Merge branch 'main' into fix/js-formatting

style: run make fmt on JS static files
2026-03-10 18:54:08 +01:00 · 2026-03-10 01:07:26 +01:00 · 2026-03-09 17:01:10 -07:00
26 changed files with 221 additions and 1925 deletions
--- a/README.md
+++ b/README.md
@@ -36,13 +36,11 @@ upaas/
 │   ├── handlers/        # HTTP request handlers
 │   ├── healthcheck/     # Health status service
 │   ├── logger/          # Structured logging (slog)
-│   ├── metrics/         # Prometheus metrics registration
+│   ├── middleware/      # HTTP middleware (auth, logging, CORS)
 │   ├── middleware/      # HTTP middleware (auth, logging, CORS, metrics)
 │   ├── models/          # Active Record style database models
 │   ├── server/          # HTTP server and routes
 │   ├── service/
 │   │   ├── app/         # App management service
 │   │   ├── audit/       # Audit logging service
 │   │   ├── auth/        # Authentication service
 │   │   ├── deploy/      # Deployment orchestration
 │   │   ├── notify/      # Notifications (ntfy, Slack)
@@ -60,18 +58,16 @@ Uses Uber fx for dependency injection. Components are wired in this order:
 2. `logger` - Structured logging
 3. `config` - Configuration loading
 4. `database` - SQLite connection + migrations
-5. `metrics` - Prometheus metrics registration
+5. `healthcheck` - Health status
-6. `healthcheck` - Health status
+6. `auth` - Authentication service
-7. `auth` - Authentication service
+7. `app` - App management
-8. `app` - App management
+8. `docker` - Docker client
-9. `docker` - Docker client
+9. `notify` - Notification service
-10. `notify` - Notification service
+10. `deploy` - Deployment service
-11. `audit` - Audit logging service
+11. `webhook` - Webhook processing
-12. `deploy` - Deployment service
+12. `middleware` - HTTP middleware
-13. `webhook` - Webhook processing
+13. `handlers` - HTTP handlers
-14. `middleware` - HTTP middleware
+14. `server` - HTTP server
 15. `handlers` - HTTP handlers
 16. `server` - HTTP server
 ### Request Flow
@@ -215,48 +211,6 @@ Example: `HOST_DATA_DIR=/srv/upaas/data docker compose up -d`
 Session secrets are automatically generated on first startup and persisted to `$UPAAS_DATA_DIR/session.key`.
 ## Observability
 ### Prometheus Metrics
 All custom metrics are exposed under the `upaas_` namespace at `/metrics`. The
 endpoint is always available and can be optionally protected with basic auth via
 `METRICS_USERNAME` and `METRICS_PASSWORD`.
 | Metric | Type | Labels | Description |
 |--------|------|--------|-------------|
 | `upaas_deployments_total` | Counter | `app`, `status` | Total deployments (success/failed/cancelled) |
 | `upaas_deployments_duration_seconds` | Histogram | `app`, `status` | Deployment duration |
 | `upaas_deployments_in_flight` | Gauge | `app` | Currently running deployments |
 | `upaas_container_healthy` | Gauge | `app` | Container health (1=healthy, 0=unhealthy) |
 | `upaas_webhook_events_total` | Counter | `app`, `event_type`, `matched` | Webhook events received |
 | `upaas_http_requests_total` | Counter | `method`, `status_code` | HTTP requests |
 | `upaas_http_request_duration_seconds` | Histogram | `method` | HTTP request latency |
 | `upaas_http_response_size_bytes` | Histogram | `method` | HTTP response sizes |
 | `upaas_audit_events_total` | Counter | `action` | Audit log events |
 ### Audit Log
 All user-facing actions are recorded in an `audit_log` SQLite table with:
 - **Who**: user ID and username
 - **What**: action type and affected resource (app, deployment, session, etc.)
 - **Where**: client IP (via X-Real-IP/X-Forwarded-For/RemoteAddr)
 - **When**: timestamp
 Audited actions include login/logout, app CRUD, deployments, container
 start/stop/restart, rollbacks, deployment cancellation, and webhook receipt.
 The audit log is available via the API at `GET /api/v1/audit?limit=N` (max 500,
 default 50).
 ### Structured Logging
 All operations use Go's `slog` structured logger. HTTP requests are logged with
 method, URL, status code, response size, latency, user agent, and client IP.
 Deployment events are logged with app name, status, and duration. Audit events
 are also logged to stdout for correlation with external log aggregators.
 ## License
 WTFPL
--- a/cmd/upaasd/main.go
+++ b/cmd/upaasd/main.go
@@ -11,11 +11,9 @@ import (
 	"sneak.berlin/go/upaas/internal/handlers"
 	"sneak.berlin/go/upaas/internal/healthcheck"
 	"sneak.berlin/go/upaas/internal/logger"
 	"sneak.berlin/go/upaas/internal/metrics"
 	"sneak.berlin/go/upaas/internal/middleware"
 	"sneak.berlin/go/upaas/internal/server"
 	"sneak.berlin/go/upaas/internal/service/app"
 	"sneak.berlin/go/upaas/internal/service/audit"
 	"sneak.berlin/go/upaas/internal/service/auth"
 	"sneak.berlin/go/upaas/internal/service/deploy"
 	"sneak.berlin/go/upaas/internal/service/notify"
@@ -43,7 +41,6 @@ func main() {
 			logger.New,
 			config.New,
 			database.New,
 			metrics.New,
 			healthcheck.New,
 			auth.New,
 			app.New,
@@ -51,7 +48,6 @@ func main() {
 			notify.New,
 			deploy.New,
 			webhook.New,
 			audit.New,
 			middleware.New,
 			handlers.New,
 			server.New,
--- a/internal/database/migrations/007_add_audit_log.sql
+++ b/internal/database/migrations/007_add_audit_log.sql
@@ -1,16 +0,0 @@
 -- Audit log table for tracking user actions.
 CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY,
    user_id INTEGER,
    username TEXT NOT NULL,
    action TEXT NOT NULL,
    resource_type TEXT NOT NULL,
    resource_id TEXT,
    detail TEXT,
    remote_ip TEXT,
    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
 );
 CREATE INDEX idx_audit_log_created_at ON audit_log(created_at);
 CREATE INDEX idx_audit_log_action ON audit_log(action);
 CREATE INDEX idx_audit_log_resource ON audit_log(resource_type, resource_id);
--- a/internal/handlers/api.go
+++ b/internal/handlers/api.go
@@ -1,7 +1,6 @@
 package handlers
 import (
 	"database/sql"
 	"encoding/json"
 	"net/http"
 	"strconv"
@@ -121,9 +120,6 @@ func (h *Handlers) HandleAPILoginPOST() http.HandlerFunc {
 			return
 		}
 		h.auditLog(request, models.AuditActionLogin,
 			models.AuditResourceSession, "", "api login")
 		h.respondJSON(writer, request, loginResponse{
 			UserID:   user.ID,
 			Username: user.Username,
@@ -247,79 +243,3 @@ func (h *Handlers) HandleAPIWhoAmI() http.HandlerFunc {
 		}, http.StatusOK)
 	}
 }
 // auditLogDefaultLimit is the default number of audit entries returned.
 const auditLogDefaultLimit = 50
 // auditLogMaxLimit is the maximum number of audit entries returned.
 const auditLogMaxLimit = 500
 // HandleAPIAuditLog returns a handler that lists recent audit log entries.
 func (h *Handlers) HandleAPIAuditLog() http.HandlerFunc {
 	type auditEntryResponse struct {
 		ID           int64  `json:"id"`
 		UserID       *int64 `json:"userId,omitempty"`
 		Username     string `json:"username"`
 		Action       string `json:"action"`
 		ResourceType string `json:"resourceType"`
 		ResourceID   string `json:"resourceId,omitempty"`
 		Detail       string `json:"detail,omitempty"`
 		RemoteIP     string `json:"remoteIp,omitempty"`
 		CreatedAt    string `json:"createdAt"`
 	}
 	return func(writer http.ResponseWriter, request *http.Request) {
 		limit := auditLogDefaultLimit
 		if limitStr := request.URL.Query().Get("limit"); limitStr != "" {
 			parsed, parseErr := strconv.Atoi(limitStr)
 			if parseErr == nil && parsed > 0 && parsed <= auditLogMaxLimit {
 				limit = parsed
 			}
 		}
 		entries, err := h.audit.Recent(request.Context(), limit)
 		if err != nil {
 			h.log.Error("failed to fetch audit log", "error", err)
 			h.respondJSON(writer, request,
 				map[string]string{"error": "failed to fetch audit log"},
 				http.StatusInternalServerError)
 			return
 		}
 		result := make([]auditEntryResponse, 0, len(entries))
 		for _, e := range entries {
 			entry := auditEntryResponse{
 				ID:           e.ID,
 				Username:     e.Username,
 				Action:       string(e.Action),
 				ResourceType: string(e.ResourceType),
 				CreatedAt:    e.CreatedAt.UTC().Format("2006-01-02T15:04:05Z"),
 			}
 			if e.UserID.Valid {
 				id := e.UserID.Int64
 				entry.UserID = &id
 			}
 			entry.ResourceID = nullStringValue(e.ResourceID)
 			entry.Detail = nullStringValue(e.Detail)
 			entry.RemoteIP = nullStringValue(e.RemoteIP)
 			result = append(result, entry)
 		}
 		h.respondJSON(writer, request, result, http.StatusOK)
 	}
 }
 // nullStringValue returns the string value if valid, empty string otherwise.
 func nullStringValue(ns sql.NullString) string {
 	if ns.Valid {
 		return ns.String
 	}
 	return ""
 }
--- a/internal/handlers/app.go
+++ b/internal/handlers/app.go
@@ -119,9 +119,6 @@ func (h *Handlers) HandleAppCreate() http.HandlerFunc { //nolint:funlen // valid
 			return
 		}
 		h.auditLog(request, models.AuditActionAppCreate,
 			models.AuditResourceApp, createdApp.ID, "created app: "+createdApp.Name)
 		http.Redirect(writer, request, "/apps/"+createdApp.ID, http.StatusSeeOther)
 	}
 }
@@ -292,9 +289,6 @@ func (h *Handlers) HandleAppUpdate() http.HandlerFunc { //nolint:funlen // valid
 			return
 		}
 		h.auditLog(request, models.AuditActionAppUpdate,
 			models.AuditResourceApp, application.ID, "updated app: "+application.Name)
 		redirectURL := "/apps/" + application.ID + "?success=updated"
 		http.Redirect(writer, request, redirectURL, http.StatusSeeOther)
 	}
@@ -350,9 +344,6 @@ func (h *Handlers) HandleAppDelete() http.HandlerFunc {
 			return
 		}
 		h.auditLog(request, models.AuditActionAppDelete,
 			models.AuditResourceApp, appID, "deleted app: "+application.Name)
 		http.Redirect(writer, request, "/", http.StatusSeeOther)
 	}
 }
@@ -369,9 +360,6 @@ func (h *Handlers) HandleAppDeploy() http.HandlerFunc {
 			return
 		}
 		h.auditLog(request, models.AuditActionAppDeploy,
 			models.AuditResourceApp, application.ID, "manual deploy: "+application.Name)
 		// Trigger deployment in background with a detached context
 		// so the deployment continues even if the HTTP request is cancelled
 		deployCtx := context.WithoutCancel(request.Context())
@@ -411,8 +399,6 @@ func (h *Handlers) HandleCancelDeploy() http.HandlerFunc {
 		cancelled := h.deploy.CancelDeploy(application.ID)
 		if cancelled {
 			h.log.Info("deployment cancelled by user", "app", application.Name)
 			h.auditLog(request, models.AuditActionDeployCancel,
 				models.AuditResourceDeployment, application.ID, "cancelled deploy: "+application.Name)
 		}
 		http.Redirect(
@@ -444,9 +430,6 @@ func (h *Handlers) HandleAppRollback() http.HandlerFunc {
 			return
 		}
 		h.auditLog(request, models.AuditActionAppRollback,
 			models.AuditResourceApp, application.ID, "rolled back: "+application.Name)
 		http.Redirect(writer, request, "/apps/"+application.ID+"?success=rolledback", http.StatusSeeOther)
 	}
 }
@@ -851,29 +834,11 @@ func (h *Handlers) handleContainerAction(
 	} else {
 		h.log.Info("container action completed",
 			"action", action, "app", application.Name, "container", containerID)
 		auditAction := containerActionToAuditAction(action)
 		h.auditLog(request, auditAction,
 			models.AuditResourceApp, appID, string(action)+" container: "+application.Name)
 	}
 	http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
 }
 // containerActionToAuditAction maps container actions to audit actions.
 func containerActionToAuditAction(action containerAction) models.AuditAction {
 	switch action {
 	case actionRestart:
 		return models.AuditActionAppRestart
 	case actionStop:
 		return models.AuditActionAppStop
 	case actionStart:
 		return models.AuditActionAppStart
 	default:
 		return models.AuditAction("app." + string(action))
 	}
 }
 // HandleAppRestart handles restarting an app's container.
 func (h *Handlers) HandleAppRestart() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
@@ -938,96 +903,50 @@ func (h *Handlers) addKeyValueToApp(
 	http.Redirect(writer, request, "/apps/"+application.ID, http.StatusSeeOther)
 }
-// envPairJSON represents a key-value pair in the JSON request body.
