfig` enforcing the project's indentation
-  settings.
-
-- Avoid putting files in the repo root unless necessary. Root should contain
-  only project-level config files (`README.md`, `Makefile`, `Dockerfile`,
-  `LICENSE`, `.gitignore`, `.editorconfig`, `REPO_POLICIES.md`, and
-  language-specific config). Everything else goes in a subdirectory. Canonical
-  subdirectory names:
-    - `bin/` — executable scripts and tools
-    - `cmd/` — Go command entrypoints
-    - `configs/` — configuration templates and examples
-    - `deploy/` — deployment manifests (k8s, compose, terraform)
-    - `docs/` — documentation and markdown (README.md stays in root)
-    - `internal/` — Go internal packages
-    - `internal/db/migrations/` — database migrations
-    - `pkg/` — Go library packages
-    - `share/` — systemd units, data files
-    - `static/` — static assets (images, fonts, etc.)
-    - `web/` — web frontend source
-
-- When setting up a new repo, files from the `prompts` repo may be used as
-  templates. Fetch them from
-  `https://git.eeqj.de/sneak/prompts/raw/branch/main/<path>`.
-
-- New repos must contain at minimum:
-    - `README.md`, `.git`, `.gitignore`, `.editorconfig`
-    - `LICENSE`, `REPO_POLICIES.md` (copy from the `prompts` repo)
-    - `Makefile`
-    - `Dockerfile`, `.dockerignore`
-    - `.gitea/workflows/check.yml`
-    - Go: `go.mod`, `go.sum`, `.golangci.yml`
-    - JS: `package.json`, `yarn.lock`, `.prettierrc`, `.prettierignore`
-    - Python: `pyproject.toml`

cmd/upaasd/main.go

@@ -4,20 +4,20 @@ package main
 import (
 	"go.uber.org/fx"
 
-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/docker"
-	"sneak.berlin/go/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/handlers"
-	"sneak.berlin/go/upaas/internal/healthcheck"
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/middleware"
-	"sneak.berlin/go/upaas/internal/server"
-	"sneak.berlin/go/upaas/internal/service/app"
-	"sneak.berlin/go/upaas/internal/service/auth"
-	"sneak.berlin/go/upaas/internal/service/deploy"
-	"sneak.berlin/go/upaas/internal/service/notify"
-	"sneak.berlin/go/upaas/internal/service/webhook"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/handlers"
+	"git.eeqj.de/sneak/upaas/internal/healthcheck"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/middleware"
+	"git.eeqj.de/sneak/upaas/internal/server"
+	"git.eeqj.de/sneak/upaas/internal/service/app"
+	"git.eeqj.de/sneak/upaas/internal/service/auth"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
+	"git.eeqj.de/sneak/upaas/internal/service/notify"
+	"git.eeqj.de/sneak/upaas/internal/service/webhook"
 
 	_ "github.com/joho/godotenv/autoload"
 )

go.mod

@@ -1,4 +1,4 @@
-module sneak.berlin/go/upaas
+module git.eeqj.de/sneak/upaas
 
 go 1.25
 
@@ -19,7 +19,6 @@ require (
 	github.com/stretchr/testify v1.11.1
 	go.uber.org/fx v1.24.0
 	golang.org/x/crypto v0.46.0
-	golang.org/x/time v0.12.0
 )
 
 require (
@@ -75,6 +74,7 @@ require (
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/sys v0.39.0 // indirect
 	golang.org/x/text v0.32.0 // indirect
+	golang.org/x/time v0.12.0 // indirect
 	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gotest.tools/v3 v3.5.2 // indirect

internal/config/config.go

@@ -13,8 +13,8 @@ import (
 	"github.com/spf13/viper"
 	"go.uber.org/fx"
 
-	"sneak.berlin/go/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/logger"
 )
 
 // defaultPort is the default HTTP server port.

internal/database/database.go

@@ -14,8 +14,8 @@ import (
 	_ "github.com/mattn/go-sqlite3" // SQLite driver
 	"go.uber.org/fx"
 
-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/logger"
 )
 
 // dataDirPermissions is the file permission for the data directory.

internal/database/hash_test.go

@@ -5,7 +5,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 
 func TestHashWebhookSecret(t *testing.T) {

internal/database/testing.go

@@ -5,8 +5,8 @@ import (
 	"os"
 	"testing"
 
-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/logger"
 )
 
 // NewTestDatabase creates an in-memory Database for testing.

internal/docker/client.go

@@ -25,9 +25,9 @@ import (
 	"github.com/docker/go-connections/nat"
 	"go.uber.org/fx"
 
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
 
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
 )
 
 // sshKeyPermissions is the file permission for SSH private keys.

internal/handlers/api.go

@@ -7,7 +7,7 @@ import (
 
 	"github.com/go-chi/chi/v5"
 
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
 )
 
 // apiAppResponse is the JSON representation of an app.

internal/handlers/api_test.go

@@ -11,7 +11,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"sneak.berlin/go/upaas/internal/service/app"
+	"git.eeqj.de/sneak/upaas/internal/service/app"
 )
 
 // apiRouter builds a chi router with the API routes using session auth middleware.

internal/handlers/app.go

@@ -15,9 +15,9 @@ import (
 
 	"github.com/go-chi/chi/v5"
 
-	"sneak.berlin/go/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/service/app"
-	"sneak.berlin/go/upaas/templates"
+	"git.eeqj.de/sneak/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/service/app"
+	"git.eeqj.de/sneak/upaas/templates"
 )
 
 const (
@@ -54,18 +54,12 @@ func (h *Handlers) HandleAppCreate() http.HandlerFunc { //nolint:funlen // valid
 		repoURL := request.FormValue("repo_url")
 		branch := request.FormValue("branch")
 		dockerfilePath := request.FormValue("dockerfile_path")
-		dockerNetwork := request.FormValue("docker_network")
-		ntfyTopic := request.FormValue("ntfy_topic")
-		slackWebhook := request.FormValue("slack_webhook")
 
 		data := h.addGlobals(map[string]any{
 			"Name":           name,
 			"RepoURL":        repoURL,
 			"Branch":         branch,
 			"DockerfilePath": dockerfilePath,
-			"DockerNetwork":  dockerNetwork,
-			"NtfyTopic":      ntfyTopic,
-			"SlackWebhook":   slackWebhook,
 		}, request)
 
 		if name == "" || repoURL == "" {
@@ -106,9 +100,6 @@ func (h *Handlers) HandleAppCreate() http.HandlerFunc { //nolint:funlen // valid
 				RepoURL:        repoURL,
 				Branch:         branch,
 				DockerfilePath: dockerfilePath,
-				DockerNetwork:  dockerNetwork,
-				NtfyTopic:      ntfyTopic,
-				SlackWebhook:   slackWebhook,
 			},
 		)
 		if createErr != nil {
@@ -903,92 +894,50 @@ func (h *Handlers) addKeyValueToApp(
 	http.Redirect(writer, request, "/apps/"+application.ID, http.StatusSeeOther)
 }
 
-// envPairJSON represents a key-value pair in the JSON request body.
-type envPairJSON struct {
-	Key   string `json:"key"`
-	Value string `json:"value"`
-}
+// HandleEnvVarAdd handles adding an environment variable.
+func (h *Handlers) HandleEnvVarAdd() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		h.addKeyValueToApp(
+			writer,
+			request,
+			func(ctx context.Context, application *models.App, key, value string) error {
+				envVar := models.NewEnvVar(h.db)
+				envVar.AppID = application.ID
+				envVar.Key = key
+				envVar.Value = value
 
-// envVarMaxBodyBytes is the maximum allowed request body size for env var saves (1 MB).
-const envVarMaxBodyBytes = 1 << 20
-
-// validateEnvPairs validates env var pairs.
-// It rejects empty keys and duplicate keys (returns a non-empty error string).
-func validateEnvPairs(pairs []envPairJSON) ([]models.EnvVarPair, string) {
-	seen := make(map[string]bool, len(pairs))
-
-	result := make([]models.EnvVarPair, 0, len(pairs))
-
-	for _, p := range pairs {
-		trimmedKey := strings.TrimSpace(p.Key)
-		if trimmedKey == "" {
-			return nil, "empty environment variable key is not allowed"
-		}
-
-		if seen[trimmedKey] {
-			return nil, "duplicate environment variable key: " + trimmedKey
-		}
-
-		seen[trimmedKey] = true
-
-		result = append(result, models.EnvVarPair{Key: trimmedKey, Value: p.Value})
+				return envVar.Save(ctx)
+			},
+		)
 	}
-
-	return result, ""
 }
 
-// HandleEnvVarSave handles bulk saving of all environment variables.
-// It reads a JSON array of {key, value} objects from the request body,
-// deletes all existing env vars for the app, and inserts the full
-// submitted set atomically within a database transaction.
-// Duplicate keys are rejected with a 400 Bad Request error.
-func (h *Handlers) HandleEnvVarSave() http.HandlerFunc {
+// HandleEnvVarDelete handles deleting an environment variable.
+func (h *Handlers) HandleEnvVarDelete() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		appID := chi.URLParam(request, "id")
+		envVarIDStr := chi.URLParam(request, "varID")
 
-		application, findErr := models.FindApp(request.Context(), h.db, appID)
-		if findErr != nil || application == nil {
+		envVarID, parseErr := strconv.ParseInt(envVarIDStr, 10, 64)
+		if parseErr != nil {
 			http.NotFound(writer, request)
 
 			return
 		}
 
-		// Limit request body size to prevent abuse
-		request.Body = http.MaxBytesReader(writer, request.Body, envVarMaxBodyBytes)
-
-		var pairs []envPairJSON
-
-		decodeErr := json.NewDecoder(request.Body).Decode(&pairs)
-		if decodeErr != nil {
-			h.respondJSON(writer, request, map[string]string{
-				"error": "invalid request body",
-			}, http.StatusBadRequest)
+		envVar, findErr := models.FindEnvVar(request.Context(), h.db, envVarID)
+		if findErr != nil || envVar == nil || envVar.AppID != appID {
+			http.NotFound(writer, request)
 
 			return
 		}
 
-		modelPairs, validationErr := validateEnvPairs(pairs)
-		if validationErr != "" {
-			h.respondJSON(writer, request, map[string]string{
-				"error": validationErr,
-			}, http.StatusBadRequest)
-
-			return
+		deleteErr := envVar.Delete(request.Context())
+		if deleteErr != nil {
+			h.log.Error("failed to delete env var", "error", deleteErr)
 		}
 
-		replaceErr := models.ReplaceEnvVarsByAppID(
-			request.Context(), h.db, application.ID, modelPairs,
-		)
-		if replaceErr != nil {
-			h.log.Error("failed to replace env vars", "error", replaceErr)
-			h.respondJSON(writer, request, map[string]string{
-				"error": "failed to save environment variables",
-			}, http.StatusInternalServerError)
-
-			return
-		}
-
-		h.respondJSON(writer, request, map[string]bool{"ok": true}, http.StatusOK)
+		http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
 	}
 }
 
@@ -1247,6 +1196,59 @@ func ValidateVolumePath(p string) error {
 	return nil
 }
 
+// HandleEnvVarEdit handles editing an existing environment variable.
+func (h *Handlers) HandleEnvVarEdit() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		appID := chi.URLParam(request, "id")
+		envVarIDStr := chi.URLParam(request, "varID")
+
+		envVarID, parseErr := strconv.ParseInt(envVarIDStr, 10, 64)
+		if parseErr != nil {
+			http.NotFound(writer, request)
+
+			return
+		}
+
+		envVar, findErr := models.FindEnvVar(request.Context(), h.db, envVarID)
+		if findErr != nil || envVar == nil || envVar.AppID != appID {
+			http.NotFound(writer, request)
+
+			return
+		}
+
+		formErr := request.ParseForm()
+		if formErr != nil {
+			http.Error(writer, "Bad Request", http.StatusBadRequest)
+
+			return
+		}
+
+		key := request.FormValue("key")
+		value := request.FormValue("value")
+
+		if key == "" || value == "" {
+			http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
+
+			return
+		}
+
+		envVar.Key = key
+		envVar.Value = value
+
+		saveErr := envVar.Save(request.Context())
+		if saveErr != nil {
+			h.log.Error("failed to update env var", "error", saveErr)
+		}
+
+		http.Redirect(
+			writer,
+			request,
+			"/apps/"+appID+"?success=env-updated",
+			http.StatusSeeOther,
+		)
+	}
+}
+
 // HandleLabelEdit handles editing an existing label.
 func (h *Handlers) HandleLabelEdit() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {

internal/handlers/auth.go

@@ -3,7 +3,7 @@ package handlers
 import (
 	"net/http"
 
-	"sneak.berlin/go/upaas/templates"
+	"git.eeqj.de/sneak/upaas/templates"
 )
 
 // HandleLoginGET returns the login page handler.

internal/handlers/dashboard.go

@@ -4,8 +4,8 @@ import (
 	"net/http"
 	"time"
 
-	"sneak.berlin/go/upaas/internal/models"
-	"sneak.berlin/go/upaas/templates"
+	"git.eeqj.de/sneak/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/templates"
 )
 
 // AppStats holds deployment statistics for an app.

internal/handlers/handlers.go

@@ -10,16 +10,16 @@ import (
 	"github.com/gorilla/csrf"
 	"go.uber.org/fx"
 
-	"sneak.berlin/go/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/docker"
-	"sneak.berlin/go/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/healthcheck"
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/service/app"
-	"sneak.berlin/go/upaas/internal/service/auth"
-	"sneak.berlin/go/upaas/internal/service/deploy"
-	"sneak.berlin/go/upaas/internal/service/webhook"
-	"sneak.berlin/go/upaas/templates"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/healthcheck"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/service/app"
+	"git.eeqj.de/sneak/upaas/internal/service/auth"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
+	"git.eeqj.de/sneak/upaas/internal/service/webhook"
+	"git.eeqj.de/sneak/upaas/templates"
 )
 
 // Params contains dependencies for Handlers.

internal/handlers/handlers_test.go

@@ -15,21 +15,21 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"
 
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
 
-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/docker"
-	"sneak.berlin/go/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/handlers"
-	"sneak.berlin/go/upaas/internal/healthcheck"
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/middleware"
-	"sneak.berlin/go/upaas/internal/service/app"
-	"sneak.berlin/go/upaas/internal/service/auth"
-	"sneak.berlin/go/upaas/internal/service/deploy"
-	"sneak.berlin/go/upaas/internal/service/notify"
-	"sneak.berlin/go/upaas/internal/service/webhook"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/handlers"
+	"git.eeqj.de/sneak/upaas/internal/healthcheck"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/middleware"
+	"git.eeqj.de/sneak/upaas/internal/service/app"
+	"git.eeqj.de/sneak/upaas/internal/service/auth"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
+	"git.eeqj.de/sneak/upaas/internal/service/notify"
+	"git.eeqj.de/sneak/upaas/internal/service/webhook"
 )
 
 type testContext struct {
@@ -404,25 +404,6 @@ func TestHandleDashboard(t *testing.T) {
 		assert.Equal(t, http.StatusOK, recorder.Code)
 		assert.Contains(t, recorder.Body.String(), "Applications")
 	})
-
-	t.Run("renders dashboard with apps without crashing on CSRFField", func(t *testing.T) {
-		t.Parallel()
-
-		testCtx := setupTestHandlers(t)
-
-		// Create an app so the template iterates over AppStats and hits .CSRFField
-		createTestApp(t, testCtx, "csrf-test-app")
-
-		request := httptest.NewRequest(http.MethodGet, "/", nil)
-		recorder := httptest.NewRecorder()
-
-		handler := testCtx.handlers.HandleDashboard()
-		handler.ServeHTTP(recorder, request)
-
-		assert.Equal(t, http.StatusOK, recorder.Code,
-			"dashboard should not 500 when apps exist (CSRFField must be accessible)")
-		assert.Contains(t, recorder.Body.String(), "csrf-test-app")
-	})
 }
 
 func TestHandleAppNew(t *testing.T) {
@@ -560,242 +541,45 @@ func testOwnershipVerification(t *testing.T, cfg ownedResourceTestConfig) {
 	cfg.verifyFn(t, testCtx, resourceID)
 }
 
-// TestHandleEnvVarSaveBulk tests that HandleEnvVarSave replaces all env vars
-// for an app with the submitted set (monolithic delete-all + insert-all).
-func TestHandleEnvVarSaveBulk(t *testing.T) {
+// TestDeleteEnvVarOwnershipVerification tests that deleting an env var
+// via another app's URL path returns 404 (IDOR prevention).
+func TestDeleteEnvVarOwnershipVerification(t *testing.T) { //nolint:dupl // intentionally similar IDOR test pattern
 	t.Parallel()
 
-	testCtx := setupTestHandlers(t)
-	createdApp := createTestApp(t, testCtx, "envvar-bulk-app")
+	testOwnershipVerification(t, ownedResourceTestConfig{
+		appPrefix1: "envvar-owner-app",
+		appPrefix2: "envvar-other-app",
+		createFn: func(t *testing.T, tc *testContext, ownerApp *models.App) int64 {
+			t.Helper()
 
-	// Create some pre-existing env vars
-	for _, kv := range [][2]string{{"OLD_KEY", "old_value"}, {"REMOVE_ME", "gone"}} {
-		ev := models.NewEnvVar(testCtx.database)
-		ev.AppID = createdApp.ID
-		ev.Key = kv[0]
-		ev.Value = kv[1]
-		require.NoError(t, ev.Save(context.Background()))
-	}
+			envVar := models.NewEnvVar(tc.database)
+			envVar.AppID = ownerApp.ID
+			envVar.Key = "SECRET"
+			envVar.Value = "hunter2"
+			require.NoError(t, envVar.Save(context.Background()))
 
