feat: add custom health check commands per app

Add configurable health check commands per app via a new 'healthcheck_command' field. When set, the command is passed to Docker as a CMD-SHELL health check on the container. When empty, the image's default health check is used. Changes: - Add migration 007 for healthcheck_command column on apps table - Add HealthcheckCommand field to App model with full CRUD support - Add buildHealthcheck() to docker client for CMD-SHELL config - Pass health check command through CreateContainerOptions - Add health check command input to app create/edit UI forms - Extract optionalNullString helper to reduce handler complexity - Update README features list closes #81
2026-03-17 02:11:08 -07:00
22 changed files with 509 additions and 1857 deletions
--- a/README.md
+++ b/README.md
@@ -1,15 +1,14 @@
 # µPaaS by [@sneak](https://sneak.berlin)

-A simple self-hosted PaaS that auto-deploys Docker containers from Git repositories via webhooks from Gitea, GitHub, or GitLab.
+A simple self-hosted PaaS that auto-deploys Docker containers from Git repositories via Gitea webhooks.

 ## Features

 - Single admin user with argon2id password hashing
 - Per-app SSH keypairs for read-only deploy keys
- Per-app UUID-based webhook URLs with auto-detection of Gitea, GitHub, and GitLab
+- Per-app UUID-based webhook URLs for Gitea integration
 - Branch filtering - only deploy on configured branch changes
- Environment variables, labels, and volume mounts per app
- CPU and memory resource limits per app
+- Environment variables, labels, volume mounts, and custom health checks per app
 - Docker builds via socket access
 - Notifications via ntfy and Slack-compatible webhooks
 - Simple server-rendered UI with Tailwind CSS
@@ -20,7 +19,7 @@ A simple self-hosted PaaS that auto-deploys Docker containers from Git repositor
 - Complex CI pipelines
 - Multiple container orchestration
 - SPA/API-first design
- Support for non-push webhook events (e.g. issues, merge requests)
+- Support for non-Gitea webhooks

 ## Architecture

@@ -45,7 +44,7 @@ upaas/
 │   │   ├── auth/        # Authentication service
 │   │   ├── deploy/      # Deployment orchestration
 │   │   ├── notify/      # Notifications (ntfy, Slack)
-│   │   └── webhook/     # Webhook processing (Gitea, GitHub, GitLab)
+│   │   └── webhook/     # Gitea webhook processing
 │   └── ssh/             # SSH key generation
 ├── static/              # Embedded CSS/JS assets
 └── templates/           # Embedded HTML templates
--- a/internal/database/migrations/007_add_healthcheck_command.sql
+++ b/internal/database/migrations/007_add_healthcheck_command.sql
@@ -0,0 +1,2 @@
+-- Add custom health check command per app
+ALTER TABLE apps ADD COLUMN healthcheck_command TEXT;
--- a/internal/database/migrations/007_add_resource_limits.sql
+++ b/internal/database/migrations/007_add_resource_limits.sql
@@ -1,3 +0,0 @@
-- Add CPU and memory resource limits per app
-ALTER TABLE apps ADD COLUMN cpu_limit REAL;
-ALTER TABLE apps ADD COLUMN memory_limit INTEGER;
--- a/internal/docker/client.go
+++ b/internal/docker/client.go
@@ -13,6 +13,7 @@ import (
 	"regexp"
 	"strconv"
 	"strings"
+	"time"

 	dockertypes "github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
@@ -145,8 +146,7 @@ type CreateContainerOptions struct {
 	Volumes            []VolumeMount
 	Ports              []PortMapping
 	Network            string
-	CPULimit    float64 // CPU cores (e.g. 0.5 = half a core, 2.0 = two cores). 0 means unlimited.
-	MemoryLimit int64   // Memory in bytes. 0 means unlimited.
+	HealthcheckCommand string // Custom health check shell command (empty = use image default)
 }

 // VolumeMount represents a volume mount.
@@ -163,14 +163,6 @@ type PortMapping struct {
 	Protocol      string // "tcp" or "udp"
 }

-// nanoCPUsPerCPU is the number of NanoCPUs per CPU core.
-const nanoCPUsPerCPU = 1e9
-
-// cpuLimitToNanoCPUs converts a CPU limit (e.g. 0.5 cores) to Docker NanoCPUs.
-func cpuLimitToNanoCPUs(cpuLimit float64) int64 {
-	return int64(cpuLimit * nanoCPUsPerCPU)
-}
-
 // buildPortConfig converts port mappings to Docker port configuration.
 func buildPortConfig(ports []PortMapping) (nat.PortSet, nat.PortMap) {
 	exposedPorts := make(nat.PortSet)
@@ -195,46 +187,27 @@ func buildPortConfig(ports []PortMapping) (nat.PortSet, nat.PortMap) {
 	return exposedPorts, portBindings
 }

-// buildEnvSlice converts an env map to a Docker-compatible env slice.
-func buildEnvSlice(env map[string]string) []string {
-	envSlice := make([]string, 0, len(env))
+// healthcheckInterval is the time between health check attempts.
+const healthcheckInterval = 30 * time.Second

-	for key, val := range env {
-		envSlice = append(envSlice, key+"="+val)
+// healthcheckTimeout is the maximum time a single health check can take.
+const healthcheckTimeout = 10 * time.Second
+
+// healthcheckStartPeriod is the grace period before health checks start counting failures.
+const healthcheckStartPeriod = 15 * time.Second
+
+// healthcheckRetries is the number of consecutive failures needed to mark unhealthy.
+const healthcheckRetries = 3
+
+// buildHealthcheck creates a Docker health check config from a shell command string.
+func buildHealthcheck(command string) *container.HealthConfig {
+	return &container.HealthConfig{
+		Test:        []string{"CMD-SHELL", command},
+		Interval:    healthcheckInterval,
+		Timeout:     healthcheckTimeout,
+		StartPeriod: healthcheckStartPeriod,
+		Retries:     healthcheckRetries,
 	}
-
-	return envSlice
-}
-
-// buildMounts converts volume mounts to Docker mount configuration.
-func buildMounts(volumes []VolumeMount) []mount.Mount {
-	mounts := make([]mount.Mount, 0, len(volumes))
-
-	for _, vol := range volumes {
-		mounts = append(mounts, mount.Mount{
-			Type:     mount.TypeBind,
-			Source:   vol.HostPath,
-			Target:   vol.ContainerPath,
-			ReadOnly: vol.ReadOnly,
-		})
-	}
-
-	return mounts
-}
-
-// buildResources builds Docker resource constraints from container options.
-func buildResources(opts CreateContainerOptions) container.Resources {
-	resources := container.Resources{}
-
-	if opts.CPULimit > 0 {
-		resources.NanoCPUs = cpuLimitToNanoCPUs(opts.CPULimit)
-	}
-
-	if opts.MemoryLimit > 0 {
-		resources.Memory = opts.MemoryLimit
-	}
-
-	return resources
 }

 // CreateContainer creates a new container.
@@ -248,20 +221,48 @@ func (c *Client) CreateContainer(

 	c.log.Info("creating container", "name", opts.Name, "image", opts.Image)

+	// Convert env map to slice
+	envSlice := make([]string, 0, len(opts.Env))
+
+	for key, val := range opts.Env {
+		envSlice = append(envSlice, key+"="+val)
+	}
+
+	// Convert volumes to mounts
+	mounts := make([]mount.Mount, 0, len(opts.Volumes))
+
+	for _, vol := range opts.Volumes {
+		mounts = append(mounts, mount.Mount{
+			Type:     mount.TypeBind,
+			Source:   vol.HostPath,
+			Target:   vol.ContainerPath,
+			ReadOnly: vol.ReadOnly,
+		})
+	}
+
+	// Convert ports to exposed ports and port bindings
 	exposedPorts, portBindings := buildPortConfig(opts.Ports)

-	resp, err := c.docker.ContainerCreate(ctx,
-		&container.Config{
+	// Build container config
+	containerConfig := &container.Config{
 		Image:        opts.Image,
-			Env:          buildEnvSlice(opts.Env),
+		Env:          envSlice,
 		Labels:       opts.Labels,
 		ExposedPorts: exposedPorts,
-		},
+	}
+
+	// Apply custom health check if configured
+	if opts.HealthcheckCommand != "" {
+		containerConfig.Healthcheck = buildHealthcheck(opts.HealthcheckCommand)
+	}
+
+	// Create container
+	resp, err := c.docker.ContainerCreate(ctx,
+		containerConfig,
 		&container.HostConfig{
-			Mounts:       buildMounts(opts.Volumes),
+			Mounts:       mounts,
 			PortBindings: portBindings,
 			NetworkMode:  container.NetworkMode(opts.Network),
-			Resources:    buildResources(opts),
 			RestartPolicy: container.RestartPolicy{
 				Name: container.RestartPolicyUnlessStopped,
 			},
--- a/internal/docker/resource_limits_test.go
+++ b/internal/docker/resource_limits_test.go
@@ -1,31 +0,0 @@
-package docker //nolint:testpackage // tests unexported cpuLimitToNanoCPUs
-
-import (
-	"testing"
-)
-
-func TestCpuLimitToNanoCPUs(t *testing.T) {
-	t.Parallel()
-
-	tests := []struct {
-		name     string
-		cpuLimit float64
-		expected int64
-	}{
-		{"one core", 1.0, 1_000_000_000},
-		{"half core", 0.5, 500_000_000},
-		{"two cores", 2.0, 2_000_000_000},
-		{"quarter core", 0.25, 250_000_000},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-
-			got := cpuLimitToNanoCPUs(tt.cpuLimit)
-			if got != tt.expected {
-				t.Errorf("cpuLimitToNanoCPUs(%v) = %d, want %d", tt.cpuLimit, got, tt.expected)
-			}
-		})
-	}
-}
--- a/internal/docker/validation_test.go
+++ b/internal/docker/validation_test.go
@@ -4,6 +4,7 @@ import (
 	"errors"
 	"log/slog"
 	"testing"
+	"time"
 )

 func TestValidBranchRegex(t *testing.T) {
@@ -146,3 +147,52 @@ func TestCloneRepoRejectsInjection(t *testing.T) { //nolint:funlen // table-driv
 		})
 	}
 }
+
+func TestBuildHealthcheck(t *testing.T) {
+	t.Parallel()
+
+	t.Run("creates CMD-SHELL health check", func(t *testing.T) {
+		t.Parallel()
+
+		cmd := "curl -f http://localhost:8080/healthz || exit 1"
+		hc := buildHealthcheck(cmd)
+
+		if len(hc.Test) != 2 {
+			t.Fatalf("expected 2 test elements, got %d", len(hc.Test))
+		}
+
+		if hc.Test[0] != "CMD-SHELL" {
+			t.Errorf("expected Test[0]=%q, got %q", "CMD-SHELL", hc.Test[0])
+		}
+
+		if hc.Test[1] != cmd {
+			t.Errorf("expected Test[1]=%q, got %q", cmd, hc.Test[1])
+		}
+	})
+
+	t.Run("sets expected intervals", func(t *testing.T) {
+		t.Parallel()
+
+		hc := buildHealthcheck("true")
+
+		expectedInterval := 30 * time.Second
+		if hc.Interval != expectedInterval {
+			t.Errorf("expected Interval=%v, got %v", expectedInterval, hc.Interval)
+		}
+
+		expectedTimeout := 10 * time.Second
+		if hc.Timeout != expectedTimeout {
+			t.Errorf("expected Timeout=%v, got %v", expectedTimeout, hc.Timeout)
+		}
+
+		expectedStartPeriod := 15 * time.Second
+		if hc.StartPeriod != expectedStartPeriod {
+			t.Errorf("expected StartPeriod=%v, got %v", expectedStartPeriod, hc.StartPeriod)
+		}
+
+		expectedRetries := 3
+		if hc.Retries != expectedRetries {
+			t.Errorf("expected Retries=%d, got %d", expectedRetries, hc.Retries)
+		}
+	})
+}
--- a/internal/handlers/app.go
+++ b/internal/handlers/app.go
@@ -57,6 +57,7 @@ func (h *Handlers) HandleAppCreate() http.HandlerFunc { //nolint:funlen // valid
 		dockerNetwork := request.FormValue("docker_network")
 		ntfyTopic := request.FormValue("ntfy_topic")
 		slackWebhook := request.FormValue("slack_webhook")
+		healthcheckCommand := request.FormValue("healthcheck_command")

 		data := h.addGlobals(map[string]any{
 			"Name":               name,
@@ -66,6 +67,7 @@ func (h *Handlers) HandleAppCreate() http.HandlerFunc { //nolint:funlen // valid
 			"DockerNetwork":      dockerNetwork,
 			"NtfyTopic":          ntfyTopic,
 			"SlackWebhook":       slackWebhook,
+			"HealthcheckCommand": healthcheckCommand,
 		}, request)

 		if name == "" || repoURL == "" {
@@ -109,6 +111,7 @@ func (h *Handlers) HandleAppCreate() http.HandlerFunc { //nolint:funlen // valid
 				DockerNetwork:      dockerNetwork,
 				NtfyTopic:          ntfyTopic,
 				SlackWebhook:       slackWebhook,
+				HealthcheckCommand: healthcheckCommand,
 			},
 		)
 		if createErr != nil {
@@ -208,6 +211,11 @@ func (h *Handlers) HandleAppEdit() http.HandlerFunc {
 	}
 }

