Merge pull request 'feat: webhooker 1.0 MVP — entity rename, core engine, delivery, management UI' (#16) from feature/mvp-1.0 into main

Reviewed-on: #16
2026-03-04 01:19:41 +01:00
parent b5cf4c3d2f 8e00e40008
commit 687655ed49
56 changed files with 4838 additions and 2902 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -29,9 +29,9 @@ Thumbs.db
 # Environment and config files
 .env
 .env.local
 config.yaml
-# Database files
+# Data directory (SQLite databases)
 data/
 *.db
 *.sqlite
 *.sqlite3
--- a/7
+++ b/7
@@ -34,7 +34,6 @@ RUN set -eux; \
 # Copy go module files and download dependencies
 COPY go.mod go.sum ./
 COPY pkg/config/go.mod pkg/config/go.sum ./pkg/config/
 RUN go mod download
 # Copy source code
@@ -57,7 +56,11 @@ WORKDIR /app
 # Copy binary from builder
 COPY --from=builder /build/bin/webhooker .
-RUN chown -R webhooker:webhooker /app
+# Create data directory for all SQLite databases (main app DB +
 # per-webhook event DBs). DATA_DIR defaults to /data in production.
 RUN mkdir -p /data
 RUN chown -R webhooker:webhooker /app /data
 USER webhooker
--- a/21
+++ b/21
@@ -0,0 +1,21 @@
 MIT License
 Copyright (c) 2026 Jeffrey Paul <sneak@sneak.berlin>
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
--- a/README.md
+++ b/README.md
@@ -50,30 +50,28 @@ make hooks      # Install git pre-commit hook that runs make check
 ### Configuration
-webhooker uses a YAML configuration file with environment-specific
+All configuration is via environment variables. For local development,
-overrides, loaded via the `pkg/config` library (Viper-based). The
+you can place variables in a `.env` file in the project root (loaded
-environment is selected by setting `WEBHOOKER_ENVIRONMENT` to `dev` or
+automatically via `godotenv/autoload`).
 `prod` (default: `dev`).
-Configuration is resolved in this order (highest priority first):
+The environment is selected by setting `WEBHOOKER_ENVIRONMENT` to `dev`
-
+or `prod` (default: `dev`).
 1. Environment variables
 2. `.env` file (loaded via `godotenv/autoload`)
 3. Config file values for the active environment
 4. Config file defaults
 | Variable                | Description                         | Default  |
 | ----------------------- | ----------------------------------- | -------- |
 | `WEBHOOKER_ENVIRONMENT` | `dev` or `prod`                     | `dev`    |
 | `PORT`                  | HTTP listen port                    | `8080`   |
-| `DBURL`                 | SQLite database connection string   | *(required)* |
+| `DATA_DIR`              | Directory for all SQLite databases  | `./data` (dev) / `/data` (prod) |
 | `SESSION_KEY`           | Base64-encoded 32-byte session key  | *(required in prod)* |
 | `DEBUG`                 | Enable debug logging                | `false`  |
 | `METRICS_USERNAME`      | Basic auth username for `/metrics`  | `""`     |
 | `METRICS_PASSWORD`      | Basic auth password for `/metrics`  | `""`     |
 | `SENTRY_DSN`            | Sentry error reporting DSN          | `""`     |
-On first startup in development mode, webhooker creates an `admin` user
+On first startup, webhooker automatically generates a cryptographically
 secure session encryption key and stores it in the database. This key
 persists across restarts — no manual key management is needed.
 On first startup, webhooker creates an `admin` user
 with a randomly generated password and logs it to stdout. This password
 is only displayed once.
@@ -83,15 +81,16 @@ is only displayed once.
 docker run -d \
  -p 8080:8080 \
  -v /path/to/data:/data \
  -e DBURL="file:/data/webhooker.db?cache=shared&mode=rwc" \
  -e SESSION_KEY="<base64-encoded-32-byte-key>" \
  -e WEBHOOKER_ENVIRONMENT=prod \
  webhooker:latest
 ```
 The container runs as a non-root user (`webhooker`, UID 1000), exposes
 port 8080, and includes a health check against
-`/.well-known/healthcheck`.
+`/.well-known/healthcheck`. The `/data` volume holds all SQLite
 databases: the main application database (`webhooker.db`) and the
 per-webhook event databases (`events-{uuid}.db`). Mount this as a
 persistent volume to preserve data across container restarts.
 ## Rationale
@@ -164,19 +163,14 @@ It uses:
 ### Naming Conventions
-This README uses the target naming scheme for the application's core
+The codebase uses consistent naming throughout (rename completed in
 entities. The current codebase uses older names that will be updated in
 a future refactor (see
 [issue #12](https://git.eeqj.de/sneak/webhooker/issues/12)):
-| README (target name) | Current code name | Description |
+| Entity           | Description |
-| --------------------- | ----------------- | ----------- |
+| ---------------- | ----------- |
-| **Webhook**           | `Processor`       | Top-level configuration entity grouping entrypoints and targets |
+| **Webhook**      | Top-level configuration entity grouping entrypoints and targets |
-| **Entrypoint**        | `Webhook`         | A receiver URL where external services POST events |
+| **Entrypoint**   | A receiver URL where external services POST events |
-| **Target**            | `Target`          | A delivery destination for events |
+| **Target**       | A delivery destination for events |
 Throughout this document, the target names are used. The code rename is
 tracked separately.
 ### Data Model
@@ -196,11 +190,15 @@ tier** (event ingestion, delivery, and logging).
 │  │          │       └──────────┘       └──────────────┘     │
 │  │          │──1:N──│  APIKey  │                             │
 │  └──────────┘       └──────────┘                             │
 │                                                             │
 │  ┌──────────┐                                               │
 │  │ Setting  │  (key-value application config)               │
 │  └──────────┘                                               │
 └─────────────────────────────────────────────────────────────┘
 ┌─────────────────────────────────────────────────────────────┐
 │                      EVENT TIER                              │
-│        (planned: per-webhook dedicated database)            │
+│            (per-webhook dedicated databases)                 │
 │                                                             │
 │  ┌──────────┐       ┌──────────┐       ┌─────────────────┐  │
 │  │  Event   │──1:N──│ Delivery │──1:N──│ DeliveryResult  │  │
@@ -208,6 +206,22 @@ tier** (event ingestion, delivery, and logging).
 └─────────────────────────────────────────────────────────────┘
 ```
 #### Setting
 A key-value pair for application-level configuration that is
 auto-managed rather than user-provided. Used to store the session
 encryption key and any future auto-generated settings.
 | Field   | Type   | Description |
 | ------- | ------ | ----------- |
 | `key`   | string | Primary key (setting name) |
 | `value` | text   | Setting value |
 Currently stored settings:
 - **`session_key`** — Base64-encoded 32-byte session encryption key,
  auto-generated on first startup.
 #### User
 A registered user of the webhooker service.
@@ -227,10 +241,10 @@ password logged to stdout.
 #### Webhook
-The top-level configuration entity (currently called "Processor" in
+The top-level configuration entity. A webhook groups together one or
-code). A webhook groups together one or more entrypoints (receiver URLs)
+more entrypoints (receiver URLs) and one or more targets (delivery
-and one or more targets (delivery destinations) into a logical unit. A
+destinations) into a logical unit. A user creates a webhook to set up
-user creates a webhook to set up event routing.
+event routing.
 | Field            | Type    | Description |
 | ---------------- | ------- | ----------- |
@@ -247,15 +261,15 @@ webhook's dedicated database before automatic cleanup.
 #### Entrypoint
-A receiver URL where external services POST webhook events (currently
+A receiver URL where external services POST webhook events. Each
-called "Webhook" in code). Each entrypoint has a unique UUID-based path.
+entrypoint has a unique UUID-based path.
 When an HTTP request arrives at an entrypoint's path, webhooker captures
 the full request and creates an Event.
 | Field          | Type    | Description |
 | -------------- | ------- | ----------- |
 | `id`           | UUID    | Primary key |
-| `processor_id` | UUID    | Foreign key → Webhook |
+| `webhook_id`   | UUID    | Foreign key → Webhook |
 | `path`         | string  | Unique URL path (UUID-based, e.g. `/webhook/{uuid}`) |
 | `description`  | string  | Optional description |
 | `active`       | boolean | Whether this entrypoint accepts events (default: true) |
@@ -275,24 +289,29 @@ events should be forwarded.
 | Field            | Type       | Description |
 | ---------------- | ---------- | ----------- |
 | `id`             | UUID       | Primary key |
-| `processor_id`   | UUID       | Foreign key → Webhook |
+| `webhook_id`     | UUID       | Foreign key → Webhook |
 | `name`           | string     | Human-readable name |
-| `type`           | TargetType | One of: `http`, `retry`, `database`, `log` |
+| `type`           | TargetType | One of: `http`, `database`, `log` |
 | `active`         | boolean    | Whether deliveries are enabled (default: true) |
 | `config`         | JSON text  | Type-specific configuration |
-| `max_retries`    | integer    | Maximum retry attempts (for retry targets) |
+| `max_retries`    | integer    | Maximum retry attempts for HTTP targets (0 = fire-and-forget, >0 = retries with backoff) |
-| `max_queue_size` | integer    | Maximum queued deliveries (for retry targets) |
+| `max_queue_size` | integer    | Maximum queued deliveries (for HTTP targets with retries) |
 **Relations:** Belongs to Webhook. Has many Deliveries.
 **Target types:**
 - **`http`** — Forward the event as an HTTP POST to a configured URL.
-  Fire-and-forget: a single attempt with no retries.
+  Behavior depends on `max_retries`: when `max_retries` is 0 (the
- **`retry`** — Forward the event via HTTP POST with automatic retry on
+  default), the target operates in fire-and-forget mode — a single
-  failure. Uses exponential backoff up to `max_retries` attempts.
+  attempt with no retries and no circuit breaker. When `max_retries` is
- **`database`** — Store the event in the webhook's database only (no
+  greater than 0, failed deliveries are retried with exponential backoff
-  external delivery). Useful for pure logging/archival.
+  up to `max_retries` attempts, protected by a per-target circuit
  breaker.
 - **`database`** — Confirm the event is stored in the webhook's
  per-webhook database (no external delivery). Since events are always
  written to the per-webhook DB on ingestion, this target marks delivery
  as immediately successful. Useful for ensuring durable event archival.
 - **`log`** — Write the event to the application log (stdout). Useful
  for debugging.
@@ -320,9 +339,9 @@ data for replay and auditing.
 | Field          | Type   | Description |
 | -------------- | ------ | ----------- |
-| `id`           | UUID   | Primary key |
+| `id`             | UUID   | Primary key |
-| `processor_id` | UUID   | Foreign key → Webhook |
+| `webhook_id`     | UUID   | Foreign key → Webhook |
-| `webhook_id`   | UUID   | Foreign key → Entrypoint |
+| `entrypoint_id`  | UUID   | Foreign key → Entrypoint |
 | `method`       | string | HTTP method (POST, PUT, etc.) |
 | `headers`      | JSON   | Complete request headers |
 | `body`         | text   | Raw request body |
@@ -389,36 +408,39 @@ All entities include these fields from `BaseModel`:
 ### Database Architecture
-#### Current Implementation
+#### Per-Webhook Event Databases
-webhooker currently uses a **single SQLite database** for all data —
+webhooker uses **separate SQLite database files**: a main application
-application configuration, user accounts, and (once implemented) event
+database for configuration data and per-webhook databases for event
-storage. The database connection is managed by GORM with a single
+storage. All database files live in the `DATA_DIR` directory.
 connection string configured via `DBURL`. On first startup the database
 is auto-migrated and an `admin` user is created.
-#### Planned: Per-Webhook Event Databases (Phase 2)
+**Main Application Database** (`{DATA_DIR}/webhooker.db`) — stores
-
+configuration and application state:
 In a future phase (see TODO Phase 2 below), webhooker will split into
 **separate SQLite database files**: a main application database for
 configuration data and per-webhook databases for event storage.
 **Main Application Database** — will store:
 - **Settings** — auto-managed key-value config (e.g. session encryption
  key)
 - **Users** — accounts and Argon2id password hashes
- **Webhooks** (Processors) — webhook configurations
+- **Webhooks** — webhook configurations
- **Entrypoints** (Webhooks) — receiver URL definitions
+- **Entrypoints** — receiver URL definitions
 - **Targets** — delivery destination configurations
 - **APIKeys** — programmatic access credentials
-**Per-Webhook Event Databases** — each webhook will get its own
+On first startup the main database is auto-migrated, a session
-dedicated SQLite file containing:
+encryption key is generated and stored, and an `admin` user is created.
 **Per-Webhook Event Databases** (`{DATA_DIR}/events-{webhook_uuid}.db`)
 — each webhook gets its own dedicated SQLite file containing:
 - **Events** — captured incoming webhook payloads
 - **Deliveries** — event-to-target pairings and their status
 - **DeliveryResults** — individual delivery attempt logs
-This planned separation will provide:
+Per-webhook databases are created automatically when a webhook is
 created (and lazily on first access for webhooks that predate this
 feature). They are managed by the `WebhookDBManager` component, which
 handles connection pooling, lazy opening, migrations, and cleanup.
 This separation provides:
 - **Isolation** — a high-volume webhook won't cause lock contention or
  WAL bloat affecting the main application or other webhooks.
@@ -426,14 +448,21 @@ This planned separation will provide:
  backed up, archived, rotated, or size-limited without impacting the
  application.
 - **Clean deletion** — removing a webhook and all its history is as
-  simple as deleting one file.
+  simple as deleting one file. Configuration is soft-deleted in the main
  DB; the event database file is hard-deleted (permanently removed).
 - **Per-webhook retention** — the `retention_days` field on each webhook
-  will control automatic cleanup of old events in that webhook's
+  controls automatic cleanup of old events in that webhook's database
-  database only.
+  only.
- **Performance** — each webhook's database will have its own WAL, its
+- **Performance** — each webhook's database has its own WAL, its own
-  own page cache, and its own lock, so concurrent event ingestion across
+  page cache, and its own lock, so concurrent event ingestion across
  webhooks won't contend.
 The **database target type** leverages this architecture: since events
 are already stored in the per-webhook database by design, the database
 target simply marks the delivery as immediately successful. The
 per-webhook DB IS the dedicated event database — that's the whole point
 of the database target type.
 The database uses the
 [modernc.org/sqlite](https://pkg.go.dev/modernc.org/sqlite) driver at
 runtime, though CGO is required at build time due to the transitive
@@ -453,22 +482,133 @@ External Service
                                                │
                     1. Look up Entrypoint by UUID
                     2. Capture full request as Event
-                     3. Queue Delivery to each active Target
+                     3. Create Delivery records for each active Target
                     4. Build self-contained DeliveryTask structs
                        (target config + event data inline for ≤16KB)
                     5. Notify Engine via channel (no DB read needed)
                                                │
                                                ▼
                                        ┌──────────────┐
-                                        │  Delivery    │
+                                        │  Delivery    │◄── retry timers
-                                        │  Engine      │
+                                        │  Engine      │    (backoff)
                                        │  (worker     │
                                        │   pool)      │
                                        └──────┬───────┘
                                               │
-                          ┌────────────────────┼────────────────────┐
+                              ┌── bounded worker pool (N workers) ──┐
-                          ▼                    ▼                    ▼
+                              ▼                ▼                    ▼
-                   ┌────────────┐       ┌────────────┐      ┌────────────┐
+                       ┌────────────┐   ┌────────────┐      ┌────────────┐
-                   │ HTTP Target│       │Retry Target│      │ Log Target │
+                       │ HTTP Target│   │ HTTP Target│      │ Log Target │
-                   │ (1 attempt)│       │ (backoff)  │      │ (stdout)   │
+                       │(max_retries│   │(max_retries│      │ (stdout)   │
-                   └────────────┘       └────────────┘      └────────────┘
+                       │   == 0)    │   │   > 0,     │      └────────────┘
                       │ fire+forget│   │ backoff +  │
                       └────────────┘   │ circuit    │
                                        │ breaker)   │
                                        └────────────┘
 ```
 ### Bounded Worker Pool
 The delivery engine uses a **fixed-size worker pool** (default: 10
 workers) to process all deliveries. At most N deliveries are in-flight
 at any time, preventing goroutine explosions regardless of queue depth.
 **Architecture:**
 - **Channels as queues:** Two buffered channels serve as bounded queues:
  a delivery channel (new tasks from the webhook handler) and a retry
  channel (tasks from backoff timers). Both are buffered to 10,000.
 - **Fan-out via channel, not goroutines:** When an event arrives with
  multiple targets, each `DeliveryTask` is sent to the delivery channel.
  Workers pick them up and process them — no goroutine-per-target.
 - **Worker goroutines:** A fixed number of worker goroutines select from
  both channels. Each worker processes one task at a time, then picks up
  the next. Workers are the ONLY goroutines doing actual HTTP delivery.
 - **Retry backpressure with DB fallback:** When a retry timer fires and
  the retry channel is full, the timer is dropped — the delivery stays
  in `retrying` status in the database. A periodic sweep (every 60s)
  scans for these "orphaned" retries and re-queues them. No blocked
  goroutines, no unbounded timer chains.
 - **Bounded concurrency:** At most N deliveries (N = number of workers)
  are in-flight simultaneously. Even if a circuit breaker is open for
  hours and thousands of retries queue up in the channels, the workers
  drain them at a controlled rate when the circuit closes.
 This means:
 - **No goroutine explosion** — even with 10,000 queued retries, only
  N worker goroutines exist.
 - **Natural backpressure** — if workers are busy, new tasks wait in the
  channel buffer rather than spawning more goroutines.
 - **Independent results** — each worker records its own delivery result
  in the per-webhook database without coordination.
 - **Graceful shutdown** — cancel the context, workers finish their
  current task and exit. `WaitGroup.Wait()` ensures clean shutdown.
 **Recovery paths:**
 1. **Startup recovery:** When the engine starts, it scans all per-webhook
   databases for `pending` and `retrying` deliveries. Pending deliveries
   are sent to the delivery channel; retrying deliveries get backoff
   timers scheduled.
 2. **Periodic retry sweep (DB-mediated fallback):** Every 60 seconds the
   engine scans for `retrying` deliveries whose backoff period has
   elapsed. This catches "orphaned" retries — ones whose in-memory timer
   was dropped because the retry channel was full. The database is the
   durable fallback that ensures no retry is permanently lost, even under
   extreme backpressure.
 ### Circuit Breaker (HTTP Targets with Retries)
 HTTP targets with `max_retries` > 0 are protected by a **per-target circuit breaker** that
 prevents hammering a down target with repeated failed delivery attempts.
 The circuit breaker is in-memory only and resets on restart (which is
 fine — startup recovery rescans the database anyway).
 **States:**
 | State       | Behavior |
 | ----------- | -------- |
 | **Closed**  | Normal operation. Deliveries flow through. Consecutive failures are counted. |
 | **Open**    | Target appears down. Deliveries are skipped and rescheduled for after the cooldown. |
 | **Half-Open** | Cooldown expired. One probe delivery is allowed to test if the target has recovered. |
 **Transitions:**
 ```
     success              ┌──────────┐
   ┌────────────────────► │  Closed  │ ◄─── probe succeeds
   │                      │ (normal) │
   │                      └────┬─────┘
   │                           │ N consecutive failures
   │                           ▼
   │                      ┌──────────┐
   │                      │   Open   │ ◄─── probe fails
   │                      │(tripped) │
   │                      └────┬─────┘
   │                           │ cooldown expires
   │                           ▼
   │                      ┌──────────┐
   └──────────────────────│Half-Open │
                          │ (probe)  │
                          └──────────┘
 ```
 **Defaults:**
 - **Failure threshold:** 5 consecutive failures before opening
 - **Cooldown:** 30 seconds in open state before probing
 **Scope:** Circuit breakers only apply to **HTTP targets with
 `max_retries` > 0**. Fire-and-forget HTTP targets (`max_retries` == 0),
 database targets (local operations), and log targets (stdout) do not use
 circuit breakers.
 When a circuit is open and a new delivery arrives, the engine marks the
 delivery as `retrying` and schedules a retry timer for after the
 remaining cooldown period. This ensures no deliveries are lost — they're
 just delayed until the target is healthy again.
 ### Rate Limiting
 Global rate limiting middleware (e.g., per-IP throttling applied at the
@@ -515,6 +655,8 @@ against a misbehaving sender).
 | `POST` | `/source/{id}/edit`      | Edit webhook submission |
 | `POST` | `/source/{id}/delete`    | Delete webhook |
 | `GET`  | `/source/{id}/logs`      | Webhook event logs |
 | `POST` | `/source/{id}/entrypoints` | Add entrypoint to webhook |
 | `POST` | `/source/{id}/targets`   | Add target to webhook |
 #### Infrastructure Endpoints
@@ -548,29 +690,34 @@ webhooker/
 │   └── main.go               # Entry point: sets globals, wires fx
 ├── internal/
 │   ├── config/
-│   │   └── config.go          # Configuration loading via pkg/config
+│   │   └── config.go          # Configuration loading from environment variables
 │   ├── database/
 │   │   ├── base_model.go      # BaseModel with UUID primary keys
 │   │   ├── database.go        # GORM connection, migrations, admin seed
-│   │   ├── models.go          # AutoMigrate for all models
+│   │   ├── models.go          # AutoMigrate for config-tier models
 │   │   ├── model_setting.go   # Setting entity (key-value app config)
 │   │   ├── model_user.go      # User entity
-│   │   ├── model_processor.go # Webhook entity (to be renamed)
+│   │   ├── model_webhook.go    # Webhook entity
-│   │   ├── model_webhook.go   # Entrypoint entity (to be renamed)
+│   │   ├── model_entrypoint.go # Entrypoint entity
 │   │   ├── model_target.go    # Target entity and TargetType enum
-│   │   ├── model_event.go     # Event entity
+│   │   ├── model_event.go     # Event entity (per-webhook DB)
-│   │   ├── model_delivery.go  # Delivery entity and DeliveryStatus enum
+│   │   ├── model_delivery.go  # Delivery entity (per-webhook DB)
-│   │   ├── model_delivery_result.go  # DeliveryResult entity
+│   │   ├── model_delivery_result.go  # DeliveryResult entity (per-webhook DB)
 │   │   ├── model_apikey.go    # APIKey entity
-│   │   └── password.go        # Argon2id hashing and verification
+│   │   ├── password.go        # Argon2id hashing and verification
 │   │   └── webhook_db_manager.go  # Per-webhook DB lifecycle manager
 │   ├── globals/
 │   │   └── globals.go         # Build-time variables (appname, version, arch)
 │   ├── delivery/
 │   │   ├── engine.go          # Event-driven delivery engine (channel + timer based)
 │   │   └── circuit_breaker.go # Per-target circuit breaker for HTTP targets with retries
 │   ├── handlers/
 │   │   ├── handlers.go        # Base handler struct, JSON helpers, template rendering
 │   │   ├── auth.go            # Login, logout handlers
 │   │   ├── healthcheck.go     # Health check handler
 │   │   ├── index.go           # Index page handler
 │   │   ├── profile.go         # User profile handler
-│   │   ├── source_management.go  # Webhook CRUD handlers (stubs)
+│   │   ├── source_management.go  # Webhook CRUD handlers
 │   │   └── webhook.go         # Webhook receiver handler
 │   ├── healthcheck/
 │   │   └── healthcheck.go     # Health check service (uptime, version)
@@ -584,14 +731,11 @@ webhooker/
 │   │   └── routes.go          # All route definitions
 │   └── session/
 │       └── session.go         # Cookie-based session management
 ├── pkg/config/                # Reusable multi-environment config library
 ├── static/
 │   ├── static.go              # //go:embed directive
 │   ├── css/style.css          # Custom stylesheet (system font stack, card effects, layout)
 │   └── js/app.js              # Client-side JavaScript (minimal bootstrap)
 ├── templates/                 # Go HTML templates (base, index, login, etc.)
 ├── configs/
 │   └── config.yaml.example    # Example configuration file
 ├── Dockerfile                 # Multi-stage: build + check, then Alpine runtime
 ├── Makefile                   # fmt, lint, test, check, build, docker targets
 ├── go.mod / go.sum
@@ -604,16 +748,26 @@ Components are wired via Uber fx in this order:
 1. `globals.New` — Build-time variables (appname, version, arch)
 2. `logger.New` — Structured logging (slog with TTY detection)
-3. `config.New` — Configuration loading (pkg/config + environment)
+3. `config.New` — Configuration loading (environment variables)
-4. `database.New` — SQLite connection, migrations, admin user seed
+4. `database.New` — Main SQLite connection, config migrations, admin
-5. `healthcheck.New` — Health check service
+   user seed
-6. `session.New` — Cookie-based session manager
+5. `database.NewWebhookDBManager` — Per-webhook event database
-7. `handlers.New` — HTTP handlers
+   lifecycle manager
-8. `middleware.New` — HTTP middleware
+6. `healthcheck.New` — Health check service
-9. `server.New` — HTTP server and router
+7. `session.New` — Cookie-based session manager (key from database)
 8. `handlers.New` — HTTP handlers
 9. `middleware.New` — HTTP middleware
 10. `delivery.New` — Event-driven delivery engine
 11. `delivery.Engine` → `handlers.DeliveryNotifier` — interface bridge
 12. `server.New` — HTTP server and router
-The server starts via `fx.Invoke(func(*server.Server) {})` which
+The server starts via `fx.Invoke(func(*server.Server, *delivery.Engine)
-triggers the fx lifecycle hooks in dependency order.
+{})` which triggers the fx lifecycle hooks in dependency order. The
 `DeliveryNotifier` interface allows the webhook handler to send
 self-contained `DeliveryTask` slices to the engine without a direct
 package dependency. Each task carries all target config and event data
 inline (for bodies ≤16KB), so the engine can deliver without reading
 from any database — it only writes to record results.
 ### Middleware Stack
@@ -643,7 +797,8 @@ Applied to all routes in this order:
 - Passwords hashed with Argon2id (64 MB memory cost)
 - Session cookies are HttpOnly, SameSite Lax, Secure (prod only)
- Session key must be a 32-byte base64-encoded value
+- Session key is a 32-byte value auto-generated on first startup and
  stored in the database
 - Prometheus metrics behind basic auth
 - Static assets embedded in binary (no filesystem access needed at
  runtime)
@@ -657,8 +812,9 @@ The Dockerfile uses a multi-stage build:
 1. **Builder stage** (Debian-based `golang:1.24`) — installs
   golangci-lint, downloads dependencies, copies source, runs `make
   check` (format verification, linting, tests, compilation).
-2. **Runtime stage** (`alpine:3.21`) — copies the binary, runs as
+2. **Runtime stage** (`alpine:3.21`) — copies the binary, creates the
-   non-root user, exposes port 8080, includes a health check.
+   `/data` directory for all SQLite databases, runs as non-root user,
   exposes port 8080, includes a health check.
 The builder uses Debian rather than Alpine because GORM's SQLite
 dialect pulls in CGO-dependent headers at compile time. The runtime
@@ -669,58 +825,73 @@ linted, tested, and compiled.
 ## TODO
-### Phase 1: Core Webhook Engine
+### Completed: Code Quality (Phase 1 of MVP)
- [ ] Implement webhook reception and event storage at `/webhook/{uuid}`
+- [x] Rename Processor → Webhook, Webhook → Entrypoint in code
- [ ] Build event processing and target delivery engine
+      ([#12](https://git.eeqj.de/sneak/webhooker/issues/12))
- [ ] Implement HTTP target type (fire-and-forget POST)
+- [x] Embed templates via `//go:embed`
- [ ] Implement retry target type (exponential backoff)
+      ([#7](https://git.eeqj.de/sneak/webhooker/issues/7))
- [ ] Implement database target type (store only)
+- [x] Use `slog.LevelVar` for dynamic log level switching
- [ ] Implement log target type (console output)
+      ([#8](https://git.eeqj.de/sneak/webhooker/issues/8))
 - [x] Simplify configuration to prefer environment variables
      ([#10](https://git.eeqj.de/sneak/webhooker/issues/10))
 - [x] Remove redundant `godotenv/autoload` import
      ([#11](https://git.eeqj.de/sneak/webhooker/issues/11))
 - [x] Implement authentication middleware for protected routes
      ([#9](https://git.eeqj.de/sneak/webhooker/issues/9))
 - [x] Replace Bootstrap with Tailwind CSS + Alpine.js
      ([#4](https://git.eeqj.de/sneak/webhooker/issues/4))
 ### Completed: Core Webhook Engine (Phase 2 of MVP)
 - [x] Implement webhook reception and event storage at `/webhook/{uuid}`
 - [x] Build event processing and target delivery engine
 - [x] Implement HTTP target type (fire-and-forget with max_retries=0,
      retries with exponential backoff when max_retries>0)
 - [x] Implement database target type (store events in per-webhook DB)
 - [x] Implement log target type (console output)
 - [x] Webhook management pages (list, create, edit, delete)
 - [x] Webhook request log viewer with pagination
 - [x] Entrypoint and target management UI
 ### Completed: Per-Webhook Event Databases
 - [x] Split into main application DB + per-webhook event DBs
 - [x] Per-webhook database lifecycle management (create on webhook
      creation, delete on webhook removal)
 - [x] `WebhookDBManager` component with lazy connection pooling
 - [x] Event-driven delivery engine (channel notifications + timer-based retries)
 - [x] Self-contained delivery tasks: in the ≤16KB happy path, the engine
      delivers without reading from any database — target config, event
      headers, and body are all carried inline in the channel notification.
      The engine only touches the DB to record results (success/failure).
      Large bodies (≥16KB) are fetched from the per-webhook DB on demand.
