fix: address review findings for observability PR

1. Security: Replace insecure extractRemoteIP() in audit service with
   middleware.RealIP() which validates trusted proxies before trusting
   X-Real-IP/X-Forwarded-For headers. Export RealIP from middleware.
   Update audit tests to verify anti-spoofing behavior.

2. Audit coverage: Add audit instrumentation to all 9 handlers that
   had dead action constants: HandleEnvVarSave, HandleLabelAdd,
   HandleLabelEdit, HandleLabelDelete, HandleVolumeAdd, HandleVolumeEdit,
   HandleVolumeDelete, HandlePortAdd, HandlePortDelete.

3. README: Fix API path from /api/audit to /api/v1/audit.

4. README: Fix duplicate numbering in DI order section (items 10-11
   were listed twice, now correctly numbered 10-16).

README.md

@@ -1,12 +1,12 @@
 # µPaaS by [@sneak](https://sneak.berlin)
 
-A simple self-hosted PaaS that auto-deploys Docker containers from Git repositories via webhooks from Gitea, GitHub, or GitLab.
+A simple self-hosted PaaS that auto-deploys Docker containers from Git repositories via Gitea webhooks.
 
 ## Features
 
 - Single admin user with argon2id password hashing
 - Per-app SSH keypairs for read-only deploy keys
-- Per-app UUID-based webhook URLs with auto-detection of Gitea, GitHub, and GitLab
+- Per-app UUID-based webhook URLs for Gitea integration
 - Branch filtering - only deploy on configured branch changes
 - Environment variables, labels, and volume mounts per app
 - Docker builds via socket access
@@ -19,7 +19,7 @@ A simple self-hosted PaaS that auto-deploys Docker containers from Git repositor
 - Complex CI pipelines
 - Multiple container orchestration
 - SPA/API-first design
-- Support for non-push webhook events (e.g. issues, merge requests)
+- Support for non-Gitea webhooks
 
 ## Architecture
 
@@ -36,15 +36,17 @@ upaas/
 │   ├── handlers/        # HTTP request handlers
 │   ├── healthcheck/     # Health status service
 │   ├── logger/          # Structured logging (slog)
-│   ├── middleware/      # HTTP middleware (auth, logging, CORS)
+│   ├── metrics/         # Prometheus metrics registration
+│   ├── middleware/      # HTTP middleware (auth, logging, CORS, metrics)
 │   ├── models/          # Active Record style database models
 │   ├── server/          # HTTP server and routes
 │   ├── service/
 │   │   ├── app/         # App management service
+│   │   ├── audit/       # Audit logging service
 │   │   ├── auth/        # Authentication service
 │   │   ├── deploy/      # Deployment orchestration
 │   │   ├── notify/      # Notifications (ntfy, Slack)
-│   │   └── webhook/     # Webhook processing (Gitea, GitHub, GitLab)
+│   │   └── webhook/     # Gitea webhook processing
 │   └── ssh/             # SSH key generation
 ├── static/              # Embedded CSS/JS assets
 └── templates/           # Embedded HTML templates
@@ -58,16 +60,18 @@ Uses Uber fx for dependency injection. Components are wired in this order:
 2. `logger` - Structured logging
 3. `config` - Configuration loading
 4. `database` - SQLite connection + migrations
-5. `healthcheck` - Health status
+5. `metrics` - Prometheus metrics registration
-6. `auth` - Authentication service
+6. `healthcheck` - Health status
-7. `app` - App management
+7. `auth` - Authentication service
-8. `docker` - Docker client
+8. `app` - App management
-9. `notify` - Notification service
+9. `docker` - Docker client
-10. `deploy` - Deployment service
+10. `notify` - Notification service
-11. `webhook` - Webhook processing
+11. `audit` - Audit logging service
-12. `middleware` - HTTP middleware
+12. `deploy` - Deployment service
-13. `handlers` - HTTP handlers
+13. `webhook` - Webhook processing
-14. `server` - HTTP server
+14. `middleware` - HTTP middleware
+15. `handlers` - HTTP handlers
+16. `server` - HTTP server
 
 ### Request Flow
 
@@ -211,6 +215,48 @@ Example: `HOST_DATA_DIR=/srv/upaas/data docker compose up -d`
 
 Session secrets are automatically generated on first startup and persisted to `$UPAAS_DATA_DIR/session.key`.
 
+## Observability
+
+### Prometheus Metrics
+
+All custom metrics are exposed under the `upaas_` namespace at `/metrics`. The
+endpoint is always available and can be optionally protected with basic auth via
+`METRICS_USERNAME` and `METRICS_PASSWORD`.
+
+| Metric | Type | Labels | Description |
+|--------|------|--------|-------------|
+| `upaas_deployments_total` | Counter | `app`, `status` | Total deployments (success/failed/cancelled) |
+| `upaas_deployments_duration_seconds` | Histogram | `app`, `status` | Deployment duration |
+| `upaas_deployments_in_flight` | Gauge | `app` | Currently running deployments |
+| `upaas_container_healthy` | Gauge | `app` | Container health (1=healthy, 0=unhealthy) |
+| `upaas_webhook_events_total` | Counter | `app`, `event_type`, `matched` | Webhook events received |
+| `upaas_http_requests_total` | Counter | `method`, `status_code` | HTTP requests |
+| `upaas_http_request_duration_seconds` | Histogram | `method` | HTTP request latency |
+| `upaas_http_response_size_bytes` | Histogram | `method` | HTTP response sizes |
+| `upaas_audit_events_total` | Counter | `action` | Audit log events |
+
+### Audit Log
+
+All user-facing actions are recorded in an `audit_log` SQLite table with:
+
+- **Who**: user ID and username
+- **What**: action type and affected resource (app, deployment, session, etc.)
+- **Where**: client IP (via X-Real-IP/X-Forwarded-For/RemoteAddr)
+- **When**: timestamp
+
+Audited actions include login/logout, app CRUD, deployments, container
+start/stop/restart, rollbacks, deployment cancellation, and webhook receipt.
+
+The audit log is available via the API at `GET /api/v1/audit?limit=N` (max 500,
+default 50).
+
+### Structured Logging
+
+All operations use Go's `slog` structured logger. HTTP requests are logged with
+method, URL, status code, response size, latency, user agent, and client IP.
+Deployment events are logged with app name, status, and duration. Audit events
+are also logged to stdout for correlation with external log aggregators.
+
 ## License
 
 WTFPL

cmd/upaasd/main.go

@@ -11,9 +11,11 @@ import (
 	"sneak.berlin/go/upaas/internal/handlers"
 	"sneak.berlin/go/upaas/internal/healthcheck"
 	"sneak.berlin/go/upaas/internal/logger"
+	"sneak.berlin/go/upaas/internal/metrics"
 	"sneak.berlin/go/upaas/internal/middleware"
 	"sneak.berlin/go/upaas/internal/server"
 	"sneak.berlin/go/upaas/internal/service/app"
+	"sneak.berlin/go/upaas/internal/service/audit"
 	"sneak.berlin/go/upaas/internal/service/auth"
 	"sneak.berlin/go/upaas/internal/service/deploy"
 	"sneak.berlin/go/upaas/internal/service/notify"
@@ -41,6 +43,7 @@ func main() {
 			logger.New,
 			config.New,
 			database.New,
+			metrics.New,
 			healthcheck.New,
 			auth.New,
 			app.New,
@@ -48,6 +51,7 @@ func main() {
 			notify.New,
 			deploy.New,
 			webhook.New,
+			audit.New,
 			middleware.New,
 			handlers.New,
 			server.New,

internal/database/migrations/007_add_audit_log.sql

@@ -0,0 +1,16 @@
+-- Audit log table for tracking user actions.
+CREATE TABLE audit_log (
+    id INTEGER PRIMARY KEY,
+    user_id INTEGER,
+    username TEXT NOT NULL,
+    action TEXT NOT NULL,
+    resource_type TEXT NOT NULL,
+    resource_id TEXT,
+    detail TEXT,
+    remote_ip TEXT,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+);
+
+CREATE INDEX idx_audit_log_created_at ON audit_log(created_at);
+CREATE INDEX idx_audit_log_action ON audit_log(action);
+CREATE INDEX idx_audit_log_resource ON audit_log(resource_type, resource_id);

internal/handlers/api.go

@@ -1,6 +1,7 @@
 package handlers
 
 import (
+	"database/sql"
 	"encoding/json"
 	"net/http"
 	"strconv"
@@ -120,6 +121,9 @@ func (h *Handlers) HandleAPILoginPOST() http.HandlerFunc {
 			return
 		}
 
+		h.auditLog(request, models.AuditActionLogin,
+			models.AuditResourceSession, "", "api login")
+
 		h.respondJSON(writer, request, loginResponse{
 			UserID:   user.ID,
 			Username: user.Username,
@@ -243,3 +247,79 @@ func (h *Handlers) HandleAPIWhoAmI() http.HandlerFunc {
 		}, http.StatusOK)
 	}
 }
+
+// auditLogDefaultLimit is the default number of audit entries returned.
+const auditLogDefaultLimit = 50
+
+// auditLogMaxLimit is the maximum number of audit entries returned.
+const auditLogMaxLimit = 500
+
+// HandleAPIAuditLog returns a handler that lists recent audit log entries.
+func (h *Handlers) HandleAPIAuditLog() http.HandlerFunc {
+	type auditEntryResponse struct {
+		ID           int64  `json:"id"`
+		UserID       *int64 `json:"userId,omitempty"`
+		Username     string `json:"username"`
+		Action       string `json:"action"`
+		ResourceType string `json:"resourceType"`
+		ResourceID   string `json:"resourceId,omitempty"`
+		Detail       string `json:"detail,omitempty"`
+		RemoteIP     string `json:"remoteIp,omitempty"`
+		CreatedAt    string `json:"createdAt"`
+	}
+
+	return func(writer http.ResponseWriter, request *http.Request) {
+		limit := auditLogDefaultLimit
+
+		if limitStr := request.URL.Query().Get("limit"); limitStr != "" {
+			parsed, parseErr := strconv.Atoi(limitStr)
+			if parseErr == nil && parsed > 0 && parsed <= auditLogMaxLimit {
+				limit = parsed
+			}
+		}
+
+		entries, err := h.audit.Recent(request.Context(), limit)
+		if err != nil {
+			h.log.Error("failed to fetch audit log", "error", err)
+			h.respondJSON(writer, request,
+				map[string]string{"error": "failed to fetch audit log"},
+				http.StatusInternalServerError)
+
+			return
+		}
+
+		result := make([]auditEntryResponse, 0, len(entries))
+
+		for _, e := range entries {
+			entry := auditEntryResponse{
+				ID:           e.ID,
+				Username:     e.Username,
+				Action:       string(e.Action),
+				ResourceType: string(e.ResourceType),
+				CreatedAt:    e.CreatedAt.UTC().Format("2006-01-02T15:04:05Z"),
+			}
+
+			if e.UserID.Valid {
+				id := e.UserID.Int64
+				entry.UserID = &id
+			}
+
+			entry.ResourceID = nullStringValue(e.ResourceID)
+			entry.Detail = nullStringValue(e.Detail)
+			entry.RemoteIP = nullStringValue(e.RemoteIP)
+
+			result = append(result, entry)
+		}
+
+		h.respondJSON(writer, request, result, http.StatusOK)
+	}
+}
+
+// nullStringValue returns the string value if valid, empty string otherwise.
+func nullStringValue(ns sql.NullString) string {
+	if ns.Valid {
+		return ns.String
+	}
+
+	return ""
+}

internal/handlers/app.go

@@ -119,6 +119,9 @@ func (h *Handlers) HandleAppCreate() http.HandlerFunc { //nolint:funlen // valid
 			return
 		}
 
+		h.auditLog(request, models.AuditActionAppCreate,
+			models.AuditResourceApp, createdApp.ID, "created app: "+createdApp.Name)
+
 		http.Redirect(writer, request, "/apps/"+createdApp.ID, http.StatusSeeOther)
 	}
 }
@@ -289,6 +292,9 @@ func (h *Handlers) HandleAppUpdate() http.HandlerFunc { //nolint:funlen // valid
 			return
 		}
 
+		h.auditLog(request, models.AuditActionAppUpdate,
+			models.AuditResourceApp, application.ID, "updated app: "+application.Name)
+
 		redirectURL := "/apps/" + application.ID + "?success=updated"
 		http.Redirect(writer, request, redirectURL, http.StatusSeeOther)
 	}
@@ -344,6 +350,9 @@ func (h *Handlers) HandleAppDelete() http.HandlerFunc {
 			return
 		}
 
+		h.auditLog(request, models.AuditActionAppDelete,
+			models.AuditResourceApp, appID, "deleted app: "+application.Name)
+
 		http.Redirect(writer, request, "/", http.StatusSeeOther)
 	}
 }
@@ -360,6 +369,9 @@ func (h *Handlers) HandleAppDeploy() http.HandlerFunc {
 			return
 		}
 
+		h.auditLog(request, models.AuditActionAppDeploy,
+			models.AuditResourceApp, application.ID, "manual deploy: "+application.Name)
+
 		// Trigger deployment in background with a detached context
 		// so the deployment continues even if the HTTP request is cancelled
 		deployCtx := context.WithoutCancel(request.Context())
@@ -399,6 +411,8 @@ func (h *Handlers) HandleCancelDeploy() http.HandlerFunc {
 		cancelled := h.deploy.CancelDeploy(application.ID)
 		if cancelled {
 			h.log.Info("deployment cancelled by user", "app", application.Name)
+			h.auditLog(request, models.AuditActionDeployCancel,
+				models.AuditResourceDeployment, application.ID, "cancelled deploy: "+application.Name)
 		}
 
 		http.Redirect(
@@ -430,6 +444,9 @@ func (h *Handlers) HandleAppRollback() http.HandlerFunc {
 			return
 		}
 
+		h.auditLog(request, models.AuditActionAppRollback,
+			models.AuditResourceApp, application.ID, "rolled back: "+application.Name)
+
 		http.Redirect(writer, request, "/apps/"+application.ID+"?success=rolledback", http.StatusSeeOther)
 	}
 }
@@ -834,11 +851,29 @@ func (h *Handlers) handleContainerAction(
 	} else {
 		h.log.Info("container action completed",
 			"action", action, "app", application.Name, "container", containerID)
+
+		auditAction := containerActionToAuditAction(action)
+		h.auditLog(request, auditAction,
+			models.AuditResourceApp, appID, string(action)+" container: "+application.Name)
 	}
 
 	http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
 }
 
+// containerActionToAuditAction maps container actions to audit actions.
+func containerActionToAuditAction(action containerAction) models.AuditAction {
+	switch action {
+	case actionRestart:
+		return models.AuditActionAppRestart
+	case actionStop:
+		return models.AuditActionAppStop
+	case actionStart:
+		return models.AuditActionAppStart
+	default:
+		return models.AuditAction("app." + string(action))
+	}
+}
+
 // HandleAppRestart handles restarting an app's container.
 func (h *Handlers) HandleAppRestart() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
@@ -988,6 +1023,10 @@ func (h *Handlers) HandleEnvVarSave() http.HandlerFunc {
 			return
 		}
 
+		h.auditLog(request, models.AuditActionEnvVarSave,
+			models.AuditResourceEnvVar, application.ID,
+			fmt.Sprintf("saved %d env vars", len(modelPairs)))
+
 		h.respondJSON(writer, request, map[string]bool{"ok": true}, http.StatusOK)
 	}
 }
@@ -1004,7 +1043,13 @@ func (h *Handlers) HandleLabelAdd() http.HandlerFunc {
 				label.Key = key
 				label.Value = value
 