-	// Submit a new set as a JSON array of key/value objects
-	body := `[{"key":"NEW_KEY","value":"new_value"},{"key":"ANOTHER","value":"42"}]`
+			return envVar.ID
+		},
+		deletePath: func(appID string, resourceID int64) string {
+			return "/apps/" + appID + "/env/" + strconv.FormatInt(resourceID, 10) + "/delete"
+		},
+		chiParams: func(appID string, resourceID int64) map[string]string {
+			return map[string]string{"id": appID, "varID": strconv.FormatInt(resourceID, 10)}
+		},
+		handler: func(h *handlers.Handlers) http.HandlerFunc { return h.HandleEnvVarDelete() },
+		verifyFn: func(t *testing.T, tc *testContext, resourceID int64) {
+			t.Helper()
 
-	r := chi.NewRouter()
-	r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
-
-	request := httptest.NewRequest(
-		http.MethodPost,
-		"/apps/"+createdApp.ID+"/env",
-		strings.NewReader(body),
-	)
-	request.Header.Set("Content-Type", "application/json")
-
-	recorder := httptest.NewRecorder()
-	r.ServeHTTP(recorder, request)
-
-	assert.Equal(t, http.StatusOK, recorder.Code)
-
-	// Verify old env vars are gone and new ones exist
-	envVars, err := models.FindEnvVarsByAppID(
-		context.Background(), testCtx.database, createdApp.ID,
-	)
-	require.NoError(t, err)
-	assert.Len(t, envVars, 2)
-
-	keys := make(map[string]string)
-	for _, ev := range envVars {
-		keys[ev.Key] = ev.Value
-	}
-
-	assert.Equal(t, "new_value", keys["NEW_KEY"])
-	assert.Equal(t, "42", keys["ANOTHER"])
-	assert.Empty(t, keys["OLD_KEY"], "old env vars should be deleted")
-	assert.Empty(t, keys["REMOVE_ME"], "old env vars should be deleted")
-}
-
-// TestHandleEnvVarSaveAppNotFound tests that HandleEnvVarSave returns 404
-// for a non-existent app.
-func TestHandleEnvVarSaveAppNotFound(t *testing.T) {
-	t.Parallel()
-
-	testCtx := setupTestHandlers(t)
-
-	body := `[{"key":"KEY","value":"value"}]`
-
-	r := chi.NewRouter()
-	r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
-
-	request := httptest.NewRequest(
-		http.MethodPost,
-		"/apps/nonexistent-id/env",
-		strings.NewReader(body),
-	)
-	request.Header.Set("Content-Type", "application/json")
-
-	recorder := httptest.NewRecorder()
-	r.ServeHTTP(recorder, request)
-
-	assert.Equal(t, http.StatusNotFound, recorder.Code)
-}
-
-// TestHandleEnvVarSaveEmptyKeyRejected verifies that submitting a JSON
-// array containing an entry with an empty key returns 400.
-func TestHandleEnvVarSaveEmptyKeyRejected(t *testing.T) {
-	t.Parallel()
-
-	testCtx := setupTestHandlers(t)
-	createdApp := createTestApp(t, testCtx, "envvar-emptykey-app")
-
-	body := `[{"key":"VALID_KEY","value":"ok"},{"key":"","value":"bad"}]`
-
-	r := chi.NewRouter()
-	r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
-
-	request := httptest.NewRequest(
-		http.MethodPost,
-		"/apps/"+createdApp.ID+"/env",
-		strings.NewReader(body),
-	)
-	request.Header.Set("Content-Type", "application/json")
-
-	recorder := httptest.NewRecorder()
-	r.ServeHTTP(recorder, request)
-
-	assert.Equal(t, http.StatusBadRequest, recorder.Code)
-}
-
-// TestHandleEnvVarSaveDuplicateKeyRejected verifies that when the client
-// sends duplicate keys, the server rejects them with 400 Bad Request.
-func TestHandleEnvVarSaveDuplicateKeyRejected(t *testing.T) {
-	t.Parallel()
-
-	testCtx := setupTestHandlers(t)
-	createdApp := createTestApp(t, testCtx, "envvar-dedup-app")
-
-	// Send two entries with the same key — should be rejected
-	body := `[{"key":"FOO","value":"first"},{"key":"BAR","value":"bar"},{"key":"FOO","value":"second"}]`
-
-	r := chi.NewRouter()
-	r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
-
-	request := httptest.NewRequest(
-		http.MethodPost,
-		"/apps/"+createdApp.ID+"/env",
-		strings.NewReader(body),
-	)
-	request.Header.Set("Content-Type", "application/json")
-
-	recorder := httptest.NewRecorder()
-	r.ServeHTTP(recorder, request)
-
-	assert.Equal(t, http.StatusBadRequest, recorder.Code)
-	assert.Contains(t, recorder.Body.String(), "duplicate environment variable key: FOO")
-}
-
-// TestHandleEnvVarSaveCrossAppIsolation verifies that posting env vars
-// to appA's endpoint does not affect appB's env vars (IDOR prevention).
-func TestHandleEnvVarSaveCrossAppIsolation(t *testing.T) {
-	t.Parallel()
-
-	testCtx := setupTestHandlers(t)
-	appA := createTestApp(t, testCtx, "envvar-iso-appA")
-	appB := createTestApp(t, testCtx, "envvar-iso-appB")
-
-	// Give appB some env vars
-	for _, kv := range [][2]string{{"B_KEY1", "b_val1"}, {"B_KEY2", "b_val2"}} {
-		ev := models.NewEnvVar(testCtx.database)
-		ev.AppID = appB.ID
-		ev.Key = kv[0]
-		ev.Value = kv[1]
-		require.NoError(t, ev.Save(context.Background()))
-	}
-
-	// POST new env vars to appA's endpoint
-	body := `[{"key":"A_KEY","value":"a_val"}]`
-
-	r := chi.NewRouter()
-	r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
-
-	request := httptest.NewRequest(
-		http.MethodPost,
-		"/apps/"+appA.ID+"/env",
-		strings.NewReader(body),
-	)
-	request.Header.Set("Content-Type", "application/json")
-
-	recorder := httptest.NewRecorder()
-	r.ServeHTTP(recorder, request)
-
-	assert.Equal(t, http.StatusOK, recorder.Code)
-
-	// Verify appA has exactly what we sent
-	appAVars, err := models.FindEnvVarsByAppID(
-		context.Background(), testCtx.database, appA.ID,
-	)
-	require.NoError(t, err)
-	assert.Len(t, appAVars, 1)
-	assert.Equal(t, "A_KEY", appAVars[0].Key)
-
-	// Verify appB's env vars are completely untouched
-	appBVars, err := models.FindEnvVarsByAppID(
-		context.Background(), testCtx.database, appB.ID,
-	)
-	require.NoError(t, err)
-	assert.Len(t, appBVars, 2, "appB env vars must not be affected")
-
-	bKeys := make(map[string]string)
-	for _, ev := range appBVars {
-		bKeys[ev.Key] = ev.Value
-	}
-
-	assert.Equal(t, "b_val1", bKeys["B_KEY1"])
-	assert.Equal(t, "b_val2", bKeys["B_KEY2"])
-}
-
-// TestHandleEnvVarSaveBodySizeLimit verifies that a request body
-// exceeding the 1 MB limit is rejected.
-func TestHandleEnvVarSaveBodySizeLimit(t *testing.T) {
-	t.Parallel()
-
-	testCtx := setupTestHandlers(t)
-	createdApp := createTestApp(t, testCtx, "envvar-sizelimit-app")
-
-	// Build a JSON body that exceeds 1 MB
-	// Each entry is ~30 bytes; 40000 entries ≈ 1.2 MB
-	var sb strings.Builder
-
-	sb.WriteString("[")
-
-	for i := range 40000 {
-		if i > 0 {
-			sb.WriteString(",")
-		}
-
-		sb.WriteString(`{"key":"K` + strconv.Itoa(i) + `","value":"val"}`)
-	}
-
-	sb.WriteString("]")
-
-	r := chi.NewRouter()
-	r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
-
-	request := httptest.NewRequest(
-		http.MethodPost,
-		"/apps/"+createdApp.ID+"/env",
-		strings.NewReader(sb.String()),
-	)
-	request.Header.Set("Content-Type", "application/json")
-
-	recorder := httptest.NewRecorder()
-	r.ServeHTTP(recorder, request)
-
-	assert.Equal(t, http.StatusBadRequest, recorder.Code,
-		"oversized body should be rejected with 400")
+			found, findErr := models.FindEnvVar(context.Background(), tc.database, resourceID)
+			require.NoError(t, findErr)
+			assert.NotNil(t, found, "env var should still exist after IDOR attempt")
+		},
+	})
 }
 
 // TestDeleteLabelOwnershipVerification tests that deleting a label
 // via another app's URL path returns 404 (IDOR prevention).
-func TestDeleteLabelOwnershipVerification(t *testing.T) {
+func TestDeleteLabelOwnershipVerification(t *testing.T) { //nolint:dupl // intentionally similar IDOR test pattern
 	t.Parallel()
 
 	testOwnershipVerification(t, ownedResourceTestConfig{
@@ -911,43 +695,41 @@ func TestDeletePortOwnershipVerification(t *testing.T) {
 	assert.NotNil(t, found, "port should still exist after IDOR attempt")
 }
 
-// TestHandleEnvVarSaveEmptyClears verifies that submitting an empty JSON
-// array deletes all existing env vars for the app.
-func TestHandleEnvVarSaveEmptyClears(t *testing.T) {
+// TestHandleEnvVarDeleteUsesCorrectRouteParam verifies that HandleEnvVarDelete
+// reads the "varID" chi URL parameter (matching the route definition {varID}),
+// not a mismatched name like "envID".
+func TestHandleEnvVarDeleteUsesCorrectRouteParam(t *testing.T) {
 	t.Parallel()
 
 	testCtx := setupTestHandlers(t)
-	createdApp := createTestApp(t, testCtx, "envvar-clear-app")
 
-	// Create a pre-existing env var
-	ev := models.NewEnvVar(testCtx.database)
-	ev.AppID = createdApp.ID
-	ev.Key = "DELETE_ME"
-	ev.Value = "gone"
-	require.NoError(t, ev.Save(context.Background()))
+	createdApp := createTestApp(t, testCtx, "envdelete-param-app")
 
-	// Submit empty JSON array
+	envVar := models.NewEnvVar(testCtx.database)
+	envVar.AppID = createdApp.ID
+	envVar.Key = "DELETE_ME"
+	envVar.Value = "gone"
+	require.NoError(t, envVar.Save(context.Background()))
+
+	// Use chi router with the real route pattern to test param name
 	r := chi.NewRouter()
-	r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
+	r.Post("/apps/{id}/env-vars/{varID}/delete", testCtx.handlers.HandleEnvVarDelete())
 
 	request := httptest.NewRequest(
 		http.MethodPost,
-		"/apps/"+createdApp.ID+"/env",
-		strings.NewReader("[]"),
+		"/apps/"+createdApp.ID+"/env-vars/"+strconv.FormatInt(envVar.ID, 10)+"/delete",
+		nil,
 	)
-	request.Header.Set("Content-Type", "application/json")
-
 	recorder := httptest.NewRecorder()
+
 	r.ServeHTTP(recorder, request)
 
-	assert.Equal(t, http.StatusOK, recorder.Code)
+	assert.Equal(t, http.StatusSeeOther, recorder.Code)
 
-	// Verify all env vars are gone
-	envVars, err := models.FindEnvVarsByAppID(
-		context.Background(), testCtx.database, createdApp.ID,
-	)
-	require.NoError(t, err)
-	assert.Empty(t, envVars, "all env vars should be deleted")
+	// Verify the env var was actually deleted
+	found, findErr := models.FindEnvVar(context.Background(), testCtx.database, envVar.ID)
+	require.NoError(t, findErr)
+	assert.Nil(t, found, "env var should be deleted when using correct route param")
 }
 
 // TestHandleVolumeAddValidatesPaths verifies that HandleVolumeAdd validates

internal/handlers/repo_url_validation_test.go

@@ -3,7 +3,7 @@ package handlers_test
 import (
 	"testing"
 
-	"sneak.berlin/go/upaas/internal/handlers"
+	"git.eeqj.de/sneak/upaas/internal/handlers"
 )
 
 func TestValidateRepoURL(t *testing.T) {

internal/handlers/sanitize_test.go

@@ -3,7 +3,7 @@ package handlers_test
 import (
 	"testing"
 
-	"sneak.berlin/go/upaas/internal/handlers"
+	"git.eeqj.de/sneak/upaas/internal/handlers"
 )
 
 func TestSanitizeLogs(t *testing.T) { //nolint:funlen // table-driven tests

internal/handlers/setup.go

@@ -3,7 +3,7 @@ package handlers
 import (
 	"net/http"
 
-	"sneak.berlin/go/upaas/templates"
+	"git.eeqj.de/sneak/upaas/templates"
 )
 
 const (

internal/handlers/tail_validation_test.go

@@ -3,7 +3,7 @@ package handlers_test
 import (
 	"testing"
 
-	"sneak.berlin/go/upaas/internal/handlers"
+	"git.eeqj.de/sneak/upaas/internal/handlers"
 )
 
 func TestSanitizeTail(t *testing.T) {

internal/handlers/webhook.go

@@ -6,15 +6,13 @@ import (
 
 	"github.com/go-chi/chi/v5"
 
-	"sneak.berlin/go/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/service/webhook"
+	"git.eeqj.de/sneak/upaas/internal/models"
 )
 
 // maxWebhookBodySize is the maximum allowed size of a webhook request body (1MB).
 const maxWebhookBodySize = 1 << 20
 
-// HandleWebhook handles incoming webhooks from Gitea, GitHub, or GitLab.
-// The webhook source is auto-detected from HTTP headers.
+// HandleWebhook handles incoming Gitea webhooks.
 func (h *Handlers) HandleWebhook() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		secret := chi.URLParam(request, "secret")
@@ -52,17 +50,16 @@ func (h *Handlers) HandleWebhook() http.HandlerFunc {
 			return
 		}
 
-		// Auto-detect webhook source from headers
-		source := webhook.DetectWebhookSource(request.Header)
-
-		// Extract event type based on detected source
-		eventType := webhook.DetectEventType(request.Header, source)
+		// Get event type from header
+		eventType := request.Header.Get("X-Gitea-Event")
+		if eventType == "" {
+			eventType = "push"
+		}
 
 		// Process webhook
 		webhookErr := h.webhook.HandleWebhook(
 			request.Context(),
 			application,
-			source,
 			eventType,
 			body,
 		)

internal/handlers/webhook_events.go

@@ -1,56 +0,0 @@
-package handlers
-
-import (
-	"net/http"
-
-	"github.com/go-chi/chi/v5"
-
-	"sneak.berlin/go/upaas/internal/models"
-	"sneak.berlin/go/upaas/templates"
-)
-
-// webhookEventsLimit is the number of webhook events to show in history.
-const webhookEventsLimit = 100
-
-// HandleAppWebhookEvents returns the webhook event history handler.
-func (h *Handlers) HandleAppWebhookEvents() http.HandlerFunc {
-	tmpl := templates.GetParsed()
-
-	return func(writer http.ResponseWriter, request *http.Request) {
-		appID := chi.URLParam(request, "id")
-
-		application, findErr := models.FindApp(request.Context(), h.db, appID)
-		if findErr != nil {
-			h.log.Error("failed to find app", "error", findErr)
-			http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
-
-			return
-		}
-
-		if application == nil {
-			http.NotFound(writer, request)
-
-			return
-		}
-
-		events, eventsErr := application.GetWebhookEvents(
-			request.Context(),
-			webhookEventsLimit,
-		)
-		if eventsErr != nil {
-			h.log.Error("failed to get webhook events",
-				"error", eventsErr,
-				"app", appID,
-			)
-
-			events = []*models.WebhookEvent{}
-		}
-
-		data := h.addGlobals(map[string]any{
-			"App":    application,
-			"Events": events,
-		}, request)
-
-		h.renderTemplate(writer, tmpl, "webhook_events.html", data)
-	}
-}

internal/healthcheck/healthcheck.go

@@ -8,10 +8,10 @@ import (
 
 	"go.uber.org/fx"
 
-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/logger"
 )
 
 // Params contains dependencies for Healthcheck.

internal/logger/logger.go

@@ -7,7 +7,7 @@ import (
 
 	"go.uber.org/fx"
 
-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
 )
 
 // Params contains dependencies for Logger.

internal/middleware/cors_test.go

@@ -8,7 +8,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
 )
 
 //nolint:gosec // test credentials

internal/middleware/middleware.go

@@ -18,10 +18,10 @@ import (
 	"go.uber.org/fx"
 	"golang.org/x/time/rate"
 
-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/service/auth"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/service/auth"
 )
 
 // corsMaxAge is the maximum age for CORS preflight responses in seconds.

internal/middleware/ratelimit_test.go

@@ -9,7 +9,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
 )
 
 func newTestMiddleware(t *testing.T) *Middleware {

internal/models/app.go

@@ -7,7 +7,7 @@ import (
 	"fmt"
 	"time"
 
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 
 // appColumns is the standard column list for app queries.

internal/models/deployment.go

@@ -8,7 +8,7 @@ import (
 	"strings"
 	"time"
 
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 
 // DeploymentStatus represents the status of a deployment.

internal/models/env_var.go

@@ -1,3 +1,4 @@
+//nolint:dupl // Active Record pattern - similar structure to label.go is intentional
 package models
 
 import (
@@ -6,7 +7,7 @@ import (
 	"errors"
 	"fmt"
 
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 
 // EnvVar represents an environment variable for an app.
@@ -128,48 +129,13 @@ func FindEnvVarsByAppID(
 	return envVars, rows.Err()
 }
 
-// EnvVarPair is a key-value pair for bulk env var operations.
-type EnvVarPair struct {
-	Key   string
-	Value string
-}
-
-// ReplaceEnvVarsByAppID atomically replaces all env vars for an app
-// within a single database transaction. It deletes all existing env
-// vars and inserts the provided pairs. If any operation fails, the
-// entire transaction is rolled back.
-func ReplaceEnvVarsByAppID(
+// DeleteEnvVarsByAppID deletes all env vars for an app.
+func DeleteEnvVarsByAppID(
 	ctx context.Context,
 	db *database.Database,
 	appID string,
-	pairs []EnvVarPair,
 ) error {
-	tx, err := db.BeginTx(ctx, nil)
-	if err != nil {
-		return fmt.Errorf("beginning transaction: %w", err)
-	}
+	_, err := db.Exec(ctx, "DELETE FROM app_env_vars WHERE app_id = ?", appID)
 