+// optionalNullString returns a valid NullString if the value is non-empty, or an empty NullString.
+func optionalNullString(value string) sql.NullString {
+	return sql.NullString{String: value, Valid: value != ""}
+}
+
 // HandleAppUpdate handles app updates.
 func (h *Handlers) HandleAppUpdate() http.HandlerFunc { //nolint:funlen // validation adds necessary length
 	tmpl := templates.GetParsed()
@@ -260,17 +268,7 @@ func (h *Handlers) HandleAppUpdate() http.HandlerFunc { //nolint:funlen // valid
 		application.DockerNetwork = optionalNullString(request.FormValue("docker_network"))
 		application.NtfyTopic = optionalNullString(request.FormValue("ntfy_topic"))
 		application.SlackWebhook = optionalNullString(request.FormValue("slack_webhook"))
-
-		limitsErr := applyResourceLimits(application, request)
-		if limitsErr != "" {
-			data := h.addGlobals(map[string]any{
-				"App":   application,
-				"Error": limitsErr,
-			}, request)
-			h.renderTemplate(writer, tmpl, "app_edit.html", data)
-
-			return
-		}
+		application.HealthcheckCommand = optionalNullString(request.FormValue("healthcheck_command"))

 		saveErr := application.Save(request.Context())
 		if saveErr != nil {
@@ -1364,129 +1362,6 @@ func validateVolumePaths(hostPath, containerPath string) error {
 	return nil
 }

-// ErrInvalidMemoryFormat is returned when a memory limit string cannot be parsed.
-var ErrInvalidMemoryFormat = errors.New(
-	"must be a number with optional unit suffix (e.g. 256m, 1g, 512000000)",
-)
-
-// ErrNegativeValue is returned when a resource limit is negative.
-var ErrNegativeValue = errors.New("value must be positive")
-
-// Memory unit byte multipliers.
-const (
-	kilobyte = 1024
-	megabyte = 1024 * 1024
-	gigabyte = 1024 * 1024 * 1024
-)
-
-// optionalNullString converts a form value to a sql.NullString.
-// Returns a valid NullString if non-empty, invalid (NULL) if empty.
-func optionalNullString(s string) sql.NullString {
-	if s != "" {
-		return sql.NullString{String: s, Valid: true}
-	}
-
-	return sql.NullString{}
-}
-
-// applyResourceLimits parses CPU and memory limit form values and applies them to the app.
-// Returns an error message string if validation fails, or empty string on success.
-func applyResourceLimits(application *models.App, request *http.Request) string {
-	cpuLimit, cpuErr := parseOptionalFloat64(request.FormValue("cpu_limit"))
-	if cpuErr != nil {
-		return "Invalid CPU limit: must be a positive number (e.g. 0.5, 1, 2)"
-	}
-
-	application.CPULimit = cpuLimit
-
-	memoryLimit, memErr := parseOptionalMemoryBytes(request.FormValue("memory_limit"))
-	if memErr != nil {
-		return "Invalid memory limit: " + memErr.Error()
-	}
-
-	application.MemoryLimit = memoryLimit
-
-	return ""
-}
-
-// memoryUnitMultiplier returns the byte multiplier for a memory unit suffix.
-// Returns 0 if the suffix is not recognized.
-func memoryUnitMultiplier(suffix byte) int64 {
-	switch suffix {
-	case 'k':
-		return kilobyte
-	case 'm':
-		return megabyte
-	case 'g':
-		return gigabyte
-	default:
-		return 0
-	}
-}
-
-// parseOptionalFloat64 parses an optional float64 form field.
-// Returns a valid NullFloat64 if the string is non-empty and parses to a positive number.
-// Returns an empty NullFloat64 if the string is empty.
-// Returns an error if the string is non-empty but invalid or non-positive.
-func parseOptionalFloat64(s string) (sql.NullFloat64, error) {
-	s = strings.TrimSpace(s)
-	if s == "" {
-		return sql.NullFloat64{}, nil
-	}
-
-	val, err := strconv.ParseFloat(s, 64)
-	if err != nil {
-		return sql.NullFloat64{}, fmt.Errorf("invalid number: %w", err)
-	}
-
-	if val <= 0 {
-		return sql.NullFloat64{}, ErrNegativeValue
-	}
-
-	return sql.NullFloat64{Float64: val, Valid: true}, nil
-}
-
-// parseOptionalMemoryBytes parses an optional memory limit string into bytes.
-// Accepts plain bytes (e.g. "536870912") or suffixed values (e.g. "512m", "1g", "256k").
-// Returns a valid NullInt64 with bytes if non-empty, empty NullInt64 if blank.
-func parseOptionalMemoryBytes(s string) (sql.NullInt64, error) {
-	s = strings.TrimSpace(s)
-	if s == "" {
-		return sql.NullInt64{}, nil
-	}
-
-	s = strings.ToLower(s)
-
-	// Check for unit suffix
-	multiplier := memoryUnitMultiplier(s[len(s)-1])
-	if multiplier > 0 {
-		numStr := s[:len(s)-1]
-
-		val, err := strconv.ParseFloat(numStr, 64)
-		if err != nil {
-			return sql.NullInt64{}, ErrInvalidMemoryFormat
-		}
-
-		if val <= 0 {
-			return sql.NullInt64{}, ErrNegativeValue
-		}
-
-		return sql.NullInt64{Int64: int64(val * float64(multiplier)), Valid: true}, nil
-	}
-
-	// Plain bytes
-	val, err := strconv.ParseInt(s, 10, 64)
-	if err != nil {
-		return sql.NullInt64{}, ErrInvalidMemoryFormat
-	}
-
-	if val <= 0 {
-		return sql.NullInt64{}, ErrNegativeValue
-	}
-
-	return sql.NullInt64{Int64: val, Valid: true}, nil
-}
-
 // formatDeployKey formats an SSH public key with a descriptive comment.
 // Format: ssh-ed25519 AAAA... upaas_2025-01-15_myapp
 func formatDeployKey(pubKey string, createdAt time.Time, appName string) string {
--- a/internal/handlers/resource_limits_test.go
+++ b/internal/handlers/resource_limits_test.go
@@ -1,195 +0,0 @@
-package handlers //nolint:testpackage // tests unexported parsing functions
-
-import (
-	"database/sql"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestParseOptionalFloat64(t *testing.T) {
-	t.Parallel()
-
-	t.Run("empty string returns invalid", func(t *testing.T) {
-		t.Parallel()
-
-		result, err := parseOptionalFloat64("")
-		require.NoError(t, err)
-		assert.False(t, result.Valid)
-	})
-
-	t.Run("whitespace only returns invalid", func(t *testing.T) {
-		t.Parallel()
-
-		result, err := parseOptionalFloat64("   ")
-		require.NoError(t, err)
-		assert.False(t, result.Valid)
-	})
-
-	t.Run("valid float", func(t *testing.T) {
-		t.Parallel()
-
-		result, err := parseOptionalFloat64("0.5")
-		require.NoError(t, err)
-		assert.True(t, result.Valid)
-		assert.InDelta(t, 0.5, result.Float64, 0.001)
-	})
-
-	t.Run("valid integer", func(t *testing.T) {
-		t.Parallel()
-
-		result, err := parseOptionalFloat64("2")
-		require.NoError(t, err)
-		assert.True(t, result.Valid)
-		assert.InDelta(t, 2.0, result.Float64, 0.001)
-	})
-
-	t.Run("negative value rejected", func(t *testing.T) {
-		t.Parallel()
-
-		_, err := parseOptionalFloat64("-1")
-		require.Error(t, err)
-	})
-
-	t.Run("zero value rejected", func(t *testing.T) {
-		t.Parallel()
-
-		_, err := parseOptionalFloat64("0")
-		require.Error(t, err)
-	})
-
-	t.Run("non-numeric rejected", func(t *testing.T) {
-		t.Parallel()
-
-		_, err := parseOptionalFloat64("abc")
-		require.Error(t, err)
-	})
-}
-
-func TestParseOptionalMemoryBytes(t *testing.T) { //nolint:funlen // table-driven test
-	t.Parallel()
-
-	t.Run("empty string returns invalid", func(t *testing.T) {
-		t.Parallel()
-
-		result, err := parseOptionalMemoryBytes("")
-		require.NoError(t, err)
-		assert.False(t, result.Valid)
-	})
-
-	t.Run("whitespace only returns invalid", func(t *testing.T) {
-		t.Parallel()
-
-		result, err := parseOptionalMemoryBytes("   ")
-		require.NoError(t, err)
-		assert.False(t, result.Valid)
-	})
-
-	t.Run("plain bytes", func(t *testing.T) {
-		t.Parallel()
-
-		result, err := parseOptionalMemoryBytes("536870912")
-		require.NoError(t, err)
-		assert.True(t, result.Valid)
-		assert.Equal(t, int64(536870912), result.Int64)
-	})
-
-	t.Run("megabytes suffix", func(t *testing.T) {
-		t.Parallel()
-
-		result, err := parseOptionalMemoryBytes("256m")
-		require.NoError(t, err)
-		assert.True(t, result.Valid)
-		assert.Equal(t, int64(256*1024*1024), result.Int64)
-	})
-
-	t.Run("megabytes suffix uppercase", func(t *testing.T) {
-		t.Parallel()
-
-		result, err := parseOptionalMemoryBytes("256M")
-		require.NoError(t, err)
-		assert.True(t, result.Valid)
-		assert.Equal(t, int64(256*1024*1024), result.Int64)
-	})
-
-	t.Run("gigabytes suffix", func(t *testing.T) {
-		t.Parallel()
-
-		result, err := parseOptionalMemoryBytes("1g")
-		require.NoError(t, err)
-		assert.True(t, result.Valid)
-		assert.Equal(t, int64(1024*1024*1024), result.Int64)
-	})
-
-	t.Run("kilobytes suffix", func(t *testing.T) {
-		t.Parallel()
-
-		result, err := parseOptionalMemoryBytes("512k")
-		require.NoError(t, err)
-		assert.True(t, result.Valid)
-		assert.Equal(t, int64(512*1024), result.Int64)
-	})
-
-	t.Run("fractional gigabytes", func(t *testing.T) {
-		t.Parallel()
-
-		result, err := parseOptionalMemoryBytes("1.5g")
-		require.NoError(t, err)
-		assert.True(t, result.Valid)
-		assert.Equal(t, int64(1.5*1024*1024*1024), result.Int64)
-	})
-
-	t.Run("negative value rejected", func(t *testing.T) {
-		t.Parallel()
-
-		_, err := parseOptionalMemoryBytes("-256m")
-		require.Error(t, err)
-	})
-
-	t.Run("zero value rejected", func(t *testing.T) {
-		t.Parallel()
-
-		_, err := parseOptionalMemoryBytes("0")
-		require.Error(t, err)
-	})
-
-	t.Run("invalid string rejected", func(t *testing.T) {
-		t.Parallel()
-
-		_, err := parseOptionalMemoryBytes("abc")
-		require.Error(t, err)
-	})
-
-	t.Run("negative plain bytes rejected", func(t *testing.T) {
-		t.Parallel()
-
-		_, err := parseOptionalMemoryBytes("-100")
-		require.Error(t, err)
-	})
-}
-
-func TestAppResourceLimitsRoundTrip(t *testing.T) {
-	t.Parallel()
-
-	// Test that parsing and formatting are consistent
-	tests := []struct {
-		input    string
-		expected sql.NullInt64
-		format   string
-	}{
-		{"256m", sql.NullInt64{Int64: 256 * 1024 * 1024, Valid: true}, "256m"},
-		{"1g", sql.NullInt64{Int64: 1024 * 1024 * 1024, Valid: true}, "1g"},
-		{"512k", sql.NullInt64{Int64: 512 * 1024, Valid: true}, "512k"},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.input, func(t *testing.T) {
-			t.Parallel()
-
-			result, err := parseOptionalMemoryBytes(tt.input)
-			require.NoError(t, err)
-			assert.Equal(t, tt.expected, result)
-		})
-	}
-}
--- a/internal/handlers/webhook.go
+++ b/internal/handlers/webhook.go
@@ -7,14 +7,12 @@ import (
 	"github.com/go-chi/chi/v5"