 - [x] Database target type marks delivery as immediately successful
      (events are already in the per-webhook DB)
 - [x] Parallel fan-out: all targets for an event are delivered via
      the bounded worker pool (no goroutine-per-target)
 - [x] Circuit breaker for HTTP targets with retries: tracks consecutive
      failures per target, opens after 5 failures (30s cooldown),
      half-open probe to test recovery
 ### Remaining: Core Features
 - [ ] Per-webhook rate limiting in the receiver handler
 - [ ] Webhook signature verification (GitHub, Stripe formats)
 ### Phase 2: Database Separation
 - [ ] Split into main application DB + per-webhook event DBs
 - [ ] Automatic event retention cleanup based on `retention_days`
 - [ ] Per-webhook database lifecycle management (create on webhook
      creation, delete on webhook removal)
 ### Phase 3: Security & Infrastructure
 - [ ] Implement authentication middleware for protected routes
      ([#9](https://git.eeqj.de/sneak/webhooker/issues/9))
 - [ ] Security headers (HSTS, CSP, X-Frame-Options)
 - [ ] CSRF protection for forms
 - [ ] Session expiration and "remember me"
 - [ ] Password change/reset flow
 - [ ] API key authentication for programmatic access
 ### Phase 4: Web UI
 - [ ] Webhook management pages (list, create, edit, delete)
 - [ ] Webhook request log viewer with filtering
 - [ ] Delivery status and retry management UI
 - [ ] Manual event redelivery
 - [ ] Analytics dashboard (success rates, response times)
- [ ] Replace Bootstrap with Tailwind CSS + Alpine.js
+- [ ] Delivery status and retry management UI
      ([#4](https://git.eeqj.de/sneak/webhooker/issues/4))
-### Phase 5: REST API
+### Remaining: Event Maintenance
 - [ ] Automatic event retention cleanup based on `retention_days`
 ### Remaining: REST API
 - [ ] RESTful CRUD for webhooks, entrypoints, targets
 - [ ] Event viewing and filtering endpoints
 - [ ] Event redelivery endpoint
 - [ ] OpenAPI specification
 ### Phase 6: Code Quality
 - [ ] Rename Processor → Webhook, Webhook → Entrypoint in code
      ([#12](https://git.eeqj.de/sneak/webhooker/issues/12))
 - [ ] Embed templates via `//go:embed`
      ([#7](https://git.eeqj.de/sneak/webhooker/issues/7))
 - [ ] Use `slog.LevelVar` for dynamic log level switching
      ([#8](https://git.eeqj.de/sneak/webhooker/issues/8))
 - [ ] Simplify configuration to prefer environment variables
      ([#10](https://git.eeqj.de/sneak/webhooker/issues/10))
 - [ ] Remove redundant `godotenv/autoload` import
      ([#11](https://git.eeqj.de/sneak/webhooker/issues/11))
 ### Future
 - [ ] Email delivery target type
 - [ ] SNS, S3, Slack delivery targets
--- a/cmd/webhooker/main.go
+++ b/cmd/webhooker/main.go
@@ -6,6 +6,7 @@ import (
 	"go.uber.org/fx"
 	"sneak.berlin/go/webhooker/internal/config"
 	"sneak.berlin/go/webhooker/internal/database"
 	"sneak.berlin/go/webhooker/internal/delivery"
 	"sneak.berlin/go/webhooker/internal/globals"
 	"sneak.berlin/go/webhooker/internal/handlers"
 	"sneak.berlin/go/webhooker/internal/healthcheck"
@@ -32,12 +33,17 @@ func main() {
 			logger.New,
 			config.New,
 			database.New,
 			database.NewWebhookDBManager,
 			healthcheck.New,
 			session.New,
 			handlers.New,
 			middleware.New,
 			delivery.New,
 			// Wire *delivery.Engine as delivery.Notifier so the
 			// webhook handler can notify the engine of new deliveries.
 			func(e *delivery.Engine) delivery.Notifier { return e },
 			server.New,
 		),
-		fx.Invoke(func(*server.Server) {}),
+		fx.Invoke(func(*server.Server, *delivery.Engine) {}),
 	).Run()
 }
--- a/configs/config.yaml.example
+++ b/configs/config.yaml.example
@@ -1,50 +0,0 @@
 environments:
  dev:
    config:
      port: 8080
      debug: true
      maintenanceMode: false
      developmentMode: true
      environment: dev
      # Database URL for local development
      dburl: postgres://webhooker:webhooker@localhost:5432/webhooker_dev?sslmode=disable
      # Basic auth for metrics endpoint in dev
      metricsUsername: admin
      metricsPassword: admin
      # Dev admin credentials for testing
      devAdminUsername: devadmin
      devAdminPassword: devpassword
    secrets:
      # Use default insecure session key for development
      sessionKey: d2ViaG9va2VyLWRldi1zZXNzaW9uLWtleS1pbnNlY3VyZSE=
      # Sentry DSN - usually not needed in dev
      sentryDSN: ""
  prod:
    config:
      port: $ENV:PORT
      debug: $ENV:DEBUG
      maintenanceMode: $ENV:MAINTENANCE_MODE
      developmentMode: false
      environment: prod
      dburl: $ENV:DBURL
      metricsUsername: $ENV:METRICS_USERNAME
      metricsPassword: $ENV:METRICS_PASSWORD
      # Dev admin credentials should not be set in production
      devAdminUsername: ""
      devAdminPassword: ""
    secrets:
      sessionKey: $ENV:SESSION_KEY
      sentryDSN: $ENV:SENTRY_DSN
 configDefaults:
  # These defaults apply to all environments unless overridden
  port: 8080
  debug: false
  maintenanceMode: false
  developmentMode: false
  environment: dev
  metricsUsername: ""
  metricsPassword: ""
  devAdminUsername: ""
  devAdminPassword: "" 
--- a/go.mod
+++ b/go.mod
@@ -14,35 +14,22 @@ require (
 	github.com/joho/godotenv v1.5.1
 	github.com/prometheus/client_golang v1.18.0
 	github.com/slok/go-http-metrics v0.11.0
 	github.com/spf13/afero v1.14.0
 	github.com/stretchr/testify v1.8.4
 	go.uber.org/fx v1.20.1
 	golang.org/x/crypto v0.38.0
 	gorm.io/driver/sqlite v1.5.4
 	gorm.io/gorm v1.25.5
 	modernc.org/sqlite v1.28.0
 	sneak.berlin/go/webhooker/pkg/config v0.0.0-00010101000000-000000000000
 )
 require (
 	cloud.google.com/go/compute v1.23.3 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 	cloud.google.com/go/iam v1.1.5 // indirect
 	cloud.google.com/go/secretmanager v1.11.4 // indirect
 	github.com/aws/aws-sdk-go v1.50.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
 	github.com/gorilla/securecookie v1.1.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
@@ -53,25 +40,15 @@ require (
 	github.com/prometheus/common v0.45.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/dig v1.17.0 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
 	go.uber.org/zap v1.23.0 // indirect
 	golang.org/x/mod v0.17.0 // indirect
 	golang.org/x/net v0.25.0 // indirect
 	golang.org/x/oauth2 v0.15.0 // indirect
 	golang.org/x/sync v0.14.0 // indirect
 	golang.org/x/sys v0.33.0 // indirect
 	golang.org/x/text v0.25.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 	google.golang.org/api v0.153.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f // indirect
 	google.golang.org/grpc v1.59.0 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/uint128 v1.2.0 // indirect
@@ -84,5 +61,3 @@ require (
 	modernc.org/strutil v1.1.3 // indirect
 	modernc.org/token v1.0.1 // indirect
 )
 replace sneak.berlin/go/webhooker/pkg/config => ./pkg/config
--- a/go.sum
+++ b/go.sum
@@ -1,28 +1,11 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.110.10 h1:LXy9GEO+timppncPIAZoOj3l58LIU9k+kn48AN7IO3Y=
 cloud.google.com/go v0.110.10/go.mod h1:v1OoFqYxiBkUrruItNM3eT4lLByNjxmJSV/xDKJNnic=
 cloud.google.com/go/compute v1.23.3 h1:6sVlXXBmbd7jNX0Ipq0trII3e4n1/MsADLK6a+aiVlk=
 cloud.google.com/go/compute v1.23.3/go.mod h1:VCgBUoMnIVIR0CscqQiPJLAG25E3ZRZMzcFZeQ+h8CI=
 cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
 cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
 cloud.google.com/go/iam v1.1.5 h1:1jTsCu4bcsNsE4iiqNT5SHwrDRCfRmIaaaVFhRveTJI=
 cloud.google.com/go/iam v1.1.5/go.mod h1:rB6P/Ic3mykPbFio+vo7403drjlgvoWfYpJhMXEbzv8=
 cloud.google.com/go/secretmanager v1.11.4 h1:krnX9qpG2kR2fJ+u+uNyNo+ACVhplIAS4Pu7u+4gd+k=
 cloud.google.com/go/secretmanager v1.11.4/go.mod h1:wreJlbS9Zdq21lMzWmJ0XhWW2ZxgPeahsqeV/vZoJ3w=
 github.com/99designs/basicauth-go v0.0.0-20230316000542-bf6f9cbbf0f8 h1:nMpu1t4amK3vJWBibQ5X/Nv0aXL+b69TQf2uK5PH7Go=
 github.com/99designs/basicauth-go v0.0.0-20230316000542-bf6f9cbbf0f8/go.mod h1:3cARGAK9CfW3HoxCy1a0G4TKrdiKke8ftOMEOHyySYs=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/aws/aws-sdk-go v1.50.0 h1:HBtrLeO+QyDKnc3t1+5DR1RxodOHCGr8ZcrHudpv7jI=
 github.com/aws/aws-sdk-go v1.50.0/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
 github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A=
 github.com/benbjohnson/clock v1.3.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -30,10 +13,6 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/getsentry/sentry-go v0.25.0 h1:q6Eo+hS+yoJlTO3uu/azhQadsD8V+jQn2D8VvX1eOyI=
 github.com/getsentry/sentry-go v0.25.0/go.mod h1:lc76E2QywIyW8WuBnwl8Lc4bkmQH4+w1gwTf25trprY=
 github.com/go-chi/chi v1.5.5 h1:vOB/HbEMt9QqBqErz07QehcOKHaWFtuj87tTDVz2qXE=
@@ -42,30 +21,7 @@ github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
 github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
 github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
 github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
 github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -73,15 +29,8 @@ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26 h1:Xim43kblpZXfIBQsbuBVKCudVG457BR2GZFIz3uw3hQ=
 github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26/go.mod h1:dDKJzRmX4S37WGHujM7tX//fmj1uioxKzKxz3lo4HJo=
 github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=
 github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs=
 github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0=
 github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas=
 github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU=
 github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/gorilla/sessions v1.4.0 h1:kpIYOp/oi6MG/p5PgxApU8srsSw9tuFbt46Lt7auzqQ=
@@ -90,10 +39,6 @@ github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
 github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
@@ -117,7 +62,6 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk=
 github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
 github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
 github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM=
@@ -130,21 +74,12 @@ github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjR
 github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
 github.com/slok/go-http-metrics v0.11.0 h1:ABJUpekCZSkQT1wQrFvS4kGbhea/w6ndFJaWJeh3zL0=
 github.com/slok/go-http-metrics v0.11.0/go.mod h1:ZGKeYG1ET6TEJpQx18BqAJAvxw9jBAZXCHU7bWQqqAc=
 github.com/spf13/afero v1.14.0 h1:9tH6MapGnn/j0eb0yIXiLjERO8RB6xIVZRDCX7PtqWA=
 github.com/spf13/afero v1.14.0/go.mod h1:acJQ8t0ohCGuMN3O+Pv0V0hgMxNYDlvdk+VTfyZmbYo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.1 h1:4VhoImhV/Bm0ToFkXFi8hXNXwpDRZ/ynw3amt82mzq0=
 github.com/stretchr/objx v0.5.1/go.mod h1:/iHQpkQwBD6DLUmQ4pE+s1TXdob1mORJ4/UFdrifcy0=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
 go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
 go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/dig v1.17.0 h1:5Chju+tUvcC+N7N6EV08BJz41UZuO3BmHcN4A287ZLI=
@@ -157,105 +92,32 @@ go.uber.org/multierr v1.9.0 h1:7fIwc/ZtS0q++VgcfqFDxSBZVv/Xo49/SYnDFupUwlI=
 go.uber.org/multierr v1.9.0/go.mod h1:X2jQV1h+kxSjClGpnseKVIxpmcjrj7MNnI0bnlfKTVQ=
 go.uber.org/zap v1.23.0 h1:OjGQ5KQDEUawVHxNwQgPpiypGHOxo2mNZsOqTak4fFY=
 go.uber.org/zap v1.23.0/go.mod h1:D+nX8jyLsMHMYrln8A0rJjFt/T/9/bGgIhAqxv5URuY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
 golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.15.0 h1:s8pnnxNVzjWyrvYdFUQq5llS1PX2zhPXmccZv99h7uQ=
 golang.org/x/oauth2 v0.15.0/go.mod h1:q48ptWNTY5XWf+JNten23lcvHpLJ0ZSxF5ttTHKVCAM=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
 golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
 golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
 golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.153.0 h1:N1AwGhielyKFaUqH07/ZSIQR3uNPcV7NVw0vj+j4iR4=
 google.golang.org/api v0.153.0/go.mod h1:3qNJX5eOmhiWYc67jRA/3GsDw97UFb5ivv7Y2PrriAY=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 h1:wpZ8pe2x1Q3f2KyT5f8oP/fa9rHAKgFPr/HZdNuS+PQ=
 google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:J7XzRzVy1+IPwWHZUzoD0IccYZIrXILAQpc+Qy9CMhY=
 google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17 h1:JpwMPBpFN3uKhdaekDpiNlImDdkUAyiJ6ez/uxGaUSo=
 google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:0xJLfVdJqpAPl8tDg1ujOCGzx6LFLttXT5NhllGOXY4=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f h1:ultW7fxlIvee4HYrtnaRPon9HpEgFk5zYpmfMgtKB5I=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f/go.mod h1:L9KNLi232K1/xB6f7AlSX692koaRnKaWSR0stBki0Yc=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
 google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk=
 google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
 google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
 google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gorm.io/driver/sqlite v1.5.4 h1:IqXwXi8M/ZlPzH/947tn5uik3aYQslP9BVveoax0nV0=
 gorm.io/driver/sqlite v1.5.4/go.mod h1:qxAuCol+2r6PannQDpOP1FP6ag3mKi4esLnB/jHed+4=
 gorm.io/gorm v1.25.5 h1:zR9lOiiYf09VNh5Q1gphfyia1JpiClIWG9hQaxB/mls=
 gorm.io/gorm v1.25.5/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 lukechampine.com/uint128 v1.2.0 h1:mBi/5l91vocEN8otkC5bDLhi2KdCticRiwbdB0O+rjI=
 lukechampine.com/uint128 v1.2.0/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
 modernc.org/cc/v3 v3.40.0 h1:P3g79IUS/93SYhtoeaHW+kRCIrYaxJ27MFPv+7kaTOw=
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -4,19 +4,15 @@ import (
 	"fmt"
 	"log/slog"
 	"os"
 	"strconv"
 	"strings"
 	"go.uber.org/fx"
 	"sneak.berlin/go/webhooker/internal/globals"
 	"sneak.berlin/go/webhooker/internal/logger"
 	pkgconfig "sneak.berlin/go/webhooker/pkg/config"
-	// spooky action at a distance!
+	// Populates the environment from a ./.env file automatically for
-	// this populates the environment
+	// development configuration. Kept in one place only (here).
 	// from a ./.env file automatically
 	// for development configuration.
 	// .env contents should be things like
 	// `DBURL=postgres://user:pass@.../`
 	// (without the backticks, of course)
 	_ "github.com/joho/godotenv/autoload"
 )
@@ -25,9 +21,6 @@ const (
 	EnvironmentDev = "dev"
 	// EnvironmentProd represents production environment
 	EnvironmentProd = "prod"
 	// DevSessionKey is an insecure default session key for development
 	// This is "webhooker-dev-session-key-insecure!" base64 encoded
 	DevSessionKey = "d2ViaG9va2VyLWRldi1zZXNzaW9uLWtleS1pbnNlY3VyZSE="
 )
 // nolint:revive // ConfigParams is a standard fx naming convention
@@ -38,20 +31,16 @@ type ConfigParams struct {
 }
 type Config struct {
-	DBURL            string
+	DataDir         string
-	Debug            bool
+	Debug           bool
-	MaintenanceMode  bool
+	MaintenanceMode bool
-	DevelopmentMode  bool
+	Environment     string
-	DevAdminUsername string
+	MetricsPassword string
-	DevAdminPassword string
+	MetricsUsername string
-	Environment      string
+	Port            int
-	MetricsPassword  string
+	SentryDSN       string
-	MetricsUsername  string
+	params          *ConfigParams
-	Port             int
+	log             *slog.Logger
 	SentryDSN        string
 	SessionKey       string
 	params           *ConfigParams
 	log              *slog.Logger
 }
 // IsDev returns true if running in development environment
@@ -64,6 +53,32 @@ func (c *Config) IsProd() bool {
 	return c.Environment == EnvironmentProd
 }
 // envString returns the value of the named environment variable, or
 // an empty string if not set.
 func envString(key string) string {
 	return os.Getenv(key)
 }
 // envBool returns the value of the named environment variable parsed as a
 // boolean. Returns defaultValue if not set.
 func envBool(key string, defaultValue bool) bool {
 	if v := os.Getenv(key); v != "" {
 		return strings.EqualFold(v, "true") || v == "1"
 	}
 	return defaultValue
 }
 // envInt returns the value of the named environment variable parsed as an
 // integer. Returns defaultValue if not set or unparseable.
 func envInt(key string, defaultValue int) int {
 	if v := os.Getenv(key); v != "" {
 		if i, err := strconv.Atoi(v); err == nil {
 			return i
 		}
 	}
 	return defaultValue
 }
 // nolint:revive // lc parameter is required by fx even if unused
 func New(lc fx.Lifecycle, params ConfigParams) (*Config, error) {
 	log := params.Logger.Get()
@@ -80,46 +95,32 @@ func New(lc fx.Lifecycle, params ConfigParams) (*Config, error) {
 			EnvironmentDev, EnvironmentProd, environment)
 	}
-	// Set the environment in the config package
+	// Load configuration values from environment variables
 	pkgconfig.SetEnvironment(environment)
 	// Load configuration values
 	s := &Config{
-		DBURL:            pkgconfig.GetString("dburl"),
+		DataDir:         envString("DATA_DIR"),
-		Debug:            pkgconfig.GetBool("debug"),
+		Debug:           envBool("DEBUG", false),
-		MaintenanceMode:  pkgconfig.GetBool("maintenanceMode"),
+		MaintenanceMode: envBool("MAINTENANCE_MODE", false),
-		DevelopmentMode:  pkgconfig.GetBool("developmentMode"),
+		Environment:     environment,
-		DevAdminUsername: pkgconfig.GetString("devAdminUsername"),
+		MetricsUsername: envString("METRICS_USERNAME"),
-		DevAdminPassword: pkgconfig.GetString("devAdminPassword"),
+		MetricsPassword: envString("METRICS_PASSWORD"),
-		Environment:      pkgconfig.GetString("environment", environment),
+		Port:            envInt("PORT", 8080),
-		MetricsUsername:  pkgconfig.GetString("metricsUsername"),
+		SentryDSN:       envString("SENTRY_DSN"),
-		MetricsPassword:  pkgconfig.GetString("metricsPassword"),
+		log:             log,
-		Port:             pkgconfig.GetInt("port", 8080),
+		params:          &params,
 		SentryDSN:        pkgconfig.GetSecretString("sentryDSN"),
 		SessionKey:       pkgconfig.GetSecretString("sessionKey"),
 		log:              log,
 		params:           &params,
 	}
-	// Validate database URL
+	// Set default DataDir based on environment. All SQLite databases
-	if s.DBURL == "" {
+	// (main application DB and per-webhook event DBs) live here.
-		return nil, fmt.Errorf("database URL (dburl) is required")
+	if s.DataDir == "" {
-	}
+		if s.IsProd() {
-
+			s.DataDir = "/data"
-	// In production, require session key
+		} else {
-	if s.IsProd() && s.SessionKey == "" {
+			s.DataDir = "./data"
-		return nil, fmt.Errorf("SESSION_KEY is required in production environment")
+		}
 	}
 	// In development mode, warn if using default session key
 	if s.IsDev() && s.SessionKey == DevSessionKey {
 		log.Warn("Using insecure default session key for development mode")
 	}
 	if s.Debug {
 		params.Logger.EnableDebugLogging()
 		s.log = params.Logger.Get()
 		log.Debug("Debug mode enabled")
 	}
 	// Log configuration summary (without secrets)
@@ -128,8 +129,7 @@ func New(lc fx.Lifecycle, params ConfigParams) (*Config, error) {
 		"port", s.Port,
 		"debug", s.Debug,
 		"maintenanceMode", s.MaintenanceMode,
-		"developmentMode", s.DevelopmentMode,
+		"dataDir", s.DataDir,
 		"hasSessionKey", s.SessionKey != "",
 		"hasSentryDSN", s.SentryDSN != "",
 		"hasMetricsAuth", s.MetricsUsername != "" && s.MetricsPassword != "",
 	)
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -4,66 +4,14 @@ import (
 	"os"
 	"testing"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"
 	"go.uber.org/fx/fxtest"
 	"sneak.berlin/go/webhooker/internal/globals"
 	"sneak.berlin/go/webhooker/internal/logger"
 	pkgconfig "sneak.berlin/go/webhooker/pkg/config"
 )
 // createTestConfig creates a test configuration file in memory
 func createTestConfig(fs afero.Fs) error {
 	configYAML := `
 environments:
  dev:
    config:
      port: 8080
      debug: true
      maintenanceMode: false
      developmentMode: true
      environment: dev
      dburl: postgres://test:test@localhost:5432/test_dev?sslmode=disable
      metricsUsername: testuser
      metricsPassword: testpass
      devAdminUsername: devadmin
      devAdminPassword: devpass
    secrets:
      sessionKey: d2ViaG9va2VyLWRldi1zZXNzaW9uLWtleS1pbnNlY3VyZSE=
      sentryDSN: ""
  prod:
    config:
      port: $ENV:PORT
      debug: $ENV:DEBUG
      maintenanceMode: $ENV:MAINTENANCE_MODE
      developmentMode: false
      environment: prod
      dburl: $ENV:DBURL
      metricsUsername: $ENV:METRICS_USERNAME
      metricsPassword: $ENV:METRICS_PASSWORD
      devAdminUsername: ""
      devAdminPassword: ""
    secrets:
      sessionKey: $ENV:SESSION_KEY
      sentryDSN: $ENV:SENTRY_DSN
 configDefaults:
  port: 8080
  debug: false
  maintenanceMode: false
  developmentMode: false
  environment: dev
  metricsUsername: ""
  metricsPassword: ""
  devAdminUsername: ""
  devAdminPassword: ""
 `
 	return afero.WriteFile(fs, "config.yaml", []byte(configYAML), 0644)
 }
 func TestEnvironmentConfig(t *testing.T) {
 	tests := []struct {
 		name        string
@@ -76,6 +24,7 @@ func TestEnvironmentConfig(t *testing.T) {
 		{
 			name:        "default is dev",
 			envValue:    "",
 			envVars:     map[string]string{},
 			expectError: false,
 			isDev:       true,
 			isProd:      false,
@@ -83,17 +32,15 @@ func TestEnvironmentConfig(t *testing.T) {
 		{
 			name:        "explicit dev",
 			envValue:    "dev",
 			envVars:     map[string]string{},
 			expectError: false,
 			isDev:       true,
 			isProd:      false,
 		},
 		{
-			name:     "explicit prod with session key",
+			name:        "explicit prod",
-			envValue: "prod",
+			envValue:    "prod",
-			envVars: map[string]string{
+			envVars:     map[string]string{},
 				"SESSION_KEY": "cHJvZC1zZXNzaW9uLWtleS0zMi1ieXRlcy1sb25nISE=",
 				"DBURL":       "postgres://prod:prod@localhost:5432/prod?sslmode=require",
 			},
 			expectError: false,
 			isDev:       false,
 			isProd:      true,
@@ -101,21 +48,19 @@ func TestEnvironmentConfig(t *testing.T) {
 		{
 			name:        "invalid environment",
 			envValue:    "staging",
 			envVars:     map[string]string{},
 			expectError: true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Create in-memory filesystem with test config
 			fs := afero.NewMemMapFs()
 			require.NoError(t, createTestConfig(fs))
 			pkgconfig.SetFs(fs)
 			// Set environment variable if specified
 			if tt.envValue != "" {
 				os.Setenv("WEBHOOKER_ENVIRONMENT", tt.envValue)
 				defer os.Unsetenv("WEBHOOKER_ENVIRONMENT")
 			} else {
 				os.Unsetenv("WEBHOOKER_ENVIRONMENT")
 			}
 			// Set additional environment variables
@@ -159,142 +104,3 @@ func TestEnvironmentConfig(t *testing.T) {
 		})
 	}
 }
 func TestSessionKeyDefaults(t *testing.T) {
 	tests := []struct {
 		name        string
 		environment string
 		sessionKey  string
 		dburl       string
 		expectError bool
 		expectedKey string
 	}{
 		{
 			name:        "dev mode with default session key",
 			environment: "dev",
 			sessionKey:  "",
 			expectError: false,
 			expectedKey: DevSessionKey,
 		},
 		{
 			name:        "dev mode with custom session key",
 			environment: "dev",
 			sessionKey:  "Y3VzdG9tLXNlc3Npb24ta2V5LTMyLWJ5dGVzLWxvbmchIQ==",
 			expectError: false,
 			expectedKey: "Y3VzdG9tLXNlc3Npb24ta2V5LTMyLWJ5dGVzLWxvbmchIQ==",
 		},
 		{
 			name:        "prod mode with no session key fails",
 			environment: "prod",
 			sessionKey:  "",
 			dburl:       "postgres://prod:prod@localhost:5432/prod",
 			expectError: true,
 		},
 		{
 			name:        "prod mode with session key succeeds",
 			environment: "prod",
 			sessionKey:  "cHJvZC1zZXNzaW9uLWtleS0zMi1ieXRlcy1sb25nISE=",
 			dburl:       "postgres://prod:prod@localhost:5432/prod",
 			expectError: false,
 			expectedKey: "cHJvZC1zZXNzaW9uLWtleS0zMi1ieXRlcy1sb25nISE=",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Create in-memory filesystem with test config
 			fs := afero.NewMemMapFs()
 			// Create custom config for session key tests
 			configYAML := `
 environments:
  dev:
    config:
      environment: dev
      developmentMode: true
      dburl: postgres://test:test@localhost:5432/test_dev
    secrets:`
 			// Only add sessionKey line if it's not empty
 			if tt.sessionKey != "" {
 				configYAML += `
      sessionKey: ` + tt.sessionKey
 			} else if tt.environment == "dev" {
 				// For dev mode with no session key, use the default
 				configYAML += `
      sessionKey: d2ViaG9va2VyLWRldi1zZXNzaW9uLWtleS1pbnNlY3VyZSE=`
 			}
 			// Add prod config if testing prod
 			if tt.environment == "prod" {
 				configYAML += `
  prod:
    config:
      environment: prod
      developmentMode: false
      dburl: $ENV:DBURL
    secrets:
      sessionKey: $ENV:SESSION_KEY`
 			}
 			require.NoError(t, afero.WriteFile(fs, "config.yaml", []byte(configYAML), 0644))
 			pkgconfig.SetFs(fs)
 			// Clean up any existing env vars
 			os.Unsetenv("WEBHOOKER_ENVIRONMENT")
 			os.Unsetenv("SESSION_KEY")
 			os.Unsetenv("DBURL")
 			// Set environment variables
 			os.Setenv("WEBHOOKER_ENVIRONMENT", tt.environment)
 			defer os.Unsetenv("WEBHOOKER_ENVIRONMENT")
 			if tt.sessionKey != "" && tt.environment == "prod" {
 				os.Setenv("SESSION_KEY", tt.sessionKey)
 				defer os.Unsetenv("SESSION_KEY")
 			}
 			if tt.dburl != "" {
 				os.Setenv("DBURL", tt.dburl)
 				defer os.Unsetenv("DBURL")
 			}
 			if tt.expectError {
 				// Use regular fx.New for error cases
 				var cfg *Config
 				app := fx.New(
 					fx.NopLogger, // Suppress fx logs in tests
 					fx.Provide(
 						globals.New,
 						logger.New,
 						New,
 					),
 					fx.Populate(&cfg),
 				)
 				assert.Error(t, app.Err())
 			} else {
 				// Use fxtest for success cases
 				var cfg *Config
 				app := fxtest.New(
 					t,
 					fx.Provide(
 						globals.New,
 						logger.New,
 						New,
 					),
 					fx.Populate(&cfg),
 				)
 				require.NoError(t, app.Err())
 				app.RequireStart()
 				defer app.RequireStop()
 				if tt.environment == "dev" && tt.sessionKey == "" {
 					// Dev mode with no session key uses default
 					assert.Equal(t, DevSessionKey, cfg.SessionKey)
 				} else {
 					assert.Equal(t, tt.expectedKey, cfg.SessionKey)
 				}
 			}
 		})
 	}
 }
--- a/internal/database/database.go
+++ b/internal/database/database.go
@@ -2,8 +2,14 @@ package database
 import (
 	"context"
 	"crypto/rand"
 	"database/sql"
 	"encoding/base64"
 	"errors"
 	"fmt"
 	"log/slog"
 	"os"
 	"path/filepath"
 	"go.uber.org/fx"
 	"gorm.io/driver/sqlite"
@@ -45,13 +51,17 @@ func New(lc fx.Lifecycle, params DatabaseParams) (*Database, error) {
 }
 func (d *Database) connect() error {
-	dbURL := d.params.Config.DBURL
+	// Ensure the data directory exists before opening the database.
-	if dbURL == "" {
+	dataDir := d.params.Config.DataDir
-		// Default to SQLite for development
+	if err := os.MkdirAll(dataDir, 0750); err != nil {
-		dbURL = "file:webhooker.db?cache=shared&mode=rwc"
+		return fmt.Errorf("creating data directory %s: %w", dataDir, err)
 	}
-	// First, open the database with the pure Go driver
+	// Construct the main application database path inside DATA_DIR.
 	dbPath := filepath.Join(dataDir, "webhooker.db")
 	dbURL := fmt.Sprintf("file:%s?cache=shared&mode=rwc", dbPath)
 	// Open the database with the pure Go SQLite driver
 	sqlDB, err := sql.Open("sqlite", dbURL)
 	if err != nil {
 		d.log.Error("failed to open database", "error", err)
@@ -68,7 +78,7 @@ func (d *Database) connect() error {
 	}
 	d.db = db
-	d.log.Info("connected to database", "database", dbURL)
+	d.log.Info("connected to database", "path", dbPath)
 	// Run migrations
 	return d.migrate()
@@ -118,11 +128,11 @@ func (d *Database) migrate() error {
 			return err
 		}
 		// Log the password - this will only happen once on first startup
 		d.log.Info("admin user created",
 			"username", "admin",
 			"password", password,
-			"message", "SAVE THIS PASSWORD - it will not be shown again!")
+			"message", "SAVE THIS PASSWORD - it will not be shown again!",
 		)
 	}
 	return nil
@@ -142,3 +152,35 @@ func (d *Database) close() error {
 func (d *Database) DB() *gorm.DB {
 	return d.db
 }
 // GetOrCreateSessionKey retrieves the session encryption key from the
 // settings table. If no key exists, a cryptographically secure random
 // 32-byte key is generated, base64-encoded, and stored for future use.
 func (d *Database) GetOrCreateSessionKey() (string, error) {
 	var setting Setting
 	result := d.db.Where(&Setting{Key: "session_key"}).First(&setting)
 	if result.Error == nil {
 		return setting.Value, nil
 	}
 	if !errors.Is(result.Error, gorm.ErrRecordNotFound) {
 		return "", fmt.Errorf("failed to query session key: %w", result.Error)
 	}
 	// Generate a new cryptographically secure 32-byte key
 	keyBytes := make([]byte, 32)
 	if _, err := rand.Read(keyBytes); err != nil {
 		return "", fmt.Errorf("failed to generate session key: %w", err)
 	}
 	encoded := base64.StdEncoding.EncodeToString(keyBytes)
 	setting = Setting{
 		Key:   "session_key",
 		Value: encoded,
 	}
 	if err := d.db.Create(&setting).Error; err != nil {
 		return "", fmt.Errorf("failed to store session key: %w", err)
 	}
 	d.log.Info("generated new session key and stored in database")
 	return encoded, nil
 }
--- a/internal/database/database_test.go
+++ b/internal/database/database_test.go
@@ -4,38 +4,13 @@ import (
 	"context"
 	"testing"
 	"github.com/spf13/afero"
 	"go.uber.org/fx/fxtest"
 	"sneak.berlin/go/webhooker/internal/config"
 	"sneak.berlin/go/webhooker/internal/globals"
 	"sneak.berlin/go/webhooker/internal/logger"
 	pkgconfig "sneak.berlin/go/webhooker/pkg/config"
 )
 func TestDatabaseConnection(t *testing.T) {
 	// Set up in-memory config so the test does not depend on config.yaml on disk
 	fs := afero.NewMemMapFs()
 	testConfigYAML := `
 environments:
  dev:
    config:
      port: 8080
      debug: false
      maintenanceMode: false
      developmentMode: true
      environment: dev
      dburl: "file::memory:?cache=shared"
    secrets:
      sessionKey: d2ViaG9va2VyLWRldi1zZXNzaW9uLWtleS1pbnNlY3VyZSE=
      sentryDSN: ""
 configDefaults:
  port: 8080
 `
 	if err := afero.WriteFile(fs, "config.yaml", []byte(testConfigYAML), 0644); err != nil {
 		t.Fatalf("Failed to write test config: %v", err)
 	}
 	pkgconfig.SetFs(fs)
 	// Set up test dependencies
 	lc := fxtest.NewLifecycle(t)
@@ -55,18 +30,12 @@ configDefaults:
 		t.Fatalf("Failed to create logger: %v", err)
 	}
-	// Create config
+	// Create config with DataDir pointing to a temp directory
-	c, err := config.New(lc, config.ConfigParams{
+	c := &config.Config{
-		Globals: g,
+		DataDir:     t.TempDir(),
-		Logger:  l,
+		Environment: "dev",
 	})
 	if err != nil {
 		t.Fatalf("Failed to create config: %v", err)
 	}
 	// Override DBURL to use a temp file-based SQLite (in-memory doesn't persist across connections)
 	c.DBURL = "file:" + t.TempDir() + "/test.db?cache=shared&mode=rwc"
 	// Create database
 	db, err := New(lc, DatabaseParams{
 		Config: c,
--- a/internal/database/model_entrypoint.go
+++ b/internal/database/model_entrypoint.go
@@ -0,0 +1,14 @@
 package database
 // Entrypoint represents an inbound URL endpoint that feeds into a webhook
 type Entrypoint struct {
 	BaseModel
 	WebhookID   string `gorm:"type:uuid;not null" json:"webhook_id"`
 	Path        string `gorm:"uniqueIndex;not null" json:"path"` // URL path for this entrypoint
 	Description string `json:"description"`
 	Active      bool   `gorm:"default:true" json:"active"`
 	// Relations
 	Webhook Webhook `json:"webhook,omitempty"`
 }
--- a/internal/database/model_event.go
+++ b/internal/database/model_event.go
@@ -1,11 +1,11 @@
 package database
-// Event represents a webhook event
+// Event represents a captured webhook event
 type Event struct {
 	BaseModel
-	ProcessorID string `gorm:"type:uuid;not null" json:"processor_id"`
+	WebhookID    string `gorm:"type:uuid;not null" json:"webhook_id"`
-	WebhookID   string `gorm:"type:uuid;not null" json:"webhook_id"`
+	EntrypointID string `gorm:"type:uuid;not null" json:"entrypoint_id"`
 	// Request data
 	Method      string `gorm:"not null" json:"method"`
@@ -14,7 +14,7 @@ type Event struct {
 	ContentType string `json:"content_type"`
 	// Relations
 	Processor  Processor  `json:"processor,omitempty"`
 	Webhook    Webhook    `json:"webhook,omitempty"`
 	Entrypoint Entrypoint `json:"entrypoint,omitempty"`
 	Deliveries []Delivery `json:"deliveries,omitempty"`
 }
--- a/internal/database/model_processor.go
+++ b/internal/database/model_processor.go
@@ -1,16 +0,0 @@
 package database
 // Processor represents an event processor
 type Processor struct {
 	BaseModel
 	UserID        string `gorm:"type:uuid;not null" json:"user_id"`
 	Name          string `gorm:"not null" json:"name"`
 	Description   string `json:"description"`
 	RetentionDays int    `gorm:"default:30" json:"retention_days"` // Days to retain events
 	// Relations
 	User     User      `json:"user,omitempty"`
 	Webhooks []Webhook `json:"webhooks,omitempty"`
 	Targets  []Target  `json:"targets,omitempty"`
 }
--- a/internal/database/model_setting.go
+++ b/internal/database/model_setting.go
@@ -0,0 +1,8 @@
 package database
 // Setting stores application-level key-value configuration.