-	defer func() { _ = tx.Rollback() }()
-
-	_, err = tx.ExecContext(ctx, "DELETE FROM app_env_vars WHERE app_id = ?", appID)
-	if err != nil {
-		return fmt.Errorf("deleting env vars: %w", err)
-	}
-
-	for _, p := range pairs {
-		_, err = tx.ExecContext(ctx,
-			"INSERT INTO app_env_vars (app_id, key, value) VALUES (?, ?, ?)",
-			appID, p.Key, p.Value,
-		)
-		if err != nil {
-			return fmt.Errorf("inserting env var %q: %w", p.Key, err)
-		}
-	}
-
-	err = tx.Commit()
-	if err != nil {
-		return fmt.Errorf("committing transaction: %w", err)
-	}
-
-	return nil
+	return err
 }

internal/models/label.go

@@ -1,3 +1,4 @@
+//nolint:dupl // Active Record pattern - similar structure to env_var.go is intentional
 package models
 
 import (
@@ -6,7 +7,7 @@ import (
 	"errors"
 	"fmt"
 
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 
 // Label represents a Docker label for an app container.

internal/models/models_test.go

@@ -10,11 +10,11 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"
 
-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/models"
 )
 
 // Test constants to satisfy goconst linter.

internal/models/port.go

@@ -6,7 +6,7 @@ import (
 	"errors"
 	"fmt"
 
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 
 // PortProtocol represents the protocol for a port mapping.

internal/models/user.go

@@ -8,7 +8,7 @@ import (
 	"fmt"
 	"time"
 
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 
 // User represents a user in the system.

internal/models/volume.go

@@ -6,7 +6,7 @@ import (
 	"errors"
 	"fmt"
 
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 
 // Volume represents a volume mount for an app container.

internal/models/webhook_event.go

@@ -7,7 +7,7 @@ import (
 	"fmt"
 	"time"
 
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 
 // WebhookEvent represents a received webhook event.
@@ -52,20 +52,6 @@ func (w *WebhookEvent) Reload(ctx context.Context) error {
 	return w.scan(row)
 }
 
-// ShortCommit returns a truncated commit SHA for display.
-func (w *WebhookEvent) ShortCommit() string {
-	if !w.CommitSHA.Valid {
-		return ""
-	}
-
-	sha := w.CommitSHA.String
-	if len(sha) > shortCommitLength {
-		return sha[:shortCommitLength]
-	}
-
-	return sha
-}
-
 func (w *WebhookEvent) insert(ctx context.Context) error {
 	query := `
 		INSERT INTO webhook_events (

internal/server/routes.go

@@ -8,7 +8,7 @@ import (
 	chimw "github.com/go-chi/chi/v5/middleware"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 
-	"sneak.berlin/go/upaas/static"
+	"git.eeqj.de/sneak/upaas/static"
 )
 
 // requestTimeout is the maximum duration for handling a request.
@@ -70,7 +70,6 @@ func (s *Server) SetupRoutes() {
 			r.Post("/apps/{id}/deploy", s.handlers.HandleAppDeploy())
 			r.Post("/apps/{id}/deployments/cancel", s.handlers.HandleCancelDeploy())
 			r.Get("/apps/{id}/deployments", s.handlers.HandleAppDeployments())
-			r.Get("/apps/{id}/webhooks", s.handlers.HandleAppWebhookEvents())
 			r.Get("/apps/{id}/deployments/{deploymentID}/logs", s.handlers.HandleDeploymentLogsAPI())
 			r.Get("/apps/{id}/deployments/{deploymentID}/download", s.handlers.HandleDeploymentLogDownload())
 			r.Get("/apps/{id}/logs", s.handlers.HandleAppLogs())
@@ -82,8 +81,10 @@ func (s *Server) SetupRoutes() {
 			r.Post("/apps/{id}/stop", s.handlers.HandleAppStop())
 			r.Post("/apps/{id}/start", s.handlers.HandleAppStart())
 
-			// Environment variables (monolithic bulk save)
-			r.Post("/apps/{id}/env", s.handlers.HandleEnvVarSave())
+			// Environment variables
+			r.Post("/apps/{id}/env-vars", s.handlers.HandleEnvVarAdd())
+			r.Post("/apps/{id}/env-vars/{varID}/edit", s.handlers.HandleEnvVarEdit())
+			r.Post("/apps/{id}/env-vars/{varID}/delete", s.handlers.HandleEnvVarDelete())
 
 			// Labels
 			r.Post("/apps/{id}/labels", s.handlers.HandleLabelAdd())

internal/server/server.go

@@ -12,11 +12,11 @@ import (
 	"github.com/go-chi/chi/v5"
 	"go.uber.org/fx"
 
-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/handlers"
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/middleware"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/handlers"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/middleware"
 )
 
 // Params contains dependencies for Server.

internal/service/app/app.go

@@ -14,10 +14,10 @@ import (
 
 	"go.uber.org/fx"
 
-	"sneak.berlin/go/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/ssh"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/ssh"
 )
 
 // ServiceParams contains dependencies for Service.

internal/service/app/app_test.go

@@ -8,12 +8,12 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"
 
-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/service/app"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/service/app"
 )
 
 func setupTestService(t *testing.T) (*app.Service, func()) {

internal/service/auth/auth.go

@@ -15,10 +15,10 @@ import (
 	"go.uber.org/fx"
 	"golang.org/x/crypto/argon2"
 
-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/models"
 )
 
 const (

internal/service/auth/auth_test.go

@@ -12,11 +12,11 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"
 
-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/service/auth"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/service/auth"
 )
 
 func setupTestService(t *testing.T) (*auth.Service, func()) {

internal/service/deploy/deploy.go

@@ -17,12 +17,12 @@ import (
 
 	"go.uber.org/fx"
 
-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/docker"
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/service/notify"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/service/notify"
 )
 
 // Time constants.

internal/service/deploy/deploy_cancel_test.go

@@ -9,7 +9,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 
-	"sneak.berlin/go/upaas/internal/service/deploy"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
 )
 
 func TestCancelActiveDeploy_NoExisting(t *testing.T) {

internal/service/deploy/deploy_cleanup_test.go

@@ -10,8 +10,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/service/deploy"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
 )
 
 func TestCleanupCancelledDeploy_RemovesBuildDir(t *testing.T) {

internal/service/deploy/deploy_container_test.go

@@ -6,10 +6,10 @@ import (
 	"os"
 	"testing"
 
-	"sneak.berlin/go/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/docker"
-	"sneak.berlin/go/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/service/deploy"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
 )
 
 func TestBuildContainerOptionsUsesImageID(t *testing.T) {

internal/service/deploy/export_test.go

@@ -8,9 +8,9 @@ import (
 	"path/filepath"
 	"strings"
 
-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/docker"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/models"
 )
 
 // NewTestService creates a Service with minimal dependencies for testing.

internal/service/notify/notify.go

@@ -15,8 +15,8 @@ import (
 
 	"go.uber.org/fx"
 
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/models"
 )
 
 // HTTP client timeout.

internal/service/webhook/payloads.go

@@ -1,248 +0,0 @@
-package webhook
-
-import "encoding/json"
-
-// GiteaPushPayload represents a Gitea push webhook payload.
-//
-//nolint:tagliatelle // Field names match Gitea API (snake_case)
-type GiteaPushPayload struct {
-	Ref        string      `json:"ref"`
-	Before     string      `json:"before"`
-	After      string      `json:"after"`
-	CompareURL UnparsedURL `json:"compare_url"`
-	Repository struct {
-		FullName string      `json:"full_name"`
-		CloneURL UnparsedURL `json:"clone_url"`
-		SSHURL   string      `json:"ssh_url"`
-		HTMLURL  UnparsedURL `json:"html_url"`
-	} `json:"repository"`
-	Pusher struct {
-		Username string `json:"username"`
-		Email    string `json:"email"`
-	} `json:"pusher"`
-	Commits []struct {
-		ID      string      `json:"id"`
-		URL     UnparsedURL `json:"url"`
-		Message string      `json:"message"`
-		Author  struct {
-			Name  string `json:"name"`
-			Email string `json:"email"`
-		} `json:"author"`
-	} `json:"commits"`
-}
-
-// GitHubPushPayload represents a GitHub push webhook payload.
-//
-//nolint:tagliatelle // Field names match GitHub API (snake_case)
-type GitHubPushPayload struct {
-	Ref        string `json:"ref"`
-	Before     string `json:"before"`
-	After      string `json:"after"`
-	CompareURL string `json:"compare"`
-	Repository struct {
-		FullName string      `json:"full_name"`
-		CloneURL UnparsedURL `json:"clone_url"`
-		SSHURL   string      `json:"ssh_url"`
-		HTMLURL  UnparsedURL `json:"html_url"`
-	} `json:"repository"`
-	Pusher struct {
-		Name  string `json:"name"`
-		Email string `json:"email"`
-	} `json:"pusher"`
-	HeadCommit *struct {
-		ID      string      `json:"id"`
-		URL     UnparsedURL `json:"url"`
-		Message string      `json:"message"`
-	} `json:"head_commit"`
-	Commits []struct {
-		ID      string      `json:"id"`
-		URL     UnparsedURL `json:"url"`
-		Message string      `json:"message"`
-		Author  struct {
-			Name  string `json:"name"`
-			Email string `json:"email"`
-		} `json:"author"`
-	} `json:"commits"`
-}
-
-// GitLabPushPayload represents a GitLab push webhook payload.
-//
-//nolint:tagliatelle // Field names match GitLab API (snake_case)
-type GitLabPushPayload struct {
-	Ref       string `json:"ref"`
-	Before    string `json:"before"`
-	After     string `json:"after"`
-	UserName  string `json:"user_name"`
-	UserEmail string `json:"user_email"`
-	Project   struct {
-		PathWithNamespace string      `json:"path_with_namespace"`
-		GitHTTPURL        UnparsedURL `json:"git_http_url"`
-		GitSSHURL         string      `json:"git_ssh_url"`
-		WebURL            UnparsedURL `json:"web_url"`
-	} `json:"project"`
-	Commits []struct {
-		ID      string      `json:"id"`
-		URL     UnparsedURL `json:"url"`
-		Message string      `json:"message"`
-		Author  struct {
-			Name  string `json:"name"`
-			Email string `json:"email"`
-		} `json:"author"`
-	} `json:"commits"`
-}
-
-// ParsePushPayload parses a raw webhook payload into a normalized PushEvent
-// based on the detected webhook source. Returns an error if JSON unmarshaling
-// fails. For SourceUnknown, falls back to Gitea format for backward
-// compatibility.
-func ParsePushPayload(source Source, payload []byte) (*PushEvent, error) {
-	switch source {
-	case SourceGitHub:
-		return parseGitHubPush(payload)
-	case SourceGitLab:
-		return parseGitLabPush(payload)
-	case SourceGitea, SourceUnknown:
-		// Gitea and unknown both use Gitea format for backward compatibility.
-		return parseGiteaPush(payload)
-	}
-
-	// Unreachable for known source values, but satisfies exhaustive checker.
-	return parseGiteaPush(payload)
-}
-
-func parseGiteaPush(payload []byte) (*PushEvent, error) {
-	var p GiteaPushPayload
-
-	unmarshalErr := json.Unmarshal(payload, &p)
-	if unmarshalErr != nil {
-		return nil, unmarshalErr
-	}
-
-	commitURL := extractGiteaCommitURL(p)
-
-	return &PushEvent{
-		Source:    SourceGitea,
-		Ref:       p.Ref,
-		Before:    p.Before,
-		After:     p.After,
-		Branch:    extractBranch(p.Ref),
-		RepoName:  p.Repository.FullName,
-		CloneURL:  p.Repository.CloneURL,
-		HTMLURL:   p.Repository.HTMLURL,
-		CommitURL: commitURL,
-		Pusher:    p.Pusher.Username,
-	}, nil
-}
-
-func parseGitHubPush(payload []byte) (*PushEvent, error) {
-	var p GitHubPushPayload
-
-	unmarshalErr := json.Unmarshal(payload, &p)
-	if unmarshalErr != nil {
-		return nil, unmarshalErr
-	}
-
-	commitURL := extractGitHubCommitURL(p)
-
-	return &PushEvent{
-		Source:    SourceGitHub,
-		Ref:       p.Ref,
-		Before:    p.Before,
-		After:     p.After,
-		Branch:    extractBranch(p.Ref),
-		RepoName:  p.Repository.FullName,
-		CloneURL:  p.Repository.CloneURL,
-		HTMLURL:   p.Repository.HTMLURL,
-		CommitURL: commitURL,
-		Pusher:    p.Pusher.Name,
-	}, nil
-}
-
-func parseGitLabPush(payload []byte) (*PushEvent, error) {
-	var p GitLabPushPayload
-
-	unmarshalErr := json.Unmarshal(payload, &p)
-	if unmarshalErr != nil {
-		return nil, unmarshalErr
-	}
-
-	commitURL := extractGitLabCommitURL(p)
-
-	return &PushEvent{
-		Source:    SourceGitLab,
-		Ref:       p.Ref,
-		Before:    p.Before,
-		After:     p.After,
-		Branch:    extractBranch(p.Ref),
-		RepoName:  p.Project.PathWithNamespace,
-		CloneURL:  p.Project.GitHTTPURL,
-		HTMLURL:   p.Project.WebURL,
-		CommitURL: commitURL,
-		Pusher:    p.UserName,
-	}, nil
-}
-
-// extractBranch extracts the branch name from a git ref.
-func extractBranch(ref string) string {
-	// refs/heads/main -> main
-	const prefix = "refs/heads/"
-
-	if len(ref) >= len(prefix) && ref[:len(prefix)] == prefix {
-		return ref[len(prefix):]
-	}
-
-	return ref
-}
-
-// extractGiteaCommitURL extracts the commit URL from a Gitea push payload.
-// Prefers the URL from the head commit, falls back to constructing from repo URL.
-func extractGiteaCommitURL(payload GiteaPushPayload) UnparsedURL {
-	for _, commit := range payload.Commits {
-		if commit.ID == payload.After && commit.URL != "" {
-			return commit.URL
-		}
-	}
-
-	if payload.Repository.HTMLURL != "" && payload.After != "" {
-		return UnparsedURL(payload.Repository.HTMLURL.String() + "/commit/" + payload.After)
-	}
-
-	return ""
-}
-
-// extractGitHubCommitURL extracts the commit URL from a GitHub push payload.
-// Prefers head_commit.url, then searches commits, then constructs from repo URL.
-func extractGitHubCommitURL(payload GitHubPushPayload) UnparsedURL {
-	if payload.HeadCommit != nil && payload.HeadCommit.URL != "" {
-		return payload.HeadCommit.URL
-	}
-
-	for _, commit := range payload.Commits {
-		if commit.ID == payload.After && commit.URL != "" {
-			return commit.URL
-		}
-	}
-
-	if payload.Repository.HTMLURL != "" && payload.After != "" {
-		return UnparsedURL(payload.Repository.HTMLURL.String() + "/commit/" + payload.After)
-	}
-
-	return ""
-}
-
-// extractGitLabCommitURL extracts the commit URL from a GitLab push payload.
-// Prefers commit URL from the commits list, falls back to constructing from
-// project web URL.
-func extractGitLabCommitURL(payload GitLabPushPayload) UnparsedURL {
-	for _, commit := range payload.Commits {
-		if commit.ID == payload.After && commit.URL != "" {
-			return commit.URL
-		}
-	}
-
-	if payload.Project.WebURL != "" && payload.After != "" {
-		return UnparsedURL(payload.Project.WebURL.String() + "/-/commit/" + payload.After)
-	}
-
-	return ""
-}

internal/service/webhook/types.go

@@ -1,7 +1,5 @@
 package webhook
 
-import "net/http"
-
 // UnparsedURL is a URL stored as a plain string without parsing.
 // Use this instead of string when the value is known to be a URL
 // but should not be parsed into a net/url.URL (e.g. webhook URLs,
@@ -10,84 +8,3 @@ type UnparsedURL string
 
 // String implements the fmt.Stringer interface.
 func (u UnparsedURL) String() string { return string(u) }
-
-// Source identifies which git hosting platform sent the webhook.
-type Source string
-
-const (
-	// SourceGitea indicates the webhook was sent by a Gitea instance.
-	SourceGitea Source = "gitea"
-
-	// SourceGitHub indicates the webhook was sent by GitHub.
-	SourceGitHub Source = "github"
-
-	// SourceGitLab indicates the webhook was sent by a GitLab instance.
-	SourceGitLab Source = "gitlab"
-
-	// SourceUnknown indicates the webhook source could not be determined.
-	SourceUnknown Source = "unknown"
-)
-
-// String implements the fmt.Stringer interface.
-func (s Source) String() string { return string(s) }
-
-// DetectWebhookSource determines the webhook source from HTTP headers.
-// It checks for platform-specific event headers in this order:
-// Gitea (X-Gitea-Event), GitHub (X-GitHub-Event), GitLab (X-Gitlab-Event).
-// Returns SourceUnknown if no recognized header is found.
-func DetectWebhookSource(headers http.Header) Source {
-	if headers.Get("X-Gitea-Event") != "" {
-		return SourceGitea
-	}
-
-	if headers.Get("X-Github-Event") != "" {
-		return SourceGitHub
-	}
-
-	if headers.Get("X-Gitlab-Event") != "" {
-		return SourceGitLab
-	}
-
-	return SourceUnknown
-}
-
-// DetectEventType extracts the event type string from HTTP headers
-// based on the detected webhook source. Returns "push" as a fallback
-// when no event header is found.
-func DetectEventType(headers http.Header, source Source) string {
-	switch source {
-	case SourceGitea:
-		if v := headers.Get("X-Gitea-Event"); v != "" {
-			return v
-		}
-	case SourceGitHub:
-		if v := headers.Get("X-Github-Event"); v != "" {
-			return v
-		}
-	case SourceGitLab:
-		if v := headers.Get("X-Gitlab-Event"); v != "" {
-			return v
-		}
-	case SourceUnknown:
-		// Fall through to default
-	}
-
-	return "push"
-}
-
-// PushEvent is a normalized representation of a push webhook payload
-// from any supported source (Gitea, GitHub, GitLab). The webhook
-// service converts source-specific payloads into this format before
-// processing.
-type PushEvent struct {
-	Source    Source
-	Ref       string
-	Before    string
-	After     string
-	Branch    string
-	RepoName  string
-	CloneURL  UnparsedURL
-	HTMLURL   UnparsedURL
-	CommitURL UnparsedURL
-	Pusher    string
-}

internal/service/webhook/webhook.go

@@ -4,16 +4,17 @@ package webhook
 import (
 	"context"
 	"database/sql"
+	"encoding/json"
 	"fmt"
 	"log/slog"
 
