chore: add MIT LICENSE

Add MIT license file with copyright holder Jeffrey Paul <sneak@sneak.berlin>.
feat: add auth middleware for protected routes
2026-03-01 15:56:00 -08:00 · 2026-03-01 15:55:51 -08:00 · 2026-03-01 15:53:43 -08:00 · 2026-03-01 15:52:05 -08:00 · 2026-03-01 15:49:21 -08:00 · 2026-03-01 15:47:22 -08:00
94 changed files with 3772 additions and 13169 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -29,9 +29,9 @@ Thumbs.db
 # Environment and config files
 .env
 .env.local
 config.yaml
-# Data directory (SQLite databases)
+# Database files
 data/
 *.db
 *.sqlite
 *.sqlite3
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,32 +1,46 @@
 version: "2"
 run:
  timeout: 5m
-  modules-download-mode: readonly
+  tests: true
 linters:
-  default: all
+  enable:
-  disable:
+    - gofmt
-    # Genuinely incompatible with project patterns
+    - revive
-    - exhaustruct      # Requires all struct fields
+    - govet
-    - depguard         # Dependency allow/block lists
+    - errcheck
-    - godot            # Requires comments to end with periods
+    - staticcheck
-    - wsl              # Deprecated, replaced by wsl_v5
+    - unused
-    - wrapcheck        # Too verbose for internal packages
+    - gosimple
-    - varnamelen       # Short names like db, id are idiomatic Go
+    - ineffassign
    - typecheck
    - gosec
    - misspell
    - unparam
    - prealloc
    - copyloopvar
    - gocritic
    - gochecknoinits
    - gochecknoglobals
 linters-settings:
-  lll:
+  gofmt:
-    line-length: 88
+    simplify: true
-  funlen:
+  revive:
-    lines: 80
+    confidence: 0.8
-    statements: 50
+  govet:
-  cyclop:
+    enable:
-    max-complexity: 15
+      - shadow
-  dupl:
+  errcheck:
-    threshold: 100
+    check-type-assertions: true
    check-blank: true
 issues:
-  exclude-use-default: false
+  exclude-rules:
-  max-issues-per-linter: 0
+    # Exclude globals check for version variables in main
-  max-same-issues: 0
+    - path: cmd/webhooker/main.go
      linters:
        - gochecknoglobals
    # Exclude globals check for version variables in globals package
    - path: internal/globals/globals.go
      linters:
        - gochecknoglobals 
--- a/84
+++ b/84
@@ -1,58 +1,50 @@
-# Lint stage
+# golang:1.24 (bookworm) — 2026-03-01
 # golangci/golangci-lint:v2.11.3 (Debian-based), 2026-03-17
 # Using Debian-based image because mattn/go-sqlite3 (CGO) does not
 # compile on Alpine musl (off64_t is a glibc type).
 FROM golangci/golangci-lint:v2.11.3@sha256:e838e8ab68aaefe83e2408691510867ade9329c0e0b895a3fb35eb93d1c2a4ba AS lint
 RUN apt-get update && apt-get install -y --no-install-recommends make && rm -rf /var/lib/apt/lists/*
 WORKDIR /src
 # Copy go mod files first for better layer caching
 COPY go.mod go.sum ./
 RUN go mod download
 # Copy source code
 COPY . .
 # Run formatting check and linter
 RUN make fmt-check
 RUN make lint
 # Build stage
 # golang:1.26.1-bookworm (Debian-based), 2026-03-17
 # Using Debian-based image because gorm.io/driver/sqlite pulls in
 # mattn/go-sqlite3 (CGO), which does not compile on Alpine musl.
-FROM golang:1.26.1-bookworm@sha256:4465644228bc2857a954b092167e12aa59c006a3492282a6c820bf4755fd64a4 AS builder
+FROM golang@sha256:d2d2bc1c84f7e60d7d2438a3836ae7d0c847f4888464e7ec9ba3a1339a1ee804 AS builder
 # Depend on lint stage passing
 COPY --from=lint /src/go.sum /dev/null
 # gcc is pre-installed in the Debian-based golang image
 RUN apt-get update && apt-get install -y --no-install-recommends make && rm -rf /var/lib/apt/lists/*
 WORKDIR /build
-# Copy go mod files first for better layer caching
+# Install golangci-lint v1.64.8 — 2026-03-01
 # Using v1.x because the repo's .golangci.yml uses v1 config format.
 RUN set -eux; \
    GOLANGCI_VERSION="1.64.8"; \
    ARCH="$(uname -m)"; \
    case "${ARCH}" in \
        x86_64) \
            GOARCH="amd64"; \
            GOLANGCI_SHA256="b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e"; \
            ;; \
        aarch64) \
            GOARCH="arm64"; \
            GOLANGCI_SHA256="a6ab58ebcb1c48572622146cdaec2956f56871038a54ed1149f1386e287789a5"; \
            ;; \
        *) echo "unsupported architecture: ${ARCH}" && exit 1 ;; \
    esac; \
    wget -q "https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_VERSION}/golangci-lint-${GOLANGCI_VERSION}-linux-${GOARCH}.tar.gz" \
        -O /tmp/golangci-lint.tar.gz; \
    echo "${GOLANGCI_SHA256}  /tmp/golangci-lint.tar.gz" | sha256sum -c -; \
    tar -xzf /tmp/golangci-lint.tar.gz -C /tmp; \
    mv "/tmp/golangci-lint-${GOLANGCI_VERSION}-linux-${GOARCH}/golangci-lint" /usr/local/bin/; \
    rm -rf /tmp/golangci-lint*; \
    golangci-lint --version
 # Copy go module files and download dependencies
 COPY go.mod go.sum ./
 COPY pkg/config/go.mod pkg/config/go.sum ./pkg/config/
 RUN go mod download
 # Copy source code
 COPY . .
-# Run tests and build
+# Run all checks (fmt-check, lint, test, build)
-RUN make test
+RUN make check
 RUN make build
-# Rebuild with static linking for Alpine runtime.
+# alpine:3.21 — 2026-03-01
-# make build already verified compilation.
+FROM alpine@sha256:c3f8e73fdb79deaebaa2037150150191b9dcbfba68b4a46d70103204c53f4709
 # The CGO binary from `make build` is dynamically linked against glibc,
 # which doesn't exist on Alpine (musl). Rebuild with static linking so
 # the binary runs on Alpine without glibc.
 RUN CGO_ENABLED=1 go build -ldflags '-extldflags "-static"' -o bin/webhooker ./cmd/webhooker
 # Runtime stage
 # alpine:3.21, 2026-03-17
 FROM alpine:3.21@sha256:c3f8e73fdb79deaebaa2037150150191b9dcbfba68b4a46d70103204c53f4709
 RUN apk --no-cache add ca-certificates
@@ -63,13 +55,9 @@ RUN addgroup -g 1000 -S webhooker && \
 WORKDIR /app
 # Copy binary from builder
-COPY --from=builder /build/bin/webhooker /app/webhooker
+COPY --from=builder /build/bin/webhooker .
-# Create data directory for all SQLite databases (main app DB +
+RUN chown -R webhooker:webhooker /app
 # per-webhook event DBs). DATA_DIR defaults to /var/lib/webhooker.
 RUN mkdir -p /var/lib/webhooker
 RUN chown -R webhooker:webhooker /app /var/lib/webhooker
 USER webhooker
@@ -78,4 +66,4 @@ EXPOSE 8080
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
    CMD wget --no-verbose --tries=1 --spider http://localhost:8080/.well-known/healthcheck || exit 1
-CMD ["/app/webhooker"]
+CMD ["./webhooker"]
--- a/5
+++ b/5
@@ -1,4 +1,4 @@
-.PHONY: test lint fmt fmt-check check build run dev deps docker clean hooks css
+.PHONY: test lint fmt fmt-check check build run dev deps docker clean hooks
 # Default target
 .DEFAULT_GOAL := check
@@ -41,6 +41,3 @@ hooks:
 	@printf '#!/bin/sh\nmake check\n' > .git/hooks/pre-commit
 	@chmod +x .git/hooks/pre-commit
 	@echo "pre-commit hook installed"
 css:
 	tailwindcss -i static/css/input.css -o static/css/tailwind.css --minify
--- a/README.md
+++ b/README.md
--- a/cmd/webhooker/main.go
+++ b/cmd/webhooker/main.go
@@ -1,11 +1,11 @@
 // Package main is the entry point for the webhooker application.
 package main
 import (
 	"runtime"
 	"go.uber.org/fx"
 	"sneak.berlin/go/webhooker/internal/config"
 	"sneak.berlin/go/webhooker/internal/database"
 	"sneak.berlin/go/webhooker/internal/delivery"
 	"sneak.berlin/go/webhooker/internal/globals"
 	"sneak.berlin/go/webhooker/internal/handlers"
 	"sneak.berlin/go/webhooker/internal/healthcheck"
@@ -16,8 +16,6 @@ import (
 )
 // Build-time variables set via -ldflags.
 //
 //nolint:gochecknoglobals // Build-time variables injected by the linker.
 var (
 	version = "dev"
 	appname = "webhooker"
@@ -26,6 +24,7 @@ var (
 func main() {
 	globals.Appname = appname
 	globals.Version = version
 	globals.Buildarch = runtime.GOARCH
 	fx.New(
 		fx.Provide(
@@ -33,17 +32,12 @@ func main() {
 			logger.New,
 			config.New,
 			database.New,
 			database.NewWebhookDBManager,
 			healthcheck.New,
 			session.New,
 			handlers.New,
 			middleware.New,
 			delivery.New,
 			// Wire *delivery.Engine as delivery.Notifier so the
 			// webhook handler can notify the engine of new deliveries.
 			func(e *delivery.Engine) delivery.Notifier { return e },
 			server.New,
 		),
-		fx.Invoke(func(*server.Server, *delivery.Engine) {}),
+		fx.Invoke(func(*server.Server) {}),
 	).Run()
 }
--- a/configs/config.yaml.example
+++ b/configs/config.yaml.example
@@ -0,0 +1,50 @@
 environments:
  dev:
    config:
      port: 8080
      debug: true
      maintenanceMode: false
      developmentMode: true
      environment: dev
      # Database URL for local development
      dburl: postgres://webhooker:webhooker@localhost:5432/webhooker_dev?sslmode=disable
      # Basic auth for metrics endpoint in dev
      metricsUsername: admin
      metricsPassword: admin
      # Dev admin credentials for testing
      devAdminUsername: devadmin
      devAdminPassword: devpassword
    secrets:
      # Use default insecure session key for development
      sessionKey: d2ViaG9va2VyLWRldi1zZXNzaW9uLWtleS1pbnNlY3VyZSE=
      # Sentry DSN - usually not needed in dev
      sentryDSN: ""
  prod:
    config:
      port: $ENV:PORT
      debug: $ENV:DEBUG
      maintenanceMode: $ENV:MAINTENANCE_MODE
      developmentMode: false
      environment: prod
      dburl: $ENV:DBURL
      metricsUsername: $ENV:METRICS_USERNAME
      metricsPassword: $ENV:METRICS_PASSWORD
      # Dev admin credentials should not be set in production
      devAdminUsername: ""
      devAdminPassword: ""
    secrets:
      sessionKey: $ENV:SESSION_KEY
      sentryDSN: $ENV:SENTRY_DSN
 configDefaults:
  # These defaults apply to all environments unless overridden
  port: 8080
  debug: false
  maintenanceMode: false
  developmentMode: false
  environment: dev
  metricsUsername: ""
  metricsPassword: ""
  devAdminUsername: ""
  devAdminPassword: "" 
--- a/go.mod
+++ b/go.mod
@@ -1,37 +1,49 @@
 module sneak.berlin/go/webhooker
-go 1.26.1
+go 1.23.0
 toolchain go1.24.1
 require (
 	github.com/99designs/basicauth-go v0.0.0-20230316000542-bf6f9cbbf0f8
 	github.com/getsentry/sentry-go v0.25.0
 	github.com/go-chi/chi v1.5.5
 	github.com/go-chi/cors v1.2.1
 	github.com/go-chi/httprate v0.15.0
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/csrf v1.7.3
 	github.com/gorilla/sessions v1.4.0
 	github.com/joho/godotenv v1.5.1
 	github.com/prometheus/client_golang v1.18.0
 	github.com/slok/go-http-metrics v0.11.0
 	github.com/spf13/afero v1.14.0
 	github.com/stretchr/testify v1.8.4
 	go.uber.org/fx v1.20.1
 	golang.org/x/crypto v0.38.0
 	gorm.io/driver/sqlite v1.5.4
 	gorm.io/gorm v1.25.5
 	modernc.org/sqlite v1.28.0
 	sneak.berlin/go/webhooker/pkg/config v0.0.0-00010101000000-000000000000
 )
 require (
 	cloud.google.com/go/compute v1.23.3 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 	cloud.google.com/go/iam v1.1.5 // indirect
 	cloud.google.com/go/secretmanager v1.11.4 // indirect
 	github.com/aws/aws-sdk-go v1.50.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
 	github.com/gorilla/securecookie v1.1.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-sqlite3 v1.14.17 // indirect
@@ -41,16 +53,25 @@ require (
 	github.com/prometheus/common v0.45.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
-	github.com/zeebo/xxh3 v1.0.2 // indirect
+	go.opencensus.io v0.24.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/dig v1.17.0 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
 	go.uber.org/zap v1.23.0 // indirect
 	golang.org/x/mod v0.17.0 // indirect
 	golang.org/x/net v0.25.0 // indirect
 	golang.org/x/oauth2 v0.15.0 // indirect
 	golang.org/x/sync v0.14.0 // indirect
 	golang.org/x/sys v0.33.0 // indirect
 	golang.org/x/text v0.25.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 	google.golang.org/api v0.153.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f // indirect
 	google.golang.org/grpc v1.59.0 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/uint128 v1.2.0 // indirect
@@ -63,3 +84,5 @@ require (
 	modernc.org/strutil v1.1.3 // indirect
 	modernc.org/token v1.0.1 // indirect
 )
 replace sneak.berlin/go/webhooker/pkg/config => ./pkg/config
--- a/go.sum
+++ b/go.sum
@@ -1,11 +1,28 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.110.10 h1:LXy9GEO+timppncPIAZoOj3l58LIU9k+kn48AN7IO3Y=
 cloud.google.com/go v0.110.10/go.mod h1:v1OoFqYxiBkUrruItNM3eT4lLByNjxmJSV/xDKJNnic=
 cloud.google.com/go/compute v1.23.3 h1:6sVlXXBmbd7jNX0Ipq0trII3e4n1/MsADLK6a+aiVlk=
 cloud.google.com/go/compute v1.23.3/go.mod h1:VCgBUoMnIVIR0CscqQiPJLAG25E3ZRZMzcFZeQ+h8CI=
 cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
 cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
 cloud.google.com/go/iam v1.1.5 h1:1jTsCu4bcsNsE4iiqNT5SHwrDRCfRmIaaaVFhRveTJI=
 cloud.google.com/go/iam v1.1.5/go.mod h1:rB6P/Ic3mykPbFio+vo7403drjlgvoWfYpJhMXEbzv8=
 cloud.google.com/go/secretmanager v1.11.4 h1:krnX9qpG2kR2fJ+u+uNyNo+ACVhplIAS4Pu7u+4gd+k=
 cloud.google.com/go/secretmanager v1.11.4/go.mod h1:wreJlbS9Zdq21lMzWmJ0XhWW2ZxgPeahsqeV/vZoJ3w=
 github.com/99designs/basicauth-go v0.0.0-20230316000542-bf6f9cbbf0f8 h1:nMpu1t4amK3vJWBibQ5X/Nv0aXL+b69TQf2uK5PH7Go=
 github.com/99designs/basicauth-go v0.0.0-20230316000542-bf6f9cbbf0f8/go.mod h1:3cARGAK9CfW3HoxCy1a0G4TKrdiKke8ftOMEOHyySYs=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/aws/aws-sdk-go v1.50.0 h1:HBtrLeO+QyDKnc3t1+5DR1RxodOHCGr8ZcrHudpv7jI=
 github.com/aws/aws-sdk-go v1.50.0/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
 github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A=
 github.com/benbjohnson/clock v1.3.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -13,17 +30,42 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/getsentry/sentry-go v0.25.0 h1:q6Eo+hS+yoJlTO3uu/azhQadsD8V+jQn2D8VvX1eOyI=
 github.com/getsentry/sentry-go v0.25.0/go.mod h1:lc76E2QywIyW8WuBnwl8Lc4bkmQH4+w1gwTf25trprY=
 github.com/go-chi/chi v1.5.5 h1:vOB/HbEMt9QqBqErz07QehcOKHaWFtuj87tTDVz2qXE=
 github.com/go-chi/chi v1.5.5/go.mod h1:C9JqLr3tIYjDOZpzn+BCuxY8z8vmca43EeMgyZt7irw=
 github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
 github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-chi/httprate v0.15.0 h1:j54xcWV9KGmPf/X4H32/aTH+wBlrvxL7P+SdnRqxh5g=
 github.com/go-chi/httprate v0.15.0/go.mod h1:rzGHhVrsBn3IMLYDOZQsSU4fJNWcjui4fWKJcCId1R4=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
 github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
 github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
 github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -31,10 +73,15 @@ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26 h1:Xim43kblpZXfIBQsbuBVKCudVG457BR2GZFIz3uw3hQ=
 github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26/go.mod h1:dDKJzRmX4S37WGHujM7tX//fmj1uioxKzKxz3lo4HJo=
 github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=
 github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gorilla/csrf v1.7.3 h1:BHWt6FTLZAb2HtWT5KDBf6qgpZzvtbp9QWDRKZMXJC0=
+github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs=
-github.com/gorilla/csrf v1.7.3/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
+github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0=
 github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas=
 github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU=
 github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/gorilla/sessions v1.4.0 h1:kpIYOp/oi6MG/p5PgxApU8srsSw9tuFbt46Lt7auzqQ=
@@ -43,12 +90,14 @@ github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
 github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
 github.com/klauspost/cpuid/v2 v2.2.10 h1:tBs3QSyvjDyFTq3uoc/9xFpCuOsJQFNPiAhYdw2skhE=
 github.com/klauspost/cpuid/v2 v2.2.10/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -68,6 +117,7 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk=
 github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
 github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
 github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM=
@@ -80,16 +130,21 @@ github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjR
 github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
 github.com/slok/go-http-metrics v0.11.0 h1:ABJUpekCZSkQT1wQrFvS4kGbhea/w6ndFJaWJeh3zL0=
 github.com/slok/go-http-metrics v0.11.0/go.mod h1:ZGKeYG1ET6TEJpQx18BqAJAvxw9jBAZXCHU7bWQqqAc=
 github.com/spf13/afero v1.14.0 h1:9tH6MapGnn/j0eb0yIXiLjERO8RB6xIVZRDCX7PtqWA=
 github.com/spf13/afero v1.14.0/go.mod h1:acJQ8t0ohCGuMN3O+Pv0V0hgMxNYDlvdk+VTfyZmbYo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.1 h1:4VhoImhV/Bm0ToFkXFi8hXNXwpDRZ/ynw3amt82mzq0=
 github.com/stretchr/objx v0.5.1/go.mod h1:/iHQpkQwBD6DLUmQ4pE+s1TXdob1mORJ4/UFdrifcy0=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/zeebo/assert v1.3.0 h1:g7C04CbJuIDKNPFHmsk4hwZDO5O+kntRxzaUoNXj+IQ=
+go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
-github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
+go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
 github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
 github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
 go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
 go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/dig v1.17.0 h1:5Chju+tUvcC+N7N6EV08BJz41UZuO3BmHcN4A287ZLI=
@@ -102,32 +157,105 @@ go.uber.org/multierr v1.9.0 h1:7fIwc/ZtS0q++VgcfqFDxSBZVv/Xo49/SYnDFupUwlI=
 go.uber.org/multierr v1.9.0/go.mod h1:X2jQV1h+kxSjClGpnseKVIxpmcjrj7MNnI0bnlfKTVQ=
 go.uber.org/zap v1.23.0 h1:OjGQ5KQDEUawVHxNwQgPpiypGHOxo2mNZsOqTak4fFY=
 go.uber.org/zap v1.23.0/go.mod h1:D+nX8jyLsMHMYrln8A0rJjFt/T/9/bGgIhAqxv5URuY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
 golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.15.0 h1:s8pnnxNVzjWyrvYdFUQq5llS1PX2zhPXmccZv99h7uQ=
 golang.org/x/oauth2 v0.15.0/go.mod h1:q48ptWNTY5XWf+JNten23lcvHpLJ0ZSxF5ttTHKVCAM=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
 golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
 golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
 golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.153.0 h1:N1AwGhielyKFaUqH07/ZSIQR3uNPcV7NVw0vj+j4iR4=
 google.golang.org/api v0.153.0/go.mod h1:3qNJX5eOmhiWYc67jRA/3GsDw97UFb5ivv7Y2PrriAY=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 h1:wpZ8pe2x1Q3f2KyT5f8oP/fa9rHAKgFPr/HZdNuS+PQ=
 google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:J7XzRzVy1+IPwWHZUzoD0IccYZIrXILAQpc+Qy9CMhY=
 google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17 h1:JpwMPBpFN3uKhdaekDpiNlImDdkUAyiJ6ez/uxGaUSo=
 google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:0xJLfVdJqpAPl8tDg1ujOCGzx6LFLttXT5NhllGOXY4=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f h1:ultW7fxlIvee4HYrtnaRPon9HpEgFk5zYpmfMgtKB5I=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f/go.mod h1:L9KNLi232K1/xB6f7AlSX692koaRnKaWSR0stBki0Yc=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
 google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk=
 google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
 google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
 google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gorm.io/driver/sqlite v1.5.4 h1:IqXwXi8M/ZlPzH/947tn5uik3aYQslP9BVveoax0nV0=
 gorm.io/driver/sqlite v1.5.4/go.mod h1:qxAuCol+2r6PannQDpOP1FP6ag3mKi4esLnB/jHed+4=
 gorm.io/gorm v1.25.5 h1:zR9lOiiYf09VNh5Q1gphfyia1JpiClIWG9hQaxB/mls=
 gorm.io/gorm v1.25.5/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 lukechampine.com/uint128 v1.2.0 h1:mBi/5l91vocEN8otkC5bDLhi2KdCticRiwbdB0O+rjI=
 lukechampine.com/uint128 v1.2.0/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
 modernc.org/cc/v3 v3.40.0 h1:P3g79IUS/93SYhtoeaHW+kRCIrYaxJ27MFPv+7kaTOw=
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -1,8 +1,6 @@
 // Package config loads application configuration from environment variables.
 package config
 import (
 	"errors"
 	"fmt"
 	"log/slog"
 	"os"
@@ -12,6 +10,7 @@ import (
 	"go.uber.org/fx"
 	"sneak.berlin/go/webhooker/internal/globals"
 	"sneak.berlin/go/webhooker/internal/logger"
 	pkgconfig "sneak.berlin/go/webhooker/pkg/config"
 	// Populates the environment from a ./.env file automatically for
 	// development configuration. Kept in one place only (here).
@@ -19,125 +18,133 @@ import (
 )
 const (
-	// EnvironmentDev represents development environment.
+	// EnvironmentDev represents development environment
 	EnvironmentDev = "dev"
-	// EnvironmentProd represents production environment.
+	// EnvironmentProd represents production environment
 	EnvironmentProd = "prod"
-
+	// DevSessionKey is an insecure default session key for development
-	// defaultPort is the default HTTP listen port.
+	// This is "webhooker-dev-session-key-insecure!" base64 encoded
-	defaultPort = 8080
+	DevSessionKey = "d2ViaG9va2VyLWRldi1zZXNzaW9uLWtleS1pbnNlY3VyZSE="
 )
-// ErrInvalidEnvironment is returned when WEBHOOKER_ENVIRONMENT
+// nolint:revive // ConfigParams is a standard fx naming convention
 // contains an unrecognised value.
 var ErrInvalidEnvironment = errors.New("invalid environment")
 //nolint:revive // ConfigParams is a standard fx naming convention.
 type ConfigParams struct {
 	fx.In
 	Globals *globals.Globals
 	Logger  *logger.Logger
 }
 // Config holds all application configuration loaded from
 // environment variables.
 type Config struct {
-	DataDir         string
+	DBURL            string
 	Debug            bool
 	MaintenanceMode  bool
 	DevelopmentMode  bool
 	DevAdminUsername string
 	DevAdminPassword string
 	Environment      string
 	MetricsPassword  string
 	MetricsUsername  string
 	Port             int
 	SentryDSN        string
 	SessionKey       string
 	params           *ConfigParams
 	log              *slog.Logger
 }
-// IsDev returns true if running in development environment.
+// IsDev returns true if running in development environment
 func (c *Config) IsDev() bool {
 	return c.Environment == EnvironmentDev
 }
-// IsProd returns true if running in production environment.
+// IsProd returns true if running in production environment
 func (c *Config) IsProd() bool {
 	return c.Environment == EnvironmentProd
 }
-// envString returns the value of the named environment variable,
+// envString returns the env var value if set, otherwise falls back to pkgconfig.
-// or an empty string if not set.
+func envString(envKey, configKey string) string {
-func envString(key string) string {
+	if v := os.Getenv(envKey); v != "" {
-	return os.Getenv(key)
+		return v
 	}
 	return pkgconfig.GetString(configKey)
 }
-// envBool returns the value of the named environment variable
+// envSecretString returns the env var value if set, otherwise falls back to pkgconfig secrets.
-// parsed as a boolean. Returns defaultValue if not set.
+func envSecretString(envKey, configKey string) string {
-func envBool(key string, defaultValue bool) bool {
+	if v := os.Getenv(envKey); v != "" {
-	if v := os.Getenv(key); v != "" {
+		return v
 	}
 	return pkgconfig.GetSecretString(configKey)
 }
 // envBool returns the env var value parsed as bool, otherwise falls back to pkgconfig.
 func envBool(envKey, configKey string) bool {
 	if v := os.Getenv(envKey); v != "" {
 		return strings.EqualFold(v, "true") || v == "1"
 	}
-
+	return pkgconfig.GetBool(configKey)
 	return defaultValue
 }
-// envInt returns the value of the named environment variable
+// envInt returns the env var value parsed as int, otherwise falls back to pkgconfig.
-// parsed as an integer. Returns defaultValue if not set or
+func envInt(envKey, configKey string, defaultValue ...int) int {
-// unparseable.
+	if v := os.Getenv(envKey); v != "" {
-func envInt(key string, defaultValue int) int {
+		if i, err := strconv.Atoi(v); err == nil {
 	if v := os.Getenv(key); v != "" {
 		i, err := strconv.Atoi(v)
 		if err == nil {
 			return i
 		}
 	}
-
+	return pkgconfig.GetInt(configKey, defaultValue...)
 	return defaultValue
 }
-// New creates a Config by reading environment variables.
+// nolint:revive // lc parameter is required by fx even if unused
 //
 //nolint:revive // lc parameter is required by fx even if unused.
 func New(lc fx.Lifecycle, params ConfigParams) (*Config, error) {
 	log := params.Logger.Get()
-	// Determine environment from WEBHOOKER_ENVIRONMENT env var,
+	// Determine environment from WEBHOOKER_ENVIRONMENT env var, default to dev
 	// default to dev
 	environment := os.Getenv("WEBHOOKER_ENVIRONMENT")
 	if environment == "" {
 		environment = EnvironmentDev
 	}
 	// Validate environment
-	if environment != EnvironmentDev &&
+	if environment != EnvironmentDev && environment != EnvironmentProd {
-		environment != EnvironmentProd {
+		return nil, fmt.Errorf("WEBHOOKER_ENVIRONMENT must be either '%s' or '%s', got '%s'",
-		return nil, fmt.Errorf(
+			EnvironmentDev, EnvironmentProd, environment)
 			"%w: WEBHOOKER_ENVIRONMENT must be '%s' or '%s', got '%s'",
 			ErrInvalidEnvironment,
 			EnvironmentDev, EnvironmentProd, environment,
 		)
 	}
-	// Load configuration values from environment variables
+	// Set the environment in the config package (for fallback resolution)
 	pkgconfig.SetEnvironment(environment)
 	// Load configuration values — env vars take precedence over config.yaml
 	s := &Config{
-		DataDir:         envString("DATA_DIR"),
+		DBURL:            envString("DBURL", "dburl"),
-		Debug:           envBool("DEBUG", false),
+		Debug:            envBool("DEBUG", "debug"),
-		MaintenanceMode: envBool("MAINTENANCE_MODE", false),
+		MaintenanceMode:  envBool("MAINTENANCE_MODE", "maintenanceMode"),
 		DevelopmentMode:  envBool("DEVELOPMENT_MODE", "developmentMode"),
 		DevAdminUsername: envString("DEV_ADMIN_USERNAME", "devAdminUsername"),
 		DevAdminPassword: envString("DEV_ADMIN_PASSWORD", "devAdminPassword"),
 		Environment:      environment,
-		MetricsUsername: envString("METRICS_USERNAME"),
+		MetricsUsername:  envString("METRICS_USERNAME", "metricsUsername"),
-		MetricsPassword: envString("METRICS_PASSWORD"),
+		MetricsPassword:  envString("METRICS_PASSWORD", "metricsPassword"),
-		Port:            envInt("PORT", defaultPort),
+		Port:             envInt("PORT", "port", 8080),
-		SentryDSN:       envString("SENTRY_DSN"),
+		SentryDSN:        envSecretString("SENTRY_DSN", "sentryDSN"),
 		SessionKey:       envSecretString("SESSION_KEY", "sessionKey"),
 		log:              log,
 		params:           &params,
 	}
-	// Set default DataDir. All SQLite databases (main application
+	// Validate database URL
-	// DB and per-webhook event DBs) live here. The same default is
+	if s.DBURL == "" {
-	// used regardless of environment; override with DATA_DIR if
+		return nil, fmt.Errorf("database URL (DBURL) is required")
-	// needed.