+// HandleEnvVarAdd handles adding an environment variable.
-type envPairJSON struct {
+func (h *Handlers) HandleEnvVarAdd() http.HandlerFunc {
-	Key   string `json:"key"`
+	return func(writer http.ResponseWriter, request *http.Request) {
-	Value string `json:"value"`
+		h.addKeyValueToApp(
 			writer,
 			request,
 			func(ctx context.Context, application *models.App, key, value string) error {
 				envVar := models.NewEnvVar(h.db)
 				envVar.AppID = application.ID
 				envVar.Key = key
 				envVar.Value = value
 				return envVar.Save(ctx)
 			},
 		)
 	}
 }
-// envVarMaxBodyBytes is the maximum allowed request body size for env var saves (1 MB).
+// HandleEnvVarDelete handles deleting an environment variable.
-const envVarMaxBodyBytes = 1 << 20
+func (h *Handlers) HandleEnvVarDelete() http.HandlerFunc {
 // validateEnvPairs validates env var pairs.
 // It rejects empty keys and duplicate keys (returns a non-empty error string).
 func validateEnvPairs(pairs []envPairJSON) ([]models.EnvVarPair, string) {
 	seen := make(map[string]bool, len(pairs))
 	result := make([]models.EnvVarPair, 0, len(pairs))
 	for _, p := range pairs {
 		trimmedKey := strings.TrimSpace(p.Key)
 		if trimmedKey == "" {
 			return nil, "empty environment variable key is not allowed"
 		}
 		if seen[trimmedKey] {
 			return nil, "duplicate environment variable key: " + trimmedKey
 		}
 		seen[trimmedKey] = true
 		result = append(result, models.EnvVarPair{Key: trimmedKey, Value: p.Value})
 	}
 	return result, ""
 }
 // HandleEnvVarSave handles bulk saving of all environment variables.
 // It reads a JSON array of {key, value} objects from the request body,
 // deletes all existing env vars for the app, and inserts the full
 // submitted set atomically within a database transaction.
 // Duplicate keys are rejected with a 400 Bad Request error.
 func (h *Handlers) HandleEnvVarSave() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		appID := chi.URLParam(request, "id")
 		envVarIDStr := chi.URLParam(request, "varID")
-		application, findErr := models.FindApp(request.Context(), h.db, appID)
+		envVarID, parseErr := strconv.ParseInt(envVarIDStr, 10, 64)
-		if findErr != nil || application == nil {
+		if parseErr != nil {
 			http.NotFound(writer, request)
 			return
 		}
-		// Limit request body size to prevent abuse
+		envVar, findErr := models.FindEnvVar(request.Context(), h.db, envVarID)
-		request.Body = http.MaxBytesReader(writer, request.Body, envVarMaxBodyBytes)
+		if findErr != nil || envVar == nil || envVar.AppID != appID {
-
+			http.NotFound(writer, request)
 		var pairs []envPairJSON
 		decodeErr := json.NewDecoder(request.Body).Decode(&pairs)
 		if decodeErr != nil {
 			h.respondJSON(writer, request, map[string]string{
 				"error": "invalid request body",
 			}, http.StatusBadRequest)
 			return
 		}
-		modelPairs, validationErr := validateEnvPairs(pairs)
+		deleteErr := envVar.Delete(request.Context())
-		if validationErr != "" {
+		if deleteErr != nil {
-			h.respondJSON(writer, request, map[string]string{
+			h.log.Error("failed to delete env var", "error", deleteErr)
 				"error": validationErr,
 			}, http.StatusBadRequest)
 			return
 		}
-		replaceErr := models.ReplaceEnvVarsByAppID(
+		http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
 			request.Context(), h.db, application.ID, modelPairs,
 		)
 		if replaceErr != nil {
 			h.log.Error("failed to replace env vars", "error", replaceErr)
 			h.respondJSON(writer, request, map[string]string{
 				"error": "failed to save environment variables",
 			}, http.StatusInternalServerError)
 			return
 		}
 		h.auditLog(request, models.AuditActionEnvVarSave,
 			models.AuditResourceEnvVar, application.ID,
 			fmt.Sprintf("saved %d env vars", len(modelPairs)))
 		h.respondJSON(writer, request, map[string]bool{"ok": true}, http.StatusOK)
 	}
 }
@@ -1043,13 +962,7 @@ func (h *Handlers) HandleLabelAdd() http.HandlerFunc {
 				label.Key = key
 				label.Value = value
-				err := label.Save(ctx)
+				return label.Save(ctx)
 				if err == nil {
 					h.auditLog(request, models.AuditActionLabelAdd,
 						models.AuditResourceLabel, application.ID, "added label: "+key)
 				}
 				return err
 			},
 		)
 	}
@@ -1078,9 +991,6 @@ func (h *Handlers) HandleLabelDelete() http.HandlerFunc {
 		deleteErr := label.Delete(request.Context())
 		if deleteErr != nil {
 			h.log.Error("failed to delete label", "error", deleteErr)
 		} else {
 			h.auditLog(request, models.AuditActionLabelDelete,
 				models.AuditResourceLabel, appID, "deleted label: "+label.Key)
 		}
 		http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
@@ -1138,10 +1048,6 @@ func (h *Handlers) HandleVolumeAdd() http.HandlerFunc {
 		saveErr := volume.Save(request.Context())
 		if saveErr != nil {
 			h.log.Error("failed to add volume", "error", saveErr)
 		} else {
 			h.auditLog(request, models.AuditActionVolumeAdd,
 				models.AuditResourceVolume, application.ID,
 				"added volume: "+hostPath+":"+containerPath)
 		}
 		http.Redirect(writer, request, "/apps/"+application.ID, http.StatusSeeOther)
@@ -1171,10 +1077,6 @@ func (h *Handlers) HandleVolumeDelete() http.HandlerFunc {
 		deleteErr := volume.Delete(request.Context())
 		if deleteErr != nil {
 			h.log.Error("failed to delete volume", "error", deleteErr)
 		} else {
 			h.auditLog(request, models.AuditActionVolumeDelete,
 				models.AuditResourceVolume, appID,
 				"deleted volume: "+volume.HostPath+":"+volume.ContainerPath)
 		}
 		http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
@@ -1224,10 +1126,6 @@ func (h *Handlers) HandlePortAdd() http.HandlerFunc {
 		saveErr := port.Save(request.Context())
 		if saveErr != nil {
 			h.log.Error("failed to save port", "error", saveErr)
 		} else {
 			h.auditLog(request, models.AuditActionPortAdd,
 				models.AuditResourcePort, application.ID,
 				fmt.Sprintf("added port: %d:%d/%s", hostPort, containerPort, protocol))
 		}
 		http.Redirect(writer, request, "/apps/"+application.ID, http.StatusSeeOther)
@@ -1274,10 +1172,6 @@ func (h *Handlers) HandlePortDelete() http.HandlerFunc {
 		deleteErr := port.Delete(request.Context())
 		if deleteErr != nil {
 			h.log.Error("failed to delete port", "error", deleteErr)
 		} else {
 			h.auditLog(request, models.AuditActionPortDelete,
 				models.AuditResourcePort, appID,
 				fmt.Sprintf("deleted port: %d:%d/%s", port.HostPort, port.ContainerPort, port.Protocol))
 		}
 		http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
@@ -1311,6 +1205,59 @@ func ValidateVolumePath(p string) error {
 	return nil
 }
 // HandleEnvVarEdit handles editing an existing environment variable.
 func (h *Handlers) HandleEnvVarEdit() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		appID := chi.URLParam(request, "id")
 		envVarIDStr := chi.URLParam(request, "varID")
 		envVarID, parseErr := strconv.ParseInt(envVarIDStr, 10, 64)
 		if parseErr != nil {
 			http.NotFound(writer, request)
 			return
 		}
 		envVar, findErr := models.FindEnvVar(request.Context(), h.db, envVarID)
 		if findErr != nil || envVar == nil || envVar.AppID != appID {
 			http.NotFound(writer, request)
 			return
 		}
 		formErr := request.ParseForm()
 		if formErr != nil {
 			http.Error(writer, "Bad Request", http.StatusBadRequest)
 			return
 		}
 		key := request.FormValue("key")
 		value := request.FormValue("value")
 		if key == "" || value == "" {
 			http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
 			return
 		}
 		envVar.Key = key
 		envVar.Value = value
 		saveErr := envVar.Save(request.Context())
 		if saveErr != nil {
 			h.log.Error("failed to update env var", "error", saveErr)
 		}
 		http.Redirect(
 			writer,
 			request,
 			"/apps/"+appID+"?success=env-updated",
 			http.StatusSeeOther,
 		)
 	}
 }
 // HandleLabelEdit handles editing an existing label.
 func (h *Handlers) HandleLabelEdit() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
@@ -1353,9 +1300,6 @@ func (h *Handlers) HandleLabelEdit() http.HandlerFunc {
 		saveErr := label.Save(request.Context())
 		if saveErr != nil {
 			h.log.Error("failed to update label", "error", saveErr)
 		} else {
 			h.auditLog(request, models.AuditActionLabelEdit,
 				models.AuditResourceLabel, appID, "edited label: "+key)
 		}
 		http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
@@ -1414,10 +1358,6 @@ func (h *Handlers) HandleVolumeEdit() http.HandlerFunc {
 		saveErr := volume.Save(request.Context())
 		if saveErr != nil {
 			h.log.Error("failed to update volume", "error", saveErr)
 		} else {
 			h.auditLog(request, models.AuditActionVolumeEdit,
 				models.AuditResourceVolume, appID,
 				"edited volume: "+hostPath+":"+containerPath)
 		}
 		http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
--- a/internal/handlers/auth.go
+++ b/internal/handlers/auth.go
@@ -3,7 +3,6 @@ package handlers
 import (
 	"net/http"
 	"sneak.berlin/go/upaas/internal/models"
 	"sneak.berlin/go/upaas/templates"
 )
@@ -62,9 +61,6 @@ func (h *Handlers) HandleLoginPOST() http.HandlerFunc {
 			return
 		}
 		h.auditLog(request, models.AuditActionLogin,
 			models.AuditResourceSession, "", "user logged in")
 		http.Redirect(writer, request, "/", http.StatusSeeOther)
 	}
 }
@@ -72,9 +68,6 @@ func (h *Handlers) HandleLoginPOST() http.HandlerFunc {
 // HandleLogout handles logout requests.
 func (h *Handlers) HandleLogout() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		h.auditLog(request, models.AuditActionLogout,
 			models.AuditResourceSession, "", "user logged out")
 		destroyErr := h.auth.DestroySession(writer, request)
 		if destroyErr != nil {
 			h.log.Error("failed to destroy session", "error", destroyErr)
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -15,9 +15,7 @@ import (
 	"sneak.berlin/go/upaas/internal/globals"
 	"sneak.berlin/go/upaas/internal/healthcheck"
 	"sneak.berlin/go/upaas/internal/logger"
 	"sneak.berlin/go/upaas/internal/models"
 	"sneak.berlin/go/upaas/internal/service/app"
 	"sneak.berlin/go/upaas/internal/service/audit"
 	"sneak.berlin/go/upaas/internal/service/auth"
 	"sneak.berlin/go/upaas/internal/service/deploy"
 	"sneak.berlin/go/upaas/internal/service/webhook"
@@ -37,7 +35,6 @@ type Params struct {
 	Deploy      *deploy.Service
 	Webhook     *webhook.Service
 	Docker      *docker.Client
 	Audit       *audit.Service
 }
 // Handlers provides HTTP request handlers.