 	"go.uber.org/fx"
 
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/service/deploy"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
 )
 
 // ServiceParams contains dependencies for Service.
@@ -43,46 +44,68 @@ func New(_ fx.Lifecycle, params ServiceParams) (*Service, error) {
 	}, nil
 }
 
-// HandleWebhook processes a webhook request from any supported source
-// (Gitea, GitHub, or GitLab). The source parameter determines which
-// payload format to use for parsing.
+// GiteaPushPayload represents a Gitea push webhook payload.
+//
+//nolint:tagliatelle // Field names match Gitea API (snake_case)
+type GiteaPushPayload struct {
+	Ref        string      `json:"ref"`
+	Before     string      `json:"before"`
+	After      string      `json:"after"`
+	CompareURL UnparsedURL `json:"compare_url"`
+	Repository struct {
+		FullName string      `json:"full_name"`
+		CloneURL UnparsedURL `json:"clone_url"`
+		SSHURL   string      `json:"ssh_url"`
+		HTMLURL  UnparsedURL `json:"html_url"`
+	} `json:"repository"`
+	Pusher struct {
+		Username string `json:"username"`
+		Email    string `json:"email"`
+	} `json:"pusher"`
+	Commits []struct {
+		ID      string      `json:"id"`
+		URL     UnparsedURL `json:"url"`
+		Message string      `json:"message"`
+		Author  struct {
+			Name  string `json:"name"`
+			Email string `json:"email"`
+		} `json:"author"`
+	} `json:"commits"`
+}
+
+// HandleWebhook processes a webhook request.
 func (svc *Service) HandleWebhook(
 	ctx context.Context,
 	app *models.App,
-	source Source,
 	eventType string,
 	payload []byte,
 ) error {
-	svc.log.Info("processing webhook",
-		"app", app.Name,
-		"source", source.String(),
-		"event", eventType,
-	)
+	svc.log.Info("processing webhook", "app", app.Name, "event", eventType)
 
-	// Parse payload into normalized push event
-	pushEvent, parseErr := ParsePushPayload(source, payload)
-	if parseErr != nil {
-		svc.log.Warn("failed to parse webhook payload",
-			"error", parseErr,
-			"source", source.String(),
-		)
-		// Continue with empty push event to still log the webhook
-		pushEvent = &PushEvent{Source: source}
+	// Parse payload
+	var pushPayload GiteaPushPayload
+
+	unmarshalErr := json.Unmarshal(payload, &pushPayload)
+	if unmarshalErr != nil {
+		svc.log.Warn("failed to parse webhook payload", "error", unmarshalErr)
+		// Continue anyway to log the event
 	}
 
+	// Extract branch from ref
+	branch := extractBranch(pushPayload.Ref)
+	commitSHA := pushPayload.After
+	commitURL := extractCommitURL(pushPayload)
+
 	// Check if branch matches
-	matched := pushEvent.Branch == app.Branch
+	matched := branch == app.Branch
 
 	// Create webhook event record
 	event := models.NewWebhookEvent(svc.db)
 	event.AppID = app.ID
 	event.EventType = eventType
-	event.Branch = pushEvent.Branch
-	event.CommitSHA = sql.NullString{String: pushEvent.After, Valid: pushEvent.After != ""}
-	event.CommitURL = sql.NullString{
-		String: pushEvent.CommitURL.String(),
-		Valid:  pushEvent.CommitURL != "",
-	}
+	event.Branch = branch
+	event.CommitSHA = sql.NullString{String: commitSHA, Valid: commitSHA != ""}
+	event.CommitURL = sql.NullString{String: commitURL.String(), Valid: commitURL != ""}
 	event.Payload = sql.NullString{String: string(payload), Valid: true}
 	event.Matched = matched
 	event.Processed = false
@@ -94,10 +117,9 @@ func (svc *Service) HandleWebhook(
 
 	svc.log.Info("webhook event recorded",
 		"app", app.Name,
-		"source", source.String(),
-		"branch", pushEvent.Branch,
+		"branch", branch,
 		"matched", matched,
-		"commit", pushEvent.After,
+		"commit", commitSHA,
 	)
 
 	// If branch matches, trigger deployment
@@ -132,3 +154,33 @@ func (svc *Service) triggerDeployment(
 		_ = event.Save(deployCtx)
 	}()
 }
+
+// extractBranch extracts the branch name from a git ref.
+func extractBranch(ref string) string {
+	// refs/heads/main -> main
+	const prefix = "refs/heads/"
+
+	if len(ref) >= len(prefix) && ref[:len(prefix)] == prefix {
+		return ref[len(prefix):]
+	}
+
+	return ref
+}
+
+// extractCommitURL extracts the commit URL from the webhook payload.
+// Prefers the URL from the head commit, falls back to constructing from repo URL.
+func extractCommitURL(payload GiteaPushPayload) UnparsedURL {
+	// Try to find the URL from the head commit (matching After SHA)
+	for _, commit := range payload.Commits {
+		if commit.ID == payload.After && commit.URL != "" {
+			return commit.URL
+		}
+	}
+
+	// Fall back to constructing URL from repo HTML URL
+	if payload.Repository.HTMLURL != "" && payload.After != "" {
+		return UnparsedURL(payload.Repository.HTMLURL.String() + "/commit/" + payload.After)
+	}
+
+	return ""
+}

internal/service/webhook/webhook_test.go

@@ -3,7 +3,6 @@ package webhook_test
 import (
 	"context"
 	"encoding/json"
-	"net/http"
 	"os"
 	"path/filepath"
 	"testing"
@@ -13,15 +12,15 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"
 
-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/docker"
-	"sneak.berlin/go/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/service/deploy"
-	"sneak.berlin/go/upaas/internal/service/notify"
-	"sneak.berlin/go/upaas/internal/service/webhook"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
+	"git.eeqj.de/sneak/upaas/internal/service/notify"
+	"git.eeqj.de/sneak/upaas/internal/service/webhook"
 )
 
 type testDeps struct {
@@ -103,114 +102,44 @@ func createTestApp(
 	return app
 }
 
-// TestDetectWebhookSource tests auto-detection of webhook source from HTTP headers.
-//
 //nolint:funlen // table-driven test with comprehensive test cases
-func TestDetectWebhookSource(testingT *testing.T) {
+func TestExtractBranch(testingT *testing.T) {
 	testingT.Parallel()
 
 	tests := []struct {
 		name     string
-		headers  map[string]string
-		expected webhook.Source
-	}{
-		{
-			name:     "detects Gitea from X-Gitea-Event header",
-			headers:  map[string]string{"X-Gitea-Event": "push"},
-			expected: webhook.SourceGitea,
-		},
-		{
-			name:     "detects GitHub from X-GitHub-Event header",
-			headers:  map[string]string{"X-GitHub-Event": "push"},
-			expected: webhook.SourceGitHub,
-		},
-		{
-			name:     "detects GitLab from X-Gitlab-Event header",
-			headers:  map[string]string{"X-Gitlab-Event": "Push Hook"},
-			expected: webhook.SourceGitLab,
-		},
-		{
-			name:     "returns unknown when no recognized header",
-			headers:  map[string]string{"Content-Type": "application/json"},
-			expected: webhook.SourceUnknown,
-		},
-		{
-			name:     "returns unknown for empty headers",
-			headers:  map[string]string{},
-			expected: webhook.SourceUnknown,
-		},
-		{
-			name: "Gitea takes precedence over GitHub",
-			headers: map[string]string{
-				"X-Gitea-Event":  "push",
-				"X-GitHub-Event": "push",
-			},
-			expected: webhook.SourceGitea,
-		},
-		{
-			name: "GitHub takes precedence over GitLab",
-			headers: map[string]string{
-				"X-GitHub-Event": "push",
-				"X-Gitlab-Event": "Push Hook",
-			},
-			expected: webhook.SourceGitHub,
-		},
-	}
-
-	for _, testCase := range tests {
-		testingT.Run(testCase.name, func(t *testing.T) {
-			t.Parallel()
-
-			headers := http.Header{}
-			for key, value := range testCase.headers {
-				headers.Set(key, value)
-			}
-
-			result := webhook.DetectWebhookSource(headers)
-			assert.Equal(t, testCase.expected, result)
-		})
-	}
-}
-
-// TestDetectEventType tests event type extraction from HTTP headers.
-func TestDetectEventType(testingT *testing.T) {
-	testingT.Parallel()
-
-	tests := []struct {
-		name     string
-		headers  map[string]string
-		source   webhook.Source
+		ref      string
 		expected string
 	}{
 		{
-			name:     "extracts Gitea event type",
-			headers:  map[string]string{"X-Gitea-Event": "push"},
-			source:   webhook.SourceGitea,
-			expected: "push",
+			name:     "extracts main branch",
+			ref:      "refs/heads/main",
+			expected: "main",
 		},
 		{
-			name:     "extracts GitHub event type",
-			headers:  map[string]string{"X-GitHub-Event": "push"},
-			source:   webhook.SourceGitHub,
-			expected: "push",
+			name:     "extracts feature branch",
+			ref:      "refs/heads/feature/new-feature",
+			expected: "feature/new-feature",
 		},
 		{
-			name:     "extracts GitLab event type",
-			headers:  map[string]string{"X-Gitlab-Event": "Push Hook"},
-			source:   webhook.SourceGitLab,
-			expected: "Push Hook",
+			name:     "extracts develop branch",
+			ref:      "refs/heads/develop",
+			expected: "develop",
 		},
 		{
-			name:     "returns push for unknown source",
-			headers:  map[string]string{},
-			source:   webhook.SourceUnknown,
-			expected: "push",
+			name:     "returns raw ref if no prefix",
+			ref:      "main",
+			expected: "main",
 		},
 		{
-			name:     "returns push when header missing for source",
-			headers:  map[string]string{},
-			source:   webhook.SourceGitea,
-			expected: "push",
+			name:     "handles empty ref",
+			ref:      "",
+			expected: "",
+		},
+		{
+			name:     "handles partial prefix",
+			ref:      "refs/heads/",
+			expected: "",
 		},
 	}
 
@@ -218,318 +147,123 @@ func TestDetectEventType(testingT *testing.T) {
 		testingT.Run(testCase.name, func(t *testing.T) {
 			t.Parallel()
 
-			headers := http.Header{}
-			for key, value := range testCase.headers {
-				headers.Set(key, value)
-			}
+			// We test via HandleWebhook since extractBranch is not exported.
+			// The test verifies behavior indirectly through the webhook event's branch.
+			svc, dbInst, cleanup := setupTestService(t)
+			defer cleanup()
 
-			result := webhook.DetectEventType(headers, testCase.source)
-			assert.Equal(t, testCase.expected, result)
-		})
-	}
-}
+			app := createTestApp(t, dbInst, testCase.expected)
 
-// TestWebhookSourceString tests the String method on WebhookSource.
-func TestWebhookSourceString(t *testing.T) {
-	t.Parallel()
+			payload := []byte(`{"ref": "` + testCase.ref + `"}`)
 
-	assert.Equal(t, "gitea", webhook.SourceGitea.String())
-	assert.Equal(t, "github", webhook.SourceGitHub.String())
-	assert.Equal(t, "gitlab", webhook.SourceGitLab.String())
-	assert.Equal(t, "unknown", webhook.SourceUnknown.String())
-}
-
-// TestUnparsedURLString tests the String method on UnparsedURL.
-func TestUnparsedURLString(t *testing.T) {
-	t.Parallel()
-
-	u := webhook.UnparsedURL("https://example.com/test")
-	assert.Equal(t, "https://example.com/test", u.String())
-
-	empty := webhook.UnparsedURL("")
-	assert.Empty(t, empty.String())
-}
-
-// TestParsePushPayloadGitea tests parsing of Gitea push payloads.
-func TestParsePushPayloadGitea(t *testing.T) {
-	t.Parallel()
-
-	payload := []byte(`{
-		"ref": "refs/heads/main",
-		"before": "0000000000000000000000000000000000000000",
-		"after": "abc123def456789",
-		"compare_url": "https://gitea.example.com/myorg/myrepo/compare/000...abc",
-		"repository": {
-			"full_name": "myorg/myrepo",
-			"clone_url": "https://gitea.example.com/myorg/myrepo.git",
-			"ssh_url": "git@gitea.example.com:myorg/myrepo.git",
-			"html_url": "https://gitea.example.com/myorg/myrepo"
-		},
-		"pusher": {"username": "developer", "email": "dev@example.com"},
-		"commits": [
-			{
-				"id": "abc123def456789",
-				"url": "https://gitea.example.com/myorg/myrepo/commit/abc123def456789",
-				"message": "Fix bug",
-				"author": {"name": "Developer", "email": "dev@example.com"}
-			}
-		]
-	}`)
-
-	event, err := webhook.ParsePushPayload(webhook.SourceGitea, payload)
-	require.NoError(t, err)
-
-	assert.Equal(t, webhook.SourceGitea, event.Source)
-	assert.Equal(t, "refs/heads/main", event.Ref)
-	assert.Equal(t, "main", event.Branch)
-	assert.Equal(t, "abc123def456789", event.After)
-	assert.Equal(t, "myorg/myrepo", event.RepoName)
-	assert.Equal(t, webhook.UnparsedURL("https://gitea.example.com/myorg/myrepo.git"), event.CloneURL)
-	assert.Equal(t, webhook.UnparsedURL("https://gitea.example.com/myorg/myrepo"), event.HTMLURL)
-	assert.Equal(t,
-		webhook.UnparsedURL("https://gitea.example.com/myorg/myrepo/commit/abc123def456789"),
-		event.CommitURL,
-	)
-	assert.Equal(t, "developer", event.Pusher)
-}
-
-// TestParsePushPayloadGitHub tests parsing of GitHub push payloads.
-func TestParsePushPayloadGitHub(t *testing.T) {
-	t.Parallel()
-
-	payload := []byte(`{
-		"ref": "refs/heads/main",
-		"before": "0000000000000000000000000000000000000000",
-		"after": "abc123def456789",
-		"compare": "https://github.com/myorg/myrepo/compare/000...abc",
-		"repository": {
-			"full_name": "myorg/myrepo",
-			"clone_url": "https://github.com/myorg/myrepo.git",
-			"ssh_url": "git@github.com:myorg/myrepo.git",
-			"html_url": "https://github.com/myorg/myrepo"
-		},
-		"pusher": {"name": "developer", "email": "dev@example.com"},
-		"head_commit": {
-			"id": "abc123def456789",
-			"url": "https://github.com/myorg/myrepo/commit/abc123def456789",
-			"message": "Fix bug"
-		},
-		"commits": [
-			{
-				"id": "abc123def456789",
-				"url": "https://github.com/myorg/myrepo/commit/abc123def456789",
-				"message": "Fix bug",
-				"author": {"name": "Developer", "email": "dev@example.com"}
-			}
-		]
-	}`)
-
-	event, err := webhook.ParsePushPayload(webhook.SourceGitHub, payload)
-	require.NoError(t, err)
-
-	assert.Equal(t, webhook.SourceGitHub, event.Source)
-	assert.Equal(t, "refs/heads/main", event.Ref)
-	assert.Equal(t, "main", event.Branch)
-	assert.Equal(t, "abc123def456789", event.After)
-	assert.Equal(t, "myorg/myrepo", event.RepoName)
-	assert.Equal(t, webhook.UnparsedURL("https://github.com/myorg/myrepo.git"), event.CloneURL)
-	assert.Equal(t, webhook.UnparsedURL("https://github.com/myorg/myrepo"), event.HTMLURL)
-	assert.Equal(t,
-		webhook.UnparsedURL("https://github.com/myorg/myrepo/commit/abc123def456789"),
-		event.CommitURL,
-	)
-	assert.Equal(t, "developer", event.Pusher)
-}
-
-// TestParsePushPayloadGitLab tests parsing of GitLab push payloads.
-func TestParsePushPayloadGitLab(t *testing.T) {
-	t.Parallel()
-
-	payload := []byte(`{
-		"ref": "refs/heads/develop",
-		"before": "0000000000000000000000000000000000000000",
-		"after": "abc123def456789",
-		"user_name": "developer",
-		"user_email": "dev@example.com",
-		"project": {
-			"path_with_namespace": "mygroup/myproject",
-			"git_http_url": "https://gitlab.com/mygroup/myproject.git",
-			"git_ssh_url": "git@gitlab.com:mygroup/myproject.git",
-			"web_url": "https://gitlab.com/mygroup/myproject"
-		},
-		"commits": [
-			{
-				"id": "abc123def456789",
-				"url": "https://gitlab.com/mygroup/myproject/-/commit/abc123def456789",
-				"message": "Fix bug",
-				"author": {"name": "Developer", "email": "dev@example.com"}
-			}
-		]
-	}`)
-
-	event, err := webhook.ParsePushPayload(webhook.SourceGitLab, payload)
-	require.NoError(t, err)
-
-	assert.Equal(t, webhook.SourceGitLab, event.Source)
-	assert.Equal(t, "refs/heads/develop", event.Ref)
-	assert.Equal(t, "develop", event.Branch)
-	assert.Equal(t, "abc123def456789", event.After)
-	assert.Equal(t, "mygroup/myproject", event.RepoName)
-	assert.Equal(t, webhook.UnparsedURL("https://gitlab.com/mygroup/myproject.git"), event.CloneURL)
-	assert.Equal(t, webhook.UnparsedURL("https://gitlab.com/mygroup/myproject"), event.HTMLURL)
-	assert.Equal(t,
-		webhook.UnparsedURL("https://gitlab.com/mygroup/myproject/-/commit/abc123def456789"),
-		event.CommitURL,
-	)
-	assert.Equal(t, "developer", event.Pusher)
-}
-
-// TestParsePushPayloadUnknownFallsBackToGitea tests that unknown source uses Gitea parser.
-func TestParsePushPayloadUnknownFallsBackToGitea(t *testing.T) {
-	t.Parallel()
-
-	payload := []byte(`{
-		"ref": "refs/heads/main",
-		"after": "abc123",
-		"repository": {"full_name": "user/repo"},
-		"pusher": {"username": "user"}
-	}`)
-
-	event, err := webhook.ParsePushPayload(webhook.SourceUnknown, payload)
-	require.NoError(t, err)
-
-	assert.Equal(t, webhook.SourceGitea, event.Source)
-	assert.Equal(t, "main", event.Branch)
-	assert.Equal(t, "abc123", event.After)
-}
-
-// TestParsePushPayloadInvalidJSON tests that invalid JSON returns an error.
-func TestParsePushPayloadInvalidJSON(t *testing.T) {
-	t.Parallel()
-
-	sources := []webhook.Source{
-		webhook.SourceGitea,
-		webhook.SourceGitHub,
-		webhook.SourceGitLab,
-	}
-
-	for _, source := range sources {
-		t.Run(source.String(), func(t *testing.T) {
-			t.Parallel()
-
-			_, err := webhook.ParsePushPayload(source, []byte(`{invalid json}`))
-			require.Error(t, err)
-		})
-	}
-}
-
-// TestParsePushPayloadEmptyPayload tests parsing of empty JSON objects.
-func TestParsePushPayloadEmptyPayload(t *testing.T) {
-	t.Parallel()
-
-	sources := []webhook.Source{
-		webhook.SourceGitea,
-		webhook.SourceGitHub,
-		webhook.SourceGitLab,
-	}
-
-	for _, source := range sources {
-		t.Run(source.String(), func(t *testing.T) {
-			t.Parallel()
-
-			event, err := webhook.ParsePushPayload(source, []byte(`{}`))
+			err := svc.HandleWebhook(context.Background(), app, "push", payload)
 			require.NoError(t, err)
 