 // Used for auto-generated values like the session encryption key.
 type Setting struct {
 	Key   string `gorm:"primaryKey" json:"key"`
 	Value string `gorm:"type:text;not null" json:"value"`
 }
--- a/internal/database/model_target.go
+++ b/internal/database/model_target.go
@@ -5,28 +5,27 @@ type TargetType string
 const (
 	TargetTypeHTTP     TargetType = "http"
 	TargetTypeRetry    TargetType = "retry"
 	TargetTypeDatabase TargetType = "database"
 	TargetTypeLog      TargetType = "log"
 )
-// Target represents a delivery target for a processor
+// Target represents a delivery target for a webhook
 type Target struct {
 	BaseModel
-	ProcessorID string     `gorm:"type:uuid;not null" json:"processor_id"`
+	WebhookID string     `gorm:"type:uuid;not null" json:"webhook_id"`
-	Name        string     `gorm:"not null" json:"name"`
+	Name      string     `gorm:"not null" json:"name"`
-	Type        TargetType `gorm:"not null" json:"type"`
+	Type      TargetType `gorm:"not null" json:"type"`
-	Active      bool       `gorm:"default:true" json:"active"`
+	Active    bool       `gorm:"default:true" json:"active"`
 	// Configuration fields (JSON stored based on type)
 	Config string `gorm:"type:text" json:"config"` // JSON configuration
-	// For retry targets
+	// For HTTP targets (max_retries=0 means fire-and-forget, >0 enables retries with backoff)
 	MaxRetries   int `json:"max_retries,omitempty"`
 	MaxQueueSize int `json:"max_queue_size,omitempty"`
 	// Relations
-	Processor  Processor  `json:"processor,omitempty"`
+	Webhook    Webhook    `json:"webhook,omitempty"`
 	Deliveries []Delivery `json:"deliveries,omitempty"`
 }
--- a/internal/database/model_user.go
+++ b/internal/database/model_user.go
@@ -8,6 +8,6 @@ type User struct {
 	Password string `gorm:"not null" json:"-"` // Argon2 hashed
 	// Relations
-	Processors []Processor `json:"processors,omitempty"`
+	Webhooks []Webhook `json:"webhooks,omitempty"`
-	APIKeys    []APIKey    `json:"api_keys,omitempty"`
+	APIKeys  []APIKey  `json:"api_keys,omitempty"`
 }
--- a/internal/database/model_webhook.go
+++ b/internal/database/model_webhook.go
@@ -1,14 +1,16 @@
 package database
-// Webhook represents a webhook endpoint that feeds into a processor
+// Webhook represents a webhook processing unit that groups entrypoints and targets
 type Webhook struct {
 	BaseModel
-	ProcessorID string `gorm:"type:uuid;not null" json:"processor_id"`
+	UserID        string `gorm:"type:uuid;not null" json:"user_id"`
-	Path        string `gorm:"uniqueIndex;not null" json:"path"` // URL path for this webhook
+	Name          string `gorm:"not null" json:"name"`
-	Description string `json:"description"`
+	Description   string `json:"description"`
-	Active      bool   `gorm:"default:true" json:"active"`
+	RetentionDays int    `gorm:"default:30" json:"retention_days"` // Days to retain events
 	// Relations
-	Processor Processor `json:"processor,omitempty"`
+	User        User         `json:"user,omitempty"`
 	Entrypoints []Entrypoint `json:"entrypoints,omitempty"`
 	Targets     []Target     `json:"targets,omitempty"`
 }
--- a/internal/database/models.go
+++ b/internal/database/models.go
@@ -1,15 +1,16 @@
 package database
-// Migrate runs database migrations for all models
+// Migrate runs database migrations for the main application database.
 // Only configuration-tier models are stored in the main database.
 // Event-tier models (Event, Delivery, DeliveryResult) live in
 // per-webhook dedicated databases managed by WebhookDBManager.
 func (d *Database) Migrate() error {
 	return d.db.AutoMigrate(
 		&Setting{},
 		&User{},
 		&APIKey{},
 		&Processor{},
 		&Webhook{},
 		&Entrypoint{},
 		&Target{},
 		&Event{},
 		&Delivery{},
 		&DeliveryResult{},
 	)
 }
--- a/internal/database/webhook_db_manager.go
+++ b/internal/database/webhook_db_manager.go
@@ -0,0 +1,183 @@
 package database
 import (
 	"context"
 	"database/sql"
 	"fmt"
 	"log/slog"
 	"os"
 	"path/filepath"
 	"sync"
 	"go.uber.org/fx"
 	"gorm.io/driver/sqlite"
 	"gorm.io/gorm"
 	"sneak.berlin/go/webhooker/internal/config"
 	"sneak.berlin/go/webhooker/internal/logger"
 )
 // nolint:revive // WebhookDBManagerParams is a standard fx naming convention
 type WebhookDBManagerParams struct {
 	fx.In
 	Config *config.Config
 	Logger *logger.Logger
 }
 // WebhookDBManager manages per-webhook SQLite database files for event storage.
 // Each webhook gets its own dedicated database containing Events, Deliveries,
 // and DeliveryResults. Database connections are opened lazily and cached.
 type WebhookDBManager struct {
 	dataDir string
 	dbs     sync.Map // map[webhookID]*gorm.DB
 	log     *slog.Logger
 }
 // NewWebhookDBManager creates a new WebhookDBManager and registers lifecycle hooks.
 func NewWebhookDBManager(lc fx.Lifecycle, params WebhookDBManagerParams) (*WebhookDBManager, error) {
 	m := &WebhookDBManager{
 		dataDir: params.Config.DataDir,
 		log:     params.Logger.Get(),
 	}
 	// Create data directory if it doesn't exist
 	if err := os.MkdirAll(m.dataDir, 0750); err != nil {
 		return nil, fmt.Errorf("creating data directory %s: %w", m.dataDir, err)
 	}
 	lc.Append(fx.Hook{
 		OnStop: func(_ context.Context) error { //nolint:revive // ctx unused but required by fx
 			return m.CloseAll()
 		},
 	})
 	m.log.Info("webhook database manager initialized", "data_dir", m.dataDir)
 	return m, nil
 }
 // dbPath returns the filesystem path for a webhook's database file.
 func (m *WebhookDBManager) dbPath(webhookID string) string {
 	return filepath.Join(m.dataDir, fmt.Sprintf("events-%s.db", webhookID))
 }
 // openDB opens (or creates) a per-webhook SQLite database and runs migrations.
 func (m *WebhookDBManager) openDB(webhookID string) (*gorm.DB, error) {
 	path := m.dbPath(webhookID)
 	dbURL := fmt.Sprintf("file:%s?cache=shared&mode=rwc", path)
 	sqlDB, err := sql.Open("sqlite", dbURL)
 	if err != nil {
 		return nil, fmt.Errorf("opening webhook database %s: %w", webhookID, err)
 	}
 	db, err := gorm.Open(sqlite.Dialector{
 		Conn: sqlDB,
 	}, &gorm.Config{})
 	if err != nil {
 		sqlDB.Close()
 		return nil, fmt.Errorf("connecting to webhook database %s: %w", webhookID, err)
 	}
 	// Run migrations for event-tier models only
 	if err := db.AutoMigrate(&Event{}, &Delivery{}, &DeliveryResult{}); err != nil {
 		sqlDB.Close()
 		return nil, fmt.Errorf("migrating webhook database %s: %w", webhookID, err)
 	}
 	m.log.Info("opened per-webhook database", "webhook_id", webhookID, "path", path)
 	return db, nil
 }
 // GetDB returns the database connection for a webhook, creating the database
 // file lazily if it doesn't exist. This handles both new webhooks and existing
 // webhooks that were created before per-webhook databases were introduced.
 func (m *WebhookDBManager) GetDB(webhookID string) (*gorm.DB, error) {
 	// Fast path: already open
 	if val, ok := m.dbs.Load(webhookID); ok {
 		cachedDB, castOK := val.(*gorm.DB)
 		if !castOK {
 			return nil, fmt.Errorf("invalid cached database type for webhook %s", webhookID)
 		}
 		return cachedDB, nil
 	}
 	// Slow path: open/create the database
 	db, err := m.openDB(webhookID)
 	if err != nil {
 		return nil, err
 	}
 	// Store it; if another goroutine beat us, close ours and use theirs
 	actual, loaded := m.dbs.LoadOrStore(webhookID, db)
 	if loaded {
 		// Another goroutine created it first; close our duplicate
 		if sqlDB, closeErr := db.DB(); closeErr == nil {
 			sqlDB.Close()
 		}
 		existingDB, castOK := actual.(*gorm.DB)
 		if !castOK {
 			return nil, fmt.Errorf("invalid cached database type for webhook %s", webhookID)
 		}
 		return existingDB, nil
 	}
 	return db, nil
 }
 // CreateDB explicitly creates a new per-webhook database file and runs migrations.
 // This is called when a new webhook is created.
 func (m *WebhookDBManager) CreateDB(webhookID string) error {
 	_, err := m.GetDB(webhookID)
 	return err
 }
 // DBExists checks if a per-webhook database file exists on disk.
 func (m *WebhookDBManager) DBExists(webhookID string) bool {
 	_, err := os.Stat(m.dbPath(webhookID))
 	return err == nil
 }
 // DeleteDB closes the connection and deletes the database file for a webhook.
 // This performs a hard delete — the file is permanently removed.
 func (m *WebhookDBManager) DeleteDB(webhookID string) error {
 	// Close and remove from cache
 	if val, ok := m.dbs.LoadAndDelete(webhookID); ok {
 		if gormDB, castOK := val.(*gorm.DB); castOK {
 			if sqlDB, err := gormDB.DB(); err == nil {
 				sqlDB.Close()
 			}
 		}
 	}
 	// Delete the main DB file and WAL/SHM files
 	path := m.dbPath(webhookID)
 	for _, suffix := range []string{"", "-wal", "-shm"} {
 		if err := os.Remove(path + suffix); err != nil && !os.IsNotExist(err) {
 			return fmt.Errorf("deleting webhook database file %s%s: %w", path, suffix, err)
 		}
 	}
 	m.log.Info("deleted per-webhook database", "webhook_id", webhookID)
 	return nil
 }
 // CloseAll closes all open per-webhook database connections.
 // Called during application shutdown.
 func (m *WebhookDBManager) CloseAll() error {
 	var lastErr error
 	m.dbs.Range(func(key, value interface{}) bool {
 		if gormDB, castOK := value.(*gorm.DB); castOK {
 			if sqlDB, err := gormDB.DB(); err == nil {
 				if closeErr := sqlDB.Close(); closeErr != nil {
 					lastErr = closeErr
 					m.log.Error("failed to close webhook database",
 						"webhook_id", key,
 						"error", closeErr,
 					)
 				}
 			}
 		}
 		m.dbs.Delete(key)
 		return true
 	})
 	return lastErr
 }
--- a/internal/database/webhook_db_manager_test.go
+++ b/internal/database/webhook_db_manager_test.go
@@ -0,0 +1,273 @@
 package database
 import (
 	"context"
 	"os"
 	"path/filepath"
 	"testing"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx/fxtest"
 	"sneak.berlin/go/webhooker/internal/config"
 	"sneak.berlin/go/webhooker/internal/globals"
 	"sneak.berlin/go/webhooker/internal/logger"
 )
 func setupTestWebhookDBManager(t *testing.T) (*WebhookDBManager, *fxtest.Lifecycle) {
 	t.Helper()
 	lc := fxtest.NewLifecycle(t)
 	globals.Appname = "webhooker-test"
 	globals.Version = "test"
 	globals.Buildarch = "test"
 	g, err := globals.New(lc)
 	require.NoError(t, err)
 	l, err := logger.New(lc, logger.LoggerParams{Globals: g})
 	require.NoError(t, err)
 	dataDir := filepath.Join(t.TempDir(), "events")
 	cfg := &config.Config{
 		DataDir: dataDir,
 	}
 	mgr, err := NewWebhookDBManager(lc, WebhookDBManagerParams{
 		Config: cfg,
 		Logger: l,
 	})
 	require.NoError(t, err)
 	return mgr, lc
 }
 func TestWebhookDBManager_CreateAndGetDB(t *testing.T) {
 	mgr, lc := setupTestWebhookDBManager(t)
 	ctx := context.Background()
 	require.NoError(t, lc.Start(ctx))
 	defer func() { require.NoError(t, lc.Stop(ctx)) }()
 	webhookID := uuid.New().String()
 	// DB should not exist yet
 	assert.False(t, mgr.DBExists(webhookID))
 	// Create the DB
 	err := mgr.CreateDB(webhookID)
 	require.NoError(t, err)
 	// DB file should now exist
 	assert.True(t, mgr.DBExists(webhookID))
 	// Get the DB again (should use cached connection)
 	db, err := mgr.GetDB(webhookID)
 	require.NoError(t, err)
 	require.NotNil(t, db)
 	// Verify we can write an event
 	event := &Event{
 		WebhookID:    webhookID,
 		EntrypointID: uuid.New().String(),
 		Method:       "POST",
 		Headers:      `{"Content-Type":["application/json"]}`,
 		Body:         `{"test": true}`,
 		ContentType:  "application/json",
 	}
 	require.NoError(t, db.Create(event).Error)
 	assert.NotEmpty(t, event.ID)
 	// Verify we can read it back
 	var readEvent Event
 	require.NoError(t, db.First(&readEvent, "id = ?", event.ID).Error)
 	assert.Equal(t, webhookID, readEvent.WebhookID)
 	assert.Equal(t, "POST", readEvent.Method)
 	assert.Equal(t, `{"test": true}`, readEvent.Body)
 }
 func TestWebhookDBManager_DeleteDB(t *testing.T) {
 	mgr, lc := setupTestWebhookDBManager(t)
 	ctx := context.Background()
 	require.NoError(t, lc.Start(ctx))
 	defer func() { require.NoError(t, lc.Stop(ctx)) }()
 	webhookID := uuid.New().String()
 	// Create the DB and write some data
 	require.NoError(t, mgr.CreateDB(webhookID))
 	db, err := mgr.GetDB(webhookID)
 	require.NoError(t, err)
 	event := &Event{
 		WebhookID:    webhookID,
 		EntrypointID: uuid.New().String(),
 		Method:       "POST",
 		Body:         `{"test": true}`,
 		ContentType:  "application/json",
 	}
 	require.NoError(t, db.Create(event).Error)
 	// Delete the DB
 	require.NoError(t, mgr.DeleteDB(webhookID))
 	// File should no longer exist
 	assert.False(t, mgr.DBExists(webhookID))
 	// Verify the file is actually gone from disk
 	dbPath := mgr.dbPath(webhookID)
 	_, err = os.Stat(dbPath)
 	assert.True(t, os.IsNotExist(err))
 }
 func TestWebhookDBManager_LazyCreation(t *testing.T) {
 	mgr, lc := setupTestWebhookDBManager(t)
 	ctx := context.Background()
 	require.NoError(t, lc.Start(ctx))
 	defer func() { require.NoError(t, lc.Stop(ctx)) }()
 	webhookID := uuid.New().String()
 	// GetDB should lazily create the database
 	db, err := mgr.GetDB(webhookID)
 	require.NoError(t, err)
 	require.NotNil(t, db)
 	// File should now exist
 	assert.True(t, mgr.DBExists(webhookID))
 }
 func TestWebhookDBManager_DeliveryWorkflow(t *testing.T) {
 	mgr, lc := setupTestWebhookDBManager(t)
 	ctx := context.Background()
 	require.NoError(t, lc.Start(ctx))
 	defer func() { require.NoError(t, lc.Stop(ctx)) }()
 	webhookID := uuid.New().String()
 	targetID := uuid.New().String()
 	db, err := mgr.GetDB(webhookID)
 	require.NoError(t, err)
 	// Create an event
 	event := &Event{
 		WebhookID:    webhookID,
 		EntrypointID: uuid.New().String(),
 		Method:       "POST",
 		Headers:      `{"Content-Type":["application/json"]}`,
 		Body:         `{"payload": "test"}`,
 		ContentType:  "application/json",
 	}
 	require.NoError(t, db.Create(event).Error)
 	// Create a delivery
 	delivery := &Delivery{
 		EventID:  event.ID,
 		TargetID: targetID,
 		Status:   DeliveryStatusPending,
 	}
 	require.NoError(t, db.Create(delivery).Error)
 	// Query pending deliveries
 	var pending []Delivery
 	require.NoError(t, db.Where("status = ?", DeliveryStatusPending).
 		Preload("Event").
 		Find(&pending).Error)
 	require.Len(t, pending, 1)
 	assert.Equal(t, event.ID, pending[0].EventID)
 	assert.Equal(t, "POST", pending[0].Event.Method)
 	// Create a delivery result
 	result := &DeliveryResult{
 		DeliveryID: delivery.ID,
 		AttemptNum: 1,
 		Success:    true,
 		StatusCode: 200,
 		Duration:   42,
 	}
 	require.NoError(t, db.Create(result).Error)
 	// Update delivery status
 	require.NoError(t, db.Model(delivery).Update("status", DeliveryStatusDelivered).Error)
 	// Verify no more pending deliveries
 	var stillPending []Delivery
 	require.NoError(t, db.Where("status = ?", DeliveryStatusPending).Find(&stillPending).Error)
 	assert.Empty(t, stillPending)
 }
 func TestWebhookDBManager_MultipleWebhooks(t *testing.T) {
 	mgr, lc := setupTestWebhookDBManager(t)
 	ctx := context.Background()
 	require.NoError(t, lc.Start(ctx))
 	defer func() { require.NoError(t, lc.Stop(ctx)) }()
 	webhook1 := uuid.New().String()
 	webhook2 := uuid.New().String()
 	// Create DBs for two webhooks
 	require.NoError(t, mgr.CreateDB(webhook1))
 	require.NoError(t, mgr.CreateDB(webhook2))
 	db1, err := mgr.GetDB(webhook1)
 	require.NoError(t, err)
 	db2, err := mgr.GetDB(webhook2)
 	require.NoError(t, err)
 	// Write events to each webhook's DB
 	event1 := &Event{
 		WebhookID:    webhook1,
 		EntrypointID: uuid.New().String(),
 		Method:       "POST",
 		Body:         `{"webhook": 1}`,
 		ContentType:  "application/json",
 	}
 	event2 := &Event{
 		WebhookID:    webhook2,
 		EntrypointID: uuid.New().String(),
 		Method:       "PUT",
 		Body:         `{"webhook": 2}`,
 		ContentType:  "application/json",
 	}
 	require.NoError(t, db1.Create(event1).Error)
 	require.NoError(t, db2.Create(event2).Error)
 	// Verify isolation: each DB only has its own events
 	var count1 int64
 	db1.Model(&Event{}).Count(&count1)
 	assert.Equal(t, int64(1), count1)
 	var count2 int64
 	db2.Model(&Event{}).Count(&count2)
 	assert.Equal(t, int64(1), count2)
 	// Delete webhook1's DB, webhook2 should be unaffected
 	require.NoError(t, mgr.DeleteDB(webhook1))
 	assert.False(t, mgr.DBExists(webhook1))
 	assert.True(t, mgr.DBExists(webhook2))
 	// webhook2's data should still be accessible
 	var events []Event
 	require.NoError(t, db2.Find(&events).Error)
 	assert.Len(t, events, 1)
 	assert.Equal(t, "PUT", events[0].Method)
 }
 func TestWebhookDBManager_CloseAll(t *testing.T) {
 	mgr, lc := setupTestWebhookDBManager(t)
 	ctx := context.Background()
 	require.NoError(t, lc.Start(ctx))
 	// Create a few DBs
 	for i := 0; i < 3; i++ {
 		require.NoError(t, mgr.CreateDB(uuid.New().String()))
 	}
 	// CloseAll should close all connections without error
 	require.NoError(t, mgr.CloseAll())
 	// Stop lifecycle (CloseAll already called, but shouldn't panic)
 	require.NoError(t, lc.Stop(ctx))
 }
--- a/internal/delivery/circuit_breaker.go
+++ b/internal/delivery/circuit_breaker.go
@@ -0,0 +1,162 @@
 package delivery
 import (
 	"sync"
 	"time"
 )
 // CircuitState represents the current state of a circuit breaker.
 type CircuitState int
 const (
 	// CircuitClosed is the normal operating state. Deliveries flow through.
 	CircuitClosed CircuitState = iota
 	// CircuitOpen means the circuit has tripped. Deliveries are skipped
 	// until the cooldown expires.
 	CircuitOpen
 	// CircuitHalfOpen allows a single probe delivery to test whether
 	// the target has recovered.
 	CircuitHalfOpen
 )
 const (
 	// defaultFailureThreshold is the number of consecutive failures
 	// before a circuit breaker trips open.
 	defaultFailureThreshold = 5
 	// defaultCooldown is how long a circuit stays open before
 	// transitioning to half-open for a probe delivery.
 	defaultCooldown = 30 * time.Second
 )
 // CircuitBreaker implements the circuit breaker pattern for a single
 // delivery target. It tracks consecutive failures and prevents
 // hammering a down target by temporarily stopping delivery attempts.
 //
 // States:
 //   - Closed (normal): deliveries flow through; consecutive failures
 //     are counted.
 //   - Open (tripped): deliveries are skipped; a cooldown timer is
 //     running. After the cooldown expires the state moves to HalfOpen.
 //   - HalfOpen (probing): one probe delivery is allowed. If it
 //     succeeds the circuit closes; if it fails the circuit reopens.
 type CircuitBreaker struct {
 	mu          sync.Mutex
 	state       CircuitState
 	failures    int
 	threshold   int
 	cooldown    time.Duration
 	lastFailure time.Time
 }
 // NewCircuitBreaker creates a circuit breaker with default settings.
 func NewCircuitBreaker() *CircuitBreaker {
 	return &CircuitBreaker{
 		state:     CircuitClosed,
 		threshold: defaultFailureThreshold,
 		cooldown:  defaultCooldown,
 	}
 }
 // Allow checks whether a delivery attempt should proceed. It returns
 // true if the delivery should be attempted, false if the circuit is
 // open and the delivery should be skipped.
 //
 // When the circuit is open and the cooldown has elapsed, Allow
 // transitions to half-open and permits exactly one probe delivery.
 func (cb *CircuitBreaker) Allow() bool {
 	cb.mu.Lock()
 	defer cb.mu.Unlock()
 	switch cb.state {
 	case CircuitClosed:
 		return true
 	case CircuitOpen:
 		// Check if cooldown has elapsed
 		if time.Since(cb.lastFailure) >= cb.cooldown {
 			cb.state = CircuitHalfOpen
 			return true
 		}
 		return false
 	case CircuitHalfOpen:
 		// Only one probe at a time — reject additional attempts while
 		// a probe is in flight. The probe goroutine will call
 		// RecordSuccess or RecordFailure to resolve the state.
 		return false
 	default:
 		return true
 	}
 }
 // CooldownRemaining returns how much time is left before an open circuit
 // transitions to half-open. Returns zero if the circuit is not open or
 // the cooldown has already elapsed.
 func (cb *CircuitBreaker) CooldownRemaining() time.Duration {
 	cb.mu.Lock()
 	defer cb.mu.Unlock()
 	if cb.state != CircuitOpen {
 		return 0
 	}
 	remaining := cb.cooldown - time.Since(cb.lastFailure)
 	if remaining < 0 {
 		return 0
 	}
 	return remaining
 }
 // RecordSuccess records a successful delivery and resets the circuit
 // breaker to closed state with zero failures.
 func (cb *CircuitBreaker) RecordSuccess() {
 	cb.mu.Lock()
 	defer cb.mu.Unlock()
 	cb.failures = 0
 	cb.state = CircuitClosed
 }
 // RecordFailure records a failed delivery. If the failure count reaches
 // the threshold, the circuit trips open.
 func (cb *CircuitBreaker) RecordFailure() {
 	cb.mu.Lock()
 	defer cb.mu.Unlock()
 	cb.failures++
 	cb.lastFailure = time.Now()
 	switch cb.state {
 	case CircuitClosed:
 		if cb.failures >= cb.threshold {
 			cb.state = CircuitOpen
 		}
 	case CircuitHalfOpen:
 		// Probe failed — reopen immediately
 		cb.state = CircuitOpen
 	}
 }
 // State returns the current circuit state. Safe for concurrent use.
 func (cb *CircuitBreaker) State() CircuitState {
 	cb.mu.Lock()
 	defer cb.mu.Unlock()
 	return cb.state
 }
 // String returns the human-readable name of a circuit state.
 func (s CircuitState) String() string {
 	switch s {
 	case CircuitClosed:
 		return "closed"
 	case CircuitOpen:
 		return "open"
 	case CircuitHalfOpen:
 		return "half-open"
 	default:
 		return "unknown"
 	}
 }
--- a/internal/delivery/circuit_breaker_test.go
+++ b/internal/delivery/circuit_breaker_test.go
@@ -0,0 +1,243 @@
 package delivery
 import (
 	"sync"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 func TestCircuitBreaker_ClosedState_AllowsDeliveries(t *testing.T) {
 	t.Parallel()
 	cb := NewCircuitBreaker()
 	assert.Equal(t, CircuitClosed, cb.State())
 	assert.True(t, cb.Allow(), "closed circuit should allow deliveries")
 	// Multiple calls should all succeed
 	for i := 0; i < 10; i++ {
 		assert.True(t, cb.Allow())
 	}
 }
 func TestCircuitBreaker_FailureCounting(t *testing.T) {
 	t.Parallel()
 	cb := NewCircuitBreaker()
 	// Record failures below threshold — circuit should stay closed
 	for i := 0; i < defaultFailureThreshold-1; i++ {
 		cb.RecordFailure()
 		assert.Equal(t, CircuitClosed, cb.State(),
 			"circuit should remain closed after %d failures", i+1)
 		assert.True(t, cb.Allow(), "should still allow after %d failures", i+1)
 	}
 }
 func TestCircuitBreaker_OpenTransition(t *testing.T) {
 	t.Parallel()
 	cb := NewCircuitBreaker()
 	// Record exactly threshold failures
 	for i := 0; i < defaultFailureThreshold; i++ {
 		cb.RecordFailure()
 	}
 	assert.Equal(t, CircuitOpen, cb.State(), "circuit should be open after threshold failures")
 	assert.False(t, cb.Allow(), "open circuit should reject deliveries")
 }
 func TestCircuitBreaker_Cooldown_StaysOpen(t *testing.T) {
 	t.Parallel()
 	// Use a circuit with a known short cooldown for testing
 	cb := &CircuitBreaker{
 		state:     CircuitClosed,
 		threshold: defaultFailureThreshold,
 		cooldown:  200 * time.Millisecond,
 	}
 	// Trip the circuit open
 	for i := 0; i < defaultFailureThreshold; i++ {
 		cb.RecordFailure()
 	}
 	require.Equal(t, CircuitOpen, cb.State())
 	// During cooldown, Allow should return false
 	assert.False(t, cb.Allow(), "should be blocked during cooldown")
 	// CooldownRemaining should be positive
 	remaining := cb.CooldownRemaining()
 	assert.Greater(t, remaining, time.Duration(0), "cooldown should have remaining time")
 }
 func TestCircuitBreaker_HalfOpen_AfterCooldown(t *testing.T) {
 	t.Parallel()
 	cb := &CircuitBreaker{
 		state:     CircuitClosed,
 		threshold: defaultFailureThreshold,
 		cooldown:  50 * time.Millisecond,
 	}
 	// Trip the circuit open
 	for i := 0; i < defaultFailureThreshold; i++ {
 		cb.RecordFailure()
 	}
 	require.Equal(t, CircuitOpen, cb.State())
 	// Wait for cooldown to expire
 	time.Sleep(60 * time.Millisecond)
 	// CooldownRemaining should be zero after cooldown
 	assert.Equal(t, time.Duration(0), cb.CooldownRemaining())
 	// First Allow after cooldown should succeed (probe)
 	assert.True(t, cb.Allow(), "should allow one probe after cooldown")
 	assert.Equal(t, CircuitHalfOpen, cb.State(), "should be half-open after probe allowed")
 	// Second Allow should be rejected (only one probe at a time)
 	assert.False(t, cb.Allow(), "should reject additional probes while half-open")
 }
 func TestCircuitBreaker_ProbeSuccess_ClosesCircuit(t *testing.T) {
 	t.Parallel()
 	cb := &CircuitBreaker{
 		state:     CircuitClosed,
 		threshold: defaultFailureThreshold,
 		cooldown:  50 * time.Millisecond,
 	}
 	// Trip open → wait for cooldown → allow probe
 	for i := 0; i < defaultFailureThreshold; i++ {
 		cb.RecordFailure()
 	}
 	time.Sleep(60 * time.Millisecond)
 	require.True(t, cb.Allow()) // probe allowed, state → half-open
 	// Probe succeeds → circuit should close
 	cb.RecordSuccess()
 	assert.Equal(t, CircuitClosed, cb.State(), "successful probe should close circuit")
 	// Should allow deliveries again
 	assert.True(t, cb.Allow(), "closed circuit should allow deliveries")
 }
 func TestCircuitBreaker_ProbeFailure_ReopensCircuit(t *testing.T) {
 	t.Parallel()
 	cb := &CircuitBreaker{
 		state:     CircuitClosed,
 		threshold: defaultFailureThreshold,
 		cooldown:  50 * time.Millisecond,
 	}
 	// Trip open → wait for cooldown → allow probe
 	for i := 0; i < defaultFailureThreshold; i++ {
 		cb.RecordFailure()
 	}
 	time.Sleep(60 * time.Millisecond)
 	require.True(t, cb.Allow()) // probe allowed, state → half-open
 	// Probe fails → circuit should reopen
 	cb.RecordFailure()
 	assert.Equal(t, CircuitOpen, cb.State(), "failed probe should reopen circuit")
 	assert.False(t, cb.Allow(), "reopened circuit should reject deliveries")
 }
 func TestCircuitBreaker_SuccessResetsFailures(t *testing.T) {
 	t.Parallel()
 	cb := NewCircuitBreaker()
 	// Accumulate failures just below threshold
 	for i := 0; i < defaultFailureThreshold-1; i++ {
 		cb.RecordFailure()
 	}
 	require.Equal(t, CircuitClosed, cb.State())
 	// Success should reset the failure counter
 	cb.RecordSuccess()
 	assert.Equal(t, CircuitClosed, cb.State())
 	// Now we should need another full threshold of failures to trip
 	for i := 0; i < defaultFailureThreshold-1; i++ {
 		cb.RecordFailure()
 	}
 	assert.Equal(t, CircuitClosed, cb.State(),
 		"circuit should still be closed — success reset the counter")
 	// One more failure should trip it
 	cb.RecordFailure()
 	assert.Equal(t, CircuitOpen, cb.State())
 }
 func TestCircuitBreaker_ConcurrentAccess(t *testing.T) {
 	t.Parallel()
 	cb := NewCircuitBreaker()
 	const goroutines = 100
 	var wg sync.WaitGroup
 	wg.Add(goroutines * 3)
 	// Concurrent Allow calls
 	for i := 0; i < goroutines; i++ {
 		go func() {
 			defer wg.Done()
 			cb.Allow()
 		}()
 	}
 	// Concurrent RecordFailure calls
 	for i := 0; i < goroutines; i++ {
 		go func() {
 			defer wg.Done()
 			cb.RecordFailure()
 		}()
 	}
 	// Concurrent RecordSuccess calls
 	for i := 0; i < goroutines; i++ {
 		go func() {
 			defer wg.Done()
 			cb.RecordSuccess()
 		}()
 	}
 	wg.Wait()
 	// No panic or data race — the test passes if -race doesn't flag anything.