 	"sneak.berlin/go/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/service/webhook"
 )

 // maxWebhookBodySize is the maximum allowed size of a webhook request body (1MB).
 const maxWebhookBodySize = 1 << 20

-// HandleWebhook handles incoming webhooks from Gitea, GitHub, or GitLab.
-// The webhook source is auto-detected from HTTP headers.
+// HandleWebhook handles incoming Gitea webhooks.
 func (h *Handlers) HandleWebhook() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		secret := chi.URLParam(request, "secret")
@@ -52,17 +50,16 @@ func (h *Handlers) HandleWebhook() http.HandlerFunc {
 			return
 		}

-		// Auto-detect webhook source from headers
-		source := webhook.DetectWebhookSource(request.Header)
-
-		// Extract event type based on detected source
-		eventType := webhook.DetectEventType(request.Header, source)
+		// Get event type from header
+		eventType := request.Header.Get("X-Gitea-Event")
+		if eventType == "" {
+			eventType = "push"
+		}

 		// Process webhook
 		webhookErr := h.webhook.HandleWebhook(
 			request.Context(),
 			application,
-			source,
 			eventType,
 			body,
 		)
--- a/internal/models/app.go
+++ b/internal/models/app.go
@@ -14,8 +14,7 @@ import (
 const appColumns = `id, name, repo_url, branch, dockerfile_path, webhook_secret,
 			ssh_private_key, ssh_public_key, image_id, status,
 			docker_network, ntfy_topic, slack_webhook, webhook_secret_hash,
-			previous_image_id, cpu_limit, memory_limit,
-			created_at, updated_at`
+			previous_image_id, healthcheck_command, created_at, updated_at`

 // AppStatus represents the status of an app.
 type AppStatus string
@@ -48,8 +47,7 @@ type App struct {
 	DockerNetwork      sql.NullString
 	NtfyTopic          sql.NullString
 	SlackWebhook       sql.NullString
-	CPULimit          sql.NullFloat64
-	MemoryLimit       sql.NullInt64
+	HealthcheckCommand sql.NullString
 	CreatedAt          time.Time
 	UpdatedAt          time.Time
 }
@@ -145,14 +143,14 @@ func (a *App) insert(ctx context.Context) error {
 			id, name, repo_url, branch, dockerfile_path, webhook_secret,
 			ssh_private_key, ssh_public_key, image_id, status,
 			docker_network, ntfy_topic, slack_webhook, webhook_secret_hash,
-			previous_image_id, cpu_limit, memory_limit
-		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
+			previous_image_id, healthcheck_command
+		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`

 	_, err := a.db.Exec(ctx, query,
 		a.ID, a.Name, a.RepoURL, a.Branch, a.DockerfilePath, a.WebhookSecret,
 		a.SSHPrivateKey, a.SSHPublicKey, a.ImageID, a.Status,
 		a.DockerNetwork, a.NtfyTopic, a.SlackWebhook, a.WebhookSecretHash,
-		a.PreviousImageID, a.CPULimit, a.MemoryLimit,
+		a.PreviousImageID, a.HealthcheckCommand,
 	)
 	if err != nil {
 		return err
@@ -167,8 +165,7 @@ func (a *App) update(ctx context.Context) error {
 			name = ?, repo_url = ?, branch = ?, dockerfile_path = ?,
 			image_id = ?, status = ?,
 			docker_network = ?, ntfy_topic = ?, slack_webhook = ?,
-			previous_image_id = ?,
-			cpu_limit = ?, memory_limit = ?,
+			previous_image_id = ?, healthcheck_command = ?,
 			updated_at = CURRENT_TIMESTAMP
 		WHERE id = ?`

@@ -176,8 +173,7 @@ func (a *App) update(ctx context.Context) error {
 		a.Name, a.RepoURL, a.Branch, a.DockerfilePath,
 		a.ImageID, a.Status,
 		a.DockerNetwork, a.NtfyTopic, a.SlackWebhook,
-		a.PreviousImageID,
-		a.CPULimit, a.MemoryLimit,
+		a.PreviousImageID, a.HealthcheckCommand,
 		a.ID,
 	)

@@ -192,8 +188,7 @@ func (a *App) scan(row *sql.Row) error {
 		&a.ImageID, &a.Status,
 		&a.DockerNetwork, &a.NtfyTopic, &a.SlackWebhook,
 		&a.WebhookSecretHash,
-		&a.PreviousImageID,
-		&a.CPULimit, &a.MemoryLimit,
+		&a.PreviousImageID, &a.HealthcheckCommand,
 		&a.CreatedAt, &a.UpdatedAt,
 	)
 }
@@ -211,8 +206,7 @@ func scanApps(appDB *database.Database, rows *sql.Rows) ([]*App, error) {
 			&app.ImageID, &app.Status,
 			&app.DockerNetwork, &app.NtfyTopic, &app.SlackWebhook,
 			&app.WebhookSecretHash,
-			&app.PreviousImageID,
-			&app.CPULimit, &app.MemoryLimit,
+			&app.PreviousImageID, &app.HealthcheckCommand,
 			&app.CreatedAt, &app.UpdatedAt,
 		)
 		if scanErr != nil {
--- a/internal/models/models_test.go
+++ b/internal/models/models_test.go
@@ -704,6 +704,72 @@ func TestAppGetWebhookEvents(t *testing.T) {
 	assert.Len(t, events, 1)
 }

+// App HealthcheckCommand Tests.
+
+func TestAppHealthcheckCommand(t *testing.T) {
+	t.Parallel()
+
+	t.Run("saves and loads healthcheck command", func(t *testing.T) {
+		t.Parallel()
+
+		testDB, cleanup := setupTestDB(t)
+		defer cleanup()
+
+		app := createTestApp(t, testDB)
+		app.HealthcheckCommand = sql.NullString{
+			String: "curl -f http://localhost:8080/healthz || exit 1",
+			Valid:  true,
+		}
+
+		err := app.Save(context.Background())
+		require.NoError(t, err)
+
+		found, err := models.FindApp(context.Background(), testDB, app.ID)
+		require.NoError(t, err)
+		require.NotNil(t, found)
+		assert.True(t, found.HealthcheckCommand.Valid)
+		assert.Equal(t, "curl -f http://localhost:8080/healthz || exit 1", found.HealthcheckCommand.String)
+	})
+
+	t.Run("null when not set", func(t *testing.T) {
+		t.Parallel()
+
+		testDB, cleanup := setupTestDB(t)
+		defer cleanup()
+
+		app := createTestApp(t, testDB)
+
+		found, err := models.FindApp(context.Background(), testDB, app.ID)
+		require.NoError(t, err)
+		require.NotNil(t, found)
+		assert.False(t, found.HealthcheckCommand.Valid)
+	})
+
+	t.Run("can be cleared", func(t *testing.T) {
+		t.Parallel()
+
+		testDB, cleanup := setupTestDB(t)
+		defer cleanup()
+
+		app := createTestApp(t, testDB)
+		app.HealthcheckCommand = sql.NullString{String: "true", Valid: true}
+
+		err := app.Save(context.Background())
+		require.NoError(t, err)
+
+		// Clear it
+		app.HealthcheckCommand = sql.NullString{}
+
+		err = app.Save(context.Background())
+		require.NoError(t, err)
+
+		found, err := models.FindApp(context.Background(), testDB, app.ID)
+		require.NoError(t, err)
+		require.NotNil(t, found)
+		assert.False(t, found.HealthcheckCommand.Valid)
+	})
+}
+
 // Cascade Delete Tests.

 //nolint:funlen // Test function with many assertions - acceptable for integration tests
@@ -781,96 +847,6 @@ func TestCascadeDelete(t *testing.T) {
 	})
 }

-// Resource Limits Tests.
-
-func TestAppResourceLimits(t *testing.T) { //nolint:funlen // integration test with multiple subtests
-	t.Parallel()
-
-	t.Run("saves and loads CPU limit", func(t *testing.T) {
-		t.Parallel()
-
-		testDB, cleanup := setupTestDB(t)
-		defer cleanup()
-
-		app := createTestApp(t, testDB)
-
-		app.CPULimit = sql.NullFloat64{Float64: 0.5, Valid: true}
-
-		err := app.Save(context.Background())
-		require.NoError(t, err)
-
-		found, err := models.FindApp(context.Background(), testDB, app.ID)
-		require.NoError(t, err)
-		require.NotNil(t, found)
-		assert.True(t, found.CPULimit.Valid)
-		assert.InDelta(t, 0.5, found.CPULimit.Float64, 0.001)
-	})
-
-	t.Run("saves and loads memory limit", func(t *testing.T) {
-		t.Parallel()
-
-		testDB, cleanup := setupTestDB(t)
-		defer cleanup()
-
-		app := createTestApp(t, testDB)
-
-		app.MemoryLimit = sql.NullInt64{Int64: 536870912, Valid: true} // 512m
-
-		err := app.Save(context.Background())
-		require.NoError(t, err)
-
-		found, err := models.FindApp(context.Background(), testDB, app.ID)
-		require.NoError(t, err)
-		require.NotNil(t, found)
-		assert.True(t, found.MemoryLimit.Valid)
-		assert.Equal(t, int64(536870912), found.MemoryLimit.Int64)
-	})
-
-	t.Run("null limits by default", func(t *testing.T) {
-		t.Parallel()
-
-		testDB, cleanup := setupTestDB(t)
-		defer cleanup()
-
-		app := createTestApp(t, testDB)
-
-		found, err := models.FindApp(context.Background(), testDB, app.ID)
-		require.NoError(t, err)
-		require.NotNil(t, found)
-		assert.False(t, found.CPULimit.Valid)
-		assert.False(t, found.MemoryLimit.Valid)
-	})
-
-	t.Run("clears limits when set to null", func(t *testing.T) {
-		t.Parallel()
-
-		testDB, cleanup := setupTestDB(t)
-		defer cleanup()
-
-		app := createTestApp(t, testDB)
-
-		// Set limits
-		app.CPULimit = sql.NullFloat64{Float64: 1.0, Valid: true}
-		app.MemoryLimit = sql.NullInt64{Int64: 1073741824, Valid: true} // 1g
-
-		err := app.Save(context.Background())
-		require.NoError(t, err)
-
-		// Clear limits
-		app.CPULimit = sql.NullFloat64{}
-		app.MemoryLimit = sql.NullInt64{}
-
-		err = app.Save(context.Background())
-		require.NoError(t, err)
-
-		found, err := models.FindApp(context.Background(), testDB, app.ID)
-		require.NoError(t, err)
-		require.NotNil(t, found)
-		assert.False(t, found.CPULimit.Valid)
-		assert.False(t, found.MemoryLimit.Valid)
-	})
-}
-
 // Helper function to create a test app.
 func createTestApp(t *testing.T, testDB *database.Database) *models.App {
 	t.Helper()
--- a/internal/service/app/app.go
+++ b/internal/service/app/app.go
@@ -53,6 +53,7 @@ type CreateAppInput struct {
 	DockerNetwork      string
 	NtfyTopic          string
 	SlackWebhook       string
+	HealthcheckCommand string
 }

 // CreateApp creates a new application with generated SSH keys and webhook secret.
@@ -100,6 +101,10 @@ func (svc *Service) CreateApp(
 		app.SlackWebhook = sql.NullString{String: input.SlackWebhook, Valid: true}
 	}

+	if input.HealthcheckCommand != "" {
+		app.HealthcheckCommand = sql.NullString{String: input.HealthcheckCommand, Valid: true}
+	}
+
 	saveErr := app.Save(ctx)
 	if saveErr != nil {
 		return nil, fmt.Errorf("failed to save app: %w", saveErr)
@@ -119,6 +124,7 @@ type UpdateAppInput struct {
 	DockerNetwork      string
 	NtfyTopic          string
 	SlackWebhook       string
+	HealthcheckCommand string
 }