-			assert.Empty(t, event.Branch)
-			assert.Empty(t, event.After)
+			// Allow async deployment goroutine to complete before test cleanup
+			time.Sleep(100 * time.Millisecond)
+
+			events, err := app.GetWebhookEvents(context.Background(), 10)
+			require.NoError(t, err)
+			require.Len(t, events, 1)
+
+			assert.Equal(t, testCase.expected, events[0].Branch)
 		})
 	}
 }
 
-// TestGitHubCommitURLFallback tests commit URL extraction fallback paths for GitHub.
-func TestGitHubCommitURLFallback(t *testing.T) {
+func TestHandleWebhookMatchingBranch(t *testing.T) {
 	t.Parallel()
 
-	t.Run("uses head_commit URL when available", func(t *testing.T) {
-		t.Parallel()
+	svc, dbInst, cleanup := setupTestService(t)
+	defer cleanup()
 
-		payload := []byte(`{
-			"ref": "refs/heads/main",
-			"after": "abc123",
-			"head_commit": {"id": "abc123", "url": "https://github.com/u/r/commit/abc123"},
-			"repository": {"html_url": "https://github.com/u/r"}
-		}`)
+	app := createTestApp(t, dbInst, "main")
 
-		event, err := webhook.ParsePushPayload(webhook.SourceGitHub, payload)
-		require.NoError(t, err)
-		assert.Equal(t, webhook.UnparsedURL("https://github.com/u/r/commit/abc123"), event.CommitURL)
-	})
+	payload := []byte(`{
+		"ref": "refs/heads/main",
+		"before": "0000000000000000000000000000000000000000",
+		"after": "abc123def456",
+		"repository": {
+			"full_name": "user/repo",
+			"clone_url": "https://gitea.example.com/user/repo.git",
+			"ssh_url": "git@gitea.example.com:user/repo.git"
+		},
+		"pusher": {"username": "testuser", "email": "test@example.com"},
+		"commits": [{"id": "abc123def456", "message": "Test commit",
+			"author": {"name": "Test User", "email": "test@example.com"}}]
+	}`)
 
-	t.Run("falls back to commits list", func(t *testing.T) {
-		t.Parallel()
+	err := svc.HandleWebhook(context.Background(), app, "push", payload)
+	require.NoError(t, err)
 
-		payload := []byte(`{
-			"ref": "refs/heads/main",
-			"after": "abc123",
-			"commits": [{"id": "abc123", "url": "https://github.com/u/r/commit/abc123"}],
-			"repository": {"html_url": "https://github.com/u/r"}
-		}`)
+	// Allow async deployment goroutine to complete before test cleanup
+	time.Sleep(100 * time.Millisecond)
 
-		event, err := webhook.ParsePushPayload(webhook.SourceGitHub, payload)
-		require.NoError(t, err)
-		assert.Equal(t, webhook.UnparsedURL("https://github.com/u/r/commit/abc123"), event.CommitURL)
-	})
+	events, err := app.GetWebhookEvents(context.Background(), 10)
+	require.NoError(t, err)
+	require.Len(t, events, 1)
 
-	t.Run("constructs URL from repo HTML URL", func(t *testing.T) {
-		t.Parallel()
-
-		payload := []byte(`{
-			"ref": "refs/heads/main",
-			"after": "abc123",
-			"repository": {"html_url": "https://github.com/u/r"}
-		}`)
-
-		event, err := webhook.ParsePushPayload(webhook.SourceGitHub, payload)
-		require.NoError(t, err)
-		assert.Equal(t, webhook.UnparsedURL("https://github.com/u/r/commit/abc123"), event.CommitURL)
-	})
+	event := events[0]
+	assert.Equal(t, "push", event.EventType)
+	assert.Equal(t, "main", event.Branch)
+	assert.True(t, event.Matched)
+	assert.Equal(t, "abc123def456", event.CommitSHA.String)
 }
 
-// TestGitLabCommitURLFallback tests commit URL extraction fallback paths for GitLab.
-func TestGitLabCommitURLFallback(t *testing.T) {
+func TestHandleWebhookNonMatchingBranch(t *testing.T) {
 	t.Parallel()
 
-	t.Run("uses commit URL from list", func(t *testing.T) {
-		t.Parallel()
+	svc, dbInst, cleanup := setupTestService(t)
+	defer cleanup()
 
-		payload := []byte(`{
-			"ref": "refs/heads/main",
-			"after": "abc123",
-			"project": {"web_url": "https://gitlab.com/g/p"},
-			"commits": [{"id": "abc123", "url": "https://gitlab.com/g/p/-/commit/abc123"}]
-		}`)
+	app := createTestApp(t, dbInst, "main")
 
-		event, err := webhook.ParsePushPayload(webhook.SourceGitLab, payload)
-		require.NoError(t, err)
-		assert.Equal(t, webhook.UnparsedURL("https://gitlab.com/g/p/-/commit/abc123"), event.CommitURL)
-	})
+	payload := []byte(`{"ref": "refs/heads/develop", "after": "def789ghi012"}`)
 
-	t.Run("constructs URL from project web URL", func(t *testing.T) {
-		t.Parallel()
+	err := svc.HandleWebhook(context.Background(), app, "push", payload)
+	require.NoError(t, err)
 
-		payload := []byte(`{
-			"ref": "refs/heads/main",
-			"after": "abc123",
-			"project": {"web_url": "https://gitlab.com/g/p"}
-		}`)
+	events, err := app.GetWebhookEvents(context.Background(), 10)
+	require.NoError(t, err)
+	require.Len(t, events, 1)
 
-		event, err := webhook.ParsePushPayload(webhook.SourceGitLab, payload)
-		require.NoError(t, err)
-		assert.Equal(t, webhook.UnparsedURL("https://gitlab.com/g/p/-/commit/abc123"), event.CommitURL)
-	})
+	assert.Equal(t, "develop", events[0].Branch)
+	assert.False(t, events[0].Matched)
+}
+
+func TestHandleWebhookInvalidJSON(t *testing.T) {
+	t.Parallel()
+
+	svc, dbInst, cleanup := setupTestService(t)
+	defer cleanup()
+
+	app := createTestApp(t, dbInst, "main")
+
+	err := svc.HandleWebhook(context.Background(), app, "push", []byte(`{invalid json}`))
+	require.NoError(t, err)
+
+	events, err := app.GetWebhookEvents(context.Background(), 10)
+	require.NoError(t, err)
+	require.Len(t, events, 1)
+}
+
+func TestHandleWebhookEmptyPayload(t *testing.T) {
+	t.Parallel()
+
+	svc, dbInst, cleanup := setupTestService(t)
+	defer cleanup()
+
+	app := createTestApp(t, dbInst, "main")
+
+	err := svc.HandleWebhook(context.Background(), app, "push", []byte(`{}`))
+	require.NoError(t, err)
+
+	events, err := app.GetWebhookEvents(context.Background(), 10)
+	require.NoError(t, err)
+	require.Len(t, events, 1)
+	assert.False(t, events[0].Matched)
 }
 
-// TestGiteaPushPayloadParsing tests direct deserialization of the Gitea payload struct.
 func TestGiteaPushPayloadParsing(testingT *testing.T) {
 	testingT.Parallel()
 
@@ -588,354 +322,6 @@ func TestGiteaPushPayloadParsing(testingT *testing.T) {
 	})
 }
 
-// TestGitHubPushPayloadParsing tests direct deserialization of the GitHub payload struct.
-func TestGitHubPushPayloadParsing(t *testing.T) {
-	t.Parallel()
-
-	payload := []byte(`{
-		"ref": "refs/heads/main",
-		"before": "0000000000",
-		"after": "abc123",
-		"compare": "https://github.com/o/r/compare/000...abc",
-		"repository": {
-			"full_name": "o/r",
-			"clone_url": "https://github.com/o/r.git",
-			"ssh_url": "git@github.com:o/r.git",
-			"html_url": "https://github.com/o/r"
-		},
-		"pusher": {"name": "octocat", "email": "octocat@github.com"},
-		"head_commit": {
-			"id": "abc123",
-			"url": "https://github.com/o/r/commit/abc123",
-			"message": "Update README"
-		},
-		"commits": [
-			{
-				"id": "abc123",
-				"url": "https://github.com/o/r/commit/abc123",
-				"message": "Update README",
-				"author": {"name": "Octocat", "email": "octocat@github.com"}
-			}
-		]
-	}`)
-
-	var p webhook.GitHubPushPayload
-
-	err := json.Unmarshal(payload, &p)
-	require.NoError(t, err)
-
-	assert.Equal(t, "refs/heads/main", p.Ref)
-	assert.Equal(t, "abc123", p.After)
-	assert.Equal(t, "o/r", p.Repository.FullName)
-	assert.Equal(t, "octocat", p.Pusher.Name)
-	assert.NotNil(t, p.HeadCommit)
-	assert.Equal(t, "abc123", p.HeadCommit.ID)
-	assert.Len(t, p.Commits, 1)
-}
-
-// TestGitLabPushPayloadParsing tests direct deserialization of the GitLab payload struct.
-func TestGitLabPushPayloadParsing(t *testing.T) {
-	t.Parallel()
-
-	payload := []byte(`{
-		"ref": "refs/heads/main",
-		"before": "0000000000",
-		"after": "abc123",
-		"user_name": "gitlab-user",
-		"user_email": "user@gitlab.com",
-		"project": {
-			"path_with_namespace": "group/project",
-			"git_http_url": "https://gitlab.com/group/project.git",
-			"git_ssh_url": "git@gitlab.com:group/project.git",
-			"web_url": "https://gitlab.com/group/project"
-		},
-		"commits": [
-			{
-				"id": "abc123",
-				"url": "https://gitlab.com/group/project/-/commit/abc123",
-				"message": "Fix pipeline",
-				"author": {"name": "GitLab User", "email": "user@gitlab.com"}
-			}
-		]
-	}`)
-
-	var p webhook.GitLabPushPayload
-
-	err := json.Unmarshal(payload, &p)
-	require.NoError(t, err)
-
-	assert.Equal(t, "refs/heads/main", p.Ref)
-	assert.Equal(t, "abc123", p.After)
-	assert.Equal(t, "group/project", p.Project.PathWithNamespace)
-	assert.Equal(t, "gitlab-user", p.UserName)
-	assert.Len(t, p.Commits, 1)
-}
-
-// TestExtractBranch tests branch extraction via HandleWebhook integration (extractBranch is unexported).
-//
-//nolint:funlen // table-driven test with comprehensive test cases
-func TestExtractBranch(testingT *testing.T) {
-	testingT.Parallel()
-
-	tests := []struct {
-		name     string
-		ref      string
-		expected string
-	}{
-		{
-			name:     "extracts main branch",
-			ref:      "refs/heads/main",
-			expected: "main",
-		},
-		{
-			name:     "extracts feature branch",
-			ref:      "refs/heads/feature/new-feature",
-			expected: "feature/new-feature",
-		},
-		{
-			name:     "extracts develop branch",
-			ref:      "refs/heads/develop",
-			expected: "develop",
-		},
-		{
-			name:     "returns raw ref if no prefix",
-			ref:      "main",
-			expected: "main",
-		},
-		{
-			name:     "handles empty ref",
-			ref:      "",
-			expected: "",
-		},
-		{
-			name:     "handles partial prefix",
-			ref:      "refs/heads/",
-			expected: "",
-		},
-	}
-
-	for _, testCase := range tests {
-		testingT.Run(testCase.name, func(t *testing.T) {
-			t.Parallel()
-
-			// We test via HandleWebhook since extractBranch is not exported.
-			// The test verifies behavior indirectly through the webhook event's branch.
-			svc, dbInst, cleanup := setupTestService(t)
-			defer cleanup()
-
-			app := createTestApp(t, dbInst, testCase.expected)
-
-			payload := []byte(`{"ref": "` + testCase.ref + `"}`)
-
-			err := svc.HandleWebhook(
-				context.Background(), app, webhook.SourceGitea, "push", payload,
-			)
-			require.NoError(t, err)
-
-			// Allow async deployment goroutine to complete before test cleanup
-			time.Sleep(100 * time.Millisecond)
-
-			events, err := app.GetWebhookEvents(context.Background(), 10)
-			require.NoError(t, err)
-			require.Len(t, events, 1)
-
-			assert.Equal(t, testCase.expected, events[0].Branch)
-		})
-	}
-}
-
-func TestHandleWebhookMatchingBranch(t *testing.T) {
-	t.Parallel()
-
-	svc, dbInst, cleanup := setupTestService(t)
-	defer cleanup()
-
-	app := createTestApp(t, dbInst, "main")
-
-	payload := []byte(`{
-		"ref": "refs/heads/main",
-		"before": "0000000000000000000000000000000000000000",
-		"after": "abc123def456",
-		"repository": {
-			"full_name": "user/repo",
-			"clone_url": "https://gitea.example.com/user/repo.git",
-			"ssh_url": "git@gitea.example.com:user/repo.git"
-		},
-		"pusher": {"username": "testuser", "email": "test@example.com"},
-		"commits": [{"id": "abc123def456", "message": "Test commit",
-			"author": {"name": "Test User", "email": "test@example.com"}}]
-	}`)
-
-	err := svc.HandleWebhook(
-		context.Background(), app, webhook.SourceGitea, "push", payload,
-	)
-	require.NoError(t, err)
-
-	// Allow async deployment goroutine to complete before test cleanup
-	time.Sleep(100 * time.Millisecond)
-
-	events, err := app.GetWebhookEvents(context.Background(), 10)
-	require.NoError(t, err)
-	require.Len(t, events, 1)
-
-	event := events[0]
-	assert.Equal(t, "push", event.EventType)
-	assert.Equal(t, "main", event.Branch)
-	assert.True(t, event.Matched)
-	assert.Equal(t, "abc123def456", event.CommitSHA.String)
-}
-
-func TestHandleWebhookNonMatchingBranch(t *testing.T) {
-	t.Parallel()
-
-	svc, dbInst, cleanup := setupTestService(t)
-	defer cleanup()
-
-	app := createTestApp(t, dbInst, "main")
-
-	payload := []byte(`{"ref": "refs/heads/develop", "after": "def789ghi012"}`)
-
-	err := svc.HandleWebhook(
-		context.Background(), app, webhook.SourceGitea, "push", payload,
-	)
-	require.NoError(t, err)
-
-	events, err := app.GetWebhookEvents(context.Background(), 10)
-	require.NoError(t, err)
-	require.Len(t, events, 1)
-
-	assert.Equal(t, "develop", events[0].Branch)
-	assert.False(t, events[0].Matched)
-}
-
-func TestHandleWebhookInvalidJSON(t *testing.T) {
-	t.Parallel()
-
-	svc, dbInst, cleanup := setupTestService(t)
-	defer cleanup()
-
-	app := createTestApp(t, dbInst, "main")
-
-	err := svc.HandleWebhook(
-		context.Background(), app, webhook.SourceGitea, "push", []byte(`{invalid json}`),
-	)
-	require.NoError(t, err)
-
-	events, err := app.GetWebhookEvents(context.Background(), 10)
-	require.NoError(t, err)
-	require.Len(t, events, 1)
-}
-
-func TestHandleWebhookEmptyPayload(t *testing.T) {
-	t.Parallel()
-
-	svc, dbInst, cleanup := setupTestService(t)
-	defer cleanup()
-
-	app := createTestApp(t, dbInst, "main")
-
-	err := svc.HandleWebhook(
-		context.Background(), app, webhook.SourceGitea, "push", []byte(`{}`),
-	)
-	require.NoError(t, err)
-
-	events, err := app.GetWebhookEvents(context.Background(), 10)
-	require.NoError(t, err)
-	require.Len(t, events, 1)
-	assert.False(t, events[0].Matched)
-}
-
-// TestHandleWebhookGitHubSource tests HandleWebhook with a GitHub push payload.
-func TestHandleWebhookGitHubSource(t *testing.T) {
-	t.Parallel()
-
-	svc, dbInst, cleanup := setupTestService(t)
-	defer cleanup()
-
-	app := createTestApp(t, dbInst, "main")
-
-	payload := []byte(`{
-		"ref": "refs/heads/main",
-		"after": "github123",
-		"repository": {
-			"full_name": "org/repo",
-			"clone_url": "https://github.com/org/repo.git",
-			"html_url": "https://github.com/org/repo"
-		},
-		"pusher": {"name": "octocat", "email": "octocat@github.com"},
-		"head_commit": {
-			"id": "github123",
-			"url": "https://github.com/org/repo/commit/github123",
-			"message": "Update feature"
-		}
-	}`)
-
-	err := svc.HandleWebhook(
-		context.Background(), app, webhook.SourceGitHub, "push", payload,
-	)
-	require.NoError(t, err)
-
-	// Allow async deployment goroutine to complete before test cleanup
-	time.Sleep(100 * time.Millisecond)
-
-	events, err := app.GetWebhookEvents(context.Background(), 10)
-	require.NoError(t, err)
-	require.Len(t, events, 1)
-
-	event := events[0]
-	assert.Equal(t, "main", event.Branch)
-	assert.True(t, event.Matched)
-	assert.Equal(t, "github123", event.CommitSHA.String)
-	assert.Equal(t, "https://github.com/org/repo/commit/github123", event.CommitURL.String)
-}
-
-// TestHandleWebhookGitLabSource tests HandleWebhook with a GitLab push payload.
-func TestHandleWebhookGitLabSource(t *testing.T) {
-	t.Parallel()
-
-	svc, dbInst, cleanup := setupTestService(t)
-	defer cleanup()
-
-	app := createTestApp(t, dbInst, "main")
-
-	payload := []byte(`{
-		"ref": "refs/heads/main",
-		"after": "gitlab456",
-		"user_name": "gitlab-dev",
-		"user_email": "dev@gitlab.com",
-		"project": {
-			"path_with_namespace": "group/project",
-			"git_http_url": "https://gitlab.com/group/project.git",
-			"web_url": "https://gitlab.com/group/project"
-		},
-		"commits": [
-			{
-				"id": "gitlab456",
-				"url": "https://gitlab.com/group/project/-/commit/gitlab456",
-				"message": "Deploy fix"
-			}
-		]
-	}`)
-
-	err := svc.HandleWebhook(
-		context.Background(), app, webhook.SourceGitLab, "push", payload,
-	)
-	require.NoError(t, err)
-
-	// Allow async deployment goroutine to complete before test cleanup
-	time.Sleep(100 * time.Millisecond)
-
-	events, err := app.GetWebhookEvents(context.Background(), 10)
-	require.NoError(t, err)
-	require.Len(t, events, 1)
-
-	event := events[0]
-	assert.Equal(t, "main", event.Branch)
-	assert.True(t, event.Matched)
-	assert.Equal(t, "gitlab456", event.CommitSHA.String)
-	assert.Equal(t, "https://gitlab.com/group/project/-/commit/gitlab456", event.CommitURL.String)
-}
-
 // TestSetupTestService verifies the test helper creates a working test service.
 func TestSetupTestService(testingT *testing.T) {
 	testingT.Parallel()
@@ -955,25 +341,3 @@ func TestSetupTestService(testingT *testing.T) {
 		require.NoError(t, err)
 	})
 }
-
-// TestPushEventConstruction tests that PushEvent can be constructed directly.
-func TestPushEventConstruction(t *testing.T) {
-	t.Parallel()
-
-	event := webhook.PushEvent{
-		Source:    webhook.SourceGitHub,
-		Ref:       "refs/heads/main",
-		Before:    "000",
-		After:     "abc",
-		Branch:    "main",
-		RepoName:  "org/repo",
-		CloneURL:  webhook.UnparsedURL("https://github.com/org/repo.git"),
-		HTMLURL:   webhook.UnparsedURL("https://github.com/org/repo"),
-		CommitURL: webhook.UnparsedURL("https://github.com/org/repo/commit/abc"),
-		Pusher:    "user",
-	}
-
-	assert.Equal(t, "main", event.Branch)
-	assert.Equal(t, webhook.SourceGitHub, event.Source)
-	assert.Equal(t, "abc", event.After)
-}