 	// State should be one of the valid states.
 	state := cb.State()
 	assert.Contains(t, []CircuitState{CircuitClosed, CircuitOpen, CircuitHalfOpen}, state,
 		"state should be valid after concurrent access")
 }
 func TestCircuitBreaker_CooldownRemaining_ClosedReturnsZero(t *testing.T) {
 	t.Parallel()
 	cb := NewCircuitBreaker()
 	assert.Equal(t, time.Duration(0), cb.CooldownRemaining(),
 		"closed circuit should have zero cooldown remaining")
 }
 func TestCircuitBreaker_CooldownRemaining_HalfOpenReturnsZero(t *testing.T) {
 	t.Parallel()
 	cb := &CircuitBreaker{
 		state:     CircuitClosed,
 		threshold: defaultFailureThreshold,
 		cooldown:  50 * time.Millisecond,
 	}
 	// Trip open, wait, transition to half-open
 	for i := 0; i < defaultFailureThreshold; i++ {
 		cb.RecordFailure()
 	}
 	time.Sleep(60 * time.Millisecond)
 	require.True(t, cb.Allow()) // → half-open
 	assert.Equal(t, time.Duration(0), cb.CooldownRemaining(),
 		"half-open circuit should have zero cooldown remaining")
 }
 func TestCircuitState_String(t *testing.T) {
 	t.Parallel()
 	assert.Equal(t, "closed", CircuitClosed.String())
 	assert.Equal(t, "open", CircuitOpen.String())
 	assert.Equal(t, "half-open", CircuitHalfOpen.String())
 	assert.Equal(t, "unknown", CircuitState(99).String())
 }
--- a/internal/delivery/engine.go
+++ b/internal/delivery/engine.go
--- a/internal/delivery/engine_test.go
+++ b/internal/delivery/engine_test.go
@@ -0,0 +1,936 @@
 package delivery
 import (
 	"context"
 	"database/sql"
 	"encoding/json"
 	"fmt"
 	"log/slog"
 	"net/http"
 	"net/http/httptest"
 	"os"
 	"path/filepath"
 	"strings"
 	"sync"
 	"sync/atomic"
 	"testing"
 	"time"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"gorm.io/driver/sqlite"
 	"gorm.io/gorm"
 	_ "modernc.org/sqlite"
 	"sneak.berlin/go/webhooker/internal/database"
 )
 // testWebhookDB creates a real SQLite per-webhook database in a temp dir
 // and runs the event-tier migrations (Event, Delivery, DeliveryResult).
 func testWebhookDB(t *testing.T) *gorm.DB {
 	t.Helper()
 	dbPath := filepath.Join(t.TempDir(), "events-test.db")
 	dsn := fmt.Sprintf("file:%s?cache=shared&mode=rwc", dbPath)
 	sqlDB, err := sql.Open("sqlite", dsn)
 	require.NoError(t, err)
 	t.Cleanup(func() { sqlDB.Close() })
 	db, err := gorm.Open(sqlite.Dialector{Conn: sqlDB}, &gorm.Config{})
 	require.NoError(t, err)
 	require.NoError(t, db.AutoMigrate(
 		&database.Event{},
 		&database.Delivery{},
 		&database.DeliveryResult{},
 	))
 	return db
 }
 // testEngine builds an Engine with custom settings for testing. It does
 // NOT call start() — callers control lifecycle for deterministic tests.
 func testEngine(t *testing.T, workers int) *Engine {
 	t.Helper()
 	return &Engine{
 		log:        slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelDebug})),
 		client:     &http.Client{Timeout: 5 * time.Second},
 		deliveryCh: make(chan DeliveryTask, deliveryChannelSize),
 		retryCh:    make(chan DeliveryTask, retryChannelSize),
 		workers:    workers,
 	}
 }
 // newHTTPTargetConfig returns a JSON config for an HTTP target
 // pointing at the given URL.
 func newHTTPTargetConfig(url string) string {
 	cfg := HTTPTargetConfig{URL: url}
 	data, err := json.Marshal(cfg)
 	if err != nil {
 		panic("failed to marshal HTTPTargetConfig: " + err.Error())
 	}
 	return string(data)
 }
 // seedEvent inserts an event into the per-webhook DB and returns it.
 func seedEvent(t *testing.T, db *gorm.DB, body string) database.Event {
 	t.Helper()
 	event := database.Event{
 		WebhookID:    uuid.New().String(),
 		EntrypointID: uuid.New().String(),
 		Method:       "POST",
 		Headers:      `{"Content-Type":["application/json"]}`,
 		Body:         body,
 		ContentType:  "application/json",
 	}
 	require.NoError(t, db.Create(&event).Error)
 	return event
 }
 // seedDelivery inserts a delivery for an event + target and returns it.
 func seedDelivery(t *testing.T, db *gorm.DB, eventID, targetID string, status database.DeliveryStatus) database.Delivery {
 	t.Helper()
 	d := database.Delivery{
 		EventID:  eventID,
 		TargetID: targetID,
 		Status:   status,
 	}
 	require.NoError(t, db.Create(&d).Error)
 	return d
 }
 // --- Tests ---
 func TestNotify_NonBlocking(t *testing.T) {
 	t.Parallel()
 	e := testEngine(t, 1)
 	// Fill the delivery channel to capacity
 	for i := 0; i < deliveryChannelSize; i++ {
 		e.deliveryCh <- DeliveryTask{DeliveryID: fmt.Sprintf("fill-%d", i)}
 	}
 	// Notify should NOT block even though channel is full
 	done := make(chan struct{})
 	go func() {
 		e.Notify([]DeliveryTask{
 			{DeliveryID: "overflow-1"},
 			{DeliveryID: "overflow-2"},
 		})
 		close(done)
 	}()
 	select {
 	case <-done:
 		// success: Notify returned without blocking
 	case <-time.After(2 * time.Second):
 		t.Fatal("Notify blocked when delivery channel was full")
 	}
 }
 func TestDeliverHTTP_Success(t *testing.T) {
 	t.Parallel()
 	db := testWebhookDB(t)
 	var received atomic.Bool
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		received.Store(true)
 		w.WriteHeader(http.StatusOK)
 		fmt.Fprint(w, `{"ok":true}`)
 	}))
 	defer ts.Close()
 	e := testEngine(t, 1)
 	targetID := uuid.New().String()
 	event := seedEvent(t, db, `{"hello":"world"}`)
 	delivery := seedDelivery(t, db, event.ID, targetID, database.DeliveryStatusPending)
 	task := &DeliveryTask{
 		DeliveryID:   delivery.ID,
 		EventID:      event.ID,
 		WebhookID:    event.WebhookID,
 		TargetID:     targetID,
 		TargetName:   "test-http",
 		TargetType:   database.TargetTypeHTTP,
 		TargetConfig: newHTTPTargetConfig(ts.URL),
 		MaxRetries:   0,
 		AttemptNum:   1,
 	}
 	d := &database.Delivery{
 		EventID:  event.ID,
 		TargetID: targetID,
 		Status:   database.DeliveryStatusPending,
 		Event:    event,
 		Target: database.Target{
 			Name:   "test-http",
 			Type:   database.TargetTypeHTTP,
 			Config: newHTTPTargetConfig(ts.URL),
 		},
 	}
 	d.ID = delivery.ID
 	e.deliverHTTP(context.TODO(), db, d, task)
 	assert.True(t, received.Load(), "HTTP target should have received request")
 	// Check DB: delivery should be delivered
 	var updated database.Delivery
 	require.NoError(t, db.First(&updated, "id = ?", delivery.ID).Error)
 	assert.Equal(t, database.DeliveryStatusDelivered, updated.Status)
 	// Check that a result was recorded
 	var result database.DeliveryResult
 	require.NoError(t, db.Where("delivery_id = ?", delivery.ID).First(&result).Error)
 	assert.True(t, result.Success)
 	assert.Equal(t, http.StatusOK, result.StatusCode)
 }
 func TestDeliverHTTP_Failure(t *testing.T) {
 	t.Parallel()
 	db := testWebhookDB(t)
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(http.StatusInternalServerError)
 		fmt.Fprint(w, "internal error")
 	}))
 	defer ts.Close()
 	e := testEngine(t, 1)
 	targetID := uuid.New().String()
 	event := seedEvent(t, db, `{"test":true}`)
 	delivery := seedDelivery(t, db, event.ID, targetID, database.DeliveryStatusPending)
 	task := &DeliveryTask{
 		DeliveryID:   delivery.ID,
 		EventID:      event.ID,
 		WebhookID:    event.WebhookID,
 		TargetID:     targetID,
 		TargetName:   "test-http-fail",
 		TargetType:   database.TargetTypeHTTP,
 		TargetConfig: newHTTPTargetConfig(ts.URL),
 		MaxRetries:   0,
 		AttemptNum:   1,
 	}
 	d := &database.Delivery{
 		EventID:  event.ID,
 		TargetID: targetID,
 		Status:   database.DeliveryStatusPending,
 		Event:    event,
 		Target: database.Target{
 			Name:   "test-http-fail",
 			Type:   database.TargetTypeHTTP,
 			Config: newHTTPTargetConfig(ts.URL),
 		},
 	}
 	d.ID = delivery.ID
 	e.deliverHTTP(context.TODO(), db, d, task)
 	// HTTP (fire-and-forget) marks as failed on non-2xx
 	var updated database.Delivery
 	require.NoError(t, db.First(&updated, "id = ?", delivery.ID).Error)
 	assert.Equal(t, database.DeliveryStatusFailed, updated.Status)
 	var result database.DeliveryResult
 	require.NoError(t, db.Where("delivery_id = ?", delivery.ID).First(&result).Error)
 	assert.False(t, result.Success)
 	assert.Equal(t, http.StatusInternalServerError, result.StatusCode)
 }
 func TestDeliverDatabase_ImmediateSuccess(t *testing.T) {
 	t.Parallel()
 	db := testWebhookDB(t)
 	e := testEngine(t, 1)
 	event := seedEvent(t, db, `{"db":"target"}`)
 	delivery := seedDelivery(t, db, event.ID, uuid.New().String(), database.DeliveryStatusPending)
 	d := &database.Delivery{
 		EventID:  event.ID,
 		TargetID: delivery.TargetID,
 		Status:   database.DeliveryStatusPending,
 		Event:    event,
 		Target: database.Target{
 			Name: "test-db",
 			Type: database.TargetTypeDatabase,
 		},
 	}
 	d.ID = delivery.ID
 	e.deliverDatabase(db, d)
 	var updated database.Delivery
 	require.NoError(t, db.First(&updated, "id = ?", delivery.ID).Error)
 	assert.Equal(t, database.DeliveryStatusDelivered, updated.Status,
 		"database target should immediately succeed")
 	var result database.DeliveryResult
 	require.NoError(t, db.Where("delivery_id = ?", delivery.ID).First(&result).Error)
 	assert.True(t, result.Success)
 	assert.Equal(t, 0, result.StatusCode, "database target should not have an HTTP status code")
 }
 func TestDeliverLog_ImmediateSuccess(t *testing.T) {
 	t.Parallel()
 	db := testWebhookDB(t)
 	e := testEngine(t, 1)
 	event := seedEvent(t, db, `{"log":"target"}`)
 	delivery := seedDelivery(t, db, event.ID, uuid.New().String(), database.DeliveryStatusPending)
 	d := &database.Delivery{
 		EventID:  event.ID,
 		TargetID: delivery.TargetID,
 		Status:   database.DeliveryStatusPending,
 		Event:    event,
 		Target: database.Target{
 			Name: "test-log",
 			Type: database.TargetTypeLog,
 		},
 	}
 	d.ID = delivery.ID
 	e.deliverLog(db, d)
 	var updated database.Delivery
 	require.NoError(t, db.First(&updated, "id = ?", delivery.ID).Error)
 	assert.Equal(t, database.DeliveryStatusDelivered, updated.Status,
 		"log target should immediately succeed")
 	var result database.DeliveryResult
 	require.NoError(t, db.Where("delivery_id = ?", delivery.ID).First(&result).Error)
 	assert.True(t, result.Success)
 }
 func TestDeliverHTTP_WithRetries_Success(t *testing.T) {
 	t.Parallel()
 	db := testWebhookDB(t)
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 	defer ts.Close()
 	e := testEngine(t, 1)
 	targetID := uuid.New().String()
 	event := seedEvent(t, db, `{"retry":"ok"}`)
 	delivery := seedDelivery(t, db, event.ID, targetID, database.DeliveryStatusPending)
 	task := &DeliveryTask{
 		DeliveryID:   delivery.ID,
 		EventID:      event.ID,
 		WebhookID:    event.WebhookID,
 		TargetID:     targetID,
 		TargetName:   "test-http-retry",
 		TargetType:   database.TargetTypeHTTP,
 		TargetConfig: newHTTPTargetConfig(ts.URL),
 		MaxRetries:   5,
 		AttemptNum:   1,
 	}
 	d := &database.Delivery{
 		EventID:  event.ID,
 		TargetID: targetID,
 		Status:   database.DeliveryStatusPending,
 		Event:    event,
 		Target: database.Target{
 			Name:       "test-http-retry",
 			Type:       database.TargetTypeHTTP,
 			Config:     newHTTPTargetConfig(ts.URL),
 			MaxRetries: 5,
 		},
 	}
 	d.ID = delivery.ID
 	d.Target.ID = targetID
 	e.deliverHTTP(context.TODO(), db, d, task)
 	var updated database.Delivery
 	require.NoError(t, db.First(&updated, "id = ?", delivery.ID).Error)
 	assert.Equal(t, database.DeliveryStatusDelivered, updated.Status)
 	// Circuit breaker should have recorded success
 	cb := e.getCircuitBreaker(targetID)
 	assert.Equal(t, CircuitClosed, cb.State())
 }
 func TestDeliverHTTP_MaxRetriesExhausted(t *testing.T) {
 	t.Parallel()
 	db := testWebhookDB(t)
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(http.StatusBadGateway)
 	}))
 	defer ts.Close()
 	e := testEngine(t, 1)
 	targetID := uuid.New().String()
 	event := seedEvent(t, db, `{"retry":"exhaust"}`)
 	delivery := seedDelivery(t, db, event.ID, targetID, database.DeliveryStatusRetrying)
 	maxRetries := 3
 	task := &DeliveryTask{
 		DeliveryID:   delivery.ID,
 		EventID:      event.ID,
 		WebhookID:    event.WebhookID,
 		TargetID:     targetID,
 		TargetName:   "test-http-exhaust",
 		TargetType:   database.TargetTypeHTTP,
 		TargetConfig: newHTTPTargetConfig(ts.URL),
 		MaxRetries:   maxRetries,
 		AttemptNum:   maxRetries, // final attempt
 	}
 	d := &database.Delivery{
 		EventID:  event.ID,
 		TargetID: targetID,
 		Status:   database.DeliveryStatusRetrying,
 		Event:    event,
 		Target: database.Target{
 			Name:       "test-http-exhaust",
 			Type:       database.TargetTypeHTTP,
 			Config:     newHTTPTargetConfig(ts.URL),
 			MaxRetries: maxRetries,
 		},
 	}
 	d.ID = delivery.ID
 	d.Target.ID = targetID
 	e.deliverHTTP(context.TODO(), db, d, task)
 	// After max retries exhausted, delivery should be failed
 	var updated database.Delivery
 	require.NoError(t, db.First(&updated, "id = ?", delivery.ID).Error)
 	assert.Equal(t, database.DeliveryStatusFailed, updated.Status,
 		"delivery should be failed after max retries exhausted")
 }
 func TestDeliverHTTP_SchedulesRetryOnFailure(t *testing.T) {
 	t.Parallel()
 	db := testWebhookDB(t)
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(http.StatusServiceUnavailable)
 	}))
 	defer ts.Close()
 	e := testEngine(t, 1)
 	targetID := uuid.New().String()
 	event := seedEvent(t, db, `{"retry":"schedule"}`)
 	delivery := seedDelivery(t, db, event.ID, targetID, database.DeliveryStatusPending)
 	task := &DeliveryTask{
 		DeliveryID:   delivery.ID,
 		EventID:      event.ID,
 		WebhookID:    event.WebhookID,
 		TargetID:     targetID,
 		TargetName:   "test-http-schedule",
 		TargetType:   database.TargetTypeHTTP,
 		TargetConfig: newHTTPTargetConfig(ts.URL),
 		MaxRetries:   5,
 		AttemptNum:   1,
 	}
 	d := &database.Delivery{
 		EventID:  event.ID,
 		TargetID: targetID,
 		Status:   database.DeliveryStatusPending,
 		Event:    event,
 		Target: database.Target{
 			Name:       "test-http-schedule",
 			Type:       database.TargetTypeHTTP,
 			Config:     newHTTPTargetConfig(ts.URL),
 			MaxRetries: 5,
 		},
 	}
 	d.ID = delivery.ID
 	d.Target.ID = targetID
 	e.deliverHTTP(context.TODO(), db, d, task)
 	// Delivery should be in retrying status (not failed — retries remain)
 	var updated database.Delivery
 	require.NoError(t, db.First(&updated, "id = ?", delivery.ID).Error)
 	assert.Equal(t, database.DeliveryStatusRetrying, updated.Status,
 		"delivery should be retrying when retries remain")
 	// The timer should fire a task into the retry channel. Wait briefly
 	// for the timer (backoff for attempt 1 is 1s, but we're just verifying
 	// the status was set correctly and a result was recorded).
 	var result database.DeliveryResult
 	require.NoError(t, db.Where("delivery_id = ?", delivery.ID).First(&result).Error)
 	assert.False(t, result.Success)
 	assert.Equal(t, 1, result.AttemptNum)
 }
 func TestExponentialBackoff_Durations(t *testing.T) {
 	t.Parallel()
 	// The engine uses: backoff = 2^(attemptNum-1) seconds
 	// attempt 1 → shift=0 → 1s
 	// attempt 2 → shift=1 → 2s
 	// attempt 3 → shift=2 → 4s
 	// attempt 4 → shift=3 → 8s
 	// attempt 5 → shift=4 → 16s
 	expected := []time.Duration{
 		1 * time.Second,
 		2 * time.Second,
 		4 * time.Second,
 		8 * time.Second,
 		16 * time.Second,
 	}
 	for attemptNum := 1; attemptNum <= 5; attemptNum++ {
 		shift := attemptNum - 1
 		if shift > 30 {
 			shift = 30
 		}
 		backoff := time.Duration(1<<uint(shift)) * time.Second //nolint:gosec // bounded above
 		assert.Equal(t, expected[attemptNum-1], backoff,
 			"backoff for attempt %d should be %v", attemptNum, expected[attemptNum-1])
 	}
 }
 func TestExponentialBackoff_CappedAt30(t *testing.T) {
 	t.Parallel()
 	// Verify shift is capped at 30 to avoid overflow
 	attemptNum := 50
 	shift := attemptNum - 1
 	if shift > 30 {
 		shift = 30
 	}
 	backoff := time.Duration(1<<uint(shift)) * time.Second //nolint:gosec // bounded above
 	assert.Equal(t, time.Duration(1<<30)*time.Second, backoff,
 		"backoff shift should be capped at 30")
 }
 func TestBodyPointer_SmallBodyInline(t *testing.T) {
 	t.Parallel()
 	// Body under MaxInlineBodySize should be included inline
 	smallBody := `{"small": true}`
 	assert.Less(t, len(smallBody), MaxInlineBodySize)
 	var bodyPtr *string
 	if len(smallBody) < MaxInlineBodySize {
 		bodyPtr = &smallBody
 	}
 	require.NotNil(t, bodyPtr, "small body should be inline (non-nil)")
 	assert.Equal(t, smallBody, *bodyPtr)
 }
 func TestBodyPointer_LargeBodyNil(t *testing.T) {
 	t.Parallel()
 	// Body at or above MaxInlineBodySize should be nil
 	largeBody := strings.Repeat("x", MaxInlineBodySize)
 	assert.GreaterOrEqual(t, len(largeBody), MaxInlineBodySize)
 	var bodyPtr *string
 	if len(largeBody) < MaxInlineBodySize {
 		bodyPtr = &largeBody
 	}
 	assert.Nil(t, bodyPtr, "large body (≥16KB) should be nil")
 }
 func TestBodyPointer_ExactBoundary(t *testing.T) {
 	t.Parallel()
 	// Body of exactly MaxInlineBodySize should be nil (the check is <, not <=)
 	exactBody := strings.Repeat("y", MaxInlineBodySize)
 	assert.Equal(t, MaxInlineBodySize, len(exactBody))
 	var bodyPtr *string
 	if len(exactBody) < MaxInlineBodySize {
 		bodyPtr = &exactBody
 	}
 	assert.Nil(t, bodyPtr, "body at exactly MaxInlineBodySize should be nil")
 }
 func TestWorkerPool_BoundedConcurrency(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping concurrency test in short mode")
 	}
 	t.Parallel()
 	const numWorkers = 3
 	db := testWebhookDB(t)
 	// Track concurrent tasks
 	var (
 		mu         sync.Mutex
 		concurrent int
 		maxSeen    int
 	)
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		mu.Lock()
 		concurrent++
 		if concurrent > maxSeen {
 			maxSeen = concurrent
 		}
 		mu.Unlock()
 		time.Sleep(100 * time.Millisecond) // simulate slow target
 		mu.Lock()
 		concurrent--
 		mu.Unlock()
 		w.WriteHeader(http.StatusOK)
 	}))
 	defer ts.Close()
 	e := testEngine(t, numWorkers)
 	// We need a minimal dbManager-like setup. Since processNewTask
 	// needs dbManager, we'll drive workers by sending tasks through
 	// the delivery channel and manually calling deliverHTTP instead.
 	// Instead, let's directly test the worker pool by creating tasks
 	// and processing them through the channel.
 	// Create tasks for more work than workers
 	const numTasks = 10
 	tasks := make([]database.Delivery, numTasks)
 	targetCfg := newHTTPTargetConfig(ts.URL)
 	for i := 0; i < numTasks; i++ {
 		event := seedEvent(t, db, fmt.Sprintf(`{"task":%d}`, i))
 		delivery := seedDelivery(t, db, event.ID, uuid.New().String(), database.DeliveryStatusPending)
 		tasks[i] = database.Delivery{
 			EventID:  event.ID,
 			TargetID: delivery.TargetID,
 			Status:   database.DeliveryStatusPending,
 			Event:    event,
 			Target: database.Target{
 				Name:   fmt.Sprintf("task-%d", i),
 				Type:   database.TargetTypeHTTP,
 				Config: targetCfg,
 			},
 		}
 		tasks[i].ID = delivery.ID
 	}
 	// Build DeliveryTask structs for each delivery (needed by deliverHTTP)
 	deliveryTasks := make([]DeliveryTask, numTasks)
 	for i := 0; i < numTasks; i++ {
 		deliveryTasks[i] = DeliveryTask{
 			DeliveryID:   tasks[i].ID,
 			EventID:      tasks[i].EventID,
 			TargetID:     tasks[i].TargetID,
 			TargetName:   tasks[i].Target.Name,
 			TargetType:   tasks[i].Target.Type,
 			TargetConfig: tasks[i].Target.Config,
 			MaxRetries:   0,
 			AttemptNum:   1,
 		}
 	}
 	// Process all tasks through a bounded pool of goroutines to simulate
 	// the engine's worker pool behavior
 	var wg sync.WaitGroup
 	taskCh := make(chan int, numTasks)
 	for i := 0; i < numTasks; i++ {
 		taskCh <- i
 	}
 	close(taskCh)
 	// Start exactly numWorkers goroutines
 	for w := 0; w < numWorkers; w++ {
 		wg.Add(1)
 		go func() {
 			defer wg.Done()
 			for idx := range taskCh {
 				e.deliverHTTP(context.TODO(), db, &tasks[idx], &deliveryTasks[idx])
 			}
 		}()
 	}
 	wg.Wait()
 	mu.Lock()
 	observedMax := maxSeen
 	mu.Unlock()
 	assert.LessOrEqual(t, observedMax, numWorkers,
 		"should never exceed %d concurrent deliveries, saw %d", numWorkers, observedMax)
 	// All deliveries should be completed
 	for i := 0; i < numTasks; i++ {
 		var d database.Delivery
 		require.NoError(t, db.First(&d, "id = ?", tasks[i].ID).Error)
 		assert.Equal(t, database.DeliveryStatusDelivered, d.Status,
 			"task %d should be delivered", i)
 	}
 }
 func TestDeliverHTTP_CircuitBreakerBlocks(t *testing.T) {
 	t.Parallel()
 	db := testWebhookDB(t)
 	e := testEngine(t, 1)
 	targetID := uuid.New().String()
 	// Pre-trip the circuit breaker for this target
 	cb := e.getCircuitBreaker(targetID)
 	for i := 0; i < defaultFailureThreshold; i++ {
 		cb.RecordFailure()
 	}
 	require.Equal(t, CircuitOpen, cb.State())
 	event := seedEvent(t, db, `{"cb":"blocked"}`)
 	delivery := seedDelivery(t, db, event.ID, targetID, database.DeliveryStatusPending)
 	task := &DeliveryTask{
 		DeliveryID:   delivery.ID,
 		EventID:      event.ID,
 		WebhookID:    event.WebhookID,
 		TargetID:     targetID,
 		TargetName:   "test-cb-block",
 		TargetType:   database.TargetTypeHTTP,
 		TargetConfig: newHTTPTargetConfig("http://will-not-be-called.invalid"),
 		MaxRetries:   5,
 		AttemptNum:   1,
 	}
 	d := &database.Delivery{
 		EventID:  event.ID,
 		TargetID: targetID,
 		Status:   database.DeliveryStatusPending,
 		Event:    event,
 		Target: database.Target{
 			Name:       "test-cb-block",
 			Type:       database.TargetTypeHTTP,
 			Config:     newHTTPTargetConfig("http://will-not-be-called.invalid"),
 			MaxRetries: 5,
 		},
 	}
 	d.ID = delivery.ID
 	d.Target.ID = targetID
 	e.deliverHTTP(context.TODO(), db, d, task)
 	// Delivery should be retrying (circuit open, no attempt made)
 	var updated database.Delivery
 	require.NoError(t, db.First(&updated, "id = ?", delivery.ID).Error)
 	assert.Equal(t, database.DeliveryStatusRetrying, updated.Status,
 		"delivery should be retrying when circuit breaker is open")
 	// No delivery result should have been recorded (no attempt was made)
 	var resultCount int64
 	db.Model(&database.DeliveryResult{}).Where("delivery_id = ?", delivery.ID).Count(&resultCount)
 	assert.Equal(t, int64(0), resultCount,
 		"no delivery result should be recorded when circuit is open")
 }
 func TestGetCircuitBreaker_CreatesOnDemand(t *testing.T) {
 	t.Parallel()
 	e := testEngine(t, 1)
 	targetID := uuid.New().String()
 	cb1 := e.getCircuitBreaker(targetID)
 	require.NotNil(t, cb1)
 	assert.Equal(t, CircuitClosed, cb1.State())
 	// Same target should return the same circuit breaker
 	cb2 := e.getCircuitBreaker(targetID)
 	assert.Same(t, cb1, cb2, "same target ID should return the same circuit breaker")
 	// Different target should return a different circuit breaker
 	otherID := uuid.New().String()
 	cb3 := e.getCircuitBreaker(otherID)
 	assert.NotSame(t, cb1, cb3, "different target ID should return a different circuit breaker")
 }
 func TestParseHTTPConfig_Valid(t *testing.T) {
 	t.Parallel()
 	e := testEngine(t, 1)
 	cfg, err := e.parseHTTPConfig(`{"url":"https://example.com/hook","headers":{"X-Token":"secret"}}`)
 	require.NoError(t, err)
 	assert.Equal(t, "https://example.com/hook", cfg.URL)
 	assert.Equal(t, "secret", cfg.Headers["X-Token"])
 }
 func TestParseHTTPConfig_Empty(t *testing.T) {
 	t.Parallel()
 	e := testEngine(t, 1)
 	_, err := e.parseHTTPConfig("")
 	assert.Error(t, err, "empty config should return error")
 }
 func TestParseHTTPConfig_MissingURL(t *testing.T) {
 	t.Parallel()
 	e := testEngine(t, 1)
 	_, err := e.parseHTTPConfig(`{"headers":{"X-Token":"secret"}}`)
 	assert.Error(t, err, "config without URL should return error")
 }
 func TestScheduleRetry_SendsToRetryChannel(t *testing.T) {
 	t.Parallel()
 	e := testEngine(t, 1)
 	task := DeliveryTask{
 		DeliveryID: uuid.New().String(),
 		EventID:    uuid.New().String(),
 		WebhookID:  uuid.New().String(),
 		TargetID:   uuid.New().String(),
 		AttemptNum: 2,
 	}
 	e.scheduleRetry(task, 10*time.Millisecond)
 	// Wait for the timer to fire
 	select {
 	case received := <-e.retryCh:
 		assert.Equal(t, task.DeliveryID, received.DeliveryID)
 		assert.Equal(t, task.AttemptNum, received.AttemptNum)
 	case <-time.After(2 * time.Second):
 		t.Fatal("retry task was not sent to retry channel within timeout")
 	}
 }
 func TestScheduleRetry_DropsWhenChannelFull(t *testing.T) {
 	t.Parallel()
 	e := &Engine{
 		log:     slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelDebug})),
 		retryCh: make(chan DeliveryTask, 1), // tiny buffer
 	}
 	// Fill the retry channel
 	e.retryCh <- DeliveryTask{DeliveryID: "fill"}
 	task := DeliveryTask{
 		DeliveryID: "overflow",
 		AttemptNum: 2,
 	}
 	// Should not panic or block
 	e.scheduleRetry(task, 0)
 	// Give timer a moment to fire
 	time.Sleep(50 * time.Millisecond)
 	// Only the original task should be in the channel
 	received := <-e.retryCh
 	assert.Equal(t, "fill", received.DeliveryID,
 		"only the original task should be in the channel (overflow was dropped)")
 }
 func TestIsForwardableHeader(t *testing.T) {
 	t.Parallel()
 	// Should forward
 	assert.True(t, isForwardableHeader("X-Custom-Header"))
 	assert.True(t, isForwardableHeader("Authorization"))
 	assert.True(t, isForwardableHeader("Accept"))
 	assert.True(t, isForwardableHeader("X-GitHub-Event"))
 	// Should NOT forward (hop-by-hop)
 	assert.False(t, isForwardableHeader("Host"))
 	assert.False(t, isForwardableHeader("Connection"))
 	assert.False(t, isForwardableHeader("Keep-Alive"))
 	assert.False(t, isForwardableHeader("Transfer-Encoding"))
 	assert.False(t, isForwardableHeader("Content-Length"))
 }
 func TestTruncate(t *testing.T) {
 	t.Parallel()
 	assert.Equal(t, "hello", truncate("hello", 10))
 	assert.Equal(t, "hello", truncate("hello", 5))
 	assert.Equal(t, "hel", truncate("hello", 3))
 	assert.Equal(t, "", truncate("", 5))
 }
 func TestDoHTTPRequest_ForwardsHeaders(t *testing.T) {
 	t.Parallel()
 	var receivedHeaders http.Header
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		receivedHeaders = r.Header.Clone()
 		w.WriteHeader(http.StatusOK)
 	}))
 	defer ts.Close()
 	e := testEngine(t, 1)
 	cfg := &HTTPTargetConfig{
 		URL:     ts.URL,
 		Headers: map[string]string{"X-Target-Auth": "bearer xyz"},
 	}
 	event := &database.Event{
 		Method:      "POST",
 		Headers:     `{"X-Custom":["value1"],"Content-Type":["application/json"]}`,
 		Body:        `{"test":true}`,
 		ContentType: "application/json",
 	}
 	statusCode, _, _, err := e.doHTTPRequest(cfg, event)
 	require.NoError(t, err)
 	assert.Equal(t, http.StatusOK, statusCode)
 	// Check forwarded headers
 	assert.Equal(t, "value1", receivedHeaders.Get("X-Custom"))
 	assert.Equal(t, "bearer xyz", receivedHeaders.Get("X-Target-Auth"))
 	assert.Equal(t, "application/json", receivedHeaders.Get("Content-Type"))
 	assert.Equal(t, "webhooker/1.0", receivedHeaders.Get("User-Agent"))
 }
 func TestProcessDelivery_RoutesToCorrectHandler(t *testing.T) {
 	t.Parallel()
 	db := testWebhookDB(t)
 	e := testEngine(t, 1)
 	tests := []struct {
 		name       string
 		targetType database.TargetType
 		wantStatus database.DeliveryStatus
 	}{
 		{"database target", database.TargetTypeDatabase, database.DeliveryStatusDelivered},
 		{"log target", database.TargetTypeLog, database.DeliveryStatusDelivered},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 			event := seedEvent(t, db, `{"routing":"test"}`)
 			delivery := seedDelivery(t, db, event.ID, uuid.New().String(), database.DeliveryStatusPending)
 			d := &database.Delivery{
 				EventID:  event.ID,
 				TargetID: delivery.TargetID,
 				Status:   database.DeliveryStatusPending,
 				Event:    event,
 				Target: database.Target{
 					Name: "test-" + string(tt.targetType),
 					Type: tt.targetType,
 				},
 			}
 			d.ID = delivery.ID
 			task := &DeliveryTask{
 				DeliveryID: delivery.ID,
 				TargetType: tt.targetType,
 			}
 			e.processDelivery(context.TODO(), db, d, task)
 			var updated database.Delivery
 			require.NoError(t, db.First(&updated, "id = ?", delivery.ID).Error)
 			assert.Equal(t, tt.wantStatus, updated.Status)
 		})
 	}
 }
 func TestMaxInlineBodySize_Constant(t *testing.T) {
 	t.Parallel()
 	// Verify the constant is 16KB as documented
 	assert.Equal(t, 16*1024, MaxInlineBodySize,
 		"MaxInlineBodySize should be 16KB (16384 bytes)")
 }
--- a/internal/handlers/auth.go
+++ b/internal/handlers/auth.go
@@ -21,7 +21,7 @@ func (h *Handlers) HandleLoginPage() http.HandlerFunc {
 			"Error": "",
 		}
-		h.renderTemplate(w, r, []string{"templates/base.html", "templates/login.html"}, data)
+		h.renderTemplate(w, r, "login.html", data)
 	}
 }
@@ -44,7 +44,7 @@ func (h *Handlers) HandleLoginSubmit() http.HandlerFunc {
 				"Error": "Username and password are required",
 			}
 			w.WriteHeader(http.StatusBadRequest)
-			h.renderTemplate(w, r, []string{"templates/base.html", "templates/login.html"}, data)
+			h.renderTemplate(w, r, "login.html", data)
 			return
 		}
@@ -56,7 +56,7 @@ func (h *Handlers) HandleLoginSubmit() http.HandlerFunc {
 				"Error": "Invalid username or password",
 			}
 			w.WriteHeader(http.StatusUnauthorized)
-			h.renderTemplate(w, r, []string{"templates/base.html", "templates/login.html"}, data)
+			h.renderTemplate(w, r, "login.html", data)
 			return
 		}
@@ -74,7 +74,7 @@ func (h *Handlers) HandleLoginSubmit() http.HandlerFunc {
 				"Error": "Invalid username or password",
 			}
 			w.WriteHeader(http.StatusUnauthorized)
-			h.renderTemplate(w, r, []string{"templates/base.html", "templates/login.html"}, data)
+			h.renderTemplate(w, r, "login.html", data)
 			return
 		}
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -9,28 +9,47 @@ import (
 	"go.uber.org/fx"
 	"sneak.berlin/go/webhooker/internal/database"
 	"sneak.berlin/go/webhooker/internal/delivery"
 	"sneak.berlin/go/webhooker/internal/globals"
 	"sneak.berlin/go/webhooker/internal/healthcheck"
 	"sneak.berlin/go/webhooker/internal/logger"
 	"sneak.berlin/go/webhooker/internal/session"
 	"sneak.berlin/go/webhooker/templates"
 )
 // nolint:revive // HandlersParams is a standard fx naming convention
 type HandlersParams struct {
 	fx.In
-	Logger      *logger.Logger
+	Logger       *logger.Logger
-	Globals     *globals.Globals
+	Globals      *globals.Globals
-	Database    *database.Database
+	Database     *database.Database
-	Healthcheck *healthcheck.Healthcheck
+	WebhookDBMgr *database.WebhookDBManager
-	Session     *session.Session
+	Healthcheck  *healthcheck.Healthcheck
 	Session      *session.Session
 	Notifier     delivery.Notifier
 }
 type Handlers struct {
-	params  *HandlersParams
+	params    *HandlersParams
-	log     *slog.Logger
+	log       *slog.Logger
-	hc      *healthcheck.Healthcheck
+	hc        *healthcheck.Healthcheck
-	db      *database.Database
+	db        *database.Database
-	session *session.Session
+	dbMgr     *database.WebhookDBManager
 	session   *session.Session
 	notifier  delivery.Notifier
 	templates map[string]*template.Template
 }
 // parsePageTemplate parses a page-specific template set from the embedded FS.