 // UpdateApp updates an existing application.
@@ -144,6 +150,10 @@ func (svc *Service) UpdateApp(
 		String: input.SlackWebhook,
 		Valid:  input.SlackWebhook != "",
 	}
+	app.HealthcheckCommand = sql.NullString{
+		String: input.HealthcheckCommand,
+		Valid:  input.HealthcheckCommand != "",
+	}

 	saveErr := app.Save(ctx)
 	if saveErr != nil {
--- a/internal/service/deploy/deploy.go
+++ b/internal/service/deploy/deploy.go
@@ -1094,16 +1094,9 @@ func (svc *Service) buildContainerOptions(
 		network = app.DockerNetwork.String
 	}

-	var cpuLimit float64
-
-	if app.CPULimit.Valid {
-		cpuLimit = app.CPULimit.Float64
-	}
-
-	var memoryLimit int64
-
-	if app.MemoryLimit.Valid {
-		memoryLimit = app.MemoryLimit.Int64
+	healthcheckCmd := ""
+	if app.HealthcheckCommand.Valid {
+		healthcheckCmd = app.HealthcheckCommand.String
 	}

 	return docker.CreateContainerOptions{
@@ -1114,8 +1107,7 @@ func (svc *Service) buildContainerOptions(
 		Volumes:            buildVolumeMounts(volumes),
 		Ports:              buildPortMappings(ports),
 		Network:            network,
-		CPULimit:    cpuLimit,
-		MemoryLimit: memoryLimit,
+		HealthcheckCommand: healthcheckCmd,
 	}, nil
 }

--- a/internal/service/deploy/deploy_container_test.go
+++ b/internal/service/deploy/deploy_container_test.go
@@ -45,13 +45,17 @@ func TestBuildContainerOptionsUsesImageID(t *testing.T) {
 	}
 }

-func TestBuildContainerOptionsNoResourceLimits(t *testing.T) {
+func TestBuildContainerOptionsHealthcheckSet(t *testing.T) {
 	t.Parallel()

 	db := database.NewTestDatabase(t)

 	app := models.NewApp(db)
-	app.Name = "nolimits"
+	app.Name = "hc-app"
+	app.HealthcheckCommand = sql.NullString{
+		String: "curl -f http://localhost:8080/healthz || exit 1",
+		Valid:  true,
+	}

 	err := app.Save(context.Background())
 	if err != nil {
@@ -62,29 +66,25 @@ func TestBuildContainerOptionsNoResourceLimits(t *testing.T) {
 	svc := deploy.NewTestService(log)

 	opts, err := svc.BuildContainerOptionsExported(
-		context.Background(), app, docker.ImageID("test:latest"),
+		context.Background(), app, "sha256:test",
 	)
 	if err != nil {
 		t.Fatalf("buildContainerOptions returned error: %v", err)
 	}

-	if opts.CPULimit != 0 {
-		t.Errorf("expected CPULimit=0, got %v", opts.CPULimit)
-	}
-
-	if opts.MemoryLimit != 0 {
-		t.Errorf("expected MemoryLimit=0, got %v", opts.MemoryLimit)
+	expected := "curl -f http://localhost:8080/healthz || exit 1"
+	if opts.HealthcheckCommand != expected {
+		t.Errorf("expected HealthcheckCommand=%q, got %q", expected, opts.HealthcheckCommand)
 	}
 }

-func TestBuildContainerOptionsCPULimit(t *testing.T) {
+func TestBuildContainerOptionsHealthcheckEmpty(t *testing.T) {
 	t.Parallel()

 	db := database.NewTestDatabase(t)

 	app := models.NewApp(db)
-	app.Name = "cpulimit"
-	app.CPULimit = sql.NullFloat64{Float64: 0.5, Valid: true}
+	app.Name = "no-hc-app"

 	err := app.Save(context.Background())
 	if err != nil {
@@ -95,42 +95,13 @@ func TestBuildContainerOptionsCPULimit(t *testing.T) {
 	svc := deploy.NewTestService(log)

 	opts, err := svc.BuildContainerOptionsExported(
-		context.Background(), app, docker.ImageID("test:latest"),
+		context.Background(), app, "sha256:test",
 	)
 	if err != nil {
 		t.Fatalf("buildContainerOptions returned error: %v", err)
 	}

-	if opts.CPULimit != 0.5 {
-		t.Errorf("expected CPULimit=0.5, got %v", opts.CPULimit)
-	}
-}
-
-func TestBuildContainerOptionsMemoryLimit(t *testing.T) {
-	t.Parallel()
-
-	db := database.NewTestDatabase(t)
-
-	app := models.NewApp(db)
-	app.Name = "memlimit"
-	app.MemoryLimit = sql.NullInt64{Int64: 536870912, Valid: true} // 512m
-
-	err := app.Save(context.Background())
-	if err != nil {
-		t.Fatalf("failed to save app: %v", err)
-	}
-
-	log := slog.New(slog.NewTextHandler(os.Stderr, nil))
-	svc := deploy.NewTestService(log)
-
-	opts, err := svc.BuildContainerOptionsExported(
-		context.Background(), app, docker.ImageID("test:latest"),
-	)
-	if err != nil {
-		t.Fatalf("buildContainerOptions returned error: %v", err)
-	}
-
-	if opts.MemoryLimit != 536870912 {
-		t.Errorf("expected MemoryLimit=536870912, got %v", opts.MemoryLimit)
+	if opts.HealthcheckCommand != "" {
+		t.Errorf("expected empty HealthcheckCommand, got %q", opts.HealthcheckCommand)
 	}
 }
--- a/internal/service/webhook/payloads.go
+++ b/internal/service/webhook/payloads.go
@@ -1,248 +0,0 @@
-package webhook
-
-import "encoding/json"
-
-// GiteaPushPayload represents a Gitea push webhook payload.
-//
-//nolint:tagliatelle // Field names match Gitea API (snake_case)
-type GiteaPushPayload struct {
-	Ref        string      `json:"ref"`
-	Before     string      `json:"before"`
-	After      string      `json:"after"`
-	CompareURL UnparsedURL `json:"compare_url"`
-	Repository struct {
-		FullName string      `json:"full_name"`
-		CloneURL UnparsedURL `json:"clone_url"`
-		SSHURL   string      `json:"ssh_url"`
-		HTMLURL  UnparsedURL `json:"html_url"`
-	} `json:"repository"`
-	Pusher struct {
-		Username string `json:"username"`
-		Email    string `json:"email"`
-	} `json:"pusher"`
-	Commits []struct {
-		ID      string      `json:"id"`
-		URL     UnparsedURL `json:"url"`
-		Message string      `json:"message"`
-		Author  struct {
-			Name  string `json:"name"`
-			Email string `json:"email"`
-		} `json:"author"`
-	} `json:"commits"`
-}
-
-// GitHubPushPayload represents a GitHub push webhook payload.
-//
-//nolint:tagliatelle // Field names match GitHub API (snake_case)
-type GitHubPushPayload struct {
-	Ref        string `json:"ref"`
-	Before     string `json:"before"`
-	After      string `json:"after"`
-	CompareURL string `json:"compare"`
-	Repository struct {
-		FullName string      `json:"full_name"`
-		CloneURL UnparsedURL `json:"clone_url"`
-		SSHURL   string      `json:"ssh_url"`
-		HTMLURL  UnparsedURL `json:"html_url"`
-	} `json:"repository"`
-	Pusher struct {
-		Name  string `json:"name"`
-		Email string `json:"email"`
-	} `json:"pusher"`
-	HeadCommit *struct {
-		ID      string      `json:"id"`
-		URL     UnparsedURL `json:"url"`
-		Message string      `json:"message"`
-	} `json:"head_commit"`
-	Commits []struct {
-		ID      string      `json:"id"`
-		URL     UnparsedURL `json:"url"`
-		Message string      `json:"message"`
-		Author  struct {
-			Name  string `json:"name"`
-			Email string `json:"email"`
-		} `json:"author"`
-	} `json:"commits"`
-}
-
-// GitLabPushPayload represents a GitLab push webhook payload.
-//
-//nolint:tagliatelle // Field names match GitLab API (snake_case)
-type GitLabPushPayload struct {
-	Ref       string `json:"ref"`
-	Before    string `json:"before"`
-	After     string `json:"after"`
-	UserName  string `json:"user_name"`
-	UserEmail string `json:"user_email"`
-	Project   struct {
-		PathWithNamespace string      `json:"path_with_namespace"`
-		GitHTTPURL        UnparsedURL `json:"git_http_url"`
-		GitSSHURL         string      `json:"git_ssh_url"`
-		WebURL            UnparsedURL `json:"web_url"`
-	} `json:"project"`
-	Commits []struct {
-		ID      string      `json:"id"`
-		URL     UnparsedURL `json:"url"`
-		Message string      `json:"message"`
-		Author  struct {
-			Name  string `json:"name"`
-			Email string `json:"email"`
-		} `json:"author"`
-	} `json:"commits"`
-}
-
-// ParsePushPayload parses a raw webhook payload into a normalized PushEvent
-// based on the detected webhook source. Returns an error if JSON unmarshaling
-// fails. For SourceUnknown, falls back to Gitea format for backward
-// compatibility.
-func ParsePushPayload(source Source, payload []byte) (*PushEvent, error) {
-	switch source {
-	case SourceGitHub:
-		return parseGitHubPush(payload)
-	case SourceGitLab:
-		return parseGitLabPush(payload)
-	case SourceGitea, SourceUnknown:
-		// Gitea and unknown both use Gitea format for backward compatibility.
-		return parseGiteaPush(payload)
-	}
-
-	// Unreachable for known source values, but satisfies exhaustive checker.
-	return parseGiteaPush(payload)
-}
-
-func parseGiteaPush(payload []byte) (*PushEvent, error) {
-	var p GiteaPushPayload
-
-	unmarshalErr := json.Unmarshal(payload, &p)
-	if unmarshalErr != nil {
-		return nil, unmarshalErr
-	}
-
-	commitURL := extractGiteaCommitURL(p)
-
-	return &PushEvent{
-		Source:    SourceGitea,
-		Ref:       p.Ref,
-		Before:    p.Before,
-		After:     p.After,
-		Branch:    extractBranch(p.Ref),
-		RepoName:  p.Repository.FullName,
-		CloneURL:  p.Repository.CloneURL,
-		HTMLURL:   p.Repository.HTMLURL,
-		CommitURL: commitURL,
-		Pusher:    p.Pusher.Username,
-	}, nil
-}
-
-func parseGitHubPush(payload []byte) (*PushEvent, error) {
-	var p GitHubPushPayload
-
-	unmarshalErr := json.Unmarshal(payload, &p)
-	if unmarshalErr != nil {
-		return nil, unmarshalErr
-	}
-
-	commitURL := extractGitHubCommitURL(p)
-
-	return &PushEvent{
-		Source:    SourceGitHub,
-		Ref:       p.Ref,
-		Before:    p.Before,
-		After:     p.After,
-		Branch:    extractBranch(p.Ref),
-		RepoName:  p.Repository.FullName,
-		CloneURL:  p.Repository.CloneURL,
-		HTMLURL:   p.Repository.HTMLURL,
-		CommitURL: commitURL,
-		Pusher:    p.Pusher.Name,
-	}, nil
-}
-
-func parseGitLabPush(payload []byte) (*PushEvent, error) {
-	var p GitLabPushPayload
-
-	unmarshalErr := json.Unmarshal(payload, &p)
-	if unmarshalErr != nil {
-		return nil, unmarshalErr
-	}
-
-	commitURL := extractGitLabCommitURL(p)
-
-	return &PushEvent{
-		Source:    SourceGitLab,
-		Ref:       p.Ref,
-		Before:    p.Before,
-		After:     p.After,
-		Branch:    extractBranch(p.Ref),
-		RepoName:  p.Project.PathWithNamespace,
-		CloneURL:  p.Project.GitHTTPURL,
-		HTMLURL:   p.Project.WebURL,
-		CommitURL: commitURL,
-		Pusher:    p.UserName,
-	}, nil
-}
-
-// extractBranch extracts the branch name from a git ref.
-func extractBranch(ref string) string {
-	// refs/heads/main -> main
-	const prefix = "refs/heads/"
-
-	if len(ref) >= len(prefix) && ref[:len(prefix)] == prefix {
-		return ref[len(prefix):]
-	}
-
-	return ref
-}
-
-// extractGiteaCommitURL extracts the commit URL from a Gitea push payload.
-// Prefers the URL from the head commit, falls back to constructing from repo URL.
-func extractGiteaCommitURL(payload GiteaPushPayload) UnparsedURL {
-	for _, commit := range payload.Commits {
-		if commit.ID == payload.After && commit.URL != "" {
-			return commit.URL
-		}
-	}
-
-	if payload.Repository.HTMLURL != "" && payload.After != "" {
-		return UnparsedURL(payload.Repository.HTMLURL.String() + "/commit/" + payload.After)
-	}
-
-	return ""
-}
-
-// extractGitHubCommitURL extracts the commit URL from a GitHub push payload.
-// Prefers head_commit.url, then searches commits, then constructs from repo URL.
-func extractGitHubCommitURL(payload GitHubPushPayload) UnparsedURL {
-	if payload.HeadCommit != nil && payload.HeadCommit.URL != "" {
-		return payload.HeadCommit.URL
-	}
-
-	for _, commit := range payload.Commits {
-		if commit.ID == payload.After && commit.URL != "" {
-			return commit.URL
-		}
-	}
-
-	if payload.Repository.HTMLURL != "" && payload.After != "" {
-		return UnparsedURL(payload.Repository.HTMLURL.String() + "/commit/" + payload.After)
-	}
-
-	return ""
-}
-
-// extractGitLabCommitURL extracts the commit URL from a GitLab push payload.
-// Prefers commit URL from the commits list, falls back to constructing from
-// project web URL.
-func extractGitLabCommitURL(payload GitLabPushPayload) UnparsedURL {
-	for _, commit := range payload.Commits {
-		if commit.ID == payload.After && commit.URL != "" {
-			return commit.URL
-		}
-	}
-
-	if payload.Project.WebURL != "" && payload.After != "" {
-		return UnparsedURL(payload.Project.WebURL.String() + "/-/commit/" + payload.After)
-	}
-
-	return ""
-}
--- a/internal/service/webhook/types.go
+++ b/internal/service/webhook/types.go
@@ -1,7 +1,5 @@
 package webhook