-				return label.Save(ctx)
+				err := label.Save(ctx)
+				if err == nil {
+					h.auditLog(request, models.AuditActionLabelAdd,
+						models.AuditResourceLabel, application.ID, "added label: "+key)
+				}
+
+				return err
 			},
 		)
 	}
@@ -1033,6 +1078,9 @@ func (h *Handlers) HandleLabelDelete() http.HandlerFunc {
 		deleteErr := label.Delete(request.Context())
 		if deleteErr != nil {
 			h.log.Error("failed to delete label", "error", deleteErr)
+		} else {
+			h.auditLog(request, models.AuditActionLabelDelete,
+				models.AuditResourceLabel, appID, "deleted label: "+label.Key)
 		}
 
 		http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
@@ -1090,6 +1138,10 @@ func (h *Handlers) HandleVolumeAdd() http.HandlerFunc {
 		saveErr := volume.Save(request.Context())
 		if saveErr != nil {
 			h.log.Error("failed to add volume", "error", saveErr)
+		} else {
+			h.auditLog(request, models.AuditActionVolumeAdd,
+				models.AuditResourceVolume, application.ID,
+				"added volume: "+hostPath+":"+containerPath)
 		}
 
 		http.Redirect(writer, request, "/apps/"+application.ID, http.StatusSeeOther)
@@ -1119,6 +1171,10 @@ func (h *Handlers) HandleVolumeDelete() http.HandlerFunc {
 		deleteErr := volume.Delete(request.Context())
 		if deleteErr != nil {
 			h.log.Error("failed to delete volume", "error", deleteErr)
+		} else {
+			h.auditLog(request, models.AuditActionVolumeDelete,
+				models.AuditResourceVolume, appID,
+				"deleted volume: "+volume.HostPath+":"+volume.ContainerPath)
 		}
 
 		http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
@@ -1168,6 +1224,10 @@ func (h *Handlers) HandlePortAdd() http.HandlerFunc {
 		saveErr := port.Save(request.Context())
 		if saveErr != nil {
 			h.log.Error("failed to save port", "error", saveErr)
+		} else {
+			h.auditLog(request, models.AuditActionPortAdd,
+				models.AuditResourcePort, application.ID,
+				fmt.Sprintf("added port: %d:%d/%s", hostPort, containerPort, protocol))
 		}
 
 		http.Redirect(writer, request, "/apps/"+application.ID, http.StatusSeeOther)
@@ -1214,6 +1274,10 @@ func (h *Handlers) HandlePortDelete() http.HandlerFunc {
 		deleteErr := port.Delete(request.Context())
 		if deleteErr != nil {
 			h.log.Error("failed to delete port", "error", deleteErr)
+		} else {
+			h.auditLog(request, models.AuditActionPortDelete,
+				models.AuditResourcePort, appID,
+				fmt.Sprintf("deleted port: %d:%d/%s", port.HostPort, port.ContainerPort, port.Protocol))
 		}
 
 		http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
@@ -1289,6 +1353,9 @@ func (h *Handlers) HandleLabelEdit() http.HandlerFunc {
 		saveErr := label.Save(request.Context())
 		if saveErr != nil {
 			h.log.Error("failed to update label", "error", saveErr)
+		} else {
+			h.auditLog(request, models.AuditActionLabelEdit,
+				models.AuditResourceLabel, appID, "edited label: "+key)
 		}
 
 		http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
@@ -1347,6 +1414,10 @@ func (h *Handlers) HandleVolumeEdit() http.HandlerFunc {
 		saveErr := volume.Save(request.Context())
 		if saveErr != nil {
 			h.log.Error("failed to update volume", "error", saveErr)
+		} else {
+			h.auditLog(request, models.AuditActionVolumeEdit,
+				models.AuditResourceVolume, appID,
+				"edited volume: "+hostPath+":"+containerPath)
 		}
 
 		http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)

internal/handlers/auth.go

@@ -3,6 +3,7 @@ package handlers
 import (
 	"net/http"
 
+	"sneak.berlin/go/upaas/internal/models"
 	"sneak.berlin/go/upaas/templates"
 )
 
@@ -61,6 +62,9 @@ func (h *Handlers) HandleLoginPOST() http.HandlerFunc {
 			return
 		}
 
+		h.auditLog(request, models.AuditActionLogin,
+			models.AuditResourceSession, "", "user logged in")
+
 		http.Redirect(writer, request, "/", http.StatusSeeOther)
 	}
 }
@@ -68,6 +72,9 @@ func (h *Handlers) HandleLoginPOST() http.HandlerFunc {
 // HandleLogout handles logout requests.
 func (h *Handlers) HandleLogout() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
+		h.auditLog(request, models.AuditActionLogout,
+			models.AuditResourceSession, "", "user logged out")
+
 		destroyErr := h.auth.DestroySession(writer, request)
 		if destroyErr != nil {
 			h.log.Error("failed to destroy session", "error", destroyErr)

internal/handlers/handlers.go

@@ -15,7 +15,9 @@ import (
 	"sneak.berlin/go/upaas/internal/globals"
 	"sneak.berlin/go/upaas/internal/healthcheck"
 	"sneak.berlin/go/upaas/internal/logger"
+	"sneak.berlin/go/upaas/internal/models"
 	"sneak.berlin/go/upaas/internal/service/app"
+	"sneak.berlin/go/upaas/internal/service/audit"
 	"sneak.berlin/go/upaas/internal/service/auth"
 	"sneak.berlin/go/upaas/internal/service/deploy"
 	"sneak.berlin/go/upaas/internal/service/webhook"
@@ -35,6 +37,7 @@ type Params struct {
 	Deploy      *deploy.Service
 	Webhook     *webhook.Service
 	Docker      *docker.Client
+	Audit       *audit.Service
 }
 
 // Handlers provides HTTP request handlers.
@@ -48,6 +51,7 @@ type Handlers struct {
 	deploy     *deploy.Service
 	webhook    *webhook.Service
 	docker     *docker.Client
+	audit      *audit.Service
 	globals    *globals.Globals
 }
 
@@ -63,10 +67,48 @@ func New(_ fx.Lifecycle, params Params) (*Handlers, error) {
 		deploy:     params.Deploy,
 		webhook:    params.Webhook,
 		docker:     params.Docker,
+		audit:      params.Audit,
 		globals:    params.Globals,
 	}, nil
 }
 
+// currentUser returns the currently authenticated user, or nil if not authenticated.
+func (h *Handlers) currentUser(request *http.Request) *models.User {
+	user, err := h.auth.GetCurrentUser(request.Context(), request)
+	if err != nil || user == nil {
+		return nil
+	}
+
+	return user
+}
+
+// auditLog records an audit entry for the current request.
+func (h *Handlers) auditLog(
+	request *http.Request,
+	action models.AuditAction,
+	resourceType models.AuditResourceType,
+	resourceID string,
+	detail string,
+) {
+	user := h.currentUser(request)
+
+	entry := audit.LogEntry{
+		Action:       action,
+		ResourceType: resourceType,
+		ResourceID:   resourceID,
+		Detail:       detail,
+	}
+
+	if user != nil {
+		entry.UserID = user.ID
+		entry.Username = user.Username
+	} else {
+		entry.Username = "anonymous"
+	}
+
+	h.audit.LogFromRequest(request.Context(), request, entry)
+}
+
 // addGlobals adds version info and CSRF token to template data map.
 func (h *Handlers) addGlobals(
 	data map[string]any,

internal/handlers/handlers_test.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/go-chi/chi/v5"
+	"github.com/prometheus/client_golang/prometheus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"
@@ -24,8 +25,10 @@ import (
 	"sneak.berlin/go/upaas/internal/handlers"
 	"sneak.berlin/go/upaas/internal/healthcheck"
 	"sneak.berlin/go/upaas/internal/logger"
+	"sneak.berlin/go/upaas/internal/metrics"
 	"sneak.berlin/go/upaas/internal/middleware"
 	"sneak.berlin/go/upaas/internal/service/app"
+	"sneak.berlin/go/upaas/internal/service/audit"
 	"sneak.berlin/go/upaas/internal/service/auth"
 	"sneak.berlin/go/upaas/internal/service/deploy"
 	"sneak.berlin/go/upaas/internal/service/notify"
@@ -92,7 +95,8 @@ func createAppServices(
 	logInstance *logger.Logger,
 	dbInstance *database.Database,
 	cfg *config.Config,
-) (*auth.Service, *app.Service, *deploy.Service, *webhook.Service, *docker.Client) {
+	metricsInstance *metrics.Metrics,
+) (*auth.Service, *app.Service, *deploy.Service, *webhook.Service, *docker.Client, *audit.Service) {
 	t.Helper()
 
 	authSvc, authErr := auth.New(fx.Lifecycle(nil), auth.ServiceParams{
@@ -125,6 +129,7 @@ func createAppServices(
 		Database: dbInstance,
 		Docker:   dockerClient,
 		Notify:   notifySvc,
+		Metrics:  metricsInstance,
 	})
 	require.NoError(t, deployErr)
 
@@ -132,10 +137,18 @@ func createAppServices(
 		Logger:   logInstance,
 		Database: dbInstance,
 		Deploy:   deploySvc,
+		Metrics:  metricsInstance,
 	})
 	require.NoError(t, webhookErr)
 
-	return authSvc, appSvc, deploySvc, webhookSvc, dockerClient
+	auditSvc, auditErr := audit.New(fx.Lifecycle(nil), audit.ServiceParams{
+		Logger:   logInstance,
+		Database: dbInstance,
+		Metrics:  metricsInstance,
+	})
+	require.NoError(t, auditErr)
+
+	return authSvc, appSvc, deploySvc, webhookSvc, dockerClient, auditSvc
 }
 
 func setupTestHandlers(t *testing.T) *testContext {
@@ -145,11 +158,14 @@ func setupTestHandlers(t *testing.T) *testContext {
 
 	globalInstance, logInstance, dbInstance, hcInstance := createCoreServices(t, cfg)
 
-	authSvc, appSvc, deploySvc, webhookSvc, dockerClient := createAppServices(
+	metricsInstance := metrics.NewForTest(prometheus.NewRegistry())
+
+	authSvc, appSvc, deploySvc, webhookSvc, dockerClient, auditSvc := createAppServices(
 		t,
 		logInstance,
 		dbInstance,
 		cfg,
+		metricsInstance,
 	)
 
 	handlersInstance, handlerErr := handlers.New(
@@ -164,6 +180,7 @@ func setupTestHandlers(t *testing.T) *testContext {
 			Deploy:      deploySvc,
 			Webhook:     webhookSvc,
 			Docker:      dockerClient,
+			Audit:       auditSvc,
 		},
 	)
 	require.NoError(t, handlerErr)
@@ -173,6 +190,7 @@ func setupTestHandlers(t *testing.T) *testContext {
 		Globals: globalInstance,
 		Config:  cfg,
 		Auth:    authSvc,
+		Metrics: metricsInstance,
 	})
 	require.NoError(t, mwErr)
 

internal/handlers/setup.go

@@ -3,6 +3,7 @@ package handlers
 import (
 	"net/http"
 
+	"sneak.berlin/go/upaas/internal/models"
 	"sneak.berlin/go/upaas/templates"
 )
 
@@ -111,6 +112,9 @@ func (h *Handlers) HandleSetupPOST() http.HandlerFunc {
 			return
 		}
 
+		h.auditLog(request, models.AuditActionSetup,
+			models.AuditResourceUser, "", "initial setup completed")
+
 		http.Redirect(writer, request, "/", http.StatusSeeOther)
 	}
 }

internal/handlers/webhook.go

@@ -7,15 +7,14 @@ import (
 	"github.com/go-chi/chi/v5"
 
 	"sneak.berlin/go/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/service/webhook"
+	"sneak.berlin/go/upaas/internal/service/audit"
 )
 
 // maxWebhookBodySize is the maximum allowed size of a webhook request body (1MB).
 const maxWebhookBodySize = 1 << 20
 
-// HandleWebhook handles incoming webhooks from Gitea, GitHub, or GitLab.
+// HandleWebhook handles incoming Gitea webhooks.
-// The webhook source is auto-detected from HTTP headers.
+func (h *Handlers) HandleWebhook() http.HandlerFunc { //nolint:funlen // audit logging adds necessary length
-func (h *Handlers) HandleWebhook() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		secret := chi.URLParam(request, "secret")
 		if secret == "" {
@@ -52,17 +51,25 @@ func (h *Handlers) HandleWebhook() http.HandlerFunc {
 			return
 		}
 
-		// Auto-detect webhook source from headers
+		// Get event type from header
-		source := webhook.DetectWebhookSource(request.Header)
+		eventType := request.Header.Get("X-Gitea-Event")
+		if eventType == "" {
+			eventType = "push"
+		}
 
-		// Extract event type based on detected source
+		// Log webhook receipt
-		eventType := webhook.DetectEventType(request.Header, source)
+		h.audit.LogFromRequest(request.Context(), request, audit.LogEntry{
+			Username:     "webhook",
+			Action:       models.AuditActionWebhookReceive,
+			ResourceType: models.AuditResourceWebhook,
+			ResourceID:   application.ID,
+			Detail:       "webhook from app: " + application.Name + ", event: " + eventType,
+		})
 
 		// Process webhook
 		webhookErr := h.webhook.HandleWebhook(
 			request.Context(),
 			application,
-			source,
 			eventType,
 			body,
 		)

internal/metrics/metrics.go

@@ -0,0 +1,148 @@
+// Package metrics provides Prometheus metrics for upaas.
+//
+//nolint:revive // "metrics" matches the domain; runtime/metrics is rarely imported directly
+package metrics
+
+import (
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/promauto"
+	"go.uber.org/fx"
+)
+
+// Params contains dependencies for Metrics.
+type Params struct {
+	fx.In
+}
+
+// Metrics holds all Prometheus metrics for the application.
+type Metrics struct {
+	// Deployment metrics.
+	DeploymentsTotal    *prometheus.CounterVec
+	DeploymentDuration  *prometheus.HistogramVec
+	DeploymentsInFlight *prometheus.GaugeVec
+
+	// Container health metrics.
+	ContainerHealthy *prometheus.GaugeVec
+
+	// Webhook metrics.
+	WebhookEventsTotal *prometheus.CounterVec
+
+	// HTTP request metrics.
+	HTTPRequestsTotal     *prometheus.CounterVec
+	HTTPRequestDuration   *prometheus.HistogramVec
+	HTTPResponseSizeBytes *prometheus.HistogramVec
+
+	// Audit log metrics.
+	AuditEventsTotal *prometheus.CounterVec
+}
+
+// New creates a new Metrics instance with all Prometheus metrics registered
+// in the default Prometheus registry.
+func New(_ fx.Lifecycle, _ Params) (*Metrics, error) {
+	return newMetrics(promauto.With(prometheus.DefaultRegisterer)), nil
+}
+
+// NewForTest creates a Metrics instance with a custom registry for test isolation.
+func NewForTest(reg prometheus.Registerer) *Metrics {
+	return newMetrics(promauto.With(reg))
+}
+
+// newMetrics creates a Metrics instance using the given factory.
+func newMetrics(factory promauto.Factory) *Metrics {
+	return &Metrics{
+		DeploymentsTotal:      newDeploymentsTotal(factory),
+		DeploymentDuration:    newDeploymentDuration(factory),
+		DeploymentsInFlight:   newDeploymentsInFlight(factory),
+		ContainerHealthy:      newContainerHealthy(factory),
+		WebhookEventsTotal:    newWebhookEventsTotal(factory),
+		HTTPRequestsTotal:     newHTTPRequestsTotal(factory),
+		HTTPRequestDuration:   newHTTPRequestDuration(factory),
+		HTTPResponseSizeBytes: newHTTPResponseSizeBytes(factory),
+		AuditEventsTotal:      newAuditEventsTotal(factory),
+	}
+}
+
+func newDeploymentsTotal(f promauto.Factory) *prometheus.CounterVec {
+	return f.NewCounterVec(prometheus.CounterOpts{
+		Namespace: "upaas",
+		Subsystem: "deployments",
+		Name:      "total",
+		Help:      "Total number of deployments by app and status.",
+	}, []string{"app", "status"})
+}
+
+func newDeploymentDuration(f promauto.Factory) *prometheus.HistogramVec {
+	return f.NewHistogramVec(prometheus.HistogramOpts{
+		Namespace: "upaas",
+		Subsystem: "deployments",
+		Name:      "duration_seconds",
+		Help:      "Duration of deployments in seconds by app and status.",
+		Buckets:   []float64{10, 30, 60, 120, 300, 600, 1800},
+	}, []string{"app", "status"})
+}
+
+func newDeploymentsInFlight(f promauto.Factory) *prometheus.GaugeVec {
+	return f.NewGaugeVec(prometheus.GaugeOpts{
+		Namespace: "upaas",
+		Subsystem: "deployments",
+		Name:      "in_flight",
+		Help:      "Number of deployments currently in progress by app.",
+	}, []string{"app"})
+}
+
+func newContainerHealthy(f promauto.Factory) *prometheus.GaugeVec {
+	return f.NewGaugeVec(prometheus.GaugeOpts{
+		Namespace: "upaas",
+		Subsystem: "container",
+		Name:      "healthy",
+		Help:      "Whether the app container is healthy (1) or unhealthy (0).",
+	}, []string{"app"})
+}
+
+func newWebhookEventsTotal(f promauto.Factory) *prometheus.CounterVec {
+	return f.NewCounterVec(prometheus.CounterOpts{
+		Namespace: "upaas",
+		Subsystem: "webhook",
+		Name:      "events_total",
+		Help:      "Total number of webhook events by app, event type, and matched status.",
+	}, []string{"app", "event_type", "matched"})
+}
+
+func newHTTPRequestsTotal(f promauto.Factory) *prometheus.CounterVec {
+	return f.NewCounterVec(prometheus.CounterOpts{
+		Namespace: "upaas",
+		Subsystem: "http",
+		Name:      "requests_total",
+		Help:      "Total number of HTTP requests by method and status code.",
+	}, []string{"method", "status_code"})
+}
+
+func newHTTPRequestDuration(f promauto.Factory) *prometheus.HistogramVec {
+	return f.NewHistogramVec(prometheus.HistogramOpts{
+		Namespace: "upaas",
+		Subsystem: "http",
+		Name:      "request_duration_seconds",
+		Help:      "Duration of HTTP requests in seconds by method.",
+		Buckets:   prometheus.DefBuckets,
+	}, []string{"method"})
+}
+
+//nolint:mnd // bucket boundaries are domain-specific constants
+func newHTTPResponseSizeBytes(f promauto.Factory) *prometheus.HistogramVec {
+	return f.NewHistogramVec(prometheus.HistogramOpts{
+		Namespace: "upaas",
+		Subsystem: "http",
+		Name:      "response_size_bytes",
+		Help:      "Size of HTTP responses in bytes by method.",
+		Buckets:   prometheus.ExponentialBuckets(100, 10, 7),
+	}, []string{"method"})
+}
+
+func newAuditEventsTotal(f promauto.Factory) *prometheus.CounterVec {
+	return f.NewCounterVec(prometheus.CounterOpts{
+		Namespace: "upaas",
+		Subsystem: "audit",
+		Name:      "events_total",
+		Help:      "Total number of audit log events by action.",
+	}, []string{"action"})
+}