@@ -51,7 +48,6 @@ type Handlers struct {
 	deploy     *deploy.Service
 	webhook    *webhook.Service
 	docker     *docker.Client
 	audit      *audit.Service
 	globals    *globals.Globals
 }
@@ -67,48 +63,10 @@ func New(_ fx.Lifecycle, params Params) (*Handlers, error) {
 		deploy:     params.Deploy,
 		webhook:    params.Webhook,
 		docker:     params.Docker,
 		audit:      params.Audit,
 		globals:    params.Globals,
 	}, nil
 }
 // currentUser returns the currently authenticated user, or nil if not authenticated.
 func (h *Handlers) currentUser(request *http.Request) *models.User {
 	user, err := h.auth.GetCurrentUser(request.Context(), request)
 	if err != nil || user == nil {
 		return nil
 	}
 	return user
 }
 // auditLog records an audit entry for the current request.
 func (h *Handlers) auditLog(
 	request *http.Request,
 	action models.AuditAction,
 	resourceType models.AuditResourceType,
 	resourceID string,
 	detail string,
 ) {
 	user := h.currentUser(request)
 	entry := audit.LogEntry{
 		Action:       action,
 		ResourceType: resourceType,
 		ResourceID:   resourceID,
 		Detail:       detail,
 	}
 	if user != nil {
 		entry.UserID = user.ID
 		entry.Username = user.Username
 	} else {
 		entry.Username = "anonymous"
 	}
 	h.audit.LogFromRequest(request.Context(), request, entry)
 }
 // addGlobals adds version info and CSRF token to template data map.
 func (h *Handlers) addGlobals(
 	data map[string]any,
--- a/internal/handlers/handlers_test.go
+++ b/internal/handlers/handlers_test.go
@@ -11,7 +11,6 @@ import (
 	"time"
 	"github.com/go-chi/chi/v5"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"
@@ -25,10 +24,8 @@ import (
 	"sneak.berlin/go/upaas/internal/handlers"
 	"sneak.berlin/go/upaas/internal/healthcheck"
 	"sneak.berlin/go/upaas/internal/logger"
 	"sneak.berlin/go/upaas/internal/metrics"
 	"sneak.berlin/go/upaas/internal/middleware"
 	"sneak.berlin/go/upaas/internal/service/app"
 	"sneak.berlin/go/upaas/internal/service/audit"
 	"sneak.berlin/go/upaas/internal/service/auth"
 	"sneak.berlin/go/upaas/internal/service/deploy"
 	"sneak.berlin/go/upaas/internal/service/notify"
@@ -95,8 +92,7 @@ func createAppServices(
 	logInstance *logger.Logger,
 	dbInstance *database.Database,
 	cfg *config.Config,
-	metricsInstance *metrics.Metrics,
+) (*auth.Service, *app.Service, *deploy.Service, *webhook.Service, *docker.Client) {
 ) (*auth.Service, *app.Service, *deploy.Service, *webhook.Service, *docker.Client, *audit.Service) {
 	t.Helper()
 	authSvc, authErr := auth.New(fx.Lifecycle(nil), auth.ServiceParams{
@@ -129,7 +125,6 @@ func createAppServices(
 		Database: dbInstance,
 		Docker:   dockerClient,
 		Notify:   notifySvc,
 		Metrics:  metricsInstance,
 	})
 	require.NoError(t, deployErr)
@@ -137,18 +132,10 @@ func createAppServices(
 		Logger:   logInstance,
 		Database: dbInstance,
 		Deploy:   deploySvc,
 		Metrics:  metricsInstance,
 	})
 	require.NoError(t, webhookErr)
-	auditSvc, auditErr := audit.New(fx.Lifecycle(nil), audit.ServiceParams{
+	return authSvc, appSvc, deploySvc, webhookSvc, dockerClient
 		Logger:   logInstance,
 		Database: dbInstance,
 		Metrics:  metricsInstance,
 	})
 	require.NoError(t, auditErr)
 	return authSvc, appSvc, deploySvc, webhookSvc, dockerClient, auditSvc
 }
 func setupTestHandlers(t *testing.T) *testContext {
@@ -158,14 +145,11 @@ func setupTestHandlers(t *testing.T) *testContext {
 	globalInstance, logInstance, dbInstance, hcInstance := createCoreServices(t, cfg)
-	metricsInstance := metrics.NewForTest(prometheus.NewRegistry())
+	authSvc, appSvc, deploySvc, webhookSvc, dockerClient := createAppServices(
 	authSvc, appSvc, deploySvc, webhookSvc, dockerClient, auditSvc := createAppServices(
 		t,
 		logInstance,
 		dbInstance,
 		cfg,
 		metricsInstance,
 	)
 	handlersInstance, handlerErr := handlers.New(
@@ -180,7 +164,6 @@ func setupTestHandlers(t *testing.T) *testContext {
 			Deploy:      deploySvc,
 			Webhook:     webhookSvc,
 			Docker:      dockerClient,
 			Audit:       auditSvc,
 		},
 	)
 	require.NoError(t, handlerErr)
@@ -190,7 +173,6 @@ func setupTestHandlers(t *testing.T) *testContext {
 		Globals: globalInstance,
 		Config:  cfg,
 		Auth:    authSvc,
 		Metrics: metricsInstance,
 	})
 	require.NoError(t, mwErr)
@@ -578,242 +560,45 @@ func testOwnershipVerification(t *testing.T, cfg ownedResourceTestConfig) {
 	cfg.verifyFn(t, testCtx, resourceID)
 }
-// TestHandleEnvVarSaveBulk tests that HandleEnvVarSave replaces all env vars
+// TestDeleteEnvVarOwnershipVerification tests that deleting an env var
-// for an app with the submitted set (monolithic delete-all + insert-all).
+// via another app's URL path returns 404 (IDOR prevention).
-func TestHandleEnvVarSaveBulk(t *testing.T) {
+func TestDeleteEnvVarOwnershipVerification(t *testing.T) { //nolint:dupl // intentionally similar IDOR test pattern
 	t.Parallel()
-	testCtx := setupTestHandlers(t)
+	testOwnershipVerification(t, ownedResourceTestConfig{
-	createdApp := createTestApp(t, testCtx, "envvar-bulk-app")
+		appPrefix1: "envvar-owner-app",
 		appPrefix2: "envvar-other-app",
 		createFn: func(t *testing.T, tc *testContext, ownerApp *models.App) int64 {
 			t.Helper()
-	// Create some pre-existing env vars
+			envVar := models.NewEnvVar(tc.database)
-	for _, kv := range [][2]string{{"OLD_KEY", "old_value"}, {"REMOVE_ME", "gone"}} {
+			envVar.AppID = ownerApp.ID
-		ev := models.NewEnvVar(testCtx.database)
+			envVar.Key = "SECRET"
-		ev.AppID = createdApp.ID
+			envVar.Value = "hunter2"
-		ev.Key = kv[0]
+			require.NoError(t, envVar.Save(context.Background()))
 		ev.Value = kv[1]
 		require.NoError(t, ev.Save(context.Background()))
 	}
-	// Submit a new set as a JSON array of key/value objects
+			return envVar.ID
-	body := `[{"key":"NEW_KEY","value":"new_value"},{"key":"ANOTHER","value":"42"}]`
+		},
 		deletePath: func(appID string, resourceID int64) string {
 			return "/apps/" + appID + "/env/" + strconv.FormatInt(resourceID, 10) + "/delete"
 		},
 		chiParams: func(appID string, resourceID int64) map[string]string {
 			return map[string]string{"id": appID, "varID": strconv.FormatInt(resourceID, 10)}
 		},
 		handler: func(h *handlers.Handlers) http.HandlerFunc { return h.HandleEnvVarDelete() },
 		verifyFn: func(t *testing.T, tc *testContext, resourceID int64) {
 			t.Helper()
-	r := chi.NewRouter()
+			found, findErr := models.FindEnvVar(context.Background(), tc.database, resourceID)
-	r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
+			require.NoError(t, findErr)
-
+			assert.NotNil(t, found, "env var should still exist after IDOR attempt")
-	request := httptest.NewRequest(
+		},
-		http.MethodPost,
+	})
 		"/apps/"+createdApp.ID+"/env",
 		strings.NewReader(body),
 	)
 	request.Header.Set("Content-Type", "application/json")
 	recorder := httptest.NewRecorder()
 	r.ServeHTTP(recorder, request)
 	assert.Equal(t, http.StatusOK, recorder.Code)
 	// Verify old env vars are gone and new ones exist
 	envVars, err := models.FindEnvVarsByAppID(
 		context.Background(), testCtx.database, createdApp.ID,
 	)
 	require.NoError(t, err)
 	assert.Len(t, envVars, 2)
 	keys := make(map[string]string)
 	for _, ev := range envVars {
 		keys[ev.Key] = ev.Value
 	}
 	assert.Equal(t, "new_value", keys["NEW_KEY"])
 	assert.Equal(t, "42", keys["ANOTHER"])
 	assert.Empty(t, keys["OLD_KEY"], "old env vars should be deleted")
 	assert.Empty(t, keys["REMOVE_ME"], "old env vars should be deleted")
 }
 // TestHandleEnvVarSaveAppNotFound tests that HandleEnvVarSave returns 404
 // for a non-existent app.
 func TestHandleEnvVarSaveAppNotFound(t *testing.T) {
 	t.Parallel()
 	testCtx := setupTestHandlers(t)
 	body := `[{"key":"KEY","value":"value"}]`
 	r := chi.NewRouter()
 	r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
 	request := httptest.NewRequest(
 		http.MethodPost,
 		"/apps/nonexistent-id/env",
 		strings.NewReader(body),
 	)
 	request.Header.Set("Content-Type", "application/json")
 	recorder := httptest.NewRecorder()
 	r.ServeHTTP(recorder, request)
 	assert.Equal(t, http.StatusNotFound, recorder.Code)
 }
 // TestHandleEnvVarSaveEmptyKeyRejected verifies that submitting a JSON
 // array containing an entry with an empty key returns 400.
 func TestHandleEnvVarSaveEmptyKeyRejected(t *testing.T) {
 	t.Parallel()
 	testCtx := setupTestHandlers(t)
 	createdApp := createTestApp(t, testCtx, "envvar-emptykey-app")
 	body := `[{"key":"VALID_KEY","value":"ok"},{"key":"","value":"bad"}]`
 	r := chi.NewRouter()
 	r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
 	request := httptest.NewRequest(
 		http.MethodPost,
 		"/apps/"+createdApp.ID+"/env",
 		strings.NewReader(body),
 	)
 	request.Header.Set("Content-Type", "application/json")
 	recorder := httptest.NewRecorder()
 	r.ServeHTTP(recorder, request)
 	assert.Equal(t, http.StatusBadRequest, recorder.Code)
 }
 // TestHandleEnvVarSaveDuplicateKeyRejected verifies that when the client
 // sends duplicate keys, the server rejects them with 400 Bad Request.
 func TestHandleEnvVarSaveDuplicateKeyRejected(t *testing.T) {
 	t.Parallel()
 	testCtx := setupTestHandlers(t)
 	createdApp := createTestApp(t, testCtx, "envvar-dedup-app")
 	// Send two entries with the same key — should be rejected
 	body := `[{"key":"FOO","value":"first"},{"key":"BAR","value":"bar"},{"key":"FOO","value":"second"}]`
 	r := chi.NewRouter()
 	r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
 	request := httptest.NewRequest(
 		http.MethodPost,
 		"/apps/"+createdApp.ID+"/env",
 		strings.NewReader(body),
 	)
 	request.Header.Set("Content-Type", "application/json")
 	recorder := httptest.NewRecorder()
 	r.ServeHTTP(recorder, request)
 	assert.Equal(t, http.StatusBadRequest, recorder.Code)
 	assert.Contains(t, recorder.Body.String(), "duplicate environment variable key: FOO")
 }
 // TestHandleEnvVarSaveCrossAppIsolation verifies that posting env vars
 // to appA's endpoint does not affect appB's env vars (IDOR prevention).
 func TestHandleEnvVarSaveCrossAppIsolation(t *testing.T) {
 	t.Parallel()
 	testCtx := setupTestHandlers(t)
 	appA := createTestApp(t, testCtx, "envvar-iso-appA")
 	appB := createTestApp(t, testCtx, "envvar-iso-appB")
 	// Give appB some env vars
 	for _, kv := range [][2]string{{"B_KEY1", "b_val1"}, {"B_KEY2", "b_val2"}} {
 		ev := models.NewEnvVar(testCtx.database)
 		ev.AppID = appB.ID
 		ev.Key = kv[0]
 		ev.Value = kv[1]
 		require.NoError(t, ev.Save(context.Background()))
 	}
 	// POST new env vars to appA's endpoint
 	body := `[{"key":"A_KEY","value":"a_val"}]`
 	r := chi.NewRouter()
 	r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
 	request := httptest.NewRequest(
 		http.MethodPost,
 		"/apps/"+appA.ID+"/env",
 		strings.NewReader(body),
 	)
 	request.Header.Set("Content-Type", "application/json")
 	recorder := httptest.NewRecorder()
 	r.ServeHTTP(recorder, request)
 	assert.Equal(t, http.StatusOK, recorder.Code)
 	// Verify appA has exactly what we sent
 	appAVars, err := models.FindEnvVarsByAppID(
 		context.Background(), testCtx.database, appA.ID,
 	)
 	require.NoError(t, err)
 	assert.Len(t, appAVars, 1)
 	assert.Equal(t, "A_KEY", appAVars[0].Key)
 	// Verify appB's env vars are completely untouched
 	appBVars, err := models.FindEnvVarsByAppID(
 		context.Background(), testCtx.database, appB.ID,
 	)
 	require.NoError(t, err)
 	assert.Len(t, appBVars, 2, "appB env vars must not be affected")
 	bKeys := make(map[string]string)
 	for _, ev := range appBVars {
 		bKeys[ev.Key] = ev.Value
 	}
 	assert.Equal(t, "b_val1", bKeys["B_KEY1"])
 	assert.Equal(t, "b_val2", bKeys["B_KEY2"])
 }
 // TestHandleEnvVarSaveBodySizeLimit verifies that a request body
 // exceeding the 1 MB limit is rejected.
 func TestHandleEnvVarSaveBodySizeLimit(t *testing.T) {
 	t.Parallel()
 	testCtx := setupTestHandlers(t)
 	createdApp := createTestApp(t, testCtx, "envvar-sizelimit-app")
 	// Build a JSON body that exceeds 1 MB
 	// Each entry is ~30 bytes; 40000 entries ≈ 1.2 MB
 	var sb strings.Builder
 	sb.WriteString("[")
 	for i := range 40000 {
 		if i > 0 {
 			sb.WriteString(",")
 		}
 		sb.WriteString(`{"key":"K` + strconv.Itoa(i) + `","value":"val"}`)
 	}
 	sb.WriteString("]")
 	r := chi.NewRouter()
 	r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
 	request := httptest.NewRequest(
 		http.MethodPost,
 		"/apps/"+createdApp.ID+"/env",
 		strings.NewReader(sb.String()),
 	)
 	request.Header.Set("Content-Type", "application/json")
 	recorder := httptest.NewRecorder()
 	r.ServeHTTP(recorder, request)
 	assert.Equal(t, http.StatusBadRequest, recorder.Code,
 		"oversized body should be rejected with 400")
 }
 // TestDeleteLabelOwnershipVerification tests that deleting a label
 // via another app's URL path returns 404 (IDOR prevention).