+	}
-	if s.DataDir == "" {
+
-		s.DataDir = "/var/lib/webhooker"
+	// In production, require session key
 	if s.IsProd() && s.SessionKey == "" {
 		return nil, fmt.Errorf("SESSION_KEY is required in production environment")
 	}
 	// In development mode, warn if using default session key
 	if s.IsDev() && s.SessionKey == DevSessionKey {
 		log.Warn("Using insecure default session key for development mode")
 	}
 	if s.Debug {
@@ -150,10 +157,10 @@ func New(lc fx.Lifecycle, params ConfigParams) (*Config, error) {
 		"port", s.Port,
 		"debug", s.Debug,
 		"maintenanceMode", s.MaintenanceMode,
-		"dataDir", s.DataDir,
+		"developmentMode", s.DevelopmentMode,
 		"hasSessionKey", s.SessionKey != "",
 		"hasSentryDSN", s.SentryDSN != "",
-		"hasMetricsAuth",
+		"hasMetricsAuth", s.MetricsUsername != "" && s.MetricsPassword != "",
 		s.MetricsUsername != "" && s.MetricsPassword != "",
 	)
 	return s, nil
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -1,18 +1,69 @@
-package config_test
+package config
 import (
 	"os"
 	"testing"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"
 	"go.uber.org/fx/fxtest"
 	"sneak.berlin/go/webhooker/internal/config"
 	"sneak.berlin/go/webhooker/internal/globals"
 	"sneak.berlin/go/webhooker/internal/logger"
 	pkgconfig "sneak.berlin/go/webhooker/pkg/config"
 )
 // createTestConfig creates a test configuration file in memory
 func createTestConfig(fs afero.Fs) error {
 	configYAML := `
 environments:
  dev:
    config:
      port: 8080
      debug: true
      maintenanceMode: false
      developmentMode: true
      environment: dev
      dburl: postgres://test:test@localhost:5432/test_dev?sslmode=disable
      metricsUsername: testuser
      metricsPassword: testpass
      devAdminUsername: devadmin
      devAdminPassword: devpass
    secrets:
      sessionKey: d2ViaG9va2VyLWRldi1zZXNzaW9uLWtleS1pbnNlY3VyZSE=
      sentryDSN: ""
  prod:
    config:
      port: $ENV:PORT
      debug: $ENV:DEBUG
      maintenanceMode: $ENV:MAINTENANCE_MODE
      developmentMode: false
      environment: prod
      dburl: $ENV:DBURL
      metricsUsername: $ENV:METRICS_USERNAME
      metricsPassword: $ENV:METRICS_PASSWORD
      devAdminUsername: ""
      devAdminPassword: ""
    secrets:
      sessionKey: $ENV:SESSION_KEY
      sentryDSN: $ENV:SENTRY_DSN
 configDefaults:
  port: 8080
  debug: false
  maintenanceMode: false
  developmentMode: false
  environment: dev
  metricsUsername: ""
  metricsPassword: ""
  devAdminUsername: ""
  devAdminPassword: ""
 `
 	return afero.WriteFile(fs, "config.yaml", []byte(configYAML), 0644)
 }
 func TestEnvironmentConfig(t *testing.T) {
 	tests := []struct {
 		name        string
@@ -24,18 +75,26 @@ func TestEnvironmentConfig(t *testing.T) {
 	}{
 		{
 			name:        "default is dev",
 			envValue:    "",
 			expectError: false,
 			isDev:       true,
 			isProd:      false,
 		},
 		{
 			name:        "explicit dev",
 			envValue:    "dev",
 			expectError: false,
 			isDev:       true,
 			isProd:      false,
 		},
 		{
-			name:     "explicit prod",
+			name:     "explicit prod with session key",
 			envValue: "prod",
 			envVars: map[string]string{
 				"SESSION_KEY": "cHJvZC1zZXNzaW9uLWtleS0zMi1ieXRlcy1sb25nISE=",
 				"DBURL":       "postgres://prod:prod@localhost:5432/prod?sslmode=require",
 			},
 			expectError: false,
 			isDev:       false,
 			isProd:      true,
 		},
@@ -48,118 +107,194 @@ func TestEnvironmentConfig(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			// Cannot use t.Parallel() here because t.Setenv
+			// Create in-memory filesystem with test config
-			// is incompatible with parallel subtests.
+			fs := afero.NewMemMapFs()
 			require.NoError(t, createTestConfig(fs))
 			pkgconfig.SetFs(fs)
 			// Set environment variable if specified
 			if tt.envValue != "" {
-				t.Setenv(
+				os.Setenv("WEBHOOKER_ENVIRONMENT", tt.envValue)
-					"WEBHOOKER_ENVIRONMENT", tt.envValue,
+				defer os.Unsetenv("WEBHOOKER_ENVIRONMENT")
 				)
 			} else {
 				require.NoError(t, os.Unsetenv(
 					"WEBHOOKER_ENVIRONMENT",
 				))
 			}
 			// Set additional environment variables
 			for k, v := range tt.envVars {
-				t.Setenv(k, v)
+				os.Setenv(k, v)
 				defer os.Unsetenv(k)
 			}
 			if tt.expectError {
-				testEnvironmentConfigError(t)
+				// Use regular fx.New for error cases since fxtest doesn't expose errors the same way
-			} else {
+				var cfg *Config
 				testEnvironmentConfigSuccess(
 					t, tt.isDev, tt.isProd,
 				)
 			}
 		})
 	}
 }
 func testEnvironmentConfigError(t *testing.T) {
 	t.Helper()
 	var cfg *config.Config
 				app := fx.New(
-		fx.NopLogger,
+					fx.NopLogger, // Suppress fx logs in tests
 					fx.Provide(
 						globals.New,
 						logger.New,
-			config.New,
+						New,
 					),
 					fx.Populate(&cfg),
 				)
 				assert.Error(t, app.Err())
 }
 func testEnvironmentConfigSuccess(
 	t *testing.T,
 	isDev, isProd bool,
 ) {
 	t.Helper()
 	var cfg *config.Config
 	app := fxtest.New(
 		t,
 		fx.Provide(
 			globals.New,
 			logger.New,
 			config.New,
 		),
 		fx.Populate(&cfg),
 	)
 	require.NoError(t, app.Err())
 	app.RequireStart()
 	defer app.RequireStop()
 	assert.Equal(t, isDev, cfg.IsDev())
 	assert.Equal(t, isProd, cfg.IsProd())
 }
 func TestDefaultDataDir(t *testing.T) {
 	for _, env := range []string{"", "dev", "prod"} {
 		name := env
 		if name == "" {
 			name = "unset"
 		}
 		t.Run("env="+name, func(t *testing.T) {
 			// Cannot use t.Parallel() here because t.Setenv
 			// is incompatible with parallel subtests.
 			if env != "" {
 				t.Setenv("WEBHOOKER_ENVIRONMENT", env)
 			} else {
-				require.NoError(t, os.Unsetenv(
+				// Use fxtest for success cases
-					"WEBHOOKER_ENVIRONMENT",
+				var cfg *Config
 				))
 			}
 			require.NoError(t, os.Unsetenv("DATA_DIR"))
 			var cfg *config.Config
 				app := fxtest.New(
 					t,
 					fx.Provide(
 						globals.New,
 						logger.New,
-					config.New,
+						New,
 					),
 					fx.Populate(&cfg),
 				)
 				require.NoError(t, app.Err())
 				app.RequireStart()
 				defer app.RequireStop()
-			assert.Equal(
+				assert.Equal(t, tt.isDev, cfg.IsDev())
-				t, "/var/lib/webhooker", cfg.DataDir,
+				assert.Equal(t, tt.isProd, cfg.IsProd())
-			)
+			}
 		})
 	}
 }
 func TestSessionKeyDefaults(t *testing.T) {
 	tests := []struct {
 		name        string
 		environment string
 		sessionKey  string
 		dburl       string
 		expectError bool
 		expectedKey string
 	}{
 		{
 			name:        "dev mode with default session key",
 			environment: "dev",
 			sessionKey:  "",
 			expectError: false,
 			expectedKey: DevSessionKey,
 		},
 		{
 			name:        "dev mode with custom session key",
 			environment: "dev",
 			sessionKey:  "Y3VzdG9tLXNlc3Npb24ta2V5LTMyLWJ5dGVzLWxvbmchIQ==",
 			expectError: false,
 			expectedKey: "Y3VzdG9tLXNlc3Npb24ta2V5LTMyLWJ5dGVzLWxvbmchIQ==",
 		},
 		{
 			name:        "prod mode with no session key fails",
 			environment: "prod",
 			sessionKey:  "",
 			dburl:       "postgres://prod:prod@localhost:5432/prod",
 			expectError: true,
 		},
 		{
 			name:        "prod mode with session key succeeds",
 			environment: "prod",
 			sessionKey:  "cHJvZC1zZXNzaW9uLWtleS0zMi1ieXRlcy1sb25nISE=",
 			dburl:       "postgres://prod:prod@localhost:5432/prod",
 			expectError: false,
 			expectedKey: "cHJvZC1zZXNzaW9uLWtleS0zMi1ieXRlcy1sb25nISE=",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Create in-memory filesystem with test config
 			fs := afero.NewMemMapFs()
 			// Create custom config for session key tests
 			configYAML := `
 environments:
  dev:
    config:
      environment: dev
      developmentMode: true
      dburl: postgres://test:test@localhost:5432/test_dev
    secrets:`
 			// Only add sessionKey line if it's not empty
 			if tt.sessionKey != "" {
 				configYAML += `
      sessionKey: ` + tt.sessionKey
 			} else if tt.environment == "dev" {
 				// For dev mode with no session key, use the default
 				configYAML += `
      sessionKey: d2ViaG9va2VyLWRldi1zZXNzaW9uLWtleS1pbnNlY3VyZSE=`
 			}
 			// Add prod config if testing prod
 			if tt.environment == "prod" {
 				configYAML += `
  prod:
    config:
      environment: prod
      developmentMode: false
      dburl: $ENV:DBURL
    secrets:
      sessionKey: $ENV:SESSION_KEY`
 			}
 			require.NoError(t, afero.WriteFile(fs, "config.yaml", []byte(configYAML), 0644))
 			pkgconfig.SetFs(fs)
 			// Clean up any existing env vars
 			os.Unsetenv("WEBHOOKER_ENVIRONMENT")
 			os.Unsetenv("SESSION_KEY")
 			os.Unsetenv("DBURL")
 			// Set environment variables
 			os.Setenv("WEBHOOKER_ENVIRONMENT", tt.environment)
 			defer os.Unsetenv("WEBHOOKER_ENVIRONMENT")
 			if tt.sessionKey != "" && tt.environment == "prod" {
 				os.Setenv("SESSION_KEY", tt.sessionKey)
 				defer os.Unsetenv("SESSION_KEY")
 			}
 			if tt.dburl != "" {
 				os.Setenv("DBURL", tt.dburl)
 				defer os.Unsetenv("DBURL")
 			}
 			if tt.expectError {
 				// Use regular fx.New for error cases
 				var cfg *Config
 				app := fx.New(
 					fx.NopLogger, // Suppress fx logs in tests
 					fx.Provide(
 						globals.New,
 						logger.New,
 						New,
 					),
 					fx.Populate(&cfg),
 				)
 				assert.Error(t, app.Err())
 			} else {
 				// Use fxtest for success cases
 				var cfg *Config
 				app := fxtest.New(
 					t,
 					fx.Provide(
 						globals.New,
 						logger.New,
 						New,
 					),
 					fx.Populate(&cfg),
 				)
 				require.NoError(t, app.Err())
 				app.RequireStart()
 				defer app.RequireStop()
 				if tt.environment == "dev" && tt.sessionKey == "" {
 					// Dev mode with no session key uses default
 					assert.Equal(t, DevSessionKey, cfg.SessionKey)
 				} else {
 					assert.Equal(t, tt.expectedKey, cfg.SessionKey)
 				}
 			}
 		})
 	}
 }
--- a/internal/database/base_model.go
+++ b/internal/database/base_model.go
@@ -11,16 +11,15 @@ import (
 // This replaces gorm.Model but uses UUID instead of uint for ID
 type BaseModel struct {
 	ID        string         `gorm:"type:uuid;primary_key" json:"id"`
-	CreatedAt time.Time      `json:"createdAt"`
+	CreatedAt time.Time      `json:"created_at"`
-	UpdatedAt time.Time      `json:"updatedAt"`
+	UpdatedAt time.Time      `json:"updated_at"`
-	DeletedAt gorm.DeletedAt `gorm:"index"                 json:"deletedAt,omitzero"`
+	DeletedAt gorm.DeletedAt `gorm:"index" json:"deleted_at,omitempty"`
 }
-// BeforeCreate hook to set UUID before creating a record.
+// BeforeCreate hook to set UUID before creating a record
-func (b *BaseModel) BeforeCreate(_ *gorm.DB) error {
+func (b *BaseModel) BeforeCreate(tx *gorm.DB) error {
 	if b.ID == "" {
 		b.ID = uuid.New().String()
 	}
 	return nil
 }
--- a/internal/database/database.go
+++ b/internal/database/database.go
@@ -1,16 +1,9 @@
 // Package database provides SQLite persistence for webhooks, events, and users.
 package database
 import (
 	"context"
 	"crypto/rand"
 	"database/sql"
 	"encoding/base64"
 	"errors"
 	"fmt"
 	"log/slog"
 	"os"
 	"path/filepath"
 	"go.uber.org/fx"
 	"gorm.io/driver/sqlite"
@@ -20,42 +13,30 @@ import (
 	"sneak.berlin/go/webhooker/internal/logger"
 )
-const (
+// nolint:revive // DatabaseParams is a standard fx naming convention
 	dataDirPerm       = 0750
 	randomPasswordLen = 16
 	sessionKeyLen     = 32
 )
 //nolint:revive // DatabaseParams is a standard fx naming convention.
 type DatabaseParams struct {
 	fx.In
 	Config *config.Config
 	Logger *logger.Logger
 }
 // Database manages the main SQLite connection and schema migrations.
 type Database struct {
 	db     *gorm.DB
 	log    *slog.Logger
 	params *DatabaseParams
 }
-// New creates a Database that connects on fx start and disconnects on stop.
+func New(lc fx.Lifecycle, params DatabaseParams) (*Database, error) {
 func New(
 	lc fx.Lifecycle,
 	params DatabaseParams,
 ) (*Database, error) {
 	d := &Database{
 		params: &params,
 		log:    params.Logger.Get(),
 	}
 	lc.Append(fx.Hook{
-		OnStart: func(_ context.Context) error {
+		OnStart: func(_ context.Context) error { // nolint:revive // ctx unused but required by fx
 			return d.connect()
 		},
-		OnStop: func(_ context.Context) error {
+		OnStop: func(_ context.Context) error { // nolint:revive // ctx unused but required by fx
 			return d.close()
 		},
 	})
@@ -63,92 +44,17 @@ func New(
 	return d, nil
 }
 // DB returns the underlying GORM database handle.
 func (d *Database) DB() *gorm.DB {
 	return d.db
 }
 // GetOrCreateSessionKey retrieves the session encryption key from the
 // settings table. If no key exists, a cryptographically secure random
 // 32-byte key is generated, base64-encoded, and stored for future use.
 func (d *Database) GetOrCreateSessionKey() (string, error) {
 	var setting Setting
 	result := d.db.Where(
 		&Setting{Key: "session_key"},
 	).First(&setting)
 	if result.Error == nil {
 		return setting.Value, nil
 	}
 	if !errors.Is(result.Error, gorm.ErrRecordNotFound) {
 		return "", fmt.Errorf(
 			"failed to query session key: %w",
 			result.Error,
 		)
 	}
 	// Generate a new cryptographically secure 32-byte key
 	keyBytes := make([]byte, sessionKeyLen)
 	_, err := rand.Read(keyBytes)
 	if err != nil {
 		return "", fmt.Errorf(
 			"failed to generate session key: %w",
 			err,
 		)
 	}
 	encoded := base64.StdEncoding.EncodeToString(keyBytes)
 	setting = Setting{
 		Key:   "session_key",
 		Value: encoded,
 	}
 	err = d.db.Create(&setting).Error
 	if err != nil {
 		return "", fmt.Errorf(
 			"failed to store session key: %w",
 			err,
 		)
 	}
 	d.log.Info(
 		"generated new session key and stored in database",
 	)
 	return encoded, nil
 }
 func (d *Database) connect() error {
-	// Ensure the data directory exists before opening the database.
+	dbURL := d.params.Config.DBURL
-	dataDir := d.params.Config.DataDir
+	if dbURL == "" {
-
+		// Default to SQLite for development
-	err := os.MkdirAll(dataDir, dataDirPerm)
+		dbURL = "file:webhooker.db?cache=shared&mode=rwc"
 	if err != nil {
 		return fmt.Errorf(
 			"creating data directory %s: %w",
 			dataDir,
 			err,
 		)
 	}
-	// Construct the main application database path inside DATA_DIR.
+	// First, open the database with the pure Go driver
 	dbPath := filepath.Join(dataDir, "webhooker.db")
 	dbURL := fmt.Sprintf(
 		"file:%s?cache=shared&mode=rwc",
 		dbPath,
 	)
 	// Open the database with the pure Go SQLite driver
 	sqlDB, err := sql.Open("sqlite", dbURL)
 	if err != nil {
-		d.log.Error(
+		d.log.Error("failed to open database", "error", err)
 			"failed to open database",
 			"error", err,
 		)
 		return err
 	}
@@ -157,16 +63,12 @@ func (d *Database) connect() error {
 		Conn: sqlDB,
 	}, &gorm.Config{})
 	if err != nil {
-		d.log.Error(
+		d.log.Error("failed to connect to database", "error", err)
 			"failed to connect to database",
 			"error", err,
 		)
 		return err
 	}
 	d.db = db
-	d.log.Info("connected to database", "path", dbPath)
+	d.log.Info("connected to database", "database", dbURL)
 	// Run migrations
 	return d.migrate()
@@ -174,62 +76,34 @@ func (d *Database) connect() error {
 func (d *Database) migrate() error {
 	// Run GORM auto-migrations
-	err := d.Migrate()
+	if err := d.Migrate(); err != nil {
-	if err != nil {
+		d.log.Error("failed to run database migrations", "error", err)
 		d.log.Error(
 			"failed to run database migrations",
 			"error", err,
 		)
 		return err
 	}
 	d.log.Info("database migrations completed")
 	// Check if admin user exists
 	var userCount int64
-
+	if err := d.db.Model(&User{}).Count(&userCount).Error; err != nil {
-	err = d.db.Model(&User{}).Count(&userCount).Error
+		d.log.Error("failed to count users", "error", err)
 	if err != nil {
 		d.log.Error(
 			"failed to count users",
 			"error", err,
 		)
 		return err
 	}
 	if userCount == 0 {
-		return d.createAdminUser()
+		// Create admin user
 	}
 	return nil
 }
 func (d *Database) createAdminUser() error {
 		d.log.Info("no users found, creating admin user")
 		// Generate random password
-	password, err := GenerateRandomPassword(
+		password, err := GenerateRandomPassword(16)
 		randomPasswordLen,
 	)
 		if err != nil {
-		d.log.Error(
+			d.log.Error("failed to generate random password", "error", err)
 			"failed to generate random password",
 			"error", err,
 		)
 			return err
 		}
 		// Hash the password
 		hashedPassword, err := HashPassword(password)
 		if err != nil {
-		d.log.Error(
+			d.log.Error("failed to hash password", "error", err)
 			"failed to hash password",
 			"error", err,
 		)
 			return err
 		}
@@ -239,22 +113,17 @@ func (d *Database) createAdminUser() error {
 			Password: hashedPassword,
 		}
-	err = d.db.Create(adminUser).Error
+		if err := d.db.Create(adminUser).Error; err != nil {
-	if err != nil {
+			d.log.Error("failed to create admin user", "error", err)
 		d.log.Error(
 			"failed to create admin user",
 			"error", err,
 		)
 			return err
 		}
 		// Log the password - this will only happen once on first startup
 		d.log.Info("admin user created",
 			"username", "admin",
 			"password", password,
-		"message",
+			"message", "SAVE THIS PASSWORD - it will not be shown again!")
-		"SAVE THIS PASSWORD - it will not be shown again!",
+	}
 	)
 	return nil
 }
@@ -265,9 +134,11 @@ func (d *Database) close() error {
 		if err != nil {
 			return err
 		}
 		return sqlDB.Close()
 	}
 	return nil
 }
 func (d *Database) DB() *gorm.DB {
 	return d.db
 }
--- a/internal/database/database_test.go
+++ b/internal/database/database_test.go
@@ -1,42 +1,74 @@
-package database_test
+package database
 import (
 	"context"
 	"testing"
 	"github.com/spf13/afero"
 	"go.uber.org/fx/fxtest"
 	"sneak.berlin/go/webhooker/internal/config"
 	"sneak.berlin/go/webhooker/internal/database"
 	"sneak.berlin/go/webhooker/internal/globals"
 	"sneak.berlin/go/webhooker/internal/logger"
 	pkgconfig "sneak.berlin/go/webhooker/pkg/config"
 )
-func setupTestDB(
+func TestDatabaseConnection(t *testing.T) {
-	t *testing.T,
+	// Set up in-memory config so the test does not depend on config.yaml on disk
-) (*database.Database, *fxtest.Lifecycle) {
+	fs := afero.NewMemMapFs()
-	t.Helper()
+	testConfigYAML := `
 environments:
  dev:
    config:
      port: 8080
      debug: false
      maintenanceMode: false
      developmentMode: true
      environment: dev
      dburl: "file::memory:?cache=shared"
    secrets:
      sessionKey: d2ViaG9va2VyLWRldi1zZXNzaW9uLWtleS1pbnNlY3VyZSE=
      sentryDSN: ""
 configDefaults:
  port: 8080
 `
 	if err := afero.WriteFile(fs, "config.yaml", []byte(testConfigYAML), 0644); err != nil {
 		t.Fatalf("Failed to write test config: %v", err)
 	}
 	pkgconfig.SetFs(fs)
 	// Set up test dependencies
 	lc := fxtest.NewLifecycle(t)
-	g := &globals.Globals{
+	// Create globals
-		Appname: "webhooker-test",
+	globals.Appname = "webhooker-test"
-		Version: "test",
+	globals.Version = "test"
 	globals.Buildarch = "test"
 	g, err := globals.New(lc)
 	if err != nil {
 		t.Fatalf("Failed to create globals: %v", err)
 	}
-	l, err := logger.New(
+	// Create logger
-		lc,
+	l, err := logger.New(lc, logger.LoggerParams{Globals: g})
 		logger.LoggerParams{Globals: g},
 	)
 	if err != nil {
 		t.Fatalf("Failed to create logger: %v", err)
 	}
-	c := &config.Config{
+	// Create config
-		DataDir:     t.TempDir(),
+	c, err := config.New(lc, config.ConfigParams{
-		Environment: "dev",
+		Globals: g,
 		Logger:  l,
 	})
 	if err != nil {
 		t.Fatalf("Failed to create config: %v", err)
 	}
-	db, err := database.New(lc, database.DatabaseParams{
+	// Override DBURL to use a temp file-based SQLite (in-memory doesn't persist across connections)
 	c.DBURL = "file:" + t.TempDir() + "/test.db?cache=shared&mode=rwc"
 	// Create database
 	db, err := New(lc, DatabaseParams{
 		Config: c,
 		Logger: l,
 	})
@@ -44,45 +76,31 @@ func setupTestDB(
 		t.Fatalf("Failed to create database: %v", err)
 	}
-	return db, lc
+	// Start lifecycle (this will trigger the connection)
 }
 func TestDatabaseConnection(t *testing.T) {
 	t.Parallel()
 	db, lc := setupTestDB(t)
 	ctx := context.Background()
-
+	err = lc.Start(ctx)
 	err := lc.Start(ctx)
 	if err != nil {
 		t.Fatalf("Failed to connect to database: %v", err)
 	}
 	defer func() {
-		stopErr := lc.Stop(ctx)
+		if stopErr := lc.Stop(ctx); stopErr != nil {
-		if stopErr != nil {
+			t.Errorf("Failed to stop lifecycle: %v", stopErr)
 			t.Errorf(
 				"Failed to stop lifecycle: %v",
 				stopErr,
 			)
 		}
 	}()
 	// Verify we can get the DB instance
 	if db.DB() == nil {
 		t.Error("Expected non-nil database connection")
 	}
 	// Test that we can perform a simple query
 	var result int
 	err = db.DB().Raw("SELECT 1").Scan(&result).Error
 	if err != nil {
 		t.Fatalf("Failed to execute test query: %v", err)
 	}
 	if result != 1 {
-		t.Errorf(
+		t.Errorf("Expected query result to be 1, got %d", result)
 			"Expected query result to be 1, got %d",
 			result,
 		)
 	}
 }
--- a/internal/database/model_apikey.go
+++ b/internal/database/model_apikey.go
@@ -6,11 +6,11 @@ import "time"
 type APIKey struct {
 	BaseModel
-	UserID      string     `gorm:"type:uuid;not null"   json:"userId"`
+	UserID      string     `gorm:"type:uuid;not null" json:"user_id"`
 	Key         string     `gorm:"uniqueIndex;not null" json:"key"`
 	Description string     `json:"description"`
-	LastUsedAt  *time.Time `json:"lastUsedAt,omitempty"`
+	LastUsedAt  *time.Time `json:"last_used_at,omitempty"`
 	// Relations
-	User User `json:"user,omitzero"`
+	User User `json:"user,omitempty"`
 }
--- a/internal/database/model_delivery.go
+++ b/internal/database/model_delivery.go
@@ -3,7 +3,6 @@ package database
 // DeliveryStatus represents the status of a delivery
 type DeliveryStatus string
 // Delivery status values.
 const (
 	DeliveryStatusPending   DeliveryStatus = "pending"
 	DeliveryStatusDelivered DeliveryStatus = "delivered"
@@ -15,12 +14,12 @@ const (
 type Delivery struct {
 	BaseModel
-	EventID  string         `gorm:"type:uuid;not null"         json:"eventId"`
+	EventID  string         `gorm:"type:uuid;not null" json:"event_id"`
-	TargetID string         `gorm:"type:uuid;not null"         json:"targetId"`
+	TargetID string         `gorm:"type:uuid;not null" json:"target_id"`
 	Status   DeliveryStatus `gorm:"not null;default:'pending'" json:"status"`
 	// Relations
-	Event           Event            `json:"event,omitzero"`
+	Event           Event            `json:"event,omitempty"`
-	Target          Target           `json:"target,omitzero"`
+	Target          Target           `json:"target,omitempty"`
-	DeliveryResults []DeliveryResult `json:"deliveryResults,omitempty"`
+	DeliveryResults []DeliveryResult `json:"delivery_results,omitempty"`
 }
--- a/internal/database/model_delivery_result.go
+++ b/internal/database/model_delivery_result.go
@@ -4,14 +4,14 @@ package database
 type DeliveryResult struct {
 	BaseModel
-	DeliveryID   string `gorm:"type:uuid;not null"   json:"deliveryId"`
+	DeliveryID   string `gorm:"type:uuid;not null" json:"delivery_id"`
-	AttemptNum   int    `gorm:"not null"             json:"attemptNum"`
+	AttemptNum   int    `gorm:"not null" json:"attempt_num"`
 	Success      bool   `json:"success"`
-	StatusCode   int    `json:"statusCode,omitempty"`
+	StatusCode   int    `json:"status_code,omitempty"`
-	ResponseBody string `gorm:"type:text"            json:"responseBody,omitempty"`
+	ResponseBody string `gorm:"type:text" json:"response_body,omitempty"`
 	Error        string `json:"error,omitempty"`
-	Duration     int64  `json:"durationMs"` // Duration in milliseconds
+	Duration     int64  `json:"duration_ms"` // Duration in milliseconds
 	// Relations
-	Delivery Delivery `json:"delivery,omitzero"`
+	Delivery Delivery `json:"delivery,omitempty"`
 }
--- a/internal/database/model_entrypoint.go
+++ b/internal/database/model_entrypoint.go
@@ -4,11 +4,11 @@ package database
 type Entrypoint struct {
 	BaseModel
-	WebhookID   string `gorm:"type:uuid;not null"   json:"webhookId"`
+	WebhookID   string `gorm:"type:uuid;not null" json:"webhook_id"`
 	Path        string `gorm:"uniqueIndex;not null" json:"path"` // URL path for this entrypoint
 	Description string `json:"description"`
 	Active      bool   `gorm:"default:true" json:"active"`
 	// Relations
-	Webhook Webhook `json:"webhook,omitzero"`
+	Webhook Webhook `json:"webhook,omitempty"`
 }
--- a/internal/database/model_event.go
+++ b/internal/database/model_event.go
@@ -4,17 +4,17 @@ package database
 type Event struct {
 	BaseModel
-	WebhookID    string `gorm:"type:uuid;not null" json:"webhookId"`
+	WebhookID    string `gorm:"type:uuid;not null" json:"webhook_id"`
-	EntrypointID string `gorm:"type:uuid;not null" json:"entrypointId"`
+	EntrypointID string `gorm:"type:uuid;not null" json:"entrypoint_id"`
 	// Request data
 	Method      string `gorm:"not null" json:"method"`
 	Headers     string `gorm:"type:text" json:"headers"` // JSON
 	Body        string `gorm:"type:text" json:"body"`
-	ContentType string `json:"contentType"`
+	ContentType string `json:"content_type"`
 	// Relations
-	Webhook    Webhook    `json:"webhook,omitzero"`
+	Webhook    Webhook    `json:"webhook,omitempty"`
-	Entrypoint Entrypoint `json:"entrypoint,omitzero"`
+	Entrypoint Entrypoint `json:"entrypoint,omitempty"`
 	Deliveries []Delivery `json:"deliveries,omitempty"`
 }
--- a/internal/database/model_setting.go
+++ b/internal/database/model_setting.go
@@ -1,8 +0,0 @@
 package database
 // Setting stores application-level key-value configuration.