-import "net/http"
-
 // UnparsedURL is a URL stored as a plain string without parsing.
 // Use this instead of string when the value is known to be a URL
 // but should not be parsed into a net/url.URL (e.g. webhook URLs,
@@ -10,84 +8,3 @@ type UnparsedURL string

 // String implements the fmt.Stringer interface.
 func (u UnparsedURL) String() string { return string(u) }
-
-// Source identifies which git hosting platform sent the webhook.
-type Source string
-
-const (
-	// SourceGitea indicates the webhook was sent by a Gitea instance.
-	SourceGitea Source = "gitea"
-
-	// SourceGitHub indicates the webhook was sent by GitHub.
-	SourceGitHub Source = "github"
-
-	// SourceGitLab indicates the webhook was sent by a GitLab instance.
-	SourceGitLab Source = "gitlab"
-
-	// SourceUnknown indicates the webhook source could not be determined.
-	SourceUnknown Source = "unknown"
-)
-
-// String implements the fmt.Stringer interface.
-func (s Source) String() string { return string(s) }
-
-// DetectWebhookSource determines the webhook source from HTTP headers.
-// It checks for platform-specific event headers in this order:
-// Gitea (X-Gitea-Event), GitHub (X-GitHub-Event), GitLab (X-Gitlab-Event).
-// Returns SourceUnknown if no recognized header is found.
-func DetectWebhookSource(headers http.Header) Source {
-	if headers.Get("X-Gitea-Event") != "" {
-		return SourceGitea
-	}
-
-	if headers.Get("X-Github-Event") != "" {
-		return SourceGitHub
-	}
-
-	if headers.Get("X-Gitlab-Event") != "" {
-		return SourceGitLab
-	}
-
-	return SourceUnknown
-}
-
-// DetectEventType extracts the event type string from HTTP headers
-// based on the detected webhook source. Returns "push" as a fallback
-// when no event header is found.
-func DetectEventType(headers http.Header, source Source) string {
-	switch source {
-	case SourceGitea:
-		if v := headers.Get("X-Gitea-Event"); v != "" {
-			return v
-		}
-	case SourceGitHub:
-		if v := headers.Get("X-Github-Event"); v != "" {
-			return v
-		}
-	case SourceGitLab:
-		if v := headers.Get("X-Gitlab-Event"); v != "" {
-			return v
-		}
-	case SourceUnknown:
-		// Fall through to default
-	}
-
-	return "push"
-}
-
-// PushEvent is a normalized representation of a push webhook payload
-// from any supported source (Gitea, GitHub, GitLab). The webhook
-// service converts source-specific payloads into this format before
-// processing.
-type PushEvent struct {
-	Source    Source
-	Ref       string
-	Before    string
-	After     string
-	Branch    string
-	RepoName  string
-	CloneURL  UnparsedURL
-	HTMLURL   UnparsedURL
-	CommitURL UnparsedURL
-	Pusher    string
-}
--- a/internal/service/webhook/webhook.go
+++ b/internal/service/webhook/webhook.go
@@ -4,6 +4,7 @@ package webhook
 import (
 	"context"
 	"database/sql"
+	"encoding/json"
 	"fmt"
 	"log/slog"

@@ -43,46 +44,68 @@ func New(_ fx.Lifecycle, params ServiceParams) (*Service, error) {
 	}, nil
 }

-// HandleWebhook processes a webhook request from any supported source
-// (Gitea, GitHub, or GitLab). The source parameter determines which
-// payload format to use for parsing.
+// GiteaPushPayload represents a Gitea push webhook payload.
+//
+//nolint:tagliatelle // Field names match Gitea API (snake_case)
+type GiteaPushPayload struct {
+	Ref        string      `json:"ref"`
+	Before     string      `json:"before"`
+	After      string      `json:"after"`
+	CompareURL UnparsedURL `json:"compare_url"`
+	Repository struct {
+		FullName string      `json:"full_name"`
+		CloneURL UnparsedURL `json:"clone_url"`
+		SSHURL   string      `json:"ssh_url"`
+		HTMLURL  UnparsedURL `json:"html_url"`
+	} `json:"repository"`
+	Pusher struct {
+		Username string `json:"username"`
+		Email    string `json:"email"`
+	} `json:"pusher"`
+	Commits []struct {
+		ID      string      `json:"id"`
+		URL     UnparsedURL `json:"url"`
+		Message string      `json:"message"`
+		Author  struct {
+			Name  string `json:"name"`
+			Email string `json:"email"`
+		} `json:"author"`
+	} `json:"commits"`
+}
+
+// HandleWebhook processes a webhook request.
 func (svc *Service) HandleWebhook(
 	ctx context.Context,
 	app *models.App,
-	source Source,
 	eventType string,
 	payload []byte,
 ) error {
-	svc.log.Info("processing webhook",
-		"app", app.Name,
-		"source", source.String(),
-		"event", eventType,
-	)
+	svc.log.Info("processing webhook", "app", app.Name, "event", eventType)

-	// Parse payload into normalized push event
-	pushEvent, parseErr := ParsePushPayload(source, payload)
-	if parseErr != nil {
-		svc.log.Warn("failed to parse webhook payload",
-			"error", parseErr,
-			"source", source.String(),
-		)
-		// Continue with empty push event to still log the webhook
-		pushEvent = &PushEvent{Source: source}
+	// Parse payload
+	var pushPayload GiteaPushPayload
+
+	unmarshalErr := json.Unmarshal(payload, &pushPayload)
+	if unmarshalErr != nil {
+		svc.log.Warn("failed to parse webhook payload", "error", unmarshalErr)
+		// Continue anyway to log the event
 	}

+	// Extract branch from ref
+	branch := extractBranch(pushPayload.Ref)
+	commitSHA := pushPayload.After
+	commitURL := extractCommitURL(pushPayload)
+
 	// Check if branch matches
-	matched := pushEvent.Branch == app.Branch
+	matched := branch == app.Branch

 	// Create webhook event record
 	event := models.NewWebhookEvent(svc.db)
 	event.AppID = app.ID
 	event.EventType = eventType
-	event.Branch = pushEvent.Branch
-	event.CommitSHA = sql.NullString{String: pushEvent.After, Valid: pushEvent.After != ""}
-	event.CommitURL = sql.NullString{
-		String: pushEvent.CommitURL.String(),
-		Valid:  pushEvent.CommitURL != "",
-	}
+	event.Branch = branch
+	event.CommitSHA = sql.NullString{String: commitSHA, Valid: commitSHA != ""}
+	event.CommitURL = sql.NullString{String: commitURL.String(), Valid: commitURL != ""}
 	event.Payload = sql.NullString{String: string(payload), Valid: true}
 	event.Matched = matched
 	event.Processed = false
@@ -94,10 +117,9 @@ func (svc *Service) HandleWebhook(

 	svc.log.Info("webhook event recorded",
 		"app", app.Name,
-		"source", source.String(),
-		"branch", pushEvent.Branch,
+		"branch", branch,
 		"matched", matched,
-		"commit", pushEvent.After,
+		"commit", commitSHA,
 	)

 	// If branch matches, trigger deployment
@@ -132,3 +154,33 @@ func (svc *Service) triggerDeployment(
 		_ = event.Save(deployCtx)
 	}()
 }
+
+// extractBranch extracts the branch name from a git ref.
+func extractBranch(ref string) string {
+	// refs/heads/main -> main
+	const prefix = "refs/heads/"
+
+	if len(ref) >= len(prefix) && ref[:len(prefix)] == prefix {
+		return ref[len(prefix):]
+	}
+
+	return ref
+}
+
+// extractCommitURL extracts the commit URL from the webhook payload.
+// Prefers the URL from the head commit, falls back to constructing from repo URL.
+func extractCommitURL(payload GiteaPushPayload) UnparsedURL {
+	// Try to find the URL from the head commit (matching After SHA)
+	for _, commit := range payload.Commits {
+		if commit.ID == payload.After && commit.URL != "" {
+			return commit.URL
+		}
+	}
+
+	// Fall back to constructing URL from repo HTML URL
+	if payload.Repository.HTMLURL != "" && payload.After != "" {
+		return UnparsedURL(payload.Repository.HTMLURL.String() + "/commit/" + payload.After)
+	}
+
+	return ""
+}
--- a/internal/service/webhook/webhook_test.go
+++ b/internal/service/webhook/webhook_test.go
@@ -3,7 +3,6 @@ package webhook_test
 import (
 	"context"
 	"encoding/json"
-	"net/http"
 	"os"
 	"path/filepath"
 	"testing"
@@ -103,114 +102,44 @@ func createTestApp(
 	return app
 }