-func TestDeleteLabelOwnershipVerification(t *testing.T) {
+func TestDeleteLabelOwnershipVerification(t *testing.T) { //nolint:dupl // intentionally similar IDOR test pattern
 	t.Parallel()
 	testOwnershipVerification(t, ownedResourceTestConfig{
@@ -929,43 +714,41 @@ func TestDeletePortOwnershipVerification(t *testing.T) {
 	assert.NotNil(t, found, "port should still exist after IDOR attempt")
 }
-// TestHandleEnvVarSaveEmptyClears verifies that submitting an empty JSON
+// TestHandleEnvVarDeleteUsesCorrectRouteParam verifies that HandleEnvVarDelete
-// array deletes all existing env vars for the app.
+// reads the "varID" chi URL parameter (matching the route definition {varID}),
-func TestHandleEnvVarSaveEmptyClears(t *testing.T) {
+// not a mismatched name like "envID".
 func TestHandleEnvVarDeleteUsesCorrectRouteParam(t *testing.T) {
 	t.Parallel()
 	testCtx := setupTestHandlers(t)
 	createdApp := createTestApp(t, testCtx, "envvar-clear-app")
-	// Create a pre-existing env var
+	createdApp := createTestApp(t, testCtx, "envdelete-param-app")
 	ev := models.NewEnvVar(testCtx.database)
 	ev.AppID = createdApp.ID
 	ev.Key = "DELETE_ME"
 	ev.Value = "gone"
 	require.NoError(t, ev.Save(context.Background()))
-	// Submit empty JSON array
+	envVar := models.NewEnvVar(testCtx.database)
 	envVar.AppID = createdApp.ID
 	envVar.Key = "DELETE_ME"
 	envVar.Value = "gone"
 	require.NoError(t, envVar.Save(context.Background()))
 	// Use chi router with the real route pattern to test param name
 	r := chi.NewRouter()
-	r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
+	r.Post("/apps/{id}/env-vars/{varID}/delete", testCtx.handlers.HandleEnvVarDelete())
 	request := httptest.NewRequest(
 		http.MethodPost,
-		"/apps/"+createdApp.ID+"/env",
+		"/apps/"+createdApp.ID+"/env-vars/"+strconv.FormatInt(envVar.ID, 10)+"/delete",
-		strings.NewReader("[]"),
+		nil,
 	)
 	request.Header.Set("Content-Type", "application/json")
 	recorder := httptest.NewRecorder()
 	r.ServeHTTP(recorder, request)
-	assert.Equal(t, http.StatusOK, recorder.Code)
+	assert.Equal(t, http.StatusSeeOther, recorder.Code)
-	// Verify all env vars are gone
+	// Verify the env var was actually deleted
-	envVars, err := models.FindEnvVarsByAppID(
+	found, findErr := models.FindEnvVar(context.Background(), testCtx.database, envVar.ID)
-		context.Background(), testCtx.database, createdApp.ID,
+	require.NoError(t, findErr)
-	)
+	assert.Nil(t, found, "env var should be deleted when using correct route param")
 	require.NoError(t, err)
 	assert.Empty(t, envVars, "all env vars should be deleted")
 }
 // TestHandleVolumeAddValidatesPaths verifies that HandleVolumeAdd validates
--- a/internal/handlers/setup.go
+++ b/internal/handlers/setup.go
@@ -3,7 +3,6 @@ package handlers
 import (
 	"net/http"
 	"sneak.berlin/go/upaas/internal/models"
 	"sneak.berlin/go/upaas/templates"
 )
@@ -112,9 +111,6 @@ func (h *Handlers) HandleSetupPOST() http.HandlerFunc {
 			return
 		}
 		h.auditLog(request, models.AuditActionSetup,
 			models.AuditResourceUser, "", "initial setup completed")
 		http.Redirect(writer, request, "/", http.StatusSeeOther)
 	}
 }
--- a/internal/handlers/webhook.go
+++ b/internal/handlers/webhook.go
@@ -7,14 +7,13 @@ import (
 	"github.com/go-chi/chi/v5"
 	"sneak.berlin/go/upaas/internal/models"
 	"sneak.berlin/go/upaas/internal/service/audit"
 )
 // maxWebhookBodySize is the maximum allowed size of a webhook request body (1MB).
 const maxWebhookBodySize = 1 << 20
 // HandleWebhook handles incoming Gitea webhooks.
-func (h *Handlers) HandleWebhook() http.HandlerFunc { //nolint:funlen // audit logging adds necessary length
+func (h *Handlers) HandleWebhook() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		secret := chi.URLParam(request, "secret")
 		if secret == "" {
@@ -57,15 +56,6 @@ func (h *Handlers) HandleWebhook() http.HandlerFunc { //nolint:funlen // audit l
 			eventType = "push"
 		}
 		// Log webhook receipt
 		h.audit.LogFromRequest(request.Context(), request, audit.LogEntry{
 			Username:     "webhook",
 			Action:       models.AuditActionWebhookReceive,
 			ResourceType: models.AuditResourceWebhook,
 			ResourceID:   application.ID,
 			Detail:       "webhook from app: " + application.Name + ", event: " + eventType,
 		})
 		// Process webhook
 		webhookErr := h.webhook.HandleWebhook(
 			request.Context(),
--- a/internal/metrics/metrics.go
+++ b/internal/metrics/metrics.go
@@ -1,148 +0,0 @@
 // Package metrics provides Prometheus metrics for upaas.
 //
 //nolint:revive // "metrics" matches the domain; runtime/metrics is rarely imported directly
 package metrics
 import (
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promauto"
 	"go.uber.org/fx"
 )
 // Params contains dependencies for Metrics.
 type Params struct {
 	fx.In
 }
 // Metrics holds all Prometheus metrics for the application.
 type Metrics struct {
 	// Deployment metrics.
 	DeploymentsTotal    *prometheus.CounterVec
 	DeploymentDuration  *prometheus.HistogramVec
 	DeploymentsInFlight *prometheus.GaugeVec
 	// Container health metrics.
 	ContainerHealthy *prometheus.GaugeVec
 	// Webhook metrics.
 	WebhookEventsTotal *prometheus.CounterVec
 	// HTTP request metrics.
 	HTTPRequestsTotal     *prometheus.CounterVec
 	HTTPRequestDuration   *prometheus.HistogramVec
 	HTTPResponseSizeBytes *prometheus.HistogramVec
 	// Audit log metrics.
 	AuditEventsTotal *prometheus.CounterVec
 }
 // New creates a new Metrics instance with all Prometheus metrics registered
 // in the default Prometheus registry.
 func New(_ fx.Lifecycle, _ Params) (*Metrics, error) {
 	return newMetrics(promauto.With(prometheus.DefaultRegisterer)), nil
 }
 // NewForTest creates a Metrics instance with a custom registry for test isolation.
 func NewForTest(reg prometheus.Registerer) *Metrics {
 	return newMetrics(promauto.With(reg))
 }
 // newMetrics creates a Metrics instance using the given factory.
 func newMetrics(factory promauto.Factory) *Metrics {
 	return &Metrics{
 		DeploymentsTotal:      newDeploymentsTotal(factory),
 		DeploymentDuration:    newDeploymentDuration(factory),
 		DeploymentsInFlight:   newDeploymentsInFlight(factory),
 		ContainerHealthy:      newContainerHealthy(factory),
 		WebhookEventsTotal:    newWebhookEventsTotal(factory),
 		HTTPRequestsTotal:     newHTTPRequestsTotal(factory),
 		HTTPRequestDuration:   newHTTPRequestDuration(factory),
 		HTTPResponseSizeBytes: newHTTPResponseSizeBytes(factory),
 		AuditEventsTotal:      newAuditEventsTotal(factory),
 	}
 }
 func newDeploymentsTotal(f promauto.Factory) *prometheus.CounterVec {
 	return f.NewCounterVec(prometheus.CounterOpts{
 		Namespace: "upaas",
 		Subsystem: "deployments",
 		Name:      "total",
 		Help:      "Total number of deployments by app and status.",
 	}, []string{"app", "status"})
 }
 func newDeploymentDuration(f promauto.Factory) *prometheus.HistogramVec {
 	return f.NewHistogramVec(prometheus.HistogramOpts{
 		Namespace: "upaas",
 		Subsystem: "deployments",
 		Name:      "duration_seconds",
 		Help:      "Duration of deployments in seconds by app and status.",
 		Buckets:   []float64{10, 30, 60, 120, 300, 600, 1800},
 	}, []string{"app", "status"})
 }
 func newDeploymentsInFlight(f promauto.Factory) *prometheus.GaugeVec {
 	return f.NewGaugeVec(prometheus.GaugeOpts{
 		Namespace: "upaas",
 		Subsystem: "deployments",
 		Name:      "in_flight",
 		Help:      "Number of deployments currently in progress by app.",
 	}, []string{"app"})
 }
 func newContainerHealthy(f promauto.Factory) *prometheus.GaugeVec {
 	return f.NewGaugeVec(prometheus.GaugeOpts{
 		Namespace: "upaas",
 		Subsystem: "container",
 		Name:      "healthy",
 		Help:      "Whether the app container is healthy (1) or unhealthy (0).",
 	}, []string{"app"})
 }
 func newWebhookEventsTotal(f promauto.Factory) *prometheus.CounterVec {
 	return f.NewCounterVec(prometheus.CounterOpts{
 		Namespace: "upaas",
 		Subsystem: "webhook",
 		Name:      "events_total",
 		Help:      "Total number of webhook events by app, event type, and matched status.",
 	}, []string{"app", "event_type", "matched"})
 }
 func newHTTPRequestsTotal(f promauto.Factory) *prometheus.CounterVec {
 	return f.NewCounterVec(prometheus.CounterOpts{
 		Namespace: "upaas",
 		Subsystem: "http",
 		Name:      "requests_total",
 		Help:      "Total number of HTTP requests by method and status code.",
 	}, []string{"method", "status_code"})
 }
 func newHTTPRequestDuration(f promauto.Factory) *prometheus.HistogramVec {
 	return f.NewHistogramVec(prometheus.HistogramOpts{
 		Namespace: "upaas",
 		Subsystem: "http",
 		Name:      "request_duration_seconds",
 		Help:      "Duration of HTTP requests in seconds by method.",
 		Buckets:   prometheus.DefBuckets,
 	}, []string{"method"})
 }
 //nolint:mnd // bucket boundaries are domain-specific constants
 func newHTTPResponseSizeBytes(f promauto.Factory) *prometheus.HistogramVec {
 	return f.NewHistogramVec(prometheus.HistogramOpts{
 		Namespace: "upaas",
 		Subsystem: "http",
 		Name:      "response_size_bytes",
 		Help:      "Size of HTTP responses in bytes by method.",
 		Buckets:   prometheus.ExponentialBuckets(100, 10, 7),
 	}, []string{"method"})
 }
 func newAuditEventsTotal(f promauto.Factory) *prometheus.CounterVec {
 	return f.NewCounterVec(prometheus.CounterOpts{
 		Namespace: "upaas",
 		Subsystem: "audit",
 		Name:      "events_total",
 		Help:      "Total number of audit log events by action.",
 	}, []string{"action"})
 }
--- a/internal/metrics/metrics_test.go
+++ b/internal/metrics/metrics_test.go
@@ -1,158 +0,0 @@
 package metrics_test
 import (
 	"testing"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"
 	"sneak.berlin/go/upaas/internal/metrics"
 )
 func TestNewForTest(t *testing.T) {
 	t.Parallel()
 	reg := prometheus.NewRegistry()
 	m := metrics.NewForTest(reg)
 	require.NotNil(t, m)
 	assert.NotNil(t, m.DeploymentsTotal)
 	assert.NotNil(t, m.DeploymentDuration)
 	assert.NotNil(t, m.DeploymentsInFlight)
 	assert.NotNil(t, m.ContainerHealthy)
 	assert.NotNil(t, m.WebhookEventsTotal)
 	assert.NotNil(t, m.HTTPRequestsTotal)
 	assert.NotNil(t, m.HTTPRequestDuration)
 	assert.NotNil(t, m.HTTPResponseSizeBytes)
 	assert.NotNil(t, m.AuditEventsTotal)
 }
 func TestNew(t *testing.T) {
 	t.Parallel()
 	m, err := metrics.New(fx.Lifecycle(nil), metrics.Params{})
 	require.NoError(t, err)
 	require.NotNil(t, m)
 }
 func TestDeploymentMetrics(t *testing.T) {
 	t.Parallel()
 	reg := prometheus.NewRegistry()
 	m := metrics.NewForTest(reg)
 	m.DeploymentsTotal.WithLabelValues("test-app", "success").Inc()
 	m.DeploymentDuration.WithLabelValues("test-app", "success").Observe(42.5)
 	m.DeploymentsInFlight.WithLabelValues("test-app").Set(1)
 	families, err := reg.Gather()
 	require.NoError(t, err)
 	names := make(map[string]bool)
 	for _, f := range families {
 		names[f.GetName()] = true
 	}
 	assert.True(t, names["upaas_deployments_total"])
 	assert.True(t, names["upaas_deployments_duration_seconds"])
 	assert.True(t, names["upaas_deployments_in_flight"])
 }
 func TestContainerHealthMetrics(t *testing.T) {
 	t.Parallel()
 	reg := prometheus.NewRegistry()
 	m := metrics.NewForTest(reg)
 	m.ContainerHealthy.WithLabelValues("my-app").Set(1)
 	families, err := reg.Gather()
 	require.NoError(t, err)
 	found := false
 	for _, f := range families {
 		if f.GetName() == "upaas_container_healthy" {
 			found = true
 			break
 		}
 	}
 	assert.True(t, found)
 }
 func TestWebhookMetrics(t *testing.T) {
 	t.Parallel()
 	reg := prometheus.NewRegistry()
 	m := metrics.NewForTest(reg)
 	m.WebhookEventsTotal.WithLabelValues("test-app", "push", "true").Inc()
 	families, err := reg.Gather()
 	require.NoError(t, err)
 	found := false
 	for _, f := range families {
 		if f.GetName() == "upaas_webhook_events_total" {
 			found = true
 			break
 		}
 	}
 	assert.True(t, found)
 }
 func TestHTTPMetrics(t *testing.T) {
 	t.Parallel()
 	reg := prometheus.NewRegistry()
 	m := metrics.NewForTest(reg)
 	m.HTTPRequestsTotal.WithLabelValues("GET", "200").Inc()
 	m.HTTPRequestDuration.WithLabelValues("GET").Observe(0.05)
 	m.HTTPResponseSizeBytes.WithLabelValues("GET").Observe(1024)
 	families, err := reg.Gather()
 	require.NoError(t, err)
 	names := make(map[string]bool)
 	for _, f := range families {
 		names[f.GetName()] = true
 	}
 	assert.True(t, names["upaas_http_requests_total"])
 	assert.True(t, names["upaas_http_request_duration_seconds"])
 	assert.True(t, names["upaas_http_response_size_bytes"])
 }
 func TestAuditMetrics(t *testing.T) {
 	t.Parallel()
 	reg := prometheus.NewRegistry()
 	m := metrics.NewForTest(reg)
 	m.AuditEventsTotal.WithLabelValues("login").Inc()
 	families, err := reg.Gather()
 	require.NoError(t, err)
 	found := false
 	for _, f := range families {
 		if f.GetName() == "upaas_audit_events_total" {
 			found = true
 			break
 		}
 	}
 	assert.True(t, found)
 }
--- a/internal/middleware/middleware.go
+++ b/internal/middleware/middleware.go
@@ -21,7 +21,6 @@ import (
 	"sneak.berlin/go/upaas/internal/config"
 	"sneak.berlin/go/upaas/internal/globals"
 	"sneak.berlin/go/upaas/internal/logger"
 	"sneak.berlin/go/upaas/internal/metrics"
 	"sneak.berlin/go/upaas/internal/service/auth"
 )
@@ -36,13 +35,11 @@ type Params struct {
 	Globals *globals.Globals
 	Config  *config.Config
 	Auth    *auth.Service
 	Metrics *metrics.Metrics
 }
 // Middleware provides HTTP middleware.