 // Each page template is combined with the shared base, htmlheader, and navbar templates.
 // The page file must be listed first so that its root action ({{template "base" .}})
 // becomes the template set's entry point. If a shared partial (e.g. htmlheader.html)
 // is listed first, its {{define}} block becomes the root — which is empty — and
 // Execute() produces no output.
 func parsePageTemplate(pageFile string) *template.Template {
 	return template.Must(
 		template.ParseFS(templates.Templates, pageFile, "base.html", "htmlheader.html", "navbar.html"),
 	)
 }
 func New(lc fx.Lifecycle, params HandlersParams) (*Handlers, error) {
@@ -39,10 +58,24 @@ func New(lc fx.Lifecycle, params HandlersParams) (*Handlers, error) {
 	s.log = params.Logger.Get()
 	s.hc = params.Healthcheck
 	s.db = params.Database
 	s.dbMgr = params.WebhookDBMgr
 	s.session = params.Session
 	s.notifier = params.Notifier
 	// Parse all page templates once at startup
 	s.templates = map[string]*template.Template{
 		"index.html":         parsePageTemplate("index.html"),
 		"login.html":         parsePageTemplate("login.html"),
 		"profile.html":       parsePageTemplate("profile.html"),
 		"sources_list.html":  parsePageTemplate("sources_list.html"),
 		"sources_new.html":   parsePageTemplate("sources_new.html"),
 		"source_detail.html": parsePageTemplate("source_detail.html"),
 		"source_edit.html":   parsePageTemplate("source_edit.html"),
 		"source_logs.html":   parsePageTemplate("source_logs.html"),
 	}
 	lc.Append(fx.Hook{
 		OnStart: func(ctx context.Context) error {
 			// FIXME compile some templates here or something
 			return nil
 		},
 	})
@@ -66,30 +99,17 @@ func (s *Handlers) decodeJSON(w http.ResponseWriter, r *http.Request, v interfac
 	return json.NewDecoder(r.Body).Decode(v)
 }
 // TemplateData represents the common data passed to templates
 type TemplateData struct {
 	User      *UserInfo
 	Version   string
 	UserCount int64
 	Uptime    string
 }
 // UserInfo represents user information for templates
 type UserInfo struct {
 	ID       string
 	Username string
 }
-// renderTemplate renders a template with common data
+// renderTemplate renders a pre-parsed template with common data
-func (s *Handlers) renderTemplate(w http.ResponseWriter, r *http.Request, templateFiles []string, data interface{}) {
+func (s *Handlers) renderTemplate(w http.ResponseWriter, r *http.Request, pageTemplate string, data interface{}) {
-	// Always include the common templates
+	tmpl, ok := s.templates[pageTemplate]
-	allTemplates := []string{"templates/htmlheader.html", "templates/navbar.html"}
+	if !ok {
-	allTemplates = append(allTemplates, templateFiles...)
+		s.log.Error("template not found", "template", pageTemplate)
 	// Parse templates
 	tmpl, err := template.ParseFiles(allTemplates...)
 	if err != nil {
 		s.log.Error("failed to parse template", "error", err)
 		http.Error(w, "Internal server error", http.StatusInternalServerError)
 		return
 	}
@@ -108,6 +128,16 @@ func (s *Handlers) renderTemplate(w http.ResponseWriter, r *http.Request, templa
 		}
 	}
 	// If data is a map, merge user info into it
 	if m, ok := data.(map[string]interface{}); ok {
 		m["User"] = userInfo
 		if err := tmpl.Execute(w, m); err != nil {
 			s.log.Error("failed to execute template", "error", err)
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 		}
 		return
 	}
 	// Wrap data with base template data
 	type templateDataWrapper struct {
 		User *UserInfo
@@ -119,17 +149,6 @@ func (s *Handlers) renderTemplate(w http.ResponseWriter, r *http.Request, templa
 		Data: data,
 	}
 	// If data is a map, merge user info into it
 	if m, ok := data.(map[string]interface{}); ok {
 		m["User"] = userInfo
 		if err := tmpl.Execute(w, m); err != nil {
 			s.log.Error("failed to execute template", "error", err)
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 		}
 		return
 	}
 	// Otherwise use wrapper
 	if err := tmpl.Execute(w, wrapper); err != nil {
 		s.log.Error("failed to execute template", "error", err)
 		http.Error(w, "Internal server error", http.StatusInternalServerError)
--- a/internal/handlers/handlers_test.go
+++ b/internal/handlers/handlers_test.go
@@ -12,12 +12,18 @@ import (
 	"go.uber.org/fx/fxtest"
 	"sneak.berlin/go/webhooker/internal/config"
 	"sneak.berlin/go/webhooker/internal/database"
 	"sneak.berlin/go/webhooker/internal/delivery"
 	"sneak.berlin/go/webhooker/internal/globals"
 	"sneak.berlin/go/webhooker/internal/healthcheck"
 	"sneak.berlin/go/webhooker/internal/logger"
 	"sneak.berlin/go/webhooker/internal/session"
 )
 // noopNotifier is a no-op delivery.Notifier for tests.
 type noopNotifier struct{}
 func (n *noopNotifier) Notify([]delivery.DeliveryTask) {}
 func TestHandleIndex(t *testing.T) {
 	var h *Handlers
@@ -28,17 +34,14 @@ func TestHandleIndex(t *testing.T) {
 			logger.New,
 			func() *config.Config {
 				return &config.Config{
-					// This is a base64 encoded 32-byte key: "test-session-key-32-bytes-long!!"
+					DataDir: t.TempDir(),
 					SessionKey: "dGVzdC1zZXNzaW9uLWtleS0zMi1ieXRlcy1sb25nISE=",
 				}
 			},
-			func() *database.Database {
+			database.New,
-				// Mock database with a mock DB method
+			database.NewWebhookDBManager,
 				db := &database.Database{}
 				return db
 			},
 			healthcheck.New,
 			session.New,
 			func() delivery.Notifier { return &noopNotifier{} },
 			New,
 		),
 		fx.Populate(&h),
@@ -62,16 +65,14 @@ func TestRenderTemplate(t *testing.T) {
 			logger.New,
 			func() *config.Config {
 				return &config.Config{
-					// This is a base64 encoded 32-byte key: "test-session-key-32-bytes-long!!"
+					DataDir: t.TempDir(),
 					SessionKey: "dGVzdC1zZXNzaW9uLWtleS0zMi1ieXRlcy1sb25nISE=",
 				}
 			},
-			func() *database.Database {
+			database.New,
-				// Mock database
+			database.NewWebhookDBManager,
 				return &database.Database{}
 			},
 			healthcheck.New,
 			session.New,
 			func() delivery.Notifier { return &noopNotifier{} },
 			New,
 		),
 		fx.Populate(&h),
@@ -87,10 +88,11 @@ func TestRenderTemplate(t *testing.T) {
 			"Version": "1.0.0",
 		}
-		// When templates don't exist, renderTemplate should return an error
+		// When a non-existent template name is requested, renderTemplate
-		h.renderTemplate(w, req, []string{"nonexistent.html"}, data)
+		// should return an internal server error
 		h.renderTemplate(w, req, "nonexistent.html", data)
-		// Should return internal server error when template parsing fails
+		// Should return internal server error when template is not found
 		assert.Equal(t, http.StatusInternalServerError, w.Code)
 	})
 }
--- a/internal/handlers/index.go
+++ b/internal/handlers/index.go
@@ -8,11 +8,6 @@ import (
 	"sneak.berlin/go/webhooker/internal/database"
 )
 type IndexResponse struct {
 	Message string `json:"message"`
 	Version string `json:"version"`
 }
 func (s *Handlers) HandleIndex() http.HandlerFunc {
 	// Calculate server start time
 	startTime := time.Now()
@@ -34,7 +29,7 @@ func (s *Handlers) HandleIndex() http.HandlerFunc {
 		}
 		// Render the template
-		s.renderTemplate(w, req, []string{"templates/base.html", "templates/index.html"}, data)
+		s.renderTemplate(w, req, "index.html", data)
 	}
 }
--- a/internal/handlers/profile.go
+++ b/internal/handlers/profile.go
@@ -54,6 +54,6 @@ func (h *Handlers) HandleProfile() http.HandlerFunc {
 		}
 		// Render the profile page
-		h.renderTemplate(w, r, []string{"templates/base.html", "templates/profile.html"}, data)
+		h.renderTemplate(w, r, "profile.html", data)
 	}
 }
--- a/internal/handlers/source_management.go
+++ b/internal/handlers/source_management.go
@@ -1,69 +1,721 @@
 package handlers
 import (
 	"encoding/json"
 	"net/http"
 	"strconv"
 	"github.com/go-chi/chi"
 	"github.com/google/uuid"
 	"sneak.berlin/go/webhooker/internal/database"
 )
-// HandleSourceList shows a list of user's webhook sources
+// WebhookListItem holds data for the webhook list view.
 type WebhookListItem struct {
 	database.Webhook
 	EntrypointCount int64
 	TargetCount     int64
 	EventCount      int64
 }
 // HandleSourceList shows a list of user's webhooks.
 func (h *Handlers) HandleSourceList() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		// TODO: Implement source list page
+		userID, ok := h.getUserID(r)
-		http.Error(w, "Not implemented", http.StatusNotImplemented)
+		if !ok {
 			http.Redirect(w, r, "/pages/login", http.StatusSeeOther)
 			return
 		}
 		var webhooks []database.Webhook
 		if err := h.db.DB().Where("user_id = ?", userID).Order("created_at DESC").Find(&webhooks).Error; err != nil {
 			h.log.Error("failed to list webhooks", "error", err)
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}
 		// Build list items with counts
 		items := make([]WebhookListItem, len(webhooks))
 		for i := range webhooks {
 			items[i].Webhook = webhooks[i]
 			h.db.DB().Model(&database.Entrypoint{}).Where("webhook_id = ?", webhooks[i].ID).Count(&items[i].EntrypointCount)
 			h.db.DB().Model(&database.Target{}).Where("webhook_id = ?", webhooks[i].ID).Count(&items[i].TargetCount)
 			// Event count comes from per-webhook DB
 			if h.dbMgr.DBExists(webhooks[i].ID) {
 				if webhookDB, err := h.dbMgr.GetDB(webhooks[i].ID); err == nil {
 					webhookDB.Model(&database.Event{}).Count(&items[i].EventCount)
 				}
 			}
 		}
 		data := map[string]interface{}{
 			"Webhooks": items,
 		}
 		h.renderTemplate(w, r, "sources_list.html", data)
 	}
 }
-// HandleSourceCreate shows the form to create a new webhook source
+// HandleSourceCreate shows the form to create a new webhook.
 func (h *Handlers) HandleSourceCreate() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		// TODO: Implement source creation form
+		data := map[string]interface{}{
-		http.Error(w, "Not implemented", http.StatusNotImplemented)
+			"Error": "",
 		}
 		h.renderTemplate(w, r, "sources_new.html", data)
 	}
 }
-// HandleSourceCreateSubmit handles the source creation form submission
+// HandleSourceCreateSubmit handles the webhook creation form submission.
 func (h *Handlers) HandleSourceCreateSubmit() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		// TODO: Implement source creation logic
+		userID, ok := h.getUserID(r)
-		http.Error(w, "Not implemented", http.StatusNotImplemented)
+		if !ok {
 			http.Redirect(w, r, "/pages/login", http.StatusSeeOther)
 			return
 		}
 		if err := r.ParseForm(); err != nil {
 			http.Error(w, "Bad request", http.StatusBadRequest)
 			return
 		}
 		name := r.FormValue("name")
 		description := r.FormValue("description")
 		retentionStr := r.FormValue("retention_days")
 		if name == "" {
 			data := map[string]interface{}{
 				"Error": "Name is required",
 			}
 			w.WriteHeader(http.StatusBadRequest)
 			h.renderTemplate(w, r, "sources_new.html", data)
 			return
 		}
 		retentionDays := 30
 		if retentionStr != "" {
 			if v, err := strconv.Atoi(retentionStr); err == nil && v > 0 {
 				retentionDays = v
 			}
 		}
 		tx := h.db.DB().Begin()
 		if tx.Error != nil {
 			h.log.Error("failed to begin transaction", "error", tx.Error)
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}
 		webhook := &database.Webhook{
 			UserID:        userID,
 			Name:          name,
 			Description:   description,
 			RetentionDays: retentionDays,
 		}
 		if err := tx.Create(webhook).Error; err != nil {
 			tx.Rollback()
 			h.log.Error("failed to create webhook", "error", err)
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}
 		// Auto-create one entrypoint
 		entrypoint := &database.Entrypoint{
 			WebhookID:   webhook.ID,
 			Path:        uuid.New().String(),
 			Description: "Default entrypoint",
 			Active:      true,
 		}
 		if err := tx.Create(entrypoint).Error; err != nil {
 			tx.Rollback()
 			h.log.Error("failed to create entrypoint", "error", err)
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}
 		if err := tx.Commit().Error; err != nil {
 			h.log.Error("failed to commit transaction", "error", err)
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}
 		// Create per-webhook event database
 		if err := h.dbMgr.CreateDB(webhook.ID); err != nil {
 			h.log.Error("failed to create webhook event database",
 				"webhook_id", webhook.ID,
 				"error", err,
 			)
 			// Non-fatal: the DB will be created lazily on first event
 		}
 		h.log.Info("webhook created",
 			"webhook_id", webhook.ID,
 			"name", name,
 			"user_id", userID,
 		)
 		http.Redirect(w, r, "/source/"+webhook.ID, http.StatusSeeOther)
 	}
 }
-// HandleSourceDetail shows details for a specific webhook source
+// HandleSourceDetail shows details for a specific webhook.
 func (h *Handlers) HandleSourceDetail() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		// TODO: Implement source detail page
+		userID, ok := h.getUserID(r)
-		http.Error(w, "Not implemented", http.StatusNotImplemented)
+		if !ok {
 			http.Redirect(w, r, "/pages/login", http.StatusSeeOther)
 			return
 		}
 		sourceID := chi.URLParam(r, "sourceID")
 		var webhook database.Webhook
 		if err := h.db.DB().Where("id = ? AND user_id = ?", sourceID, userID).First(&webhook).Error; err != nil {
 			http.NotFound(w, r)
 			return
 		}
 		var entrypoints []database.Entrypoint
 		h.db.DB().Where("webhook_id = ?", webhook.ID).Find(&entrypoints)
 		var targets []database.Target
 		h.db.DB().Where("webhook_id = ?", webhook.ID).Find(&targets)
 		// Recent events from per-webhook database
 		var events []database.Event
 		if h.dbMgr.DBExists(webhook.ID) {
 			if webhookDB, err := h.dbMgr.GetDB(webhook.ID); err == nil {
 				webhookDB.Where("webhook_id = ?", webhook.ID).Order("created_at DESC").Limit(20).Find(&events)
 			}
 		}
 		// Build host URL for display
 		host := r.Host
 		scheme := "https"
 		if r.TLS == nil {
 			scheme = "http"
 		}
 		// Check X-Forwarded headers
 		if fwdProto := r.Header.Get("X-Forwarded-Proto"); fwdProto != "" {
 			scheme = fwdProto
 		}
 		data := map[string]interface{}{
 			"Webhook":     webhook,
 			"Entrypoints": entrypoints,
 			"Targets":     targets,
 			"Events":      events,
 			"BaseURL":     scheme + "://" + host,
 		}
 		h.renderTemplate(w, r, "source_detail.html", data)
 	}
 }
-// HandleSourceEdit shows the form to edit a webhook source
+// HandleSourceEdit shows the form to edit a webhook.
 func (h *Handlers) HandleSourceEdit() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		// TODO: Implement source edit form
+		userID, ok := h.getUserID(r)
-		http.Error(w, "Not implemented", http.StatusNotImplemented)
+		if !ok {
 			http.Redirect(w, r, "/pages/login", http.StatusSeeOther)
 			return
 		}
 		sourceID := chi.URLParam(r, "sourceID")
 		var webhook database.Webhook
 		if err := h.db.DB().Where("id = ? AND user_id = ?", sourceID, userID).First(&webhook).Error; err != nil {
 			http.NotFound(w, r)
 			return
 		}
 		data := map[string]interface{}{
 			"Webhook": webhook,
 			"Error":   "",
 		}
 		h.renderTemplate(w, r, "source_edit.html", data)
 	}
 }
-// HandleSourceEditSubmit handles the source edit form submission
+// HandleSourceEditSubmit handles the webhook edit form submission.
 func (h *Handlers) HandleSourceEditSubmit() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		// TODO: Implement source update logic
+		userID, ok := h.getUserID(r)
-		http.Error(w, "Not implemented", http.StatusNotImplemented)
+		if !ok {
 			http.Redirect(w, r, "/pages/login", http.StatusSeeOther)
 			return
 		}
 		sourceID := chi.URLParam(r, "sourceID")
 		var webhook database.Webhook
 		if err := h.db.DB().Where("id = ? AND user_id = ?", sourceID, userID).First(&webhook).Error; err != nil {
 			http.NotFound(w, r)
 			return
 		}
 		if err := r.ParseForm(); err != nil {
 			http.Error(w, "Bad request", http.StatusBadRequest)
 			return
 		}
 		name := r.FormValue("name")
 		if name == "" {
 			data := map[string]interface{}{
 				"Webhook": webhook,
 				"Error":   "Name is required",
 			}
 			w.WriteHeader(http.StatusBadRequest)
 			h.renderTemplate(w, r, "source_edit.html", data)
 			return
 		}
 		webhook.Name = name
 		webhook.Description = r.FormValue("description")
 		if retStr := r.FormValue("retention_days"); retStr != "" {
 			if v, err := strconv.Atoi(retStr); err == nil && v > 0 {
 				webhook.RetentionDays = v
 			}
 		}
 		if err := h.db.DB().Save(&webhook).Error; err != nil {
 			h.log.Error("failed to update webhook", "error", err)
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}
 		http.Redirect(w, r, "/source/"+webhook.ID, http.StatusSeeOther)
 	}
 }
-// HandleSourceDelete handles webhook source deletion
+// HandleSourceDelete handles webhook deletion.
 // Configuration data is soft-deleted in the main DB.
 // The per-webhook event database file is hard-deleted (permanently removed).
 func (h *Handlers) HandleSourceDelete() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		// TODO: Implement source deletion logic
+		userID, ok := h.getUserID(r)
-		http.Error(w, "Not implemented", http.StatusNotImplemented)
+		if !ok {
 			http.Redirect(w, r, "/pages/login", http.StatusSeeOther)
 			return
 		}
 		sourceID := chi.URLParam(r, "sourceID")
 		var webhook database.Webhook
 		if err := h.db.DB().Where("id = ? AND user_id = ?", sourceID, userID).First(&webhook).Error; err != nil {
 			http.NotFound(w, r)
 			return
 		}
 		// Soft-delete configuration in the main application database
 		tx := h.db.DB().Begin()
 		if tx.Error != nil {
 			h.log.Error("failed to begin transaction", "error", tx.Error)
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}
 		// Soft-delete entrypoints and targets (config tier)
 		tx.Where("webhook_id = ?", webhook.ID).Delete(&database.Entrypoint{})
 		tx.Where("webhook_id = ?", webhook.ID).Delete(&database.Target{})
 		tx.Delete(&webhook)
 		if err := tx.Commit().Error; err != nil {
 			h.log.Error("failed to commit deletion", "error", err)
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}
 		// Hard-delete the per-webhook event database file
 		if err := h.dbMgr.DeleteDB(webhook.ID); err != nil {
 			h.log.Error("failed to delete webhook event database",
 				"webhook_id", webhook.ID,
 				"error", err,
 			)
 			// Non-fatal: file may not exist if no events were ever received
 		}
 		h.log.Info("webhook deleted", "webhook_id", webhook.ID, "user_id", userID)
 		http.Redirect(w, r, "/sources", http.StatusSeeOther)
 	}
 }
-// HandleSourceLogs shows the request/response logs for a webhook source
+// HandleSourceLogs shows the request/response logs for a webhook.
 // Events and deliveries are read from the per-webhook database.
 // Target information is loaded from the main application database.
 func (h *Handlers) HandleSourceLogs() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		// TODO: Implement source logs page
+		userID, ok := h.getUserID(r)
-		http.Error(w, "Not implemented", http.StatusNotImplemented)
+		if !ok {
 			http.Redirect(w, r, "/pages/login", http.StatusSeeOther)
 			return
 		}
 		sourceID := chi.URLParam(r, "sourceID")
 		var webhook database.Webhook
 		if err := h.db.DB().Where("id = ? AND user_id = ?", sourceID, userID).First(&webhook).Error; err != nil {
 			http.NotFound(w, r)
 			return
 		}
 		// Load targets from main DB for display
 		var targets []database.Target
 		h.db.DB().Where("webhook_id = ?", webhook.ID).Find(&targets)
 		targetMap := make(map[string]database.Target, len(targets))
 		for _, t := range targets {
 			targetMap[t.ID] = t
 		}
 		// Pagination
 		page := 1
 		if p := r.URL.Query().Get("page"); p != "" {
 			if v, err := strconv.Atoi(p); err == nil && v > 0 {
 				page = v
 			}
 		}
 		perPage := 25
 		offset := (page - 1) * perPage
 		// EventWithDeliveries holds an event with its associated deliveries
 		type EventWithDeliveries struct {
 			database.Event
 			Deliveries []database.Delivery
 		}
 		var totalEvents int64
 		var eventsWithDeliveries []EventWithDeliveries
 		// Read events and deliveries from per-webhook database
 		if h.dbMgr.DBExists(webhook.ID) {
 			webhookDB, err := h.dbMgr.GetDB(webhook.ID)
 			if err != nil {
 				h.log.Error("failed to get webhook database",
 					"webhook_id", webhook.ID,
 					"error", err,
 				)
 				http.Error(w, "Internal server error", http.StatusInternalServerError)
 				return
 			}
 			webhookDB.Model(&database.Event{}).Where("webhook_id = ?", webhook.ID).Count(&totalEvents)
 			var events []database.Event
 			webhookDB.Where("webhook_id = ?", webhook.ID).
 				Order("created_at DESC").
 				Offset(offset).
 				Limit(perPage).