 // Used for auto-generated values like the session encryption key.
 type Setting struct {
 	Key   string `gorm:"primaryKey"         json:"key"`
 	Value string `gorm:"type:text;not null" json:"value"`
 }
--- a/internal/database/model_target.go
+++ b/internal/database/model_target.go
@@ -3,19 +3,18 @@ package database
 // TargetType represents the type of delivery target
 type TargetType string
 // Target type values.
 const (
 	TargetTypeHTTP     TargetType = "http"
 	TargetTypeRetry    TargetType = "retry"
 	TargetTypeDatabase TargetType = "database"
 	TargetTypeLog      TargetType = "log"
 	TargetTypeSlack    TargetType = "slack"
 )
 // Target represents a delivery target for a webhook
 type Target struct {
 	BaseModel
-	WebhookID string     `gorm:"type:uuid;not null" json:"webhookId"`
+	WebhookID string     `gorm:"type:uuid;not null" json:"webhook_id"`
 	Name      string     `gorm:"not null" json:"name"`
 	Type      TargetType `gorm:"not null" json:"type"`
 	Active    bool       `gorm:"default:true" json:"active"`
@@ -23,11 +22,11 @@ type Target struct {
 	// Configuration fields (JSON stored based on type)
 	Config string `gorm:"type:text" json:"config"` // JSON configuration
-	// For HTTP targets (max_retries=0 means fire-and-forget, >0 enables retries with backoff)
+	// For retry targets
-	MaxRetries   int `json:"maxRetries,omitempty"`
+	MaxRetries   int `json:"max_retries,omitempty"`
-	MaxQueueSize int `json:"maxQueueSize,omitempty"`
+	MaxQueueSize int `json:"max_queue_size,omitempty"`
 	// Relations
-	Webhook    Webhook    `json:"webhook,omitzero"`
+	Webhook    Webhook    `json:"webhook,omitempty"`
 	Deliveries []Delivery `json:"deliveries,omitempty"`
 }
--- a/internal/database/model_user.go
+++ b/internal/database/model_user.go
@@ -9,5 +9,5 @@ type User struct {
 	// Relations
 	Webhooks []Webhook `json:"webhooks,omitempty"`
-	APIKeys  []APIKey  `json:"apiKeys,omitempty"`
+	APIKeys  []APIKey  `json:"api_keys,omitempty"`
 }
--- a/internal/database/model_webhook.go
+++ b/internal/database/model_webhook.go
@@ -4,13 +4,13 @@ package database
 type Webhook struct {
 	BaseModel
-	UserID        string `gorm:"type:uuid;not null" json:"userId"`
+	UserID        string `gorm:"type:uuid;not null" json:"user_id"`
 	Name          string `gorm:"not null" json:"name"`
 	Description   string `json:"description"`
-	RetentionDays int    `gorm:"default:30"         json:"retentionDays"` // Days to retain events
+	RetentionDays int    `gorm:"default:30" json:"retention_days"` // Days to retain events
 	// Relations
-	User        User         `json:"user,omitzero"`
+	User        User         `json:"user,omitempty"`
 	Entrypoints []Entrypoint `json:"entrypoints,omitempty"`
 	Targets     []Target     `json:"targets,omitempty"`
 }
--- a/internal/database/models.go
+++ b/internal/database/models.go
@@ -1,16 +1,15 @@
 package database
-// Migrate runs database migrations for the main application database.
+// Migrate runs database migrations for all models
 // Only configuration-tier models are stored in the main database.
 // Event-tier models (Event, Delivery, DeliveryResult) live in
 // per-webhook dedicated databases managed by WebhookDBManager.
 func (d *Database) Migrate() error {
 	return d.db.AutoMigrate(
 		&Setting{},
 		&User{},
 		&APIKey{},
 		&Webhook{},
 		&Entrypoint{},
 		&Target{},
 		&Event{},
 		&Delivery{},
 		&DeliveryResult{},
 	)
 }
--- a/internal/database/password.go
+++ b/internal/database/password.go
@@ -4,7 +4,6 @@ import (
 	"crypto/rand"
 	"crypto/subtle"
 	"encoding/base64"
 	"errors"
 	"fmt"
 	"math/big"
 	"strings"
@@ -21,23 +20,6 @@ const (
 	argon2SaltLen = 16
 )
 // hashParts is the expected number of $-separated segments
 // in an encoded Argon2id hash string.
 const hashParts = 6
 // minPasswordComplexityLen is the minimum password length that
 // triggers per-character-class complexity enforcement.
 const minPasswordComplexityLen = 4
 // Sentinel errors returned by decodeHash.
 var (
 	errInvalidHashFormat    = errors.New("invalid hash format")
 	errInvalidAlgorithm     = errors.New("invalid algorithm")
 	errIncompatibleVersion  = errors.New("incompatible argon2 version")
 	errSaltLengthOutOfRange = errors.New("salt length out of range")
 	errHashLengthOutOfRange = errors.New("hash length out of range")
 )
 // PasswordConfig holds Argon2 configuration
 type PasswordConfig struct {
 	Time    uint32
@@ -64,44 +46,26 @@ func HashPassword(password string) (string, error) {
 	// Generate a salt
 	salt := make([]byte, config.SaltLen)
-
+	if _, err := rand.Read(salt); err != nil {
 	_, err := rand.Read(salt)
 	if err != nil {
 		return "", err
 	}
 	// Generate the hash
-	hash := argon2.IDKey(
+	hash := argon2.IDKey([]byte(password), salt, config.Time, config.Memory, config.Threads, config.KeyLen)
 		[]byte(password),
 		salt,
 		config.Time,
 		config.Memory,
 		config.Threads,
 		config.KeyLen,
 	)
 	// Encode the hash and parameters
 	b64Salt := base64.RawStdEncoding.EncodeToString(salt)
 	b64Hash := base64.RawStdEncoding.EncodeToString(hash)
 	// Format: $argon2id$v=19$m=65536,t=1,p=4$salt$hash
-	encoded := fmt.Sprintf(
+	encoded := fmt.Sprintf("$argon2id$v=%d$m=%d,t=%d,p=%d$%s$%s",
-		"$argon2id$v=%d$m=%d,t=%d,p=%d$%s$%s",
+		argon2.Version, config.Memory, config.Time, config.Threads, b64Salt, b64Hash)
 		argon2.Version,
 		config.Memory,
 		config.Time,
 		config.Threads,
 		b64Salt,
 		b64Hash,
 	)
 	return encoded, nil
 }
 // VerifyPassword checks if the provided password matches the hash
-func VerifyPassword(
+func VerifyPassword(password, encodedHash string) (bool, error) {
 	password, encodedHash string,
 ) (bool, error) {
 	// Extract parameters and hash from encoded string
 	config, salt, hash, err := decodeHash(encodedHash)
 	if err != nil {
@@ -109,119 +73,60 @@ func VerifyPassword(
 	}
 	// Generate hash of the provided password
-	otherHash := argon2.IDKey(
+	otherHash := argon2.IDKey([]byte(password), salt, config.Time, config.Memory, config.Threads, config.KeyLen)
 		[]byte(password),
 		salt,
 		config.Time,
 		config.Memory,
 		config.Threads,
 		config.KeyLen,
 	)
 	// Compare hashes using constant time comparison
 	return subtle.ConstantTimeCompare(hash, otherHash) == 1, nil
 }
-// decodeHash extracts parameters, salt, and hash from an
+// decodeHash extracts parameters, salt, and hash from an encoded hash string
-// encoded hash string.
+func decodeHash(encodedHash string) (*PasswordConfig, []byte, []byte, error) {
 func decodeHash(
 	encodedHash string,
 ) (*PasswordConfig, []byte, []byte, error) {
 	parts := strings.Split(encodedHash, "$")
-	if len(parts) != hashParts {
+	if len(parts) != 6 {
-		return nil, nil, nil, errInvalidHashFormat
+		return nil, nil, nil, fmt.Errorf("invalid hash format")
 	}
 	if parts[1] != "argon2id" {
-		return nil, nil, nil, errInvalidAlgorithm
+		return nil, nil, nil, fmt.Errorf("invalid algorithm")
 	}
-	version, err := parseVersion(parts[2])
+	var version int
-	if err != nil {
+	if _, err := fmt.Sscanf(parts[2], "v=%d", &version); err != nil {
 		return nil, nil, nil, err
 	}
 	if version != argon2.Version {
-		return nil, nil, nil, errIncompatibleVersion
+		return nil, nil, nil, fmt.Errorf("incompatible argon2 version")
 	}
-	config, err := parseParams(parts[3])
+	config := &PasswordConfig{}
-	if err != nil {
+	if _, err := fmt.Sscanf(parts[3], "m=%d,t=%d,p=%d", &config.Memory, &config.Time, &config.Threads); err != nil {
 		return nil, nil, nil, err
 	}
-	salt, err := decodeSalt(parts[4])
+	salt, err := base64.RawStdEncoding.DecodeString(parts[4])
 	if err != nil {
 		return nil, nil, nil, err
 	}
 	saltLen := len(salt)
 	if saltLen < 0 || saltLen > int(^uint32(0)) {
 		return nil, nil, nil, fmt.Errorf("salt length out of range")
 	}
 	config.SaltLen = uint32(saltLen) // nolint:gosec // checked above
-	config.SaltLen = uint32(len(salt)) //nolint:gosec // validated in decodeSalt
+	hash, err := base64.RawStdEncoding.DecodeString(parts[5])
 	hash, err := decodeHashBytes(parts[5])
 	if err != nil {
 		return nil, nil, nil, err
 	}
-
+	hashLen := len(hash)
-	config.KeyLen = uint32(len(hash)) //nolint:gosec // validated in decodeHashBytes
+	if hashLen < 0 || hashLen > int(^uint32(0)) {
 		return nil, nil, nil, fmt.Errorf("hash length out of range")
 	}
 	config.KeyLen = uint32(hashLen) // nolint:gosec // checked above
 	return config, salt, hash, nil
 }
-func parseVersion(s string) (int, error) {
+// GenerateRandomPassword generates a cryptographically secure random password
 	var version int
 	_, err := fmt.Sscanf(s, "v=%d", &version)
 	if err != nil {
 		return 0, fmt.Errorf("parsing version: %w", err)
 	}
 	return version, nil
 }
 func parseParams(s string) (*PasswordConfig, error) {
 	config := &PasswordConfig{}
 	_, err := fmt.Sscanf(
 		s, "m=%d,t=%d,p=%d",
 		&config.Memory, &config.Time, &config.Threads,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("parsing params: %w", err)
 	}
 	return config, nil
 }
 func decodeSalt(s string) ([]byte, error) {
 	salt, err := base64.RawStdEncoding.DecodeString(s)
 	if err != nil {
 		return nil, fmt.Errorf("decoding salt: %w", err)
 	}
 	saltLen := len(salt)
 	if saltLen < 0 || saltLen > int(^uint32(0)) {
 		return nil, errSaltLengthOutOfRange
 	}
 	return salt, nil
 }
 func decodeHashBytes(s string) ([]byte, error) {
 	hash, err := base64.RawStdEncoding.DecodeString(s)
 	if err != nil {
 		return nil, fmt.Errorf("decoding hash: %w", err)
 	}
 	hashLen := len(hash)
 	if hashLen < 0 || hashLen > int(^uint32(0)) {
 		return nil, errHashLengthOutOfRange
 	}
 	return hash, nil
 }
 // GenerateRandomPassword generates a cryptographically secure
 // random password.
 func GenerateRandomPassword(length int) (string, error) {
 	const (
 		uppercase = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
@@ -236,27 +141,27 @@ func GenerateRandomPassword(length int) (string, error) {
 	// Create password slice
 	password := make([]byte, length)
-	// Ensure at least one character from each set
+	// Ensure at least one character from each set for password complexity
-	if length >= minPasswordComplexityLen {
+	if length >= 4 {
 		// Get one character from each set
 		password[0] = uppercase[cryptoRandInt(len(uppercase))]
 		password[1] = lowercase[cryptoRandInt(len(lowercase))]
 		password[2] = digits[cryptoRandInt(len(digits))]
 		password[3] = special[cryptoRandInt(len(special))]
 		// Fill the rest randomly from all characters
-		for i := minPasswordComplexityLen; i < length; i++ {
+		for i := 4; i < length; i++ {
 			password[i] = allChars[cryptoRandInt(len(allChars))]
 		}
 		// Shuffle the password to avoid predictable pattern
-		for i := range len(password) - 1 {
+		for i := len(password) - 1; i > 0; i-- {
-			j := cryptoRandInt(len(password) - i)
+			j := cryptoRandInt(i + 1)
-			idx := len(password) - 1 - i
+			password[i], password[j] = password[j], password[i]
 			password[idx], password[j] = password[j], password[idx]
 		}
 	} else {
 		// For very short passwords, just use all characters
-		for i := range length {
+		for i := 0; i < length; i++ {
 			password[i] = allChars[cryptoRandInt(len(allChars))]
 		}
 	}
@@ -264,17 +169,16 @@ func GenerateRandomPassword(length int) (string, error) {
 	return string(password), nil
 }
-// cryptoRandInt generates a cryptographically secure random
+// cryptoRandInt generates a cryptographically secure random integer in [0, max)
-// integer in [0, upperBound).
+func cryptoRandInt(max int) int {
-func cryptoRandInt(upperBound int) int {
+	if max <= 0 {
-	if upperBound <= 0 {
+		panic("max must be positive")
 		panic("upperBound must be positive")
 	}
-	nBig, err := rand.Int(
+	// Calculate the maximum valid value to avoid modulo bias
-		rand.Reader,
+	// For example, if max=200 and we have 256 possible values,
-		big.NewInt(int64(upperBound)),
+	// we only accept values 0-199 (reject 200-255)
-	)
+	nBig, err := rand.Int(rand.Reader, big.NewInt(int64(max)))
 	if err != nil {
 		panic(fmt.Sprintf("crypto/rand error: %v", err))
 	}
--- a/internal/database/password_test.go
+++ b/internal/database/password_test.go
@@ -1,15 +1,11 @@
-package database_test
+package database
 import (
 	"strings"
 	"testing"
 	"sneak.berlin/go/webhooker/internal/database"
 )
 func TestGenerateRandomPassword(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
 		name   string
 		length int
@@ -22,172 +18,109 @@ func TestGenerateRandomPassword(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
+			password, err := GenerateRandomPassword(tt.length)
 			password, err := database.GenerateRandomPassword(
 				tt.length,
 			)
 			if err != nil {
-				t.Fatalf(
+				t.Fatalf("GenerateRandomPassword() error = %v", err)
 					"GenerateRandomPassword() error = %v",
 					err,
 				)
 			}
 			if len(password) != tt.length {
-				t.Errorf(
+				t.Errorf("Password length = %v, want %v", len(password), tt.length)
 					"Password length = %v, want %v",
 					len(password), tt.length,
 				)
 			}
-			checkPasswordComplexity(
+			// For passwords >= 4 chars, check complexity
-				t, password, tt.length,
+			if tt.length >= 4 {
-			)
+				hasUpper := false
 				hasLower := false
 				hasDigit := false
 				hasSpecial := false
 				for _, char := range password {
 					switch {
 					case char >= 'A' && char <= 'Z':
 						hasUpper = true
 					case char >= 'a' && char <= 'z':
 						hasLower = true
 					case char >= '0' && char <= '9':
 						hasDigit = true
 					case strings.ContainsRune("!@#$%^&*()_+-=[]{}|;:,.<>?", char):
 						hasSpecial = true
 					}
 				}
 				if !hasUpper || !hasLower || !hasDigit || !hasSpecial {
 					t.Errorf("Password lacks required complexity: upper=%v, lower=%v, digit=%v, special=%v",
 						hasUpper, hasLower, hasDigit, hasSpecial)
 				}
 			}
 		})
 	}
 }
 func checkPasswordComplexity(
 	t *testing.T,
 	password string,
 	length int,
 ) {
 	t.Helper()
 	// For passwords >= 4 chars, check complexity
 	if length < 4 {
 		return
 	}
 	flags := classifyChars(password)
 	if !flags[0] || !flags[1] || !flags[2] || !flags[3] {
 		t.Errorf(
 			"Password lacks required complexity: "+
 				"upper=%v, lower=%v, digit=%v, special=%v",
 			flags[0], flags[1], flags[2], flags[3],
 		)
 	}
 }
 func classifyChars(s string) [4]bool {
 	var flags [4]bool // upper, lower, digit, special
 	for _, char := range s {
 		switch {
 		case char >= 'A' && char <= 'Z':
 			flags[0] = true
 		case char >= 'a' && char <= 'z':
 			flags[1] = true
 		case char >= '0' && char <= '9':
 			flags[2] = true
 		case strings.ContainsRune(
 			"!@#$%^&*()_+-=[]{}|;:,.<>?",
 			char,
 		):
 			flags[3] = true
 		}
 	}
 	return flags
 }
 func TestGenerateRandomPasswordUniqueness(t *testing.T) {
 	t.Parallel()
 	// Generate multiple passwords and ensure they're different
 	passwords := make(map[string]bool)
 	const numPasswords = 100
-	for range numPasswords {
+	for i := 0; i < numPasswords; i++ {
-		password, err := database.GenerateRandomPassword(16)
+		password, err := GenerateRandomPassword(16)
 		if err != nil {
-			t.Fatalf(
+			t.Fatalf("GenerateRandomPassword() error = %v", err)
 				"GenerateRandomPassword() error = %v",
 				err,
 			)
 		}
 		if passwords[password] {
-			t.Errorf(
+			t.Errorf("Duplicate password generated: %s", password)
 				"Duplicate password generated: %s",
 				password,
 			)
 		}
 		passwords[password] = true
 	}
 }
 func TestHashPassword(t *testing.T) {
 	t.Parallel()
 	password := "testPassword123!"
-	hash, err := database.HashPassword(password)
+	hash, err := HashPassword(password)
 	if err != nil {
 		t.Fatalf("HashPassword() error = %v", err)
 	}
 	// Check that hash has correct format
 	if !strings.HasPrefix(hash, "$argon2id$") {
-		t.Errorf(
+		t.Errorf("Hash doesn't have correct prefix: %s", hash)
 			"Hash doesn't have correct prefix: %s",
 			hash,
 		)
 	}
 	// Verify password
-	valid, err := database.VerifyPassword(password, hash)
+	valid, err := VerifyPassword(password, hash)
 	if err != nil {
 		t.Fatalf("VerifyPassword() error = %v", err)
 	}
 	if !valid {
-		t.Error(
+		t.Error("VerifyPassword() returned false for correct password")
 			"VerifyPassword() returned false " +
 				"for correct password",
 		)
 	}
 	// Verify wrong password fails
-	valid, err = database.VerifyPassword(
+	valid, err = VerifyPassword("wrongPassword", hash)
 		"wrongPassword", hash,
 	)
 	if err != nil {
 		t.Fatalf("VerifyPassword() error = %v", err)
 	}
 	if valid {
-		t.Error(
+		t.Error("VerifyPassword() returned true for wrong password")
 			"VerifyPassword() returned true " +
 				"for wrong password",
 		)
 	}
 }
 func TestHashPasswordUniqueness(t *testing.T) {
 	t.Parallel()
 	password := "testPassword123!"
-	// Same password should produce different hashes
+	// Same password should produce different hashes due to salt
-	hash1, err := database.HashPassword(password)
+	hash1, err := HashPassword(password)
 	if err != nil {
 		t.Fatalf("HashPassword() error = %v", err)
 	}
-	hash2, err := database.HashPassword(password)
+	hash2, err := HashPassword(password)
 	if err != nil {
 		t.Fatalf("HashPassword() error = %v", err)
 	}
 	if hash1 == hash2 {
-		t.Error(
+		t.Error("Same password produced identical hashes (salt not working)")
 			"Same password produced identical hashes " +
 				"(salt not working)",
 		)
 	}
 }
--- a/internal/database/testing.go
+++ b/internal/database/testing.go
@@ -1,28 +0,0 @@
 package database
 import (
 	"log/slog"
 	"os"
 	"gorm.io/gorm"
 )
 // NewTestDatabase creates a Database wrapper around a pre-opened *gorm.DB.
 // Intended for use in tests that need a *database.Database without the
 // full fx lifecycle. The caller is responsible for closing the underlying
 // sql.DB connection.
 func NewTestDatabase(db *gorm.DB) *Database {
 	return &Database{
 		db:  db,
 		log: slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelDebug})),
 	}
 }
 // NewTestWebhookDBManager creates a WebhookDBManager backed by the given
 // data directory. Intended for use in tests without the fx lifecycle.
 func NewTestWebhookDBManager(dataDir string) *WebhookDBManager {
 	return &WebhookDBManager{
 		dataDir: dataDir,
 		log:     slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelDebug})),
 	}
 }
--- a/internal/database/webhook_db_manager.go
+++ b/internal/database/webhook_db_manager.go
@@ -1,281 +0,0 @@
 package database
 import (
 	"context"
 	"database/sql"
 	"errors"
 	"fmt"
 	"log/slog"
 	"os"
 	"path/filepath"
 	"sync"
 	"go.uber.org/fx"
 	"gorm.io/driver/sqlite"
 	"gorm.io/gorm"
 	"sneak.berlin/go/webhooker/internal/config"
 	"sneak.berlin/go/webhooker/internal/logger"
 )
 // WebhookDBManagerParams holds the fx dependencies for
 // WebhookDBManager.
 type WebhookDBManagerParams struct {
 	fx.In
 	Config *config.Config
 	Logger *logger.Logger
 }
 // errInvalidCachedDBType indicates a type assertion failure
 // when retrieving a cached database connection.
 var errInvalidCachedDBType = errors.New(
 	"invalid cached database type",
 )
 // WebhookDBManager manages per-webhook SQLite database files
 // for event storage. Each webhook gets its own dedicated
 // database containing Events, Deliveries, and DeliveryResults.
 // Database connections are opened lazily and cached.
 type WebhookDBManager struct {
 	dataDir string
 	dbs     sync.Map // map[webhookID]*gorm.DB
 	log     *slog.Logger
 }
 // NewWebhookDBManager creates a new WebhookDBManager and
 // registers lifecycle hooks.
 func NewWebhookDBManager(
 	lc fx.Lifecycle,
 	params WebhookDBManagerParams,
 ) (*WebhookDBManager, error) {
 	m := &WebhookDBManager{
 		dataDir: params.Config.DataDir,
 		log:     params.Logger.Get(),
 	}
 	// Create data directory if it doesn't exist
 	err := os.MkdirAll(m.dataDir, dataDirPerm)
 	if err != nil {
 		return nil, fmt.Errorf(
 			"creating data directory %s: %w",
 			m.dataDir,
 			err,
 		)
 	}
 	lc.Append(fx.Hook{
 		OnStop: func(_ context.Context) error {
 			return m.CloseAll()
 		},
 	})
 	m.log.Info(
 		"webhook database manager initialized",
 		"data_dir", m.dataDir,
 	)
 	return m, nil
 }
 // GetDB returns the database connection for a webhook,
 // creating the database file lazily if it doesn't exist.
 func (m *WebhookDBManager) GetDB(
 	webhookID string,
 ) (*gorm.DB, error) {
 	// Fast path: already open
 	if val, ok := m.dbs.Load(webhookID); ok {
 		cachedDB, castOK := val.(*gorm.DB)
 		if !castOK {
 			return nil, fmt.Errorf(
 				"%w for webhook %s",
 				errInvalidCachedDBType,
 				webhookID,
 			)
 		}
 		return cachedDB, nil
 	}
 	// Slow path: open/create the database
 	db, err := m.openDB(webhookID)
 	if err != nil {
 		return nil, err
 	}
 	// Store it; if another goroutine beat us, close ours
 	actual, loaded := m.dbs.LoadOrStore(webhookID, db)
 	if loaded {
 		// Another goroutine created it first; close our duplicate
 		sqlDB, closeErr := db.DB()
 		if closeErr == nil {
 			_ = sqlDB.Close()
 		}
 		existingDB, castOK := actual.(*gorm.DB)
 		if !castOK {
 			return nil, fmt.Errorf(
 				"%w for webhook %s",
 				errInvalidCachedDBType,
 				webhookID,
 			)
 		}
 		return existingDB, nil
 	}
 	return db, nil
 }
 // CreateDB explicitly creates a new per-webhook database file
 // and runs migrations.
 func (m *WebhookDBManager) CreateDB(
 	webhookID string,
 ) error {
 	_, err := m.GetDB(webhookID)
 	return err
 }
 // DBExists checks if a per-webhook database file exists on
 // disk.
 func (m *WebhookDBManager) DBExists(
 	webhookID string,
 ) bool {
 	_, err := os.Stat(m.dbPath(webhookID))
 	return err == nil
 }
 // DeleteDB closes the connection and deletes the database file
 // for a webhook. The file is permanently removed.
 func (m *WebhookDBManager) DeleteDB(
 	webhookID string,
 ) error {
 	// Close and remove from cache
 	if val, ok := m.dbs.LoadAndDelete(webhookID); ok {
 		if gormDB, castOK := val.(*gorm.DB); castOK {
 			sqlDB, err := gormDB.DB()
 			if err == nil {
 				_ = sqlDB.Close()
 			}
 		}
 	}
 	// Delete the main DB file and WAL/SHM files
 	path := m.dbPath(webhookID)
 	for _, suffix := range []string{"", "-wal", "-shm"} {
 		err := os.Remove(path + suffix)
 		if err != nil && !os.IsNotExist(err) {
 			return fmt.Errorf(
 				"deleting webhook database file %s%s: %w",
 				path, suffix, err,
 			)
 		}
 	}
 	m.log.Info(
 		"deleted per-webhook database",
 		"webhook_id", webhookID,
 	)
 	return nil
 }
 // CloseAll closes all open per-webhook database connections.