 type Middleware struct {
 	log    *slog.Logger
 	metrics *metrics.Metrics
 	params *Params
 }
@@ -50,23 +47,21 @@ type Middleware struct {
 func New(_ fx.Lifecycle, params Params) (*Middleware, error) {
 	return &Middleware{
 		log:    params.Logger.Get(),
 		metrics: params.Metrics,
 		params: &params,
 	}, nil
 }
-// loggingResponseWriter wraps http.ResponseWriter to capture status code and bytes written.
+// loggingResponseWriter wraps http.ResponseWriter to capture status code.
 type loggingResponseWriter struct {
 	http.ResponseWriter
 	statusCode int
 	bytesWritten int
 }
 func newLoggingResponseWriter(
 	writer http.ResponseWriter,
 ) *loggingResponseWriter {
-	return &loggingResponseWriter{ResponseWriter: writer, statusCode: http.StatusOK}
+	return &loggingResponseWriter{writer, http.StatusOK}
 }
 func (lrw *loggingResponseWriter) WriteHeader(code int) {
@@ -74,14 +69,7 @@ func (lrw *loggingResponseWriter) WriteHeader(code int) {
 	lrw.ResponseWriter.WriteHeader(code)
 }
-func (lrw *loggingResponseWriter) Write(b []byte) (int, error) {
+// Logging returns a request logging middleware.
 	n, err := lrw.ResponseWriter.Write(b)
 	lrw.bytesWritten += n
 	return n, err
 }
 // Logging returns a request logging middleware that also records HTTP metrics.
 func (m *Middleware) Logging() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(
@@ -95,8 +83,6 @@ func (m *Middleware) Logging() func(http.Handler) http.Handler {
 			defer func() {
 				latency := time.Since(start)
 				reqID := middleware.GetReqID(ctx)
 				statusStr := strconv.Itoa(lrw.statusCode)
 				m.log.InfoContext(ctx, "request",
 					"request_start", start,
 					"method", request.Method,
@@ -105,21 +91,10 @@ func (m *Middleware) Logging() func(http.Handler) http.Handler {
 					"request_id", reqID,
 					"referer", request.Referer(),
 					"proto", request.Proto,
-					"remoteIP", RealIP(request),
+					"remoteIP", realIP(request),
 					"status", lrw.statusCode,
 					"bytes", lrw.bytesWritten,
 					"latency_ms", latency.Milliseconds(),
 				)
 				m.metrics.HTTPRequestsTotal.WithLabelValues(
 					request.Method, statusStr,
 				).Inc()
 				m.metrics.HTTPRequestDuration.WithLabelValues(
 					request.Method,
 				).Observe(latency.Seconds())
 				m.metrics.HTTPResponseSizeBytes.WithLabelValues(
 					request.Method,
 				).Observe(float64(lrw.bytesWritten))
 			}()
 			next.ServeHTTP(lrw, request)
@@ -170,11 +145,11 @@ func isTrustedProxy(ip net.IP) bool {
 	return false
 }
-// RealIP extracts the client's real IP address from the request.
+// realIP extracts the client's real IP address from the request.
 // Proxy headers (X-Real-IP, X-Forwarded-For) are only trusted when the
 // direct connection originates from an RFC1918/loopback address.
 // Otherwise, headers are ignored and RemoteAddr is used (fail closed).
-func RealIP(r *http.Request) string {
+func realIP(r *http.Request) string {
 	addr := ipFromHostPort(r.RemoteAddr)
 	remoteIP := net.ParseIP(addr)
@@ -365,7 +340,7 @@ func (m *Middleware) LoginRateLimit() func(http.Handler) http.Handler {
 			writer http.ResponseWriter,
 			request *http.Request,
 		) {
-			ip := RealIP(request)
+			ip := realIP(request)
 			limiter := loginLimiter.getLimiter(ip)
 			if !limiter.Allow() {
--- a/internal/middleware/realip_test.go
+++ b/internal/middleware/realip_test.go
@@ -1,4 +1,4 @@
-package middleware //nolint:testpackage // tests RealIP via internal package access
+package middleware //nolint:testpackage // tests unexported realIP function
 import (
 	"context"
@@ -126,9 +126,9 @@ func TestRealIP(t *testing.T) { //nolint:funlen // table-driven test
 				req.Header.Set("X-Forwarded-For", tt.xff)
 			}
-			got := RealIP(req)
+			got := realIP(req)
 			if got != tt.want {
-				t.Errorf("RealIP() = %q, want %q", got, tt.want)
+				t.Errorf("realIP() = %q, want %q", got, tt.want)
 			}
 		})
 	}
--- a/internal/models/audit_log.go
+++ b/internal/models/audit_log.go
@@ -1,193 +0,0 @@
 package models
 import (
 	"context"
 	"database/sql"
 	"fmt"
 	"time"
 	"sneak.berlin/go/upaas/internal/database"
 )
 // AuditAction represents the type of audited user action.
 type AuditAction string
 // Audit action constants.
 const (
 	AuditActionLogin          AuditAction = "login"
 	AuditActionLogout         AuditAction = "logout"
 	AuditActionAppCreate      AuditAction = "app.create"
 	AuditActionAppUpdate      AuditAction = "app.update"
 	AuditActionAppDelete      AuditAction = "app.delete"
 	AuditActionAppDeploy      AuditAction = "app.deploy"
 	AuditActionAppRollback    AuditAction = "app.rollback"
 	AuditActionAppRestart     AuditAction = "app.restart"
 	AuditActionAppStop        AuditAction = "app.stop"
 	AuditActionAppStart       AuditAction = "app.start"
 	AuditActionDeployCancel   AuditAction = "deploy.cancel"
 	AuditActionEnvVarSave     AuditAction = "env_var.save"
 	AuditActionLabelAdd       AuditAction = "label.add"
 	AuditActionLabelEdit      AuditAction = "label.edit"
 	AuditActionLabelDelete    AuditAction = "label.delete"
 	AuditActionVolumeAdd      AuditAction = "volume.add"
 	AuditActionVolumeEdit     AuditAction = "volume.edit"
 	AuditActionVolumeDelete   AuditAction = "volume.delete"
 	AuditActionPortAdd        AuditAction = "port.add"
 	AuditActionPortDelete     AuditAction = "port.delete"
 	AuditActionSetup          AuditAction = "setup"
 	AuditActionWebhookReceive AuditAction = "webhook.receive"
 )
 // AuditResourceType represents the type of resource being acted on.
 type AuditResourceType string
 // Audit resource type constants.
 const (
 	AuditResourceApp        AuditResourceType = "app"
 	AuditResourceUser       AuditResourceType = "user"
 	AuditResourceSession    AuditResourceType = "session"
 	AuditResourceEnvVar     AuditResourceType = "env_var"
 	AuditResourceLabel      AuditResourceType = "label"
 	AuditResourceVolume     AuditResourceType = "volume"
 	AuditResourcePort       AuditResourceType = "port"
 	AuditResourceDeployment AuditResourceType = "deployment"
 	AuditResourceWebhook    AuditResourceType = "webhook"
 )
 // AuditEntry represents a single audit log entry.
 type AuditEntry struct {
 	db *database.Database
 	ID           int64
 	UserID       sql.NullInt64
 	Username     string
 	Action       AuditAction
 	ResourceType AuditResourceType
 	ResourceID   sql.NullString
 	Detail       sql.NullString
 	RemoteIP     sql.NullString
 	CreatedAt    time.Time
 }
 // NewAuditEntry creates a new AuditEntry with a database reference.
 func NewAuditEntry(db *database.Database) *AuditEntry {
 	return &AuditEntry{db: db}
 }
 // Save inserts the audit entry into the database.
 func (a *AuditEntry) Save(ctx context.Context) error {
 	query := `
 		INSERT INTO audit_log (
 			user_id, username, action, resource_type, resource_id,
 			detail, remote_ip
 		) VALUES (?, ?, ?, ?, ?, ?, ?)`
 	result, err := a.db.Exec(ctx, query,
 		a.UserID, a.Username, a.Action, a.ResourceType,
 		a.ResourceID, a.Detail, a.RemoteIP,
 	)
 	if err != nil {
 		return fmt.Errorf("inserting audit entry: %w", err)
 	}
 	id, err := result.LastInsertId()
 	if err != nil {
 		return fmt.Errorf("getting audit entry id: %w", err)
 	}
 	a.ID = id
 	return nil
 }
 // FindAuditEntries returns recent audit log entries, newest first.
 func FindAuditEntries(
 	ctx context.Context,
 	db *database.Database,
 	limit int,
 ) ([]*AuditEntry, error) {
 	query := `
 		SELECT id, user_id, username, action, resource_type, resource_id,
 			detail, remote_ip, created_at
 		FROM audit_log
 		ORDER BY created_at DESC
 		LIMIT ?`
 	rows, err := db.Query(ctx, query, limit)
 	if err != nil {
 		return nil, fmt.Errorf("querying audit entries: %w", err)
 	}
 	defer func() { _ = rows.Close() }()
 	return scanAuditRows(rows)
 }
 // FindAuditEntriesByResource returns audit log entries for a specific resource.
 func FindAuditEntriesByResource(
 	ctx context.Context,
 	db *database.Database,
 	resourceType AuditResourceType,
 	resourceID string,
 	limit int,
 ) ([]*AuditEntry, error) {
 	query := `
 		SELECT id, user_id, username, action, resource_type, resource_id,
 			detail, remote_ip, created_at
 		FROM audit_log
 		WHERE resource_type = ? AND resource_id = ?