 				Find(&events)
 			eventsWithDeliveries = make([]EventWithDeliveries, len(events))
 			for i := range events {
 				eventsWithDeliveries[i].Event = events[i]
 				// Load deliveries from per-webhook DB (without Target preload)
 				webhookDB.Where("event_id = ?", events[i].ID).Find(&eventsWithDeliveries[i].Deliveries)
 				// Manually assign targets from main DB
 				for j := range eventsWithDeliveries[i].Deliveries {
 					if target, ok := targetMap[eventsWithDeliveries[i].Deliveries[j].TargetID]; ok {
 						eventsWithDeliveries[i].Deliveries[j].Target = target
 					}
 				}
 			}
 		}
 		totalPages := int(totalEvents) / perPage
 		if int(totalEvents)%perPage != 0 {
 			totalPages++
 		}
 		data := map[string]interface{}{
 			"Webhook":     webhook,
 			"Events":      eventsWithDeliveries,
 			"Page":        page,
 			"TotalPages":  totalPages,
 			"TotalEvents": totalEvents,
 			"HasPrev":     page > 1,
 			"HasNext":     page < totalPages,
 			"PrevPage":    page - 1,
 			"NextPage":    page + 1,
 		}
 		h.renderTemplate(w, r, "source_logs.html", data)
 	}
 }
 // HandleEntrypointCreate handles adding a new entrypoint to a webhook.
 func (h *Handlers) HandleEntrypointCreate() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		userID, ok := h.getUserID(r)
 		if !ok {
 			http.Redirect(w, r, "/pages/login", http.StatusSeeOther)
 			return
 		}
 		sourceID := chi.URLParam(r, "sourceID")
 		// Verify ownership
 		var webhook database.Webhook
 		if err := h.db.DB().Where("id = ? AND user_id = ?", sourceID, userID).First(&webhook).Error; err != nil {
 			http.NotFound(w, r)
 			return
 		}
 		if err := r.ParseForm(); err != nil {
 			http.Error(w, "Bad request", http.StatusBadRequest)
 			return
 		}
 		description := r.FormValue("description")
 		entrypoint := &database.Entrypoint{
 			WebhookID:   webhook.ID,
 			Path:        uuid.New().String(),
 			Description: description,
 			Active:      true,
 		}
 		if err := h.db.DB().Create(entrypoint).Error; err != nil {
 			h.log.Error("failed to create entrypoint", "error", err)
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}
 		http.Redirect(w, r, "/source/"+webhook.ID, http.StatusSeeOther)
 	}
 }
 // HandleTargetCreate handles adding a new target to a webhook.
 func (h *Handlers) HandleTargetCreate() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		userID, ok := h.getUserID(r)
 		if !ok {
 			http.Redirect(w, r, "/pages/login", http.StatusSeeOther)
 			return
 		}
 		sourceID := chi.URLParam(r, "sourceID")
 		var webhook database.Webhook
 		if err := h.db.DB().Where("id = ? AND user_id = ?", sourceID, userID).First(&webhook).Error; err != nil {
 			http.NotFound(w, r)
 			return
 		}
 		if err := r.ParseForm(); err != nil {
 			http.Error(w, "Bad request", http.StatusBadRequest)
 			return
 		}
 		name := r.FormValue("name")
 		targetType := database.TargetType(r.FormValue("type"))
 		url := r.FormValue("url")
 		maxRetriesStr := r.FormValue("max_retries")
 		if name == "" {
 			http.Error(w, "Name is required", http.StatusBadRequest)
 			return
 		}
 		// Validate target type
 		switch targetType {
 		case database.TargetTypeHTTP, database.TargetTypeDatabase, database.TargetTypeLog:
 			// valid
 		default:
 			http.Error(w, "Invalid target type", http.StatusBadRequest)
 			return
 		}
 		// Build config JSON for HTTP targets
 		var configJSON string
 		if targetType == database.TargetTypeHTTP {
 			if url == "" {
 				http.Error(w, "URL is required for HTTP targets", http.StatusBadRequest)
 				return
 			}
 			cfg := map[string]interface{}{
 				"url": url,
 			}
 			configBytes, err := json.Marshal(cfg)
 			if err != nil {
 				http.Error(w, "Internal server error", http.StatusInternalServerError)
 				return
 			}
 			configJSON = string(configBytes)
 		}
 		maxRetries := 0 // default: fire-and-forget (no retries)
 		if maxRetriesStr != "" {
 			if v, err := strconv.Atoi(maxRetriesStr); err == nil && v >= 0 {
 				maxRetries = v
 			}
 		}
 		target := &database.Target{
 			WebhookID:  webhook.ID,
 			Name:       name,
 			Type:       targetType,
 			Active:     true,
 			Config:     configJSON,
 			MaxRetries: maxRetries,
 		}
 		if err := h.db.DB().Create(target).Error; err != nil {
 			h.log.Error("failed to create target", "error", err)
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}
 		http.Redirect(w, r, "/source/"+webhook.ID, http.StatusSeeOther)
 	}
 }
 // HandleEntrypointDelete handles deleting an individual entrypoint.
 func (h *Handlers) HandleEntrypointDelete() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		userID, ok := h.getUserID(r)
 		if !ok {
 			http.Redirect(w, r, "/pages/login", http.StatusSeeOther)
 			return
 		}
 		sourceID := chi.URLParam(r, "sourceID")
 		entrypointID := chi.URLParam(r, "entrypointID")
 		// Verify webhook ownership
 		var webhook database.Webhook
 		if err := h.db.DB().Where("id = ? AND user_id = ?", sourceID, userID).First(&webhook).Error; err != nil {
 			http.NotFound(w, r)
 			return
 		}
 		// Delete entrypoint (must belong to this webhook)
 		result := h.db.DB().Where("id = ? AND webhook_id = ?", entrypointID, webhook.ID).Delete(&database.Entrypoint{})
 		if result.Error != nil {
 			h.log.Error("failed to delete entrypoint", "error", result.Error)
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}
 		http.Redirect(w, r, "/source/"+webhook.ID, http.StatusSeeOther)
 	}
 }
 // HandleEntrypointToggle handles toggling the active state of an entrypoint.
 func (h *Handlers) HandleEntrypointToggle() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		userID, ok := h.getUserID(r)
 		if !ok {
 			http.Redirect(w, r, "/pages/login", http.StatusSeeOther)
 			return
 		}
 		sourceID := chi.URLParam(r, "sourceID")
 		entrypointID := chi.URLParam(r, "entrypointID")
 		// Verify webhook ownership
 		var webhook database.Webhook
 		if err := h.db.DB().Where("id = ? AND user_id = ?", sourceID, userID).First(&webhook).Error; err != nil {
 			http.NotFound(w, r)
 			return
 		}
 		// Find the entrypoint
 		var entrypoint database.Entrypoint
 		if err := h.db.DB().Where("id = ? AND webhook_id = ?", entrypointID, webhook.ID).First(&entrypoint).Error; err != nil {
 			http.NotFound(w, r)
 			return
 		}
 		// Toggle active state
 		entrypoint.Active = !entrypoint.Active
 		if err := h.db.DB().Save(&entrypoint).Error; err != nil {
 			h.log.Error("failed to toggle entrypoint", "error", err)
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}
 		http.Redirect(w, r, "/source/"+webhook.ID, http.StatusSeeOther)
 	}
 }
 // HandleTargetDelete handles deleting an individual target.
 func (h *Handlers) HandleTargetDelete() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		userID, ok := h.getUserID(r)
 		if !ok {
 			http.Redirect(w, r, "/pages/login", http.StatusSeeOther)
 			return
 		}
 		sourceID := chi.URLParam(r, "sourceID")
 		targetID := chi.URLParam(r, "targetID")
 		// Verify webhook ownership
 		var webhook database.Webhook
 		if err := h.db.DB().Where("id = ? AND user_id = ?", sourceID, userID).First(&webhook).Error; err != nil {
 			http.NotFound(w, r)
 			return
 		}
 		// Delete target (must belong to this webhook)
 		result := h.db.DB().Where("id = ? AND webhook_id = ?", targetID, webhook.ID).Delete(&database.Target{})
 		if result.Error != nil {
 			h.log.Error("failed to delete target", "error", result.Error)
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}
 		http.Redirect(w, r, "/source/"+webhook.ID, http.StatusSeeOther)
 	}
 }
 // HandleTargetToggle handles toggling the active state of a target.
 func (h *Handlers) HandleTargetToggle() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		userID, ok := h.getUserID(r)
 		if !ok {
 			http.Redirect(w, r, "/pages/login", http.StatusSeeOther)
 			return
 		}
 		sourceID := chi.URLParam(r, "sourceID")
 		targetID := chi.URLParam(r, "targetID")
 		// Verify webhook ownership
 		var webhook database.Webhook
 		if err := h.db.DB().Where("id = ? AND user_id = ?", sourceID, userID).First(&webhook).Error; err != nil {
 			http.NotFound(w, r)
 			return
 		}
 		// Find the target
 		var target database.Target
 		if err := h.db.DB().Where("id = ? AND webhook_id = ?", targetID, webhook.ID).First(&target).Error; err != nil {
 			http.NotFound(w, r)
 			return
 		}
 		// Toggle active state
 		target.Active = !target.Active
 		if err := h.db.DB().Save(&target).Error; err != nil {
 			h.log.Error("failed to toggle target", "error", err)
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}
 		http.Redirect(w, r, "/source/"+webhook.ID, http.StatusSeeOther)
 	}
 }
 // getUserID extracts the user ID from the session.
 func (h *Handlers) getUserID(r *http.Request) (string, bool) {
 	sess, err := h.session.Get(r)
 	if err != nil {
 		return "", false
 	}
 	if !h.session.IsAuthenticated(sess) {
 		return "", false
 	}
 	return h.session.GetUserID(sess)
 }
--- a/internal/handlers/webhook.go
+++ b/internal/handlers/webhook.go
@@ -1,41 +1,190 @@
 package handlers
 import (
 	"encoding/json"
 	"io"
 	"net/http"
 	"github.com/go-chi/chi"
 	"sneak.berlin/go/webhooker/internal/database"
 	"sneak.berlin/go/webhooker/internal/delivery"
 )
-// HandleWebhook handles incoming webhook requests
+const (
 	// maxWebhookBodySize is the maximum allowed webhook request body (1 MB).
 	maxWebhookBodySize = 1 << 20
 )
 // HandleWebhook handles incoming webhook requests at entrypoint URLs.
 // Only POST requests are accepted; all other methods return 405 Method Not Allowed.
 // Events and deliveries are stored in the per-webhook database. The handler
 // builds self-contained DeliveryTask structs with all target and event data
 // so the delivery engine can process them without additional DB reads.
 func (h *Handlers) HandleWebhook() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		// Get webhook UUID from URL
+		if r.Method != http.MethodPost {
-		webhookUUID := chi.URLParam(r, "uuid")
+			w.Header().Set("Allow", "POST")
-		if webhookUUID == "" {
+			http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)
 			return
 		}
 		entrypointUUID := chi.URLParam(r, "uuid")
 		if entrypointUUID == "" {
 			http.NotFound(w, r)
 			return
 		}
 		// Log the incoming webhook request
 		h.log.Info("webhook request received",
-			"uuid", webhookUUID,
+			"entrypoint_uuid", entrypointUUID,
 			"method", r.Method,
 			"remote_addr", r.RemoteAddr,
 			"user_agent", r.UserAgent(),
 		)
-		// Only POST methods are allowed for webhooks
+		// Look up entrypoint by path (from main application DB)
-		if r.Method != http.MethodPost {
+		var entrypoint database.Entrypoint
-			w.Header().Set("Allow", "POST")
+		result := h.db.DB().Where("path = ?", entrypointUUID).First(&entrypoint)
-			http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		if result.Error != nil {
 			h.log.Debug("entrypoint not found", "path", entrypointUUID)
 			http.NotFound(w, r)
 			return
 		}
-		// TODO: Implement webhook handling logic
+		// Check if active
-		// For now, return "unimplemented" for all webhook POST requests
+		if !entrypoint.Active {
-		w.WriteHeader(http.StatusNotFound)
+			http.Error(w, "Gone", http.StatusGone)
-		_, err := w.Write([]byte("unimplemented"))
+			return
 		}
 		// Read body with size limit
 		body, err := io.ReadAll(io.LimitReader(r.Body, maxWebhookBodySize+1))
 		if err != nil {
 			h.log.Error("failed to read request body", "error", err)
 			http.Error(w, "Bad request", http.StatusBadRequest)
 			return
 		}
 		if len(body) > maxWebhookBodySize {
 			http.Error(w, "Request body too large", http.StatusRequestEntityTooLarge)
 			return
 		}
 		// Serialize headers as JSON
 		headersJSON, err := json.Marshal(r.Header)
 		if err != nil {
 			h.log.Error("failed to serialize headers", "error", err)
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}
 		// Find all active targets for this webhook (from main application DB)
 		var targets []database.Target
 		if targetErr := h.db.DB().Where("webhook_id = ? AND active = ?", entrypoint.WebhookID, true).Find(&targets).Error; targetErr != nil {
 			h.log.Error("failed to query targets", "error", targetErr)
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}
 		// Get the per-webhook database for event storage
 		webhookDB, err := h.dbMgr.GetDB(entrypoint.WebhookID)
 		if err != nil {
 			h.log.Error("failed to get webhook database",
 				"webhook_id", entrypoint.WebhookID,
 				"error", err,
 			)
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}
 		// Create the event and deliveries in a transaction on the per-webhook DB
 		tx := webhookDB.Begin()
 		if tx.Error != nil {
 			h.log.Error("failed to begin transaction", "error", tx.Error)
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}
 		event := &database.Event{
 			WebhookID:    entrypoint.WebhookID,
 			EntrypointID: entrypoint.ID,
 			Method:       r.Method,
 			Headers:      string(headersJSON),
 			Body:         string(body),
 			ContentType:  r.Header.Get("Content-Type"),
 		}
 		if err := tx.Create(event).Error; err != nil {
 			tx.Rollback()
 			h.log.Error("failed to create event", "error", err)
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}
 		// Prepare body pointer for inline transport (≤16KB bodies are
 		// included in the DeliveryTask so the engine needs no DB read).
 		var bodyPtr *string
 		if len(body) < delivery.MaxInlineBodySize {
 			bodyStr := string(body)
 			bodyPtr = &bodyStr
 		}
 		// Create delivery records and build self-contained delivery tasks
 		tasks := make([]delivery.DeliveryTask, 0, len(targets))
 		for i := range targets {
 			dlv := &database.Delivery{
 				EventID:  event.ID,
 				TargetID: targets[i].ID,
 				Status:   database.DeliveryStatusPending,
 			}
 			if err := tx.Create(dlv).Error; err != nil {
 				tx.Rollback()
 				h.log.Error("failed to create delivery",
 					"target_id", targets[i].ID,
 					"error", err,
 				)
 				http.Error(w, "Internal server error", http.StatusInternalServerError)
 				return
 			}
 			tasks = append(tasks, delivery.DeliveryTask{
 				DeliveryID:   dlv.ID,
 				EventID:      event.ID,
 				WebhookID:    entrypoint.WebhookID,
 				TargetID:     targets[i].ID,
 				TargetName:   targets[i].Name,
 				TargetType:   targets[i].Type,
 				TargetConfig: targets[i].Config,
 				MaxRetries:   targets[i].MaxRetries,
 				Method:       event.Method,
 				Headers:      event.Headers,
 				ContentType:  event.ContentType,
 				Body:         bodyPtr,
 				AttemptNum:   1,
 			})
 		}
 		if err := tx.Commit().Error; err != nil {
 			h.log.Error("failed to commit transaction", "error", err)
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}
 		// Notify the delivery engine with self-contained delivery tasks.
 		// Each task carries all target config and event data inline so
 		// the engine can deliver without touching any database (in the
 		// ≤16KB happy path). The engine only writes to the DB to record
 		// delivery results after each attempt.
 		if len(tasks) > 0 {
 			h.notifier.Notify(tasks)
 		}
 		h.log.Info("webhook event created",
 			"event_id", event.ID,
 			"webhook_id", entrypoint.WebhookID,
 			"entrypoint_id", entrypoint.ID,
 			"target_count", len(targets),
 		)
 		w.WriteHeader(http.StatusOK)
 		if _, err := w.Write([]byte(`{"status":"ok"}`)); err != nil {
 			h.log.Error("failed to write response", "error", err)
 		}
 	}
--- a/internal/logger/logger.go
+++ b/internal/logger/logger.go
@@ -17,8 +17,9 @@ type LoggerParams struct {
 }
 type Logger struct {
-	logger *slog.Logger
+	logger   *slog.Logger
-	params LoggerParams
+	levelVar *slog.LevelVar
 	params   LoggerParams
 }
 // nolint:revive // lc parameter is required by fx even if unused
@@ -26,24 +27,30 @@ func New(lc fx.Lifecycle, params LoggerParams) (*Logger, error) {
 	l := new(Logger)
 	l.params = params
 	// Use slog.LevelVar for dynamic log level changes
 	l.levelVar = new(slog.LevelVar)
 	l.levelVar.Set(slog.LevelInfo)
 	// Determine if we're running in a terminal
 	tty := false
 	if fileInfo, _ := os.Stdout.Stat(); (fileInfo.Mode() & os.ModeCharDevice) != 0 {
 		tty = true
 	}
 	replaceAttr := func(_ []string, a slog.Attr) slog.Attr { // nolint:revive // groups unused
 		// Always use UTC for timestamps
 		if a.Key == slog.TimeKey {
 			if t, ok := a.Value.Any().(time.Time); ok {
 				return slog.Time(slog.TimeKey, t.UTC())
 			}
 		}
 		return a
 	}
 	var handler slog.Handler
 	opts := &slog.HandlerOptions{
-		Level: slog.LevelInfo,
+		Level:       l.levelVar,
-		ReplaceAttr: func(_ []string, a slog.Attr) slog.Attr { // nolint:revive // groups unused
+		ReplaceAttr: replaceAttr,
 			// Always use UTC for timestamps
 			if a.Key == slog.TimeKey {
 				if t, ok := a.Value.Any().(time.Time); ok {
 					return slog.Time(slog.TimeKey, t.UTC())
 				}
 			}
 			return a
 		},
 	}
 	if tty {
@@ -63,34 +70,7 @@ func New(lc fx.Lifecycle, params LoggerParams) (*Logger, error) {
 }
 func (l *Logger) EnableDebugLogging() {
-	// Recreate logger with debug level
+	l.levelVar.Set(slog.LevelDebug)
 	tty := false
 	if fileInfo, _ := os.Stdout.Stat(); (fileInfo.Mode() & os.ModeCharDevice) != 0 {
 		tty = true
 	}
 	var handler slog.Handler
 	opts := &slog.HandlerOptions{
 		Level: slog.LevelDebug,
 		ReplaceAttr: func(_ []string, a slog.Attr) slog.Attr { // nolint:revive // groups unused
 			// Always use UTC for timestamps
 			if a.Key == slog.TimeKey {
 				if t, ok := a.Value.Any().(time.Time); ok {
 					return slog.Time(slog.TimeKey, t.UTC())
 				}
 			}
 			return a
 		},
 	}
 	if tty {
 		handler = slog.NewTextHandler(os.Stdout, opts)
 	} else {
 		handler = slog.NewJSONHandler(os.Stdout, opts)
 	}
 	l.logger = slog.New(handler)
 	slog.SetDefault(l.logger)
 	l.logger.Debug("debug logging enabled", "debug", true)
 }
--- a/internal/middleware/middleware.go
+++ b/internal/middleware/middleware.go
@@ -16,6 +16,7 @@ import (
 	"sneak.berlin/go/webhooker/internal/config"
 	"sneak.berlin/go/webhooker/internal/globals"
 	"sneak.berlin/go/webhooker/internal/logger"
 	"sneak.berlin/go/webhooker/internal/session"
 )
 // nolint:revive // MiddlewareParams is a standard fx naming convention
@@ -24,17 +25,20 @@ type MiddlewareParams struct {
 	Logger  *logger.Logger
 	Globals *globals.Globals
 	Config  *config.Config
 	Session *session.Session
 }
 type Middleware struct {
-	log    *slog.Logger
+	log     *slog.Logger
-	params *MiddlewareParams
+	params  *MiddlewareParams
 	session *session.Session
 }
 func New(lc fx.Lifecycle, params MiddlewareParams) (*Middleware, error) {
 	s := new(Middleware)
 	s.params = &params
 	s.log = params.Logger.Get()
 	s.session = params.Session
 	return s, nil
 }
@@ -104,25 +108,45 @@ func (s *Middleware) Logging() func(http.Handler) http.Handler {
 }
 func (s *Middleware) CORS() func(http.Handler) http.Handler {
-	return cors.Handler(cors.Options{
+	if s.params.Config.IsDev() {
-		// CHANGEME! these are defaults, change them to suit your needs or
+		// In development, allow any origin for local testing.
-		// read from environment/viper.
+		return cors.Handler(cors.Options{
-		// AllowedOrigins: []string{"https://foo.com"}, // Use this to allow specific origin hosts
+			AllowedOrigins:   []string{"*"},
-		AllowedOrigins: []string{"*"},
+			AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
-		// AllowOriginFunc:  func(r *http.Request, origin string) bool { return true },
+			AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"},
-		AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
+			ExposedHeaders:   []string{"Link"},
-		AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"},
+			AllowCredentials: false,
-		ExposedHeaders:   []string{"Link"},
+			MaxAge:           300,
-		AllowCredentials: false,
+		})
-		MaxAge:           300, // Maximum value not ignored by any of major browsers
+	}
-	})
+	// In production, the web UI is server-rendered so cross-origin
 	// requests are not expected. Return a no-op middleware.
 	return func(next http.Handler) http.Handler {
 		return next
 	}
 }
-func (s *Middleware) Auth() func(http.Handler) http.Handler {
+// RequireAuth returns middleware that checks for a valid session.
 // Unauthenticated users are redirected to the login page.
 func (s *Middleware) RequireAuth() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			// TODO: implement proper authentication
+			sess, err := s.session.Get(r)
-			s.log.Debug("AUTH: before request")
+			if err != nil {
 				s.log.Debug("auth middleware: failed to get session", "error", err)
 				http.Redirect(w, r, "/pages/login", http.StatusSeeOther)
 				return
 			}
 			if !s.session.IsAuthenticated(sess) {
 				s.log.Debug("auth middleware: unauthenticated request",
 					"path", r.URL.Path,
 					"method", r.Method,
 				)
 				http.Redirect(w, r, "/pages/login", http.StatusSeeOther)
 				return
 			}
 			next.ServeHTTP(w, r)
 		})
 	}
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@@ -14,46 +14,29 @@ import (
 func (s *Server) SetupRoutes() {
 	s.router = chi.NewRouter()
-	// the mux .Use() takes a http.Handler wrapper func, like most
+	// Global middleware stack — applied to every request.
 	// things that deal with "middlewares" like alice et c, and will
 	// call ServeHTTP on it.  These middlewares applied by the mux (you
 	// can .Use() more than one) will be applied to every request into
 	// the service.
 	s.router.Use(middleware.Recoverer)
 	s.router.Use(middleware.RequestID)
 	s.router.Use(s.mw.Logging())
-	// add metrics middleware only if we can serve them behind auth
+	// Metrics middleware (only if credentials are configured)
 	if s.params.Config.MetricsUsername != "" {
 		s.router.Use(s.mw.Metrics())
 	}
 	// set up CORS headers
 	s.router.Use(s.mw.CORS())
 	// timeout for request context; your handlers must finish within
 	// this window:
 	s.router.Use(middleware.Timeout(60 * time.Second))
-	// this adds a sentry reporting middleware if and only if sentry is
+	// Sentry error reporting (if SENTRY_DSN is set). Repanic is true
-	// enabled via setting of SENTRY_DSN in env.
+	// so panics still bubble up to the Recoverer middleware above.
 	if s.sentryEnabled {
 		// Options docs at
 		// https://docs.sentry.io/platforms/go/guides/http/
 		// we set sentry to repanic so that all panics bubble up to the
 		// Recoverer chi middleware above.
 		sentryHandler := sentryhttp.New(sentryhttp.Options{
 			Repanic: true,
 		})
 		s.router.Use(sentryHandler.Handle)
 	}
-	////////////////////////////////////////////////////////////////////////
+	// Routes
 	// ROUTES
 	// complete docs: https://github.com/go-chi/chi
 	////////////////////////////////////////////////////////////////////////
 	s.router.Get("/", s.h.HandleIndex())
 	s.router.Mount("/s", http.StripPrefix("/s", http.FileServer(http.FS(static.Static))))
@@ -90,23 +73,31 @@ func (s *Server) SetupRoutes() {
 		r.Get("/", s.h.HandleProfile())
 	})
-	// Webhook source management routes (require authentication)
+	// Webhook management routes (require authentication)
 	s.router.Route("/sources", func(r chi.Router) {
-		// TODO: Add authentication middleware here
+		r.Use(s.mw.RequireAuth())
-		r.Get("/", s.h.HandleSourceList())             // List all sources
+		r.Get("/", s.h.HandleSourceList())             // List all webhooks
 		r.Get("/new", s.h.HandleSourceCreate())        // Show create form
 		r.Post("/new", s.h.HandleSourceCreateSubmit()) // Handle create submission
 	})
 	s.router.Route("/source/{sourceID}", func(r chi.Router) {
-		// TODO: Add authentication middleware here
+		r.Use(s.mw.RequireAuth())
-		r.Get("/", s.h.HandleSourceDetail())          // View source details
+		r.Get("/", s.h.HandleSourceDetail())                                       // View webhook details
-		r.Get("/edit", s.h.HandleSourceEdit())        // Show edit form
+		r.Get("/edit", s.h.HandleSourceEdit())                                     // Show edit form
-		r.Post("/edit", s.h.HandleSourceEditSubmit()) // Handle edit submission
+		r.Post("/edit", s.h.HandleSourceEditSubmit())                              // Handle edit submission
-		r.Post("/delete", s.h.HandleSourceDelete())   // Delete source
+		r.Post("/delete", s.h.HandleSourceDelete())                                // Delete webhook
-		r.Get("/logs", s.h.HandleSourceLogs())        // View source logs
+		r.Get("/logs", s.h.HandleSourceLogs())                                     // View webhook logs
 		r.Post("/entrypoints", s.h.HandleEntrypointCreate())                       // Add entrypoint
 		r.Post("/entrypoints/{entrypointID}/delete", s.h.HandleEntrypointDelete()) // Delete entrypoint
 		r.Post("/entrypoints/{entrypointID}/toggle", s.h.HandleEntrypointToggle()) // Toggle entrypoint active
 		r.Post("/targets", s.h.HandleTargetCreate())                               // Add target
 		r.Post("/targets/{targetID}/delete", s.h.HandleTargetDelete())             // Delete target
 		r.Post("/targets/{targetID}/toggle", s.h.HandleTargetToggle())             // Toggle target active
 	})
-	// Webhook endpoint - accepts all HTTP methods
+	// Entrypoint endpoint — accepts incoming webhook POST requests only.
 	// Using HandleFunc so the handler itself can return 405 for non-POST
 	// methods (chi's Method routing returns 405 without Allow header).
 	s.router.HandleFunc("/webhook/{uuid}", s.h.HandleWebhook())
 }
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -19,19 +19,9 @@ import (
 	"github.com/getsentry/sentry-go"
 	"github.com/go-chi/chi"
 	// spooky action at a distance!
 	// this populates the environment
 	// from a ./.env file automatically
 	// for development configuration.
 	// .env contents should be things like
 	// `DBURL=postgres://user:pass@.../`
 	// (without the backticks, of course)
 	_ "github.com/joho/godotenv/autoload"
 )
-// ServerParams is a standard fx naming convention for dependency injection
+// nolint:revive // ServerParams is a standard fx naming convention
 // nolint:golint
 type ServerParams struct {
 	fx.In
 	Logger     *logger.Logger
@@ -118,7 +108,7 @@ func (s *Server) serve() int {
 		s.log.Info("signal received", "signal", sig.String())
 		if s.cancelFunc != nil {
 			// cancelling the main context will trigger a clean
-			// shutdown.
+			// shutdown via the fx OnStop hook.
 			s.cancelFunc()
 		}
 	}()
@@ -126,13 +116,13 @@ func (s *Server) serve() int {
 	go s.serveUntilShutdown()
 	<-s.ctx.Done()
-	s.cleanShutdown()
+	// Shutdown is handled by the fx OnStop hook (cleanShutdown).
 	// Do not call cleanShutdown() here to avoid a double invocation.
 	return s.exitCode
 }
 func (s *Server) cleanupForExit() {
 	s.log.Info("cleaning up")
 	// TODO: close database connections, flush buffers, etc.
 }
 func (s *Server) cleanShutdown() {
--- a/internal/session/session.go
+++ b/internal/session/session.go
@@ -1,6 +1,7 @@
 package session
 import (
 	"context"
 	"encoding/base64"
 	"fmt"
 	"log/slog"
@@ -9,6 +10,7 @@ import (
 	"github.com/gorilla/sessions"
 	"go.uber.org/fx"
 	"sneak.berlin/go/webhooker/internal/config"
 	"sneak.berlin/go/webhooker/internal/database"
 	"sneak.berlin/go/webhooker/internal/logger"
 )
@@ -29,8 +31,9 @@ const (
 // nolint:revive // SessionParams is a standard fx naming convention
 type SessionParams struct {
 	fx.In
-	Config *config.Config
+	Config   *config.Config
-	Logger *logger.Logger
+	Database *database.Database
 	Logger   *logger.Logger
 }
 // Session manages encrypted session storage
@@ -40,39 +43,48 @@ type Session struct {
 	config *config.Config
 }
-// New creates a new session manager
+// New creates a new session manager. The cookie store is initialized
 // during the fx OnStart phase after the database is connected, using
 // a session key that is auto-generated and stored in the database.
 func New(lc fx.Lifecycle, params SessionParams) (*Session, error) {
 	if params.Config.SessionKey == "" {
 		return nil, fmt.Errorf("SESSION_KEY environment variable is required")
 	}
 	// Decode the base64 session key
 	keyBytes, err := base64.StdEncoding.DecodeString(params.Config.SessionKey)
 	if err != nil {
 		return nil, fmt.Errorf("invalid SESSION_KEY format: %w", err)
 	}
 	if len(keyBytes) != 32 {
 		return nil, fmt.Errorf("SESSION_KEY must be 32 bytes (got %d)", len(keyBytes))
 	}
 	store := sessions.NewCookieStore(keyBytes)
 	// Configure cookie options for security
 	store.Options = &sessions.Options{
 		Path:     "/",
 		MaxAge:   86400 * 7, // 7 days
 		HttpOnly: true,
 		Secure:   !params.Config.IsDev(), // HTTPS in production
 		SameSite: http.SameSiteLaxMode,
 	}
 	s := &Session{
 		store:  store,
 		log:    params.Logger.Get(),
 		config: params.Config,
 	}
 	lc.Append(fx.Hook{
 		OnStart: func(_ context.Context) error { // nolint:revive // ctx unused but required by fx
 			sessionKey, err := params.Database.GetOrCreateSessionKey()
 			if err != nil {
 				return fmt.Errorf("failed to get session key: %w", err)
 			}
 			keyBytes, err := base64.StdEncoding.DecodeString(sessionKey)
 			if err != nil {
 				return fmt.Errorf("invalid session key format: %w", err)
 			}
 			if len(keyBytes) != 32 {
 				return fmt.Errorf("session key must be 32 bytes (got %d)", len(keyBytes))
 			}
 			store := sessions.NewCookieStore(keyBytes)
 			// Configure cookie options for security
 			store.Options = &sessions.Options{
 				Path:     "/",
 				MaxAge:   86400 * 7, // 7 days
 				HttpOnly: true,
 				Secure:   !params.Config.IsDev(), // HTTPS in production
 				SameSite: http.SameSiteLaxMode,
 			}
 			s.store = store
 			s.log.Info("session manager initialized")
 			return nil
 		},
 	})
 	return s, nil
 }
--- a/pkg/config/.gitignore
+++ b/pkg/config/.gitignore
@@ -1 +0,0 @@
--- a/pkg/config/README.md
+++ b/pkg/config/README.md
@@ -1,303 +0,0 @@
 # Configuration Module (Go)
 A simple, clean, and generic configuration management system that supports multiple environments and automatic value resolution. This module is completely standalone and can be used in any Go project.
 ## Features
 - **Simple API**: Just `config.Get()` and `config.GetSecret()`
 - **Type-safe helpers**: `config.GetString()`, `config.GetInt()`, `config.GetBool()`
 - **Environment Support**: Separate configs for different environments (dev/prod/staging/etc)
 - **Value Resolution**: Automatic resolution of special values:
  - `$ENV:VARIABLE` - Read from environment variable
  - `$GSM:secret-name` - Read from Google Secret Manager
  - `$ASM:secret-name` - Read from AWS Secrets Manager
  - `$FILE:/path/to/file` - Read from file contents
 - **Hierarchical Defaults**: Environment-specific values override defaults
 - **YAML-based**: Easy to read and edit configuration files
 - **Thread-safe**: Safe for concurrent use
 - **Testable**: Uses afero filesystem abstraction for easy testing
 - **Minimal Dependencies**: Only requires YAML parser and cloud SDKs (optional)
 ## Installation
 ```bash
 go get git.eeqj.de/sneak/webhooker/pkg/config
 ```
 ## Usage
 ```go
 package main
 import (
    "fmt"
    "git.eeqj.de/sneak/webhooker/pkg/config"
 )
 func main() {
    // Set the environment explicitly
    config.SetEnvironment("prod")
    // Get configuration values
    baseURL := config.GetString("baseURL")
    apiTimeout := config.GetInt("timeout", 30)
    debugMode := config.GetBool("debugMode", false)
    // Get secret values
    apiKey := config.GetSecretString("api_key")
    dbPassword := config.GetSecretString("db_password", "default")
    // Get all values (for debugging)
    allConfig := config.GetAllConfig()
    allSecrets := config.GetAllSecrets()
    // Reload configuration from file
    if err := config.Reload(); err != nil {
        fmt.Printf("Failed to reload config: %v\n", err)
    }
 }
 ```
 ## Configuration File Structure
 Create a `config.yaml` file in your project root:
 ```yaml
 environments:
  dev:
    config:
      baseURL: https://dev.example.com
      debugMode: true
      timeout: 30
    secrets:
      api_key: dev-key-12345
      db_password: $ENV:DEV_DB_PASSWORD
  prod:
    config:
      baseURL: https://prod.example.com
      debugMode: false
      timeout: 10
      GCPProject: my-project-123
      AWSRegion: us-west-2
    secrets:
      api_key: $GSM:prod-api-key
      db_password: $ASM:prod/db/password
 configDefaults:
  app_name: my-app
  timeout: 30
  log_level: INFO
  port: 8080
 ```
 ## How It Works
 1. **Environment Selection**: Call `config.SetEnvironment("prod")` to select which environment to use
 2. **Value Lookup**: When you call `config.Get("key")`:
   - First checks `environments.<env>.config.key`
   - Falls back to `configDefaults.key`
   - Returns the default value if not found
 3. **Secret Lookup**: When you call `config.GetSecret("key")`:
   - Looks in `environments.<env>.secrets.key`
   - Returns the default value if not found
 4. **Value Resolution**: If a value starts with a special prefix:
   - `$ENV:` - Reads from environment variable
   - `$GSM:` - Fetches from Google Secret Manager (requires GCPProject to be set in config)
   - `$ASM:` - Fetches from AWS Secrets Manager (uses AWSRegion from config or defaults to us-east-1)
   - `$FILE:` - Reads from file (supports `~` expansion)
 ## Type-Safe Access
 The module provides type-safe helper functions:
 ```go
 // String values
 baseURL := config.GetString("baseURL", "http://localhost")
 // Integer values
 port := config.GetInt("port", 8080)
 // Boolean values
 debug := config.GetBool("debug", false)
 // Secret string values
 apiKey := config.GetSecretString("api_key", "default-key")
 ```
 ## Local Development
 For local development, you can:
 1. Use environment variables:
   ```yaml
   secrets:
     api_key: $ENV:LOCAL_API_KEY
   ```
 2. Use local files:
   ```yaml
   secrets:
     api_key: $FILE:~/.secrets/api-key.txt
   ```
 3. Create a `config.local.yaml` (gitignored) with literal values for testing
 ## Cloud Provider Support
 ### Google Secret Manager
 To use GSM resolution (`$GSM:` prefix):
 1. Set `GCPProject` in your config
 2. Ensure proper authentication (e.g., `GOOGLE_APPLICATION_CREDENTIALS` environment variable)
 3. The module will automatically initialize the GSM client when needed
 ### AWS Secrets Manager
 To use ASM resolution (`$ASM:` prefix):
 1. Optionally set `AWSRegion` in your config (defaults to us-east-1)
 2. Ensure proper authentication (e.g., AWS credentials in environment or IAM role)
 3. The module will automatically initialize the ASM client when needed
 ## Advanced Usage
 ### Loading from a Specific File
 ```go
 // Load configuration from a specific file
 if err := config.LoadFile("/path/to/config.yaml"); err != nil {
    log.Fatal(err)
 }
 ```
 ### Checking Configuration Values
 ```go
 // Get all configuration for current environment
 allConfig := config.GetAllConfig()
 for key, value := range allConfig {
    fmt.Printf("%s: %v\n", key, value)
 }
 // Get all secrets (be careful with logging!)
 allSecrets := config.GetAllSecrets()
 ```
 ## Testing
 The module uses the [afero](https://github.com/spf13/afero) filesystem abstraction, making it easy to test without real files:
 ```go
 package myapp_test
 import (
    "testing"
    "github.com/spf13/afero"
    "git.eeqj.de/sneak/webhooker/pkg/config"
 )
 func TestMyApp(t *testing.T) {
    // Create an in-memory filesystem for testing
    fs := afero.NewMemMapFs()
    // Write a test config file
    testConfig := `
 environments:
  test:
    config:
      apiURL: http://test.example.com
    secrets:
      apiKey: test-key-123
 `
    afero.WriteFile(fs, "config.yaml", []byte(testConfig), 0644)
    // Use the test filesystem
    config.SetFs(fs)
    config.SetEnvironment("test")
    // Now your tests use the in-memory config
    if url := config.GetString("apiURL"); url != "http://test.example.com" {
        t.Errorf("Expected test URL, got %s", url)
    }
 }
 ```
 ### Unit Testing with Isolated Config
 For unit tests, you can create isolated configuration managers:
 ```go
 func TestMyComponent(t *testing.T) {
    // Create a test-specific manager
    manager := config.NewManager()
    // Use in-memory filesystem
    fs := afero.NewMemMapFs()
    afero.WriteFile(fs, "config.yaml", []byte(testConfig), 0644)
    manager.SetFs(fs)
    // Test with isolated configuration
    manager.SetEnvironment("test")
    value := manager.Get("someKey", "default")
 }
 ```
 ## Error Handling
 - If a config file is not found when using the default loader, an error is returned
 - If a key is not found, the default value is returned
 - If a special value cannot be resolved (e.g., env var not set, file not found), `nil` is returned
 - Cloud provider errors are logged but return `nil` to allow graceful degradation
 ## Thread Safety
 All operations are thread-safe. The module uses read-write mutexes to ensure safe concurrent access to configuration data.