internal/ssh/keygen_test.go

@@ -4,9 +4,9 @@ import (
 	"strings"
 	"testing"
 
+	"git.eeqj.de/sneak/upaas/internal/ssh"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"sneak.berlin/go/upaas/internal/ssh"
 )
 
 func TestGenerateKeyPair(t *testing.T) {

static/js/app-detail.js

@@ -1,317 +0,0 @@
-/**
- * upaas - App Detail Page Component
- *
- * Handles the single-app view: status polling, container logs,
- * build logs, and recent deployments list.
- */
-
-document.addEventListener("alpine:init", () => {
-    // ============================================
-    // Environment Variable Editor Component
-    // ============================================
-    Alpine.data("envVarEditor", (appId) => ({
-        vars: [],
-        editIdx: -1,
-        editKey: "",
-        editVal: "",
-        appId: appId,
-
-        init() {
-            this.vars = Array.from(this.$el.querySelectorAll(".env-init")).map(
-                (span) => ({
-                    key: span.dataset.key,
-                    value: span.dataset.value,
-                }),
-            );
-        },
-
-        startEdit(i) {
-            this.editIdx = i;
-            this.editKey = this.vars[i].key;
-            this.editVal = this.vars[i].value;
-        },
-
-        saveEdit(i) {
-            this.vars[i] = { key: this.editKey, value: this.editVal };
-            this.editIdx = -1;
-            this.submitAll();
-        },
-
-        removeVar(i) {
-            if (!window.confirm("Delete this environment variable?")) {
-                return;
-            }
-
-            this.vars.splice(i, 1);
-            this.submitAll();
-        },
-
-        addVar(keyEl, valEl) {
-            const k = keyEl.value.trim();
-            const v = valEl.value.trim();
-
-            if (!k) {
-                return;
-            }
-
-            this.vars.push({ key: k, value: v });
-            this.submitAll();
-        },
-
-        submitAll() {
-            const csrfInput = this.$el.querySelector(
-                'input[name="gorilla.csrf.Token"]',
-            );
-            const csrfToken = csrfInput ? csrfInput.value : "";
-
-            fetch("/apps/" + this.appId + "/env", {
-                method: "POST",
-                headers: {
-                    "Content-Type": "application/json",
-                    "X-CSRF-Token": csrfToken,
-                },
-                body: JSON.stringify(
-                    this.vars.map((e) => ({ key: e.key, value: e.value })),
-                ),
-            })
-                .then((res) => {
-                    if (res.ok) {
-                        window.location.reload();
-                        return;
-                    }
-                    res.json()
-                        .then((data) => {
-                            window.alert(
-                                data.error ||
-                                    "Failed to save environment variables.",
-                            );
-                        })
-                        .catch(() => {
-                            window.alert(
-                                "Failed to save environment variables.",
-                            );
-                        });
-                })
-                .catch(() => {
-                    window.alert(
-                        "Network error: could not save environment variables.",
-                    );
-                });
-        },
-    }));
-
-    // ============================================
-    // App Detail Page Component
-    // ============================================
-    Alpine.data("appDetail", (config) => ({
-        appId: config.appId,
-        currentDeploymentId: config.initialDeploymentId,
-        appStatus: config.initialStatus || "unknown",
-        containerLogs: "Loading container logs...",
-        containerStatus: "unknown",
-        buildLogs: config.initialDeploymentId
-            ? "Loading build logs..."
-            : "No deployments yet",
-        buildStatus: config.initialBuildStatus || "unknown",
-        showBuildLogs: !!config.initialDeploymentId,
-        deploying: false,
-        deployments: [],
-        // Track whether user wants auto-scroll (per log pane)
-        _containerAutoScroll: true,
-        _buildAutoScroll: true,
-        _pollTimer: null,
-
-        init() {
-            this.deploying = Alpine.store("utils").isDeploying(this.appStatus);
-            this.fetchAll();
-            this._schedulePoll();
-
-            // Set up scroll listeners after DOM is ready
-            this.$nextTick(() => {
-                this._initScrollTracking(
-                    this.$refs.containerLogsWrapper,
-                    "_containerAutoScroll",
-                );
-                this._initScrollTracking(
-                    this.$refs.buildLogsWrapper,
-                    "_buildAutoScroll",
-                );
-            });
-        },
-
-        _schedulePoll() {
-            if (this._pollTimer) clearTimeout(this._pollTimer);
-            const interval = Alpine.store("utils").isDeploying(this.appStatus)
-                ? 1000
-                : 10000;
-            this._pollTimer = setTimeout(() => {
-                this.fetchAll();
-                this._schedulePoll();
-            }, interval);
-        },
-
-        _initScrollTracking(el, flag) {
-            if (!el) return;
-            el.addEventListener(
-                "scroll",
-                () => {
-                    this[flag] = Alpine.store("utils").isScrolledToBottom(el);
-                },
-                { passive: true },
-            );
-        },
-
-        fetchAll() {
-            this.fetchAppStatus();
-            // Only fetch logs when the respective pane is visible
-            if (
-                this.$refs.containerLogsWrapper &&
-                this._isElementVisible(this.$refs.containerLogsWrapper)
-            ) {
-                this.fetchContainerLogs();
-            }
-            if (
-                this.showBuildLogs &&
-                this.$refs.buildLogsWrapper &&
-                this._isElementVisible(this.$refs.buildLogsWrapper)
-            ) {
-                this.fetchBuildLogs();
-            }
-            this.fetchRecentDeployments();
-        },
-
-        _isElementVisible(el) {
-            if (!el) return false;
-            // Check if element is in viewport (roughly)
-            const rect = el.getBoundingClientRect();
-            return rect.bottom > 0 && rect.top < window.innerHeight;
-        },
-
-        async fetchAppStatus() {
-            try {
-                const res = await fetch(`/apps/${this.appId}/status`);
-                const data = await res.json();
-                const wasDeploying = this.deploying;
-                this.appStatus = data.status;
-                this.deploying = Alpine.store("utils").isDeploying(data.status);
-
-                // Re-schedule polling when deployment state changes
-                if (this.deploying !== wasDeploying) {
-                    this._schedulePoll();
-                }
-
-                if (
-                    data.latestDeploymentID &&
-                    data.latestDeploymentID !== this.currentDeploymentId
-                ) {
-                    this.currentDeploymentId = data.latestDeploymentID;
-                    this.showBuildLogs = true;
-                    this.fetchBuildLogs();
-                }
-            } catch (err) {
-                console.error("Status fetch error:", err);
-            }
-        },
-
-        async fetchContainerLogs() {
-            try {
-                const res = await fetch(`/apps/${this.appId}/container-logs`);
-                const data = await res.json();
-                const newLogs = data.logs || "No logs available";
-                const changed = newLogs !== this.containerLogs;
-                this.containerLogs = newLogs;
-                this.containerStatus = data.status;
-                if (changed && this._containerAutoScroll) {
-                    this.$nextTick(() => {
-                        Alpine.store("utils").scrollToBottom(
-                            this.$refs.containerLogsWrapper,
-                        );
-                    });
-                }
-            } catch (err) {
-                this.containerLogs = "Failed to fetch logs";
-            }
-        },
-
-        async fetchBuildLogs() {
-            if (!this.currentDeploymentId) return;
-            try {
-                const res = await fetch(
-                    `/apps/${this.appId}/deployments/${this.currentDeploymentId}/logs`,
-                );
-                const data = await res.json();
-                const newLogs = data.logs || "No build logs available";
-                const changed = newLogs !== this.buildLogs;
-                this.buildLogs = newLogs;
-                this.buildStatus = data.status;
-                if (changed && this._buildAutoScroll) {
-                    this.$nextTick(() => {
-                        Alpine.store("utils").scrollToBottom(
-                            this.$refs.buildLogsWrapper,
-                        );
-                    });
-                }
-            } catch (err) {
-                this.buildLogs = "Failed to fetch logs";
-            }
-        },
-
-        async fetchRecentDeployments() {
-            try {
-                const res = await fetch(
-                    `/apps/${this.appId}/recent-deployments`,
-                );
-                const data = await res.json();
-                this.deployments = data.deployments || [];
-            } catch (err) {
-                console.error("Deployments fetch error:", err);
-            }
-        },
-
-        submitDeploy() {
-            this.deploying = true;
-        },
-
-        get statusBadgeClass() {
-            return Alpine.store("utils").statusBadgeClass(this.appStatus);
-        },
-
-        get statusLabel() {
-            return Alpine.store("utils").statusLabel(this.appStatus);
-        },
-
-        get containerStatusBadgeClass() {
-            return (
-                Alpine.store("utils").statusBadgeClass(this.containerStatus) +
-                " text-xs"
-            );
-        },
-
-        get containerStatusLabel() {
-            return Alpine.store("utils").statusLabel(this.containerStatus);
-        },
-
-        get buildStatusBadgeClass() {
-            return (
-                Alpine.store("utils").statusBadgeClass(this.buildStatus) +
-                " text-xs"
-            );
-        },
-
-        get buildStatusLabel() {
-            return Alpine.store("utils").statusLabel(this.buildStatus);
-        },
-
-        deploymentStatusClass(status) {
-            return Alpine.store("utils").statusBadgeClass(status);
-        },
-
-        deploymentStatusLabel(status) {
-            return Alpine.store("utils").statusLabel(status);
-        },
-
-        formatTime(isoTime) {
-            return Alpine.store("utils").formatRelativeTime(isoTime);
-        },
-    }));
-});