 // Called during application shutdown.
 func (m *WebhookDBManager) CloseAll() error {
 	var lastErr error
 	m.dbs.Range(func(key, value any) bool {
 		if gormDB, castOK := value.(*gorm.DB); castOK {
 			sqlDB, err := gormDB.DB()
 			if err == nil {
 				closeErr := sqlDB.Close()
 				if closeErr != nil {
 					lastErr = closeErr
 					m.log.Error(
 						"failed to close webhook database",
 						"webhook_id", key,
 						"error", closeErr,
 					)
 				}
 			}
 		}
 		m.dbs.Delete(key)
 		return true
 	})
 	return lastErr
 }
 // DBPath returns the filesystem path for a webhook's database
 // file.
 func (m *WebhookDBManager) DBPath(
 	webhookID string,
 ) string {
 	return m.dbPath(webhookID)
 }
 func (m *WebhookDBManager) dbPath(
 	webhookID string,
 ) string {
 	return filepath.Join(
 		m.dataDir,
 		fmt.Sprintf("events-%s.db", webhookID),
 	)
 }
 // openDB opens (or creates) a per-webhook SQLite database and
 // runs migrations.
 func (m *WebhookDBManager) openDB(
 	webhookID string,
 ) (*gorm.DB, error) {
 	path := m.dbPath(webhookID)
 	dbURL := fmt.Sprintf(
 		"file:%s?cache=shared&mode=rwc",
 		path,
 	)
 	sqlDB, err := sql.Open("sqlite", dbURL)
 	if err != nil {
 		return nil, fmt.Errorf(
 			"opening webhook database %s: %w",
 			webhookID, err,
 		)
 	}
 	db, err := gorm.Open(sqlite.Dialector{
 		Conn: sqlDB,
 	}, &gorm.Config{})
 	if err != nil {
 		_ = sqlDB.Close()
 		return nil, fmt.Errorf(
 			"connecting to webhook database %s: %w",
 			webhookID, err,
 		)
 	}
 	// Run migrations for event-tier models only
 	err = db.AutoMigrate(
 		&Event{}, &Delivery{}, &DeliveryResult{},
 	)
 	if err != nil {
 		_ = sqlDB.Close()
 		return nil, fmt.Errorf(
 			"migrating webhook database %s: %w",
 			webhookID, err,
 		)
 	}
 	m.log.Info(
 		"opened per-webhook database",
 		"webhook_id", webhookID,
 		"path", path,
 	)
 	return db, nil
 }
--- a/internal/database/webhook_db_manager_test.go
+++ b/internal/database/webhook_db_manager_test.go
@@ -1,365 +0,0 @@
 package database_test
 import (
 	"context"
 	"os"
 	"path/filepath"
 	"testing"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx/fxtest"
 	"gorm.io/gorm"
 	"sneak.berlin/go/webhooker/internal/config"
 	"sneak.berlin/go/webhooker/internal/database"
 	"sneak.berlin/go/webhooker/internal/globals"
 	"sneak.berlin/go/webhooker/internal/logger"
 )
 func setupTestWebhookDBManager(
 	t *testing.T,
 ) (*database.WebhookDBManager, *fxtest.Lifecycle) {
 	t.Helper()
 	lc := fxtest.NewLifecycle(t)
 	g := &globals.Globals{
 		Appname: "webhooker-test",
 		Version: "test",
 	}
 	l, err := logger.New(
 		lc,
 		logger.LoggerParams{Globals: g},
 	)
 	require.NoError(t, err)
 	dataDir := filepath.Join(t.TempDir(), "events")
 	cfg := &config.Config{
 		DataDir: dataDir,
 	}
 	mgr, err := database.NewWebhookDBManager(
 		lc,
 		database.WebhookDBManagerParams{
 			Config: cfg,
 			Logger: l,
 		},
 	)
 	require.NoError(t, err)
 	return mgr, lc
 }
 func TestWebhookDBManager_CreateAndGetDB(t *testing.T) {
 	t.Parallel()
 	mgr, lc := setupTestWebhookDBManager(t)
 	ctx := context.Background()
 	require.NoError(t, lc.Start(ctx))
 	defer func() { require.NoError(t, lc.Stop(ctx)) }()
 	webhookID := uuid.New().String()
 	// DB should not exist yet
 	assert.False(t, mgr.DBExists(webhookID))
 	// Create the DB
 	err := mgr.CreateDB(webhookID)
 	require.NoError(t, err)
 	// DB file should now exist
 	assert.True(t, mgr.DBExists(webhookID))
 	// Get the DB again (should use cached connection)
 	db, err := mgr.GetDB(webhookID)
 	require.NoError(t, err)
 	require.NotNil(t, db)
 	// Verify we can write an event
 	event := &database.Event{
 		WebhookID:    webhookID,
 		EntrypointID: uuid.New().String(),
 		Method:       "POST",
 		Headers:      `{"Content-Type":["application/json"]}`,
 		Body:         `{"test": true}`,
 		ContentType:  "application/json",
 	}
 	require.NoError(t, db.Create(event).Error)
 	assert.NotEmpty(t, event.ID)
 	// Verify we can read it back
 	var readEvent database.Event
 	require.NoError(
 		t,
 		db.First(&readEvent, "id = ?", event.ID).Error,
 	)
 	assert.Equal(t, webhookID, readEvent.WebhookID)
 	assert.Equal(t, "POST", readEvent.Method)
 	assert.Equal(t, `{"test": true}`, readEvent.Body)
 }
 func TestWebhookDBManager_DeleteDB(t *testing.T) {
 	t.Parallel()
 	mgr, lc := setupTestWebhookDBManager(t)
 	ctx := context.Background()
 	require.NoError(t, lc.Start(ctx))
 	defer func() { require.NoError(t, lc.Stop(ctx)) }()
 	webhookID := uuid.New().String()
 	// Create the DB and write some data
 	require.NoError(t, mgr.CreateDB(webhookID))
 	db, err := mgr.GetDB(webhookID)
 	require.NoError(t, err)
 	event := &database.Event{
 		WebhookID:    webhookID,
 		EntrypointID: uuid.New().String(),
 		Method:       "POST",
 		Body:         `{"test": true}`,
 		ContentType:  "application/json",
 	}
 	require.NoError(t, db.Create(event).Error)
 	// Delete the DB
 	require.NoError(t, mgr.DeleteDB(webhookID))
 	// File should no longer exist
 	assert.False(t, mgr.DBExists(webhookID))
 	// Verify the file is actually gone from disk
 	dbPath := mgr.DBPath(webhookID)
 	_, err = os.Stat(dbPath)
 	assert.True(t, os.IsNotExist(err))
 }
 func TestWebhookDBManager_LazyCreation(t *testing.T) {
 	t.Parallel()
 	mgr, lc := setupTestWebhookDBManager(t)
 	ctx := context.Background()
 	require.NoError(t, lc.Start(ctx))
 	defer func() { require.NoError(t, lc.Stop(ctx)) }()
 	webhookID := uuid.New().String()
 	// GetDB should lazily create the database
 	db, err := mgr.GetDB(webhookID)
 	require.NoError(t, err)
 	require.NotNil(t, db)
 	// File should now exist
 	assert.True(t, mgr.DBExists(webhookID))
 }
 func TestWebhookDBManager_DeliveryWorkflow(t *testing.T) {
 	t.Parallel()
 	mgr, lc := setupTestWebhookDBManager(t)
 	ctx := context.Background()
 	require.NoError(t, lc.Start(ctx))
 	defer func() { require.NoError(t, lc.Stop(ctx)) }()
 	webhookID := uuid.New().String()
 	targetID := uuid.New().String()
 	db, err := mgr.GetDB(webhookID)
 	require.NoError(t, err)
 	event, delivery := seedDeliveryWorkflow(
 		t, db, webhookID, targetID,
 	)
 	verifyPendingDeliveries(t, db, event)
 	completeDelivery(t, db, delivery)
 	verifyNoPending(t, db)
 }
 func seedDeliveryWorkflow(
 	t *testing.T,
 	db *gorm.DB,
 	webhookID, targetID string,
 ) (*database.Event, *database.Delivery) {
 	t.Helper()
 	event := &database.Event{
 		WebhookID:    webhookID,
 		EntrypointID: uuid.New().String(),
 		Method:       "POST",
 		Headers:      `{"Content-Type":["application/json"]}`,
 		Body:         `{"payload": "test"}`,
 		ContentType:  "application/json",
 	}
 	require.NoError(t, db.Create(event).Error)
 	delivery := &database.Delivery{
 		EventID:  event.ID,
 		TargetID: targetID,
 		Status:   database.DeliveryStatusPending,
 	}
 	require.NoError(t, db.Create(delivery).Error)
 	return event, delivery
 }
 func verifyPendingDeliveries(
 	t *testing.T,
 	db *gorm.DB,
 	event *database.Event,
 ) {
 	t.Helper()
 	var pending []database.Delivery
 	require.NoError(
 		t,
 		db.Where(
 			"status = ?",
 			database.DeliveryStatusPending,
 		).Preload("Event").Find(&pending).Error,
 	)
 	require.Len(t, pending, 1)
 	assert.Equal(t, event.ID, pending[0].EventID)
 	assert.Equal(t, "POST", pending[0].Event.Method)
 }
 func completeDelivery(
 	t *testing.T,
 	db *gorm.DB,
 	delivery *database.Delivery,
 ) {
 	t.Helper()
 	result := &database.DeliveryResult{
 		DeliveryID: delivery.ID,
 		AttemptNum: 1,
 		Success:    true,
 		StatusCode: 200,
 		Duration:   42,
 	}
 	require.NoError(t, db.Create(result).Error)
 	require.NoError(
 		t,
 		db.Model(delivery).Update(
 			"status",
 			database.DeliveryStatusDelivered,
 		).Error,
 	)
 }
 func verifyNoPending(
 	t *testing.T,
 	db *gorm.DB,
 ) {
 	t.Helper()
 	var stillPending []database.Delivery
 	require.NoError(
 		t,
 		db.Where(
 			"status = ?",
 			database.DeliveryStatusPending,
 		).Find(&stillPending).Error,
 	)
 	assert.Empty(t, stillPending)
 }
 func TestWebhookDBManager_MultipleWebhooks(t *testing.T) {
 	t.Parallel()
 	mgr, lc := setupTestWebhookDBManager(t)
 	ctx := context.Background()
 	require.NoError(t, lc.Start(ctx))
 	defer func() { require.NoError(t, lc.Stop(ctx)) }()
 	webhook1 := uuid.New().String()
 	webhook2 := uuid.New().String()
 	// Create DBs for two webhooks
 	require.NoError(t, mgr.CreateDB(webhook1))
 	require.NoError(t, mgr.CreateDB(webhook2))
 	db1, err := mgr.GetDB(webhook1)
 	require.NoError(t, err)
 	db2, err := mgr.GetDB(webhook2)
 	require.NoError(t, err)
 	// Write events to each webhook's DB
 	event1 := &database.Event{
 		WebhookID:    webhook1,
 		EntrypointID: uuid.New().String(),
 		Method:       "POST",
 		Body:         `{"webhook": 1}`,
 		ContentType:  "application/json",
 	}
 	event2 := &database.Event{
 		WebhookID:    webhook2,
 		EntrypointID: uuid.New().String(),
 		Method:       "PUT",
 		Body:         `{"webhook": 2}`,
 		ContentType:  "application/json",
 	}
 	require.NoError(t, db1.Create(event1).Error)
 	require.NoError(t, db2.Create(event2).Error)
 	// Verify isolation: each DB only has its own events
 	var count1 int64
 	db1.Model(&database.Event{}).Count(&count1)
 	assert.Equal(t, int64(1), count1)
 	var count2 int64
 	db2.Model(&database.Event{}).Count(&count2)
 	assert.Equal(t, int64(1), count2)
 	// Delete webhook1's DB, webhook2 should be unaffected
 	require.NoError(t, mgr.DeleteDB(webhook1))
 	assert.False(t, mgr.DBExists(webhook1))
 	assert.True(t, mgr.DBExists(webhook2))
 	// webhook2's data should still be accessible
 	var events []database.Event
 	require.NoError(t, db2.Find(&events).Error)
 	assert.Len(t, events, 1)
 	assert.Equal(t, "PUT", events[0].Method)
 }
 func TestWebhookDBManager_CloseAll(t *testing.T) {
 	t.Parallel()
 	mgr, lc := setupTestWebhookDBManager(t)
 	ctx := context.Background()
 	require.NoError(t, lc.Start(ctx))
 	// Create a few DBs
 	for range 3 {
 		require.NoError(
 			t,
 			mgr.CreateDB(uuid.New().String()),
 		)
 	}
 	// CloseAll should close all connections without error
 	require.NoError(t, mgr.CloseAll())
 	// Stop lifecycle (CloseAll already called)
 	require.NoError(t, lc.Stop(ctx))
 }
--- a/internal/delivery/circuit_breaker.go
+++ b/internal/delivery/circuit_breaker.go
@@ -1,152 +0,0 @@
 package delivery
 import (
 	"sync"
 	"time"
 )
 // CircuitState represents the current state of a circuit
 // breaker.
 type CircuitState int
 const (
 	// CircuitClosed is the normal operating state.
 	CircuitClosed CircuitState = iota
 	// CircuitOpen means the circuit has tripped.
 	CircuitOpen
 	// CircuitHalfOpen allows a single probe delivery to
 	// test whether the target has recovered.
 	CircuitHalfOpen
 )
 const (
 	// defaultFailureThreshold is the number of consecutive
 	// failures before a circuit breaker trips open.
 	defaultFailureThreshold = 5
 	// defaultCooldown is how long a circuit stays open
 	// before transitioning to half-open.
 	defaultCooldown = 30 * time.Second
 )
 // CircuitBreaker implements the circuit breaker pattern
 // for a single delivery target.
 type CircuitBreaker struct {
 	mu          sync.Mutex
 	state       CircuitState
 	failures    int
 	threshold   int
 	cooldown    time.Duration
 	lastFailure time.Time
 }
 // NewCircuitBreaker creates a circuit breaker with default
 // settings.
 func NewCircuitBreaker() *CircuitBreaker {
 	return &CircuitBreaker{
 		state:     CircuitClosed,
 		threshold: defaultFailureThreshold,
 		cooldown:  defaultCooldown,
 	}
 }
 // Allow checks whether a delivery attempt should proceed.
 func (cb *CircuitBreaker) Allow() bool {
 	cb.mu.Lock()
 	defer cb.mu.Unlock()
 	switch cb.state {
 	case CircuitClosed:
 		return true
 	case CircuitOpen:
 		if time.Since(cb.lastFailure) >= cb.cooldown {
 			cb.state = CircuitHalfOpen
 			return true
 		}
 		return false
 	case CircuitHalfOpen:
 		return false
 	default:
 		return true
 	}
 }
 // CooldownRemaining returns how much time is left before
 // an open circuit transitions to half-open.
 func (cb *CircuitBreaker) CooldownRemaining() time.Duration {
 	cb.mu.Lock()
 	defer cb.mu.Unlock()
 	if cb.state != CircuitOpen {
 		return 0
 	}
 	remaining := cb.cooldown - time.Since(cb.lastFailure)
 	if remaining < 0 {
 		return 0
 	}
 	return remaining
 }
 // RecordSuccess records a successful delivery and resets
 // the circuit breaker to closed state.
 func (cb *CircuitBreaker) RecordSuccess() {
 	cb.mu.Lock()
 	defer cb.mu.Unlock()
 	cb.failures = 0
 	cb.state = CircuitClosed
 }
 // RecordFailure records a failed delivery. If the failure
 // count reaches the threshold, the circuit trips open.
 func (cb *CircuitBreaker) RecordFailure() {
 	cb.mu.Lock()
 	defer cb.mu.Unlock()
 	cb.failures++
 	cb.lastFailure = time.Now()
 	switch cb.state {
 	case CircuitClosed:
 		if cb.failures >= cb.threshold {
 			cb.state = CircuitOpen
 		}
 	case CircuitOpen:
 		// Already open; no state change needed.
 	case CircuitHalfOpen:
 		// Probe failed -- reopen immediately.
 		cb.state = CircuitOpen
 	}
 }
 // State returns the current circuit state.
 func (cb *CircuitBreaker) State() CircuitState {
 	cb.mu.Lock()
 	defer cb.mu.Unlock()
 	return cb.state
 }
 // String returns the human-readable name of a circuit
 // state.
 func (s CircuitState) String() string {
 	switch s {
 	case CircuitClosed:
 		return "closed"
 	case CircuitOpen:
 		return "open"
 	case CircuitHalfOpen:
 		return "half-open"
 	default:
 		return "unknown"
 	}
 }
--- a/internal/delivery/circuit_breaker_test.go
+++ b/internal/delivery/circuit_breaker_test.go
@@ -1,310 +0,0 @@
 package delivery_test
 import (
 	"sync"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"sneak.berlin/go/webhooker/internal/delivery"
 )
 func TestCircuitBreaker_ClosedState_AllowsDeliveries(
 	t *testing.T,
 ) {
 	t.Parallel()
 	cb := delivery.NewCircuitBreaker()
 	assert.Equal(t, delivery.CircuitClosed, cb.State())
 	assert.True(t, cb.Allow(),
 		"closed circuit should allow deliveries",
 	)
 	for range 10 {
 		assert.True(t, cb.Allow())
 	}
 }
 func TestCircuitBreaker_FailureCounting(t *testing.T) {
 	t.Parallel()
 	cb := delivery.NewCircuitBreaker()
 	for i := range delivery.ExportDefaultFailureThreshold - 1 {
 		cb.RecordFailure()
 		assert.Equal(t,
 			delivery.CircuitClosed, cb.State(),
 			"circuit should remain closed after %d failures",
 			i+1,
 		)
 		assert.True(t, cb.Allow(),
 			"should still allow after %d failures",
 			i+1,
 		)
 	}
 }
 func TestCircuitBreaker_OpenTransition(t *testing.T) {
 	t.Parallel()
 	cb := delivery.NewCircuitBreaker()
 	for range delivery.ExportDefaultFailureThreshold {
 		cb.RecordFailure()
 	}
 	assert.Equal(t, delivery.CircuitOpen, cb.State(),
 		"circuit should be open after threshold failures",
 	)
 	assert.False(t, cb.Allow(),
 		"open circuit should reject deliveries",
 	)
 }
 func TestCircuitBreaker_Cooldown_StaysOpen(t *testing.T) {
 	t.Parallel()
 	cb := delivery.NewCircuitBreaker()
 	for range delivery.ExportDefaultFailureThreshold {
 		cb.RecordFailure()
 	}
 	require.Equal(t, delivery.CircuitOpen, cb.State())
 	assert.False(t, cb.Allow(),
 		"should be blocked during cooldown",
 	)
 	remaining := cb.CooldownRemaining()
 	assert.Greater(t, remaining, time.Duration(0),
 		"cooldown should have remaining time",
 	)
 }
 func TestCircuitBreaker_HalfOpen_AfterCooldown(
 	t *testing.T,
 ) {
 	t.Parallel()
 	cb := newShortCooldownCB(t)
 	for range delivery.ExportDefaultFailureThreshold {
 		cb.RecordFailure()
 	}
 	require.Equal(t, delivery.CircuitOpen, cb.State())
 	time.Sleep(60 * time.Millisecond)
 	assert.Equal(t, time.Duration(0),
 		cb.CooldownRemaining(),
 	)
 	assert.True(t, cb.Allow(),
 		"should allow one probe after cooldown",
 	)
 	assert.Equal(t,
 		delivery.CircuitHalfOpen, cb.State(),
 		"should be half-open after probe allowed",
 	)
 	assert.False(t, cb.Allow(),
 		"should reject additional probes while half-open",
 	)
 }
 func TestCircuitBreaker_ProbeSuccess_ClosesCircuit(
 	t *testing.T,
 ) {
 	t.Parallel()
 	cb := newShortCooldownCB(t)
 	for range delivery.ExportDefaultFailureThreshold {
 		cb.RecordFailure()
 	}
 	time.Sleep(60 * time.Millisecond)
 	require.True(t, cb.Allow())
 	cb.RecordSuccess()
 	assert.Equal(t, delivery.CircuitClosed, cb.State(),
 		"successful probe should close circuit",
 	)
 	assert.True(t, cb.Allow(),
 		"closed circuit should allow deliveries",
 	)
 }
 func TestCircuitBreaker_ProbeFailure_ReopensCircuit(
 	t *testing.T,
 ) {
 	t.Parallel()
 	cb := newShortCooldownCB(t)
 	for range delivery.ExportDefaultFailureThreshold {
 		cb.RecordFailure()
 	}
 	time.Sleep(60 * time.Millisecond)
 	require.True(t, cb.Allow())
 	cb.RecordFailure()
 	assert.Equal(t, delivery.CircuitOpen, cb.State(),
 		"failed probe should reopen circuit",
 	)
 	assert.False(t, cb.Allow(),
 		"reopened circuit should reject deliveries",
 	)
 }
 func TestCircuitBreaker_SuccessResetsFailures(
 	t *testing.T,
 ) {
 	t.Parallel()
 	cb := delivery.NewCircuitBreaker()
 	for range delivery.ExportDefaultFailureThreshold - 1 {
 		cb.RecordFailure()
 	}
 	require.Equal(t, delivery.CircuitClosed, cb.State())
 	cb.RecordSuccess()
 	assert.Equal(t, delivery.CircuitClosed, cb.State())
 	for range delivery.ExportDefaultFailureThreshold - 1 {
 		cb.RecordFailure()
 	}
 	assert.Equal(t, delivery.CircuitClosed, cb.State(),
 		"circuit should still be closed -- "+
 			"success reset the counter",
 	)
 	cb.RecordFailure()
 	assert.Equal(t, delivery.CircuitOpen, cb.State())
 }
 func TestCircuitBreaker_ConcurrentAccess(t *testing.T) {
 	t.Parallel()
 	cb := delivery.NewCircuitBreaker()
 	const goroutines = 100
 	var wg sync.WaitGroup
 	wg.Add(goroutines * 3)
 	for range goroutines {
 		go func() {
 			defer wg.Done()
 			cb.Allow()
 		}()
 	}
 	for range goroutines {
 		go func() {
 			defer wg.Done()
 			cb.RecordFailure()
 		}()
 	}
 	for range goroutines {
 		go func() {
 			defer wg.Done()
 			cb.RecordSuccess()
 		}()
 	}
 	wg.Wait()
 	state := cb.State()
 	assert.Contains(t,
 		[]delivery.CircuitState{
 			delivery.CircuitClosed,
 			delivery.CircuitOpen,
 			delivery.CircuitHalfOpen,
 		},
 		state,
 		"state should be valid after concurrent access",
 	)
 }
 func TestCircuitBreaker_CooldownRemaining_ClosedReturnsZero(
 	t *testing.T,
 ) {
 	t.Parallel()
 	cb := delivery.NewCircuitBreaker()
 	assert.Equal(t, time.Duration(0),
 		cb.CooldownRemaining(),
 		"closed circuit should have zero cooldown remaining",
 	)
 }
 func TestCircuitBreaker_CooldownRemaining_HalfOpenReturnsZero(
 	t *testing.T,
 ) {
 	t.Parallel()
 	cb := newShortCooldownCB(t)
 	for range delivery.ExportDefaultFailureThreshold {
 		cb.RecordFailure()
 	}
 	time.Sleep(60 * time.Millisecond)
 	require.True(t, cb.Allow())
 	assert.Equal(t, time.Duration(0),
 		cb.CooldownRemaining(),
 		"half-open circuit should have zero cooldown remaining",
 	)
 }
 func TestCircuitState_String(t *testing.T) {
 	t.Parallel()
 	assert.Equal(t, "closed", delivery.CircuitClosed.String())
 	assert.Equal(t, "open", delivery.CircuitOpen.String())
 	assert.Equal(t, "half-open", delivery.CircuitHalfOpen.String())
 	assert.Equal(t, "unknown", delivery.CircuitState(99).String())
 }
 // newShortCooldownCB creates a CircuitBreaker with a short
 // cooldown for testing. We use NewCircuitBreaker and
 // manipulate through the public API.
 func newShortCooldownCB(t *testing.T) *delivery.CircuitBreaker {
 	t.Helper()
 	return delivery.NewTestCircuitBreaker(
 		delivery.ExportDefaultFailureThreshold,
 		50*time.Millisecond,
 	)
 }
--- a/internal/delivery/engine.go
+++ b/internal/delivery/engine.go
--- a/internal/delivery/engine_integration_test.go
+++ b/internal/delivery/engine_integration_test.go
--- a/internal/delivery/engine_test.go
+++ b/internal/delivery/engine_test.go
--- a/internal/delivery/export_test.go
+++ b/internal/delivery/export_test.go
@@ -1,240 +0,0 @@
 package delivery
 import (
 	"context"
 	"log/slog"
 	"net"
 	"net/http"
 	"time"
 	"gorm.io/gorm"
 	"sneak.berlin/go/webhooker/internal/database"
 )
 // Exported constants for test access.
 const (
 	ExportDeliveryChannelSize     = deliveryChannelSize
 	ExportRetryChannelSize        = retryChannelSize
 	ExportDefaultFailureThreshold = defaultFailureThreshold
 	ExportDefaultCooldown         = defaultCooldown
 )
 // ExportIsBlockedIP exposes isBlockedIP for testing.
 func ExportIsBlockedIP(ip net.IP) bool {
 	return isBlockedIP(ip)
 }
 // ExportBlockedNetworks exposes blockedNetworks.
 func ExportBlockedNetworks() []*net.IPNet {
 	return blockedNetworks
 }
 // ExportIsForwardableHeader exposes isForwardableHeader.
 func ExportIsForwardableHeader(name string) bool {
 	return isForwardableHeader(name)
 }
 // ExportTruncate exposes truncate for testing.
 func ExportTruncate(s string, maxLen int) string {
 	return truncate(s, maxLen)
 }
 // ExportDeliverHTTP exposes deliverHTTP for testing.
 func (e *Engine) ExportDeliverHTTP(
 	ctx context.Context,
 	webhookDB *gorm.DB,
 	d *database.Delivery,
 	task *Task,
 ) {
 	e.deliverHTTP(ctx, webhookDB, d, task)
 }
 // ExportDeliverDatabase exposes deliverDatabase.
 func (e *Engine) ExportDeliverDatabase(
 	webhookDB *gorm.DB, d *database.Delivery,
 ) {
 	e.deliverDatabase(webhookDB, d)
 }
 // ExportDeliverLog exposes deliverLog for testing.
 func (e *Engine) ExportDeliverLog(
 	webhookDB *gorm.DB, d *database.Delivery,
 ) {
 	e.deliverLog(webhookDB, d)
 }
 // ExportDeliverSlack exposes deliverSlack for testing.
 func (e *Engine) ExportDeliverSlack(
 	ctx context.Context,
 	webhookDB *gorm.DB,
 	d *database.Delivery,
 ) {
 	e.deliverSlack(ctx, webhookDB, d)
 }
 // ExportProcessNewTask exposes processNewTask.
 func (e *Engine) ExportProcessNewTask(
 	ctx context.Context, task *Task,
 ) {
 	e.processNewTask(ctx, task)
 }
 // ExportProcessRetryTask exposes processRetryTask.
 func (e *Engine) ExportProcessRetryTask(
 	ctx context.Context, task *Task,
 ) {
 	e.processRetryTask(ctx, task)
 }
 // ExportProcessDelivery exposes processDelivery.
 func (e *Engine) ExportProcessDelivery(
 	ctx context.Context,
 	webhookDB *gorm.DB,
 	d *database.Delivery,
 	task *Task,
 ) {
 	e.processDelivery(ctx, webhookDB, d, task)
 }
 // ExportGetCircuitBreaker exposes getCircuitBreaker.
 func (e *Engine) ExportGetCircuitBreaker(
 	targetID string,
 ) *CircuitBreaker {
 	return e.getCircuitBreaker(targetID)
 }
 // ExportParseHTTPConfig exposes parseHTTPConfig.
 func (e *Engine) ExportParseHTTPConfig(
 	configJSON string,
 ) (*HTTPTargetConfig, error) {
 	return e.parseHTTPConfig(configJSON)
 }
 // ExportParseSlackConfig exposes parseSlackConfig.
 func (e *Engine) ExportParseSlackConfig(
 	configJSON string,
 ) (*SlackTargetConfig, error) {
 	return e.parseSlackConfig(configJSON)
 }
 // ExportDoHTTPRequest exposes doHTTPRequest.
 func (e *Engine) ExportDoHTTPRequest(
 	ctx context.Context,
 	cfg *HTTPTargetConfig,
 	event *database.Event,
 ) (int, string, int64, error) {
 	return e.doHTTPRequest(ctx, cfg, event)
 }
 // ExportScheduleRetry exposes scheduleRetry.
 func (e *Engine) ExportScheduleRetry(
 	task Task, delay time.Duration,
 ) {
 	e.scheduleRetry(task, delay)
 }
 // ExportRecoverPendingDeliveries exposes
 // recoverPendingDeliveries.
 func (e *Engine) ExportRecoverPendingDeliveries(
 	ctx context.Context,
 	webhookDB *gorm.DB,
 	webhookID string,
 ) {
 	e.recoverPendingDeliveries(
 		ctx, webhookDB, webhookID,
 	)
 }
 // ExportRecoverWebhookDeliveries exposes
 // recoverWebhookDeliveries.
 func (e *Engine) ExportRecoverWebhookDeliveries(
 	ctx context.Context, webhookID string,
 ) {
 	e.recoverWebhookDeliveries(ctx, webhookID)
 }
 // ExportRecoverInFlight exposes recoverInFlight.
 func (e *Engine) ExportRecoverInFlight(
 	ctx context.Context,
 ) {
 	e.recoverInFlight(ctx)
 }
 // ExportStart exposes start for testing.
 func (e *Engine) ExportStart(ctx context.Context) {
 	e.start(ctx)
 }
 // ExportStop exposes stop for testing.
 func (e *Engine) ExportStop() {
 	e.stop()
 }
 // ExportDeliveryCh returns the delivery channel.
 func (e *Engine) ExportDeliveryCh() chan Task {
 	return e.deliveryCh
 }
 // ExportRetryCh returns the retry channel.
 func (e *Engine) ExportRetryCh() chan Task {
 	return e.retryCh
 }
 // NewTestEngine creates an Engine for unit tests without
 // database dependencies.
 func NewTestEngine(
 	log *slog.Logger,
 	client *http.Client,
 	workers int,
 ) *Engine {
 	return &Engine{
 		log:        log,
 		client:     client,
 		deliveryCh: make(chan Task, deliveryChannelSize),
 		retryCh:    make(chan Task, retryChannelSize),
 		workers:    workers,
 	}
 }
 // NewTestEngineSmallRetry creates an Engine with a tiny
 // retry channel buffer for overflow testing.
 func NewTestEngineSmallRetry(
 	log *slog.Logger,
 ) *Engine {
 	return &Engine{
 		log:     log,
 		retryCh: make(chan Task, 1),
 	}
 }
 // NewTestEngineWithDB creates an Engine with a real
 // database and dbManager for integration tests.
 func NewTestEngineWithDB(
 	db *database.Database,
 	dbMgr *database.WebhookDBManager,
 	log *slog.Logger,
 	client *http.Client,
 	workers int,
 ) *Engine {
 	return &Engine{
 		database:   db,
 		dbManager:  dbMgr,
 		log:        log,
 		client:     client,
 		deliveryCh: make(chan Task, deliveryChannelSize),
 		retryCh:    make(chan Task, retryChannelSize),
 		workers:    workers,
 	}
 }
 // NewTestCircuitBreaker creates a CircuitBreaker with
 // custom settings for testing.
 func NewTestCircuitBreaker(
 	threshold int, cooldown time.Duration,
 ) *CircuitBreaker {
 	return &CircuitBreaker{
 		state:     CircuitClosed,
 		threshold: threshold,
 		cooldown:  cooldown,
 	}
 }
--- a/internal/delivery/ssrf.go
+++ b/internal/delivery/ssrf.go
@@ -1,222 +0,0 @@
 package delivery
 import (
 	"context"
 	"errors"
 	"fmt"
 	"net"
 	"net/http"
 	"net/url"
 	"time"
 )
 const (
 	// dnsResolutionTimeout is the maximum time to wait for
 	// DNS resolution during SSRF validation.
 	dnsResolutionTimeout = 5 * time.Second
 )
 // Sentinel errors for SSRF validation.
 var (
 	errNoHostname = errors.New("URL has no hostname")
 	errNoIPs      = errors.New(
 		"hostname resolved to no IP addresses",
 	)
 	errBlockedIP = errors.New(
 		"blocked private/reserved IP range",
 	)
 	errInvalidScheme = errors.New(
 		"only http and https are allowed",
 	)
 )
 // blockedNetworks contains all private/reserved IP ranges
 // that should be blocked to prevent SSRF attacks.