internal/metrics/metrics_test.go

@@ -0,0 +1,158 @@
+package metrics_test
+
+import (
+	"testing"
+
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/fx"
+
+	"sneak.berlin/go/upaas/internal/metrics"
+)
+
+func TestNewForTest(t *testing.T) {
+	t.Parallel()
+
+	reg := prometheus.NewRegistry()
+	m := metrics.NewForTest(reg)
+
+	require.NotNil(t, m)
+	assert.NotNil(t, m.DeploymentsTotal)
+	assert.NotNil(t, m.DeploymentDuration)
+	assert.NotNil(t, m.DeploymentsInFlight)
+	assert.NotNil(t, m.ContainerHealthy)
+	assert.NotNil(t, m.WebhookEventsTotal)
+	assert.NotNil(t, m.HTTPRequestsTotal)
+	assert.NotNil(t, m.HTTPRequestDuration)
+	assert.NotNil(t, m.HTTPResponseSizeBytes)
+	assert.NotNil(t, m.AuditEventsTotal)
+}
+
+func TestNew(t *testing.T) {
+	t.Parallel()
+
+	m, err := metrics.New(fx.Lifecycle(nil), metrics.Params{})
+	require.NoError(t, err)
+	require.NotNil(t, m)
+}
+
+func TestDeploymentMetrics(t *testing.T) {
+	t.Parallel()
+
+	reg := prometheus.NewRegistry()
+	m := metrics.NewForTest(reg)
+
+	m.DeploymentsTotal.WithLabelValues("test-app", "success").Inc()
+	m.DeploymentDuration.WithLabelValues("test-app", "success").Observe(42.5)
+	m.DeploymentsInFlight.WithLabelValues("test-app").Set(1)
+
+	families, err := reg.Gather()
+	require.NoError(t, err)
+
+	names := make(map[string]bool)
+
+	for _, f := range families {
+		names[f.GetName()] = true
+	}
+
+	assert.True(t, names["upaas_deployments_total"])
+	assert.True(t, names["upaas_deployments_duration_seconds"])
+	assert.True(t, names["upaas_deployments_in_flight"])
+}
+
+func TestContainerHealthMetrics(t *testing.T) {
+	t.Parallel()
+
+	reg := prometheus.NewRegistry()
+	m := metrics.NewForTest(reg)
+
+	m.ContainerHealthy.WithLabelValues("my-app").Set(1)
+
+	families, err := reg.Gather()
+	require.NoError(t, err)
+
+	found := false
+
+	for _, f := range families {
+		if f.GetName() == "upaas_container_healthy" {
+			found = true
+
+			break
+		}
+	}
+
+	assert.True(t, found)
+}
+
+func TestWebhookMetrics(t *testing.T) {
+	t.Parallel()
+
+	reg := prometheus.NewRegistry()
+	m := metrics.NewForTest(reg)
+
+	m.WebhookEventsTotal.WithLabelValues("test-app", "push", "true").Inc()
+
+	families, err := reg.Gather()
+	require.NoError(t, err)
+
+	found := false
+
+	for _, f := range families {
+		if f.GetName() == "upaas_webhook_events_total" {
+			found = true
+
+			break
+		}
+	}
+
+	assert.True(t, found)
+}
+
+func TestHTTPMetrics(t *testing.T) {
+	t.Parallel()
+
+	reg := prometheus.NewRegistry()
+	m := metrics.NewForTest(reg)
+
+	m.HTTPRequestsTotal.WithLabelValues("GET", "200").Inc()
+	m.HTTPRequestDuration.WithLabelValues("GET").Observe(0.05)
+	m.HTTPResponseSizeBytes.WithLabelValues("GET").Observe(1024)
+
+	families, err := reg.Gather()
+	require.NoError(t, err)
+
+	names := make(map[string]bool)
+
+	for _, f := range families {
+		names[f.GetName()] = true
+	}
+
+	assert.True(t, names["upaas_http_requests_total"])
+	assert.True(t, names["upaas_http_request_duration_seconds"])
+	assert.True(t, names["upaas_http_response_size_bytes"])
+}
+
+func TestAuditMetrics(t *testing.T) {
+	t.Parallel()
+
+	reg := prometheus.NewRegistry()
+	m := metrics.NewForTest(reg)
+
+	m.AuditEventsTotal.WithLabelValues("login").Inc()
+
+	families, err := reg.Gather()
+	require.NoError(t, err)
+
+	found := false
+
+	for _, f := range families {
+		if f.GetName() == "upaas_audit_events_total" {
+			found = true
+
+			break
+		}
+	}
+
+	assert.True(t, found)
+}

internal/middleware/middleware.go

@@ -21,6 +21,7 @@ import (
 	"sneak.berlin/go/upaas/internal/config"
 	"sneak.berlin/go/upaas/internal/globals"
 	"sneak.berlin/go/upaas/internal/logger"
+	"sneak.berlin/go/upaas/internal/metrics"
 	"sneak.berlin/go/upaas/internal/service/auth"
 )
 
@@ -35,11 +36,13 @@ type Params struct {
 	Globals *globals.Globals
 	Config  *config.Config
 	Auth    *auth.Service
+	Metrics *metrics.Metrics
 }
 
 // Middleware provides HTTP middleware.
 type Middleware struct {
 	log     *slog.Logger
+	metrics *metrics.Metrics
 	params  *Params
 }
 
@@ -47,21 +50,23 @@ type Middleware struct {
 func New(_ fx.Lifecycle, params Params) (*Middleware, error) {
 	return &Middleware{
 		log:     params.Logger.Get(),
+		metrics: params.Metrics,
 		params:  &params,
 	}, nil
 }
 
-// loggingResponseWriter wraps http.ResponseWriter to capture status code.
+// loggingResponseWriter wraps http.ResponseWriter to capture status code and bytes written.
 type loggingResponseWriter struct {
 	http.ResponseWriter
 
 	statusCode   int
+	bytesWritten int
 }
 
 func newLoggingResponseWriter(
 	writer http.ResponseWriter,
 ) *loggingResponseWriter {
-	return &loggingResponseWriter{writer, http.StatusOK}
+	return &loggingResponseWriter{ResponseWriter: writer, statusCode: http.StatusOK}
 }
 
 func (lrw *loggingResponseWriter) WriteHeader(code int) {
@@ -69,7 +74,14 @@ func (lrw *loggingResponseWriter) WriteHeader(code int) {
 	lrw.ResponseWriter.WriteHeader(code)
 }
 
-// Logging returns a request logging middleware.
+func (lrw *loggingResponseWriter) Write(b []byte) (int, error) {
+	n, err := lrw.ResponseWriter.Write(b)
+	lrw.bytesWritten += n
+
+	return n, err
+}
+
+// Logging returns a request logging middleware that also records HTTP metrics.
 func (m *Middleware) Logging() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(
@@ -83,6 +95,8 @@ func (m *Middleware) Logging() func(http.Handler) http.Handler {
 			defer func() {
 				latency := time.Since(start)
 				reqID := middleware.GetReqID(ctx)
+				statusStr := strconv.Itoa(lrw.statusCode)
+
 				m.log.InfoContext(ctx, "request",
 					"request_start", start,
 					"method", request.Method,
@@ -91,10 +105,21 @@ func (m *Middleware) Logging() func(http.Handler) http.Handler {
 					"request_id", reqID,
 					"referer", request.Referer(),
 					"proto", request.Proto,
-					"remoteIP", realIP(request),
+					"remoteIP", RealIP(request),
 					"status", lrw.statusCode,
+					"bytes", lrw.bytesWritten,
 					"latency_ms", latency.Milliseconds(),
 				)
+
+				m.metrics.HTTPRequestsTotal.WithLabelValues(
+					request.Method, statusStr,
+				).Inc()
+				m.metrics.HTTPRequestDuration.WithLabelValues(
+					request.Method,
+				).Observe(latency.Seconds())
+				m.metrics.HTTPResponseSizeBytes.WithLabelValues(
+					request.Method,
+				).Observe(float64(lrw.bytesWritten))
 			}()
 
 			next.ServeHTTP(lrw, request)
@@ -145,11 +170,11 @@ func isTrustedProxy(ip net.IP) bool {
 	return false
 }
 
-// realIP extracts the client's real IP address from the request.
+// RealIP extracts the client's real IP address from the request.
 // Proxy headers (X-Real-IP, X-Forwarded-For) are only trusted when the
 // direct connection originates from an RFC1918/loopback address.
 // Otherwise, headers are ignored and RemoteAddr is used (fail closed).
-func realIP(r *http.Request) string {
+func RealIP(r *http.Request) string {
 	addr := ipFromHostPort(r.RemoteAddr)
 	remoteIP := net.ParseIP(addr)
 
@@ -340,7 +365,7 @@ func (m *Middleware) LoginRateLimit() func(http.Handler) http.Handler {
 			writer http.ResponseWriter,
 			request *http.Request,
 		) {
-			ip := realIP(request)
+			ip := RealIP(request)
 			limiter := loginLimiter.getLimiter(ip)
 
 			if !limiter.Allow() {

internal/middleware/realip_test.go

@@ -1,4 +1,4 @@
-package middleware //nolint:testpackage // tests unexported realIP function
+package middleware //nolint:testpackage // tests RealIP via internal package access
 
 import (
 	"context"
@@ -126,9 +126,9 @@ func TestRealIP(t *testing.T) { //nolint:funlen // table-driven test
 				req.Header.Set("X-Forwarded-For", tt.xff)
 			}
 
-			got := realIP(req)
+			got := RealIP(req)
 			if got != tt.want {
-				t.Errorf("realIP() = %q, want %q", got, tt.want)
+				t.Errorf("RealIP() = %q, want %q", got, tt.want)
 			}
 		})
 	}

internal/models/audit_log.go

@@ -0,0 +1,193 @@
+package models
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"time"
+
+	"sneak.berlin/go/upaas/internal/database"
+)
+
+// AuditAction represents the type of audited user action.
+type AuditAction string
+
+// Audit action constants.
+const (
+	AuditActionLogin          AuditAction = "login"
+	AuditActionLogout         AuditAction = "logout"
+	AuditActionAppCreate      AuditAction = "app.create"
+	AuditActionAppUpdate      AuditAction = "app.update"
+	AuditActionAppDelete      AuditAction = "app.delete"
+	AuditActionAppDeploy      AuditAction = "app.deploy"
+	AuditActionAppRollback    AuditAction = "app.rollback"
+	AuditActionAppRestart     AuditAction = "app.restart"
+	AuditActionAppStop        AuditAction = "app.stop"
+	AuditActionAppStart       AuditAction = "app.start"
+	AuditActionDeployCancel   AuditAction = "deploy.cancel"
+	AuditActionEnvVarSave     AuditAction = "env_var.save"
+	AuditActionLabelAdd       AuditAction = "label.add"
+	AuditActionLabelEdit      AuditAction = "label.edit"
+	AuditActionLabelDelete    AuditAction = "label.delete"
+	AuditActionVolumeAdd      AuditAction = "volume.add"
+	AuditActionVolumeEdit     AuditAction = "volume.edit"
+	AuditActionVolumeDelete   AuditAction = "volume.delete"
+	AuditActionPortAdd        AuditAction = "port.add"
+	AuditActionPortDelete     AuditAction = "port.delete"
+	AuditActionSetup          AuditAction = "setup"
+	AuditActionWebhookReceive AuditAction = "webhook.receive"
+)
+
+// AuditResourceType represents the type of resource being acted on.
+type AuditResourceType string
+
+// Audit resource type constants.
+const (
+	AuditResourceApp        AuditResourceType = "app"
+	AuditResourceUser       AuditResourceType = "user"
+	AuditResourceSession    AuditResourceType = "session"
+	AuditResourceEnvVar     AuditResourceType = "env_var"
+	AuditResourceLabel      AuditResourceType = "label"
+	AuditResourceVolume     AuditResourceType = "volume"
+	AuditResourcePort       AuditResourceType = "port"
+	AuditResourceDeployment AuditResourceType = "deployment"
+	AuditResourceWebhook    AuditResourceType = "webhook"
+)
+
+// AuditEntry represents a single audit log entry.
+type AuditEntry struct {
+	db *database.Database
+
+	ID           int64
+	UserID       sql.NullInt64
+	Username     string
+	Action       AuditAction
+	ResourceType AuditResourceType
+	ResourceID   sql.NullString
+	Detail       sql.NullString
+	RemoteIP     sql.NullString
+	CreatedAt    time.Time
+}
+
+// NewAuditEntry creates a new AuditEntry with a database reference.
+func NewAuditEntry(db *database.Database) *AuditEntry {
+	return &AuditEntry{db: db}
+}
+
+// Save inserts the audit entry into the database.
+func (a *AuditEntry) Save(ctx context.Context) error {
+	query := `
+		INSERT INTO audit_log (
+			user_id, username, action, resource_type, resource_id,
+			detail, remote_ip
+		) VALUES (?, ?, ?, ?, ?, ?, ?)`
+
+	result, err := a.db.Exec(ctx, query,
+		a.UserID, a.Username, a.Action, a.ResourceType,
+		a.ResourceID, a.Detail, a.RemoteIP,
+	)
+	if err != nil {
+		return fmt.Errorf("inserting audit entry: %w", err)
+	}
+
+	id, err := result.LastInsertId()
+	if err != nil {
+		return fmt.Errorf("getting audit entry id: %w", err)
+	}
+
+	a.ID = id
+
+	return nil
+}
+
+// FindAuditEntries returns recent audit log entries, newest first.
+func FindAuditEntries(
+	ctx context.Context,
+	db *database.Database,
+	limit int,
+) ([]*AuditEntry, error) {
+	query := `
+		SELECT id, user_id, username, action, resource_type, resource_id,
+			detail, remote_ip, created_at
+		FROM audit_log
+		ORDER BY created_at DESC
+		LIMIT ?`
+
+	rows, err := db.Query(ctx, query, limit)
+	if err != nil {
+		return nil, fmt.Errorf("querying audit entries: %w", err)
+	}
+
+	defer func() { _ = rows.Close() }()
+
+	return scanAuditRows(rows)
+}
+
+// FindAuditEntriesByResource returns audit log entries for a specific resource.
+func FindAuditEntriesByResource(
+	ctx context.Context,
+	db *database.Database,
+	resourceType AuditResourceType,
+	resourceID string,
+	limit int,
+) ([]*AuditEntry, error) {
+	query := `
+		SELECT id, user_id, username, action, resource_type, resource_id,
+			detail, remote_ip, created_at
+		FROM audit_log
+		WHERE resource_type = ? AND resource_id = ?
+		ORDER BY created_at DESC
+		LIMIT ?`
+
+	rows, err := db.Query(ctx, query, resourceType, resourceID, limit)
+	if err != nil {
+		return nil, fmt.Errorf("querying audit entries by resource: %w", err)
+	}
+
+	defer func() { _ = rows.Close() }()
+
+	return scanAuditRows(rows)
+}
+
+// CountAuditEntries returns the total number of audit log entries.
+func CountAuditEntries(
+	ctx context.Context,
+	db *database.Database,
+) (int, error) {
+	var count int
+
+	row := db.QueryRow(ctx, "SELECT COUNT(*) FROM audit_log")
+
+	err := row.Scan(&count)
+	if err != nil {
+		return 0, fmt.Errorf("counting audit entries: %w", err)
+	}
+
+	return count, nil
+}
+
+func scanAuditRows(rows *sql.Rows) ([]*AuditEntry, error) {
+	var entries []*AuditEntry
+
+	for rows.Next() {
+		entry := &AuditEntry{}
+
+		scanErr := rows.Scan(
+			&entry.ID, &entry.UserID, &entry.Username, &entry.Action,
+			&entry.ResourceType, &entry.ResourceID, &entry.Detail,
+			&entry.RemoteIP, &entry.CreatedAt,
+		)
+		if scanErr != nil {
+			return nil, fmt.Errorf("scanning audit entry: %w", scanErr)
+		}
+
+		entries = append(entries, entry)
+	}
+
+	rowsErr := rows.Err()
+	if rowsErr != nil {
+		return nil, fmt.Errorf("iterating audit entries: %w", rowsErr)
+	}
+
+	return entries, nil
+}