-// TestDetectWebhookSource tests auto-detection of webhook source from HTTP headers.
-//
 //nolint:funlen // table-driven test with comprehensive test cases
-func TestDetectWebhookSource(testingT *testing.T) {
+func TestExtractBranch(testingT *testing.T) {
 	testingT.Parallel()

 	tests := []struct {
 		name     string
-		headers  map[string]string
-		expected webhook.Source
-	}{
-		{
-			name:     "detects Gitea from X-Gitea-Event header",
-			headers:  map[string]string{"X-Gitea-Event": "push"},
-			expected: webhook.SourceGitea,
-		},
-		{
-			name:     "detects GitHub from X-GitHub-Event header",
-			headers:  map[string]string{"X-GitHub-Event": "push"},
-			expected: webhook.SourceGitHub,
-		},
-		{
-			name:     "detects GitLab from X-Gitlab-Event header",
-			headers:  map[string]string{"X-Gitlab-Event": "Push Hook"},
-			expected: webhook.SourceGitLab,
-		},
-		{
-			name:     "returns unknown when no recognized header",
-			headers:  map[string]string{"Content-Type": "application/json"},
-			expected: webhook.SourceUnknown,
-		},
-		{
-			name:     "returns unknown for empty headers",
-			headers:  map[string]string{},
-			expected: webhook.SourceUnknown,
-		},
-		{
-			name: "Gitea takes precedence over GitHub",
-			headers: map[string]string{
-				"X-Gitea-Event":  "push",
-				"X-GitHub-Event": "push",
-			},
-			expected: webhook.SourceGitea,
-		},
-		{
-			name: "GitHub takes precedence over GitLab",
-			headers: map[string]string{
-				"X-GitHub-Event": "push",
-				"X-Gitlab-Event": "Push Hook",
-			},
-			expected: webhook.SourceGitHub,
-		},
-	}
-
-	for _, testCase := range tests {
-		testingT.Run(testCase.name, func(t *testing.T) {
-			t.Parallel()
-
-			headers := http.Header{}
-			for key, value := range testCase.headers {
-				headers.Set(key, value)
-			}
-
-			result := webhook.DetectWebhookSource(headers)
-			assert.Equal(t, testCase.expected, result)
-		})
-	}
-}
-
-// TestDetectEventType tests event type extraction from HTTP headers.
-func TestDetectEventType(testingT *testing.T) {
-	testingT.Parallel()
-
-	tests := []struct {
-		name     string
-		headers  map[string]string
-		source   webhook.Source
+		ref      string
 		expected string
 	}{
 		{
-			name:     "extracts Gitea event type",
-			headers:  map[string]string{"X-Gitea-Event": "push"},
-			source:   webhook.SourceGitea,
-			expected: "push",
+			name:     "extracts main branch",
+			ref:      "refs/heads/main",
+			expected: "main",
 		},
 		{
-			name:     "extracts GitHub event type",
-			headers:  map[string]string{"X-GitHub-Event": "push"},
-			source:   webhook.SourceGitHub,
-			expected: "push",
+			name:     "extracts feature branch",
+			ref:      "refs/heads/feature/new-feature",
+			expected: "feature/new-feature",
 		},
 		{
-			name:     "extracts GitLab event type",
-			headers:  map[string]string{"X-Gitlab-Event": "Push Hook"},
-			source:   webhook.SourceGitLab,
-			expected: "Push Hook",
+			name:     "extracts develop branch",
+			ref:      "refs/heads/develop",
+			expected: "develop",
 		},
 		{
-			name:     "returns push for unknown source",
-			headers:  map[string]string{},
-			source:   webhook.SourceUnknown,
-			expected: "push",
+			name:     "returns raw ref if no prefix",
+			ref:      "main",
+			expected: "main",
 		},
 		{
-			name:     "returns push when header missing for source",
-			headers:  map[string]string{},
-			source:   webhook.SourceGitea,
-			expected: "push",
+			name:     "handles empty ref",
+			ref:      "",
+			expected: "",
+		},
+		{
+			name:     "handles partial prefix",
+			ref:      "refs/heads/",
+			expected: "",
 		},
 	}

@@ -218,318 +147,123 @@ func TestDetectEventType(testingT *testing.T) {
 		testingT.Run(testCase.name, func(t *testing.T) {
 			t.Parallel()

-			headers := http.Header{}
-			for key, value := range testCase.headers {
-				headers.Set(key, value)
-			}
+			// We test via HandleWebhook since extractBranch is not exported.
+			// The test verifies behavior indirectly through the webhook event's branch.
+			svc, dbInst, cleanup := setupTestService(t)
+			defer cleanup()

-			result := webhook.DetectEventType(headers, testCase.source)
-			assert.Equal(t, testCase.expected, result)
+			app := createTestApp(t, dbInst, testCase.expected)
+
+			payload := []byte(`{"ref": "` + testCase.ref + `"}`)
+
+			err := svc.HandleWebhook(context.Background(), app, "push", payload)
+			require.NoError(t, err)
+
+			// Allow async deployment goroutine to complete before test cleanup
+			time.Sleep(100 * time.Millisecond)
+
+			events, err := app.GetWebhookEvents(context.Background(), 10)
+			require.NoError(t, err)
+			require.Len(t, events, 1)
+
+			assert.Equal(t, testCase.expected, events[0].Branch)
 		})
 	}
 }

-// TestWebhookSourceString tests the String method on WebhookSource.
-func TestWebhookSourceString(t *testing.T) {
+func TestHandleWebhookMatchingBranch(t *testing.T) {
 	t.Parallel()

-	assert.Equal(t, "gitea", webhook.SourceGitea.String())
-	assert.Equal(t, "github", webhook.SourceGitHub.String())
-	assert.Equal(t, "gitlab", webhook.SourceGitLab.String())
-	assert.Equal(t, "unknown", webhook.SourceUnknown.String())
-}
+	svc, dbInst, cleanup := setupTestService(t)
+	defer cleanup()

-// TestUnparsedURLString tests the String method on UnparsedURL.
-func TestUnparsedURLString(t *testing.T) {
-	t.Parallel()
-
-	u := webhook.UnparsedURL("https://example.com/test")
-	assert.Equal(t, "https://example.com/test", u.String())
-
-	empty := webhook.UnparsedURL("")
-	assert.Empty(t, empty.String())
-}
-
-// TestParsePushPayloadGitea tests parsing of Gitea push payloads.
-func TestParsePushPayloadGitea(t *testing.T) {
-	t.Parallel()
+	app := createTestApp(t, dbInst, "main")

 	payload := []byte(`{
 		"ref": "refs/heads/main",
 		"before": "0000000000000000000000000000000000000000",
-		"after": "abc123def456789",
-		"compare_url": "https://gitea.example.com/myorg/myrepo/compare/000...abc",
+		"after": "abc123def456",
 		"repository": {
-			"full_name": "myorg/myrepo",
-			"clone_url": "https://gitea.example.com/myorg/myrepo.git",
-			"ssh_url": "git@gitea.example.com:myorg/myrepo.git",
-			"html_url": "https://gitea.example.com/myorg/myrepo"
+			"full_name": "user/repo",
+			"clone_url": "https://gitea.example.com/user/repo.git",
+			"ssh_url": "git@gitea.example.com:user/repo.git"
 		},
-		"pusher": {"username": "developer", "email": "dev@example.com"},
-		"commits": [
-			{
-				"id": "abc123def456789",
-				"url": "https://gitea.example.com/myorg/myrepo/commit/abc123def456789",
-				"message": "Fix bug",
-				"author": {"name": "Developer", "email": "dev@example.com"}
-			}
-		]
+		"pusher": {"username": "testuser", "email": "test@example.com"},
+		"commits": [{"id": "abc123def456", "message": "Test commit",
+			"author": {"name": "Test User", "email": "test@example.com"}}]
 	}`)

-	event, err := webhook.ParsePushPayload(webhook.SourceGitea, payload)
+	err := svc.HandleWebhook(context.Background(), app, "push", payload)
 	require.NoError(t, err)

-	assert.Equal(t, webhook.SourceGitea, event.Source)
-	assert.Equal(t, "refs/heads/main", event.Ref)
+	// Allow async deployment goroutine to complete before test cleanup
+	time.Sleep(100 * time.Millisecond)
+
+	events, err := app.GetWebhookEvents(context.Background(), 10)
+	require.NoError(t, err)
+	require.Len(t, events, 1)
+
+	event := events[0]
+	assert.Equal(t, "push", event.EventType)
 	assert.Equal(t, "main", event.Branch)
-	assert.Equal(t, "abc123def456789", event.After)
-	assert.Equal(t, "myorg/myrepo", event.RepoName)
-	assert.Equal(t, webhook.UnparsedURL("https://gitea.example.com/myorg/myrepo.git"), event.CloneURL)
-	assert.Equal(t, webhook.UnparsedURL("https://gitea.example.com/myorg/myrepo"), event.HTMLURL)
-	assert.Equal(t,
-		webhook.UnparsedURL("https://gitea.example.com/myorg/myrepo/commit/abc123def456789"),
-		event.CommitURL,
-	)
-	assert.Equal(t, "developer", event.Pusher)
+	assert.True(t, event.Matched)
+	assert.Equal(t, "abc123def456", event.CommitSHA.String)
 }

-// TestParsePushPayloadGitHub tests parsing of GitHub push payloads.
-func TestParsePushPayloadGitHub(t *testing.T) {
+func TestHandleWebhookNonMatchingBranch(t *testing.T) {
 	t.Parallel()

-	payload := []byte(`{
-		"ref": "refs/heads/main",
-		"before": "0000000000000000000000000000000000000000",
-		"after": "abc123def456789",
-		"compare": "https://github.com/myorg/myrepo/compare/000...abc",
-		"repository": {
-			"full_name": "myorg/myrepo",
-			"clone_url": "https://github.com/myorg/myrepo.git",
-			"ssh_url": "git@github.com:myorg/myrepo.git",
-			"html_url": "https://github.com/myorg/myrepo"
-		},
-		"pusher": {"name": "developer", "email": "dev@example.com"},
-		"head_commit": {
-			"id": "abc123def456789",
-			"url": "https://github.com/myorg/myrepo/commit/abc123def456789",
-			"message": "Fix bug"
-		},
-		"commits": [
-			{
-				"id": "abc123def456789",
-				"url": "https://github.com/myorg/myrepo/commit/abc123def456789",
-				"message": "Fix bug",
-				"author": {"name": "Developer", "email": "dev@example.com"}
-			}
-		]
-	}`)
+	svc, dbInst, cleanup := setupTestService(t)
+	defer cleanup()

-	event, err := webhook.ParsePushPayload(webhook.SourceGitHub, payload)
+	app := createTestApp(t, dbInst, "main")
+
+	payload := []byte(`{"ref": "refs/heads/develop", "after": "def789ghi012"}`)
+
+	err := svc.HandleWebhook(context.Background(), app, "push", payload)
 	require.NoError(t, err)

-	assert.Equal(t, webhook.SourceGitHub, event.Source)
-	assert.Equal(t, "refs/heads/main", event.Ref)
-	assert.Equal(t, "main", event.Branch)
-	assert.Equal(t, "abc123def456789", event.After)
-	assert.Equal(t, "myorg/myrepo", event.RepoName)
-	assert.Equal(t, webhook.UnparsedURL("https://github.com/myorg/myrepo.git"), event.CloneURL)
-	assert.Equal(t, webhook.UnparsedURL("https://github.com/myorg/myrepo"), event.HTMLURL)
-	assert.Equal(t,
-		webhook.UnparsedURL("https://github.com/myorg/myrepo/commit/abc123def456789"),
-		event.CommitURL,
-	)
-	assert.Equal(t, "developer", event.Pusher)
+	events, err := app.GetWebhookEvents(context.Background(), 10)
+	require.NoError(t, err)
+	require.Len(t, events, 1)
+
+	assert.Equal(t, "develop", events[0].Branch)
+	assert.False(t, events[0].Matched)
 }

-// TestParsePushPayloadGitLab tests parsing of GitLab push payloads.
-func TestParsePushPayloadGitLab(t *testing.T) {
+func TestHandleWebhookInvalidJSON(t *testing.T) {
 	t.Parallel()

-	payload := []byte(`{
-		"ref": "refs/heads/develop",
-		"before": "0000000000000000000000000000000000000000",
-		"after": "abc123def456789",
-		"user_name": "developer",
-		"user_email": "dev@example.com",
-		"project": {
-			"path_with_namespace": "mygroup/myproject",
-			"git_http_url": "https://gitlab.com/mygroup/myproject.git",
-			"git_ssh_url": "git@gitlab.com:mygroup/myproject.git",
-			"web_url": "https://gitlab.com/mygroup/myproject"
-		},
-		"commits": [
-			{
-				"id": "abc123def456789",
-				"url": "https://gitlab.com/mygroup/myproject/-/commit/abc123def456789",
-				"message": "Fix bug",
-				"author": {"name": "Developer", "email": "dev@example.com"}
-			}
-		]
-	}`)
+	svc, dbInst, cleanup := setupTestService(t)
+	defer cleanup()

-	event, err := webhook.ParsePushPayload(webhook.SourceGitLab, payload)
+	app := createTestApp(t, dbInst, "main")
+
+	err := svc.HandleWebhook(context.Background(), app, "push", []byte(`{invalid json}`))
 	require.NoError(t, err)

-	assert.Equal(t, webhook.SourceGitLab, event.Source)
-	assert.Equal(t, "refs/heads/develop", event.Ref)
-	assert.Equal(t, "develop", event.Branch)
-	assert.Equal(t, "abc123def456789", event.After)
-	assert.Equal(t, "mygroup/myproject", event.RepoName)
-	assert.Equal(t, webhook.UnparsedURL("https://gitlab.com/mygroup/myproject.git"), event.CloneURL)
-	assert.Equal(t, webhook.UnparsedURL("https://gitlab.com/mygroup/myproject"), event.HTMLURL)
-	assert.Equal(t,
-		webhook.UnparsedURL("https://gitlab.com/mygroup/myproject/-/commit/abc123def456789"),
-		event.CommitURL,
-	)
-	assert.Equal(t, "developer", event.Pusher)
+	events, err := app.GetWebhookEvents(context.Background(), 10)
+	require.NoError(t, err)
+	require.Len(t, events, 1)
 }