 //
 //nolint:gochecknoglobals // package-level network list is appropriate here
 var blockedNetworks []*net.IPNet
 //nolint:gochecknoinits // init is the idiomatic way to parse CIDRs once at startup
 func init() {
 	cidrs := []string{
 		"127.0.0.0/8",
 		"10.0.0.0/8",
 		"172.16.0.0/12",
 		"192.168.0.0/16",
 		"169.254.0.0/16",
 		"0.0.0.0/8",
 		"100.64.0.0/10",
 		"192.0.0.0/24",
 		"192.0.2.0/24",
 		"198.18.0.0/15",
 		"198.51.100.0/24",
 		"203.0.113.0/24",
 		"224.0.0.0/4",
 		"240.0.0.0/4",
 		"::1/128",
 		"fc00::/7",
 		"fe80::/10",
 	}
 	for _, cidr := range cidrs {
 		_, network, err := net.ParseCIDR(cidr)
 		if err != nil {
 			panic(fmt.Sprintf(
 				"ssrf: failed to parse CIDR %q: %v",
 				cidr, err,
 			))
 		}
 		blockedNetworks = append(
 			blockedNetworks, network,
 		)
 	}
 }
 // isBlockedIP checks whether an IP address falls within
 // any blocked private/reserved network range.
 func isBlockedIP(ip net.IP) bool {
 	for _, network := range blockedNetworks {
 		if network.Contains(ip) {
 			return true
 		}
 	}
 	return false
 }
 // ValidateTargetURL checks that an HTTP delivery target
 // URL is safe from SSRF attacks.
 func ValidateTargetURL(
 	ctx context.Context, targetURL string,
 ) error {
 	parsed, err := url.Parse(targetURL)
 	if err != nil {
 		return fmt.Errorf("invalid URL: %w", err)
 	}
 	err = validateScheme(parsed.Scheme)
 	if err != nil {
 		return err
 	}
 	host := parsed.Hostname()
 	if host == "" {
 		return errNoHostname
 	}
 	if ip := net.ParseIP(host); ip != nil {
 		return checkBlockedIP(ip)
 	}
 	return validateHostname(ctx, host)
 }
 func validateScheme(scheme string) error {
 	if scheme != "http" && scheme != "https" {
 		return fmt.Errorf(
 			"unsupported URL scheme %q: %w",
 			scheme, errInvalidScheme,
 		)
 	}
 	return nil
 }
 func checkBlockedIP(ip net.IP) error {
 	if isBlockedIP(ip) {
 		return fmt.Errorf(
 			"target IP %s is in a blocked "+
 				"private/reserved range: %w",
 			ip, errBlockedIP,
 		)
 	}
 	return nil
 }
 func validateHostname(
 	ctx context.Context, host string,
 ) error {
 	dnsCtx, cancel := context.WithTimeout(
 		ctx, dnsResolutionTimeout,
 	)
 	defer cancel()
 	ips, err := net.DefaultResolver.LookupIPAddr(
 		dnsCtx, host,
 	)
 	if err != nil {
 		return fmt.Errorf(
 			"failed to resolve hostname %q: %w",
 			host, err,
 		)
 	}
 	if len(ips) == 0 {
 		return fmt.Errorf(
 			"hostname %q: %w", host, errNoIPs,
 		)
 	}
 	for _, ipAddr := range ips {
 		if isBlockedIP(ipAddr.IP) {
 			return fmt.Errorf(
 				"hostname %q resolves to blocked "+
 					"IP %s: %w",
 				host, ipAddr.IP, errBlockedIP,
 			)
 		}
 	}
 	return nil
 }
 // NewSSRFSafeTransport creates an http.Transport with a
 // custom DialContext that blocks connections to
 // private/reserved IP addresses.
 func NewSSRFSafeTransport() *http.Transport {
 	return &http.Transport{
 		DialContext: ssrfDialContext,
 	}
 }
 func ssrfDialContext(
 	ctx context.Context,
 	network, addr string,
 ) (net.Conn, error) {
 	host, port, err := net.SplitHostPort(addr)
 	if err != nil {
 		return nil, fmt.Errorf(
 			"ssrf: invalid address %q: %w",
 			addr, err,
 		)
 	}
 	ips, err := net.DefaultResolver.LookupIPAddr(
 		ctx, host,
 	)
 	if err != nil {
 		return nil, fmt.Errorf(
 			"ssrf: DNS resolution failed for %q: %w",
 			host, err,
 		)
 	}
 	for _, ipAddr := range ips {
 		if isBlockedIP(ipAddr.IP) {
 			return nil, fmt.Errorf(
 				"ssrf: connection to %s (%s) "+
 					"blocked: %w",
 				host, ipAddr.IP, errBlockedIP,
 			)
 		}
 	}
 	var dialer net.Dialer
 	return dialer.DialContext(
 		ctx, network,
 		net.JoinHostPort(ips[0].IP.String(), port),
 	)
 }
--- a/internal/delivery/ssrf_test.go
+++ b/internal/delivery/ssrf_test.go
@@ -1,172 +0,0 @@
 package delivery_test
 import (
 	"context"
 	"net"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"sneak.berlin/go/webhooker/internal/delivery"
 )
 func TestIsBlockedIP_PrivateRanges(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
 		name    string
 		ip      string
 		blocked bool
 	}{
 		{"loopback 127.0.0.1", "127.0.0.1", true},
 		{"loopback 127.0.0.2", "127.0.0.2", true},
 		{"loopback 127.255.255.255", "127.255.255.255", true},
 		{"10.0.0.0", "10.0.0.0", true},
 		{"10.0.0.1", "10.0.0.1", true},
 		{"10.255.255.255", "10.255.255.255", true},
 		{"172.16.0.1", "172.16.0.1", true},
 		{"172.31.255.255", "172.31.255.255", true},
 		{"172.15.255.255", "172.15.255.255", false},
 		{"172.32.0.0", "172.32.0.0", false},
 		{"192.168.0.1", "192.168.0.1", true},
 		{"192.168.255.255", "192.168.255.255", true},
 		{"169.254.0.1", "169.254.0.1", true},
 		{"169.254.169.254", "169.254.169.254", true},
 		{"8.8.8.8", "8.8.8.8", false},
 		{"1.1.1.1", "1.1.1.1", false},
 		{"93.184.216.34", "93.184.216.34", false},
 		{"::1", "::1", true},
 		{"fd00::1", "fd00::1", true},
 		{"fc00::1", "fc00::1", true},
 		{"fe80::1", "fe80::1", true},
 		{
 			"2607:f8b0:4004:800::200e",
 			"2607:f8b0:4004:800::200e",
 			false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 			ip := net.ParseIP(tt.ip)
 			require.NotNil(t, ip,
 				"failed to parse IP %s", tt.ip,
 			)
 			assert.Equal(t,
 				tt.blocked,
 				delivery.ExportIsBlockedIP(ip),
 				"isBlockedIP(%s) = %v, want %v",
 				tt.ip,
 				delivery.ExportIsBlockedIP(ip),
 				tt.blocked,
 			)
 		})
 	}
 }
 func TestValidateTargetURL_Blocked(t *testing.T) {
 	t.Parallel()
 	blockedURLs := []string{
 		"http://127.0.0.1/hook",
 		"http://127.0.0.1:8080/hook",
 		"https://10.0.0.1/hook",
 		"http://192.168.1.1/webhook",
 		"http://172.16.0.1/api",
 		"http://169.254.169.254/latest/meta-data/",
 		"http://[::1]/hook",
 		"http://[fc00::1]/hook",
 		"http://[fe80::1]/hook",
 		"http://0.0.0.0/hook",
 	}
 	for _, u := range blockedURLs {
 		t.Run(u, func(t *testing.T) {
 			t.Parallel()
 			err := delivery.ValidateTargetURL(
 				context.Background(), u,
 			)
 			assert.Error(t, err,
 				"URL %s should be blocked", u,
 			)
 		})
 	}
 }
 func TestValidateTargetURL_Allowed(t *testing.T) {
 	t.Parallel()
 	allowedURLs := []string{
 		"https://example.com/hook",
 		"http://93.184.216.34/webhook",
 		"https://hooks.slack.com/services/T00/B00/xxx",
 	}
 	for _, u := range allowedURLs {
 		t.Run(u, func(t *testing.T) {
 			t.Parallel()
 			err := delivery.ValidateTargetURL(
 				context.Background(), u,
 			)
 			assert.NoError(t, err,
 				"URL %s should be allowed", u,
 			)
 		})
 	}
 }
 func TestValidateTargetURL_InvalidScheme(t *testing.T) {
 	t.Parallel()
 	err := delivery.ValidateTargetURL(
 		context.Background(), "ftp://example.com/hook",
 	)
 	require.Error(t, err)
 	assert.Contains(t, err.Error(),
 		"unsupported URL scheme",
 	)
 }
 func TestValidateTargetURL_EmptyHost(t *testing.T) {
 	t.Parallel()
 	err := delivery.ValidateTargetURL(
 		context.Background(), "http:///path",
 	)
 	assert.Error(t, err)
 }
 func TestValidateTargetURL_InvalidURL(t *testing.T) {
 	t.Parallel()
 	err := delivery.ValidateTargetURL(
 		context.Background(), "://invalid",
 	)
 	assert.Error(t, err)
 }
 func TestBlockedNetworks_Initialized(t *testing.T) {
 	t.Parallel()
 	nets := delivery.ExportBlockedNetworks()
 	assert.NotEmpty(t, nets,
 		"blockedNetworks should be initialized",
 	)
 	assert.GreaterOrEqual(t, len(nets), 8,
 		"should have at least 8 blocked network ranges",
 	)
 }
--- a/internal/globals/globals.go
+++ b/internal/globals/globals.go
@@ -1,34 +1,28 @@
 // Package globals provides build-time variables injected via ldflags.
 package globals
 import (
 	"go.uber.org/fx"
 )
-// Build-time variables populated from main() and copied into the
+// these get populated from main() and copied into the Globals object.
 // Globals object.
 //
 //nolint:gochecknoglobals // Build-time variables set by main().
 var (
 	Appname   string
 	Version   string
 	Buildarch string
 )
 // Globals holds build-time metadata about the application.
 type Globals struct {
 	Appname   string
 	Version   string
 	Buildarch string
 }
-// New creates a Globals instance from the package-level
+// nolint:revive // lc parameter is required by fx even if unused
 // build-time variables.
 //
 //nolint:revive // lc parameter is required by fx even if unused.
 func New(lc fx.Lifecycle) (*Globals, error) {
 	n := &Globals{
 		Appname:   Appname,
 		Buildarch: Buildarch,
 		Version:   Version,
 	}
 	return n, nil
 }
--- a/internal/globals/globals_test.go
+++ b/internal/globals/globals_test.go
@@ -1,30 +1,30 @@
-package globals_test
+package globals
 import (
 	"testing"
-	"sneak.berlin/go/webhooker/internal/globals"
+	"go.uber.org/fx/fxtest"
 )
-func TestGlobalsFields(t *testing.T) {
+func TestNew(t *testing.T) {
-	t.Parallel()
+	// Set test values
 	Appname = "test-app"
 	Version = "1.0.0"
 	Buildarch = "test-arch"
-	g := &globals.Globals{
+	lc := fxtest.NewLifecycle(t)
-		Appname: "test-app",
+	globals, err := New(lc)
-		Version: "1.0.0",
+	if err != nil {
 		t.Fatalf("New() error = %v", err)
 	}
-	if g.Appname != "test-app" {
+	if globals.Appname != "test-app" {
-		t.Errorf(
+		t.Errorf("Appname = %v, want %v", globals.Appname, "test-app")
 			"Appname = %v, want %v",
 			g.Appname, "test-app",
 		)
 	}
-
+	if globals.Version != "1.0.0" {
-	if g.Version != "1.0.0" {
+		t.Errorf("Version = %v, want %v", globals.Version, "1.0.0")
-		t.Errorf(
+	}
-			"Version = %v, want %v",
+	if globals.Buildarch != "test-arch" {
-			g.Version, "1.0.0",
+		t.Errorf("Buildarch = %v, want %v", globals.Buildarch, "test-arch")
 		)
 	}
 }
--- a/internal/handlers/auth.go
+++ b/internal/handlers/auth.go
@@ -13,12 +13,11 @@ func (h *Handlers) HandleLoginPage() http.HandlerFunc {
 		sess, err := h.session.Get(r)
 		if err == nil && h.session.IsAuthenticated(sess) {
 			http.Redirect(w, r, "/", http.StatusSeeOther)
 			return
 		}
 		// Render login page
-		data := map[string]any{
+		data := map[string]interface{}{
 			"Error": "",
 		}
@@ -29,15 +28,10 @@ func (h *Handlers) HandleLoginPage() http.HandlerFunc {
 // HandleLoginSubmit handles the login form submission (POST)
 func (h *Handlers) HandleLoginSubmit() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		// Limit request body to prevent memory exhaustion
 		r.Body = http.MaxBytesReader(w, r.Body, 1<<maxBodyShift)
 		// Parse form data
-		err := r.ParseForm()
+		if err := r.ParseForm(); err != nil {
 		if err != nil {
 			h.log.Error("failed to parse form", "error", err)
 			http.Error(w, "Bad request", http.StatusBadRequest)
 			return
 		}
@@ -46,147 +40,67 @@ func (h *Handlers) HandleLoginSubmit() http.HandlerFunc {
 		// Validate input
 		if username == "" || password == "" {
-			h.renderLoginError(
+			data := map[string]interface{}{
-				w, r,
+				"Error": "Username and password are required",
 				"Username and password are required",
 				http.StatusBadRequest,
 			)
 			return
 			}
-
+			w.WriteHeader(http.StatusBadRequest)
 		user, err := h.authenticateUser(
 			w, r, username, password,
 		)
 		if err != nil {
 			return
 		}
 		err = h.createAuthenticatedSession(w, r, user)
 		if err != nil {
 			return
 		}
 		h.log.Info(
 			"user logged in",
 			"username", username,
 			"user_id", user.ID,
 		)
 		// Redirect to home page
 		http.Redirect(w, r, "/", http.StatusSeeOther)
 	}
 }
 // renderLoginError renders the login page with an error message.
 func (h *Handlers) renderLoginError(
 	w http.ResponseWriter,
 	r *http.Request,
 	msg string,
 	status int,
 ) {
 	data := map[string]any{
 		"Error": msg,
 	}
 	w.WriteHeader(status)
 			h.renderTemplate(w, r, "login.html", data)
 			return
 		}
-// authenticateUser looks up and verifies a user's credentials.
+		// Find user in database
 // On failure it writes an HTTP response and returns an error.
 func (h *Handlers) authenticateUser(
 	w http.ResponseWriter,
 	r *http.Request,
 	username, password string,
 ) (database.User, error) {
 		var user database.User
-
+		if err := h.db.DB().Where("username = ?", username).First(&user).Error; err != nil {
 	err := h.db.DB().Where(
 		"username = ?", username,
 	).First(&user).Error
 	if err != nil {
 			h.log.Debug("user not found", "username", username)
-		h.renderLoginError(
+			data := map[string]interface{}{
-			w, r,
+				"Error": "Invalid username or password",
-			"Invalid username or password",
+			}
-			http.StatusUnauthorized,
+			w.WriteHeader(http.StatusUnauthorized)
-		)
+			h.renderTemplate(w, r, "login.html", data)
-
+			return
 		return user, err
 		}
 		// Verify password
 		valid, err := database.VerifyPassword(password, user.Password)
 		if err != nil {
 			h.log.Error("failed to verify password", "error", err)
-		http.Error(
+			http.Error(w, "Internal server error", http.StatusInternalServerError)
-			w, "Internal server error",
+			return
 			http.StatusInternalServerError,
 		)
 		return user, err
 		}
 		if !valid {
 			h.log.Debug("invalid password", "username", username)
-		h.renderLoginError(
+			data := map[string]interface{}{
-			w, r,
+				"Error": "Invalid username or password",
-			"Invalid username or password",
+			}
-			http.StatusUnauthorized,
+			w.WriteHeader(http.StatusUnauthorized)
-		)
+			h.renderTemplate(w, r, "login.html", data)
-
+			return
 		return user, errInvalidPassword
 		}
-	return user, nil
+		// Create session
-}
+		sess, err := h.session.Get(r)
 // createAuthenticatedSession regenerates the session and stores
 // user info. On failure it writes an HTTP response and returns
 // an error.
 func (h *Handlers) createAuthenticatedSession(
 	w http.ResponseWriter,
 	r *http.Request,
 	user database.User,
 ) error {
 	oldSess, err := h.session.Get(r)
 		if err != nil {
 			h.log.Error("failed to get session", "error", err)
-		http.Error(
+			http.Error(w, "Internal server error", http.StatusInternalServerError)
-			w, "Internal server error",
+			return
 			http.StatusInternalServerError,
 		)
 		return err
 	}
 	sess, err := h.session.Regenerate(r, w, oldSess)
 	if err != nil {
 		h.log.Error(
 			"failed to regenerate session", "error", err,
 		)
 		http.Error(
 			w, "Internal server error",
 			http.StatusInternalServerError,
 		)
 		return err
 		}
 		// Set user in session
 		h.session.SetUser(sess, user.ID, user.Username)
-	err = h.session.Save(r, w, sess)
+		// Save session
-	if err != nil {
+		if err := h.session.Save(r, w, sess); err != nil {
 			h.log.Error("failed to save session", "error", err)
-		http.Error(
+			http.Error(w, "Internal server error", http.StatusInternalServerError)
-			w, "Internal server error",
+			return
 			http.StatusInternalServerError,
 		)
 		return err
 		}
-	return nil
+		h.log.Info("user logged in", "username", username, "user_id", user.ID)
 		// Redirect to home page
 		http.Redirect(w, r, "/", http.StatusSeeOther)
 	}
 }
 // HandleLogout handles user logout
@@ -195,10 +109,7 @@ func (h *Handlers) HandleLogout() http.HandlerFunc {
 		sess, err := h.session.Get(r)
 		if err != nil {
 			h.log.Error("failed to get session", "error", err)
-			http.Redirect(
+			http.Redirect(w, r, "/pages/login", http.StatusSeeOther)
 				w, r, "/pages/login", http.StatusSeeOther,
 			)
 			return
 		}
@@ -206,12 +117,8 @@ func (h *Handlers) HandleLogout() http.HandlerFunc {
 		h.session.Destroy(sess)
 		// Save the destroyed session
-		err = h.session.Save(r, w, sess)
+		if err := h.session.Save(r, w, sess); err != nil {
-		if err != nil {
+			h.log.Error("failed to save destroyed session", "error", err)
 			h.log.Error(
 				"failed to save destroyed session",
 				"error", err,
 			)
 		}
 		// Redirect to login page
--- a/internal/handlers/export_test.go
+++ b/internal/handlers/export_test.go
@@ -1,14 +0,0 @@
 package handlers
 import "net/http"
 // RenderTemplateForTest exposes renderTemplate for use in the
 // handlers_test package.
 func (s *Handlers) RenderTemplateForTest(
 	w http.ResponseWriter,
 	r *http.Request,
 	pageTemplate string,
 	data any,
 ) {
 	s.renderTemplate(w, r, pageTemplate, data)
 }
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -1,127 +1,75 @@
 // Package handlers provides HTTP request handlers for the
 // webhooker web UI and API.
 package handlers
 import (
 	"context"
 	"encoding/json"
 	"errors"
 	"html/template"
 	"log/slog"
 	"net/http"
 	"go.uber.org/fx"
 	"sneak.berlin/go/webhooker/internal/database"
 	"sneak.berlin/go/webhooker/internal/delivery"
 	"sneak.berlin/go/webhooker/internal/globals"
 	"sneak.berlin/go/webhooker/internal/healthcheck"
 	"sneak.berlin/go/webhooker/internal/logger"
 	"sneak.berlin/go/webhooker/internal/middleware"
 	"sneak.berlin/go/webhooker/internal/session"
 	"sneak.berlin/go/webhooker/templates"
 )
-const (
+// nolint:revive // HandlersParams is a standard fx naming convention
 	// maxBodyShift is the bit shift for 1 MB body limit.
 	maxBodyShift = 20
 	// recentEventLimit is the number of recent events to show.
 	recentEventLimit = 20
 	// defaultRetentionDays is the default event retention period.
 	defaultRetentionDays = 30
 	// paginationPerPage is the number of items per page.
 	paginationPerPage = 25
 )
 // errInvalidPassword is returned when a password does not match.
 var errInvalidPassword = errors.New("invalid password")
 //nolint:revive // HandlersParams is a standard fx naming convention.
 type HandlersParams struct {
 	fx.In
 	Logger      *logger.Logger
 	Globals     *globals.Globals
 	Database    *database.Database
 	WebhookDBMgr *database.WebhookDBManager
 	Healthcheck *healthcheck.Healthcheck
 	Session     *session.Session
 	Notifier     delivery.Notifier
 }
 // Handlers provides HTTP handler methods for all application
 // routes.
 type Handlers struct {
 	params    *HandlersParams
 	log       *slog.Logger
 	hc        *healthcheck.Healthcheck
 	db        *database.Database
 	dbMgr     *database.WebhookDBManager
 	session   *session.Session
 	notifier  delivery.Notifier
 	templates map[string]*template.Template
 }
-// parsePageTemplate parses a page-specific template set from the
+// parsePageTemplate parses a page-specific template set from the embedded FS.
-// embedded FS. Each page template is combined with the shared
+// Each page template is combined with the shared base, htmlheader, and navbar templates.
 // base, htmlheader, and navbar templates. The page file must be
 // listed first so that its root action ({{template "base" .}})
 // becomes the template set's entry point.
 func parsePageTemplate(pageFile string) *template.Template {
 	return template.Must(
-		template.ParseFS(
+		template.ParseFS(templates.Templates, "htmlheader.html", "navbar.html", "base.html", pageFile),
 			templates.Templates,
 			pageFile,
 			"base.html",
 			"htmlheader.html",
 			"navbar.html",
 		),
 	)
 }
-// New creates a Handlers instance, parsing all page templates at
+func New(lc fx.Lifecycle, params HandlersParams) (*Handlers, error) {
 // startup.
 func New(
 	lc fx.Lifecycle,
 	params HandlersParams,
 ) (*Handlers, error) {
 	s := new(Handlers)
 	s.params = &params
 	s.log = params.Logger.Get()
 	s.hc = params.Healthcheck
 	s.db = params.Database
 	s.dbMgr = params.WebhookDBMgr
 	s.session = params.Session
 	s.notifier = params.Notifier
 	// Parse all page templates once at startup
 	s.templates = map[string]*template.Template{
 		"index.html":   parsePageTemplate("index.html"),
 		"login.html":   parsePageTemplate("login.html"),
 		"profile.html": parsePageTemplate("profile.html"),
 		"sources_list.html":  parsePageTemplate("sources_list.html"),
 		"sources_new.html":   parsePageTemplate("sources_new.html"),
 		"source_detail.html": parsePageTemplate("source_detail.html"),
 		"source_edit.html":   parsePageTemplate("source_edit.html"),
 		"source_logs.html":   parsePageTemplate("source_logs.html"),
 	}
 	lc.Append(fx.Hook{
-		OnStart: func(_ context.Context) error {
+		OnStart: func(ctx context.Context) error {
 			return nil
 		},
 	})
 	return s, nil
 }
-func (s *Handlers) respondJSON(
+//nolint:unparam // r parameter will be used in the future for request context
-	w http.ResponseWriter,
+func (s *Handlers) respondJSON(w http.ResponseWriter, r *http.Request, data interface{}, status int) {
 	_ *http.Request,
 	data any,
 	status int,
 ) {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(status)
 	if data != nil {
 		err := json.NewEncoder(w).Encode(data)
 		if err != nil {
@@ -130,15 +78,17 @@ func (s *Handlers) respondJSON(
 	}
 }
-// serverError logs an error and sends a 500 response.
+//nolint:unparam,unused // will be used for handling JSON requests
-func (s *Handlers) serverError(
+func (s *Handlers) decodeJSON(w http.ResponseWriter, r *http.Request, v interface{}) error {
-	w http.ResponseWriter, msg string, err error,
+	return json.NewDecoder(r.Body).Decode(v)
-) {
+}
-	s.log.Error(msg, "error", err)
+
-	http.Error(
+// TemplateData represents the common data passed to templates
-		w, "Internal server error",
+type TemplateData struct {
-		http.StatusInternalServerError,
+	User      *UserInfo
-	)
+	Version   string
 	UserCount int64
 	Uptime    string
 }
 // UserInfo represents user information for templates
@@ -147,91 +97,52 @@ type UserInfo struct {
 	Username string
 }
-// templateDataWrapper wraps non-map data with common fields.
+// renderTemplate renders a pre-parsed template with common data
-type templateDataWrapper struct {
+func (s *Handlers) renderTemplate(w http.ResponseWriter, r *http.Request, pageTemplate string, data interface{}) {
 	User      *UserInfo
 	CSRFToken string
 	Data      any
 }
 // getUserInfo extracts user info from the session.
 func (s *Handlers) getUserInfo(
 	r *http.Request,
 ) *UserInfo {
 	sess, err := s.session.Get(r)
 	if err != nil || !s.session.IsAuthenticated(sess) {
 		return nil
 	}
 	username, ok := s.session.GetUsername(sess)
 	if !ok {
 		return nil
 	}
 	userID, ok := s.session.GetUserID(sess)
 	if !ok {
 		return nil
 	}
 	return &UserInfo{ID: userID, Username: username}
 }
 // renderTemplate renders a pre-parsed template with common
 // data
 func (s *Handlers) renderTemplate(
 	w http.ResponseWriter,
 	r *http.Request,
 	pageTemplate string,
 	data any,
 ) {
 	tmpl, ok := s.templates[pageTemplate]
 	if !ok {
-		s.log.Error(
+		s.log.Error("template not found", "template", pageTemplate)
-			"template not found",
+		http.Error(w, "Internal server error", http.StatusInternalServerError)
 			"template", pageTemplate,
 		)
 		http.Error(
 			w, "Internal server error",
 			http.StatusInternalServerError,
 		)
 		return
 	}
-	userInfo := s.getUserInfo(r)
+	// Get user from session if available
-	csrfToken := middleware.CSRFToken(r)
+	var userInfo *UserInfo
 	sess, err := s.session.Get(r)
 	if err == nil && s.session.IsAuthenticated(sess) {
 		if username, ok := s.session.GetUsername(sess); ok {
 			if userID, ok := s.session.GetUserID(sess); ok {
 				userInfo = &UserInfo{
 					ID:       userID,
 					Username: username,
 				}
 			}
 		}
 	}
-	if m, ok := data.(map[string]any); ok {
+	// If data is a map, merge user info into it
 	if m, ok := data.(map[string]interface{}); ok {
 		m["User"] = userInfo
-		m["CSRFToken"] = csrfToken
+		if err := tmpl.Execute(w, m); err != nil {
-		s.executeTemplate(w, tmpl, m)
+			s.log.Error("failed to execute template", "error", err)
-
+			http.Error(w, "Internal server error", http.StatusInternalServerError)
 		}
 		return
 	}
 	// Wrap data with base template data
 	type templateDataWrapper struct {
 		User *UserInfo
 		Data interface{}
 	}
 	wrapper := templateDataWrapper{
 		User: userInfo,
 		CSRFToken: csrfToken,
 		Data: data,
 	}
-	s.executeTemplate(w, tmpl, wrapper)
+	if err := tmpl.Execute(w, wrapper); err != nil {
-}
+		s.log.Error("failed to execute template", "error", err)
-
+		http.Error(w, "Internal server error", http.StatusInternalServerError)
 // executeTemplate runs the template and handles errors.
 func (s *Handlers) executeTemplate(
 	w http.ResponseWriter,
 	tmpl *template.Template,
 	data any,
 ) {
 	err := tmpl.Execute(w, data)
 	if err != nil {
 		s.log.Error(
 			"failed to execute template", "error", err,
 		)
 		http.Error(
 			w, "Internal server error",
 			http.StatusInternalServerError,
 		)
 	}
 }
--- a/internal/handlers/handlers_test.go
+++ b/internal/handlers/handlers_test.go
@@ -1,10 +1,10 @@
-package handlers_test
+package handlers
 import (
 	"context"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -12,131 +12,120 @@ import (
 	"go.uber.org/fx/fxtest"
 	"sneak.berlin/go/webhooker/internal/config"
 	"sneak.berlin/go/webhooker/internal/database"
 	"sneak.berlin/go/webhooker/internal/delivery"
 	"sneak.berlin/go/webhooker/internal/globals"
 	"sneak.berlin/go/webhooker/internal/handlers"
 	"sneak.berlin/go/webhooker/internal/healthcheck"
 	"sneak.berlin/go/webhooker/internal/logger"
 	"sneak.berlin/go/webhooker/internal/session"
 )
-type noopNotifier struct{}
+func TestHandleIndex(t *testing.T) {
 	var h *Handlers
-func (n *noopNotifier) Notify([]delivery.Task) {}
+	app := fxtest.New(
 func newTestApp(
 	t *testing.T,
 	targets ...any,
 ) *fxtest.App {
 	t.Helper()
 	return fxtest.New(
 		t,
 		fx.Provide(
 			globals.New,
 			logger.New,
 			func() *config.Config {
 				return &config.Config{
-					DataDir: t.TempDir(),
+					// This is a base64 encoded 32-byte key: "test-session-key-32-bytes-long!!"