internal/models/models_test.go

@@ -23,6 +23,7 @@ const (
 	testBranch    = "main"
 	testValue     = "value"
 	testEventType = "push"
+	testAdmin     = "admin"
 )
 
 func setupTestDB(t *testing.T) (*database.Database, func()) {
@@ -183,7 +184,7 @@ func TestUserExists(t *testing.T) {
 		defer cleanup()
 
 		user := models.NewUser(testDB)
-		user.Username = "admin"
+		user.Username = testAdmin
 		user.PasswordHash = testHash
 
 		err := user.Save(context.Background())
@@ -781,6 +782,179 @@ func TestCascadeDelete(t *testing.T) {
 	})
 }
 
+// AuditEntry Tests.
+
+func TestAuditEntryCreateAndFind(t *testing.T) {
+	t.Parallel()
+
+	testDB, cleanup := setupTestDB(t)
+	defer cleanup()
+
+	entry := models.NewAuditEntry(testDB)
+	entry.Username = testAdmin
+	entry.Action = models.AuditActionLogin
+	entry.ResourceType = models.AuditResourceSession
+
+	err := entry.Save(context.Background())
+	require.NoError(t, err)
+	assert.NotZero(t, entry.ID)
+
+	entries, err := models.FindAuditEntries(context.Background(), testDB, 10)
+	require.NoError(t, err)
+	require.Len(t, entries, 1)
+	assert.Equal(t, testAdmin, entries[0].Username)
+	assert.Equal(t, models.AuditActionLogin, entries[0].Action)
+	assert.Equal(t, models.AuditResourceSession, entries[0].ResourceType)
+}
+
+func TestAuditEntryWithAllFields(t *testing.T) {
+	t.Parallel()
+
+	testDB, cleanup := setupTestDB(t)
+	defer cleanup()
+
+	entry := models.NewAuditEntry(testDB)
+	entry.UserID = sql.NullInt64{Int64: 1, Valid: true}
+	entry.Username = testAdmin
+	entry.Action = models.AuditActionAppCreate
+	entry.ResourceType = models.AuditResourceApp
+	entry.ResourceID = sql.NullString{String: "app-123", Valid: true}
+	entry.Detail = sql.NullString{String: "created new app", Valid: true}
+	entry.RemoteIP = sql.NullString{String: "192.168.1.1", Valid: true}
+
+	err := entry.Save(context.Background())
+	require.NoError(t, err)
+
+	entries, err := models.FindAuditEntries(context.Background(), testDB, 10)
+	require.NoError(t, err)
+	require.Len(t, entries, 1)
+	assert.Equal(t, int64(1), entries[0].UserID.Int64)
+	assert.Equal(t, "app-123", entries[0].ResourceID.String)
+	assert.Equal(t, "created new app", entries[0].Detail.String)
+	assert.Equal(t, "192.168.1.1", entries[0].RemoteIP.String)
+}
+
+func TestAuditEntryFindByResource(t *testing.T) {
+	t.Parallel()
+
+	testDB, cleanup := setupTestDB(t)
+	defer cleanup()
+
+	// Create entries for different resources.
+	for _, action := range []models.AuditAction{
+		models.AuditActionAppCreate,
+		models.AuditActionAppUpdate,
+		models.AuditActionAppDeploy,
+	} {
+		entry := models.NewAuditEntry(testDB)
+		entry.Username = testAdmin
+		entry.Action = action
+		entry.ResourceType = models.AuditResourceApp
+		entry.ResourceID = sql.NullString{String: "app-1", Valid: true}
+
+		err := entry.Save(context.Background())
+		require.NoError(t, err)
+	}
+
+	// Create entry for a different resource.
+	entry := models.NewAuditEntry(testDB)
+	entry.Username = testAdmin
+	entry.Action = models.AuditActionLogin
+	entry.ResourceType = models.AuditResourceSession
+
+	err := entry.Save(context.Background())
+	require.NoError(t, err)
+
+	// Find by resource.
+	appEntries, err := models.FindAuditEntriesByResource(
+		context.Background(), testDB,
+		models.AuditResourceApp, "app-1", 10,
+	)
+	require.NoError(t, err)
+	assert.Len(t, appEntries, 3)
+
+	// All entries.
+	allEntries, err := models.FindAuditEntries(context.Background(), testDB, 10)
+	require.NoError(t, err)
+	assert.Len(t, allEntries, 4)
+}
+
+func TestAuditEntryCount(t *testing.T) {
+	t.Parallel()
+
+	testDB, cleanup := setupTestDB(t)
+	defer cleanup()
+
+	count, err := models.CountAuditEntries(context.Background(), testDB)
+	require.NoError(t, err)
+	assert.Equal(t, 0, count)
+
+	entry := models.NewAuditEntry(testDB)
+	entry.Username = testAdmin
+	entry.Action = models.AuditActionLogin
+	entry.ResourceType = models.AuditResourceSession
+
+	err = entry.Save(context.Background())
+	require.NoError(t, err)
+
+	count, err = models.CountAuditEntries(context.Background(), testDB)
+	require.NoError(t, err)
+	assert.Equal(t, 1, count)
+}
+
+func TestAuditEntryFindLimit(t *testing.T) {
+	t.Parallel()
+
+	testDB, cleanup := setupTestDB(t)
+	defer cleanup()
+
+	for range 5 {
+		entry := models.NewAuditEntry(testDB)
+		entry.Username = testAdmin
+		entry.Action = models.AuditActionLogin
+		entry.ResourceType = models.AuditResourceSession
+
+		err := entry.Save(context.Background())
+		require.NoError(t, err)
+	}
+
+	entries, err := models.FindAuditEntries(context.Background(), testDB, 3)
+	require.NoError(t, err)
+	assert.Len(t, entries, 3)
+}
+
+func TestAuditEntryOrderByCreatedAtDesc(t *testing.T) {
+	t.Parallel()
+
+	testDB, cleanup := setupTestDB(t)
+	defer cleanup()
+
+	actions := []models.AuditAction{
+		models.AuditActionLogin,
+		models.AuditActionAppCreate,
+		models.AuditActionLogout,
+	}
+
+	for _, action := range actions {
+		entry := models.NewAuditEntry(testDB)
+		entry.Username = testAdmin
+		entry.Action = action
+		entry.ResourceType = models.AuditResourceSession
+
+		err := entry.Save(context.Background())
+		require.NoError(t, err)
+	}
+
+	entries, err := models.FindAuditEntries(context.Background(), testDB, 10)
+	require.NoError(t, err)
+	require.Len(t, entries, 3)
+
+	// Newest first (logout was last inserted).
+	assert.Equal(t, models.AuditActionLogout, entries[0].Action)
+	assert.Equal(t, models.AuditActionAppCreate, entries[1].Action)
+	assert.Equal(t, models.AuditActionLogin, entries[2].Action)
+}
+
 // Helper function to create a test app.
 func createTestApp(t *testing.T, testDB *database.Database) *models.App {
 	t.Helper()

internal/server/routes.go

@@ -115,14 +115,13 @@ func (s *Server) SetupRoutes() {
 			r.Get("/apps", s.handlers.HandleAPIListApps())
 			r.Get("/apps/{id}", s.handlers.HandleAPIGetApp())
 			r.Get("/apps/{id}/deployments", s.handlers.HandleAPIListDeployments())
+			r.Get("/audit", s.handlers.HandleAPIAuditLog())
 		})
 	})
 
-	// Metrics endpoint (optional, with basic auth)
+	// Metrics endpoint (always available, optionally protected with basic auth)
-	if s.params.Config.MetricsUsername != "" {
 	s.router.Group(func(r chi.Router) {
 		r.Use(s.mw.MetricsAuth())
 		r.Get("/metrics", promhttp.Handler().ServeHTTP)
 	})
-	}
 }

internal/service/audit/audit.go

@@ -0,0 +1,126 @@
+// Package audit provides audit logging for user actions.
+package audit
+
+import (
+	"context"
+	"database/sql"
+	"log/slog"
+	"net/http"
+
+	"go.uber.org/fx"
+
+	"sneak.berlin/go/upaas/internal/database"
+	"sneak.berlin/go/upaas/internal/logger"
+	"sneak.berlin/go/upaas/internal/metrics"
+	"sneak.berlin/go/upaas/internal/middleware"
+	"sneak.berlin/go/upaas/internal/models"
+)
+
+// ServiceParams contains dependencies for Service.
+type ServiceParams struct {
+	fx.In
+
+	Logger   *logger.Logger
+	Database *database.Database
+	Metrics  *metrics.Metrics
+}
+
+// Service provides audit logging functionality.
+type Service struct {
+	log     *slog.Logger
+	db      *database.Database
+	metrics *metrics.Metrics
+}
+
+// New creates a new audit Service.
+func New(_ fx.Lifecycle, params ServiceParams) (*Service, error) {
+	return &Service{
+		log:     params.Logger.Get(),
+		db:      params.Database,
+		metrics: params.Metrics,
+	}, nil
+}
+
+// LogEntry records an audit event.
+type LogEntry struct {
+	UserID       int64
+	Username     string
+	Action       models.AuditAction
+	ResourceType models.AuditResourceType
+	ResourceID   string
+	Detail       string
+	RemoteIP     string
+}
+
+// Log records an audit log entry and increments the audit metrics counter.
+func (svc *Service) Log(ctx context.Context, entry LogEntry) {
+	auditEntry := models.NewAuditEntry(svc.db)
+	auditEntry.Username = entry.Username
+	auditEntry.Action = entry.Action
+	auditEntry.ResourceType = entry.ResourceType
+
+	if entry.UserID != 0 {
+		auditEntry.UserID = sql.NullInt64{Int64: entry.UserID, Valid: true}
+	}
+
+	if entry.ResourceID != "" {
+		auditEntry.ResourceID = sql.NullString{String: entry.ResourceID, Valid: true}
+	}
+
+	if entry.Detail != "" {
+		auditEntry.Detail = sql.NullString{String: entry.Detail, Valid: true}
+	}
+
+	if entry.RemoteIP != "" {
+		auditEntry.RemoteIP = sql.NullString{String: entry.RemoteIP, Valid: true}
+	}
+
+	err := auditEntry.Save(ctx)
+	if err != nil {
+		svc.log.Error("failed to save audit entry",
+			"error", err,
+			"action", entry.Action,
+			"username", entry.Username,
+		)
+
+		return
+	}
+
+	svc.metrics.AuditEventsTotal.WithLabelValues(string(entry.Action)).Inc()
+
+	svc.log.Info("audit",
+		"action", entry.Action,
+		"username", entry.Username,
+		"resource_type", entry.ResourceType,
+		"resource_id", entry.ResourceID,
+	)
+}
+
+// LogFromRequest records an audit log entry, extracting the remote IP from
+// the HTTP request using the middleware's trusted-proxy-aware IP resolution.
+func (svc *Service) LogFromRequest(
+	ctx context.Context,
+	request *http.Request,
+	entry LogEntry,
+) {
+	entry.RemoteIP = middleware.RealIP(request)
+	svc.Log(ctx, entry)
+}
+
+// Recent returns the most recent audit log entries.
+func (svc *Service) Recent(
+	ctx context.Context,
+	limit int,
+) ([]*models.AuditEntry, error) {
+	return models.FindAuditEntries(ctx, svc.db, limit)
+}
+
+// ForResource returns audit log entries for a specific resource.
+func (svc *Service) ForResource(
+	ctx context.Context,
+	resourceType models.AuditResourceType,
+	resourceID string,
+	limit int,
+) ([]*models.AuditEntry, error) {
+	return models.FindAuditEntriesByResource(ctx, svc.db, resourceType, resourceID, limit)
+}