 		ORDER BY created_at DESC
 		LIMIT ?`
 	rows, err := db.Query(ctx, query, resourceType, resourceID, limit)
 	if err != nil {
 		return nil, fmt.Errorf("querying audit entries by resource: %w", err)
 	}
 	defer func() { _ = rows.Close() }()
 	return scanAuditRows(rows)
 }
 // CountAuditEntries returns the total number of audit log entries.
 func CountAuditEntries(
 	ctx context.Context,
 	db *database.Database,
 ) (int, error) {
 	var count int
 	row := db.QueryRow(ctx, "SELECT COUNT(*) FROM audit_log")
 	err := row.Scan(&count)
 	if err != nil {
 		return 0, fmt.Errorf("counting audit entries: %w", err)
 	}
 	return count, nil
 }
 func scanAuditRows(rows *sql.Rows) ([]*AuditEntry, error) {
 	var entries []*AuditEntry
 	for rows.Next() {
 		entry := &AuditEntry{}
 		scanErr := rows.Scan(
 			&entry.ID, &entry.UserID, &entry.Username, &entry.Action,
 			&entry.ResourceType, &entry.ResourceID, &entry.Detail,
 			&entry.RemoteIP, &entry.CreatedAt,
 		)
 		if scanErr != nil {
 			return nil, fmt.Errorf("scanning audit entry: %w", scanErr)
 		}
 		entries = append(entries, entry)
 	}
 	rowsErr := rows.Err()
 	if rowsErr != nil {
 		return nil, fmt.Errorf("iterating audit entries: %w", rowsErr)
 	}
 	return entries, nil
 }
--- a/internal/models/env_var.go
+++ b/internal/models/env_var.go
@@ -1,3 +1,4 @@
 //nolint:dupl // Active Record pattern - similar structure to label.go is intentional
 package models
 import (
@@ -128,48 +129,13 @@ func FindEnvVarsByAppID(
 	return envVars, rows.Err()
 }
-// EnvVarPair is a key-value pair for bulk env var operations.
+// DeleteEnvVarsByAppID deletes all env vars for an app.
-type EnvVarPair struct {
+func DeleteEnvVarsByAppID(
 	Key   string
 	Value string
 }
 // ReplaceEnvVarsByAppID atomically replaces all env vars for an app
 // within a single database transaction. It deletes all existing env
 // vars and inserts the provided pairs. If any operation fails, the
 // entire transaction is rolled back.
 func ReplaceEnvVarsByAppID(
 	ctx context.Context,
 	db *database.Database,
 	appID string,
 	pairs []EnvVarPair,
 ) error {
-	tx, err := db.BeginTx(ctx, nil)
+	_, err := db.Exec(ctx, "DELETE FROM app_env_vars WHERE app_id = ?", appID)
 	if err != nil {
 		return fmt.Errorf("beginning transaction: %w", err)
 	}
-	defer func() { _ = tx.Rollback() }()
+	return err
 	_, err = tx.ExecContext(ctx, "DELETE FROM app_env_vars WHERE app_id = ?", appID)
 	if err != nil {
 		return fmt.Errorf("deleting env vars: %w", err)
 	}
 	for _, p := range pairs {
 		_, err = tx.ExecContext(ctx,
 			"INSERT INTO app_env_vars (app_id, key, value) VALUES (?, ?, ?)",
 			appID, p.Key, p.Value,
 		)
 		if err != nil {
 			return fmt.Errorf("inserting env var %q: %w", p.Key, err)
 		}
 	}
 	err = tx.Commit()
 	if err != nil {
 		return fmt.Errorf("committing transaction: %w", err)
 	}
 	return nil
 }
--- a/internal/models/label.go
+++ b/internal/models/label.go
@@ -1,3 +1,4 @@
 //nolint:dupl // Active Record pattern - similar structure to env_var.go is intentional
 package models
 import (
--- a/internal/models/models_test.go
+++ b/internal/models/models_test.go
@@ -23,7 +23,6 @@ const (
 	testBranch    = "main"
 	testValue     = "value"
 	testEventType = "push"
 	testAdmin     = "admin"
 )
 func setupTestDB(t *testing.T) (*database.Database, func()) {
@@ -184,7 +183,7 @@ func TestUserExists(t *testing.T) {
 		defer cleanup()
 		user := models.NewUser(testDB)
-		user.Username = testAdmin
+		user.Username = "admin"
 		user.PasswordHash = testHash
 		err := user.Save(context.Background())
@@ -782,179 +781,6 @@ func TestCascadeDelete(t *testing.T) {
 	})
 }
 // AuditEntry Tests.
 func TestAuditEntryCreateAndFind(t *testing.T) {
 	t.Parallel()
 	testDB, cleanup := setupTestDB(t)
 	defer cleanup()
 	entry := models.NewAuditEntry(testDB)
 	entry.Username = testAdmin
 	entry.Action = models.AuditActionLogin
 	entry.ResourceType = models.AuditResourceSession
 	err := entry.Save(context.Background())
 	require.NoError(t, err)
 	assert.NotZero(t, entry.ID)
 	entries, err := models.FindAuditEntries(context.Background(), testDB, 10)
 	require.NoError(t, err)
 	require.Len(t, entries, 1)
 	assert.Equal(t, testAdmin, entries[0].Username)
 	assert.Equal(t, models.AuditActionLogin, entries[0].Action)
 	assert.Equal(t, models.AuditResourceSession, entries[0].ResourceType)
 }
 func TestAuditEntryWithAllFields(t *testing.T) {
 	t.Parallel()
 	testDB, cleanup := setupTestDB(t)
 	defer cleanup()
 	entry := models.NewAuditEntry(testDB)
 	entry.UserID = sql.NullInt64{Int64: 1, Valid: true}
 	entry.Username = testAdmin
 	entry.Action = models.AuditActionAppCreate
 	entry.ResourceType = models.AuditResourceApp
 	entry.ResourceID = sql.NullString{String: "app-123", Valid: true}
 	entry.Detail = sql.NullString{String: "created new app", Valid: true}
 	entry.RemoteIP = sql.NullString{String: "192.168.1.1", Valid: true}
 	err := entry.Save(context.Background())
 	require.NoError(t, err)
 	entries, err := models.FindAuditEntries(context.Background(), testDB, 10)
 	require.NoError(t, err)
 	require.Len(t, entries, 1)
 	assert.Equal(t, int64(1), entries[0].UserID.Int64)
 	assert.Equal(t, "app-123", entries[0].ResourceID.String)
 	assert.Equal(t, "created new app", entries[0].Detail.String)
 	assert.Equal(t, "192.168.1.1", entries[0].RemoteIP.String)
 }
 func TestAuditEntryFindByResource(t *testing.T) {
 	t.Parallel()
 	testDB, cleanup := setupTestDB(t)
 	defer cleanup()
 	// Create entries for different resources.
 	for _, action := range []models.AuditAction{
 		models.AuditActionAppCreate,
 		models.AuditActionAppUpdate,
 		models.AuditActionAppDeploy,
 	} {
 		entry := models.NewAuditEntry(testDB)
 		entry.Username = testAdmin
 		entry.Action = action
 		entry.ResourceType = models.AuditResourceApp
 		entry.ResourceID = sql.NullString{String: "app-1", Valid: true}
 		err := entry.Save(context.Background())
 		require.NoError(t, err)
 	}
 	// Create entry for a different resource.
 	entry := models.NewAuditEntry(testDB)
 	entry.Username = testAdmin
 	entry.Action = models.AuditActionLogin
 	entry.ResourceType = models.AuditResourceSession
 	err := entry.Save(context.Background())
 	require.NoError(t, err)
 	// Find by resource.
 	appEntries, err := models.FindAuditEntriesByResource(
 		context.Background(), testDB,
 		models.AuditResourceApp, "app-1", 10,
 	)
 	require.NoError(t, err)
 	assert.Len(t, appEntries, 3)
 	// All entries.
 	allEntries, err := models.FindAuditEntries(context.Background(), testDB, 10)
 	require.NoError(t, err)
 	assert.Len(t, allEntries, 4)
 }
 func TestAuditEntryCount(t *testing.T) {
 	t.Parallel()
 	testDB, cleanup := setupTestDB(t)
 	defer cleanup()
 	count, err := models.CountAuditEntries(context.Background(), testDB)
 	require.NoError(t, err)
 	assert.Equal(t, 0, count)
 	entry := models.NewAuditEntry(testDB)
 	entry.Username = testAdmin
 	entry.Action = models.AuditActionLogin
 	entry.ResourceType = models.AuditResourceSession
 	err = entry.Save(context.Background())
 	require.NoError(t, err)
 	count, err = models.CountAuditEntries(context.Background(), testDB)
 	require.NoError(t, err)
 	assert.Equal(t, 1, count)
 }
 func TestAuditEntryFindLimit(t *testing.T) {
 	t.Parallel()
 	testDB, cleanup := setupTestDB(t)
 	defer cleanup()
 	for range 5 {
 		entry := models.NewAuditEntry(testDB)
 		entry.Username = testAdmin
 		entry.Action = models.AuditActionLogin
 		entry.ResourceType = models.AuditResourceSession
 		err := entry.Save(context.Background())
 		require.NoError(t, err)
 	}
 	entries, err := models.FindAuditEntries(context.Background(), testDB, 3)
 	require.NoError(t, err)
 	assert.Len(t, entries, 3)
 }
 func TestAuditEntryOrderByCreatedAtDesc(t *testing.T) {
 	t.Parallel()
 	testDB, cleanup := setupTestDB(t)
 	defer cleanup()
 	actions := []models.AuditAction{
 		models.AuditActionLogin,
 		models.AuditActionAppCreate,
 		models.AuditActionLogout,
 	}
 	for _, action := range actions {
 		entry := models.NewAuditEntry(testDB)
 		entry.Username = testAdmin
 		entry.Action = action
 		entry.ResourceType = models.AuditResourceSession
 		err := entry.Save(context.Background())
 		require.NoError(t, err)
 	}
 	entries, err := models.FindAuditEntries(context.Background(), testDB, 10)
 	require.NoError(t, err)
 	require.Len(t, entries, 3)
 	// Newest first (logout was last inserted).
 	assert.Equal(t, models.AuditActionLogout, entries[0].Action)
 	assert.Equal(t, models.AuditActionAppCreate, entries[1].Action)
 	assert.Equal(t, models.AuditActionLogin, entries[2].Action)
 }
 // Helper function to create a test app.
 func createTestApp(t *testing.T, testDB *database.Database) *models.App {
 	t.Helper()
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@@ -82,8 +82,10 @@ func (s *Server) SetupRoutes() {
 			r.Post("/apps/{id}/stop", s.handlers.HandleAppStop())
 			r.Post("/apps/{id}/start", s.handlers.HandleAppStart())
-			// Environment variables (monolithic bulk save)
+			// Environment variables
-			r.Post("/apps/{id}/env", s.handlers.HandleEnvVarSave())
+			r.Post("/apps/{id}/env-vars", s.handlers.HandleEnvVarAdd())
 			r.Post("/apps/{id}/env-vars/{varID}/edit", s.handlers.HandleEnvVarEdit())
 			r.Post("/apps/{id}/env-vars/{varID}/delete", s.handlers.HandleEnvVarDelete())
 			// Labels
 			r.Post("/apps/{id}/labels", s.handlers.HandleLabelAdd())
@@ -115,13 +117,14 @@ func (s *Server) SetupRoutes() {
 			r.Get("/apps", s.handlers.HandleAPIListApps())
 			r.Get("/apps/{id}", s.handlers.HandleAPIGetApp())
 			r.Get("/apps/{id}/deployments", s.handlers.HandleAPIListDeployments())
 			r.Get("/audit", s.handlers.HandleAPIAuditLog())
 		})
 	})
-	// Metrics endpoint (always available, optionally protected with basic auth)
+	// Metrics endpoint (optional, with basic auth)
 	if s.params.Config.MetricsUsername != "" {
 		s.router.Group(func(r chi.Router) {
 			r.Use(s.mw.MetricsAuth())
 			r.Get("/metrics", promhttp.Handler().ServeHTTP)
 		})
 	}
 }
--- a/internal/service/audit/audit.go
+++ b/internal/service/audit/audit.go
@@ -1,126 +0,0 @@
 // Package audit provides audit logging for user actions.
 package audit
 import (
 	"context"
 	"database/sql"
 	"log/slog"
 	"net/http"
 	"go.uber.org/fx"
 	"sneak.berlin/go/upaas/internal/database"
 	"sneak.berlin/go/upaas/internal/logger"
 	"sneak.berlin/go/upaas/internal/metrics"
 	"sneak.berlin/go/upaas/internal/middleware"
 	"sneak.berlin/go/upaas/internal/models"
 )
 // ServiceParams contains dependencies for Service.
 type ServiceParams struct {
 	fx.In
 	Logger   *logger.Logger
 	Database *database.Database
 	Metrics  *metrics.Metrics
 }
 // Service provides audit logging functionality.
 type Service struct {
 	log     *slog.Logger
 	db      *database.Database
 	metrics *metrics.Metrics
 }
 // New creates a new audit Service.
 func New(_ fx.Lifecycle, params ServiceParams) (*Service, error) {
 	return &Service{
 		log:     params.Logger.Get(),
 		db:      params.Database,
 		metrics: params.Metrics,
 	}, nil
 }
 // LogEntry records an audit event.
 type LogEntry struct {
 	UserID       int64
 	Username     string
 	Action       models.AuditAction
 	ResourceType models.AuditResourceType
 	ResourceID   string
 	Detail       string
 	RemoteIP     string
 }
 // Log records an audit log entry and increments the audit metrics counter.