static/js/app.js

@@ -0,0 +1,622 @@
+/**
+ * upaas - Frontend JavaScript with Alpine.js
+ */
+
+document.addEventListener("alpine:init", () => {
+    // ============================================
+    // Global Utilities Store
+    // ============================================
+    Alpine.store("utils", {
+        /**
+         * Format a date string as relative time (e.g., "5 minutes ago")
+         */
+        formatRelativeTime(dateStr) {
+            if (!dateStr) return "";
+            const date = new Date(dateStr);
+            const now = new Date();
+            const diffMs = now - date;
+            const diffSec = Math.floor(diffMs / 1000);
+            const diffMin = Math.floor(diffSec / 60);
+            const diffHour = Math.floor(diffMin / 60);
+            const diffDay = Math.floor(diffHour / 24);
+
+            if (diffSec < 60) return "just now";
+            if (diffMin < 60)
+                return (
+                    diffMin + (diffMin === 1 ? " minute ago" : " minutes ago")
+                );
+            if (diffHour < 24)
+                return diffHour + (diffHour === 1 ? " hour ago" : " hours ago");
+            if (diffDay < 7)
+                return diffDay + (diffDay === 1 ? " day ago" : " days ago");
+            return date.toLocaleDateString();
+        },
+
+        /**
+         * Get the badge class for a given status
+         */
+        statusBadgeClass(status) {
+            if (status === "running" || status === "success")
+                return "badge-success";
+            if (status === "building" || status === "deploying")
+                return "badge-warning";
+            if (status === "failed" || status === "error") return "badge-error";
+            return "badge-neutral";
+        },
+
+        /**
+         * Format status for display (capitalize first letter)
+         */
+        statusLabel(status) {
+            if (!status) return "";
+            return status.charAt(0).toUpperCase() + status.slice(1);
+        },
+
+        /**
+         * Check if status indicates active deployment
+         */
+        isDeploying(status) {
+            return status === "building" || status === "deploying";
+        },
+
+        /**
+         * Scroll an element to the bottom
+         */
+        scrollToBottom(el) {
+            if (el) {
+                requestAnimationFrame(() => {
+                    el.scrollTop = el.scrollHeight;
+                });
+            }
+        },
+
+        /**
+         * Check if a scrollable element is at (or near) the bottom.
+         * Tolerance of 30px accounts for rounding and partial lines.
+         */
+        isScrolledToBottom(el, tolerance = 30) {
+            if (!el) return true;
+            return (
+                el.scrollHeight - el.scrollTop - el.clientHeight <= tolerance
+            );
+        },
+
+        /**
+         * Copy text to clipboard
+         */
+        async copyToClipboard(text, button) {
+            try {
+                await navigator.clipboard.writeText(text);
+                return true;
+            } catch (err) {
+                // Fallback for older browsers
+                const textArea = document.createElement("textarea");
+                textArea.value = text;
+                textArea.style.position = "fixed";
+                textArea.style.left = "-9999px";
+                document.body.appendChild(textArea);
+                textArea.select();
+                try {
+                    document.execCommand("copy");
+                    document.body.removeChild(textArea);
+                    return true;
+                } catch (e) {
+                    document.body.removeChild(textArea);
+                    return false;
+                }
+            }
+        },
+    });
+
+    // ============================================
+    // Copy Button Component
+    // ============================================
+    Alpine.data("copyButton", (targetId) => ({
+        copied: false,
+        async copy() {
+            const target = document.getElementById(targetId);
+            if (!target) return;
+            const text = target.textContent || target.value;
+            const success = await Alpine.store("utils").copyToClipboard(text);
+            if (success) {
+                this.copied = true;
+                setTimeout(() => {
+                    this.copied = false;
+                }, 2000);
+            }
+        },
+    }));
+
+    // ============================================
+    // Confirm Action Component
+    // ============================================
+    Alpine.data("confirmAction", (message) => ({
+        confirm(event) {
+            if (!window.confirm(message)) {
+                event.preventDefault();
+            }
+        },
+    }));
+
+    // ============================================
+    // Auto-dismiss Alert Component
+    // ============================================
+    Alpine.data("autoDismiss", (delay = 5000) => ({
+        show: true,
+        init() {
+            setTimeout(() => {
+                this.dismiss();
+            }, delay);
+        },
+        dismiss() {
+            this.show = false;
+            setTimeout(() => {
+                this.$el.remove();
+            }, 300);
+        },
+    }));
+
+    // ============================================
+    // Relative Time Component
+    // ============================================
+    Alpine.data("relativeTime", (isoTime) => ({
+        display: "",
+        init() {
+            this.update();
+            // Update every minute
+            setInterval(() => this.update(), 60000);
+        },
+        update() {
+            this.display = Alpine.store("utils").formatRelativeTime(isoTime);
+        },
+    }));
+
+    // ============================================
+    // App Detail Page Component
+    // ============================================
+    Alpine.data("appDetail", (config) => ({
+        appId: config.appId,
+        currentDeploymentId: config.initialDeploymentId,
+        appStatus: config.initialStatus || "unknown",
+        containerLogs: "Loading container logs...",
+        containerStatus: "unknown",
+        buildLogs: config.initialDeploymentId
+            ? "Loading build logs..."
+            : "No deployments yet",
+        buildStatus: config.initialBuildStatus || "unknown",
+        showBuildLogs: !!config.initialDeploymentId,
+        deploying: false,
+        deployments: [],
+        // Track whether user wants auto-scroll (per log pane)
+        _containerAutoScroll: true,
+        _buildAutoScroll: true,
+        _pollTimer: null,
+
+        init() {
+            this.deploying = Alpine.store("utils").isDeploying(this.appStatus);
+            this.fetchAll();
+            this._schedulePoll();
+
+            // Set up scroll listeners after DOM is ready
+            this.$nextTick(() => {
+                this._initScrollTracking(
+                    this.$refs.containerLogsWrapper,
+                    "_containerAutoScroll",
+                );
+                this._initScrollTracking(
+                    this.$refs.buildLogsWrapper,
+                    "_buildAutoScroll",
+                );
+            });
+        },
+
+        _schedulePoll() {
+            if (this._pollTimer) clearTimeout(this._pollTimer);
+            const interval = Alpine.store("utils").isDeploying(this.appStatus)
+                ? 1000
+                : 10000;
+            this._pollTimer = setTimeout(() => {
+                this.fetchAll();
+                this._schedulePoll();
+            }, interval);
+        },
+
+        _initScrollTracking(el, flag) {
+            if (!el) return;
+            el.addEventListener(
+                "scroll",
+                () => {
+                    this[flag] = Alpine.store("utils").isScrolledToBottom(el);
+                },
+                { passive: true },
+            );
+        },
+
+        fetchAll() {
+            this.fetchAppStatus();
+            // Only fetch logs when the respective pane is visible
+            if (
+                this.$refs.containerLogsWrapper &&
+                this._isElementVisible(this.$refs.containerLogsWrapper)
+            ) {
+                this.fetchContainerLogs();
+            }
+            if (
+                this.showBuildLogs &&
+                this.$refs.buildLogsWrapper &&
+                this._isElementVisible(this.$refs.buildLogsWrapper)
+            ) {
+                this.fetchBuildLogs();
+            }
+            this.fetchRecentDeployments();
+        },
+
+        _isElementVisible(el) {
+            if (!el) return false;
+            // Check if element is in viewport (roughly)
+            const rect = el.getBoundingClientRect();
+            return rect.bottom > 0 && rect.top < window.innerHeight;
+        },
+
+        async fetchAppStatus() {
+            try {
+                const res = await fetch(`/apps/${this.appId}/status`);
+                const data = await res.json();
+                const wasDeploying = this.deploying;
+                this.appStatus = data.status;
+                this.deploying = Alpine.store("utils").isDeploying(data.status);
+
+                // Re-schedule polling when deployment state changes
+                if (this.deploying !== wasDeploying) {
+                    this._schedulePoll();
+                }
+
+                if (
+                    data.latestDeploymentID &&
+                    data.latestDeploymentID !== this.currentDeploymentId
+                ) {
+                    this.currentDeploymentId = data.latestDeploymentID;
+                    this.showBuildLogs = true;
+                    this.fetchBuildLogs();
+                }
+            } catch (err) {
+                console.error("Status fetch error:", err);
+            }
+        },
+
+        async fetchContainerLogs() {
+            try {
+                const res = await fetch(`/apps/${this.appId}/container-logs`);
+                const data = await res.json();
+                const newLogs = data.logs || "No logs available";
+                const changed = newLogs !== this.containerLogs;
+                this.containerLogs = newLogs;
+                this.containerStatus = data.status;
+                if (changed && this._containerAutoScroll) {
+                    this.$nextTick(() => {
+                        Alpine.store("utils").scrollToBottom(
+                            this.$refs.containerLogsWrapper,
+                        );
+                    });
+                }
+            } catch (err) {
+                this.containerLogs = "Failed to fetch logs";
+            }
+        },
+
+        async fetchBuildLogs() {
+            if (!this.currentDeploymentId) return;
+            try {
+                const res = await fetch(
+                    `/apps/${this.appId}/deployments/${this.currentDeploymentId}/logs`,
+                );
+                const data = await res.json();
+                const newLogs = data.logs || "No build logs available";
+                const changed = newLogs !== this.buildLogs;
+                this.buildLogs = newLogs;
+                this.buildStatus = data.status;
+                if (changed && this._buildAutoScroll) {
+                    this.$nextTick(() => {
+                        Alpine.store("utils").scrollToBottom(
+                            this.$refs.buildLogsWrapper,
+                        );
+                    });
+                }
+            } catch (err) {
+                this.buildLogs = "Failed to fetch logs";
+            }
+        },
+
+        async fetchRecentDeployments() {
+            try {
+                const res = await fetch(
+                    `/apps/${this.appId}/recent-deployments`,
+                );
+                const data = await res.json();
+                this.deployments = data.deployments || [];
+            } catch (err) {
+                console.error("Deployments fetch error:", err);
+            }
+        },
+
+        submitDeploy() {
+            this.deploying = true;
+        },
+
+        get statusBadgeClass() {
+            return Alpine.store("utils").statusBadgeClass(this.appStatus);
+        },
+
+        get statusLabel() {
+            return Alpine.store("utils").statusLabel(this.appStatus);
+        },
+
+        get containerStatusBadgeClass() {
+            return (
+                Alpine.store("utils").statusBadgeClass(this.containerStatus) +
+                " text-xs"
+            );
+        },
+
+        get containerStatusLabel() {
+            return Alpine.store("utils").statusLabel(this.containerStatus);
+        },
+
+        get buildStatusBadgeClass() {
+            return (
+                Alpine.store("utils").statusBadgeClass(this.buildStatus) +
+                " text-xs"
+            );
+        },
+
+        get buildStatusLabel() {
+            return Alpine.store("utils").statusLabel(this.buildStatus);
+        },
+
+        deploymentStatusClass(status) {
+            return Alpine.store("utils").statusBadgeClass(status);
+        },
+
+        deploymentStatusLabel(status) {
+            return Alpine.store("utils").statusLabel(status);
+        },
+
+        formatTime(isoTime) {
+            return Alpine.store("utils").formatRelativeTime(isoTime);
+        },
+    }));
+
+    // ============================================
+    // Deployment Card Component (for individual deployment cards)
+    // ============================================
+    Alpine.data("deploymentCard", (config) => ({
+        appId: config.appId,
+        deploymentId: config.deploymentId,
+        logs: "",
+        status: config.status || "",
+        pollInterval: null,
+        _autoScroll: true,
+
+        init() {
+            // Read initial logs from script tag (avoids escaping issues)
+            const initialLogsEl = this.$el.querySelector(".initial-logs");
+            this.logs = initialLogsEl?.dataset.logs || "Loading...";
+
+            // Set up scroll tracking
+            this.$nextTick(() => {
+                const wrapper = this.$refs.logsWrapper;
+                if (wrapper) {
+                    wrapper.addEventListener(
+                        "scroll",
+                        () => {
+                            this._autoScroll =
+                                Alpine.store("utils").isScrolledToBottom(
+                                    wrapper,
+                                );
+                        },
+                        { passive: true },
+                    );
+                }
+            });
+
+            // Only poll if deployment is in progress
+            if (Alpine.store("utils").isDeploying(this.status)) {
+                this.fetchLogs();
+                this.pollInterval = setInterval(() => this.fetchLogs(), 1000);
+            }
+        },
+
+        destroy() {
+            if (this.pollInterval) {
+                clearInterval(this.pollInterval);
+            }
+        },
+
+        async fetchLogs() {
+            try {
+                const res = await fetch(
+                    `/apps/${this.appId}/deployments/${this.deploymentId}/logs`,
+                );
+                const data = await res.json();
+                const newLogs = data.logs || "No logs available";
+                const logsChanged = newLogs !== this.logs;
+                this.logs = newLogs;
+                this.status = data.status;
+
+                // Scroll to bottom only when content changes AND user hasn't scrolled up
+                if (logsChanged && this._autoScroll) {
+                    this.$nextTick(() => {
+                        Alpine.store("utils").scrollToBottom(
+                            this.$refs.logsWrapper,
+                        );
+                    });
+                }
+
+                // Stop polling if deployment is done
+                if (!Alpine.store("utils").isDeploying(data.status)) {
+                    if (this.pollInterval) {
+                        clearInterval(this.pollInterval);
+                        this.pollInterval = null;
+                    }
+                    // Reload page to show final state with duration etc
+                    window.location.reload();
+                }
+            } catch (err) {
+                console.error("Logs fetch error:", err);
+            }
+        },
+
+        get statusBadgeClass() {
+            return Alpine.store("utils").statusBadgeClass(this.status);
+        },
+
+        get statusLabel() {
+            return Alpine.store("utils").statusLabel(this.status);
+        },
+    }));
+
+    // ============================================
+    // Deployments History Page Component
+    // ============================================
+    Alpine.data("deploymentsPage", (config) => ({
+        appId: config.appId,
+        currentDeploymentId: null,
+        isDeploying: false,
+
+        init() {
+            // Check for in-progress deployments on page load
+            const inProgressCard = document.querySelector(
+                '[data-status="building"], [data-status="deploying"]',
+            );
+            if (inProgressCard) {
+                this.currentDeploymentId = parseInt(
+                    inProgressCard.getAttribute("data-deployment-id"),
+                    10,
+                );
+                this.isDeploying = true;
+            }
+
+            this.fetchAppStatus();
+            this._scheduleStatusPoll();
+        },
+
+        _statusPollTimer: null,
+
+        _scheduleStatusPoll() {
+            if (this._statusPollTimer) clearTimeout(this._statusPollTimer);
+            const interval = this.isDeploying ? 1000 : 10000;
+            this._statusPollTimer = setTimeout(() => {
+                this.fetchAppStatus();
+                this._scheduleStatusPoll();
+            }, interval);
+        },
+
+        async fetchAppStatus() {
+            try {
+                const res = await fetch(`/apps/${this.appId}/status`);
+                const data = await res.json();
+                // Use deployment status, not app status - it's more reliable during transitions
+                const deploying = Alpine.store("utils").isDeploying(
+                    data.latestDeploymentStatus,
+                );
+
+                // Detect new deployment
+                if (
+                    data.latestDeploymentID &&
+                    data.latestDeploymentID !== this.currentDeploymentId
+                ) {
+                    // Check if we have a card for this deployment
+                    const hasCard = document.querySelector(
+                        `[data-deployment-id="${data.latestDeploymentID}"]`,
+                    );
+
+                    if (deploying && !hasCard) {
+                        // New deployment started but no card exists - reload to show it
+                        window.location.reload();
+
+                        return;
+                    }
+
+                    this.currentDeploymentId = data.latestDeploymentID;
+                }
+
+                // Update deploying state based on latest deployment status
+                if (deploying && !this.isDeploying) {
+                    this.isDeploying = true;
+                    this._scheduleStatusPoll(); // Switch to fast polling
+                } else if (!deploying && this.isDeploying) {
+                    // Deployment finished - reload to show final state
+                    this.isDeploying = false;
+                    window.location.reload();
+                }
+            } catch (err) {
+                console.error("Status fetch error:", err);
+            }
+        },
+
+        submitDeploy() {
+            this.isDeploying = true;
+        },
+
+        formatTime(isoTime) {
+            return Alpine.store("utils").formatRelativeTime(isoTime);
+        },
+    }));
+
+    // ============================================
+    // Dashboard Page - Relative Time Updates
+    // ============================================
+    Alpine.data("dashboard", () => ({
+        init() {
+            // Update relative times every minute
+            setInterval(() => {
+                this.$el.querySelectorAll("[data-time]").forEach((el) => {
+                    const time = el.getAttribute("data-time");
+                    if (time) {
+                        el.textContent =
+                            Alpine.store("utils").formatRelativeTime(time);
+                    }
+                });
+            }, 60000);
+        },
+    }));
+});
+
+// ============================================
+// Legacy support - expose utilities globally
+// ============================================
+window.upaas = {
+    // These are kept for backwards compatibility but templates should use Alpine.js
+    formatRelativeTime(dateStr) {
+        if (!dateStr) return "";
+        const date = new Date(dateStr);
+        const now = new Date();
+        const diffMs = now - date;
+        const diffSec = Math.floor(diffMs / 1000);
+        const diffMin = Math.floor(diffSec / 60);
+        const diffHour = Math.floor(diffMin / 60);
+        const diffDay = Math.floor(diffHour / 24);
+
+        if (diffSec < 60) return "just now";
+        if (diffMin < 60)
+            return diffMin + (diffMin === 1 ? " minute ago" : " minutes ago");
+        if (diffHour < 24)
+            return diffHour + (diffHour === 1 ? " hour ago" : " hours ago");
+        if (diffDay < 7)
+            return diffDay + (diffDay === 1 ? " day ago" : " days ago");
+        return date.toLocaleDateString();
+    },
+    // Placeholder functions - templates should migrate to Alpine.js
+    initAppDetailPage() {},
+    initDeploymentsPage() {},
+};
+
+// Update relative times on page load for non-Alpine elements
+document.addEventListener("DOMContentLoaded", () => {
+    document.querySelectorAll(".relative-time[data-time]").forEach((el) => {
+        const time = el.getAttribute("data-time");
+        if (time) {
+            el.textContent = window.upaas.formatRelativeTime(time);
+        }
+    });
+});

static/js/components.js

@@ -1,71 +0,0 @@
-/**
- * upaas - Reusable Alpine.js Components
- *
- * Small, self-contained components: copy button, confirm dialog,
- * auto-dismiss alerts, and relative time display.
- */
-
-document.addEventListener("alpine:init", () => {
-    // ============================================
-    // Copy Button Component
-    // ============================================
-    Alpine.data("copyButton", (targetId) => ({
-        copied: false,
-        async copy() {
-            const target = document.getElementById(targetId);
-            if (!target) return;
-            const text = target.textContent || target.value;
-            const success = await Alpine.store("utils").copyToClipboard(text);
-            if (success) {
-                this.copied = true;
-                setTimeout(() => {
-                    this.copied = false;
-                }, 2000);
-            }
-        },
-    }));
-
-    // ============================================
-    // Confirm Action Component
-    // ============================================
-    Alpine.data("confirmAction", (message) => ({
-        confirm(event) {
-            if (!window.confirm(message)) {
-                event.preventDefault();
-            }
-        },
-    }));
-
-    // ============================================
-    // Auto-dismiss Alert Component
-    // ============================================
-    Alpine.data("autoDismiss", (delay = 5000) => ({
-        show: true,
-        init() {
-            setTimeout(() => {
-                this.dismiss();
-            }, delay);
-        },
-        dismiss() {
-            this.show = false;
-            setTimeout(() => {
-                this.$el.remove();
-            }, 300);
-        },
-    }));
-
-    // ============================================
-    // Relative Time Component
-    // ============================================
-    Alpine.data("relativeTime", (isoTime) => ({
-        display: "",
-        init() {
-            this.update();
-            // Update every minute
-            setInterval(() => this.update(), 60000);
-        },
-        update() {
-            this.display = Alpine.store("utils").formatRelativeTime(isoTime);
-        },
-    }));
-});

static/js/dashboard.js

@@ -1,22 +0,0 @@
-/**
- * upaas - Dashboard Page Component
- *
- * Periodically updates relative timestamps on the main dashboard.
- */
-
-document.addEventListener("alpine:init", () => {
-    Alpine.data("dashboard", () => ({
-        init() {
-            // Update relative times every minute
-            setInterval(() => {
-                this.$el.querySelectorAll("[data-time]").forEach((el) => {
-                    const time = el.getAttribute("data-time");
-                    if (time) {
-                        el.textContent =
-                            Alpine.store("utils").formatRelativeTime(time);
-                    }
-                });
-            }, 60000);
-        },
-    }));
-});

