fix: unify DATA_DIR default to /var/lib/webhooker for all environments

Remove devDataDir() XDG-based logic. Both dev and prod now default
DATA_DIR to /var/lib/webhooker. Update Dockerfile and README to match.

Dockerfile

@@ -57,10 +57,10 @@ WORKDIR /app
 COPY --from=builder /build/bin/webhooker .
 
 # Create data directory for all SQLite databases (main app DB +
-# per-webhook event DBs). DATA_DIR defaults to /data in production.
-RUN mkdir -p /data
+# per-webhook event DBs). DATA_DIR defaults to /var/lib/webhooker.
+RUN mkdir -p /var/lib/webhooker
 
-RUN chown -R webhooker:webhooker /app /data
+RUN chown -R webhooker:webhooker /app /var/lib/webhooker
 
 USER webhooker
 

README.md

@@ -55,13 +55,22 @@ you can place variables in a `.env` file in the project root (loaded
 automatically via `godotenv/autoload`).
 
 The environment is selected by setting `WEBHOOKER_ENVIRONMENT` to `dev`
-or `prod` (default: `dev`).
+or `prod` (default: `dev`). The setting controls several behaviors:
+
+| Behavior              | `dev`                            | `prod`                          |
+| --------------------- | -------------------------------- | ------------------------------- |
+| CORS                  | Allows any origin (`*`)          | Disabled (no-op)                |
+| Session cookie Secure | `false` (works over plain HTTP)  | `true` (requires HTTPS)         |
+
+All other differences (log format, security headers, etc.) are
+independent of the environment setting — log format is determined by
+TTY detection, and security headers are always applied.
 
 | Variable                | Description                         | Default  |
 | ----------------------- | ----------------------------------- | -------- |
 | `WEBHOOKER_ENVIRONMENT` | `dev` or `prod`                     | `dev`    |
 | `PORT`                  | HTTP listen port                    | `8080`   |
-| `DATA_DIR`              | Directory for all SQLite databases  | `./data` (dev) / `/data` (prod) |
+| `DATA_DIR`              | Directory for all SQLite databases  | `/var/lib/webhooker` |
 | `DEBUG`                 | Enable debug logging                | `false`  |
 | `METRICS_USERNAME`      | Basic auth username for `/metrics`  | `""`     |
 | `METRICS_PASSWORD`      | Basic auth password for `/metrics`  | `""`     |
@@ -80,16 +89,16 @@ is only displayed once.
 ```bash
 docker run -d \
   -p 8080:8080 \
-  -v /path/to/data:/data \
+  -v /path/to/data:/var/lib/webhooker \
   -e WEBHOOKER_ENVIRONMENT=prod \
   webhooker:latest
 ```
 
 The container runs as a non-root user (`webhooker`, UID 1000), exposes
 port 8080, and includes a health check against
-`/.well-known/healthcheck`. The `/data` volume holds all SQLite
-databases: the main application database (`webhooker.db`) and the
-per-webhook event databases (`events-{uuid}.db`). Mount this as a
+`/.well-known/healthcheck`. The `/var/lib/webhooker` volume holds all
+SQLite databases: the main application database (`webhooker.db`) and
+the per-webhook event databases (`events-{uuid}.db`). Mount this as a
 persistent volume to preserve data across container restarts.
 
 ## Rationale
@@ -835,8 +844,8 @@ The Dockerfile uses a multi-stage build:
    golangci-lint, downloads dependencies, copies source, runs `make
    check` (format verification, linting, tests, compilation).
 2. **Runtime stage** (`alpine:3.21`) — copies the binary, creates the
-   `/data` directory for all SQLite databases, runs as non-root user,
-   exposes port 8080, includes a health check.
+   `/var/lib/webhooker` directory for all SQLite databases, runs as
+   non-root user, exposes port 8080, includes a health check.
 
 The builder uses Debian rather than Alpine because GORM's SQLite
 dialect pulls in CGO-dependent headers at compile time. The runtime

internal/config/config.go

@@ -109,14 +109,11 @@ func New(lc fx.Lifecycle, params ConfigParams) (*Config, error) {
 		params:          &params,
 	}
 
-	// Set default DataDir based on environment. All SQLite databases
-	// (main application DB and per-webhook event DBs) live here.
+	// Set default DataDir. All SQLite databases (main application DB
+	// and per-webhook event DBs) live here. The same default is used
+	// regardless of environment; override with DATA_DIR if needed.
 	if s.DataDir == "" {
-		if s.IsProd() {
-			s.DataDir = "/data"
-		} else {
-			s.DataDir = "./data"
-		}
+		s.DataDir = "/var/lib/webhooker"
 	}
 
 	if s.Debug {

internal/config/config_test.go

@@ -104,3 +104,39 @@ func TestEnvironmentConfig(t *testing.T) {
 		})
 	}
 }
+
+func TestDefaultDataDir(t *testing.T) {
+	// Verify that when DATA_DIR is unset, the default is /var/lib/webhooker
+	// regardless of the environment setting.
+	for _, env := range []string{"", "dev", "prod"} {
+		name := env
+		if name == "" {
+			name = "unset"
+		}
+		t.Run("env="+name, func(t *testing.T) {
+			if env != "" {
+				os.Setenv("WEBHOOKER_ENVIRONMENT", env)
+				defer os.Unsetenv("WEBHOOKER_ENVIRONMENT")
+			} else {
+				os.Unsetenv("WEBHOOKER_ENVIRONMENT")
+			}
+			os.Unsetenv("DATA_DIR")
+
+			var cfg *Config
+			app := fxtest.New(
+				t,
+				fx.Provide(
+					globals.New,
+					logger.New,
+					New,
+				),
+				fx.Populate(&cfg),
+			)
+			require.NoError(t, app.Err())
+			app.RequireStart()
+			defer app.RequireStop()
+
+			assert.Equal(t, "/var/lib/webhooker", cfg.DataDir)
+		})
+	}
+}