internal/service/audit/audit_test.go

@@ -0,0 +1,221 @@
+package audit_test
+
+import (
+	"context"
+	"log/slog"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"testing"
+
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/fx"
+
+	"sneak.berlin/go/upaas/internal/config"
+	"sneak.berlin/go/upaas/internal/database"
+	"sneak.berlin/go/upaas/internal/globals"
+	"sneak.berlin/go/upaas/internal/logger"
+	"sneak.berlin/go/upaas/internal/metrics"
+	"sneak.berlin/go/upaas/internal/models"
+	"sneak.berlin/go/upaas/internal/service/audit"
+)
+
+func setupTestAuditService(t *testing.T) (*audit.Service, *database.Database) {
+	t.Helper()
+
+	globals.SetAppname("upaas-test")
+	globals.SetVersion("test")
+
+	tmpDir := t.TempDir()
+
+	cfg := &config.Config{
+		DataDir: tmpDir,
+	}
+
+	log := slog.New(slog.NewTextHandler(os.Stderr, nil))
+	logWrapper := logger.NewForTest(log)
+
+	db, err := database.New(fx.Lifecycle(nil), database.Params{
+		Logger: logWrapper,
+		Config: cfg,
+	})
+	require.NoError(t, err)
+
+	reg := prometheus.NewRegistry()
+	metricsInstance := metrics.NewForTest(reg)
+
+	svc, err := audit.New(fx.Lifecycle(nil), audit.ServiceParams{
+		Logger:   logWrapper,
+		Database: db,
+		Metrics:  metricsInstance,
+	})
+	require.NoError(t, err)
+
+	return svc, db
+}
+
+func TestAuditServiceLog(t *testing.T) {
+	t.Parallel()
+
+	svc, db := setupTestAuditService(t)
+	ctx := context.Background()
+
+	svc.Log(ctx, audit.LogEntry{
+		UserID:       1,
+		Username:     "admin",
+		Action:       models.AuditActionLogin,
+		ResourceType: models.AuditResourceSession,
+		Detail:       "user logged in",
+		RemoteIP:     "127.0.0.1",
+	})
+
+	entries, err := models.FindAuditEntries(ctx, db, 10)
+	require.NoError(t, err)
+	require.Len(t, entries, 1)
+	assert.Equal(t, "admin", entries[0].Username)
+	assert.Equal(t, models.AuditActionLogin, entries[0].Action)
+	assert.Equal(t, "127.0.0.1", entries[0].RemoteIP.String)
+}
+
+func TestAuditServiceLogFromRequest(t *testing.T) {
+	t.Parallel()
+
+	svc, db := setupTestAuditService(t)
+	ctx := context.Background()
+
+	request := httptest.NewRequest(http.MethodPost, "/apps", nil)
+	request.RemoteAddr = "10.0.0.1:12345"
+
+	svc.LogFromRequest(ctx, request, audit.LogEntry{
+		Username:     "admin",
+		Action:       models.AuditActionAppCreate,
+		ResourceType: models.AuditResourceApp,
+		ResourceID:   "app-1",
+		Detail:       "created app",
+	})
+
+	entries, err := models.FindAuditEntries(ctx, db, 10)
+	require.NoError(t, err)
+	require.Len(t, entries, 1)
+	assert.Equal(t, "10.0.0.1", entries[0].RemoteIP.String)
+	assert.Equal(t, "app-1", entries[0].ResourceID.String)
+}
+
+func TestAuditServiceLogFromRequestWithXRealIPTrustedProxy(t *testing.T) {
+	t.Parallel()
+
+	svc, db := setupTestAuditService(t)
+	ctx := context.Background()
+
+	// When the request comes from a trusted proxy (RFC1918), X-Real-IP is honoured.
+	request := httptest.NewRequest(http.MethodPost, "/apps", nil)
+	request.RemoteAddr = "10.0.0.1:1234"
+	request.Header.Set("X-Real-IP", "203.0.113.50")
+
+	svc.LogFromRequest(ctx, request, audit.LogEntry{
+		Username:     "admin",
+		Action:       models.AuditActionAppCreate,
+		ResourceType: models.AuditResourceApp,
+	})
+
+	entries, err := models.FindAuditEntries(ctx, db, 10)
+	require.NoError(t, err)
+	require.Len(t, entries, 1)
+	assert.Equal(t, "203.0.113.50", entries[0].RemoteIP.String)
+}
+
+func TestAuditServiceLogFromRequestWithXRealIPUntrustedProxy(t *testing.T) {
+	t.Parallel()
+
+	svc, db := setupTestAuditService(t)
+	ctx := context.Background()
+
+	// When the request comes from a public IP, X-Real-IP is ignored (anti-spoof).
+	request := httptest.NewRequest(http.MethodPost, "/apps", nil)
+	request.RemoteAddr = "203.0.113.99:1234"
+	request.Header.Set("X-Real-IP", "10.0.0.1")
+
+	svc.LogFromRequest(ctx, request, audit.LogEntry{
+		Username:     "admin",
+		Action:       models.AuditActionAppCreate,
+		ResourceType: models.AuditResourceApp,
+	})
+
+	entries, err := models.FindAuditEntries(ctx, db, 10)
+	require.NoError(t, err)
+	require.Len(t, entries, 1)
+	assert.Equal(t, "203.0.113.99", entries[0].RemoteIP.String)
+}
+
+func TestAuditServiceRecent(t *testing.T) {
+	t.Parallel()
+
+	svc, _ := setupTestAuditService(t)
+	ctx := context.Background()
+
+	for range 5 {
+		svc.Log(ctx, audit.LogEntry{
+			Username:     "admin",
+			Action:       models.AuditActionLogin,
+			ResourceType: models.AuditResourceSession,
+		})
+	}
+
+	entries, err := svc.Recent(ctx, 3)
+	require.NoError(t, err)
+	assert.Len(t, entries, 3)
+}
+
+func TestAuditServiceForResource(t *testing.T) {
+	t.Parallel()
+
+	svc, _ := setupTestAuditService(t)
+	ctx := context.Background()
+
+	// Log entries for different resources.
+	svc.Log(ctx, audit.LogEntry{
+		Username:     "admin",
+		Action:       models.AuditActionAppCreate,
+		ResourceType: models.AuditResourceApp,
+		ResourceID:   "app-1",
+	})
+	svc.Log(ctx, audit.LogEntry{
+		Username:     "admin",
+		Action:       models.AuditActionAppDeploy,
+		ResourceType: models.AuditResourceApp,
+		ResourceID:   "app-1",
+	})
+	svc.Log(ctx, audit.LogEntry{
+		Username:     "admin",
+		Action:       models.AuditActionAppCreate,
+		ResourceType: models.AuditResourceApp,
+		ResourceID:   "app-2",
+	})
+
+	entries, err := svc.ForResource(ctx, models.AuditResourceApp, "app-1", 10)
+	require.NoError(t, err)
+	assert.Len(t, entries, 2)
+}
+
+func TestAuditServiceLogWithNoOptionalFields(t *testing.T) {
+	t.Parallel()
+
+	svc, db := setupTestAuditService(t)
+	ctx := context.Background()
+
+	svc.Log(ctx, audit.LogEntry{
+		Username:     "system",
+		Action:       models.AuditActionWebhookReceive,
+		ResourceType: models.AuditResourceWebhook,
+	})
+
+	entries, err := models.FindAuditEntries(ctx, db, 10)
+	require.NoError(t, err)
+	require.Len(t, entries, 1)
+	assert.False(t, entries[0].UserID.Valid)
+	assert.False(t, entries[0].ResourceID.Valid)
+	assert.False(t, entries[0].Detail.Valid)
+	assert.False(t, entries[0].RemoteIP.Valid)
+}

internal/service/deploy/deploy.go

@@ -21,6 +21,7 @@ import (
 	"sneak.berlin/go/upaas/internal/database"
 	"sneak.berlin/go/upaas/internal/docker"
 	"sneak.berlin/go/upaas/internal/logger"
+	"sneak.berlin/go/upaas/internal/metrics"
 	"sneak.berlin/go/upaas/internal/models"
 	"sneak.berlin/go/upaas/internal/service/notify"
 )
@@ -208,6 +209,7 @@ type ServiceParams struct {
 	Database *database.Database
 	Docker   *docker.Client
 	Notify   *notify.Service
+	Metrics  *metrics.Metrics
 }
 
 // activeDeploy tracks a running deployment so it can be cancelled.
@@ -222,6 +224,7 @@ type Service struct {
 	db            *database.Database
 	docker        *docker.Client
 	notify        *notify.Service
+	metrics       *metrics.Metrics
 	config        *config.Config
 	params        *ServiceParams
 	activeDeploys sync.Map // map[string]*activeDeploy - per-app active deployment tracking
@@ -235,6 +238,7 @@ func New(lc fx.Lifecycle, params ServiceParams) (*Service, error) {
 		db:      params.Database,
 		docker:  params.Docker,
 		notify:  params.Notify,
+		metrics: params.Metrics,
 		config:  params.Config,
 		params:  &params,
 	}
@@ -327,6 +331,11 @@ func (svc *Service) Deploy(
 	}
 	defer svc.unlockApp(app.ID)
 
+	// Track in-flight deployments
+	svc.metrics.DeploymentsInFlight.WithLabelValues(app.Name).Inc()
+
+	deployStart := time.Now()
+
 	// Set up cancellable context and register as active deploy
 	deployCtx, cancel := context.WithCancel(ctx)
 	done := make(chan struct{})
@@ -334,6 +343,7 @@ func (svc *Service) Deploy(
 	svc.activeDeploys.Store(app.ID, ad)
 
 	defer func() {
+		svc.metrics.DeploymentsInFlight.WithLabelValues(app.Name).Dec()
 		cancel()
 		close(done)
 		svc.activeDeploys.Delete(app.ID)
@@ -359,7 +369,7 @@ func (svc *Service) Deploy(
 
 	svc.notify.NotifyBuildStart(bgCtx, app, deployment)
 
-	return svc.runBuildAndDeploy(deployCtx, bgCtx, app, deployment)
+	return svc.runBuildAndDeploy(deployCtx, bgCtx, app, deployment, deployStart)
 }
 
 // Rollback rolls back an app to its previous image.
@@ -467,15 +477,20 @@ func (svc *Service) runBuildAndDeploy(
 	bgCtx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
+	deployStart time.Time,
 ) error {
 	// Build phase with timeout
 	imageID, err := svc.buildImageWithTimeout(deployCtx, app, deployment)
 	if err != nil {
 		cancelErr := svc.checkCancelled(deployCtx, bgCtx, app, deployment, "")
 		if cancelErr != nil {
+			svc.recordDeployMetrics(app.Name, "cancelled", deployStart)
+
 			return cancelErr
 		}
 
+		svc.recordDeployMetrics(app.Name, "failed", deployStart)
+
 		return err
 	}
 
@@ -486,9 +501,13 @@ func (svc *Service) runBuildAndDeploy(
 	if err != nil {
 		cancelErr := svc.checkCancelled(deployCtx, bgCtx, app, deployment, imageID)
 		if cancelErr != nil {
+			svc.recordDeployMetrics(app.Name, "cancelled", deployStart)
+
 			return cancelErr
 		}
 
+		svc.recordDeployMetrics(app.Name, "failed", deployStart)
+
 		return err
 	}
 
@@ -504,11 +523,19 @@ func (svc *Service) runBuildAndDeploy(
 
 	// Use context.WithoutCancel to ensure health check completes even if
 	// the parent context is cancelled (e.g., HTTP request ends).
-	go svc.checkHealthAfterDelay(bgCtx, app, deployment)
+	go svc.checkHealthAfterDelay(bgCtx, app, deployment, deployStart)
 
 	return nil
 }
 
+// recordDeployMetrics records deployment completion metrics.
+func (svc *Service) recordDeployMetrics(appName, status string, start time.Time) {
+	duration := time.Since(start).Seconds()
+
+	svc.metrics.DeploymentsTotal.WithLabelValues(appName, status).Inc()
+	svc.metrics.DeploymentDuration.WithLabelValues(appName, status).Observe(duration)
+}
+
 // buildImageWithTimeout runs the build phase with a timeout.
 func (svc *Service) buildImageWithTimeout(
 	ctx context.Context,
@@ -1163,6 +1190,7 @@ func (svc *Service) checkHealthAfterDelay(
 	ctx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
+	deployStart time.Time,
 ) {
 	svc.log.Info(
 		"waiting 60 seconds to check container health",
@@ -1189,6 +1217,8 @@ func (svc *Service) checkHealthAfterDelay(
 		svc.notify.NotifyDeployFailed(ctx, reloadedApp, deployment, err)
 		_ = deployment.MarkFinished(ctx, models.DeploymentStatusFailed)
 		svc.writeLogsToFile(reloadedApp, deployment)
+		svc.recordDeployMetrics(reloadedApp.Name, "failed", deployStart)
+		svc.metrics.ContainerHealthy.WithLabelValues(reloadedApp.Name).Set(0)
 		reloadedApp.Status = models.AppStatusError
 		_ = reloadedApp.Save(ctx)
 
@@ -1200,6 +1230,8 @@ func (svc *Service) checkHealthAfterDelay(
 		svc.notify.NotifyDeploySuccess(ctx, reloadedApp, deployment)
 		_ = deployment.MarkFinished(ctx, models.DeploymentStatusSuccess)
 		svc.writeLogsToFile(reloadedApp, deployment)
+		svc.recordDeployMetrics(reloadedApp.Name, "success", deployStart)
+		svc.metrics.ContainerHealthy.WithLabelValues(reloadedApp.Name).Set(1)
 	} else {
 		svc.log.Warn(
 			"container unhealthy after 60 seconds",
@@ -1208,6 +1240,8 @@ func (svc *Service) checkHealthAfterDelay(
 		svc.notify.NotifyDeployFailed(ctx, reloadedApp, deployment, ErrContainerUnhealthy)
 		_ = deployment.MarkFinished(ctx, models.DeploymentStatusFailed)
 		svc.writeLogsToFile(reloadedApp, deployment)
+		svc.recordDeployMetrics(reloadedApp.Name, "failed", deployStart)
+		svc.metrics.ContainerHealthy.WithLabelValues(reloadedApp.Name).Set(0)
 		reloadedApp.Status = models.AppStatusError
 		_ = reloadedApp.Save(ctx)
 	}

internal/service/webhook/payloads.go

@@ -1,248 +0,0 @@
-package webhook
-
-import "encoding/json"
-
-// GiteaPushPayload represents a Gitea push webhook payload.
-//
-//nolint:tagliatelle // Field names match Gitea API (snake_case)
-type GiteaPushPayload struct {
-	Ref        string      `json:"ref"`
-	Before     string      `json:"before"`
-	After      string      `json:"after"`
-	CompareURL UnparsedURL `json:"compare_url"`
-	Repository struct {
-		FullName string      `json:"full_name"`
-		CloneURL UnparsedURL `json:"clone_url"`
-		SSHURL   string      `json:"ssh_url"`
-		HTMLURL  UnparsedURL `json:"html_url"`
-	} `json:"repository"`
-	Pusher struct {
-		Username string `json:"username"`
-		Email    string `json:"email"`
-	} `json:"pusher"`
-	Commits []struct {
-		ID      string      `json:"id"`
-		URL     UnparsedURL `json:"url"`
-		Message string      `json:"message"`
-		Author  struct {
-			Name  string `json:"name"`
-			Email string `json:"email"`
-		} `json:"author"`
-	} `json:"commits"`
-}
-
-// GitHubPushPayload represents a GitHub push webhook payload.
-//
-//nolint:tagliatelle // Field names match GitHub API (snake_case)
-type GitHubPushPayload struct {
-	Ref        string `json:"ref"`
-	Before     string `json:"before"`
-	After      string `json:"after"`
-	CompareURL string `json:"compare"`
-	Repository struct {
-		FullName string      `json:"full_name"`
-		CloneURL UnparsedURL `json:"clone_url"`
-		SSHURL   string      `json:"ssh_url"`
-		HTMLURL  UnparsedURL `json:"html_url"`
-	} `json:"repository"`
-	Pusher struct {
-		Name  string `json:"name"`
-		Email string `json:"email"`
-	} `json:"pusher"`
-	HeadCommit *struct {
-		ID      string      `json:"id"`
-		URL     UnparsedURL `json:"url"`
-		Message string      `json:"message"`
-	} `json:"head_commit"`
-	Commits []struct {
-		ID      string      `json:"id"`
-		URL     UnparsedURL `json:"url"`
-		Message string      `json:"message"`
-		Author  struct {
-			Name  string `json:"name"`
-			Email string `json:"email"`
-		} `json:"author"`
-	} `json:"commits"`
-}
-
-// GitLabPushPayload represents a GitLab push webhook payload.
-//
-//nolint:tagliatelle // Field names match GitLab API (snake_case)
-type GitLabPushPayload struct {
-	Ref       string `json:"ref"`
-	Before    string `json:"before"`
-	After     string `json:"after"`
-	UserName  string `json:"user_name"`
-	UserEmail string `json:"user_email"`
-	Project   struct {
-		PathWithNamespace string      `json:"path_with_namespace"`
-		GitHTTPURL        UnparsedURL `json:"git_http_url"`
-		GitSSHURL         string      `json:"git_ssh_url"`
-		WebURL            UnparsedURL `json:"web_url"`
-	} `json:"project"`
-	Commits []struct {
-		ID      string      `json:"id"`
-		URL     UnparsedURL `json:"url"`
-		Message string      `json:"message"`
-		Author  struct {
-			Name  string `json:"name"`
-			Email string `json:"email"`
-		} `json:"author"`
-	} `json:"commits"`
-}
-
-// ParsePushPayload parses a raw webhook payload into a normalized PushEvent
-// based on the detected webhook source. Returns an error if JSON unmarshaling
-// fails. For SourceUnknown, falls back to Gitea format for backward
-// compatibility.
-func ParsePushPayload(source Source, payload []byte) (*PushEvent, error) {
-	switch source {
-	case SourceGitHub:
-		return parseGitHubPush(payload)
-	case SourceGitLab:
-		return parseGitLabPush(payload)
-	case SourceGitea, SourceUnknown:
-		// Gitea and unknown both use Gitea format for backward compatibility.
-		return parseGiteaPush(payload)
-	}
-
-	// Unreachable for known source values, but satisfies exhaustive checker.
-	return parseGiteaPush(payload)
-}
-
-func parseGiteaPush(payload []byte) (*PushEvent, error) {
-	var p GiteaPushPayload
-
-	unmarshalErr := json.Unmarshal(payload, &p)
-	if unmarshalErr != nil {
-		return nil, unmarshalErr
-	}
-
-	commitURL := extractGiteaCommitURL(p)
-
-	return &PushEvent{
-		Source:    SourceGitea,
-		Ref:       p.Ref,
-		Before:    p.Before,
-		After:     p.After,
-		Branch:    extractBranch(p.Ref),
-		RepoName:  p.Repository.FullName,
-		CloneURL:  p.Repository.CloneURL,
-		HTMLURL:   p.Repository.HTMLURL,
-		CommitURL: commitURL,
-		Pusher:    p.Pusher.Username,
-	}, nil
-}
-
-func parseGitHubPush(payload []byte) (*PushEvent, error) {
-	var p GitHubPushPayload
-
-	unmarshalErr := json.Unmarshal(payload, &p)
-	if unmarshalErr != nil {
-		return nil, unmarshalErr
-	}
-
-	commitURL := extractGitHubCommitURL(p)
-
-	return &PushEvent{
-		Source:    SourceGitHub,
-		Ref:       p.Ref,
-		Before:    p.Before,
-		After:     p.After,
-		Branch:    extractBranch(p.Ref),
-		RepoName:  p.Repository.FullName,
-		CloneURL:  p.Repository.CloneURL,
-		HTMLURL:   p.Repository.HTMLURL,
-		CommitURL: commitURL,
-		Pusher:    p.Pusher.Name,
-	}, nil
-}
-
-func parseGitLabPush(payload []byte) (*PushEvent, error) {
-	var p GitLabPushPayload
-
-	unmarshalErr := json.Unmarshal(payload, &p)
-	if unmarshalErr != nil {
-		return nil, unmarshalErr
-	}
-
-	commitURL := extractGitLabCommitURL(p)
-
-	return &PushEvent{
-		Source:    SourceGitLab,
-		Ref:       p.Ref,
-		Before:    p.Before,
-		After:     p.After,
-		Branch:    extractBranch(p.Ref),
-		RepoName:  p.Project.PathWithNamespace,
-		CloneURL:  p.Project.GitHTTPURL,
-		HTMLURL:   p.Project.WebURL,
-		CommitURL: commitURL,
-		Pusher:    p.UserName,
-	}, nil
-}
-
-// extractBranch extracts the branch name from a git ref.
-func extractBranch(ref string) string {
-	// refs/heads/main -> main
-	const prefix = "refs/heads/"
-
-	if len(ref) >= len(prefix) && ref[:len(prefix)] == prefix {
-		return ref[len(prefix):]
-	}
-
-	return ref
-}
-
-// extractGiteaCommitURL extracts the commit URL from a Gitea push payload.
-// Prefers the URL from the head commit, falls back to constructing from repo URL.
-func extractGiteaCommitURL(payload GiteaPushPayload) UnparsedURL {
-	for _, commit := range payload.Commits {
-		if commit.ID == payload.After && commit.URL != "" {
-			return commit.URL
-		}
-	}
-
-	if payload.Repository.HTMLURL != "" && payload.After != "" {
-		return UnparsedURL(payload.Repository.HTMLURL.String() + "/commit/" + payload.After)
-	}
-
-	return ""
-}
-
-// extractGitHubCommitURL extracts the commit URL from a GitHub push payload.
-// Prefers head_commit.url, then searches commits, then constructs from repo URL.
-func extractGitHubCommitURL(payload GitHubPushPayload) UnparsedURL {
-	if payload.HeadCommit != nil && payload.HeadCommit.URL != "" {
-		return payload.HeadCommit.URL
-	}
-
-	for _, commit := range payload.Commits {
-		if commit.ID == payload.After && commit.URL != "" {
-			return commit.URL
-		}
-	}
-
-	if payload.Repository.HTMLURL != "" && payload.After != "" {
-		return UnparsedURL(payload.Repository.HTMLURL.String() + "/commit/" + payload.After)
-	}
-
-	return ""
-}
-
-// extractGitLabCommitURL extracts the commit URL from a GitLab push payload.
-// Prefers commit URL from the commits list, falls back to constructing from
-// project web URL.
-func extractGitLabCommitURL(payload GitLabPushPayload) UnparsedURL {
-	for _, commit := range payload.Commits {
-		if commit.ID == payload.After && commit.URL != "" {
-			return commit.URL
-		}
-	}
-
-	if payload.Project.WebURL != "" && payload.After != "" {
-		return UnparsedURL(payload.Project.WebURL.String() + "/-/commit/" + payload.After)
-	}
-
-	return ""
-}