 					SessionKey: "dGVzdC1zZXNzaW9uLWtleS0zMi1ieXRlcy1sb25nISE=",
 				}
 			},
-			database.New,
+			func() *database.Database {
-			database.NewWebhookDBManager,
+				// Mock database with a mock DB method
 				db := &database.Database{}
 				return db
 			},
 			healthcheck.New,
 			session.New,
-			func() delivery.Notifier {
+			New,
 				return &noopNotifier{}
 			},
 			handlers.New,
 		),
-		fx.Populate(targets...),
+		fx.Populate(&h),
 	)
 }
 func TestHandleIndex_Unauthenticated(t *testing.T) {
 	t.Parallel()
 	var h *handlers.Handlers
 	app := newTestApp(t, &h)
 	app.RequireStart()
 	defer app.RequireStop()
-	t.Cleanup(app.RequireStop)
+	// Since we can't test actual template rendering without templates,
-
+	// let's test that the handler is created and doesn't panic
 	req := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 	w := httptest.NewRecorder()
 	handler := h.HandleIndex()
-	handler.ServeHTTP(w, req)
+	assert.NotNil(t, handler)
 	assert.Equal(t, http.StatusSeeOther, w.Code)
 	assert.Equal(
 		t, "/pages/login", w.Header().Get("Location"),
 	)
 }
 func TestHandleIndex_Authenticated(t *testing.T) {
 	t.Parallel()
 	var h *handlers.Handlers
 	var sess *session.Session
 	app := newTestApp(t, &h, &sess)
 	app.RequireStart()
 	t.Cleanup(app.RequireStop)
 	req := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 	w := httptest.NewRecorder()
 	s, err := sess.Get(req)
 	require.NoError(t, err)
 	sess.SetUser(s, "test-user-id", "testuser")
 	err = sess.Save(req, w, s)
 	require.NoError(t, err)
 	req2 := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 	for _, cookie := range w.Result().Cookies() {
 		req2.AddCookie(cookie)
 	}
 	w2 := httptest.NewRecorder()
 	h.HandleIndex().ServeHTTP(w2, req2)
 	assert.Equal(t, http.StatusSeeOther, w2.Code)
 	assert.Equal(
 		t, "/sources", w2.Header().Get("Location"),
 	)
 }
 func TestRenderTemplate(t *testing.T) {
-	t.Parallel()
+	var h *Handlers
-	var h *handlers.Handlers
+	app := fxtest.New(
-
+		t,
-	app := newTestApp(t, &h)
+		fx.Provide(
 			globals.New,
 			logger.New,
 			func() *config.Config {
 				return &config.Config{
 					// This is a base64 encoded 32-byte key: "test-session-key-32-bytes-long!!"
 					SessionKey: "dGVzdC1zZXNzaW9uLWtleS0zMi1ieXRlcy1sb25nISE=",
 				}
 			},
 			func() *database.Database {
 				// Mock database
 				return &database.Database{}
 			},
 			healthcheck.New,
 			session.New,
 			New,
 		),
 		fx.Populate(&h),
 	)
 	app.RequireStart()
 	defer app.RequireStop()
-	t.Cleanup(app.RequireStop)
+	t.Run("handles missing templates gracefully", func(t *testing.T) {
-
+		req := httptest.NewRequest(http.MethodGet, "/", nil)
 	req := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 		w := httptest.NewRecorder()
-	data := map[string]any{"Version": "1.0.0"}
+		data := map[string]interface{}{
-
+			"Version": "1.0.0",
-	h.RenderTemplateForTest(
+		}
-		w, req, "nonexistent.html", data,
+
-	)
+		// When a non-existent template name is requested, renderTemplate
-
+		// should return an internal server error
-	assert.Equal(
+		h.renderTemplate(w, req, "nonexistent.html", data)
-		t, http.StatusInternalServerError, w.Code,
+
-	)
+		// Should return internal server error when template is not found
 		assert.Equal(t, http.StatusInternalServerError, w.Code)
 	})
 }
 func TestFormatUptime(t *testing.T) {
 	tests := []struct {
 		name     string
 		duration string
 		expected string
 	}{
 		{
 			name:     "minutes only",
 			duration: "45m",
 			expected: "45m",
 		},
 		{
 			name:     "hours and minutes",
 			duration: "2h30m",
 			expected: "2h 30m",
 		},
 		{
 			name:     "days, hours and minutes",
 			duration: "25h45m",
 			expected: "1d 1h 45m",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			d, err := time.ParseDuration(tt.duration)
 			require.NoError(t, err)
 			result := formatUptime(d)
 			assert.Equal(t, tt.expected, result)
 		})
 	}
 }
--- a/internal/handlers/healthcheck.go
+++ b/internal/handlers/healthcheck.go
@@ -4,13 +4,9 @@ import (
 	"net/http"
 )
 const httpStatusOK = 200
 // HandleHealthCheck returns an HTTP handler that reports
 // application health.
 func (s *Handlers) HandleHealthCheck() http.HandlerFunc {
 	return func(w http.ResponseWriter, req *http.Request) {
 		resp := s.hc.Healthcheck()
-		s.respondJSON(w, req, resp, httpStatusOK)
+		s.respondJSON(w, req, resp, 200)
 	}
 }
--- a/internal/handlers/index.go
+++ b/internal/handlers/index.go
@@ -1,21 +1,54 @@
 package handlers
 import (
 	"fmt"
 	"net/http"
 	"time"
 	"sneak.berlin/go/webhooker/internal/database"
 )
-// HandleIndex returns a handler for the root path that redirects
+type IndexResponse struct {
-// based on authentication state: authenticated users go to /sources
+	Message string `json:"message"`
-// (the dashboard), unauthenticated users go to the login page.
+	Version string `json:"version"`
 }
 func (s *Handlers) HandleIndex() http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
+	// Calculate server start time
-		sess, err := s.session.Get(r)
+	startTime := time.Now()
 		if err == nil && s.session.IsAuthenticated(sess) {
 			http.Redirect(w, r, "/sources", http.StatusSeeOther)
-			return
+	return func(w http.ResponseWriter, req *http.Request) {
 		// Calculate uptime
 		uptime := time.Since(startTime)
 		uptimeStr := formatUptime(uptime)
 		// Get user count from database
 		var userCount int64
 		s.db.DB().Model(&database.User{}).Count(&userCount)
 		// Prepare template data
 		data := map[string]interface{}{
 			"Version":   s.params.Globals.Version,
 			"Uptime":    uptimeStr,
 			"UserCount": userCount,
 		}
-		http.Redirect(w, r, "/pages/login", http.StatusSeeOther)
+		// Render the template
 		s.renderTemplate(w, req, "index.html", data)
 	}
 }
 // formatUptime formats a duration into a human-readable string
 func formatUptime(d time.Duration) string {
 	days := int(d.Hours()) / 24
 	hours := int(d.Hours()) % 24
 	minutes := int(d.Minutes()) % 60
 	if days > 0 {
 		return fmt.Sprintf("%dd %dh %dm", days, hours, minutes)
 	}
 	if hours > 0 {
 		return fmt.Sprintf("%dh %dm", hours, minutes)
 	}
 	return fmt.Sprintf("%dm", minutes)
 }
--- a/internal/handlers/profile.go
+++ b/internal/handlers/profile.go
@@ -13,7 +13,6 @@ func (h *Handlers) HandleProfile() http.HandlerFunc {
 		requestedUsername := chi.URLParam(r, "username")
 		if requestedUsername == "" {
 			http.NotFound(w, r)
 			return
 		}
@@ -22,7 +21,6 @@ func (h *Handlers) HandleProfile() http.HandlerFunc {
 		if err != nil || !h.session.IsAuthenticated(sess) {
 			// Redirect to login if not authenticated
 			http.Redirect(w, r, "/pages/login", http.StatusSeeOther)
 			return
 		}
@@ -31,7 +29,6 @@ func (h *Handlers) HandleProfile() http.HandlerFunc {
 		if !ok {
 			h.log.Error("authenticated session missing username")
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}
@@ -39,19 +36,17 @@ func (h *Handlers) HandleProfile() http.HandlerFunc {
 		if !ok {
 			h.log.Error("authenticated session missing user ID")
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}
 		// For now, only allow users to view their own profile
 		if requestedUsername != sessionUsername {
 			http.Error(w, "Forbidden", http.StatusForbidden)
 			return
 		}
 		// Prepare data for template
-		data := map[string]any{
+		data := map[string]interface{}{
 			"User": &UserInfo{
 				ID:       sessionUserID,
 				Username: sessionUsername,
--- a/internal/handlers/source_management.go
+++ b/internal/handlers/source_management.go
--- a/internal/handlers/webhook.go
+++ b/internal/handlers/webhook.go
@@ -1,346 +1,42 @@
 package handlers
 import (
 	"encoding/json"
 	"io"
 	"net/http"
 	"github.com/go-chi/chi"
 	"gorm.io/gorm"
 	"sneak.berlin/go/webhooker/internal/database"
 	"sneak.berlin/go/webhooker/internal/delivery"
 )
-const (
+// HandleWebhook handles incoming webhook requests at entrypoint URLs
 	// maxWebhookBodySize is the maximum allowed webhook
 	// request body (1 MB).
 	maxWebhookBodySize = 1 << maxBodyShift
 )
 // HandleWebhook handles incoming webhook requests at entrypoint
 // URLs.
 func (h *Handlers) HandleWebhook() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		if r.Method != http.MethodPost {
+		// Get entrypoint UUID from URL
 			w.Header().Set("Allow", "POST")
 			http.Error(
 				w,
 				"Method Not Allowed",
 				http.StatusMethodNotAllowed,
 			)
 			return
 		}
 		entrypointUUID := chi.URLParam(r, "uuid")
 		if entrypointUUID == "" {
 			http.NotFound(w, r)
 			return
 		}
 		// Log the incoming webhook request
 		h.log.Info("webhook request received",
 			"entrypoint_uuid", entrypointUUID,
 			"method", r.Method,
 			"remote_addr", r.RemoteAddr,
 			"user_agent", r.UserAgent(),
 		)
-		entrypoint, ok := h.lookupEntrypoint(
+		// Only POST methods are allowed for webhooks
-			w, r, entrypointUUID,
+		if r.Method != http.MethodPost {
-		)
+			w.Header().Set("Allow", "POST")
-		if !ok {
+			http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
 			return
 		}
-		if !entrypoint.Active {
+		// TODO: Implement webhook handling logic
-			http.Error(w, "Gone", http.StatusGone)
+		// Look up entrypoint by UUID, find parent webhook, fan out to targets
-
+		w.WriteHeader(http.StatusNotFound)
-			return
+		_, err := w.Write([]byte("unimplemented"))
 		}
 		h.processWebhookRequest(w, r, entrypoint)
 	}
 }
 // processWebhookRequest reads the body, serializes headers,
 // loads targets, and delivers the event.
 func (h *Handlers) processWebhookRequest(
 	w http.ResponseWriter,
 	r *http.Request,
 	entrypoint database.Entrypoint,
 ) {
 	body, ok := h.readWebhookBody(w, r)
 	if !ok {
 		return
 	}
 	headersJSON, err := json.Marshal(r.Header)
 		if err != nil {
-		h.serverError(w, "failed to serialize headers", err)
+			h.log.Error("failed to write response", "error", err)
 		return
 	}
 	targets, err := h.loadActiveTargets(entrypoint.WebhookID)
 	if err != nil {
 		h.serverError(w, "failed to query targets", err)
 		return
 	}
 	h.createAndDeliverEvent(
 		w, r, entrypoint, body, headersJSON, targets,
 	)
 }
 // loadActiveTargets returns all active targets for a webhook.
 func (h *Handlers) loadActiveTargets(
 	webhookID string,
 ) ([]database.Target, error) {
 	var targets []database.Target
 	err := h.db.DB().Where(
 		"webhook_id = ? AND active = ?",
 		webhookID, true,
 	).Find(&targets).Error
 	return targets, err
 }
 // lookupEntrypoint finds an entrypoint by UUID path.
 func (h *Handlers) lookupEntrypoint(
 	w http.ResponseWriter,
 	r *http.Request,
 	entrypointUUID string,
 ) (database.Entrypoint, bool) {
 	var entrypoint database.Entrypoint
 	result := h.db.DB().Where(
 		"path = ?", entrypointUUID,
 	).First(&entrypoint)
 	if result.Error != nil {
 		h.log.Debug(
 			"entrypoint not found",
 			"path", entrypointUUID,
 		)
 		http.NotFound(w, r)
 		return entrypoint, false
 	}
 	return entrypoint, true
 }
 // readWebhookBody reads and validates the request body size.
 func (h *Handlers) readWebhookBody(
 	w http.ResponseWriter,
 	r *http.Request,
 ) ([]byte, bool) {
 	body, err := io.ReadAll(
 		io.LimitReader(r.Body, maxWebhookBodySize+1),
 	)
 	if err != nil {
 		h.log.Error(
 			"failed to read request body", "error", err,
 		)
 		http.Error(
 			w, "Bad request", http.StatusBadRequest,
 		)
 		return nil, false
 	}
 	if len(body) > maxWebhookBodySize {
 		http.Error(
 			w,
 			"Request body too large",
 			http.StatusRequestEntityTooLarge,
 		)
 		return nil, false
 	}
 	return body, true
 }
 // createAndDeliverEvent creates the event and delivery records
 // then notifies the delivery engine.
 func (h *Handlers) createAndDeliverEvent(
 	w http.ResponseWriter,
 	r *http.Request,
 	entrypoint database.Entrypoint,
 	body, headersJSON []byte,
 	targets []database.Target,
 ) {
 	tx, err := h.beginWebhookTx(w, entrypoint.WebhookID)
 	if err != nil {
 		return
 	}
 	event := h.buildEvent(r, entrypoint, headersJSON, body)
 	err = tx.Create(event).Error
 	if err != nil {
 		tx.Rollback()
 		h.serverError(w, "failed to create event", err)
 		return
 	}
 	bodyPtr := inlineBody(body)
 	tasks := h.buildDeliveryTasks(
 		w, tx, event, entrypoint, targets, bodyPtr,
 	)
 	if tasks == nil {
 		return
 	}
 	err = tx.Commit().Error
 	if err != nil {
 		h.serverError(w, "failed to commit transaction", err)
 		return
 	}
 	h.finishWebhookResponse(w, event, entrypoint, tasks)
 }
 // beginWebhookTx opens a transaction on the per-webhook DB.
 func (h *Handlers) beginWebhookTx(
 	w http.ResponseWriter,
 	webhookID string,
 ) (*gorm.DB, error) {
 	webhookDB, err := h.dbMgr.GetDB(webhookID)
 	if err != nil {
 		h.serverError(
 			w, "failed to get webhook database", err,
 		)
 		return nil, err
 	}
 	tx := webhookDB.Begin()
 	if tx.Error != nil {
 		h.serverError(
 			w, "failed to begin transaction", tx.Error,
 		)
 		return nil, tx.Error
 	}
 	return tx, nil
 }
 // inlineBody returns a pointer to body as a string if it fits
 // within the inline size limit, or nil otherwise.
 func inlineBody(body []byte) *string {
 	if len(body) < delivery.MaxInlineBodySize {
 		s := string(body)
 		return &s
 	}
 	return nil
 }
 // finishWebhookResponse notifies the delivery engine, logs the
 // event, and writes the HTTP response.
 func (h *Handlers) finishWebhookResponse(
 	w http.ResponseWriter,
 	event *database.Event,
 	entrypoint database.Entrypoint,
 	tasks []delivery.Task,
 ) {
 	if len(tasks) > 0 {
 		h.notifier.Notify(tasks)
 	}
 	h.log.Info("webhook event created",
 		"event_id", event.ID,
 		"webhook_id", entrypoint.WebhookID,
 		"entrypoint_id", entrypoint.ID,
 		"target_count", len(tasks),
 	)
 	w.WriteHeader(http.StatusOK)
 	_, err := w.Write([]byte(`{"status":"ok"}`))
 	if err != nil {
 		h.log.Error(
 			"failed to write response", "error", err,
 		)
 		}
 	}
 // buildEvent creates a new Event struct from request data.
 func (h *Handlers) buildEvent(
 	r *http.Request,
 	entrypoint database.Entrypoint,
 	headersJSON, body []byte,
 ) *database.Event {
 	return &database.Event{
 		WebhookID:    entrypoint.WebhookID,
 		EntrypointID: entrypoint.ID,
 		Method:       r.Method,
 		Headers:      string(headersJSON),
 		Body:         string(body),
 		ContentType:  r.Header.Get("Content-Type"),
 	}
 }
 // buildDeliveryTasks creates delivery records in the
 // transaction and returns tasks for the delivery engine.
 // Returns nil if an error occurred.
 func (h *Handlers) buildDeliveryTasks(
 	w http.ResponseWriter,
 	tx *gorm.DB,
 	event *database.Event,
 	entrypoint database.Entrypoint,
 	targets []database.Target,
 	bodyPtr *string,
 ) []delivery.Task {
 	tasks := make([]delivery.Task, 0, len(targets))
 	for i := range targets {
 		dlv := &database.Delivery{
 			EventID:  event.ID,
 			TargetID: targets[i].ID,
 			Status:   database.DeliveryStatusPending,
 		}
 		err := tx.Create(dlv).Error
 		if err != nil {
 			tx.Rollback()
 			h.log.Error(
 				"failed to create delivery",
 				"target_id", targets[i].ID,
 				"error", err,
 			)
 			http.Error(
 				w, "Internal server error",
 				http.StatusInternalServerError,
 			)
 			return nil
 		}
 		tasks = append(tasks, delivery.Task{
 			DeliveryID:   dlv.ID,
 			EventID:      event.ID,
 			WebhookID:    entrypoint.WebhookID,
 			TargetID:     targets[i].ID,
 			TargetName:   targets[i].Name,
 			TargetType:   targets[i].Type,
 			TargetConfig: targets[i].Config,
 			MaxRetries:   targets[i].MaxRetries,
 			Method:       event.Method,
 			Headers:      event.Headers,
 			ContentType:  event.ContentType,
 			Body:         bodyPtr,
 			AttemptNum:   1,
 		})
 	}
 	return tasks
 }
--- a/internal/healthcheck/healthcheck.go
+++ b/internal/healthcheck/healthcheck.go
@@ -1,4 +1,3 @@
 // Package healthcheck provides application health status reporting.
 package healthcheck
 import (
@@ -13,51 +12,55 @@ import (
 	"sneak.berlin/go/webhooker/internal/logger"
 )
-//nolint:revive // HealthcheckParams is a standard fx naming convention.
+// nolint:revive // HealthcheckParams is a standard fx naming convention
 type HealthcheckParams struct {
 	fx.In
 	Globals  *globals.Globals
 	Config   *config.Config
 	Logger   *logger.Logger
 	Database *database.Database
 }
 // Healthcheck tracks application uptime and reports health status.
 type Healthcheck struct {
 	StartupTime time.Time
 	log         *slog.Logger
 	params      *HealthcheckParams
 }
-// New creates a Healthcheck that records the startup time on fx
+func New(lc fx.Lifecycle, params HealthcheckParams) (*Healthcheck, error) {
 // start.
 func New(
 	lc fx.Lifecycle,
 	params HealthcheckParams,
 ) (*Healthcheck, error) {
 	s := new(Healthcheck)
 	s.params = &params
 	s.log = params.Logger.Get()
 	lc.Append(fx.Hook{
-		OnStart: func(_ context.Context) error {
+		OnStart: func(_ context.Context) error { // nolint:revive // ctx unused but required by fx
 			s.StartupTime = time.Now()
 			return nil
 		},
-		OnStop: func(_ context.Context) error {
+		OnStop: func(ctx context.Context) error {
 			return nil
 		},
 	})
 	return s, nil
 }
-// Healthcheck returns the current health status of the
+// nolint:revive // HealthcheckResponse is a clear, descriptive name
-// application.
+type HealthcheckResponse struct {
-func (s *Healthcheck) Healthcheck() *Response {
+	Status        string `json:"status"`
-	resp := &Response{
+	Now           string `json:"now"`
 	UptimeSeconds int64  `json:"uptime_seconds"`
 	UptimeHuman   string `json:"uptime_human"`
 	Version       string `json:"version"`
 	Appname       string `json:"appname"`
 	Maintenance   bool   `json:"maintenance_mode"`
 }
 func (s *Healthcheck) uptime() time.Duration {
 	return time.Since(s.StartupTime)
 }
 func (s *Healthcheck) Healthcheck() *HealthcheckResponse {
 	resp := &HealthcheckResponse{
 		Status:        "ok",
 		Now:           time.Now().UTC().Format(time.RFC3339Nano),
 		UptimeSeconds: int64(s.uptime().Seconds()),
@@ -66,21 +69,5 @@ func (s *Healthcheck) Healthcheck() *Response {
 		Version:       s.params.Globals.Version,
 		Maintenance:   s.params.Config.MaintenanceMode,
 	}
 	return resp
 }
 // Response contains the JSON-serialised health status.
 type Response struct {
 	Status        string `json:"status"`
 	Now           string `json:"now"`
 	UptimeSeconds int64  `json:"uptimeSeconds"`
 	UptimeHuman   string `json:"uptimeHuman"`
 	Version       string `json:"version"`
 	Appname       string `json:"appname"`
 	Maintenance   bool   `json:"maintenanceMode"`
 }
 func (s *Healthcheck) uptime() time.Duration {
 	return time.Since(s.StartupTime)
 }
--- a/internal/logger/logger.go
+++ b/internal/logger/logger.go
@@ -1,5 +1,3 @@
 // Package logger provides structured logging with dynamic level
 // control.
 package logger
 import (
@@ -12,25 +10,19 @@ import (
 	"sneak.berlin/go/webhooker/internal/globals"
 )
-//nolint:revive // LoggerParams is a standard fx naming convention.
+// nolint:revive // LoggerParams is a standard fx naming convention
 type LoggerParams struct {
 	fx.In
 	Globals *globals.Globals
 }
 // Logger wraps slog with dynamic level control and structured
 // output.
 type Logger struct {
 	logger   *slog.Logger
 	levelVar *slog.LevelVar
 	params   LoggerParams
 }
-// New creates a Logger that outputs text (TTY) or JSON (non-TTY)
+// nolint:revive // lc parameter is required by fx even if unused
 // to stdout.
 //
 //nolint:revive // lc parameter is required by fx even if unused.
 func New(lc fx.Lifecycle, params LoggerParams) (*Logger, error) {
 	l := new(Logger)
 	l.params = params
@@ -45,22 +37,17 @@ func New(lc fx.Lifecycle, params LoggerParams) (*Logger, error) {
 		tty = true
 	}
-	//nolint:revive // groups param unused but required by slog ReplaceAttr signature.
+	replaceAttr := func(_ []string, a slog.Attr) slog.Attr { // nolint:revive // groups unused
 	replaceAttr := func(_ []string, a slog.Attr) slog.Attr {
 		// Always use UTC for timestamps
 		if a.Key == slog.TimeKey {
 			if t, ok := a.Value.Any().(time.Time); ok {
 				return slog.Time(slog.TimeKey, t.UTC())
 			}
 			return a
 		}
 		return a
 	}
 	var handler slog.Handler
 	opts := &slog.HandlerOptions{
 		Level:       l.levelVar,
 		ReplaceAttr: replaceAttr,
@@ -82,27 +69,24 @@ func New(lc fx.Lifecycle, params LoggerParams) (*Logger, error) {
 	return l, nil
 }
 // EnableDebugLogging switches the log level to debug.
 func (l *Logger) EnableDebugLogging() {
 	l.levelVar.Set(slog.LevelDebug)
 	l.logger.Debug("debug logging enabled", "debug", true)
 }
 // Get returns the underlying slog.Logger.
 func (l *Logger) Get() *slog.Logger {
 	return l.logger
 }
 // Identify logs the application name and version at startup.
 func (l *Logger) Identify() {
 	l.logger.Info("starting",
 		"appname", l.params.Globals.Appname,
 		"version", l.params.Globals.Version,
 		"buildarch", l.params.Globals.Buildarch,
 	)
 }
-// Writer returns an io.Writer suitable for standard library
+// Helper methods to maintain compatibility with existing code
 // loggers.
 func (l *Logger) Writer() io.Writer {
 	return os.Stdout
 }
--- a/internal/logger/logger_test.go
+++ b/internal/logger/logger_test.go
@@ -1,59 +1,65 @@
-package logger_test
+package logger
 import (
 	"testing"
 	"go.uber.org/fx/fxtest"
 	"sneak.berlin/go/webhooker/internal/globals"
 	"sneak.berlin/go/webhooker/internal/logger"
 )
 func testGlobals() *globals.Globals {
 	return &globals.Globals{
 		Appname: "test-app",
 		Version: "1.0.0",
 	}
 }
 func TestNew(t *testing.T) {
-	t.Parallel()
+	// Set up globals
 	globals.Appname = "test-app"
 	globals.Version = "1.0.0"
 	globals.Buildarch = "test-arch"
 	lc := fxtest.NewLifecycle(t)
-
+	g, err := globals.New(lc)
-	params := logger.LoggerParams{
+	if err != nil {
-		Globals: testGlobals(),
+		t.Fatalf("globals.New() error = %v", err)
 	}
-	l, err := logger.New(lc, params)
+	params := LoggerParams{
 		Globals: g,
 	}
 	logger, err := New(lc, params)
 	if err != nil {
 		t.Fatalf("New() error = %v", err)
 	}
-	if l.Get() == nil {
+	if logger.Get() == nil {
 		t.Error("Get() returned nil logger")
 	}
 	// Test that we can log without panic
-	l.Get().Info("test message", "key", "value")
+	logger.Get().Info("test message", "key", "value")
 }
 func TestEnableDebugLogging(t *testing.T) {
-	t.Parallel()
+	// Set up globals
 	globals.Appname = "test-app"
 	globals.Version = "1.0.0"
 	globals.Buildarch = "test-arch"
 	lc := fxtest.NewLifecycle(t)
-
+	g, err := globals.New(lc)
-	params := logger.LoggerParams{
+	if err != nil {
-		Globals: testGlobals(),
+		t.Fatalf("globals.New() error = %v", err)
 	}
-	l, err := logger.New(lc, params)
+	params := LoggerParams{
 		Globals: g,
 	}
 	logger, err := New(lc, params)
 	if err != nil {
 		t.Fatalf("New() error = %v", err)
 	}
 	// Enable debug logging should not panic
-	l.EnableDebugLogging()
+	logger.EnableDebugLogging()
 	// Test debug logging
-	l.Get().Debug("debug message", "test", true)
+	logger.Get().Debug("debug message", "test", true)
 }
--- a/internal/middleware/csrf.go
+++ b/internal/middleware/csrf.go
@@ -1,84 +0,0 @@
 package middleware
 import (
 	"net/http"
 	"github.com/gorilla/csrf"
 )
 // CSRFToken retrieves the CSRF token from the request context.
 // Returns an empty string if the gorilla/csrf middleware has not run.
 func CSRFToken(r *http.Request) string {
 	return csrf.Token(r)
 }
 // isClientTLS reports whether the client-facing connection uses TLS.
 // It checks for a direct TLS connection (r.TLS) or a TLS-terminating
 // reverse proxy that sets the standard X-Forwarded-Proto header.
 func isClientTLS(r *http.Request) bool {
 	return r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https"
 }
 // CSRF returns middleware that provides CSRF protection using the
 // gorilla/csrf library. The middleware uses the session authentication
 // key to sign a CSRF cookie and validates a masked token submitted via
 // the "csrf_token" form field (or the "X-CSRF-Token" header) on
 // POST/PUT/PATCH/DELETE requests. Requests with an invalid or missing
 // token receive a 403 Forbidden response.
 //
 // The middleware detects the client-facing transport protocol per-request
 // using r.TLS and the X-Forwarded-Proto header. This allows correct
 // behavior in all deployment scenarios:
 //
 //   - Direct HTTPS: strict Referer/Origin checks, Secure cookies.
 //   - Behind a TLS-terminating reverse proxy: strict checks (the
 //     browser is on HTTPS, so Origin/Referer headers use https://),
 //     Secure cookies (the browser sees HTTPS from the proxy).
 //   - Direct HTTP: relaxed Referer/Origin checks via PlaintextHTTPRequest,
 //     non-Secure cookies so the browser sends them over HTTP.