-// TestParsePushPayloadUnknownFallsBackToGitea tests that unknown source uses Gitea parser.
-func TestParsePushPayloadUnknownFallsBackToGitea(t *testing.T) {
+func TestHandleWebhookEmptyPayload(t *testing.T) {
 	t.Parallel()

-	payload := []byte(`{
-		"ref": "refs/heads/main",
-		"after": "abc123",
-		"repository": {"full_name": "user/repo"},
-		"pusher": {"username": "user"}
-	}`)
+	svc, dbInst, cleanup := setupTestService(t)
+	defer cleanup()

-	event, err := webhook.ParsePushPayload(webhook.SourceUnknown, payload)
+	app := createTestApp(t, dbInst, "main")
+
+	err := svc.HandleWebhook(context.Background(), app, "push", []byte(`{}`))
 	require.NoError(t, err)

-	assert.Equal(t, webhook.SourceGitea, event.Source)
-	assert.Equal(t, "main", event.Branch)
-	assert.Equal(t, "abc123", event.After)
-}
-
-// TestParsePushPayloadInvalidJSON tests that invalid JSON returns an error.
-func TestParsePushPayloadInvalidJSON(t *testing.T) {
-	t.Parallel()
-
-	sources := []webhook.Source{
-		webhook.SourceGitea,
-		webhook.SourceGitHub,
-		webhook.SourceGitLab,
-	}
-
-	for _, source := range sources {
-		t.Run(source.String(), func(t *testing.T) {
-			t.Parallel()
-
-			_, err := webhook.ParsePushPayload(source, []byte(`{invalid json}`))
-			require.Error(t, err)
-		})
-	}
-}
-
-// TestParsePushPayloadEmptyPayload tests parsing of empty JSON objects.
-func TestParsePushPayloadEmptyPayload(t *testing.T) {
-	t.Parallel()
-
-	sources := []webhook.Source{
-		webhook.SourceGitea,
-		webhook.SourceGitHub,
-		webhook.SourceGitLab,
-	}
-
-	for _, source := range sources {
-		t.Run(source.String(), func(t *testing.T) {
-			t.Parallel()
-
-			event, err := webhook.ParsePushPayload(source, []byte(`{}`))
+	events, err := app.GetWebhookEvents(context.Background(), 10)
 	require.NoError(t, err)
-
-			assert.Empty(t, event.Branch)
-			assert.Empty(t, event.After)
-		})
-	}
+	require.Len(t, events, 1)
+	assert.False(t, events[0].Matched)
 }

-// TestGitHubCommitURLFallback tests commit URL extraction fallback paths for GitHub.
-func TestGitHubCommitURLFallback(t *testing.T) {
-	t.Parallel()
-
-	t.Run("uses head_commit URL when available", func(t *testing.T) {
-		t.Parallel()
-
-		payload := []byte(`{
-			"ref": "refs/heads/main",
-			"after": "abc123",
-			"head_commit": {"id": "abc123", "url": "https://github.com/u/r/commit/abc123"},
-			"repository": {"html_url": "https://github.com/u/r"}
-		}`)
-
-		event, err := webhook.ParsePushPayload(webhook.SourceGitHub, payload)
-		require.NoError(t, err)
-		assert.Equal(t, webhook.UnparsedURL("https://github.com/u/r/commit/abc123"), event.CommitURL)
-	})
-
-	t.Run("falls back to commits list", func(t *testing.T) {
-		t.Parallel()
-
-		payload := []byte(`{
-			"ref": "refs/heads/main",
-			"after": "abc123",
-			"commits": [{"id": "abc123", "url": "https://github.com/u/r/commit/abc123"}],
-			"repository": {"html_url": "https://github.com/u/r"}
-		}`)
-
-		event, err := webhook.ParsePushPayload(webhook.SourceGitHub, payload)
-		require.NoError(t, err)
-		assert.Equal(t, webhook.UnparsedURL("https://github.com/u/r/commit/abc123"), event.CommitURL)
-	})
-
-	t.Run("constructs URL from repo HTML URL", func(t *testing.T) {
-		t.Parallel()
-
-		payload := []byte(`{
-			"ref": "refs/heads/main",
-			"after": "abc123",
-			"repository": {"html_url": "https://github.com/u/r"}
-		}`)
-
-		event, err := webhook.ParsePushPayload(webhook.SourceGitHub, payload)
-		require.NoError(t, err)
-		assert.Equal(t, webhook.UnparsedURL("https://github.com/u/r/commit/abc123"), event.CommitURL)
-	})
-}
-
-// TestGitLabCommitURLFallback tests commit URL extraction fallback paths for GitLab.
-func TestGitLabCommitURLFallback(t *testing.T) {
-	t.Parallel()
-
-	t.Run("uses commit URL from list", func(t *testing.T) {
-		t.Parallel()
-
-		payload := []byte(`{
-			"ref": "refs/heads/main",
-			"after": "abc123",
-			"project": {"web_url": "https://gitlab.com/g/p"},
-			"commits": [{"id": "abc123", "url": "https://gitlab.com/g/p/-/commit/abc123"}]
-		}`)
-
-		event, err := webhook.ParsePushPayload(webhook.SourceGitLab, payload)
-		require.NoError(t, err)
-		assert.Equal(t, webhook.UnparsedURL("https://gitlab.com/g/p/-/commit/abc123"), event.CommitURL)
-	})
-
-	t.Run("constructs URL from project web URL", func(t *testing.T) {
-		t.Parallel()
-
-		payload := []byte(`{
-			"ref": "refs/heads/main",
-			"after": "abc123",
-			"project": {"web_url": "https://gitlab.com/g/p"}
-		}`)
-
-		event, err := webhook.ParsePushPayload(webhook.SourceGitLab, payload)
-		require.NoError(t, err)
-		assert.Equal(t, webhook.UnparsedURL("https://gitlab.com/g/p/-/commit/abc123"), event.CommitURL)
-	})
-}
-
-// TestGiteaPushPayloadParsing tests direct deserialization of the Gitea payload struct.
 func TestGiteaPushPayloadParsing(testingT *testing.T) {
 	testingT.Parallel()

@@ -588,354 +322,6 @@ func TestGiteaPushPayloadParsing(testingT *testing.T) {
 	})
 }