internal/service/webhook/types.go

@@ -1,7 +1,5 @@
 package webhook
 
-import "net/http"
-
 // UnparsedURL is a URL stored as a plain string without parsing.
 // Use this instead of string when the value is known to be a URL
 // but should not be parsed into a net/url.URL (e.g. webhook URLs,
@@ -10,84 +8,3 @@ type UnparsedURL string
 
 // String implements the fmt.Stringer interface.
 func (u UnparsedURL) String() string { return string(u) }
-
-// Source identifies which git hosting platform sent the webhook.
-type Source string
-
-const (
-	// SourceGitea indicates the webhook was sent by a Gitea instance.
-	SourceGitea Source = "gitea"
-
-	// SourceGitHub indicates the webhook was sent by GitHub.
-	SourceGitHub Source = "github"
-
-	// SourceGitLab indicates the webhook was sent by a GitLab instance.
-	SourceGitLab Source = "gitlab"
-
-	// SourceUnknown indicates the webhook source could not be determined.
-	SourceUnknown Source = "unknown"
-)
-
-// String implements the fmt.Stringer interface.
-func (s Source) String() string { return string(s) }
-
-// DetectWebhookSource determines the webhook source from HTTP headers.
-// It checks for platform-specific event headers in this order:
-// Gitea (X-Gitea-Event), GitHub (X-GitHub-Event), GitLab (X-Gitlab-Event).
-// Returns SourceUnknown if no recognized header is found.
-func DetectWebhookSource(headers http.Header) Source {
-	if headers.Get("X-Gitea-Event") != "" {
-		return SourceGitea
-	}
-
-	if headers.Get("X-Github-Event") != "" {
-		return SourceGitHub
-	}
-
-	if headers.Get("X-Gitlab-Event") != "" {
-		return SourceGitLab
-	}
-
-	return SourceUnknown
-}
-
-// DetectEventType extracts the event type string from HTTP headers
-// based on the detected webhook source. Returns "push" as a fallback
-// when no event header is found.
-func DetectEventType(headers http.Header, source Source) string {
-	switch source {
-	case SourceGitea:
-		if v := headers.Get("X-Gitea-Event"); v != "" {
-			return v
-		}
-	case SourceGitHub:
-		if v := headers.Get("X-Github-Event"); v != "" {
-			return v
-		}
-	case SourceGitLab:
-		if v := headers.Get("X-Gitlab-Event"); v != "" {
-			return v
-		}
-	case SourceUnknown:
-		// Fall through to default
-	}
-
-	return "push"
-}
-
-// PushEvent is a normalized representation of a push webhook payload
-// from any supported source (Gitea, GitHub, GitLab). The webhook
-// service converts source-specific payloads into this format before
-// processing.
-type PushEvent struct {
-	Source    Source
-	Ref       string
-	Before    string
-	After     string
-	Branch    string
-	RepoName  string
-	CloneURL  UnparsedURL
-	HTMLURL   UnparsedURL
-	CommitURL UnparsedURL
-	Pusher    string
-}

internal/service/webhook/webhook.go

@@ -4,14 +4,17 @@ package webhook
 import (
 	"context"
 	"database/sql"
+	"encoding/json"
 	"fmt"
 	"log/slog"
+	"strconv"
 
 	"go.uber.org/fx"
 
 	"sneak.berlin/go/upaas/internal/database"
 
 	"sneak.berlin/go/upaas/internal/logger"
+	"sneak.berlin/go/upaas/internal/metrics"
 	"sneak.berlin/go/upaas/internal/models"
 	"sneak.berlin/go/upaas/internal/service/deploy"
 )
@@ -23,6 +26,7 @@ type ServiceParams struct {
 	Logger   *logger.Logger
 	Database *database.Database
 	Deploy   *deploy.Service
+	Metrics  *metrics.Metrics
 }
 
 // Service provides webhook handling functionality.
@@ -30,6 +34,7 @@ type Service struct {
 	log     *slog.Logger
 	db      *database.Database
 	deploy  *deploy.Service
+	metrics *metrics.Metrics
 	params  *ServiceParams
 }
 
@@ -39,50 +44,73 @@ func New(_ fx.Lifecycle, params ServiceParams) (*Service, error) {
 		log:     params.Logger.Get(),
 		db:      params.Database,
 		deploy:  params.Deploy,
+		metrics: params.Metrics,
 		params:  &params,
 	}, nil
 }
 
-// HandleWebhook processes a webhook request from any supported source
+// GiteaPushPayload represents a Gitea push webhook payload.
-// (Gitea, GitHub, or GitLab). The source parameter determines which
+//
-// payload format to use for parsing.
+//nolint:tagliatelle // Field names match Gitea API (snake_case)
+type GiteaPushPayload struct {
+	Ref        string      `json:"ref"`
+	Before     string      `json:"before"`
+	After      string      `json:"after"`
+	CompareURL UnparsedURL `json:"compare_url"`
+	Repository struct {
+		FullName string      `json:"full_name"`
+		CloneURL UnparsedURL `json:"clone_url"`
+		SSHURL   string      `json:"ssh_url"`
+		HTMLURL  UnparsedURL `json:"html_url"`
+	} `json:"repository"`
+	Pusher struct {
+		Username string `json:"username"`
+		Email    string `json:"email"`
+	} `json:"pusher"`
+	Commits []struct {
+		ID      string      `json:"id"`
+		URL     UnparsedURL `json:"url"`
+		Message string      `json:"message"`
+		Author  struct {
+			Name  string `json:"name"`
+			Email string `json:"email"`
+		} `json:"author"`
+	} `json:"commits"`
+}
+
+// HandleWebhook processes a webhook request.
 func (svc *Service) HandleWebhook(
 	ctx context.Context,
 	app *models.App,
-	source Source,
 	eventType string,
 	payload []byte,
 ) error {
-	svc.log.Info("processing webhook",
+	svc.log.Info("processing webhook", "app", app.Name, "event", eventType)
-		"app", app.Name,
-		"source", source.String(),
-		"event", eventType,
-	)
 
-	// Parse payload into normalized push event
+	// Parse payload
-	pushEvent, parseErr := ParsePushPayload(source, payload)
+	var pushPayload GiteaPushPayload
-	if parseErr != nil {
+
-		svc.log.Warn("failed to parse webhook payload",
+	unmarshalErr := json.Unmarshal(payload, &pushPayload)
-			"error", parseErr,
+	if unmarshalErr != nil {
-			"source", source.String(),
+		svc.log.Warn("failed to parse webhook payload", "error", unmarshalErr)
-		)
+		// Continue anyway to log the event
-		// Continue with empty push event to still log the webhook
-		pushEvent = &PushEvent{Source: source}
 	}
 
+	// Extract branch from ref
+	branch := extractBranch(pushPayload.Ref)
+	commitSHA := pushPayload.After
+	commitURL := extractCommitURL(pushPayload)
+
 	// Check if branch matches
-	matched := pushEvent.Branch == app.Branch
+	matched := branch == app.Branch
 
 	// Create webhook event record
 	event := models.NewWebhookEvent(svc.db)
 	event.AppID = app.ID
 	event.EventType = eventType
-	event.Branch = pushEvent.Branch
+	event.Branch = branch
-	event.CommitSHA = sql.NullString{String: pushEvent.After, Valid: pushEvent.After != ""}
+	event.CommitSHA = sql.NullString{String: commitSHA, Valid: commitSHA != ""}
-	event.CommitURL = sql.NullString{
+	event.CommitURL = sql.NullString{String: commitURL.String(), Valid: commitURL != ""}
-		String: pushEvent.CommitURL.String(),
-		Valid:  pushEvent.CommitURL != "",
-	}
 	event.Payload = sql.NullString{String: string(payload), Valid: true}
 	event.Matched = matched
 	event.Processed = false
@@ -94,12 +122,15 @@ func (svc *Service) HandleWebhook(
 
 	svc.log.Info("webhook event recorded",
 		"app", app.Name,
-		"source", source.String(),
+		"branch", branch,
-		"branch", pushEvent.Branch,
 		"matched", matched,
-		"commit", pushEvent.After,
+		"commit", commitSHA,
 	)
 
+	svc.metrics.WebhookEventsTotal.WithLabelValues(
+		app.Name, eventType, strconv.FormatBool(matched),
+	).Inc()
+
 	// If branch matches, trigger deployment
 	if matched {
 		svc.triggerDeployment(ctx, app, event)
@@ -132,3 +163,33 @@ func (svc *Service) triggerDeployment(
 		_ = event.Save(deployCtx)
 	}()
 }
+
+// extractBranch extracts the branch name from a git ref.
+func extractBranch(ref string) string {
+	// refs/heads/main -> main
+	const prefix = "refs/heads/"
+
+	if len(ref) >= len(prefix) && ref[:len(prefix)] == prefix {
+		return ref[len(prefix):]
+	}
+
+	return ref
+}
+
+// extractCommitURL extracts the commit URL from the webhook payload.
+// Prefers the URL from the head commit, falls back to constructing from repo URL.
+func extractCommitURL(payload GiteaPushPayload) UnparsedURL {
+	// Try to find the URL from the head commit (matching After SHA)
+	for _, commit := range payload.Commits {
+		if commit.ID == payload.After && commit.URL != "" {
+			return commit.URL
+		}
+	}
+
+	// Fall back to constructing URL from repo HTML URL
+	if payload.Repository.HTMLURL != "" && payload.After != "" {
+		return UnparsedURL(payload.Repository.HTMLURL.String() + "/commit/" + payload.After)
+	}
+
+	return ""
+}

internal/service/webhook/webhook_test.go

@@ -3,12 +3,12 @@ package webhook_test
 import (
 	"context"
 	"encoding/json"
-	"net/http"
 	"os"
 	"path/filepath"
 	"testing"
 	"time"
 
+	"github.com/prometheus/client_golang/prometheus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"
@@ -18,6 +18,7 @@ import (
 	"sneak.berlin/go/upaas/internal/docker"
 	"sneak.berlin/go/upaas/internal/globals"
 	"sneak.berlin/go/upaas/internal/logger"
+	"sneak.berlin/go/upaas/internal/metrics"
 	"sneak.berlin/go/upaas/internal/models"
 	"sneak.berlin/go/upaas/internal/service/deploy"
 	"sneak.berlin/go/upaas/internal/service/notify"
@@ -64,13 +65,17 @@ func setupTestService(t *testing.T) (*webhook.Service, *database.Database, func(
 	notifySvc, err := notify.New(fx.Lifecycle(nil), notify.ServiceParams{Logger: deps.logger})
 	require.NoError(t, err)
 
+	metricsInstance := metrics.NewForTest(prometheus.NewRegistry())
+
 	deploySvc, err := deploy.New(fx.Lifecycle(nil), deploy.ServiceParams{
 		Logger: deps.logger, Config: deps.config, Database: deps.db, Docker: dockerClient, Notify: notifySvc,
+		Metrics: metricsInstance,
 	})
 	require.NoError(t, err)
 
 	svc, err := webhook.New(fx.Lifecycle(nil), webhook.ServiceParams{
 		Logger: deps.logger, Database: deps.db, Deploy: deploySvc,
+		Metrics: metricsInstance,
 	})
 	require.NoError(t, err)
 