 //
 // Two gorilla/csrf instances are maintained — one with Secure cookies
 // (for TLS) and one without (for plaintext HTTP) — because the
 // csrf.Secure option is set at creation time, not per-request.
 func (m *Middleware) CSRF() func(http.Handler) http.Handler {
 	csrfErrorHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		m.log.Warn("csrf: token validation failed",
 			"method", r.Method,
 			"path", r.URL.Path,
 			"remote_addr", r.RemoteAddr,
 			"reason", csrf.FailureReason(r),
 		)
 		http.Error(w, "Forbidden - invalid CSRF token", http.StatusForbidden)
 	})
 	key := m.session.GetKey()
 	baseOpts := []csrf.Option{
 		csrf.FieldName("csrf_token"),
 		csrf.SameSite(csrf.SameSiteLaxMode),
 		csrf.Path("/"),
 		csrf.ErrorHandler(csrfErrorHandler),
 	}
 	// Two middleware instances with different Secure flags but the
 	// same signing key, so cookies are interchangeable between them.
 	tlsProtect := csrf.Protect(key, append(baseOpts, csrf.Secure(true))...)
 	httpProtect := csrf.Protect(key, append(baseOpts, csrf.Secure(false))...)
 	return func(next http.Handler) http.Handler {
 		tlsCSRF := tlsProtect(next)
 		httpCSRF := httpProtect(next)
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if isClientTLS(r) {
 				// Client is on TLS (directly or via reverse proxy).
 				// Use Secure cookies and strict Origin/Referer checks.
 				tlsCSRF.ServeHTTP(w, r)
 			} else {
 				// Plaintext HTTP: use non-Secure cookies and tell
 				// gorilla/csrf to use "http" for scheme comparisons,
 				// skipping the strict Referer check that assumes TLS.
 				httpCSRF.ServeHTTP(w, csrf.PlaintextHTTPRequest(r))
 			}
 		})
 	}
 }
--- a/internal/middleware/csrf_test.go
+++ b/internal/middleware/csrf_test.go
@@ -1,494 +0,0 @@
 package middleware_test
 import (
 	"context"
 	"crypto/tls"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"strings"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"sneak.berlin/go/webhooker/internal/config"
 	"sneak.berlin/go/webhooker/internal/middleware"
 )
 // csrfCookieName is the gorilla/csrf cookie name.
 const csrfCookieName = "_gorilla_csrf"
 // csrfGetToken performs a GET request through the CSRF middleware
 // and returns the token and cookies.
 func csrfGetToken(
 	t *testing.T,
 	csrfMW func(http.Handler) http.Handler,
 	getReq *http.Request,
 ) (string, []*http.Cookie) {
 	t.Helper()
 	var token string
 	getHandler := csrfMW(http.HandlerFunc(
 		func(_ http.ResponseWriter, r *http.Request) {
 			token = middleware.CSRFToken(r)
 		},
 	))
 	getW := httptest.NewRecorder()
 	getHandler.ServeHTTP(getW, getReq)
 	cookies := getW.Result().Cookies()
 	require.NotEmpty(t, cookies, "CSRF cookie should be set")
 	require.NotEmpty(t, token, "CSRF token should be set")
 	return token, cookies
 }
 // csrfPostWithToken performs a POST request with the given CSRF
 // token and cookies through the middleware. Returns whether the
 // handler was called and the response code.
 func csrfPostWithToken(
 	t *testing.T,
 	csrfMW func(http.Handler) http.Handler,
 	postReq *http.Request,
 	token string,
 	cookies []*http.Cookie,
 ) (bool, int) {
 	t.Helper()
 	var called bool
 	postHandler := csrfMW(http.HandlerFunc(
 		func(_ http.ResponseWriter, _ *http.Request) {
 			called = true
 		},
 	))
 	form := url.Values{"csrf_token": {token}}
 	postReq.Body = http.NoBody
 	postReq.Body = nil
 	// Rebuild the request with the form body
 	rebuilt := httptest.NewRequestWithContext(
 		context.Background(),
 		postReq.Method, postReq.URL.String(),
 		strings.NewReader(form.Encode()),
 	)
 	rebuilt.Header = postReq.Header.Clone()
 	rebuilt.TLS = postReq.TLS
 	rebuilt.Header.Set(
 		"Content-Type", "application/x-www-form-urlencoded",
 	)
 	for _, c := range cookies {
 		rebuilt.AddCookie(c)
 	}
 	postW := httptest.NewRecorder()
 	postHandler.ServeHTTP(postW, rebuilt)
 	return called, postW.Code
 }
 func TestCSRF_GETSetsToken(t *testing.T) {
 	t.Parallel()
 	m, _ := testMiddleware(t, config.EnvironmentDev)
 	var gotToken string
 	handler := m.CSRF()(http.HandlerFunc(
 		func(_ http.ResponseWriter, r *http.Request) {
 			gotToken = middleware.CSRFToken(r)
 		},
 	))
 	req := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/form", nil)
 	w := httptest.NewRecorder()
 	handler.ServeHTTP(w, req)
 	assert.NotEmpty(
 		t, gotToken,
 		"CSRF token should be set in context on GET",
 	)
 }
 func TestCSRF_POSTWithValidToken(t *testing.T) {
 	t.Parallel()
 	m, _ := testMiddleware(t, config.EnvironmentDev)
 	csrfMW := m.CSRF()
 	getReq := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodGet, "/form", nil,
 	)
 	token, cookies := csrfGetToken(t, csrfMW, getReq)
 	postReq := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodPost, "/form", nil,
 	)
 	called, _ := csrfPostWithToken(
 		t, csrfMW, postReq, token, cookies,
 	)
 	assert.True(
 		t, called,
 		"handler should be called with valid CSRF token",
 	)
 }
 // csrfPOSTWithoutTokenTest is a shared helper for testing POST
 // requests without a CSRF token in both dev and prod modes.
 func csrfPOSTWithoutTokenTest(
 	t *testing.T,
 	env string,
 	msg string,
 ) {
 	t.Helper()
 	m, _ := testMiddleware(t, env)
 	csrfMW := m.CSRF()
 	// GET to establish the CSRF cookie
 	getHandler := csrfMW(http.HandlerFunc(
 		func(_ http.ResponseWriter, _ *http.Request) {},
 	))
 	getReq := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/form", nil)
 	getW := httptest.NewRecorder()
 	getHandler.ServeHTTP(getW, getReq)
 	cookies := getW.Result().Cookies()
 	// POST without CSRF token
 	var called bool
 	postHandler := csrfMW(http.HandlerFunc(
 		func(_ http.ResponseWriter, _ *http.Request) {
 			called = true
 		},
 	))
 	postReq := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodPost, "/form", nil,
 	)
 	postReq.Header.Set(
 		"Content-Type", "application/x-www-form-urlencoded",
 	)
 	for _, c := range cookies {
 		postReq.AddCookie(c)
 	}
 	postW := httptest.NewRecorder()
 	postHandler.ServeHTTP(postW, postReq)
 	assert.False(t, called, msg)
 	assert.Equal(t, http.StatusForbidden, postW.Code)
 }
 func TestCSRF_POSTWithoutToken(t *testing.T) {
 	t.Parallel()
 	csrfPOSTWithoutTokenTest(
 		t,
 		config.EnvironmentDev,
 		"handler should NOT be called without CSRF token",
 	)
 }
 func TestCSRF_POSTWithInvalidToken(t *testing.T) {
 	t.Parallel()
 	m, _ := testMiddleware(t, config.EnvironmentDev)
 	csrfMW := m.CSRF()
 	// GET to establish the CSRF cookie
 	getHandler := csrfMW(http.HandlerFunc(
 		func(_ http.ResponseWriter, _ *http.Request) {},
 	))
 	getReq := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/form", nil)
 	getW := httptest.NewRecorder()
 	getHandler.ServeHTTP(getW, getReq)
 	cookies := getW.Result().Cookies()
 	// POST with wrong CSRF token
 	var called bool
 	postHandler := csrfMW(http.HandlerFunc(
 		func(_ http.ResponseWriter, _ *http.Request) {
 			called = true
 		},
 	))
 	form := url.Values{"csrf_token": {"invalid-token-value"}}
 	postReq := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodPost, "/form",
 		strings.NewReader(form.Encode()),
 	)
 	postReq.Header.Set(
 		"Content-Type", "application/x-www-form-urlencoded",
 	)
 	for _, c := range cookies {
 		postReq.AddCookie(c)
 	}
 	postW := httptest.NewRecorder()
 	postHandler.ServeHTTP(postW, postReq)
 	assert.False(
 		t, called,
 		"handler should NOT be called with invalid CSRF token",
 	)
 	assert.Equal(t, http.StatusForbidden, postW.Code)
 }
 func TestCSRF_GETDoesNotValidate(t *testing.T) {
 	t.Parallel()
 	m, _ := testMiddleware(t, config.EnvironmentDev)
 	var called bool
 	handler := m.CSRF()(http.HandlerFunc(
 		func(_ http.ResponseWriter, _ *http.Request) {
 			called = true
 		},
 	))
 	req := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/form", nil)
 	w := httptest.NewRecorder()
 	handler.ServeHTTP(w, req)
 	assert.True(
 		t, called,
 		"GET requests should pass through CSRF middleware",
 	)
 }
 func TestCSRFToken_NoMiddleware(t *testing.T) {
 	t.Parallel()
 	req := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 	assert.Empty(
 		t, middleware.CSRFToken(req),
 		"CSRFToken should return empty string when "+
 			"middleware has not run",
 	)
 }
 // --- TLS Detection Tests ---
 func TestIsClientTLS_DirectTLS(t *testing.T) {
 	t.Parallel()
 	r := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 	r.TLS = &tls.ConnectionState{}
 	assert.True(
 		t, middleware.IsClientTLS(r),
 		"should detect direct TLS connection",
 	)
 }
 func TestIsClientTLS_XForwardedProto(t *testing.T) {
 	t.Parallel()
 	r := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 	r.Header.Set("X-Forwarded-Proto", "https")
 	assert.True(
 		t, middleware.IsClientTLS(r),
 		"should detect TLS via X-Forwarded-Proto",
 	)
 }
 func TestIsClientTLS_PlaintextHTTP(t *testing.T) {
 	t.Parallel()
 	r := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 	assert.False(
 		t, middleware.IsClientTLS(r),
 		"should detect plaintext HTTP",
 	)
 }
 func TestIsClientTLS_XForwardedProtoHTTP(t *testing.T) {
 	t.Parallel()
 	r := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 	r.Header.Set("X-Forwarded-Proto", "http")
 	assert.False(
 		t, middleware.IsClientTLS(r),
 		"should detect plaintext when X-Forwarded-Proto is http",
 	)
 }
 // --- Production Mode: POST over plaintext HTTP ---
 func TestCSRF_ProdMode_PlaintextHTTP_POSTWithValidToken(
 	t *testing.T,
 ) {
 	t.Parallel()
 	m, _ := testMiddleware(t, config.EnvironmentProd)
 	csrfMW := m.CSRF()
 	getReq := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodGet, "/form", nil,
 	)
 	token, cookies := csrfGetToken(t, csrfMW, getReq)
 	// Verify cookie is NOT Secure (plaintext HTTP in prod)
 	for _, c := range cookies {
 		if c.Name == csrfCookieName {
 			assert.False(t, c.Secure,
 				"CSRF cookie should not be Secure "+
 					"over plaintext HTTP")
 		}
 	}
 	postReq := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodPost, "/form", nil,
 	)
 	called, code := csrfPostWithToken(
 		t, csrfMW, postReq, token, cookies,
 	)
 	assert.True(t, called,
 		"handler should be called -- prod mode over "+
 			"plaintext HTTP must work")
 	assert.NotEqual(t, http.StatusForbidden, code,
 		"should not return 403")
 }
 // --- Production Mode: POST with X-Forwarded-Proto ---
 func TestCSRF_ProdMode_BehindProxy_POSTWithValidToken(
 	t *testing.T,
 ) {
 	t.Parallel()
 	m, _ := testMiddleware(t, config.EnvironmentProd)
 	csrfMW := m.CSRF()
 	getReq := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodGet, "http://example.com/form", nil,
 	)
 	getReq.Header.Set("X-Forwarded-Proto", "https")
 	token, cookies := csrfGetToken(t, csrfMW, getReq)
 	// Verify cookie IS Secure (X-Forwarded-Proto: https)
 	for _, c := range cookies {
 		if c.Name == csrfCookieName {
 			assert.True(t, c.Secure,
 				"CSRF cookie should be Secure behind "+
 					"TLS proxy")
 		}
 	}
 	postReq := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodPost, "http://example.com/form", nil,
 	)
 	postReq.Header.Set("X-Forwarded-Proto", "https")
 	postReq.Header.Set("Origin", "https://example.com")
 	called, code := csrfPostWithToken(
 		t, csrfMW, postReq, token, cookies,
 	)
 	assert.True(t, called,
 		"handler should be called -- prod mode behind "+
 			"TLS proxy must work")
 	assert.NotEqual(t, http.StatusForbidden, code,
 		"should not return 403")
 }
 // --- Production Mode: direct TLS ---
 func TestCSRF_ProdMode_DirectTLS_POSTWithValidToken(
 	t *testing.T,
 ) {
 	t.Parallel()
 	m, _ := testMiddleware(t, config.EnvironmentProd)
 	csrfMW := m.CSRF()
 	getReq := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodGet, "https://example.com/form", nil,
 	)
 	getReq.TLS = &tls.ConnectionState{}
 	token, cookies := csrfGetToken(t, csrfMW, getReq)
 	// Verify cookie IS Secure (direct TLS)
 	for _, c := range cookies {
 		if c.Name == csrfCookieName {
 			assert.True(t, c.Secure,
 				"CSRF cookie should be Secure over "+
 					"direct TLS")
 		}
 	}
 	postReq := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodPost, "https://example.com/form", nil,
 	)
 	postReq.TLS = &tls.ConnectionState{}
 	postReq.Header.Set("Origin", "https://example.com")
 	called, code := csrfPostWithToken(
 		t, csrfMW, postReq, token, cookies,
 	)
 	assert.True(t, called,
 		"handler should be called -- direct TLS must work")
 	assert.NotEqual(t, http.StatusForbidden, code,
 		"should not return 403")
 }
 // --- Production Mode: POST without token still rejects ---
 func TestCSRF_ProdMode_PlaintextHTTP_POSTWithoutToken(
 	t *testing.T,
 ) {
 	t.Parallel()
 	csrfPOSTWithoutTokenTest(
 		t,
 		config.EnvironmentProd,
 		"handler should NOT be called without CSRF token "+
 			"even in prod+plaintext",
 	)
 }
--- a/internal/middleware/export_test.go
+++ b/internal/middleware/export_test.go
@@ -1,34 +0,0 @@
 package middleware
 import (
 	"net/http"
 )
 // NewLoggingResponseWriterForTest wraps newLoggingResponseWriter
 // for use in external test packages.
 func NewLoggingResponseWriterForTest(
 	w http.ResponseWriter,
 ) *loggingResponseWriter {
 	return newLoggingResponseWriter(w)
 }
 // LoggingResponseWriterStatusCode returns the status code
 // captured by the loggingResponseWriter.
 func LoggingResponseWriterStatusCode(
 	lrw *loggingResponseWriter,
 ) int {
 	return lrw.statusCode
 }
 // IPFromHostPort exposes ipFromHostPort for testing.
 func IPFromHostPort(hp string) string {
 	return ipFromHostPort(hp)
 }
 // IsClientTLS exposes isClientTLS for testing.
 func IsClientTLS(r *http.Request) bool {
 	return isClientTLS(r)
 }
 // LoginRateLimitConst exposes the loginRateLimit constant.
 const LoginRateLimitConst = loginRateLimit
--- a/internal/middleware/middleware.go
+++ b/internal/middleware/middleware.go
@@ -1,5 +1,3 @@
 // Package middleware provides HTTP middleware for logging, auth,
 // CORS, and metrics.
 package middleware
 import (
@@ -21,42 +19,26 @@ import (
 	"sneak.berlin/go/webhooker/internal/session"
 )
-const (
+// nolint:revive // MiddlewareParams is a standard fx naming convention
 	// corsMaxAge is the maximum time (in seconds) that a
 	// preflight response can be cached.
 	corsMaxAge = 300
 )
 //nolint:revive // MiddlewareParams is a standard fx naming convention.
 type MiddlewareParams struct {
 	fx.In
 	Logger  *logger.Logger
 	Globals *globals.Globals
 	Config  *config.Config
 	Session *session.Session
 }
 // Middleware provides HTTP middleware for logging, CORS, auth, and
 // metrics.
 type Middleware struct {
 	log     *slog.Logger
 	params  *MiddlewareParams
 	session *session.Session
 }
-// New creates a Middleware from the provided fx parameters.
+func New(lc fx.Lifecycle, params MiddlewareParams) (*Middleware, error) {
 //
 //nolint:revive // lc parameter is required by fx even if unused.
 func New(
 	lc fx.Lifecycle,
 	params MiddlewareParams,
 ) (*Middleware, error) {
 	s := new(Middleware)
 	s.params = &params
 	s.log = params.Logger.Get()
 	s.session = params.Session
 	return s, nil
 }
@@ -68,24 +50,19 @@ func ipFromHostPort(hp string) string {
 	if err != nil {
 		return ""
 	}
 	if len(h) > 0 && h[0] == '[' {
 		return h[1 : len(h)-1]
 	}
 	return h
 }
 type loggingResponseWriter struct {
 	http.ResponseWriter
 	statusCode int
 }
-// newLoggingResponseWriter wraps w and records status codes.
+// nolint:revive // unexported type is only used internally
-func newLoggingResponseWriter(
+func NewLoggingResponseWriter(w http.ResponseWriter) *loggingResponseWriter {
 	w http.ResponseWriter,
 ) *loggingResponseWriter {
 	return &loggingResponseWriter{w, http.StatusOK}
 }
@@ -94,30 +71,23 @@ func (lrw *loggingResponseWriter) WriteHeader(code int) {
 	lrw.ResponseWriter.WriteHeader(code)
 }
-// Logging returns middleware that logs each HTTP request with
+// type Middleware func(http.Handler) http.Handler
-// timing and metadata.
+// this returns a Middleware that is designed to do every request through the
 // mux, note the signature:
 func (s *Middleware) Logging() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(func(
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			w http.ResponseWriter,
 			r *http.Request,
 		) {
 			start := time.Now()
-			lrw := newLoggingResponseWriter(w)
+			lrw := NewLoggingResponseWriter(w)
 			ctx := r.Context()
 			defer func() {
 				latency := time.Since(start)
 				requestID := ""
-
+				if reqID := ctx.Value(middleware.RequestIDKey); reqID != nil {
 				if reqID := ctx.Value(
 					middleware.RequestIDKey,
 				); reqID != nil {
 					if id, ok := reqID.(string); ok {
 						requestID = id
 					}
 				}
 				s.log.Info("http request",
 					"request_start", start,
 					"method", r.Method,
@@ -137,65 +107,39 @@ func (s *Middleware) Logging() func(http.Handler) http.Handler {
 	}
 }
 // CORS returns middleware that sets CORS headers (permissive in
 // dev, no-op in prod).
 func (s *Middleware) CORS() func(http.Handler) http.Handler {
 	if s.params.Config.IsDev() {
 		// In development, allow any origin for local testing.
 	return cors.Handler(cors.Options{
 		// CHANGEME! these are defaults, change them to suit your needs or
 		// read from environment/viper.
 		// AllowedOrigins: []string{"https://foo.com"}, // Use this to allow specific origin hosts
 		AllowedOrigins: []string{"*"},
-			AllowedMethods: []string{
+		// AllowOriginFunc:  func(r *http.Request, origin string) bool { return true },
-				"GET", "POST", "PUT", "DELETE", "OPTIONS",
+		AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
-			},
+		AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"},
 			AllowedHeaders: []string{
 				"Accept", "Authorization",
 				"Content-Type", "X-CSRF-Token",
 			},
 		ExposedHeaders:   []string{"Link"},
 		AllowCredentials: false,
-			MaxAge:           corsMaxAge,
+		MaxAge:           300, // Maximum value not ignored by any of major browsers
 	})
 }
 	// In production, the web UI is server-rendered so
 	// cross-origin requests are not expected. Return a no-op
 	// middleware.
 	return func(next http.Handler) http.Handler {
 		return next
 	}
 }
 // RequireAuth returns middleware that checks for a valid session.
 // Unauthenticated users are redirected to the login page.
 func (s *Middleware) RequireAuth() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(func(
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			w http.ResponseWriter,
 			r *http.Request,
 		) {
 			sess, err := s.session.Get(r)
 			if err != nil {
-				s.log.Debug(
+				s.log.Debug("auth middleware: failed to get session", "error", err)
-					"auth middleware: failed to get session",
+				http.Redirect(w, r, "/pages/login", http.StatusSeeOther)
 					"error", err,
 				)
 				http.Redirect(
 					w, r, "/pages/login", http.StatusSeeOther,
 				)
 				return
 			}
 			if !s.session.IsAuthenticated(sess) {
-				s.log.Debug(
+				s.log.Debug("auth middleware: unauthenticated request",
 					"auth middleware: unauthenticated request",
 					"path", r.URL.Path,
 					"method", r.Method,
 				)
-				http.Redirect(
+				http.Redirect(w, r, "/pages/login", http.StatusSeeOther)
 					w, r, "/pages/login", http.StatusSeeOther,
 				)
 				return
 			}
@@ -204,19 +148,15 @@ func (s *Middleware) RequireAuth() func(http.Handler) http.Handler {
 	}
 }
 // Metrics returns middleware that records Prometheus HTTP metrics.
 func (s *Middleware) Metrics() func(http.Handler) http.Handler {
 	mdlw := ghmm.New(ghmm.Config{
 		Recorder: metrics.NewRecorder(metrics.Config{}),
 	})
 	return func(next http.Handler) http.Handler {
 		return std.Handler("", mdlw, next)
 	}
 }
 // MetricsAuth returns middleware that protects metrics endpoints
 // with basic auth.
 func (s *Middleware) MetricsAuth() func(http.Handler) http.Handler {
 	return basicauth.New(
 		"metrics",
@@ -227,65 +167,3 @@ func (s *Middleware) MetricsAuth() func(http.Handler) http.Handler {
 		},
 	)
 }
 // SecurityHeaders returns middleware that sets production security
 // headers on every response: HSTS, X-Content-Type-Options,
 // X-Frame-Options, CSP, Referrer-Policy, and Permissions-Policy.
 func (s *Middleware) SecurityHeaders() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(
 			w http.ResponseWriter,
 			r *http.Request,
 		) {
 			w.Header().Set(
 				"Strict-Transport-Security",
 				"max-age=63072000; includeSubDomains; preload",
 			)
 			w.Header().Set(
 				"X-Content-Type-Options", "nosniff",
 			)
 			w.Header().Set("X-Frame-Options", "DENY")
 			w.Header().Set(
 				"Content-Security-Policy",
 				"default-src 'self'; "+
 					"script-src 'self' 'unsafe-inline'; "+
 					"style-src 'self' 'unsafe-inline'",
 			)
 			w.Header().Set(
 				"Referrer-Policy",
 				"strict-origin-when-cross-origin",
 			)
 			w.Header().Set(
 				"Permissions-Policy",
 				"camera=(), microphone=(), geolocation=()",
 			)
 			next.ServeHTTP(w, r)
 		})
 	}
 }
 // MaxBodySize returns middleware that limits the request body size
 // for POST requests. If the body exceeds the given limit in
 // bytes, the server returns 413 Request Entity Too Large. This
 // prevents clients from sending arbitrarily large form bodies.
 func (s *Middleware) MaxBodySize(
 	maxBytes int64,
 ) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(
 			w http.ResponseWriter,
 			r *http.Request,
 		) {
 			if r.Method == http.MethodPost ||
 				r.Method == http.MethodPut ||
 				r.Method == http.MethodPatch {
 				r.Body = http.MaxBytesReader(
 					w, r.Body, maxBytes,
 				)
 			}
 			next.ServeHTTP(w, r)
 		})
 	}
 }
--- a/internal/middleware/middleware_test.go
+++ b/internal/middleware/middleware_test.go
@@ -1,588 +0,0 @@
 package middleware_test
 import (
 	"context"
 	"encoding/base64"
 	"log/slog"
 	"net/http"
 	"net/http/httptest"
 	"os"
 	"testing"
 	"github.com/gorilla/sessions"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"sneak.berlin/go/webhooker/internal/config"
 	"sneak.berlin/go/webhooker/internal/middleware"
 	"sneak.berlin/go/webhooker/internal/session"
 )
 const testKeySize = 32
 // testMiddleware creates a Middleware with minimal dependencies
 // for testing. It uses a real session.Session backed by an
 // in-memory cookie store.
 func testMiddleware(
 	t *testing.T,
 	env string,
 ) (*middleware.Middleware, *session.Session) {
 	t.Helper()
 	log := slog.New(slog.NewTextHandler(
 		os.Stderr,
 		&slog.HandlerOptions{Level: slog.LevelDebug},
 	))
 	cfg := &config.Config{
 		Environment: env,
 	}
 	// Create a real session manager with a known key
 	key := make([]byte, testKeySize)
 	for i := range key {
 		key[i] = byte(i)
 	}
 	store := sessions.NewCookieStore(key)
 	store.Options = &sessions.Options{
 		Path:     "/",
 		MaxAge:   86400 * 7,
 		HttpOnly: true,
 		Secure:   false,
 		SameSite: http.SameSiteLaxMode,
 	}
 	sessManager := session.NewForTest(store, cfg, log, key)
 	m := middleware.NewForTest(log, cfg, sessManager)
 	return m, sessManager
 }
 // --- Logging Middleware Tests ---
 func TestLogging_SetsStatusCode(t *testing.T) {
 	t.Parallel()
 	m, _ := testMiddleware(t, config.EnvironmentDev)
 	handler := m.Logging()(http.HandlerFunc(
 		func(w http.ResponseWriter, _ *http.Request) {
 			w.WriteHeader(http.StatusCreated)
 			_, err := w.Write([]byte("created"))
 			if err != nil {
 				return
 			}
 		},
 	))
 	req := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/test", nil)
 	w := httptest.NewRecorder()
 	handler.ServeHTTP(w, req)
 	assert.Equal(t, http.StatusCreated, w.Code)
 	assert.Equal(t, "created", w.Body.String())
 }
 func TestLogging_DefaultStatusOK(t *testing.T) {
 	t.Parallel()
 	m, _ := testMiddleware(t, config.EnvironmentDev)
 	handler := m.Logging()(http.HandlerFunc(
 		func(w http.ResponseWriter, _ *http.Request) {
 			_, err := w.Write([]byte("ok"))
 			if err != nil {
 				return
 			}
 		},
 	))
 	req := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 	w := httptest.NewRecorder()
 	handler.ServeHTTP(w, req)
 	// When no explicit WriteHeader is called, default is 200
 	assert.Equal(t, http.StatusOK, w.Code)
 }
 func TestLogging_PassesThroughToNext(t *testing.T) {
 	t.Parallel()
 	m, _ := testMiddleware(t, config.EnvironmentDev)
 	var called bool
 	handler := m.Logging()(http.HandlerFunc(
 		func(w http.ResponseWriter, _ *http.Request) {
 			called = true
 			w.WriteHeader(http.StatusOK)
 		},
 	))
 	req := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodPost, "/api/webhook", nil,
 	)
 	w := httptest.NewRecorder()
 	handler.ServeHTTP(w, req)
 	assert.True(
 		t, called,
 		"logging middleware should call the next handler",
 	)
 }
 // --- LoggingResponseWriter Tests ---
 func TestLoggingResponseWriter_CapturesStatusCode(t *testing.T) {
 	t.Parallel()
 	w := httptest.NewRecorder()
 	lrw := middleware.NewLoggingResponseWriterForTest(w)
 	// Default should be 200
 	assert.Equal(
 		t, http.StatusOK,
 		middleware.LoggingResponseWriterStatusCode(lrw),
 	)
 	// WriteHeader should capture the status code
 	lrw.WriteHeader(http.StatusNotFound)
 	assert.Equal(
 		t, http.StatusNotFound,
 		middleware.LoggingResponseWriterStatusCode(lrw),
 	)
 	// Underlying writer should also get the status code
 	assert.Equal(t, http.StatusNotFound, w.Code)
 }
 func TestLoggingResponseWriter_WriteDelegatesToUnderlying(
 	t *testing.T,
 ) {
 	t.Parallel()
 	w := httptest.NewRecorder()
 	lrw := middleware.NewLoggingResponseWriterForTest(w)
 	n, err := lrw.Write([]byte("hello world"))
 	require.NoError(t, err)
 	assert.Equal(t, 11, n)
 	assert.Equal(t, "hello world", w.Body.String())
 }
 // --- CORS Middleware Tests ---
 func TestCORS_DevMode_AllowsAnyOrigin(t *testing.T) {
 	t.Parallel()
 	m, _ := testMiddleware(t, config.EnvironmentDev)
 	handler := m.CORS()(http.HandlerFunc(
 		func(w http.ResponseWriter, _ *http.Request) {
 			w.WriteHeader(http.StatusOK)
 		},
 	))
 	// Preflight request
 	req := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodOptions, "/api/test", nil,
 	)
 	req.Header.Set("Origin", "http://localhost:3000")
 	req.Header.Set("Access-Control-Request-Method", "POST")
 	w := httptest.NewRecorder()
 	handler.ServeHTTP(w, req)
 	// In dev mode, CORS should allow any origin
 	assert.Equal(
 		t, "*",
 		w.Header().Get("Access-Control-Allow-Origin"),
 	)
 }
 func TestCORS_ProdMode_NoOp(t *testing.T) {
 	t.Parallel()
 	m, _ := testMiddleware(t, config.EnvironmentProd)
 	var called bool
 	handler := m.CORS()(http.HandlerFunc(
 		func(w http.ResponseWriter, _ *http.Request) {
 			called = true
 			w.WriteHeader(http.StatusOK)
 		},
 	))
 	req := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodGet, "/api/test", nil,
 	)
 	req.Header.Set("Origin", "http://evil.com")
 	w := httptest.NewRecorder()
 	handler.ServeHTTP(w, req)
 	assert.True(
 		t, called,
 		"prod CORS middleware should pass through to handler",
 	)
 	// In prod, no CORS headers should be set (no-op middleware)
 	assert.Empty(
 		t,
 		w.Header().Get("Access-Control-Allow-Origin"),
 		"prod mode should not set CORS headers",
 	)
 }
 // --- RequireAuth Middleware Tests ---
 func TestRequireAuth_NoSession_RedirectsToLogin(t *testing.T) {
 	t.Parallel()
 	m, _ := testMiddleware(t, config.EnvironmentDev)
 	var called bool
 	handler := m.RequireAuth()(http.HandlerFunc(
 		func(_ http.ResponseWriter, _ *http.Request) {
 			called = true
 		},
 	))
 	req := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodGet, "/dashboard", nil,
 	)
 	w := httptest.NewRecorder()
 	handler.ServeHTTP(w, req)
 	assert.False(
 		t, called,
 		"handler should not be called for "+
 			"unauthenticated request",
 	)
 	assert.Equal(t, http.StatusSeeOther, w.Code)
 	assert.Equal(t, "/pages/login", w.Header().Get("Location"))
 }
 func TestRequireAuth_AuthenticatedSession_PassesThrough(
 	t *testing.T,
 ) {
 	t.Parallel()
 	m, sessManager := testMiddleware(t, config.EnvironmentDev)
 	var called bool
 	handler := m.RequireAuth()(http.HandlerFunc(
 		func(_ http.ResponseWriter, _ *http.Request) {
 			called = true
 		},
 	))
 	// Create an authenticated session by making a request,
 	// setting session data, and saving the session cookie
 	setupReq := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodGet, "/setup", nil,
 	)
 	setupW := httptest.NewRecorder()
 	sess, err := sessManager.Get(setupReq)
 	require.NoError(t, err)
 	sessManager.SetUser(sess, "user-123", "testuser")
 	require.NoError(t, sessManager.Save(setupReq, setupW, sess))
 	// Extract the cookie from the setup response
 	cookies := setupW.Result().Cookies()
 	require.NotEmpty(t, cookies, "session cookie should be set")
 	// Make the actual request with the session cookie
 	req := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodGet, "/dashboard", nil,
 	)
 	for _, c := range cookies {
 		req.AddCookie(c)
 	}
 	w := httptest.NewRecorder()
 	handler.ServeHTTP(w, req)
 	assert.True(
 		t, called,
 		"handler should be called for authenticated request",
 	)
 }
 func TestRequireAuth_UnauthenticatedSession_RedirectsToLogin(
 	t *testing.T,
 ) {
 	t.Parallel()
 	m, sessManager := testMiddleware(t, config.EnvironmentDev)
 	var called bool
 	handler := m.RequireAuth()(http.HandlerFunc(
 		func(_ http.ResponseWriter, _ *http.Request) {
 			called = true
 		},
 	))
 	// Create a session but don't authenticate it
 	setupReq := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodGet, "/setup", nil,
 	)
 	setupW := httptest.NewRecorder()
 	sess, err := sessManager.Get(setupReq)
 	require.NoError(t, err)
 	// Don't call SetUser -- session exists but is not
 	// authenticated
 	require.NoError(t, sessManager.Save(setupReq, setupW, sess))
 	cookies := setupW.Result().Cookies()
 	require.NotEmpty(t, cookies)
 	req := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodGet, "/dashboard", nil,
 	)
 	for _, c := range cookies {
 		req.AddCookie(c)
 	}
 	w := httptest.NewRecorder()
 	handler.ServeHTTP(w, req)
 	assert.False(
 		t, called,
 		"handler should not be called for "+
 			"unauthenticated session",
 	)
 	assert.Equal(t, http.StatusSeeOther, w.Code)
 	assert.Equal(t, "/pages/login", w.Header().Get("Location"))
 }
 // --- Helper Tests ---
 func TestIpFromHostPort(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
 		name     string
 		input    string
 		expected string
 	}{
 		{"ipv4 with port", "192.168.1.1:8080", "192.168.1.1"},
 		{"ipv6 with port", "[::1]:8080", "::1"},
 		{"invalid format", "not-a-host-port", ""},
 		{"empty string", "", ""},
 		{"localhost", "127.0.0.1:80", "127.0.0.1"},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 			result := middleware.IPFromHostPort(tt.input)
 			assert.Equal(t, tt.expected, result)
 		})
 	}
 }
 // --- MetricsAuth Tests ---
 // metricsAuthMiddleware creates a Middleware configured for
 // metrics auth testing. This helper de-duplicates the setup in
 // metrics auth test functions.