 func (svc *Service) Log(ctx context.Context, entry LogEntry) {
 	auditEntry := models.NewAuditEntry(svc.db)
 	auditEntry.Username = entry.Username
 	auditEntry.Action = entry.Action
 	auditEntry.ResourceType = entry.ResourceType
 	if entry.UserID != 0 {
 		auditEntry.UserID = sql.NullInt64{Int64: entry.UserID, Valid: true}
 	}
 	if entry.ResourceID != "" {
 		auditEntry.ResourceID = sql.NullString{String: entry.ResourceID, Valid: true}
 	}
 	if entry.Detail != "" {
 		auditEntry.Detail = sql.NullString{String: entry.Detail, Valid: true}
 	}
 	if entry.RemoteIP != "" {
 		auditEntry.RemoteIP = sql.NullString{String: entry.RemoteIP, Valid: true}
 	}
 	err := auditEntry.Save(ctx)
 	if err != nil {
 		svc.log.Error("failed to save audit entry",
 			"error", err,
 			"action", entry.Action,
 			"username", entry.Username,
 		)
 		return
 	}
 	svc.metrics.AuditEventsTotal.WithLabelValues(string(entry.Action)).Inc()
 	svc.log.Info("audit",
 		"action", entry.Action,
 		"username", entry.Username,
 		"resource_type", entry.ResourceType,
 		"resource_id", entry.ResourceID,
 	)
 }
 // LogFromRequest records an audit log entry, extracting the remote IP from
 // the HTTP request using the middleware's trusted-proxy-aware IP resolution.
 func (svc *Service) LogFromRequest(
 	ctx context.Context,
 	request *http.Request,
 	entry LogEntry,
 ) {
 	entry.RemoteIP = middleware.RealIP(request)
 	svc.Log(ctx, entry)
 }
 // Recent returns the most recent audit log entries.
 func (svc *Service) Recent(
 	ctx context.Context,
 	limit int,
 ) ([]*models.AuditEntry, error) {
 	return models.FindAuditEntries(ctx, svc.db, limit)
 }
 // ForResource returns audit log entries for a specific resource.
 func (svc *Service) ForResource(
 	ctx context.Context,
 	resourceType models.AuditResourceType,
 	resourceID string,
 	limit int,
 ) ([]*models.AuditEntry, error) {
 	return models.FindAuditEntriesByResource(ctx, svc.db, resourceType, resourceID, limit)
 }
--- a/internal/service/audit/audit_test.go
+++ b/internal/service/audit/audit_test.go
@@ -1,221 +0,0 @@
 package audit_test
 import (
 	"context"
 	"log/slog"
 	"net/http"
 	"net/http/httptest"
 	"os"
 	"testing"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"
 	"sneak.berlin/go/upaas/internal/config"
 	"sneak.berlin/go/upaas/internal/database"
 	"sneak.berlin/go/upaas/internal/globals"
 	"sneak.berlin/go/upaas/internal/logger"
 	"sneak.berlin/go/upaas/internal/metrics"
 	"sneak.berlin/go/upaas/internal/models"
 	"sneak.berlin/go/upaas/internal/service/audit"
 )
 func setupTestAuditService(t *testing.T) (*audit.Service, *database.Database) {
 	t.Helper()
 	globals.SetAppname("upaas-test")
 	globals.SetVersion("test")
 	tmpDir := t.TempDir()
 	cfg := &config.Config{
 		DataDir: tmpDir,
 	}
 	log := slog.New(slog.NewTextHandler(os.Stderr, nil))
 	logWrapper := logger.NewForTest(log)
 	db, err := database.New(fx.Lifecycle(nil), database.Params{
 		Logger: logWrapper,
 		Config: cfg,
 	})
 	require.NoError(t, err)
 	reg := prometheus.NewRegistry()
 	metricsInstance := metrics.NewForTest(reg)
 	svc, err := audit.New(fx.Lifecycle(nil), audit.ServiceParams{
 		Logger:   logWrapper,
 		Database: db,
 		Metrics:  metricsInstance,
 	})
 	require.NoError(t, err)
 	return svc, db
 }
 func TestAuditServiceLog(t *testing.T) {
 	t.Parallel()
 	svc, db := setupTestAuditService(t)
 	ctx := context.Background()
 	svc.Log(ctx, audit.LogEntry{
 		UserID:       1,
 		Username:     "admin",
 		Action:       models.AuditActionLogin,
 		ResourceType: models.AuditResourceSession,
 		Detail:       "user logged in",
 		RemoteIP:     "127.0.0.1",
 	})
 	entries, err := models.FindAuditEntries(ctx, db, 10)
 	require.NoError(t, err)
 	require.Len(t, entries, 1)
 	assert.Equal(t, "admin", entries[0].Username)
 	assert.Equal(t, models.AuditActionLogin, entries[0].Action)
 	assert.Equal(t, "127.0.0.1", entries[0].RemoteIP.String)
 }
 func TestAuditServiceLogFromRequest(t *testing.T) {
 	t.Parallel()
 	svc, db := setupTestAuditService(t)
 	ctx := context.Background()
 	request := httptest.NewRequest(http.MethodPost, "/apps", nil)
 	request.RemoteAddr = "10.0.0.1:12345"
 	svc.LogFromRequest(ctx, request, audit.LogEntry{
 		Username:     "admin",
 		Action:       models.AuditActionAppCreate,
 		ResourceType: models.AuditResourceApp,
 		ResourceID:   "app-1",
 		Detail:       "created app",
 	})
 	entries, err := models.FindAuditEntries(ctx, db, 10)
 	require.NoError(t, err)
 	require.Len(t, entries, 1)
 	assert.Equal(t, "10.0.0.1", entries[0].RemoteIP.String)
 	assert.Equal(t, "app-1", entries[0].ResourceID.String)
 }
 func TestAuditServiceLogFromRequestWithXRealIPTrustedProxy(t *testing.T) {
 	t.Parallel()
 	svc, db := setupTestAuditService(t)
 	ctx := context.Background()
 	// When the request comes from a trusted proxy (RFC1918), X-Real-IP is honoured.
 	request := httptest.NewRequest(http.MethodPost, "/apps", nil)
 	request.RemoteAddr = "10.0.0.1:1234"
 	request.Header.Set("X-Real-IP", "203.0.113.50")
 	svc.LogFromRequest(ctx, request, audit.LogEntry{
 		Username:     "admin",
 		Action:       models.AuditActionAppCreate,
 		ResourceType: models.AuditResourceApp,
 	})
 	entries, err := models.FindAuditEntries(ctx, db, 10)
 	require.NoError(t, err)
 	require.Len(t, entries, 1)
 	assert.Equal(t, "203.0.113.50", entries[0].RemoteIP.String)
 }
 func TestAuditServiceLogFromRequestWithXRealIPUntrustedProxy(t *testing.T) {
 	t.Parallel()
 	svc, db := setupTestAuditService(t)
 	ctx := context.Background()
 	// When the request comes from a public IP, X-Real-IP is ignored (anti-spoof).
 	request := httptest.NewRequest(http.MethodPost, "/apps", nil)
 	request.RemoteAddr = "203.0.113.99:1234"
 	request.Header.Set("X-Real-IP", "10.0.0.1")
 	svc.LogFromRequest(ctx, request, audit.LogEntry{
 		Username:     "admin",
 		Action:       models.AuditActionAppCreate,
 		ResourceType: models.AuditResourceApp,
 	})
 	entries, err := models.FindAuditEntries(ctx, db, 10)
 	require.NoError(t, err)
 	require.Len(t, entries, 1)
 	assert.Equal(t, "203.0.113.99", entries[0].RemoteIP.String)
 }
 func TestAuditServiceRecent(t *testing.T) {
 	t.Parallel()
 	svc, _ := setupTestAuditService(t)
 	ctx := context.Background()
 	for range 5 {
 		svc.Log(ctx, audit.LogEntry{
 			Username:     "admin",
 			Action:       models.AuditActionLogin,
 			ResourceType: models.AuditResourceSession,
 		})
 	}
 	entries, err := svc.Recent(ctx, 3)
 	require.NoError(t, err)
 	assert.Len(t, entries, 3)
 }
 func TestAuditServiceForResource(t *testing.T) {
 	t.Parallel()
 	svc, _ := setupTestAuditService(t)
 	ctx := context.Background()
 	// Log entries for different resources.
 	svc.Log(ctx, audit.LogEntry{
 		Username:     "admin",
 		Action:       models.AuditActionAppCreate,
 		ResourceType: models.AuditResourceApp,
 		ResourceID:   "app-1",
 	})
 	svc.Log(ctx, audit.LogEntry{
 		Username:     "admin",
 		Action:       models.AuditActionAppDeploy,
 		ResourceType: models.AuditResourceApp,
 		ResourceID:   "app-1",
 	})
 	svc.Log(ctx, audit.LogEntry{
 		Username:     "admin",
 		Action:       models.AuditActionAppCreate,
 		ResourceType: models.AuditResourceApp,
 		ResourceID:   "app-2",
 	})
 	entries, err := svc.ForResource(ctx, models.AuditResourceApp, "app-1", 10)
 	require.NoError(t, err)
 	assert.Len(t, entries, 2)
 }
 func TestAuditServiceLogWithNoOptionalFields(t *testing.T) {
 	t.Parallel()
 	svc, db := setupTestAuditService(t)
 	ctx := context.Background()
 	svc.Log(ctx, audit.LogEntry{
 		Username:     "system",
 		Action:       models.AuditActionWebhookReceive,
 		ResourceType: models.AuditResourceWebhook,
 	})
 	entries, err := models.FindAuditEntries(ctx, db, 10)
 	require.NoError(t, err)
 	require.Len(t, entries, 1)
 	assert.False(t, entries[0].UserID.Valid)
 	assert.False(t, entries[0].ResourceID.Valid)
 	assert.False(t, entries[0].Detail.Valid)
 	assert.False(t, entries[0].RemoteIP.Valid)
 }
--- a/internal/service/deploy/deploy.go
+++ b/internal/service/deploy/deploy.go
@@ -21,7 +21,6 @@ import (
 	"sneak.berlin/go/upaas/internal/database"
 	"sneak.berlin/go/upaas/internal/docker"
 	"sneak.berlin/go/upaas/internal/logger"
 	"sneak.berlin/go/upaas/internal/metrics"
 	"sneak.berlin/go/upaas/internal/models"
 	"sneak.berlin/go/upaas/internal/service/notify"
 )
@@ -209,7 +208,6 @@ type ServiceParams struct {
 	Database *database.Database
 	Docker   *docker.Client
 	Notify   *notify.Service
 	Metrics  *metrics.Metrics
 }
 // activeDeploy tracks a running deployment so it can be cancelled.
@@ -224,7 +222,6 @@ type Service struct {
 	db            *database.Database
 	docker        *docker.Client
 	notify        *notify.Service
 	metrics       *metrics.Metrics
 	config        *config.Config
 	params        *ServiceParams
 	activeDeploys sync.Map // map[string]*activeDeploy - per-app active deployment tracking
@@ -238,7 +235,6 @@ func New(lc fx.Lifecycle, params ServiceParams) (*Service, error) {
 		db:     params.Database,
 		docker: params.Docker,
 		notify: params.Notify,
 		metrics: params.Metrics,
 		config: params.Config,
 		params: &params,
 	}
@@ -331,11 +327,6 @@ func (svc *Service) Deploy(
 	}
 	defer svc.unlockApp(app.ID)
 	// Track in-flight deployments
 	svc.metrics.DeploymentsInFlight.WithLabelValues(app.Name).Inc()
 	deployStart := time.Now()
 	// Set up cancellable context and register as active deploy
 	deployCtx, cancel := context.WithCancel(ctx)
 	done := make(chan struct{})
@@ -343,7 +334,6 @@ func (svc *Service) Deploy(
 	svc.activeDeploys.Store(app.ID, ad)
 	defer func() {
 		svc.metrics.DeploymentsInFlight.WithLabelValues(app.Name).Dec()
 		cancel()
 		close(done)
 		svc.activeDeploys.Delete(app.ID)
@@ -369,7 +359,7 @@ func (svc *Service) Deploy(
 	svc.notify.NotifyBuildStart(bgCtx, app, deployment)
-	return svc.runBuildAndDeploy(deployCtx, bgCtx, app, deployment, deployStart)
+	return svc.runBuildAndDeploy(deployCtx, bgCtx, app, deployment)
 }
 // Rollback rolls back an app to its previous image.
@@ -477,20 +467,15 @@ func (svc *Service) runBuildAndDeploy(
 	bgCtx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
 	deployStart time.Time,
 ) error {
 	// Build phase with timeout
 	imageID, err := svc.buildImageWithTimeout(deployCtx, app, deployment)
 	if err != nil {
 		cancelErr := svc.checkCancelled(deployCtx, bgCtx, app, deployment, "")
 		if cancelErr != nil {
 			svc.recordDeployMetrics(app.Name, "cancelled", deployStart)
 			return cancelErr
 		}
 		svc.recordDeployMetrics(app.Name, "failed", deployStart)
 		return err
 	}
@@ -501,13 +486,9 @@ func (svc *Service) runBuildAndDeploy(
 	if err != nil {
 		cancelErr := svc.checkCancelled(deployCtx, bgCtx, app, deployment, imageID)
 		if cancelErr != nil {
 			svc.recordDeployMetrics(app.Name, "cancelled", deployStart)
 			return cancelErr
 		}
 		svc.recordDeployMetrics(app.Name, "failed", deployStart)
 		return err
 	}
@@ -523,19 +504,11 @@ func (svc *Service) runBuildAndDeploy(
 	// Use context.WithoutCancel to ensure health check completes even if
 	// the parent context is cancelled (e.g., HTTP request ends).