@@ -103,114 +108,44 @@ func createTestApp(
 	return app
 }
 
-// TestDetectWebhookSource tests auto-detection of webhook source from HTTP headers.
-//
 //nolint:funlen // table-driven test with comprehensive test cases
-func TestDetectWebhookSource(testingT *testing.T) {
+func TestExtractBranch(testingT *testing.T) {
 	testingT.Parallel()
 
 	tests := []struct {
 		name     string
-		headers  map[string]string
+		ref      string
-		expected webhook.Source
-	}{
-		{
-			name:     "detects Gitea from X-Gitea-Event header",
-			headers:  map[string]string{"X-Gitea-Event": "push"},
-			expected: webhook.SourceGitea,
-		},
-		{
-			name:     "detects GitHub from X-GitHub-Event header",
-			headers:  map[string]string{"X-GitHub-Event": "push"},
-			expected: webhook.SourceGitHub,
-		},
-		{
-			name:     "detects GitLab from X-Gitlab-Event header",
-			headers:  map[string]string{"X-Gitlab-Event": "Push Hook"},
-			expected: webhook.SourceGitLab,
-		},
-		{
-			name:     "returns unknown when no recognized header",
-			headers:  map[string]string{"Content-Type": "application/json"},
-			expected: webhook.SourceUnknown,
-		},
-		{
-			name:     "returns unknown for empty headers",
-			headers:  map[string]string{},
-			expected: webhook.SourceUnknown,
-		},
-		{
-			name: "Gitea takes precedence over GitHub",
-			headers: map[string]string{
-				"X-Gitea-Event":  "push",
-				"X-GitHub-Event": "push",
-			},
-			expected: webhook.SourceGitea,
-		},
-		{
-			name: "GitHub takes precedence over GitLab",
-			headers: map[string]string{
-				"X-GitHub-Event": "push",
-				"X-Gitlab-Event": "Push Hook",
-			},
-			expected: webhook.SourceGitHub,
-		},
-	}
-
-	for _, testCase := range tests {
-		testingT.Run(testCase.name, func(t *testing.T) {
-			t.Parallel()
-
-			headers := http.Header{}
-			for key, value := range testCase.headers {
-				headers.Set(key, value)
-			}
-
-			result := webhook.DetectWebhookSource(headers)
-			assert.Equal(t, testCase.expected, result)
-		})
-	}
-}
-
-// TestDetectEventType tests event type extraction from HTTP headers.
-func TestDetectEventType(testingT *testing.T) {
-	testingT.Parallel()
-
-	tests := []struct {
-		name     string
-		headers  map[string]string
-		source   webhook.Source
 		expected string
 	}{
 		{
-			name:     "extracts Gitea event type",
+			name:     "extracts main branch",
-			headers:  map[string]string{"X-Gitea-Event": "push"},
+			ref:      "refs/heads/main",
-			source:   webhook.SourceGitea,
+			expected: "main",
-			expected: "push",
 		},
 		{
-			name:     "extracts GitHub event type",
+			name:     "extracts feature branch",
-			headers:  map[string]string{"X-GitHub-Event": "push"},
+			ref:      "refs/heads/feature/new-feature",
-			source:   webhook.SourceGitHub,
+			expected: "feature/new-feature",
-			expected: "push",
 		},
 		{
-			name:     "extracts GitLab event type",
+			name:     "extracts develop branch",
-			headers:  map[string]string{"X-Gitlab-Event": "Push Hook"},
+			ref:      "refs/heads/develop",
-			source:   webhook.SourceGitLab,
+			expected: "develop",
-			expected: "Push Hook",
 		},
 		{
-			name:     "returns push for unknown source",
+			name:     "returns raw ref if no prefix",
-			headers:  map[string]string{},
+			ref:      "main",
-			source:   webhook.SourceUnknown,
+			expected: "main",
-			expected: "push",
 		},
 		{
-			name:     "returns push when header missing for source",
+			name:     "handles empty ref",
-			headers:  map[string]string{},
+			ref:      "",
-			source:   webhook.SourceGitea,
+			expected: "",
-			expected: "push",
+		},
+		{
+			name:     "handles partial prefix",
+			ref:      "refs/heads/",
+			expected: "",
 		},
 	}
 
@@ -218,318 +153,123 @@ func TestDetectEventType(testingT *testing.T) {
 		testingT.Run(testCase.name, func(t *testing.T) {
 			t.Parallel()
 
-			headers := http.Header{}
+			// We test via HandleWebhook since extractBranch is not exported.
-			for key, value := range testCase.headers {
+			// The test verifies behavior indirectly through the webhook event's branch.
-				headers.Set(key, value)
+			svc, dbInst, cleanup := setupTestService(t)
-			}
+			defer cleanup()
 
-			result := webhook.DetectEventType(headers, testCase.source)
+			app := createTestApp(t, dbInst, testCase.expected)
-			assert.Equal(t, testCase.expected, result)
+
+			payload := []byte(`{"ref": "` + testCase.ref + `"}`)
+
+			err := svc.HandleWebhook(context.Background(), app, "push", payload)
+			require.NoError(t, err)
+
+			// Allow async deployment goroutine to complete before test cleanup
+			time.Sleep(100 * time.Millisecond)
+
+			events, err := app.GetWebhookEvents(context.Background(), 10)
+			require.NoError(t, err)
+			require.Len(t, events, 1)
+
+			assert.Equal(t, testCase.expected, events[0].Branch)
 		})
 	}
 }
 
-// TestWebhookSourceString tests the String method on WebhookSource.
+func TestHandleWebhookMatchingBranch(t *testing.T) {
-func TestWebhookSourceString(t *testing.T) {
 	t.Parallel()
 
-	assert.Equal(t, "gitea", webhook.SourceGitea.String())
+	svc, dbInst, cleanup := setupTestService(t)
-	assert.Equal(t, "github", webhook.SourceGitHub.String())
+	defer cleanup()
-	assert.Equal(t, "gitlab", webhook.SourceGitLab.String())
-	assert.Equal(t, "unknown", webhook.SourceUnknown.String())
-}
 
-// TestUnparsedURLString tests the String method on UnparsedURL.
+	app := createTestApp(t, dbInst, "main")
-func TestUnparsedURLString(t *testing.T) {
-	t.Parallel()
-
-	u := webhook.UnparsedURL("https://example.com/test")
-	assert.Equal(t, "https://example.com/test", u.String())
-
-	empty := webhook.UnparsedURL("")
-	assert.Empty(t, empty.String())
-}
-
-// TestParsePushPayloadGitea tests parsing of Gitea push payloads.
-func TestParsePushPayloadGitea(t *testing.T) {
-	t.Parallel()
 
 	payload := []byte(`{
 		"ref": "refs/heads/main",
 		"before": "0000000000000000000000000000000000000000",
-		"after": "abc123def456789",
+		"after": "abc123def456",
-		"compare_url": "https://gitea.example.com/myorg/myrepo/compare/000...abc",
 		"repository": {
-			"full_name": "myorg/myrepo",
+			"full_name": "user/repo",
-			"clone_url": "https://gitea.example.com/myorg/myrepo.git",
+			"clone_url": "https://gitea.example.com/user/repo.git",
-			"ssh_url": "git@gitea.example.com:myorg/myrepo.git",
+			"ssh_url": "git@gitea.example.com:user/repo.git"
-			"html_url": "https://gitea.example.com/myorg/myrepo"
 		},
-		"pusher": {"username": "developer", "email": "dev@example.com"},
+		"pusher": {"username": "testuser", "email": "test@example.com"},
-		"commits": [
+		"commits": [{"id": "abc123def456", "message": "Test commit",
-			{
+			"author": {"name": "Test User", "email": "test@example.com"}}]
-				"id": "abc123def456789",
-				"url": "https://gitea.example.com/myorg/myrepo/commit/abc123def456789",
-				"message": "Fix bug",
-				"author": {"name": "Developer", "email": "dev@example.com"}
-			}
-		]
 	}`)
 
-	event, err := webhook.ParsePushPayload(webhook.SourceGitea, payload)
+	err := svc.HandleWebhook(context.Background(), app, "push", payload)
 	require.NoError(t, err)
 
-	assert.Equal(t, webhook.SourceGitea, event.Source)
+	// Allow async deployment goroutine to complete before test cleanup
-	assert.Equal(t, "refs/heads/main", event.Ref)
+	time.Sleep(100 * time.Millisecond)
+
+	events, err := app.GetWebhookEvents(context.Background(), 10)
+	require.NoError(t, err)
+	require.Len(t, events, 1)
+
+	event := events[0]
+	assert.Equal(t, "push", event.EventType)
 	assert.Equal(t, "main", event.Branch)
-	assert.Equal(t, "abc123def456789", event.After)
+	assert.True(t, event.Matched)
-	assert.Equal(t, "myorg/myrepo", event.RepoName)
+	assert.Equal(t, "abc123def456", event.CommitSHA.String)
-	assert.Equal(t, webhook.UnparsedURL("https://gitea.example.com/myorg/myrepo.git"), event.CloneURL)
-	assert.Equal(t, webhook.UnparsedURL("https://gitea.example.com/myorg/myrepo"), event.HTMLURL)
-	assert.Equal(t,
-		webhook.UnparsedURL("https://gitea.example.com/myorg/myrepo/commit/abc123def456789"),
-		event.CommitURL,
-	)
-	assert.Equal(t, "developer", event.Pusher)
 }
 
-// TestParsePushPayloadGitHub tests parsing of GitHub push payloads.
+func TestHandleWebhookNonMatchingBranch(t *testing.T) {
-func TestParsePushPayloadGitHub(t *testing.T) {
 	t.Parallel()
 
-	payload := []byte(`{
+	svc, dbInst, cleanup := setupTestService(t)
-		"ref": "refs/heads/main",
+	defer cleanup()
-		"before": "0000000000000000000000000000000000000000",
-		"after": "abc123def456789",
-		"compare": "https://github.com/myorg/myrepo/compare/000...abc",
-		"repository": {
-			"full_name": "myorg/myrepo",
-			"clone_url": "https://github.com/myorg/myrepo.git",
-			"ssh_url": "git@github.com:myorg/myrepo.git",
-			"html_url": "https://github.com/myorg/myrepo"
-		},
-		"pusher": {"name": "developer", "email": "dev@example.com"},
-		"head_commit": {
-			"id": "abc123def456789",
-			"url": "https://github.com/myorg/myrepo/commit/abc123def456789",
-			"message": "Fix bug"
-		},
-		"commits": [
-			{
-				"id": "abc123def456789",
-				"url": "https://github.com/myorg/myrepo/commit/abc123def456789",
-				"message": "Fix bug",
-				"author": {"name": "Developer", "email": "dev@example.com"}
-			}
-		]
-	}`)
 
-	event, err := webhook.ParsePushPayload(webhook.SourceGitHub, payload)
+	app := createTestApp(t, dbInst, "main")
+
+	payload := []byte(`{"ref": "refs/heads/develop", "after": "def789ghi012"}`)
+
+	err := svc.HandleWebhook(context.Background(), app, "push", payload)
 	require.NoError(t, err)
 
-	assert.Equal(t, webhook.SourceGitHub, event.Source)
+	events, err := app.GetWebhookEvents(context.Background(), 10)
-	assert.Equal(t, "refs/heads/main", event.Ref)
+	require.NoError(t, err)
-	assert.Equal(t, "main", event.Branch)
+	require.Len(t, events, 1)
-	assert.Equal(t, "abc123def456789", event.After)
+
-	assert.Equal(t, "myorg/myrepo", event.RepoName)
+	assert.Equal(t, "develop", events[0].Branch)
-	assert.Equal(t, webhook.UnparsedURL("https://github.com/myorg/myrepo.git"), event.CloneURL)
+	assert.False(t, events[0].Matched)
-	assert.Equal(t, webhook.UnparsedURL("https://github.com/myorg/myrepo"), event.HTMLURL)
-	assert.Equal(t,
-		webhook.UnparsedURL("https://github.com/myorg/myrepo/commit/abc123def456789"),
-		event.CommitURL,
-	)
-	assert.Equal(t, "developer", event.Pusher)
 }
 
-// TestParsePushPayloadGitLab tests parsing of GitLab push payloads.
+func TestHandleWebhookInvalidJSON(t *testing.T) {
-func TestParsePushPayloadGitLab(t *testing.T) {
 	t.Parallel()
 
-	payload := []byte(`{
+	svc, dbInst, cleanup := setupTestService(t)
-		"ref": "refs/heads/develop",
+	defer cleanup()
-		"before": "0000000000000000000000000000000000000000",
-		"after": "abc123def456789",
-		"user_name": "developer",
-		"user_email": "dev@example.com",
-		"project": {
-			"path_with_namespace": "mygroup/myproject",
-			"git_http_url": "https://gitlab.com/mygroup/myproject.git",
-			"git_ssh_url": "git@gitlab.com:mygroup/myproject.git",
-			"web_url": "https://gitlab.com/mygroup/myproject"
-		},
-		"commits": [
-			{
-				"id": "abc123def456789",
-				"url": "https://gitlab.com/mygroup/myproject/-/commit/abc123def456789",
-				"message": "Fix bug",
-				"author": {"name": "Developer", "email": "dev@example.com"}
-			}
-		]
-	}`)
 
-	event, err := webhook.ParsePushPayload(webhook.SourceGitLab, payload)
+	app := createTestApp(t, dbInst, "main")
+
+	err := svc.HandleWebhook(context.Background(), app, "push", []byte(`{invalid json}`))
 	require.NoError(t, err)
 
-	assert.Equal(t, webhook.SourceGitLab, event.Source)
+	events, err := app.GetWebhookEvents(context.Background(), 10)
-	assert.Equal(t, "refs/heads/develop", event.Ref)
+	require.NoError(t, err)
-	assert.Equal(t, "develop", event.Branch)
+	require.Len(t, events, 1)
-	assert.Equal(t, "abc123def456789", event.After)
-	assert.Equal(t, "mygroup/myproject", event.RepoName)
-	assert.Equal(t, webhook.UnparsedURL("https://gitlab.com/mygroup/myproject.git"), event.CloneURL)
-	assert.Equal(t, webhook.UnparsedURL("https://gitlab.com/mygroup/myproject"), event.HTMLURL)
-	assert.Equal(t,
-		webhook.UnparsedURL("https://gitlab.com/mygroup/myproject/-/commit/abc123def456789"),
-		event.CommitURL,
-	)
-	assert.Equal(t, "developer", event.Pusher)
 }
 
-// TestParsePushPayloadUnknownFallsBackToGitea tests that unknown source uses Gitea parser.
+func TestHandleWebhookEmptyPayload(t *testing.T) {
-func TestParsePushPayloadUnknownFallsBackToGitea(t *testing.T) {
 	t.Parallel()
 
-	payload := []byte(`{
+	svc, dbInst, cleanup := setupTestService(t)
-		"ref": "refs/heads/main",
+	defer cleanup()
-		"after": "abc123",
-		"repository": {"full_name": "user/repo"},
-		"pusher": {"username": "user"}
-	}`)
 
-	event, err := webhook.ParsePushPayload(webhook.SourceUnknown, payload)
+	app := createTestApp(t, dbInst, "main")
+
+	err := svc.HandleWebhook(context.Background(), app, "push", []byte(`{}`))
 	require.NoError(t, err)
 
-	assert.Equal(t, webhook.SourceGitea, event.Source)
+	events, err := app.GetWebhookEvents(context.Background(), 10)
-	assert.Equal(t, "main", event.Branch)
+	require.NoError(t, err)
-	assert.Equal(t, "abc123", event.After)
+	require.Len(t, events, 1)
+	assert.False(t, events[0].Matched)
 }
 