 ## Example Integration
 ```go
 package main
 import (
    "log"
    "os"
    "git.eeqj.de/sneak/webhooker/pkg/config"
 )
 func main() {
    // Read environment from your app-specific env var
    environment := os.Getenv("APP_ENV")
    if environment == "" {
        environment = "dev"
    }
    config.SetEnvironment(environment)
    // Now use configuration throughout your app
    databaseURL := config.GetString("database_url")
    apiKey := config.GetSecretString("api_key")
    log.Printf("Running in %s environment", environment)
    log.Printf("Database URL: %s", databaseURL)
 }
 ```
 ## Migration from Python Version
 The Go version maintains API compatibility with the Python version where possible:
 | Python | Go |
 |--------|-----|
 | `config.get('key')` | `config.Get("key")` or `config.GetString("key")` |
 | `config.getSecret('key')` | `config.GetSecret("key")` or `config.GetSecretString("key")` |
 | `config.set_environment('prod')` | `config.SetEnvironment("prod")` |
 | `config.reload()` | `config.Reload()` |
 | `config.get_all_config()` | `config.GetAllConfig()` |
 | `config.get_all_secrets()` | `config.GetAllSecrets()` |
 ## License
 This module is designed to be standalone and can be extracted into its own repository with your preferred license. 
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -1,180 +0,0 @@
 // Package config provides a simple, clean, and generic configuration management system
 // that supports multiple environments and automatic value resolution.
 //
 // Features:
 //   - Simple API: Just config.Get() and config.GetSecret()
 //   - Environment Support: Separate configs for different environments (dev/prod/staging/etc)
 //   - Value Resolution: Automatic resolution of special values:
 //   - $ENV:VARIABLE - Read from environment variable
 //   - $GSM:secret-name - Read from Google Secret Manager
 //   - $ASM:secret-name - Read from AWS Secrets Manager
 //   - $FILE:/path/to/file - Read from file contents
 //   - Hierarchical Defaults: Environment-specific values override defaults
 //   - YAML-based: Easy to read and edit configuration files
 //   - Zero Dependencies: Only depends on yaml and cloud provider SDKs (optional)
 //
 // Usage:
 //
 //	import "sneak.berlin/go/webhooker/pkg/config"
 //
 //	// Set the environment explicitly
 //	config.SetEnvironment("prod")
 //
 //	// Get configuration values
 //	baseURL := config.Get("baseURL")
 //	apiTimeout := config.GetInt("timeout", 30)
 //
 //	// Get secret values
 //	apiKey := config.GetSecret("api_key")
 //	dbPassword := config.GetSecret("db_password", "default")
 package config
 import (
 	"sync"
 	"github.com/spf13/afero"
 )
 // Global configuration manager instance
 var (
 	globalManager *Manager
 	mu            sync.Mutex // Protect global manager updates
 )
 // getManager returns the global configuration manager, creating it if necessary
 func getManager() *Manager {
 	mu.Lock()
 	defer mu.Unlock()
 	if globalManager == nil {
 		globalManager = NewManager()
 	}
 	return globalManager
 }
 // SetEnvironment sets the active environment.
 func SetEnvironment(environment string) {
 	getManager().SetEnvironment(environment)
 }
 // SetFs sets the filesystem to use for all file operations.
 // This is primarily useful for testing with an in-memory filesystem.
 func SetFs(fs afero.Fs) {
 	mu.Lock()
 	defer mu.Unlock()
 	// Create a new manager with the specified filesystem
 	newManager := NewManager()
 	newManager.SetFs(fs)
 	// Replace the global manager
 	globalManager = newManager
 }
 // Get retrieves a configuration value.
 //
 // This looks for values in the following order:
 //  1. Environment-specific config (environments.<env>.config.<key>)
 //  2. Config defaults (configDefaults.<key>)
 //
 // Values are resolved if they contain special prefixes:
 //   - $ENV:VARIABLE_NAME - reads from environment variable
 //   - $GSM:secret-name - reads from Google Secret Manager
 //   - $ASM:secret-name - reads from AWS Secrets Manager
 //   - $FILE:/path/to/file - reads from file
 func Get(key string, defaultValue ...interface{}) interface{} {
 	var def interface{}
 	if len(defaultValue) > 0 {
 		def = defaultValue[0]
 	}
 	return getManager().Get(key, def)
 }
 // GetString retrieves a configuration value as a string.
 func GetString(key string, defaultValue ...string) string {
 	var def string
 	if len(defaultValue) > 0 {
 		def = defaultValue[0]
 	}
 	val := Get(key, def)
 	if s, ok := val.(string); ok {
 		return s
 	}
 	return def
 }
 // GetInt retrieves a configuration value as an integer.
 func GetInt(key string, defaultValue ...int) int {
 	var def int
 	if len(defaultValue) > 0 {
 		def = defaultValue[0]
 	}
 	val := Get(key, def)
 	switch v := val.(type) {
 	case int:
 		return v
 	case int64:
 		return int(v)
 	case float64:
 		return int(v)
 	default:
 		return def
 	}
 }
 // GetBool retrieves a configuration value as a boolean.
 func GetBool(key string, defaultValue ...bool) bool {
 	var def bool
 	if len(defaultValue) > 0 {
 		def = defaultValue[0]
 	}
 	val := Get(key, def)
 	if b, ok := val.(bool); ok {
 		return b
 	}
 	return def
 }
 // GetSecret retrieves a secret value.
 //
 // This looks for secrets defined in environments.<env>.secrets.<key>
 func GetSecret(key string, defaultValue ...interface{}) interface{} {
 	var def interface{}
 	if len(defaultValue) > 0 {
 		def = defaultValue[0]
 	}
 	return getManager().GetSecret(key, def)
 }
 // GetSecretString retrieves a secret value as a string.
 func GetSecretString(key string, defaultValue ...string) string {
 	var def string
 	if len(defaultValue) > 0 {
 		def = defaultValue[0]
 	}
 	val := GetSecret(key, def)
 	if s, ok := val.(string); ok {
 		return s
 	}
 	return def
 }
 // Reload reloads the configuration from file.
 func Reload() error {
 	return getManager().Reload()
 }
 // GetAllConfig returns all configuration values for the current environment.
 func GetAllConfig() map[string]interface{} {
 	return getManager().GetAllConfig()
 }
 // GetAllSecrets returns all secrets for the current environment.
 func GetAllSecrets() map[string]interface{} {
 	return getManager().GetAllSecrets()
 }
 // LoadFile loads configuration from a specific file.
 func LoadFile(configFile string) error {
 	return getManager().LoadFile(configFile)
 }
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
@@ -1,306 +0,0 @@
 package config
 import (
 	"os"
 	"testing"
 	"github.com/spf13/afero"
 )
 func TestNewManager(t *testing.T) {
 	manager := NewManager()
 	if manager == nil {
 		t.Fatal("NewManager returned nil")
 	}
 	if manager.config == nil {
 		t.Error("Manager config map is nil")
 	}
 	if manager.loader == nil {
 		t.Error("Manager loader is nil")
 	}
 	if manager.resolvedCache == nil {
 		t.Error("Manager resolvedCache is nil")
 	}
 	if manager.fs == nil {
 		t.Error("Manager fs is nil")
 	}
 }
 func TestLoader_FindConfigFile(t *testing.T) {
 	// Create an in-memory filesystem for testing
 	fs := afero.NewMemMapFs()
 	loader := NewLoader(fs)
 	// Create a config file in the filesystem
 	configContent := `
 environments:
  test:
    config:
      testKey: testValue
    secrets:
      testSecret: secretValue
 configDefaults:
  defaultKey: defaultValue
 `
 	// Create the file in the current directory
 	if err := afero.WriteFile(fs, "config.yaml", []byte(configContent), 0644); err != nil {
 		t.Fatalf("Failed to write test config: %v", err)
 	}
 	// Test finding the config file
 	foundPath, err := loader.FindConfigFile("config.yaml")
 	if err != nil {
 		t.Errorf("FindConfigFile failed: %v", err)
 	}
 	// In memory fs, the path should be exactly what we created
 	if foundPath != "config.yaml" {
 		t.Errorf("Expected config.yaml, got %s", foundPath)
 	}
 }
 func TestLoader_LoadYAML(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	loader := NewLoader(fs)
 	// Create a test config file
 	testConfig := `
 environments:
  test:
    config:
      testKey: testValue
 configDefaults:
  defaultKey: defaultValue
 `
 	if err := afero.WriteFile(fs, "test-config.yaml", []byte(testConfig), 0644); err != nil {
 		t.Fatalf("Failed to write test config: %v", err)
 	}
 	// Load the YAML
 	config, err := loader.LoadYAML("test-config.yaml")
 	if err != nil {
 		t.Fatalf("LoadYAML failed: %v", err)
 	}
 	// Verify the structure
 	envs, ok := config["environments"].(map[string]interface{})
 	if !ok {
 		t.Fatal("environments not found or wrong type")
 	}
 	testEnv, ok := envs["test"].(map[string]interface{})
 	if !ok {
 		t.Fatal("test environment not found")
 	}
 	testConfig2, ok := testEnv["config"].(map[string]interface{})
 	if !ok {
 		t.Fatal("test config not found")
 	}
 	if testConfig2["testKey"] != "testValue" {
 		t.Errorf("Expected testKey=testValue, got %v", testConfig2["testKey"])
 	}
 }
 func TestResolver_ResolveEnv(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	resolver := NewResolver("", "", fs)
 	// Set a test environment variable
 	os.Setenv("TEST_CONFIG_VAR", "test-value")
 	defer os.Unsetenv("TEST_CONFIG_VAR")
 	// Test resolving environment variable
 	result := resolver.Resolve("$ENV:TEST_CONFIG_VAR")
 	if result != "test-value" {
 		t.Errorf("Expected 'test-value', got %v", result)
 	}
 	// Test non-existent env var
 	result = resolver.Resolve("$ENV:NON_EXISTENT_VAR")
 	if result != nil {
 		t.Errorf("Expected nil for non-existent env var, got %v", result)
 	}
 }
 func TestResolver_ResolveFile(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	resolver := NewResolver("", "", fs)
 	// Create a test file
 	secretContent := "my-secret-value"
 	if err := afero.WriteFile(fs, "/test-secret.txt", []byte(secretContent+"\n"), 0644); err != nil {
 		t.Fatalf("Failed to write test file: %v", err)
 	}
 	// Test resolving file
 	result := resolver.Resolve("$FILE:/test-secret.txt")
 	if result != secretContent {
 		t.Errorf("Expected '%s', got %v", secretContent, result)
 	}
 	// Test non-existent file
 	result = resolver.Resolve("$FILE:/non/existent/file")
 	if result != nil {
 		t.Errorf("Expected nil for non-existent file, got %v", result)
 	}
 }
 func TestManager_GetAndSet(t *testing.T) {
 	// Create an in-memory filesystem
 	fs := afero.NewMemMapFs()
 	// Create a test config file
 	testConfig := `
 environments:
  dev:
    config:
      apiURL: http://dev.example.com
      timeout: 30
      debug: true
    secrets:
      apiKey: dev-key-123
  prod:
    config:
      apiURL: https://prod.example.com
      timeout: 10
      debug: false
    secrets:
      apiKey: $ENV:PROD_API_KEY
 configDefaults:
  appName: TestApp
  timeout: 20
  port: 8080
 `
 	if err := afero.WriteFile(fs, "config.yaml", []byte(testConfig), 0644); err != nil {
 		t.Fatalf("Failed to write test config: %v", err)
 	}
 	// Create manager and set the filesystem
 	manager := NewManager()
 	manager.SetFs(fs)
 	// Load config should find the file automatically
 	manager.SetEnvironment("dev")
 	// Test getting config values
 	if v := manager.Get("apiURL", ""); v != "http://dev.example.com" {
 		t.Errorf("Expected dev apiURL, got %v", v)
 	}
 	if v := manager.Get("timeout", 0); v != 30 {
 		t.Errorf("Expected timeout=30, got %v", v)
 	}
 	if v := manager.Get("debug", false); v != true {
 		t.Errorf("Expected debug=true, got %v", v)
 	}
 	// Test default values
 	if v := manager.Get("appName", ""); v != "TestApp" {
 		t.Errorf("Expected appName from defaults, got %v", v)
 	}
 	// Test getting secrets
 	if v := manager.GetSecret("apiKey", ""); v != "dev-key-123" {
 		t.Errorf("Expected dev apiKey, got %v", v)
 	}
 	// Switch to prod environment
 	manager.SetEnvironment("prod")
 	if v := manager.Get("apiURL", ""); v != "https://prod.example.com" {
 		t.Errorf("Expected prod apiURL, got %v", v)
 	}
 	// Test environment variable resolution in secrets
 	os.Setenv("PROD_API_KEY", "prod-key-456")
 	defer os.Unsetenv("PROD_API_KEY")
 	if v := manager.GetSecret("apiKey", ""); v != "prod-key-456" {
 		t.Errorf("Expected resolved env var for apiKey, got %v", v)
 	}
 }
 func TestGlobalAPI(t *testing.T) {
 	// Create an in-memory filesystem
 	fs := afero.NewMemMapFs()
 	// Create a test config file
 	testConfig := `
 environments:
  test:
    config:
      stringVal: hello
      intVal: 42
      boolVal: true
    secrets:
      secret1: test-secret
 configDefaults:
  defaultString: world
 `
 	if err := afero.WriteFile(fs, "config.yaml", []byte(testConfig), 0644); err != nil {
 		t.Fatalf("Failed to write test config: %v", err)
 	}
 	// Use the global API with the test filesystem
 	SetFs(fs)
 	SetEnvironment("test")
 	// Test type-safe getters
 	if v := GetString("stringVal"); v != "hello" {
 		t.Errorf("Expected 'hello', got %v", v)
 	}
 	if v := GetInt("intVal"); v != 42 {
 		t.Errorf("Expected 42, got %v", v)
 	}
 	if v := GetBool("boolVal"); v != true {
 		t.Errorf("Expected true, got %v", v)
 	}
 	if v := GetSecretString("secret1"); v != "test-secret" {
 		t.Errorf("Expected 'test-secret', got %v", v)
 	}
 	// Test defaults
 	if v := GetString("defaultString"); v != "world" {
 		t.Errorf("Expected 'world', got %v", v)
 	}
 }
 func TestManager_SetFs(t *testing.T) {
 	// Create manager with default OS filesystem
 	manager := NewManager()
 	// Create an in-memory filesystem
 	memFs := afero.NewMemMapFs()
 	// Write a config file to the memory fs
 	testConfig := `
 environments:
  test:
    config:
      testKey: fromMemory
 configDefaults:
  defaultKey: memoryDefault
 `
 	if err := afero.WriteFile(memFs, "config.yaml", []byte(testConfig), 0644); err != nil {
 		t.Fatalf("Failed to write test config: %v", err)
 	}
 	// Set the filesystem
 	manager.SetFs(memFs)
 	manager.SetEnvironment("test")
 	// Test that it reads from the memory filesystem
 	if v := manager.Get("testKey", ""); v != "fromMemory" {
 		t.Errorf("Expected 'fromMemory', got %v", v)
 	}
 	if v := manager.Get("defaultKey", ""); v != "memoryDefault" {
 		t.Errorf("Expected 'memoryDefault', got %v", v)
 	}
 }
--- a/pkg/config/example_afero_test.go
+++ b/pkg/config/example_afero_test.go
@@ -1,146 +0,0 @@
 package config_test
 import (
 	"fmt"
 	"testing"
 	"github.com/spf13/afero"
 	"sneak.berlin/go/webhooker/pkg/config"
 )
 // ExampleSetFs demonstrates how to use an in-memory filesystem for testing
 func ExampleSetFs() {
 	// Create an in-memory filesystem
 	fs := afero.NewMemMapFs()
 	// Create a test configuration file
 	configYAML := `
 environments:
  test:
    config:
      baseURL: https://test.example.com
      debugMode: true
    secrets:
      apiKey: test-key-12345
  production:
    config:
      baseURL: https://api.example.com
      debugMode: false
 configDefaults:
  appName: Test Application
  timeout: 30
 `
 	// Write the config to the in-memory filesystem
 	if err := afero.WriteFile(fs, "config.yaml", []byte(configYAML), 0644); err != nil {
 		panic(err)
 	}
 	// Use the in-memory filesystem
 	config.SetFs(fs)
 	config.SetEnvironment("test")
 	// Now all config operations use the in-memory filesystem
 	fmt.Printf("Base URL: %s\n", config.GetString("baseURL"))
 	fmt.Printf("Debug Mode: %v\n", config.GetBool("debugMode"))
 	fmt.Printf("App Name: %s\n", config.GetString("appName"))
 	// Output:
 	// Base URL: https://test.example.com
 	// Debug Mode: true
 	// App Name: Test Application
 }
 // TestWithAferoFilesystem shows how to test with different filesystem implementations
 func TestWithAferoFilesystem(t *testing.T) {
 	tests := []struct {
 		name        string
 		setupFs     func() afero.Fs
 		environment string
 		key         string
 		expected    string
 	}{
 		{
 			name: "in-memory filesystem",
 			setupFs: func() afero.Fs {
 				fs := afero.NewMemMapFs()
 				config := `
 environments:
  dev:
    config:
      apiURL: http://localhost:8080
 `
 				afero.WriteFile(fs, "config.yaml", []byte(config), 0644)
 				return fs
 			},
 			environment: "dev",
 			key:         "apiURL",
 			expected:    "http://localhost:8080",
 		},
 		{
 			name: "readonly filesystem",
 			setupFs: func() afero.Fs {
 				memFs := afero.NewMemMapFs()
 				config := `
 environments:
  staging:
    config:
      apiURL: https://staging.example.com
 `
 				afero.WriteFile(memFs, "config.yaml", []byte(config), 0644)
 				// Wrap in a read-only filesystem
 				return afero.NewReadOnlyFs(memFs)
 			},
 			environment: "staging",
 			key:         "apiURL",
 			expected:    "https://staging.example.com",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Create a new manager for each test to ensure isolation
 			manager := config.NewManager()
 			manager.SetFs(tt.setupFs())
 			manager.SetEnvironment(tt.environment)
 			result := manager.Get(tt.key, "")
 			if result != tt.expected {
 				t.Errorf("Expected %s, got %v", tt.expected, result)
 			}
 		})
 	}
 }
 // TestFileResolution shows how $FILE: resolution works with afero
 func TestFileResolution(t *testing.T) {
 	// Create an in-memory filesystem
 	fs := afero.NewMemMapFs()
 	// Create a secret file
 	secretContent := "super-secret-api-key"
 	if err := afero.WriteFile(fs, "/secrets/api-key.txt", []byte(secretContent), 0600); err != nil {
 		t.Fatal(err)
 	}
 	// Create a config that references the file
 	configYAML := `
 environments:
  prod:
    secrets:
      apiKey: $FILE:/secrets/api-key.txt
 `
 	if err := afero.WriteFile(fs, "config.yaml", []byte(configYAML), 0644); err != nil {
 		t.Fatal(err)
 	}
 	// Use the filesystem
 	config.SetFs(fs)
 	config.SetEnvironment("prod")
 	// Get the secret - it should resolve from the file
 	apiKey := config.GetSecretString("apiKey")
 	if apiKey != secretContent {
 		t.Errorf("Expected %s, got %s", secretContent, apiKey)
 	}
 }
--- a/pkg/config/example_test.go
+++ b/pkg/config/example_test.go
@@ -1,139 +0,0 @@
 package config_test
 import (
 	"fmt"
 	"log"
 	"os"
 	"sneak.berlin/go/webhooker/pkg/config"
 )
 func Example() {
 	// Set the environment explicitly
 	config.SetEnvironment("dev")
 	// Get configuration values
 	baseURL := config.GetString("baseURL")
 	timeout := config.GetInt("timeout", 30)
 	debugMode := config.GetBool("debugMode", false)
 	fmt.Printf("Base URL: %s\n", baseURL)
 	fmt.Printf("Timeout: %d\n", timeout)
 	fmt.Printf("Debug Mode: %v\n", debugMode)
 	// Get secret values
 	apiKey := config.GetSecretString("api_key")
 	if apiKey != "" {
 		fmt.Printf("API Key: %s...\n", apiKey[:8])
 	}
 }
 func ExampleSetEnvironment() {
 	// Your application determines which environment to use
 	// This could come from command line args, env vars, etc.
 	environment := os.Getenv("APP_ENV")
 	if environment == "" {
 		environment = "development"
 	}
 	// Set the environment explicitly
 	config.SetEnvironment(environment)
 	// Now use configuration throughout your application
 	fmt.Printf("Environment: %s\n", environment)
 	fmt.Printf("App Name: %s\n", config.GetString("app_name"))
 }
 func ExampleGetString() {
 	config.SetEnvironment("prod")
 	// Get a string configuration value with a default
 	baseURL := config.GetString("baseURL", "http://localhost:8080")
 	fmt.Printf("Base URL: %s\n", baseURL)
 }
 func ExampleGetInt() {
 	config.SetEnvironment("prod")
 	// Get an integer configuration value with a default
 	port := config.GetInt("port", 8080)
 	fmt.Printf("Port: %d\n", port)
 }
 func ExampleGetBool() {
 	config.SetEnvironment("dev")
 	// Get a boolean configuration value with a default
 	debugMode := config.GetBool("debugMode", false)
 	fmt.Printf("Debug Mode: %v\n", debugMode)
 }
 func ExampleGetSecretString() {
 	config.SetEnvironment("prod")
 	// Get a secret string value
 	apiKey := config.GetSecretString("api_key")
 	if apiKey != "" {
 		// Be careful not to log the full secret!
 		fmt.Printf("API Key configured: yes\n")
 	}
 }
 func ExampleLoadFile() {
 	// Load configuration from a specific file
 	if err := config.LoadFile("/path/to/config.yaml"); err != nil {
 		log.Printf("Failed to load config: %v", err)
 		return
 	}
 	config.SetEnvironment("staging")
 	fmt.Printf("Loaded configuration from custom file\n")
 }
 func ExampleReload() {
 	config.SetEnvironment("dev")
 	// Get initial value
 	oldValue := config.GetString("some_key")
 	// ... config file might have been updated ...
 	// Reload configuration from file
 	if err := config.Reload(); err != nil {
 		log.Printf("Failed to reload config: %v", err)
 		return
 	}
 	// Get potentially updated value
 	newValue := config.GetString("some_key")
 	fmt.Printf("Value changed: %v\n", oldValue != newValue)
 }
 // Example config.yaml structure:
 /*
 environments:
  development:
    config:
      baseURL: http://localhost:8000
      debugMode: true
      port: 8000
    secrets:
      api_key: dev-key-12345
  production:
    config:
      baseURL: https://api.example.com
      debugMode: false
      port: 443
      GCPProject: my-project-123
      AWSRegion: us-west-2
    secrets:
      api_key: $GSM:prod-api-key
      db_password: $ASM:prod/db/password
 configDefaults:
  app_name: My Application
  timeout: 30
  log_level: INFO
  port: 8080
 */
--- a/pkg/config/go.mod
+++ b/pkg/config/go.mod
@@ -1,41 +0,0 @@
 module sneak.berlin/go/webhooker/pkg/config
 go 1.23.0
 toolchain go1.24.1
 require (
 	github.com/aws/aws-sdk-go v1.50.0
 	github.com/spf13/afero v1.14.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 require (
 	cloud.google.com/go/compute v1.23.1 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 	cloud.google.com/go/iam v1.1.3 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	golang.org/x/crypto v0.14.0 // indirect
 	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/oauth2 v0.13.0 // indirect
 	golang.org/x/sync v0.12.0 // indirect
 	golang.org/x/sys v0.13.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
 	google.golang.org/api v0.149.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b // indirect
 	google.golang.org/grpc v1.59.0 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 )
 require (
 	cloud.google.com/go/secretmanager v1.11.4
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 )
--- a/pkg/config/go.sum
+++ b/pkg/config/go.sum
@@ -1,161 +0,0 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.110.8 h1:tyNdfIxjzaWctIiLYOTalaLKZ17SI44SKFW26QbOhME=
 cloud.google.com/go v0.110.8/go.mod h1:Iz8AkXJf1qmxC3Oxoep8R1T36w8B92yU29PcBhHO5fk=
 cloud.google.com/go/compute v1.23.1 h1:V97tBoDaZHb6leicZ1G6DLK2BAaZLJ/7+9BB/En3hR0=
 cloud.google.com/go/compute v1.23.1/go.mod h1:CqB3xpmPKKt3OJpW2ndFIXnA9A4xAy/F3Xp1ixncW78=
 cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
 cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
 cloud.google.com/go/iam v1.1.3 h1:18tKG7DzydKWUnLjonWcJO6wjSCAtzh4GcRKlH/Hrzc=
 cloud.google.com/go/iam v1.1.3/go.mod h1:3khUlaBXfPKKe7huYgEpDn6FtgRyMEqbkvBxrQyY5SE=
 cloud.google.com/go/secretmanager v1.11.4 h1:krnX9qpG2kR2fJ+u+uNyNo+ACVhplIAS4Pu7u+4gd+k=
 cloud.google.com/go/secretmanager v1.11.4/go.mod h1:wreJlbS9Zdq21lMzWmJ0XhWW2ZxgPeahsqeV/vZoJ3w=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/aws/aws-sdk-go v1.50.0 h1:HBtrLeO+QyDKnc3t1+5DR1RxodOHCGr8ZcrHudpv7jI=
 github.com/aws/aws-sdk-go v1.50.0/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
 github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
 github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=
 github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs=
 github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0=
 github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas=
 github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/spf13/afero v1.14.0 h1:9tH6MapGnn/j0eb0yIXiLjERO8RB6xIVZRDCX7PtqWA=
 github.com/spf13/afero v1.14.0/go.mod h1:acJQ8t0ohCGuMN3O+Pv0V0hgMxNYDlvdk+VTfyZmbYo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
 golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY=
 golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
 golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
 golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.149.0 h1:b2CqT6kG+zqJIVKRQ3ELJVLN1PwHZ6DJ3dW8yl82rgY=
 google.golang.org/api v0.149.0/go.mod h1:Mwn1B7JTXrzXtnvmzQE2BD6bYZQ8DShKZDZbeN9I7qI=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b h1:+YaDE2r2OG8t/z5qmsh7Y+XXwCbvadxxZ0YY6mTdrVA=
 google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:CgAqfJo+Xmu0GwA0411Ht3OU3OntXwsGmrmjI8ioGXI=
 google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b h1:CIC2YMXmIhYw6evmhPxBKJ4fmLbOFtXQN/GV3XOZR8k=
 google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:IBQ646DjkDkvUIsVq/cc03FUFQ9wbZu7yE396YcL870=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b h1:ZlWIi1wSK56/8hn4QcBp/j9M7Gt3U/3hZw3mC7vDICo=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:swOH3j0KzcDDgGUWr+SNpyTen5YrXjS3eyPzFYKc6lc=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
 google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk=
 google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
 google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
 google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
--- a/pkg/config/loader.go
+++ b/pkg/config/loader.go
@@ -1,104 +0,0 @@
 package config
 import (
 	"fmt"
 	"path/filepath"
 	"github.com/spf13/afero"
 	"gopkg.in/yaml.v3"
 )
 // Loader handles loading configuration from YAML files.
 type Loader struct {
 	fs afero.Fs
 }
 // NewLoader creates a new configuration loader.
 func NewLoader(fs afero.Fs) *Loader {
 	return &Loader{
 		fs: fs,
 	}
 }
 // FindConfigFile searches for a configuration file by looking up the directory tree.
 func (l *Loader) FindConfigFile(filename string) (string, error) {
 	if filename == "" {
 		filename = "config.yaml"
 	}
 	// First check if the file exists in the current directory (simple case)
 	if _, err := l.fs.Stat(filename); err == nil {
 		return filename, nil
 	}
 	// For more complex cases, try to walk up the directory tree
 	// Start from current directory or root for in-memory filesystems
 	currentDir := "."
 	// Try to get the absolute path, but if it fails (e.g., in-memory fs),
 	// just use the current directory
 	if absPath, err := filepath.Abs("."); err == nil {
 		currentDir = absPath
 	}
 	// Search up the directory tree
 	for {
 		configPath := filepath.Join(currentDir, filename)
 		if _, err := l.fs.Stat(configPath); err == nil {
 			return configPath, nil
 		}
 		// Move up one directory
 		parentDir := filepath.Dir(currentDir)
 		if parentDir == currentDir || currentDir == "." || currentDir == "/" {
 			// Reached the root directory or can't go up further
 			break
 		}
 		currentDir = parentDir
 	}
 	return "", fmt.Errorf("configuration file %s not found in directory tree", filename)
 }
 // LoadYAML loads a YAML file and returns the parsed configuration.
 func (l *Loader) LoadYAML(filePath string) (map[string]interface{}, error) {
 	data, err := afero.ReadFile(l.fs, filePath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read file %s: %w", filePath, err)
 	}
 	var config map[string]interface{}
 	if err := yaml.Unmarshal(data, &config); err != nil {
 		return nil, fmt.Errorf("failed to parse YAML from %s: %w", filePath, err)
 	}
 	if config == nil {
 		config = make(map[string]interface{})
 	}
 	return config, nil
 }
 // MergeConfigs performs a deep merge of two configuration maps.
 // The override map values take precedence over the base map.
 func (l *Loader) MergeConfigs(base, override map[string]interface{}) map[string]interface{} {
 	if base == nil {
 		base = make(map[string]interface{})
 	}
 	for key, value := range override {
 		if baseValue, exists := base[key]; exists {
 			// If both values are maps, merge them recursively
 			if baseMap, baseOk := baseValue.(map[string]interface{}); baseOk {
 				if overrideMap, overrideOk := value.(map[string]interface{}); overrideOk {
 					base[key] = l.MergeConfigs(baseMap, overrideMap)
 					continue
 				}
 			}
 		}
 		// Otherwise, override the value
 		base[key] = value
 	}
 	return base
 }
--- a/pkg/config/manager.go
+++ b/pkg/config/manager.go
@@ -1,373 +0,0 @@
 package config
 import (
 	"fmt"
 	"log"
 	"strings"
 	"sync"
 	"github.com/spf13/afero"
 )
 // Manager manages application configuration with value resolution.
 type Manager struct {
 	mu            sync.RWMutex
 	config        map[string]interface{}
 	environment   string
 	resolver      *Resolver
 	loader        *Loader
 	configFile    string
 	resolvedCache map[string]interface{}
 	fs            afero.Fs
 }
 // NewManager creates a new configuration manager.
 func NewManager() *Manager {
 	fs := afero.NewOsFs()
 	return &Manager{
 		config:        make(map[string]interface{}),
 		loader:        NewLoader(fs),
 		resolvedCache: make(map[string]interface{}),
 		fs:            fs,
 	}
 }
 // SetFs sets the filesystem to use for all file operations.