-// TestGitHubPushPayloadParsing tests direct deserialization of the GitHub payload struct.
-func TestGitHubPushPayloadParsing(t *testing.T) {
-	t.Parallel()
-
-	payload := []byte(`{
-		"ref": "refs/heads/main",
-		"before": "0000000000",
-		"after": "abc123",
-		"compare": "https://github.com/o/r/compare/000...abc",
-		"repository": {
-			"full_name": "o/r",
-			"clone_url": "https://github.com/o/r.git",
-			"ssh_url": "git@github.com:o/r.git",
-			"html_url": "https://github.com/o/r"
-		},
-		"pusher": {"name": "octocat", "email": "octocat@github.com"},
-		"head_commit": {
-			"id": "abc123",
-			"url": "https://github.com/o/r/commit/abc123",
-			"message": "Update README"
-		},
-		"commits": [
-			{
-				"id": "abc123",
-				"url": "https://github.com/o/r/commit/abc123",
-				"message": "Update README",
-				"author": {"name": "Octocat", "email": "octocat@github.com"}
-			}
-		]
-	}`)
-
-	var p webhook.GitHubPushPayload
-
-	err := json.Unmarshal(payload, &p)
-	require.NoError(t, err)
-
-	assert.Equal(t, "refs/heads/main", p.Ref)
-	assert.Equal(t, "abc123", p.After)
-	assert.Equal(t, "o/r", p.Repository.FullName)
-	assert.Equal(t, "octocat", p.Pusher.Name)
-	assert.NotNil(t, p.HeadCommit)
-	assert.Equal(t, "abc123", p.HeadCommit.ID)
-	assert.Len(t, p.Commits, 1)
-}
-
-// TestGitLabPushPayloadParsing tests direct deserialization of the GitLab payload struct.
-func TestGitLabPushPayloadParsing(t *testing.T) {
-	t.Parallel()
-
-	payload := []byte(`{
-		"ref": "refs/heads/main",
-		"before": "0000000000",
-		"after": "abc123",
-		"user_name": "gitlab-user",
-		"user_email": "user@gitlab.com",
-		"project": {
-			"path_with_namespace": "group/project",
-			"git_http_url": "https://gitlab.com/group/project.git",
-			"git_ssh_url": "git@gitlab.com:group/project.git",
-			"web_url": "https://gitlab.com/group/project"
-		},
-		"commits": [
-			{
-				"id": "abc123",
-				"url": "https://gitlab.com/group/project/-/commit/abc123",
-				"message": "Fix pipeline",
-				"author": {"name": "GitLab User", "email": "user@gitlab.com"}
-			}
-		]
-	}`)
-
-	var p webhook.GitLabPushPayload
-
-	err := json.Unmarshal(payload, &p)
-	require.NoError(t, err)
-
-	assert.Equal(t, "refs/heads/main", p.Ref)
-	assert.Equal(t, "abc123", p.After)
-	assert.Equal(t, "group/project", p.Project.PathWithNamespace)
-	assert.Equal(t, "gitlab-user", p.UserName)
-	assert.Len(t, p.Commits, 1)
-}
-
-// TestExtractBranch tests branch extraction via HandleWebhook integration (extractBranch is unexported).
-//
-//nolint:funlen // table-driven test with comprehensive test cases
-func TestExtractBranch(testingT *testing.T) {
-	testingT.Parallel()
-
-	tests := []struct {
-		name     string
-		ref      string
-		expected string
-	}{
-		{
-			name:     "extracts main branch",
-			ref:      "refs/heads/main",
-			expected: "main",
-		},
-		{
-			name:     "extracts feature branch",
-			ref:      "refs/heads/feature/new-feature",
-			expected: "feature/new-feature",
-		},
-		{
-			name:     "extracts develop branch",
-			ref:      "refs/heads/develop",
-			expected: "develop",
-		},
-		{
-			name:     "returns raw ref if no prefix",
-			ref:      "main",
-			expected: "main",
-		},
-		{
-			name:     "handles empty ref",
-			ref:      "",
-			expected: "",
-		},
-		{
-			name:     "handles partial prefix",
-			ref:      "refs/heads/",
-			expected: "",
-		},
-	}
-
-	for _, testCase := range tests {
-		testingT.Run(testCase.name, func(t *testing.T) {
-			t.Parallel()
-
-			// We test via HandleWebhook since extractBranch is not exported.
-			// The test verifies behavior indirectly through the webhook event's branch.
-			svc, dbInst, cleanup := setupTestService(t)
-			defer cleanup()
-
-			app := createTestApp(t, dbInst, testCase.expected)
-
-			payload := []byte(`{"ref": "` + testCase.ref + `"}`)
-
-			err := svc.HandleWebhook(
-				context.Background(), app, webhook.SourceGitea, "push", payload,
-			)
-			require.NoError(t, err)
-
-			// Allow async deployment goroutine to complete before test cleanup
-			time.Sleep(100 * time.Millisecond)
-
-			events, err := app.GetWebhookEvents(context.Background(), 10)
-			require.NoError(t, err)
-			require.Len(t, events, 1)
-
-			assert.Equal(t, testCase.expected, events[0].Branch)
-		})
-	}
-}
-
-func TestHandleWebhookMatchingBranch(t *testing.T) {
-	t.Parallel()
-
-	svc, dbInst, cleanup := setupTestService(t)
-	defer cleanup()
-
-	app := createTestApp(t, dbInst, "main")
-
-	payload := []byte(`{
-		"ref": "refs/heads/main",
-		"before": "0000000000000000000000000000000000000000",
-		"after": "abc123def456",
-		"repository": {
-			"full_name": "user/repo",
-			"clone_url": "https://gitea.example.com/user/repo.git",
-			"ssh_url": "git@gitea.example.com:user/repo.git"
-		},
-		"pusher": {"username": "testuser", "email": "test@example.com"},
-		"commits": [{"id": "abc123def456", "message": "Test commit",
-			"author": {"name": "Test User", "email": "test@example.com"}}]
-	}`)
-
-	err := svc.HandleWebhook(
-		context.Background(), app, webhook.SourceGitea, "push", payload,
-	)
-	require.NoError(t, err)
-
-	// Allow async deployment goroutine to complete before test cleanup
-	time.Sleep(100 * time.Millisecond)
-
-	events, err := app.GetWebhookEvents(context.Background(), 10)
-	require.NoError(t, err)
-	require.Len(t, events, 1)
-
-	event := events[0]
-	assert.Equal(t, "push", event.EventType)
-	assert.Equal(t, "main", event.Branch)
-	assert.True(t, event.Matched)
-	assert.Equal(t, "abc123def456", event.CommitSHA.String)
-}
-
-func TestHandleWebhookNonMatchingBranch(t *testing.T) {
-	t.Parallel()
-
-	svc, dbInst, cleanup := setupTestService(t)
-	defer cleanup()
-
-	app := createTestApp(t, dbInst, "main")
-
-	payload := []byte(`{"ref": "refs/heads/develop", "after": "def789ghi012"}`)
-
-	err := svc.HandleWebhook(
-		context.Background(), app, webhook.SourceGitea, "push", payload,
-	)
-	require.NoError(t, err)
-
-	events, err := app.GetWebhookEvents(context.Background(), 10)
-	require.NoError(t, err)
-	require.Len(t, events, 1)
-
-	assert.Equal(t, "develop", events[0].Branch)
-	assert.False(t, events[0].Matched)
-}
-
-func TestHandleWebhookInvalidJSON(t *testing.T) {
-	t.Parallel()
-
-	svc, dbInst, cleanup := setupTestService(t)
-	defer cleanup()
-
-	app := createTestApp(t, dbInst, "main")
-
-	err := svc.HandleWebhook(
-		context.Background(), app, webhook.SourceGitea, "push", []byte(`{invalid json}`),
-	)
-	require.NoError(t, err)
-
-	events, err := app.GetWebhookEvents(context.Background(), 10)
-	require.NoError(t, err)
-	require.Len(t, events, 1)
-}
-
-func TestHandleWebhookEmptyPayload(t *testing.T) {
-	t.Parallel()
-
-	svc, dbInst, cleanup := setupTestService(t)
-	defer cleanup()
-
-	app := createTestApp(t, dbInst, "main")
-
-	err := svc.HandleWebhook(
-		context.Background(), app, webhook.SourceGitea, "push", []byte(`{}`),
-	)
-	require.NoError(t, err)
-
-	events, err := app.GetWebhookEvents(context.Background(), 10)
-	require.NoError(t, err)
-	require.Len(t, events, 1)
-	assert.False(t, events[0].Matched)
-}
-
-// TestHandleWebhookGitHubSource tests HandleWebhook with a GitHub push payload.
-func TestHandleWebhookGitHubSource(t *testing.T) {
-	t.Parallel()
-
-	svc, dbInst, cleanup := setupTestService(t)
-	defer cleanup()
-
-	app := createTestApp(t, dbInst, "main")
-
-	payload := []byte(`{
-		"ref": "refs/heads/main",
-		"after": "github123",
-		"repository": {
-			"full_name": "org/repo",
-			"clone_url": "https://github.com/org/repo.git",
-			"html_url": "https://github.com/org/repo"
-		},
-		"pusher": {"name": "octocat", "email": "octocat@github.com"},
-		"head_commit": {
-			"id": "github123",
-			"url": "https://github.com/org/repo/commit/github123",
-			"message": "Update feature"
-		}
-	}`)
-
-	err := svc.HandleWebhook(
-		context.Background(), app, webhook.SourceGitHub, "push", payload,
-	)
-	require.NoError(t, err)
-
-	// Allow async deployment goroutine to complete before test cleanup
-	time.Sleep(100 * time.Millisecond)
-
-	events, err := app.GetWebhookEvents(context.Background(), 10)
-	require.NoError(t, err)
-	require.Len(t, events, 1)
-
-	event := events[0]
-	assert.Equal(t, "main", event.Branch)
-	assert.True(t, event.Matched)
-	assert.Equal(t, "github123", event.CommitSHA.String)
-	assert.Equal(t, "https://github.com/org/repo/commit/github123", event.CommitURL.String)
-}
-
-// TestHandleWebhookGitLabSource tests HandleWebhook with a GitLab push payload.
-func TestHandleWebhookGitLabSource(t *testing.T) {
-	t.Parallel()
-
-	svc, dbInst, cleanup := setupTestService(t)
-	defer cleanup()
-
-	app := createTestApp(t, dbInst, "main")
-
-	payload := []byte(`{
-		"ref": "refs/heads/main",
-		"after": "gitlab456",
-		"user_name": "gitlab-dev",
-		"user_email": "dev@gitlab.com",
-		"project": {
-			"path_with_namespace": "group/project",
-			"git_http_url": "https://gitlab.com/group/project.git",
-			"web_url": "https://gitlab.com/group/project"
-		},
-		"commits": [
-			{
-				"id": "gitlab456",
-				"url": "https://gitlab.com/group/project/-/commit/gitlab456",
-				"message": "Deploy fix"
-			}
-		]
-	}`)
-
-	err := svc.HandleWebhook(
-		context.Background(), app, webhook.SourceGitLab, "push", payload,
-	)
-	require.NoError(t, err)
-
-	// Allow async deployment goroutine to complete before test cleanup
-	time.Sleep(100 * time.Millisecond)
-
-	events, err := app.GetWebhookEvents(context.Background(), 10)
-	require.NoError(t, err)
-	require.Len(t, events, 1)
-
-	event := events[0]
-	assert.Equal(t, "main", event.Branch)
-	assert.True(t, event.Matched)
-	assert.Equal(t, "gitlab456", event.CommitSHA.String)
-	assert.Equal(t, "https://gitlab.com/group/project/-/commit/gitlab456", event.CommitURL.String)
-}
-
 // TestSetupTestService verifies the test helper creates a working test service.
 func TestSetupTestService(testingT *testing.T) {
 	testingT.Parallel()
@@ -955,25 +341,3 @@ func TestSetupTestService(testingT *testing.T) {
 		require.NoError(t, err)
 	})
 }
-
-// TestPushEventConstruction tests that PushEvent can be constructed directly.
-func TestPushEventConstruction(t *testing.T) {
-	t.Parallel()
-
-	event := webhook.PushEvent{
-		Source:    webhook.SourceGitHub,
-		Ref:       "refs/heads/main",
-		Before:    "000",
-		After:     "abc",
-		Branch:    "main",
-		RepoName:  "org/repo",
-		CloneURL:  webhook.UnparsedURL("https://github.com/org/repo.git"),
-		HTMLURL:   webhook.UnparsedURL("https://github.com/org/repo"),
-		CommitURL: webhook.UnparsedURL("https://github.com/org/repo/commit/abc"),
-		Pusher:    "user",
-	}
-
-	assert.Equal(t, "main", event.Branch)
-	assert.Equal(t, webhook.SourceGitHub, event.Source)
-	assert.Equal(t, "abc", event.After)
-}
--- a/templates/app_edit.html
+++ b/templates/app_edit.html
@@ -114,36 +114,17 @@
                >
            </div>

-            <hr class="border-gray-200">
-
-            <h3 class="text-lg font-medium text-gray-900">Resource Limits</h3>
-
-            <div class="grid grid-cols-2 gap-4">
            <div class="form-group">
-                    <label for="cpu_limit" class="label">CPU Limit (cores)</label>
+                <label for="healthcheck_command" class="label">Health Check Command</label>
                <input
                    type="text"
-                        id="cpu_limit"
-                        name="cpu_limit"
-                        value="{{if .App.CPULimit.Valid}}{{.App.CPULimit.Float64}}{{end}}"
-                        class="input"
-                        placeholder="e.g. 0.5, 1, 2"
+                    id="healthcheck_command"
+                    name="healthcheck_command"
+                    value="{{if .App.HealthcheckCommand.Valid}}{{.App.HealthcheckCommand.String}}{{end}}"
+                    class="input font-mono"
+                    placeholder="curl -f http://localhost:8080/healthz || exit 1"
                >
-                    <p class="text-sm text-gray-500 mt-1">Number of CPU cores (e.g. 0.5 = half a core)</p>
-                </div>
-
-                <div class="form-group">
-                    <label for="memory_limit" class="label">Memory Limit</label>
-                    <input
-                        type="text"
-                        id="memory_limit"
-                        name="memory_limit"
-                        value="{{if .App.MemoryLimit.Valid}}{{formatMemoryBytes .App.MemoryLimit.Int64}}{{end}}"
-                        class="input"
-                        placeholder="e.g. 256m, 1g"
-                    >
-                    <p class="text-sm text-gray-500 mt-1">Memory with unit suffix (k, m, g) or plain bytes</p>
-                </div>
+                <p class="text-sm text-gray-500 mt-1">Custom shell command to check container health. Leave empty to use the image's default health check.</p>
            </div>

            <div class="flex justify-end gap-3 pt-4">
--- a/templates/app_new.html
+++ b/templates/app_new.html
@@ -117,6 +117,19 @@
                >
            </div>

+            <div class="form-group">
+                <label for="healthcheck_command" class="label">Health Check Command</label>
+                <input
+                    type="text"
+                    id="healthcheck_command"
+                    name="healthcheck_command"
+                    value="{{.HealthcheckCommand}}"
+                    class="input font-mono"
+                    placeholder="curl -f http://localhost:8080/healthz || exit 1"
+                >
+                <p class="text-sm text-gray-500 mt-1">Custom shell command to check container health. Leave empty to use the image's default health check.</p>
+            </div>
+
            <div class="flex justify-end gap-3 pt-4">
                <a href="/" class="btn-secondary">Cancel</a>
                <button type="submit" class="btn-primary">Create App</button>
--- a/templates/templates.go
+++ b/templates/templates.go
@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"html/template"
 	"io"
-	"strconv"
 	"sync"
 )

@@ -24,34 +23,6 @@ var (
 	templatesMutex sync.RWMutex
 )

-// templateFuncs returns the custom template function map.
-func templateFuncs() template.FuncMap {
-	return template.FuncMap{
-		"formatMemoryBytes": formatMemoryBytes,
-	}
-}
-
-// Memory unit constants.
-const (
-	memGigabyte = 1024 * 1024 * 1024
-	memMegabyte = 1024 * 1024
-	memKilobyte = 1024
-)
-
-// formatMemoryBytes formats bytes into a human-readable string with unit suffix.
-func formatMemoryBytes(bytes int64) string {
-	switch {
-	case bytes >= memGigabyte && bytes%memGigabyte == 0:
-		return strconv.FormatInt(bytes/memGigabyte, 10) + "g"
-	case bytes >= memMegabyte && bytes%memMegabyte == 0:
-		return strconv.FormatInt(bytes/memMegabyte, 10) + "m"
-	case bytes >= memKilobyte && bytes%memKilobyte == 0:
-		return strconv.FormatInt(bytes/memKilobyte, 10) + "k"
-	default:
-		return strconv.FormatInt(bytes, 10)
-	}
-}
-
 // initTemplates parses base template and creates cloned templates for each page.
 func initTemplates() {
 	templatesMutex.Lock()
@@ -61,10 +32,8 @@ func initTemplates() {
 		return
 	}

-	// Parse base template with shared components and custom functions
-	baseTemplate = template.Must(
-		template.New("base.html").Funcs(templateFuncs()).ParseFS(templatesRaw, "base.html"),
-	)
+	// Parse base template with shared components
+	baseTemplate = template.Must(template.ParseFS(templatesRaw, "base.html"))

 	// Pages that extend base
 	pages := []string{
--- a/templates/templates_test.go
+++ b/templates/templates_test.go
@@ -1,34 +0,0 @@
-package templates //nolint:testpackage // tests unexported formatMemoryBytes
-
-import (
-	"testing"
-)
-
-func TestFormatMemoryBytes(t *testing.T) {
-	t.Parallel()
-
-	tests := []struct {
-		name     string
-		bytes    int64
-		expected string
-	}{
-		{"gigabytes", 1024 * 1024 * 1024, "1g"},
-		{"two gigabytes", 2 * 1024 * 1024 * 1024, "2g"},
-		{"megabytes", 256 * 1024 * 1024, "256m"},
-		{"kilobytes", 512 * 1024, "512k"},
-		{"plain bytes", 12345, "12345"},
-		{"non-even megabytes", 256*1024*1024 + 1, "268435457"},
-		{"zero", 0, "0"},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-
-			got := formatMemoryBytes(tt.bytes)
-			if got != tt.expected {
-				t.Errorf("formatMemoryBytes(%d) = %q, want %q", tt.bytes, got, tt.expected)
-			}
-		})
-	}
-}