-// TestParsePushPayloadInvalidJSON tests that invalid JSON returns an error.
-func TestParsePushPayloadInvalidJSON(t *testing.T) {
-	t.Parallel()
-
-	sources := []webhook.Source{
-		webhook.SourceGitea,
-		webhook.SourceGitHub,
-		webhook.SourceGitLab,
-	}
-
-	for _, source := range sources {
-		t.Run(source.String(), func(t *testing.T) {
-			t.Parallel()
-
-			_, err := webhook.ParsePushPayload(source, []byte(`{invalid json}`))
-			require.Error(t, err)
-		})
-	}
-}
-
-// TestParsePushPayloadEmptyPayload tests parsing of empty JSON objects.
-func TestParsePushPayloadEmptyPayload(t *testing.T) {
-	t.Parallel()
-
-	sources := []webhook.Source{
-		webhook.SourceGitea,
-		webhook.SourceGitHub,
-		webhook.SourceGitLab,
-	}
-
-	for _, source := range sources {
-		t.Run(source.String(), func(t *testing.T) {
-			t.Parallel()
-
-			event, err := webhook.ParsePushPayload(source, []byte(`{}`))
-			require.NoError(t, err)
-
-			assert.Empty(t, event.Branch)
-			assert.Empty(t, event.After)
-		})
-	}
-}
-
-// TestGitHubCommitURLFallback tests commit URL extraction fallback paths for GitHub.
-func TestGitHubCommitURLFallback(t *testing.T) {
-	t.Parallel()
-
-	t.Run("uses head_commit URL when available", func(t *testing.T) {
-		t.Parallel()
-
-		payload := []byte(`{
-			"ref": "refs/heads/main",
-			"after": "abc123",
-			"head_commit": {"id": "abc123", "url": "https://github.com/u/r/commit/abc123"},
-			"repository": {"html_url": "https://github.com/u/r"}
-		}`)
-
-		event, err := webhook.ParsePushPayload(webhook.SourceGitHub, payload)
-		require.NoError(t, err)
-		assert.Equal(t, webhook.UnparsedURL("https://github.com/u/r/commit/abc123"), event.CommitURL)
-	})
-
-	t.Run("falls back to commits list", func(t *testing.T) {
-		t.Parallel()
-
-		payload := []byte(`{
-			"ref": "refs/heads/main",
-			"after": "abc123",
-			"commits": [{"id": "abc123", "url": "https://github.com/u/r/commit/abc123"}],
-			"repository": {"html_url": "https://github.com/u/r"}
-		}`)
-
-		event, err := webhook.ParsePushPayload(webhook.SourceGitHub, payload)
-		require.NoError(t, err)
-		assert.Equal(t, webhook.UnparsedURL("https://github.com/u/r/commit/abc123"), event.CommitURL)
-	})
-
-	t.Run("constructs URL from repo HTML URL", func(t *testing.T) {
-		t.Parallel()
-
-		payload := []byte(`{
-			"ref": "refs/heads/main",
-			"after": "abc123",
-			"repository": {"html_url": "https://github.com/u/r"}
-		}`)
-
-		event, err := webhook.ParsePushPayload(webhook.SourceGitHub, payload)
-		require.NoError(t, err)
-		assert.Equal(t, webhook.UnparsedURL("https://github.com/u/r/commit/abc123"), event.CommitURL)
-	})
-}
-
-// TestGitLabCommitURLFallback tests commit URL extraction fallback paths for GitLab.
-func TestGitLabCommitURLFallback(t *testing.T) {
-	t.Parallel()
-
-	t.Run("uses commit URL from list", func(t *testing.T) {
-		t.Parallel()
-
-		payload := []byte(`{
-			"ref": "refs/heads/main",
-			"after": "abc123",
-			"project": {"web_url": "https://gitlab.com/g/p"},
-			"commits": [{"id": "abc123", "url": "https://gitlab.com/g/p/-/commit/abc123"}]
-		}`)
-
-		event, err := webhook.ParsePushPayload(webhook.SourceGitLab, payload)
-		require.NoError(t, err)
-		assert.Equal(t, webhook.UnparsedURL("https://gitlab.com/g/p/-/commit/abc123"), event.CommitURL)
-	})
-
-	t.Run("constructs URL from project web URL", func(t *testing.T) {
-		t.Parallel()
-
-		payload := []byte(`{
-			"ref": "refs/heads/main",
-			"after": "abc123",
-			"project": {"web_url": "https://gitlab.com/g/p"}
-		}`)
-
-		event, err := webhook.ParsePushPayload(webhook.SourceGitLab, payload)
-		require.NoError(t, err)
-		assert.Equal(t, webhook.UnparsedURL("https://gitlab.com/g/p/-/commit/abc123"), event.CommitURL)
-	})
-}
-
-// TestGiteaPushPayloadParsing tests direct deserialization of the Gitea payload struct.
 func TestGiteaPushPayloadParsing(testingT *testing.T) {
 	testingT.Parallel()
 
@@ -588,354 +328,6 @@ func TestGiteaPushPayloadParsing(testingT *testing.T) {
 	})
 }
 
-// TestGitHubPushPayloadParsing tests direct deserialization of the GitHub payload struct.
-func TestGitHubPushPayloadParsing(t *testing.T) {
-	t.Parallel()
-
-	payload := []byte(`{
-		"ref": "refs/heads/main",
-		"before": "0000000000",
-		"after": "abc123",
-		"compare": "https://github.com/o/r/compare/000...abc",
-		"repository": {
-			"full_name": "o/r",
-			"clone_url": "https://github.com/o/r.git",
-			"ssh_url": "git@github.com:o/r.git",
-			"html_url": "https://github.com/o/r"
-		},
-		"pusher": {"name": "octocat", "email": "octocat@github.com"},
-		"head_commit": {
-			"id": "abc123",
-			"url": "https://github.com/o/r/commit/abc123",
-			"message": "Update README"
-		},
-		"commits": [
-			{
-				"id": "abc123",
-				"url": "https://github.com/o/r/commit/abc123",
-				"message": "Update README",
-				"author": {"name": "Octocat", "email": "octocat@github.com"}
-			}
-		]
-	}`)
-
-	var p webhook.GitHubPushPayload
-
-	err := json.Unmarshal(payload, &p)
-	require.NoError(t, err)
-
-	assert.Equal(t, "refs/heads/main", p.Ref)
-	assert.Equal(t, "abc123", p.After)
-	assert.Equal(t, "o/r", p.Repository.FullName)
-	assert.Equal(t, "octocat", p.Pusher.Name)
-	assert.NotNil(t, p.HeadCommit)
-	assert.Equal(t, "abc123", p.HeadCommit.ID)
-	assert.Len(t, p.Commits, 1)
-}
-
-// TestGitLabPushPayloadParsing tests direct deserialization of the GitLab payload struct.
-func TestGitLabPushPayloadParsing(t *testing.T) {
-	t.Parallel()
-
-	payload := []byte(`{
-		"ref": "refs/heads/main",
-		"before": "0000000000",
-		"after": "abc123",
-		"user_name": "gitlab-user",
-		"user_email": "user@gitlab.com",
-		"project": {
-			"path_with_namespace": "group/project",
-			"git_http_url": "https://gitlab.com/group/project.git",
-			"git_ssh_url": "git@gitlab.com:group/project.git",
-			"web_url": "https://gitlab.com/group/project"
-		},
-		"commits": [
-			{
-				"id": "abc123",
-				"url": "https://gitlab.com/group/project/-/commit/abc123",
-				"message": "Fix pipeline",
-				"author": {"name": "GitLab User", "email": "user@gitlab.com"}
-			}
-		]
-	}`)
-
-	var p webhook.GitLabPushPayload
-
-	err := json.Unmarshal(payload, &p)
-	require.NoError(t, err)
-
-	assert.Equal(t, "refs/heads/main", p.Ref)
-	assert.Equal(t, "abc123", p.After)
-	assert.Equal(t, "group/project", p.Project.PathWithNamespace)
-	assert.Equal(t, "gitlab-user", p.UserName)
-	assert.Len(t, p.Commits, 1)
-}
-
-// TestExtractBranch tests branch extraction via HandleWebhook integration (extractBranch is unexported).
-//
-//nolint:funlen // table-driven test with comprehensive test cases
-func TestExtractBranch(testingT *testing.T) {
-	testingT.Parallel()
-
-	tests := []struct {
-		name     string
-		ref      string
-		expected string
-	}{
-		{
-			name:     "extracts main branch",
-			ref:      "refs/heads/main",
-			expected: "main",
-		},
-		{
-			name:     "extracts feature branch",
-			ref:      "refs/heads/feature/new-feature",
-			expected: "feature/new-feature",
-		},
-		{
-			name:     "extracts develop branch",
-			ref:      "refs/heads/develop",
-			expected: "develop",
-		},
-		{
-			name:     "returns raw ref if no prefix",
-			ref:      "main",
-			expected: "main",
-		},
-		{
-			name:     "handles empty ref",
-			ref:      "",
-			expected: "",
-		},
-		{
-			name:     "handles partial prefix",
-			ref:      "refs/heads/",
-			expected: "",
-		},
-	}
-
-	for _, testCase := range tests {
-		testingT.Run(testCase.name, func(t *testing.T) {
-			t.Parallel()
-
-			// We test via HandleWebhook since extractBranch is not exported.
-			// The test verifies behavior indirectly through the webhook event's branch.
-			svc, dbInst, cleanup := setupTestService(t)
-			defer cleanup()
-
-			app := createTestApp(t, dbInst, testCase.expected)
-
-			payload := []byte(`{"ref": "` + testCase.ref + `"}`)
-
-			err := svc.HandleWebhook(
-				context.Background(), app, webhook.SourceGitea, "push", payload,
-			)
-			require.NoError(t, err)
-
-			// Allow async deployment goroutine to complete before test cleanup
-			time.Sleep(100 * time.Millisecond)
-
-			events, err := app.GetWebhookEvents(context.Background(), 10)
-			require.NoError(t, err)
-			require.Len(t, events, 1)
-
-			assert.Equal(t, testCase.expected, events[0].Branch)
-		})
-	}
-}
-
-func TestHandleWebhookMatchingBranch(t *testing.T) {
-	t.Parallel()
-
-	svc, dbInst, cleanup := setupTestService(t)
-	defer cleanup()
-
-	app := createTestApp(t, dbInst, "main")
-
-	payload := []byte(`{
-		"ref": "refs/heads/main",
-		"before": "0000000000000000000000000000000000000000",
-		"after": "abc123def456",
-		"repository": {
-			"full_name": "user/repo",
-			"clone_url": "https://gitea.example.com/user/repo.git",
-			"ssh_url": "git@gitea.example.com:user/repo.git"
-		},
-		"pusher": {"username": "testuser", "email": "test@example.com"},
-		"commits": [{"id": "abc123def456", "message": "Test commit",
-			"author": {"name": "Test User", "email": "test@example.com"}}]
-	}`)
-
-	err := svc.HandleWebhook(
-		context.Background(), app, webhook.SourceGitea, "push", payload,
-	)
-	require.NoError(t, err)
-
-	// Allow async deployment goroutine to complete before test cleanup
-	time.Sleep(100 * time.Millisecond)
-
-	events, err := app.GetWebhookEvents(context.Background(), 10)
-	require.NoError(t, err)
-	require.Len(t, events, 1)
-
-	event := events[0]
-	assert.Equal(t, "push", event.EventType)
-	assert.Equal(t, "main", event.Branch)
-	assert.True(t, event.Matched)
-	assert.Equal(t, "abc123def456", event.CommitSHA.String)
-}
-
-func TestHandleWebhookNonMatchingBranch(t *testing.T) {
-	t.Parallel()
-
-	svc, dbInst, cleanup := setupTestService(t)
-	defer cleanup()
-
-	app := createTestApp(t, dbInst, "main")
-
-	payload := []byte(`{"ref": "refs/heads/develop", "after": "def789ghi012"}`)
-
-	err := svc.HandleWebhook(
-		context.Background(), app, webhook.SourceGitea, "push", payload,
-	)
-	require.NoError(t, err)
-
-	events, err := app.GetWebhookEvents(context.Background(), 10)
-	require.NoError(t, err)
-	require.Len(t, events, 1)
-
-	assert.Equal(t, "develop", events[0].Branch)
-	assert.False(t, events[0].Matched)
-}
-
-func TestHandleWebhookInvalidJSON(t *testing.T) {
-	t.Parallel()
-
-	svc, dbInst, cleanup := setupTestService(t)
-	defer cleanup()
-
-	app := createTestApp(t, dbInst, "main")
-
-	err := svc.HandleWebhook(
-		context.Background(), app, webhook.SourceGitea, "push", []byte(`{invalid json}`),
-	)
-	require.NoError(t, err)
-
-	events, err := app.GetWebhookEvents(context.Background(), 10)
-	require.NoError(t, err)
-	require.Len(t, events, 1)
-}
-
-func TestHandleWebhookEmptyPayload(t *testing.T) {
-	t.Parallel()
-
-	svc, dbInst, cleanup := setupTestService(t)
-	defer cleanup()
-
-	app := createTestApp(t, dbInst, "main")
-
-	err := svc.HandleWebhook(
-		context.Background(), app, webhook.SourceGitea, "push", []byte(`{}`),
-	)
-	require.NoError(t, err)
-
-	events, err := app.GetWebhookEvents(context.Background(), 10)
-	require.NoError(t, err)
-	require.Len(t, events, 1)
-	assert.False(t, events[0].Matched)
-}
-
-// TestHandleWebhookGitHubSource tests HandleWebhook with a GitHub push payload.
-func TestHandleWebhookGitHubSource(t *testing.T) {
-	t.Parallel()
-
-	svc, dbInst, cleanup := setupTestService(t)
-	defer cleanup()
-
-	app := createTestApp(t, dbInst, "main")
-
-	payload := []byte(`{
-		"ref": "refs/heads/main",
-		"after": "github123",
-		"repository": {
-			"full_name": "org/repo",
-			"clone_url": "https://github.com/org/repo.git",
-			"html_url": "https://github.com/org/repo"
-		},
-		"pusher": {"name": "octocat", "email": "octocat@github.com"},
-		"head_commit": {
-			"id": "github123",
-			"url": "https://github.com/org/repo/commit/github123",
-			"message": "Update feature"
-		}
-	}`)
-
-	err := svc.HandleWebhook(
-		context.Background(), app, webhook.SourceGitHub, "push", payload,
-	)
-	require.NoError(t, err)
-
-	// Allow async deployment goroutine to complete before test cleanup
-	time.Sleep(100 * time.Millisecond)
-
-	events, err := app.GetWebhookEvents(context.Background(), 10)
-	require.NoError(t, err)
-	require.Len(t, events, 1)
-
-	event := events[0]
-	assert.Equal(t, "main", event.Branch)
-	assert.True(t, event.Matched)
-	assert.Equal(t, "github123", event.CommitSHA.String)
-	assert.Equal(t, "https://github.com/org/repo/commit/github123", event.CommitURL.String)
-}
-
-// TestHandleWebhookGitLabSource tests HandleWebhook with a GitLab push payload.
-func TestHandleWebhookGitLabSource(t *testing.T) {
-	t.Parallel()
-
-	svc, dbInst, cleanup := setupTestService(t)
-	defer cleanup()
-
-	app := createTestApp(t, dbInst, "main")
-
-	payload := []byte(`{
-		"ref": "refs/heads/main",
-		"after": "gitlab456",
-		"user_name": "gitlab-dev",
-		"user_email": "dev@gitlab.com",
-		"project": {
-			"path_with_namespace": "group/project",
-			"git_http_url": "https://gitlab.com/group/project.git",
-			"web_url": "https://gitlab.com/group/project"
-		},
-		"commits": [
-			{
-				"id": "gitlab456",
-				"url": "https://gitlab.com/group/project/-/commit/gitlab456",
-				"message": "Deploy fix"
-			}
-		]
-	}`)
-
-	err := svc.HandleWebhook(
-		context.Background(), app, webhook.SourceGitLab, "push", payload,
-	)
-	require.NoError(t, err)
-
-	// Allow async deployment goroutine to complete before test cleanup
-	time.Sleep(100 * time.Millisecond)
-
-	events, err := app.GetWebhookEvents(context.Background(), 10)
-	require.NoError(t, err)
-	require.Len(t, events, 1)
-
-	event := events[0]
-	assert.Equal(t, "main", event.Branch)
-	assert.True(t, event.Matched)
-	assert.Equal(t, "gitlab456", event.CommitSHA.String)
-	assert.Equal(t, "https://gitlab.com/group/project/-/commit/gitlab456", event.CommitURL.String)
-}
-
 // TestSetupTestService verifies the test helper creates a working test service.
 func TestSetupTestService(testingT *testing.T) {
 	testingT.Parallel()
@@ -955,25 +347,3 @@ func TestSetupTestService(testingT *testing.T) {
 		require.NoError(t, err)
 	})
 }
-
-// TestPushEventConstruction tests that PushEvent can be constructed directly.
-func TestPushEventConstruction(t *testing.T) {
-	t.Parallel()
-
-	event := webhook.PushEvent{
-		Source:    webhook.SourceGitHub,
-		Ref:       "refs/heads/main",
-		Before:    "000",
-		After:     "abc",
-		Branch:    "main",
-		RepoName:  "org/repo",
-		CloneURL:  webhook.UnparsedURL("https://github.com/org/repo.git"),
-		HTMLURL:   webhook.UnparsedURL("https://github.com/org/repo"),
-		CommitURL: webhook.UnparsedURL("https://github.com/org/repo/commit/abc"),
-		Pusher:    "user",
-	}
-
-	assert.Equal(t, "main", event.Branch)
-	assert.Equal(t, webhook.SourceGitHub, event.Source)
-	assert.Equal(t, "abc", event.After)
-}