 // This is primarily useful for testing with an in-memory filesystem.
 func (m *Manager) SetFs(fs afero.Fs) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	m.fs = fs
 	m.loader = NewLoader(fs)
 	// If we have a resolver, recreate it with the new fs
 	if m.resolver != nil {
 		gcpProject := ""
 		awsRegion := "us-east-1"
 		// Try to get the current settings
 		if gcpProj := m.getConfigValue("GCPProject", ""); gcpProj != nil {
 			if str, ok := gcpProj.(string); ok {
 				gcpProject = str
 			}
 		}
 		if awsReg := m.getConfigValue("AWSRegion", "us-east-1"); awsReg != nil {
 			if str, ok := awsReg.(string); ok {
 				awsRegion = str
 			}
 		}
 		m.resolver = NewResolver(gcpProject, awsRegion, fs)
 	}
 	// Clear caches as filesystem changed
 	m.resolvedCache = make(map[string]interface{})
 }
 // LoadFile loads configuration from a specific file.
 func (m *Manager) LoadFile(configFile string) error {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	config, err := m.loader.LoadYAML(configFile)
 	if err != nil {
 		return err
 	}
 	m.config = config
 	m.configFile = configFile
 	m.resolvedCache = make(map[string]interface{}) // Clear cache
 	return nil
 }
 // loadConfig loads the configuration from file.
 func (m *Manager) loadConfig() error {
 	if m.configFile == "" {
 		// Try to find config.yaml
 		configPath, err := m.loader.FindConfigFile("config.yaml")
 		if err != nil {
 			return err
 		}
 		m.configFile = configPath
 	}
 	config, err := m.loader.LoadYAML(m.configFile)
 	if err != nil {
 		return err
 	}
 	m.config = config
 	m.resolvedCache = make(map[string]interface{}) // Clear cache
 	return nil
 }
 // SetEnvironment sets the active environment.
 func (m *Manager) SetEnvironment(environment string) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	m.environment = strings.ToLower(environment)
 	// Create resolver with GCP project and AWS region if available
 	gcpProject := m.getConfigValue("GCPProject", "")
 	awsRegion := m.getConfigValue("AWSRegion", "us-east-1")
 	if gcpProjectStr, ok := gcpProject.(string); ok {
 		if awsRegionStr, ok := awsRegion.(string); ok {
 			m.resolver = NewResolver(gcpProjectStr, awsRegionStr, m.fs)
 		}
 	}
 	// Clear resolved cache when environment changes
 	m.resolvedCache = make(map[string]interface{})
 }
 // Get retrieves a configuration value.
 func (m *Manager) Get(key string, defaultValue interface{}) interface{} {
 	m.mu.RLock()
 	// Ensure config is loaded
 	if m.config == nil || len(m.config) == 0 {
 		// Need to upgrade to write lock to load config
 		m.mu.RUnlock()
 		m.mu.Lock()
 		// Double-check after acquiring write lock
 		if m.config == nil || len(m.config) == 0 {
 			if err := m.loadConfig(); err != nil {
 				log.Printf("Failed to load config: %v", err)
 				m.mu.Unlock()
 				return defaultValue
 			}
 		}
 		// Downgrade back to read lock
 		m.mu.Unlock()
 		m.mu.RLock()
 	}
 	defer m.mu.RUnlock()
 	// Check cache first
 	cacheKey := fmt.Sprintf("config.%s", key)
 	if cached, ok := m.resolvedCache[cacheKey]; ok {
 		return cached
 	}
 	// Try environment-specific config first
 	var rawValue interface{}
 	if m.environment != "" {
 		envMap, ok := m.config["environments"].(map[string]interface{})
 		if ok {
 			if env, ok := envMap[m.environment].(map[string]interface{}); ok {
 				if config, ok := env["config"].(map[string]interface{}); ok {
 					if val, exists := config[key]; exists {
 						rawValue = val
 					}
 				}
 			}
 		}
 	}
 	// Fall back to configDefaults
 	if rawValue == nil {
 		if defaults, ok := m.config["configDefaults"].(map[string]interface{}); ok {
 			if val, exists := defaults[key]; exists {
 				rawValue = val
 			}
 		}
 	}
 	if rawValue == nil {
 		return defaultValue
 	}
 	// Resolve the value if we have a resolver
 	var resolvedValue interface{}
 	if m.resolver != nil {
 		resolvedValue = m.resolver.Resolve(rawValue)
 	} else {
 		resolvedValue = rawValue
 	}
 	// Cache the resolved value
 	m.resolvedCache[cacheKey] = resolvedValue
 	return resolvedValue
 }
 // GetSecret retrieves a secret value for the current environment.
 func (m *Manager) GetSecret(key string, defaultValue interface{}) interface{} {
 	m.mu.RLock()
 	// Ensure config is loaded
 	if m.config == nil || len(m.config) == 0 {
 		// Need to upgrade to write lock to load config
 		m.mu.RUnlock()
 		m.mu.Lock()
 		// Double-check after acquiring write lock
 		if m.config == nil || len(m.config) == 0 {
 			if err := m.loadConfig(); err != nil {
 				log.Printf("Failed to load config: %v", err)
 				m.mu.Unlock()
 				return defaultValue
 			}
 		}
 		// Downgrade back to read lock
 		m.mu.Unlock()
 		m.mu.RLock()
 	}
 	defer m.mu.RUnlock()
 	if m.environment == "" {
 		log.Printf("No environment set when getting secret '%s'", key)
 		return defaultValue
 	}
 	// Get the current environment's config
 	envMap, ok := m.config["environments"].(map[string]interface{})
 	if !ok {
 		return defaultValue
 	}
 	env, ok := envMap[m.environment].(map[string]interface{})
 	if !ok {
 		return defaultValue
 	}
 	secrets, ok := env["secrets"].(map[string]interface{})
 	if !ok {
 		return defaultValue
 	}
 	secretValue, exists := secrets[key]
 	if !exists {
 		return defaultValue
 	}
 	// Resolve the value
 	if m.resolver != nil {
 		resolved := m.resolver.Resolve(secretValue)
 		if resolved == nil {
 			return defaultValue
 		}
 		return resolved
 	}
 	return secretValue
 }
 // getConfigValue is an internal helper to get config values without locking.
 func (m *Manager) getConfigValue(key string, defaultValue interface{}) interface{} {
 	// Try environment-specific config first
 	var rawValue interface{}
 	if m.environment != "" {
 		envMap, ok := m.config["environments"].(map[string]interface{})
 		if ok {
 			if env, ok := envMap[m.environment].(map[string]interface{}); ok {
 				if config, ok := env["config"].(map[string]interface{}); ok {
 					if val, exists := config[key]; exists {
 						rawValue = val
 					}
 				}
 			}
 		}
 	}
 	// Fall back to configDefaults
 	if rawValue == nil {
 		if defaults, ok := m.config["configDefaults"].(map[string]interface{}); ok {
 			if val, exists := defaults[key]; exists {
 				rawValue = val
 			}
 		}
 	}
 	if rawValue == nil {
 		return defaultValue
 	}
 	return rawValue
 }
 // Reload reloads the configuration from file.
 func (m *Manager) Reload() error {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	return m.loadConfig()
 }
 // GetAllConfig returns all configuration values for the current environment.
 func (m *Manager) GetAllConfig() map[string]interface{} {
 	m.mu.RLock()
 	defer m.mu.RUnlock()
 	result := make(map[string]interface{})
 	// Start with configDefaults
 	if defaults, ok := m.config["configDefaults"].(map[string]interface{}); ok {
 		for k, v := range defaults {
 			if m.resolver != nil {
 				result[k] = m.resolver.Resolve(v)
 			} else {
 				result[k] = v
 			}
 		}
 	}
 	// Override with environment-specific config
 	if m.environment != "" {
 		envMap, ok := m.config["environments"].(map[string]interface{})
 		if ok {
 			if env, ok := envMap[m.environment].(map[string]interface{}); ok {
 				if config, ok := env["config"].(map[string]interface{}); ok {
 					for k, v := range config {
 						if m.resolver != nil {
 							result[k] = m.resolver.Resolve(v)
 						} else {
 							result[k] = v
 						}
 					}
 				}
 			}
 		}
 	}
 	return result
 }
 // GetAllSecrets returns all secrets for the current environment.
 func (m *Manager) GetAllSecrets() map[string]interface{} {
 	m.mu.RLock()
 	defer m.mu.RUnlock()
 	if m.environment == "" {
 		return make(map[string]interface{})
 	}
 	envMap, ok := m.config["environments"].(map[string]interface{})
 	if !ok {
 		return make(map[string]interface{})
 	}
 	env, ok := envMap[m.environment].(map[string]interface{})
 	if !ok {
 		return make(map[string]interface{})
 	}
 	secrets, ok := env["secrets"].(map[string]interface{})
 	if !ok {
 		return make(map[string]interface{})
 	}
 	// Resolve all secrets
 	result := make(map[string]interface{})
 	for k, v := range secrets {
 		if m.resolver != nil {
 			result[k] = m.resolver.Resolve(v)
 		} else {
 			result[k] = v
 		}
 	}
 	return result
 }
--- a/pkg/config/resolver.go
+++ b/pkg/config/resolver.go
@@ -1,204 +0,0 @@
 package config
 import (
 	"context"
 	"fmt"
 	"log"
 	"os"
 	"path/filepath"
 	"regexp"
 	"strings"
 	secretmanager "cloud.google.com/go/secretmanager/apiv1"
 	"cloud.google.com/go/secretmanager/apiv1/secretmanagerpb"
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/secretsmanager"
 	"github.com/spf13/afero"
 )
 // Resolver handles resolution of configuration values with special prefixes.
 type Resolver struct {
 	gcpProject   string
 	awsRegion    string
 	gsmClient    *secretmanager.Client
 	asmClient    *secretsmanager.SecretsManager
 	awsSession   *session.Session
 	specialValue *regexp.Regexp
 	fs           afero.Fs
 }
 // NewResolver creates a new value resolver.
 func NewResolver(gcpProject, awsRegion string, fs afero.Fs) *Resolver {
 	return &Resolver{
 		gcpProject:   gcpProject,
 		awsRegion:    awsRegion,
 		specialValue: regexp.MustCompile(`^\$([A-Z]+):(.+)$`),
 		fs:           fs,
 	}
 }
 // Resolve resolves a configuration value that may contain special prefixes.
 func (r *Resolver) Resolve(value interface{}) interface{} {
 	switch v := value.(type) {
 	case string:
 		return r.resolveString(v)
 	case map[string]interface{}:
 		// Recursively resolve map values
 		result := make(map[string]interface{})
 		for k, val := range v {
 			result[k] = r.Resolve(val)
 		}
 		return result
 	case []interface{}:
 		// Recursively resolve slice items
 		result := make([]interface{}, len(v))
 		for i, val := range v {
 			result[i] = r.Resolve(val)
 		}
 		return result
 	default:
 		// Return non-string values as-is
 		return value
 	}
 }
 // resolveString resolves a string value that may contain a special prefix.
 func (r *Resolver) resolveString(value string) interface{} {
 	matches := r.specialValue.FindStringSubmatch(value)
 	if matches == nil {
 		return value
 	}
 	resolverType := matches[1]
 	resolverValue := matches[2]
 	switch resolverType {
 	case "ENV":
 		return r.resolveEnv(resolverValue)
 	case "GSM":
 		return r.resolveGSM(resolverValue)
 	case "ASM":
 		return r.resolveASM(resolverValue)
 	case "FILE":
 		return r.resolveFile(resolverValue)
 	default:
 		log.Printf("Unknown resolver type: %s", resolverType)
 		return value
 	}
 }
 // resolveEnv resolves an environment variable.
 func (r *Resolver) resolveEnv(envVar string) interface{} {
 	value := os.Getenv(envVar)
 	if value == "" {
 		return nil
 	}
 	return value
 }
 // resolveGSM resolves a Google Secret Manager secret.
 func (r *Resolver) resolveGSM(secretName string) interface{} {
 	if r.gcpProject == "" {
 		log.Printf("GCP project not configured for GSM resolution")
 		return nil
 	}
 	// Initialize GSM client if needed
 	if r.gsmClient == nil {
 		ctx := context.Background()
 		client, err := secretmanager.NewClient(ctx)
 		if err != nil {
 			log.Printf("Failed to create GSM client: %v", err)
 			return nil
 		}
 		r.gsmClient = client
 	}
 	// Build the resource name
 	name := fmt.Sprintf("projects/%s/secrets/%s/versions/latest", r.gcpProject, secretName)
 	// Access the secret
 	ctx := context.Background()
 	req := &secretmanagerpb.AccessSecretVersionRequest{
 		Name: name,
 	}
 	result, err := r.gsmClient.AccessSecretVersion(ctx, req)
 	if err != nil {
 		log.Printf("Failed to access GSM secret %s: %v", secretName, err)
 		return nil
 	}
 	return string(result.Payload.Data)
 }
 // resolveASM resolves an AWS Secrets Manager secret.
 func (r *Resolver) resolveASM(secretName string) interface{} {
 	// Initialize AWS session if needed
 	if r.awsSession == nil {
 		sess, err := session.NewSession(&aws.Config{
 			Region: aws.String(r.awsRegion),
 		})
 		if err != nil {
 			log.Printf("Failed to create AWS session: %v", err)
 			return nil
 		}
 		r.awsSession = sess
 	}
 	// Initialize ASM client if needed
 	if r.asmClient == nil {
 		r.asmClient = secretsmanager.New(r.awsSession)
 	}
 	// Get the secret value
 	input := &secretsmanager.GetSecretValueInput{
 		SecretId: aws.String(secretName),
 	}
 	result, err := r.asmClient.GetSecretValue(input)
 	if err != nil {
 		log.Printf("Failed to access ASM secret %s: %v", secretName, err)
 		return nil
 	}
 	// Return the secret string
 	if result.SecretString != nil {
 		return *result.SecretString
 	}
 	// If it's binary data, we can't handle it as a string config value
 	log.Printf("ASM secret %s contains binary data, which is not supported", secretName)
 	return nil
 }
 // resolveFile resolves a file's contents.
 func (r *Resolver) resolveFile(filePath string) interface{} {
 	// Expand user home directory if present
 	if strings.HasPrefix(filePath, "~/") {
 		home, err := os.UserHomeDir()
 		if err != nil {
 			log.Printf("Failed to get user home directory: %v", err)
 			return nil
 		}
 		filePath = filepath.Join(home, filePath[2:])
 	}
 	data, err := afero.ReadFile(r.fs, filePath)
 	if err != nil {
 		log.Printf("Failed to read file %s: %v", filePath, err)
 		return nil
 	}
 	// Strip whitespace/newlines from file contents
 	return strings.TrimSpace(string(data))
 }
 // Close closes any open clients.
 func (r *Resolver) Close() error {
 	if r.gsmClient != nil {
 		return r.gsmClient.Close()
 	}
 	return nil
 }
--- a/static/css/tailwind.css
+++ b/static/css/tailwind.css
--- a/templates/source_detail.html
+++ b/templates/source_detail.html
@@ -0,0 +1,171 @@
 {{template "base" .}}
 {{define "title"}}{{.Webhook.Name}} - Webhooker{{end}}
 {{define "content"}}
 <div class="max-w-6xl mx-auto px-6 py-8" x-data="{ showAddEntrypoint: false, showAddTarget: false }">
    <div class="mb-6">
        <a href="/sources" class="text-sm text-primary-600 hover:text-primary-700">&larr; Back to webhooks</a>
        <div class="flex justify-between items-center mt-2">
            <div>
                <h1 class="text-2xl font-medium text-gray-900">{{.Webhook.Name}}</h1>
                {{if .Webhook.Description}}
                <p class="text-sm text-gray-500 mt-1">{{.Webhook.Description}}</p>
                {{end}}
            </div>
            <div class="flex gap-2">
                <a href="/source/{{.Webhook.ID}}/logs" class="btn-secondary">Event Log</a>
                <a href="/source/{{.Webhook.ID}}/edit" class="btn-secondary">Edit</a>
                <form method="POST" action="/source/{{.Webhook.ID}}/delete" onsubmit="return confirm('Delete this webhook and all its data?')">
                    <button type="submit" class="btn-danger">Delete</button>
                </form>
            </div>
        </div>
    </div>
    <div class="grid grid-cols-1 lg:grid-cols-2 gap-6">
        <!-- Entrypoints -->
        <div class="card">
            <div class="p-4 border-b border-gray-200 flex justify-between items-center">
                <h2 class="text-lg font-medium text-gray-900">Entrypoints</h2>
                <button @click="showAddEntrypoint = !showAddEntrypoint" class="btn-text text-sm">
                    <svg class="w-4 h-4 mr-1" fill="none" stroke="currentColor" viewBox="0 0 24 24">
                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 4v16m8-8H4"/>
                    </svg>
                    Add
                </button>
            </div>
            <!-- Add entrypoint form -->
            <div x-show="showAddEntrypoint" x-cloak class="p-4 bg-gray-50 border-b border-gray-200">
                <form method="POST" action="/source/{{.Webhook.ID}}/entrypoints" class="flex gap-2">
                    <input type="text" name="description" placeholder="Description (optional)" class="input text-sm flex-1">
                    <button type="submit" class="btn-primary text-sm">Add</button>
                </form>
            </div>
            <div class="divide-y divide-gray-100">
                {{range .Entrypoints}}
                <div class="p-4">
                    <div class="flex items-center justify-between mb-1">
                        <span class="text-sm font-medium text-gray-900">{{if .Description}}{{.Description}}{{else}}Entrypoint{{end}}</span>
                        <div class="flex items-center gap-2">
                            {{if .Active}}
                            <span class="badge-success">Active</span>
                            {{else}}
                            <span class="badge-error">Inactive</span>
                            {{end}}
                            <form method="POST" action="/source/{{$.Webhook.ID}}/entrypoints/{{.ID}}/toggle" class="inline">
                                <button type="submit" class="text-xs text-gray-500 hover:text-primary-600" title="{{if .Active}}Deactivate{{else}}Activate{{end}}">
                                    {{if .Active}}Deactivate{{else}}Activate{{end}}
                                </button>
                            </form>
                            <form method="POST" action="/source/{{$.Webhook.ID}}/entrypoints/{{.ID}}/delete" onsubmit="return confirm('Delete this entrypoint?')" class="inline">
                                <button type="submit" class="text-xs text-red-500 hover:text-red-700" title="Delete">Delete</button>
                            </form>
                        </div>
                    </div>
                    <code class="text-xs text-gray-500 break-all block mt-1">{{$.BaseURL}}/webhook/{{.Path}}</code>
                </div>
                {{else}}
                <div class="p-4 text-sm text-gray-500">No entrypoints configured.</div>
                {{end}}
            </div>
        </div>
        <!-- Targets -->
        <div class="card">
            <div class="p-4 border-b border-gray-200 flex justify-between items-center">
                <h2 class="text-lg font-medium text-gray-900">Targets</h2>
                <button @click="showAddTarget = !showAddTarget" class="btn-text text-sm">
                    <svg class="w-4 h-4 mr-1" fill="none" stroke="currentColor" viewBox="0 0 24 24">
                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 4v16m8-8H4"/>
                    </svg>
                    Add
                </button>
            </div>
            <!-- Add target form -->
            <div x-show="showAddTarget" x-cloak class="p-4 bg-gray-50 border-b border-gray-200">
                <form method="POST" action="/source/{{.Webhook.ID}}/targets" x-data="{ targetType: 'http' }" class="space-y-3">
                    <div class="flex gap-2">
                        <input type="text" name="name" placeholder="Target name" required class="input text-sm flex-1">
                        <select name="type" x-model="targetType" class="input text-sm w-32">
                            <option value="http">HTTP</option>
                            <option value="database">Database</option>
                            <option value="log">Log</option>
                        </select>
                    </div>
                    <div x-show="targetType === 'http'">
                        <input type="url" name="url" placeholder="https://example.com/webhook" class="input text-sm">
                    </div>
                    <div x-show="targetType === 'http'" class="flex gap-2 items-center">
                        <label class="text-sm text-gray-700">Max retries (0 = fire-and-forget):</label>
                        <input type="number" name="max_retries" value="0" min="0" max="20" class="input text-sm w-24">
                    </div>
                    <button type="submit" class="btn-primary text-sm">Add Target</button>
                </form>
            </div>
            <div class="divide-y divide-gray-100">
                {{range .Targets}}
                <div class="p-4">
                    <div class="flex items-center justify-between mb-1">
                        <span class="text-sm font-medium text-gray-900">{{.Name}}</span>
                        <div class="flex items-center gap-2">
                            <span class="badge-info">{{.Type}}</span>
                            {{if .Active}}
                            <span class="badge-success">Active</span>
                            {{else}}
                            <span class="badge-error">Inactive</span>
                            {{end}}
                            <form method="POST" action="/source/{{$.Webhook.ID}}/targets/{{.ID}}/toggle" class="inline">
                                <button type="submit" class="text-xs text-gray-500 hover:text-primary-600" title="{{if .Active}}Deactivate{{else}}Activate{{end}}">
                                    {{if .Active}}Deactivate{{else}}Activate{{end}}
                                </button>
                            </form>
                            <form method="POST" action="/source/{{$.Webhook.ID}}/targets/{{.ID}}/delete" onsubmit="return confirm('Delete this target?')" class="inline">
                                <button type="submit" class="text-xs text-red-500 hover:text-red-700" title="Delete">Delete</button>
                            </form>
                        </div>
                    </div>
                    {{if .Config}}
                    <code class="text-xs text-gray-500 break-all block mt-1">{{.Config}}</code>
                    {{end}}
                </div>
                {{else}}
                <div class="p-4 text-sm text-gray-500">No targets configured.</div>
                {{end}}
            </div>
        </div>
    </div>
    <!-- Recent Events -->
    <div class="card mt-6">
        <div class="p-4 border-b border-gray-200 flex justify-between items-center">
            <h2 class="text-lg font-medium text-gray-900">Recent Events</h2>
            <a href="/source/{{.Webhook.ID}}/logs" class="btn-text text-sm">View All</a>
        </div>
        <div class="divide-y divide-gray-100">
            {{range .Events}}
            <div class="p-4">
                <div class="flex items-center justify-between">
                    <div class="flex items-center gap-3">
                        <span class="badge-info">{{.Method}}</span>
                        <span class="text-sm text-gray-500">{{.ContentType}}</span>
                    </div>
                    <span class="text-xs text-gray-400">{{.CreatedAt.Format "2006-01-02 15:04:05 UTC"}}</span>
                </div>
            </div>
            {{else}}
            <div class="p-8 text-center text-sm text-gray-500">No events received yet.</div>
            {{end}}
        </div>
    </div>
    <!-- Info -->
    <div class="mt-4 text-sm text-gray-400">
        <p>Retention: {{.Webhook.RetentionDays}} days &middot; Created: {{.Webhook.CreatedAt.Format "2006-01-02 15:04:05 UTC"}}</p>
    </div>
 </div>
 {{end}}
--- a/templates/source_edit.html
+++ b/templates/source_edit.html
@@ -0,0 +1,40 @@
 {{template "base" .}}
 {{define "title"}}Edit {{.Webhook.Name}} - Webhooker{{end}}
 {{define "content"}}
 <div class="max-w-2xl mx-auto px-6 py-8">
    <div class="mb-6">
        <a href="/source/{{.Webhook.ID}}" class="text-sm text-primary-600 hover:text-primary-700">&larr; Back to {{.Webhook.Name}}</a>
        <h1 class="text-2xl font-medium text-gray-900 mt-2">Edit Webhook</h1>
    </div>
    <div class="card p-6">
        {{if .Error}}
        <div class="alert-error">{{.Error}}</div>
        {{end}}
        <form method="POST" action="/source/{{.Webhook.ID}}/edit" class="space-y-6">
            <div class="form-group">
                <label for="name" class="label">Name</label>
                <input type="text" id="name" name="name" value="{{.Webhook.Name}}" required class="input">
            </div>
            <div class="form-group">
                <label for="description" class="label">Description</label>
                <textarea id="description" name="description" rows="3" class="input">{{.Webhook.Description}}</textarea>
            </div>
            <div class="form-group">
                <label for="retention_days" class="label">Retention (days)</label>
                <input type="number" id="retention_days" name="retention_days" value="{{.Webhook.RetentionDays}}" min="1" max="365" class="input">
            </div>
            <div class="flex gap-3">
                <button type="submit" class="btn-primary">Save Changes</button>
                <a href="/source/{{.Webhook.ID}}" class="btn-secondary">Cancel</a>
            </div>
        </form>
    </div>
 </div>
 {{end}}
--- a/templates/source_logs.html
+++ b/templates/source_logs.html
@@ -0,0 +1,61 @@
 {{template "base" .}}
 {{define "title"}}Event Log - {{.Webhook.Name}} - Webhooker{{end}}
 {{define "content"}}
 <div class="max-w-6xl mx-auto px-6 py-8">
    <div class="mb-6">
        <a href="/source/{{.Webhook.ID}}" class="text-sm text-primary-600 hover:text-primary-700">&larr; Back to {{.Webhook.Name}}</a>
        <div class="flex justify-between items-center mt-2">
            <h1 class="text-2xl font-medium text-gray-900">Event Log</h1>
            <span class="text-sm text-gray-500">{{.TotalEvents}} total event{{if ne .TotalEvents 1}}s{{end}}</span>
        </div>
    </div>
    <div class="card">
        <div class="divide-y divide-gray-100">
            {{range .Events}}
            <div class="p-4" x-data="{ open: false }">
                <div class="flex items-center justify-between cursor-pointer" @click="open = !open">
                    <div class="flex items-center gap-3">
                        <span class="badge-info">{{.Method}}</span>
                        <span class="text-sm font-mono text-gray-700">{{.ID}}</span>
                        <span class="text-sm text-gray-500">{{.ContentType}}</span>
                    </div>
                    <div class="flex items-center gap-4">
                        {{range .Deliveries}}
                        <span class="text-xs {{if eq .Status "delivered"}}text-green-600{{else if eq .Status "failed"}}text-red-600{{else if eq .Status "retrying"}}text-yellow-600{{else}}text-gray-400{{end}}">
                            {{.Target.Name}}: {{.Status}}
                        </span>
                        {{end}}
                        <span class="text-xs text-gray-400">{{.CreatedAt.Format "2006-01-02 15:04:05"}}</span>
                        <svg class="w-4 h-4 text-gray-400 transition-transform" :class="{ 'rotate-180': open }" fill="none" stroke="currentColor" viewBox="0 0 24 24">
                            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M19 9l-7 7-7-7"/>
                        </svg>
                    </div>
                </div>
                <div x-show="open" x-cloak class="mt-3 p-3 bg-gray-50 rounded-md">
                    <pre class="text-xs text-gray-700 overflow-x-auto whitespace-pre-wrap break-all">{{.Body}}</pre>
                </div>
            </div>
            {{else}}
            <div class="p-12 text-center text-sm text-gray-500">No events recorded yet.</div>
            {{end}}
        </div>
    </div>
    <!-- Pagination -->
    {{if or .HasPrev .HasNext}}
    <div class="flex justify-center gap-2 mt-6">
        {{if .HasPrev}}
        <a href="/source/{{.Webhook.ID}}/logs?page={{.PrevPage}}" class="btn-secondary text-sm">&larr; Previous</a>
        {{end}}
        <span class="inline-flex items-center px-4 py-2 text-sm text-gray-500">Page {{.Page}} of {{.TotalPages}}</span>
        {{if .HasNext}}
        <a href="/source/{{.Webhook.ID}}/logs?page={{.NextPage}}" class="btn-secondary text-sm">Next &rarr;</a>
        {{end}}
    </div>
    {{end}}
 </div>
 {{end}}
--- a/templates/sources_list.html
+++ b/templates/sources_list.html
@@ -0,0 +1,49 @@
 {{template "base" .}}
 {{define "title"}}Sources - Webhooker{{end}}
 {{define "content"}}
 <div class="max-w-6xl mx-auto px-6 py-8">
    <div class="flex justify-between items-center mb-6">
        <h1 class="text-2xl font-medium text-gray-900">Webhooks</h1>
        <a href="/sources/new" class="btn-primary">
            <svg class="w-5 h-5 mr-1" fill="none" stroke="currentColor" viewBox="0 0 24 24">
                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 4v16m8-8H4"/>
            </svg>
            New Webhook
        </a>
    </div>
    {{if .Webhooks}}
    <div class="grid gap-4">
        {{range .Webhooks}}
        <a href="/source/{{.ID}}" class="card-elevated p-6 block">
            <div class="flex justify-between items-start">
                <div>
                    <h2 class="text-lg font-medium text-gray-900">{{.Name}}</h2>
                    {{if .Description}}
                    <p class="text-sm text-gray-500 mt-1">{{.Description}}</p>
                    {{end}}
                </div>
                <span class="badge-info">{{.RetentionDays}}d retention</span>
            </div>
            <div class="flex gap-6 mt-4 text-sm text-gray-500">
                <span>{{.EntrypointCount}} entrypoint{{if ne .EntrypointCount 1}}s{{end}}</span>
                <span>{{.TargetCount}} target{{if ne .TargetCount 1}}s{{end}}</span>
                <span>{{.EventCount}} event{{if ne .EventCount 1}}s{{end}}</span>
            </div>
        </a>
        {{end}}
    </div>
    {{else}}
    <div class="card p-12 text-center">
        <svg class="w-16 h-16 text-gray-300 mx-auto mb-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5" d="M13.828 10.172a4 4 0 00-5.656 0l-4 4a4 4 0 105.656 5.656l1.102-1.101m-.758-4.899a4 4 0 005.656 0l4-4a4 4 0 00-5.656-5.656l-1.1 1.1"/>
        </svg>
        <h2 class="text-lg font-medium text-gray-900 mb-2">No webhooks yet</h2>
        <p class="text-gray-500 mb-6">Create your first webhook to start receiving and forwarding events.</p>
        <a href="/sources/new" class="btn-primary">Create Webhook</a>
    </div>
    {{end}}
 </div>
 {{end}}
--- a/templates/sources_new.html
+++ b/templates/sources_new.html
@@ -0,0 +1,41 @@
 {{template "base" .}}
 {{define "title"}}New Webhook - Webhooker{{end}}
 {{define "content"}}
 <div class="max-w-2xl mx-auto px-6 py-8">
    <div class="mb-6">
        <a href="/sources" class="text-sm text-primary-600 hover:text-primary-700">&larr; Back to webhooks</a>
        <h1 class="text-2xl font-medium text-gray-900 mt-2">Create Webhook</h1>
    </div>
    <div class="card p-6">
        {{if .Error}}
        <div class="alert-error">{{.Error}}</div>
        {{end}}
        <form method="POST" action="/sources/new" class="space-y-6">
            <div class="form-group">
                <label for="name" class="label">Name</label>
                <input type="text" id="name" name="name" required autofocus placeholder="My Webhook" class="input">
            </div>
            <div class="form-group">
                <label for="description" class="label">Description</label>
                <textarea id="description" name="description" rows="3" placeholder="Optional description" class="input"></textarea>
            </div>
            <div class="form-group">
                <label for="retention_days" class="label">Retention (days)</label>
                <input type="number" id="retention_days" name="retention_days" value="30" min="1" max="365" class="input">
                <p class="text-xs text-gray-500 mt-1">How long to keep event data.</p>
            </div>
            <div class="flex gap-3">
                <button type="submit" class="btn-primary">Create Webhook</button>
                <a href="/sources" class="btn-secondary">Cancel</a>
            </div>
        </form>
    </div>
 </div>
 {{end}}
--- a/templates/templates.go
+++ b/templates/templates.go
@@ -0,0 +1,8 @@
 package templates
 import (
 	"embed"
 )
 //go:embed *.html
 var Templates embed.FS