-	go svc.checkHealthAfterDelay(bgCtx, app, deployment, deployStart)
+	go svc.checkHealthAfterDelay(bgCtx, app, deployment)
 	return nil
 }
 // recordDeployMetrics records deployment completion metrics.
 func (svc *Service) recordDeployMetrics(appName, status string, start time.Time) {
 	duration := time.Since(start).Seconds()
 	svc.metrics.DeploymentsTotal.WithLabelValues(appName, status).Inc()
 	svc.metrics.DeploymentDuration.WithLabelValues(appName, status).Observe(duration)
 }
 // buildImageWithTimeout runs the build phase with a timeout.
 func (svc *Service) buildImageWithTimeout(
 	ctx context.Context,
@@ -1190,7 +1163,6 @@ func (svc *Service) checkHealthAfterDelay(
 	ctx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
 	deployStart time.Time,
 ) {
 	svc.log.Info(
 		"waiting 60 seconds to check container health",
@@ -1217,8 +1189,6 @@ func (svc *Service) checkHealthAfterDelay(
 		svc.notify.NotifyDeployFailed(ctx, reloadedApp, deployment, err)
 		_ = deployment.MarkFinished(ctx, models.DeploymentStatusFailed)
 		svc.writeLogsToFile(reloadedApp, deployment)
 		svc.recordDeployMetrics(reloadedApp.Name, "failed", deployStart)
 		svc.metrics.ContainerHealthy.WithLabelValues(reloadedApp.Name).Set(0)
 		reloadedApp.Status = models.AppStatusError
 		_ = reloadedApp.Save(ctx)
@@ -1230,8 +1200,6 @@ func (svc *Service) checkHealthAfterDelay(
 		svc.notify.NotifyDeploySuccess(ctx, reloadedApp, deployment)
 		_ = deployment.MarkFinished(ctx, models.DeploymentStatusSuccess)
 		svc.writeLogsToFile(reloadedApp, deployment)
 		svc.recordDeployMetrics(reloadedApp.Name, "success", deployStart)
 		svc.metrics.ContainerHealthy.WithLabelValues(reloadedApp.Name).Set(1)
 	} else {
 		svc.log.Warn(
 			"container unhealthy after 60 seconds",
@@ -1240,8 +1208,6 @@ func (svc *Service) checkHealthAfterDelay(
 		svc.notify.NotifyDeployFailed(ctx, reloadedApp, deployment, ErrContainerUnhealthy)
 		_ = deployment.MarkFinished(ctx, models.DeploymentStatusFailed)
 		svc.writeLogsToFile(reloadedApp, deployment)
 		svc.recordDeployMetrics(reloadedApp.Name, "failed", deployStart)
 		svc.metrics.ContainerHealthy.WithLabelValues(reloadedApp.Name).Set(0)
 		reloadedApp.Status = models.AppStatusError
 		_ = reloadedApp.Save(ctx)
 	}
--- a/internal/service/webhook/webhook.go
+++ b/internal/service/webhook/webhook.go
@@ -7,14 +7,12 @@ import (
 	"encoding/json"
 	"fmt"
 	"log/slog"
 	"strconv"
 	"go.uber.org/fx"
 	"sneak.berlin/go/upaas/internal/database"
 	"sneak.berlin/go/upaas/internal/logger"
 	"sneak.berlin/go/upaas/internal/metrics"
 	"sneak.berlin/go/upaas/internal/models"
 	"sneak.berlin/go/upaas/internal/service/deploy"
 )
@@ -26,7 +24,6 @@ type ServiceParams struct {
 	Logger   *logger.Logger
 	Database *database.Database
 	Deploy   *deploy.Service
 	Metrics  *metrics.Metrics
 }
 // Service provides webhook handling functionality.
@@ -34,7 +31,6 @@ type Service struct {
 	log    *slog.Logger
 	db     *database.Database
 	deploy *deploy.Service
 	metrics *metrics.Metrics
 	params *ServiceParams
 }
@@ -44,7 +40,6 @@ func New(_ fx.Lifecycle, params ServiceParams) (*Service, error) {
 		log:    params.Logger.Get(),
 		db:     params.Database,
 		deploy: params.Deploy,
 		metrics: params.Metrics,
 		params: &params,
 	}, nil
 }
@@ -127,10 +122,6 @@ func (svc *Service) HandleWebhook(
 		"commit", commitSHA,
 	)
 	svc.metrics.WebhookEventsTotal.WithLabelValues(
 		app.Name, eventType, strconv.FormatBool(matched),
 	).Inc()
 	// If branch matches, trigger deployment
 	if matched {
 		svc.triggerDeployment(ctx, app, event)
--- a/internal/service/webhook/webhook_test.go
+++ b/internal/service/webhook/webhook_test.go
@@ -8,7 +8,6 @@ import (
 	"testing"
 	"time"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"
@@ -18,7 +17,6 @@ import (
 	"sneak.berlin/go/upaas/internal/docker"
 	"sneak.berlin/go/upaas/internal/globals"
 	"sneak.berlin/go/upaas/internal/logger"
 	"sneak.berlin/go/upaas/internal/metrics"
 	"sneak.berlin/go/upaas/internal/models"
 	"sneak.berlin/go/upaas/internal/service/deploy"
 	"sneak.berlin/go/upaas/internal/service/notify"
@@ -65,17 +63,13 @@ func setupTestService(t *testing.T) (*webhook.Service, *database.Database, func(
 	notifySvc, err := notify.New(fx.Lifecycle(nil), notify.ServiceParams{Logger: deps.logger})
 	require.NoError(t, err)
 	metricsInstance := metrics.NewForTest(prometheus.NewRegistry())
 	deploySvc, err := deploy.New(fx.Lifecycle(nil), deploy.ServiceParams{
 		Logger: deps.logger, Config: deps.config, Database: deps.db, Docker: dockerClient, Notify: notifySvc,
 		Metrics: metricsInstance,
 	})
 	require.NoError(t, err)
 	svc, err := webhook.New(fx.Lifecycle(nil), webhook.ServiceParams{
 		Logger: deps.logger, Database: deps.db, Deploy: deploySvc,
 		Metrics: metricsInstance,
 	})
 	require.NoError(t, err)
--- a/static/js/app-detail.js
+++ b/static/js/app-detail.js
@@ -6,103 +6,6 @@
 */
 document.addEventListener("alpine:init", () => {
    // ============================================
    // Environment Variable Editor Component
    // ============================================
    Alpine.data("envVarEditor", (appId) => ({
        vars: [],
        editIdx: -1,
        editKey: "",
        editVal: "",
        appId: appId,
        init() {
            this.vars = Array.from(this.$el.querySelectorAll(".env-init")).map(
                (span) => ({
                    key: span.dataset.key,
                    value: span.dataset.value,
                }),
            );
        },
        startEdit(i) {
            this.editIdx = i;
            this.editKey = this.vars[i].key;
            this.editVal = this.vars[i].value;
        },
        saveEdit(i) {
            this.vars[i] = { key: this.editKey, value: this.editVal };
            this.editIdx = -1;
            this.submitAll();
        },
        removeVar(i) {
            if (!window.confirm("Delete this environment variable?")) {
                return;
            }
            this.vars.splice(i, 1);
            this.submitAll();
        },
        addVar(keyEl, valEl) {
            const k = keyEl.value.trim();
            const v = valEl.value.trim();
            if (!k) {
                return;
            }
            this.vars.push({ key: k, value: v });
            this.submitAll();
        },
        submitAll() {
            const csrfInput = this.$el.querySelector(
                'input[name="gorilla.csrf.Token"]',
            );
            const csrfToken = csrfInput ? csrfInput.value : "";
            fetch("/apps/" + this.appId + "/env", {
                method: "POST",
                headers: {
                    "Content-Type": "application/json",
                    "X-CSRF-Token": csrfToken,
                },
                body: JSON.stringify(
                    this.vars.map((e) => ({ key: e.key, value: e.value })),
                ),
            })
                .then((res) => {
                    if (res.ok) {
                        window.location.reload();
                        return;
                    }
                    res.json()
                        .then((data) => {
                            window.alert(
                                data.error ||
                                    "Failed to save environment variables.",
                            );
                        })
                        .catch(() => {
                            window.alert(
                                "Failed to save environment variables.",
                            );
                        });
                })
                .catch(() => {
                    window.alert(
                        "Network error: could not save environment variables.",
                    );
                });
        },
    }));
    // ============================================
    // App Detail Page Component
    // ============================================
    Alpine.data("appDetail", (config) => ({
        appId: config.appId,
        currentDeploymentId: config.initialDeploymentId,
--- a/templates/app_detail.html
+++ b/templates/app_detail.html
@@ -101,10 +101,9 @@
    </div>
    <!-- Environment Variables -->
-    <div class="card p-6 mb-6" x-data="envVarEditor('{{.App.ID}}')">
+    <div class="card p-6 mb-6">
        <h2 class="section-title mb-4">Environment Variables</h2>
-        {{range .EnvVars}}<span class="env-init hidden" data-key="{{.Key}}" data-value="{{.Value}}"></span>{{end}}
+        {{if .EnvVars}}
        <template x-if="vars.length > 0">
        <div class="overflow-x-auto mb-4">
            <table class="table">
                <thead class="table-header">
@@ -115,43 +114,47 @@
                    </tr>
                </thead>
                <tbody class="table-body">
-                    <template x-for="(env, idx) in vars" :key="idx">
+                    {{range .EnvVars}}
-                    <tr>
+                    <tr x-data="{ editing: false }">
-                        <template x-if="editIdx !== idx">
+                        <template x-if="!editing">
-                            <td class="font-mono font-medium" x-text="env.key"></td>
+                            <td class="font-mono font-medium">{{.Key}}</td>
                        </template>
-                        <template x-if="editIdx !== idx">
+                        <template x-if="!editing">
-                            <td class="font-mono text-gray-500" x-text="env.value"></td>
+                            <td class="font-mono text-gray-500">{{.Value}}</td>
                        </template>
-                        <template x-if="editIdx !== idx">
+                        <template x-if="!editing">
                            <td class="text-right">
-                                <button @click="startEdit(idx)" class="text-primary-600 hover:text-primary-800 text-sm mr-2">Edit</button>
+                                <button @click="editing = true" class="text-primary-600 hover:text-primary-800 text-sm mr-2">Edit</button>
-                                <button @click="removeVar(idx)" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
+                                <form method="POST" action="/apps/{{$.App.ID}}/env-vars/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this environment variable?')" @submit="confirm($event)">
                                    {{ $.CSRFField }}
                                    <button type="submit" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
                                </form>
                            </td>
                        </template>
-                        <template x-if="editIdx === idx">
+                        <template x-if="editing">
                            <td colspan="3">
-                                <form @submit.prevent="saveEdit(idx)" class="flex gap-2 items-center">
+                                <form method="POST" action="/apps/{{$.App.ID}}/env-vars/{{.ID}}/edit" class="flex gap-2 items-center">
-                                    <input type="text" x-model="editKey" required class="input flex-1 font-mono text-sm">
+                                    {{ $.CSRFField }}
-                                    <input type="text" x-model="editVal" required class="input flex-1 font-mono text-sm">
+                                    <input type="text" name="key" value="{{.Key}}" required class="input flex-1 font-mono text-sm">
                                    <input type="text" name="value" value="{{.Value}}" required class="input flex-1 font-mono text-sm">
                                    <button type="submit" class="btn-primary text-sm">Save</button>
-                                    <button type="button" @click="editIdx = -1" class="text-gray-500 hover:text-gray-700 text-sm">Cancel</button>
+                                    <button type="button" @click="editing = false" class="text-gray-500 hover:text-gray-700 text-sm">Cancel</button>
                                </form>
                                <p class="text-xs text-amber-600 mt-1">⚠ Container restart needed after env var changes.</p>
                            </td>
                        </template>
                    </tr>
-                    </template>
+                    {{end}}
                </tbody>
            </table>
        </div>
-        </template>
+        {{end}}
-        <form @submit.prevent="addVar($refs.newKey, $refs.newVal)" class="flex flex-col sm:flex-row gap-2">
+        <form method="POST" action="/apps/{{.App.ID}}/env" class="flex flex-col sm:flex-row gap-2">
-            <input x-ref="newKey" type="text" placeholder="KEY" required class="input flex-1 font-mono text-sm">
+                {{ .CSRFField }}
-            <input x-ref="newVal" type="text" placeholder="value" required class="input flex-1 font-mono text-sm">
+            <input type="text" name="key" placeholder="KEY" required class="input flex-1 font-mono text-sm">
            <input type="text" name="value" placeholder="value" required class="input flex-1 font-mono text-sm">
            <button type="submit" class="btn-primary">Add</button>
        </form>
        <div class="hidden">{{ .CSRFField }}</div>
    </div>
    <!-- Labels -->
Author	SHA1	Message	Date
Jeffrey Paul	d22daf1f0a	Merge branch 'main' into fix/js-formatting All checks were successful Check / check (pull_request) Successful in 4s Details	2026-03-10 18:54:08 +01:00
Jeffrey Paul	602046b329	Merge branch 'main' into fix/js-formatting All checks were successful Check / check (pull_request) Successful in 4s Details	2026-03-10 01:07:26 +01:00
clawbot	7920e723a6	style: run make fmt on JS static files All checks were successful Check / check (pull_request) Successful in 5s Details	2026-03-09 17:01:10 -07:00