static/js/deployment.js

@@ -1,185 +0,0 @@
-/**
- * upaas - Deployment Components
- *
- * Deployment card (individual deployment log viewer) and
- * deployments history page (list of all deployments).
- */
-
-document.addEventListener("alpine:init", () => {
-    // ============================================
-    // Deployment Card Component (for individual deployment cards)
-    // ============================================
-    Alpine.data("deploymentCard", (config) => ({
-        appId: config.appId,
-        deploymentId: config.deploymentId,
-        logs: "",
-        status: config.status || "",
-        pollInterval: null,
-        _autoScroll: true,
-
-        init() {
-            // Read initial logs from script tag (avoids escaping issues)
-            const initialLogsEl = this.$el.querySelector(".initial-logs");
-            this.logs = initialLogsEl?.dataset.logs || "Loading...";
-
-            // Set up scroll tracking
-            this.$nextTick(() => {
-                const wrapper = this.$refs.logsWrapper;
-                if (wrapper) {
-                    wrapper.addEventListener(
-                        "scroll",
-                        () => {
-                            this._autoScroll =
-                                Alpine.store("utils").isScrolledToBottom(
-                                    wrapper,
-                                );
-                        },
-                        { passive: true },
-                    );
-                }
-            });
-
-            // Only poll if deployment is in progress
-            if (Alpine.store("utils").isDeploying(this.status)) {
-                this.fetchLogs();
-                this.pollInterval = setInterval(() => this.fetchLogs(), 1000);
-            }
-        },
-
-        destroy() {
-            if (this.pollInterval) {
-                clearInterval(this.pollInterval);
-            }
-        },
-
-        async fetchLogs() {
-            try {
-                const res = await fetch(
-                    `/apps/${this.appId}/deployments/${this.deploymentId}/logs`,
-                );
-                const data = await res.json();
-                const newLogs = data.logs || "No logs available";
-                const logsChanged = newLogs !== this.logs;
-                this.logs = newLogs;
-                this.status = data.status;
-
-                // Scroll to bottom only when content changes AND user hasn't scrolled up
-                if (logsChanged && this._autoScroll) {
-                    this.$nextTick(() => {
-                        Alpine.store("utils").scrollToBottom(
-                            this.$refs.logsWrapper,
-                        );
-                    });
-                }
-
-                // Stop polling if deployment is done
-                if (!Alpine.store("utils").isDeploying(data.status)) {
-                    if (this.pollInterval) {
-                        clearInterval(this.pollInterval);
-                        this.pollInterval = null;
-                    }
-                    // Reload page to show final state with duration etc
-                    window.location.reload();
-                }
-            } catch (err) {
-                console.error("Logs fetch error:", err);
-            }
-        },
-
-        get statusBadgeClass() {
-            return Alpine.store("utils").statusBadgeClass(this.status);
-        },
-
-        get statusLabel() {
-            return Alpine.store("utils").statusLabel(this.status);
-        },
-    }));
-
-    // ============================================
-    // Deployments History Page Component
-    // ============================================
-    Alpine.data("deploymentsPage", (config) => ({
-        appId: config.appId,
-        currentDeploymentId: null,
-        isDeploying: false,
-
-        init() {
-            // Check for in-progress deployments on page load
-            const inProgressCard = document.querySelector(
-                '[data-status="building"], [data-status="deploying"]',
-            );
-            if (inProgressCard) {
-                this.currentDeploymentId = parseInt(
-                    inProgressCard.getAttribute("data-deployment-id"),
-                    10,
-                );
-                this.isDeploying = true;
-            }
-
-            this.fetchAppStatus();
-            this._scheduleStatusPoll();
-        },
-
-        _statusPollTimer: null,
-
-        _scheduleStatusPoll() {
-            if (this._statusPollTimer) clearTimeout(this._statusPollTimer);
-            const interval = this.isDeploying ? 1000 : 10000;
-            this._statusPollTimer = setTimeout(() => {
-                this.fetchAppStatus();
-                this._scheduleStatusPoll();
-            }, interval);
-        },
-
-        async fetchAppStatus() {
-            try {
-                const res = await fetch(`/apps/${this.appId}/status`);
-                const data = await res.json();
-                // Use deployment status, not app status - it's more reliable during transitions
-                const deploying = Alpine.store("utils").isDeploying(
-                    data.latestDeploymentStatus,
-                );
-
-                // Detect new deployment
-                if (
-                    data.latestDeploymentID &&
-                    data.latestDeploymentID !== this.currentDeploymentId
-                ) {
-                    // Check if we have a card for this deployment
-                    const hasCard = document.querySelector(
-                        `[data-deployment-id="${data.latestDeploymentID}"]`,
-                    );
-
-                    if (deploying && !hasCard) {
-                        // New deployment started but no card exists - reload to show it
-                        window.location.reload();
-
-                        return;
-                    }
-
-                    this.currentDeploymentId = data.latestDeploymentID;
-                }
-
-                // Update deploying state based on latest deployment status
-                if (deploying && !this.isDeploying) {
-                    this.isDeploying = true;
-                    this._scheduleStatusPoll(); // Switch to fast polling
-                } else if (!deploying && this.isDeploying) {
-                    // Deployment finished - reload to show final state
-                    this.isDeploying = false;
-                    window.location.reload();
-                }
-            } catch (err) {
-                console.error("Status fetch error:", err);
-            }
-        },
-
-        submitDeploy() {
-            this.isDeploying = true;
-        },
-
-        formatTime(isoTime) {
-            return Alpine.store("utils").formatRelativeTime(isoTime);
-        },
-    }));
-});

static/js/utils.js

@@ -1,148 +0,0 @@
-/**
- * upaas - Global Utilities Store
- *
- * Shared formatting, status helpers, and clipboard utilities used across all pages.
- */
-
-document.addEventListener("alpine:init", () => {
-    Alpine.store("utils", {
-        /**
-         * Format a date string as relative time (e.g., "5 minutes ago")
-         */
-        formatRelativeTime(dateStr) {
-            if (!dateStr) return "";
-            const date = new Date(dateStr);
-            const now = new Date();
-            const diffMs = now - date;
-            const diffSec = Math.floor(diffMs / 1000);
-            const diffMin = Math.floor(diffSec / 60);
-            const diffHour = Math.floor(diffMin / 60);
-            const diffDay = Math.floor(diffHour / 24);
-
-            if (diffSec < 60) return "just now";
-            if (diffMin < 60)
-                return (
-                    diffMin + (diffMin === 1 ? " minute ago" : " minutes ago")
-                );
-            if (diffHour < 24)
-                return diffHour + (diffHour === 1 ? " hour ago" : " hours ago");
-            if (diffDay < 7)
-                return diffDay + (diffDay === 1 ? " day ago" : " days ago");
-            return date.toLocaleDateString();
-        },
-
-        /**
-         * Get the badge class for a given status
-         */
-        statusBadgeClass(status) {
-            if (status === "running" || status === "success")
-                return "badge-success";
-            if (status === "building" || status === "deploying")
-                return "badge-warning";
-            if (status === "failed" || status === "error") return "badge-error";
-            return "badge-neutral";
-        },
-
-        /**
-         * Format status for display (capitalize first letter)
-         */
-        statusLabel(status) {
-            if (!status) return "";
-            return status.charAt(0).toUpperCase() + status.slice(1);
-        },
-
-        /**
-         * Check if status indicates active deployment
-         */
-        isDeploying(status) {
-            return status === "building" || status === "deploying";
-        },
-
-        /**
-         * Scroll an element to the bottom
-         */
-        scrollToBottom(el) {
-            if (el) {
-                requestAnimationFrame(() => {
-                    el.scrollTop = el.scrollHeight;
-                });
-            }
-        },
-
-        /**
-         * Check if a scrollable element is at (or near) the bottom.
-         * Tolerance of 30px accounts for rounding and partial lines.
-         */
-        isScrolledToBottom(el, tolerance = 30) {
-            if (!el) return true;
-            return (
-                el.scrollHeight - el.scrollTop - el.clientHeight <= tolerance
-            );
-        },
-
-        /**
-         * Copy text to clipboard
-         */
-        async copyToClipboard(text, button) {
-            try {
-                await navigator.clipboard.writeText(text);
-                return true;
-            } catch (err) {
-                // Fallback for older browsers
-                const textArea = document.createElement("textarea");
-                textArea.value = text;
-                textArea.style.position = "fixed";
-                textArea.style.left = "-9999px";
-                document.body.appendChild(textArea);
-                textArea.select();
-                try {
-                    document.execCommand("copy");
-                    document.body.removeChild(textArea);
-                    return true;
-                } catch (e) {
-                    document.body.removeChild(textArea);
-                    return false;
-                }
-            }
-        },
-    });
-});
-
-// ============================================
-// Legacy support - expose utilities globally
-// ============================================
-window.upaas = {
-    // These are kept for backwards compatibility but templates should use Alpine.js
-    formatRelativeTime(dateStr) {
-        if (!dateStr) return "";
-        const date = new Date(dateStr);
-        const now = new Date();
-        const diffMs = now - date;
-        const diffSec = Math.floor(diffMs / 1000);
-        const diffMin = Math.floor(diffSec / 60);
-        const diffHour = Math.floor(diffMin / 60);
-        const diffDay = Math.floor(diffHour / 24);
-
-        if (diffSec < 60) return "just now";
-        if (diffMin < 60)
-            return diffMin + (diffMin === 1 ? " minute ago" : " minutes ago");
-        if (diffHour < 24)
-            return diffHour + (diffHour === 1 ? " hour ago" : " hours ago");
-        if (diffDay < 7)
-            return diffDay + (diffDay === 1 ? " day ago" : " days ago");
-        return date.toLocaleDateString();
-    },
-    // Placeholder functions - templates should migrate to Alpine.js
-    initAppDetailPage() {},
-    initDeploymentsPage() {},
-};
-
-// Update relative times on page load for non-Alpine elements
-document.addEventListener("DOMContentLoaded", () => {
-    document.querySelectorAll(".relative-time[data-time]").forEach((el) => {
-        const time = el.getAttribute("data-time");
-        if (time) {
-            el.textContent = window.upaas.formatRelativeTime(time);
-        }
-    });
-});

templates/app_detail.html

@@ -77,10 +77,7 @@
 
     <!-- Webhook URL -->
     <div class="card p-6 mb-6">
-        <div class="flex items-center justify-between mb-4">
-            <h2 class="section-title">Webhook URL</h2>
-            <a href="/apps/{{.App.ID}}/webhooks" class="text-primary-600 hover:text-primary-800 text-sm">Event History</a>
-        </div>
+        <h2 class="section-title mb-4">Webhook URL</h2>
         <p class="text-sm text-gray-500 mb-3">Add this URL as a push webhook in your Gitea repository:</p>
         <div class="copy-field" x-data="copyButton('webhook-url')">
             <code id="webhook-url" class="copy-field-value text-xs">{{.WebhookURL}}</code>
@@ -101,10 +98,9 @@
     </div>
 
     <!-- Environment Variables -->
-    <div class="card p-6 mb-6" x-data="envVarEditor('{{.App.ID}}')">
+    <div class="card p-6 mb-6">
         <h2 class="section-title mb-4">Environment Variables</h2>
-        {{range .EnvVars}}<span class="env-init hidden" data-key="{{.Key}}" data-value="{{.Value}}"></span>{{end}}
-        <template x-if="vars.length > 0">
+        {{if .EnvVars}}
         <div class="overflow-x-auto mb-4">
             <table class="table">
                 <thead class="table-header">
@@ -115,43 +111,47 @@
                     </tr>
                 </thead>
                 <tbody class="table-body">
-                    <template x-for="(env, idx) in vars" :key="idx">
-                    <tr>
-                        <template x-if="editIdx !== idx">
-                            <td class="font-mono font-medium" x-text="env.key"></td>
+                    {{range .EnvVars}}
+                    <tr x-data="{ editing: false }">
+                        <template x-if="!editing">
+                            <td class="font-mono font-medium">{{.Key}}</td>
                         </template>
-                        <template x-if="editIdx !== idx">
-                            <td class="font-mono text-gray-500" x-text="env.value"></td>
+                        <template x-if="!editing">
+                            <td class="font-mono text-gray-500">{{.Value}}</td>
                         </template>
-                        <template x-if="editIdx !== idx">
+                        <template x-if="!editing">
                             <td class="text-right">
-                                <button @click="startEdit(idx)" class="text-primary-600 hover:text-primary-800 text-sm mr-2">Edit</button>
-                                <button @click="removeVar(idx)" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
+                                <button @click="editing = true" class="text-primary-600 hover:text-primary-800 text-sm mr-2">Edit</button>
+                                <form method="POST" action="/apps/{{$.App.ID}}/env-vars/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this environment variable?')" @submit="confirm($event)">
+                                    {{ $.CSRFField }}
+                                    <button type="submit" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
+                                </form>
                             </td>
                         </template>
-                        <template x-if="editIdx === idx">
+                        <template x-if="editing">
                             <td colspan="3">
-                                <form @submit.prevent="saveEdit(idx)" class="flex gap-2 items-center">
-                                    <input type="text" x-model="editKey" required class="input flex-1 font-mono text-sm">
-                                    <input type="text" x-model="editVal" required class="input flex-1 font-mono text-sm">
+                                <form method="POST" action="/apps/{{$.App.ID}}/env-vars/{{.ID}}/edit" class="flex gap-2 items-center">
+                                    {{ $.CSRFField }}
+                                    <input type="text" name="key" value="{{.Key}}" required class="input flex-1 font-mono text-sm">
+                                    <input type="text" name="value" value="{{.Value}}" required class="input flex-1 font-mono text-sm">
                                     <button type="submit" class="btn-primary text-sm">Save</button>
-                                    <button type="button" @click="editIdx = -1" class="text-gray-500 hover:text-gray-700 text-sm">Cancel</button>
+                                    <button type="button" @click="editing = false" class="text-gray-500 hover:text-gray-700 text-sm">Cancel</button>
                                 </form>
                                 <p class="text-xs text-amber-600 mt-1">⚠ Container restart needed after env var changes.</p>
                             </td>
                         </template>
                     </tr>
-                    </template>
+                    {{end}}
                 </tbody>
             </table>
         </div>
-        </template>
-        <form @submit.prevent="addVar($refs.newKey, $refs.newVal)" class="flex flex-col sm:flex-row gap-2">
-            <input x-ref="newKey" type="text" placeholder="KEY" required class="input flex-1 font-mono text-sm">
-            <input x-ref="newVal" type="text" placeholder="value" required class="input flex-1 font-mono text-sm">
+        {{end}}
+        <form method="POST" action="/apps/{{.App.ID}}/env" class="flex flex-col sm:flex-row gap-2">
+                {{ .CSRFField }}
+            <input type="text" name="key" placeholder="KEY" required class="input flex-1 font-mono text-sm">
+            <input type="text" name="value" placeholder="value" required class="input flex-1 font-mono text-sm">
             <button type="submit" class="btn-primary">Add</button>
         </form>
-        <div class="hidden">{{ .CSRFField }}</div>
     </div>
 
     <!-- Labels -->

templates/base.html

@@ -15,11 +15,7 @@
     </div>
     {{template "footer" .}}
     <script defer src="/s/js/alpine.min.js"></script>
-    <script src="/s/js/utils.js"></script>
-    <script src="/s/js/components.js"></script>
-    <script src="/s/js/app-detail.js"></script>
-    <script src="/s/js/deployment.js"></script>
-    <script src="/s/js/dashboard.js"></script>
+    <script src="/s/js/app.js"></script>
 </body>
 </html>
 {{end}}

templates/dashboard.html

@@ -69,7 +69,7 @@
                             <a href="/apps/{{.App.ID}}" class="btn-text text-sm py-1 px-2">View</a>
                             <a href="/apps/{{.App.ID}}/edit" class="btn-secondary text-sm py-1 px-2">Edit</a>
                             <form method="POST" action="/apps/{{.App.ID}}/deploy" class="inline">
-                {{ $.CSRFField }}
+                {{ .CSRFField }}
                                 <button type="submit" class="btn-success text-sm py-1 px-2">Deploy</button>
                             </form>
                         </div>

templates/templates.go

@@ -44,7 +44,6 @@ func initTemplates() {
 		"app_detail.html",
 		"app_edit.html",
 		"deployments.html",
-		"webhook_events.html",
 	}
 
 	pageTemplates = make(map[string]*template.Template)

templates/webhook_events.html

@@ -1,79 +0,0 @@
-{{template "base" .}}
-
-{{define "title"}}Webhook Events - {{.App.Name}} - µPaaS{{end}}
-
-{{define "content"}}
-{{template "nav" .}}
-
-<main class="max-w-4xl mx-auto px-4 py-8">
-    <div class="mb-6">
-        <a href="/apps/{{.App.ID}}" class="text-primary-600 hover:text-primary-800 inline-flex items-center">
-            <svg class="w-4 h-4 mr-1" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M15 19l-7-7 7-7"/>
-            </svg>
-            Back to {{.App.Name}}
-        </a>
-    </div>
-
-    <div class="section-header">
-        <h1 class="text-2xl font-medium text-gray-900">Webhook Events</h1>
-    </div>
-
-    {{if .Events}}
-    <div class="card overflow-hidden">
-        <table class="table">
-            <thead class="table-header">
-                <tr>
-                    <th>Time</th>
-                    <th>Event</th>
-                    <th>Branch</th>
-                    <th>Commit</th>
-                    <th>Status</th>
-                </tr>
-            </thead>
-            <tbody class="table-body">
-                {{range .Events}}
-                <tr>
-                    <td class="text-gray-500 text-sm whitespace-nowrap">
-                        <span x-data="relativeTime('{{.CreatedAt.Format `2006-01-02T15:04:05Z07:00`}}')" x-text="display" class="cursor-default" title="{{.CreatedAt.Format `2006-01-02 15:04:05`}}"></span>
-                    </td>
-                    <td class="text-gray-700 text-sm">{{.EventType}}</td>
-                    <td class="font-mono text-gray-500 text-sm">{{.Branch}}</td>
-                    <td class="font-mono text-gray-500 text-xs">
-                        {{if and .CommitSHA.Valid .CommitURL.Valid}}
-                        <a href="{{.CommitURL.String}}" target="_blank" rel="noopener noreferrer" class="text-primary-600 hover:text-primary-800">{{.ShortCommit}}</a>
-                        {{else if .CommitSHA.Valid}}
-                        {{.ShortCommit}}
-                        {{else}}
-                        <span class="text-gray-400">-</span>
-                        {{end}}
-                    </td>
-                    <td>
-                        {{if .Matched}}
-                            {{if .Processed}}
-                            <span class="badge-success">Matched</span>
-                            {{else}}
-                            <span class="badge-warning">Matched (pending)</span>
-                            {{end}}
-                        {{else}}
-                        <span class="badge-neutral">No match</span>
-                        {{end}}
-                    </td>
-                </tr>
-                {{end}}
-            </tbody>
-        </table>
-    </div>
-    {{else}}
-    <div class="card">
-        <div class="empty-state">
-            <svg class="empty-state-icon" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5" d="M13 10V3L4 14h7v7l9-11h-7z"/>
-            </svg>
-            <h3 class="empty-state-title">No webhook events yet</h3>
-            <p class="empty-state-description">Webhook events will appear here once your repository sends push notifications.</p>
-        </div>
-    </div>
-    {{end}}
-</main>
-{{end}}