 func metricsAuthMiddleware(
 	t *testing.T,
 ) *middleware.Middleware {
 	t.Helper()
 	log := slog.New(slog.NewTextHandler(
 		os.Stderr,
 		&slog.HandlerOptions{Level: slog.LevelDebug},
 	))
 	cfg := &config.Config{
 		Environment:     config.EnvironmentDev,
 		MetricsUsername: "admin",
 		MetricsPassword: "secret",
 	}
 	key := make([]byte, testKeySize)
 	store := sessions.NewCookieStore(key)
 	store.Options = &sessions.Options{Path: "/", MaxAge: 86400}
 	sessManager := session.NewForTest(store, cfg, log, key)
 	return middleware.NewForTest(log, cfg, sessManager)
 }
 func TestMetricsAuth_ValidCredentials(t *testing.T) {
 	t.Parallel()
 	m := metricsAuthMiddleware(t)
 	var called bool
 	handler := m.MetricsAuth()(http.HandlerFunc(
 		func(w http.ResponseWriter, _ *http.Request) {
 			called = true
 			w.WriteHeader(http.StatusOK)
 		},
 	))
 	req := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodGet, "/metrics", nil,
 	)
 	req.SetBasicAuth("admin", "secret")
 	w := httptest.NewRecorder()
 	handler.ServeHTTP(w, req)
 	assert.True(
 		t, called,
 		"handler should be called with valid basic auth",
 	)
 	assert.Equal(t, http.StatusOK, w.Code)
 }
 func TestMetricsAuth_InvalidCredentials(t *testing.T) {
 	t.Parallel()
 	m := metricsAuthMiddleware(t)
 	var called bool
 	handler := m.MetricsAuth()(http.HandlerFunc(
 		func(w http.ResponseWriter, _ *http.Request) {
 			called = true
 			w.WriteHeader(http.StatusOK)
 		},
 	))
 	req := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodGet, "/metrics", nil,
 	)
 	req.SetBasicAuth("admin", "wrong-password")
 	w := httptest.NewRecorder()
 	handler.ServeHTTP(w, req)
 	assert.False(
 		t, called,
 		"handler should not be called with invalid basic auth",
 	)
 	assert.Equal(t, http.StatusUnauthorized, w.Code)
 }
 func TestMetricsAuth_NoCredentials(t *testing.T) {
 	t.Parallel()
 	m := metricsAuthMiddleware(t)
 	var called bool
 	handler := m.MetricsAuth()(http.HandlerFunc(
 		func(_ http.ResponseWriter, _ *http.Request) {
 			called = true
 		},
 	))
 	req := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodGet, "/metrics", nil,
 	)
 	// No basic auth header
 	w := httptest.NewRecorder()
 	handler.ServeHTTP(w, req)
 	assert.False(
 		t, called,
 		"handler should not be called without credentials",
 	)
 	assert.Equal(t, http.StatusUnauthorized, w.Code)
 }
 // --- CORS Dev Mode Detailed Tests ---
 func TestCORS_DevMode_AllowsMethods(t *testing.T) {
 	t.Parallel()
 	m, _ := testMiddleware(t, config.EnvironmentDev)
 	handler := m.CORS()(http.HandlerFunc(
 		func(w http.ResponseWriter, _ *http.Request) {
 			w.WriteHeader(http.StatusOK)
 		},
 	))
 	// Preflight for POST
 	req := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodOptions, "/api/webhooks", nil,
 	)
 	req.Header.Set("Origin", "http://localhost:5173")
 	req.Header.Set("Access-Control-Request-Method", "POST")
 	w := httptest.NewRecorder()
 	handler.ServeHTTP(w, req)
 	allowMethods := w.Header().Get("Access-Control-Allow-Methods")
 	assert.Contains(t, allowMethods, "POST")
 }
 // --- Base64 key validation for completeness ---
 func TestSessionKeyFormat(t *testing.T) {
 	t.Parallel()
 	// Verify that the session initialization correctly validates
 	// key format. A proper 32-byte key encoded as base64 should
 	// work.
 	key := make([]byte, testKeySize)
 	for i := range key {
 		key[i] = byte(i + 1)
 	}
 	encoded := base64.StdEncoding.EncodeToString(key)
 	decoded, err := base64.StdEncoding.DecodeString(encoded)
 	require.NoError(t, err)
 	assert.Len(t, decoded, testKeySize)
 }
--- a/internal/middleware/ratelimit.go
+++ b/internal/middleware/ratelimit.go
@@ -1,64 +0,0 @@
 package middleware
 import (
 	"net/http"
 	"time"
 	"github.com/go-chi/httprate"
 )
 const (
 	// loginRateLimit is the maximum number of login attempts
 	// per interval.
 	loginRateLimit = 5
 	// loginRateInterval is the time window for the rate limit.
 	loginRateInterval = 1 * time.Minute
 )
 // LoginRateLimit returns middleware that enforces per-IP rate
 // limiting on login attempts using go-chi/httprate. Only POST
 // requests are rate-limited; GET requests (rendering the login
 // form) pass through unaffected. When the rate limit is exceeded,
 // a 429 Too Many Requests response is returned. IP extraction
 // honours X-Forwarded-For, X-Real-IP, and True-Client-IP headers
 // for reverse-proxy setups.
 func (m *Middleware) LoginRateLimit() func(http.Handler) http.Handler {
 	limiter := httprate.Limit(
 		loginRateLimit,
 		loginRateInterval,
 		httprate.WithKeyFuncs(httprate.KeyByRealIP),
 		httprate.WithLimitHandler(http.HandlerFunc(
 			func(w http.ResponseWriter, r *http.Request) {
 				m.log.Warn("login rate limit exceeded",
 					"path", r.URL.Path,
 				)
 				http.Error(
 					w,
 					"Too many login attempts. "+
 						"Please try again later.",
 					http.StatusTooManyRequests,
 				)
 			},
 		)),
 	)
 	return func(next http.Handler) http.Handler {
 		limited := limiter(next)
 		return http.HandlerFunc(func(
 			w http.ResponseWriter,
 			r *http.Request,
 		) {
 			// Only rate-limit POST requests (actual login
 			// attempts)
 			if r.Method != http.MethodPost {
 				next.ServeHTTP(w, r)
 				return
 			}
 			limited.ServeHTTP(w, r)
 		})
 	}
 }
--- a/internal/middleware/ratelimit_test.go
+++ b/internal/middleware/ratelimit_test.go
@@ -1,147 +0,0 @@
 package middleware_test
 import (
 	"context"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"sneak.berlin/go/webhooker/internal/config"
 	"sneak.berlin/go/webhooker/internal/middleware"
 )
 func TestLoginRateLimit_AllowsGET(t *testing.T) {
 	t.Parallel()
 	m, _ := testMiddleware(t, config.EnvironmentDev)
 	var callCount int
 	handler := m.LoginRateLimit()(http.HandlerFunc(
 		func(w http.ResponseWriter, _ *http.Request) {
 			callCount++
 			w.WriteHeader(http.StatusOK)
 		},
 	))
 	// GET requests should never be rate-limited
 	for i := range 20 {
 		req := httptest.NewRequestWithContext(
 			context.Background(),
 			http.MethodGet, "/pages/login", nil,
 		)
 		req.RemoteAddr = "192.168.1.1:12345"
 		w := httptest.NewRecorder()
 		handler.ServeHTTP(w, req)
 		assert.Equal(
 			t, http.StatusOK, w.Code,
 			"GET request %d should pass", i,
 		)
 	}
 	assert.Equal(t, 20, callCount)
 }
 func TestLoginRateLimit_LimitsPOST(t *testing.T) {
 	t.Parallel()
 	m, _ := testMiddleware(t, config.EnvironmentDev)
 	var callCount int
 	handler := m.LoginRateLimit()(http.HandlerFunc(
 		func(w http.ResponseWriter, _ *http.Request) {
 			callCount++
 			w.WriteHeader(http.StatusOK)
 		},
 	))
 	// First loginRateLimit POST requests should succeed
 	for i := range middleware.LoginRateLimitConst {
 		req := httptest.NewRequestWithContext(
 			context.Background(),
 			http.MethodPost, "/pages/login", nil,
 		)
 		req.RemoteAddr = "10.0.0.1:12345"
 		w := httptest.NewRecorder()
 		handler.ServeHTTP(w, req)
 		assert.Equal(
 			t, http.StatusOK, w.Code,
 			"POST request %d should pass", i,
 		)
 	}
 	// Next POST should be rate-limited
 	req := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodPost, "/pages/login", nil,
 	)
 	req.RemoteAddr = "10.0.0.1:12345"
 	w := httptest.NewRecorder()
 	handler.ServeHTTP(w, req)
 	assert.Equal(
 		t, http.StatusTooManyRequests, w.Code,
 		"POST after limit should be 429",
 	)
 	assert.Equal(t, middleware.LoginRateLimitConst, callCount)
 }
 func TestLoginRateLimit_IndependentPerIP(t *testing.T) {
 	t.Parallel()
 	m, _ := testMiddleware(t, config.EnvironmentDev)
 	handler := m.LoginRateLimit()(http.HandlerFunc(
 		func(w http.ResponseWriter, _ *http.Request) {
 			w.WriteHeader(http.StatusOK)
 		},
 	))
 	// Exhaust limit for IP1
 	for range middleware.LoginRateLimitConst {
 		req := httptest.NewRequestWithContext(
 			context.Background(),
 			http.MethodPost, "/pages/login", nil,
 		)
 		req.RemoteAddr = "1.2.3.4:12345"
 		w := httptest.NewRecorder()
 		handler.ServeHTTP(w, req)
 	}
 	// IP1 should be rate-limited
 	req := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodPost, "/pages/login", nil,
 	)
 	req.RemoteAddr = "1.2.3.4:12345"
 	w := httptest.NewRecorder()
 	handler.ServeHTTP(w, req)
 	assert.Equal(t, http.StatusTooManyRequests, w.Code)
 	// IP2 should still be allowed
 	req2 := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodPost, "/pages/login", nil,
 	)
 	req2.RemoteAddr = "5.6.7.8:12345"
 	w2 := httptest.NewRecorder()
 	handler.ServeHTTP(w2, req2)
 	assert.Equal(
 		t, http.StatusOK, w2.Code,
 		"different IP should not be affected",
 	)
 }
--- a/internal/middleware/testing.go
+++ b/internal/middleware/testing.go
@@ -1,24 +0,0 @@
 package middleware
 import (
 	"log/slog"
 	"sneak.berlin/go/webhooker/internal/config"
 	"sneak.berlin/go/webhooker/internal/session"
 )
 // NewForTest creates a Middleware with the minimum dependencies
 // needed for testing. This bypasses the fx lifecycle.
 func NewForTest(
 	log *slog.Logger,
 	cfg *config.Config,
 	sess *session.Session,
 ) *Middleware {
 	return &Middleware{
 		log: log,
 		params: &MiddlewareParams{
 			Config: cfg,
 		},
 		session: sess,
 	}
 }
--- a/internal/server/http.go
+++ b/internal/server/http.go
@@ -1,33 +1,18 @@
 package server
 import (
 	"errors"
 	"fmt"
 	"net/http"
 	"time"
 )
 const (
 	// httpReadTimeout is the maximum duration for reading the
 	// entire request, including the body.
 	httpReadTimeout = 10 * time.Second
 	// httpWriteTimeout is the maximum duration before timing out
 	// writes of the response.
 	httpWriteTimeout = 10 * time.Second
 	// httpMaxHeaderBytes is the maximum number of bytes the
 	// server will read parsing the request headers.
 	httpMaxHeaderBytes = 1 << 20
 )
 func (s *Server) serveUntilShutdown() {
 	listenAddr := fmt.Sprintf(":%d", s.params.Config.Port)
 	s.httpServer = &http.Server{
 		Addr:           listenAddr,
-		ReadTimeout:    httpReadTimeout,
+		ReadTimeout:    10 * time.Second,
-		WriteTimeout:   httpWriteTimeout,
+		WriteTimeout:   10 * time.Second,
-		MaxHeaderBytes: httpMaxHeaderBytes,
+		MaxHeaderBytes: 1 << 20,
 		Handler:        s,
 	}
@@ -36,21 +21,14 @@ func (s *Server) serveUntilShutdown() {
 	s.SetupRoutes()
 	s.log.Info("http begin listen", "listenaddr", listenAddr)
-
+	if err := s.httpServer.ListenAndServe(); err != nil && err != http.ErrServerClosed {
 	err := s.httpServer.ListenAndServe()
 	if err != nil && !errors.Is(err, http.ErrServerClosed) {
 		s.log.Error("listen error", "error", err)
 		if s.cancelFunc != nil {
 			s.cancelFunc()
 		}
 	}
 }
-// ServeHTTP delegates to the router.
+func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 func (s *Server) ServeHTTP(
 	w http.ResponseWriter,
 	r *http.Request,
 ) {
 	s.router.ServeHTTP(w, r)
 }
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@@ -11,57 +11,55 @@ import (
 	"sneak.berlin/go/webhooker/static"
 )
 // maxFormBodySize is the maximum allowed request body size (in
 // bytes) for form POST endpoints. 1 MB is generous for any form
 // submission while preventing abuse from oversized payloads.
 const maxFormBodySize int64 = 1 * 1024 * 1024 // 1 MB
 // requestTimeout is the maximum time allowed for a single HTTP
 // request.
 const requestTimeout = 60 * time.Second
 // SetupRoutes configures all HTTP routes and middleware on the
 // server's router.
 func (s *Server) SetupRoutes() {
 	s.router = chi.NewRouter()
 	s.setupGlobalMiddleware()
 	s.setupRoutes()
 }
-func (s *Server) setupGlobalMiddleware() {
+	// the mux .Use() takes a http.Handler wrapper func, like most
 	// things that deal with "middlewares" like alice et c, and will
 	// call ServeHTTP on it.  These middlewares applied by the mux (you
 	// can .Use() more than one) will be applied to every request into
 	// the service.
 	s.router.Use(middleware.Recoverer)
 	s.router.Use(middleware.RequestID)
 	s.router.Use(s.mw.SecurityHeaders())
 	s.router.Use(s.mw.Logging())
-	// Metrics middleware (only if credentials are configured)
+	// add metrics middleware only if we can serve them behind auth
 	if s.params.Config.MetricsUsername != "" {
 		s.router.Use(s.mw.Metrics())
 	}
 	// set up CORS headers
 	s.router.Use(s.mw.CORS())
 	s.router.Use(middleware.Timeout(requestTimeout))
-	// Sentry error reporting (if SENTRY_DSN is set). Repanic is
+	// timeout for request context; your handlers must finish within
-	// true so panics still bubble up to the Recoverer middleware.
+	// this window:
 	s.router.Use(middleware.Timeout(60 * time.Second))
 	// this adds a sentry reporting middleware if and only if sentry is
 	// enabled via setting of SENTRY_DSN in env.
 	if s.sentryEnabled {
 		// Options docs at
 		// https://docs.sentry.io/platforms/go/guides/http/
 		// we set sentry to repanic so that all panics bubble up to the
 		// Recoverer chi middleware above.
 		sentryHandler := sentryhttp.New(sentryhttp.Options{
 			Repanic: true,
 		})
 		s.router.Use(sentryHandler.Handle)
 	}
 }
-func (s *Server) setupRoutes() {
+	////////////////////////////////////////////////////////////////////////
 	// ROUTES
 	// complete docs: https://github.com/go-chi/chi
 	////////////////////////////////////////////////////////////////////////
 	s.router.Get("/", s.h.HandleIndex())
-	s.router.Mount(
+	s.router.Mount("/s", http.StripPrefix("/s", http.FileServer(http.FS(static.Static))))
 		"/s",
 		http.StripPrefix("/s", http.FileServer(http.FS(static.Static))),
 	)
 	s.router.Route("/api/v1", func(_ chi.Router) {
-		// API routes will be added here.
+		// TODO: Add API routes here
 	})
 	s.router.Get(
@@ -73,89 +71,42 @@ func (s *Server) setupRoutes() {
 	if s.params.Config.MetricsUsername != "" {
 		s.router.Group(func(r chi.Router) {
 			r.Use(s.mw.MetricsAuth())
-			r.Get(
+			r.Get("/metrics", http.HandlerFunc(promhttp.Handler().ServeHTTP))
 				"/metrics",
 				http.HandlerFunc(
 					promhttp.Handler().ServeHTTP,
 				),
 			)
 		})
 	}
-	s.setupPageRoutes()
+	// pages that are rendered server-side
 	s.setupUserRoutes()
 	s.setupSourceRoutes()
 	s.setupWebhookRoutes()
 }
 func (s *Server) setupPageRoutes() {
 	s.router.Route("/pages", func(r chi.Router) {
-		r.Use(s.mw.CSRF())
+		// Login page (no auth required)
 		r.Use(s.mw.MaxBodySize(maxFormBodySize))
 		r.Group(func(r chi.Router) {
 			r.Use(s.mw.LoginRateLimit())
 		r.Get("/login", s.h.HandleLoginPage())
 		r.Post("/login", s.h.HandleLoginSubmit())
 		})
 		// Logout (auth required)
 		r.Post("/logout", s.h.HandleLogout())
 	})
 }
-func (s *Server) setupUserRoutes() {
+	// User profile routes
 	s.router.Route("/user/{username}", func(r chi.Router) {
 		r.Use(s.mw.CSRF())
 		r.Get("/", s.h.HandleProfile())
 	})
 }
-func (s *Server) setupSourceRoutes() {
+	// Webhook management routes (require authentication)
 	s.router.Route("/sources", func(r chi.Router) {
 		r.Use(s.mw.CSRF())
 		r.Use(s.mw.RequireAuth())
-		r.Use(s.mw.MaxBodySize(maxFormBodySize))
+		r.Get("/", s.h.HandleSourceList())             // List all webhooks
-		r.Get("/", s.h.HandleSourceList())
+		r.Get("/new", s.h.HandleSourceCreate())        // Show create form
-		r.Get("/new", s.h.HandleSourceCreate())
+		r.Post("/new", s.h.HandleSourceCreateSubmit()) // Handle create submission
 		r.Post("/new", s.h.HandleSourceCreateSubmit())
 	})
 	s.router.Route("/source/{sourceID}", func(r chi.Router) {
 		r.Use(s.mw.CSRF())
 		r.Use(s.mw.RequireAuth())
-		r.Use(s.mw.MaxBodySize(maxFormBodySize))
+		r.Get("/", s.h.HandleSourceDetail())          // View webhook details
-		r.Get("/", s.h.HandleSourceDetail())
+		r.Get("/edit", s.h.HandleSourceEdit())        // Show edit form
-		r.Get("/edit", s.h.HandleSourceEdit())
+		r.Post("/edit", s.h.HandleSourceEditSubmit()) // Handle edit submission
-		r.Post("/edit", s.h.HandleSourceEditSubmit())
+		r.Post("/delete", s.h.HandleSourceDelete())   // Delete webhook
-		r.Post("/delete", s.h.HandleSourceDelete())
+		r.Get("/logs", s.h.HandleSourceLogs())        // View webhook logs
 		r.Get("/logs", s.h.HandleSourceLogs())
 		r.Post(
 			"/entrypoints",
 			s.h.HandleEntrypointCreate(),
 		)
 		r.Post(
 			"/entrypoints/{entrypointID}/delete",
 			s.h.HandleEntrypointDelete(),
 		)
 		r.Post(
 			"/entrypoints/{entrypointID}/toggle",
 			s.h.HandleEntrypointToggle(),
 		)
 		r.Post("/targets", s.h.HandleTargetCreate())
 		r.Post(
 			"/targets/{targetID}/delete",
 			s.h.HandleTargetDelete(),
 		)
 		r.Post(
 			"/targets/{targetID}/toggle",
 			s.h.HandleTargetToggle(),
 		)
 	})
 }
-func (s *Server) setupWebhookRoutes() {
+	// Entrypoint endpoint - accepts incoming webhook POST requests
-	s.router.HandleFunc(
+	s.router.HandleFunc("/webhook/{uuid}", s.h.HandleWebhook())
 		"/webhook/{uuid}",
 		s.h.HandleWebhook(),
 	)
 }
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -1,5 +1,3 @@
 // Package server wires up HTTP routes and manages the
 // application lifecycle.
 package server
 import (
@@ -23,20 +21,10 @@ import (
 	"github.com/go-chi/chi"
 )
-const (
+// ServerParams is a standard fx naming convention for dependency injection
-	// shutdownTimeout is the maximum time to wait for the HTTP
+// nolint:golint
 	// server to finish in-flight requests during shutdown.
 	shutdownTimeout = 5 * time.Second
 	// sentryFlushTimeout is the maximum time to wait for Sentry
 	// to flush pending events during shutdown.
 	sentryFlushTimeout = 2 * time.Second
 )
 //nolint:revive // ServerParams is a standard fx naming convention.
 type ServerParams struct {
 	fx.In
 	Logger     *logger.Logger
 	Globals    *globals.Globals
 	Config     *config.Config
@@ -44,13 +32,12 @@ type ServerParams struct {
 	Handlers   *handlers.Handlers
 }
 // Server is the main HTTP server that wires up routes and manages
 // graceful shutdown.
 type Server struct {
 	startupTime   time.Time
 	exitCode      int
 	sentryEnabled bool
 	log           *slog.Logger
 	ctx           context.Context
 	cancelFunc    context.CancelFunc
 	httpServer    *http.Server
 	router        *chi.Mux
@@ -59,8 +46,6 @@ type Server struct {
 	h             *handlers.Handlers
 }
 // New creates a Server that starts the HTTP listener on fx start
 // and stops it gracefully.
 func New(lc fx.Lifecycle, params ServerParams) (*Server, error) {
 	s := new(Server)
 	s.params = params
@@ -69,23 +54,19 @@ func New(lc fx.Lifecycle, params ServerParams) (*Server, error) {
 	s.log = params.Logger.Get()
 	lc.Append(fx.Hook{
-		OnStart: func(_ context.Context) error {
+		OnStart: func(ctx context.Context) error {
 			s.startupTime = time.Now()
 			go s.Run()
 			return nil
 		},
 		OnStop: func(ctx context.Context) error {
-			s.cleanShutdown(ctx)
+			s.cleanShutdown()
 			return nil
 		},
 	})
 	return s, nil
 }
 // Run configures Sentry and starts serving HTTP requests.
 func (s *Server) Run() {
 	s.configure()
@@ -95,12 +76,6 @@ func (s *Server) Run() {
 	s.serve()
 }
 // MaintenanceMode returns whether the server is in maintenance
 // mode.
 func (s *Server) MaintenanceMode() bool {
 	return s.params.Config.MaintenanceMode
 }
 func (s *Server) enableSentry() {
 	s.sentryEnabled = false
@@ -110,78 +85,68 @@ func (s *Server) enableSentry() {
 	err := sentry.Init(sentry.ClientOptions{
 		Dsn:     s.params.Config.SentryDSN,
-		Release: fmt.Sprintf(
+		Release: fmt.Sprintf("%s-%s", s.params.Globals.Appname, s.params.Globals.Version),
 			"%s-%s",
 			s.params.Globals.Appname,
 			s.params.Globals.Version,
 		),
 	})
 	if err != nil {
 		s.log.Error("sentry init failure", "error", err)
 		// Don't use fatal since we still want the service to run
 		return
 	}
 	s.log.Info("sentry error reporting activated")
 	s.sentryEnabled = true
 }
 func (s *Server) serve() int {
-	ctx, cancelFunc := context.WithCancel(context.Background())
+	s.ctx, s.cancelFunc = context.WithCancel(context.Background())
 	s.cancelFunc = cancelFunc
 	// signal watcher
 	go func() {
 		c := make(chan os.Signal, 1)
 		signal.Ignore(syscall.SIGPIPE)
 		signal.Notify(c, os.Interrupt, syscall.SIGTERM)
 		// block and wait for signal
 		sig := <-c
 		s.log.Info("signal received", "signal", sig.String())
 		if s.cancelFunc != nil {
 			// cancelling the main context will trigger a clean
-			// shutdown via the fx OnStop hook.
+			// shutdown.
 			s.cancelFunc()
 		}
 	}()
 	go s.serveUntilShutdown()
-	<-ctx.Done()
+	<-s.ctx.Done()
-	// Shutdown is handled by the fx OnStop hook (cleanShutdown).
+	s.cleanShutdown()
 	// Do not call cleanShutdown() here to avoid double invocation.
 	return s.exitCode
 }
 func (s *Server) cleanupForExit() {
 	s.log.Info("cleaning up")
 	// TODO: close database connections, flush buffers, etc.
 }
-func (s *Server) cleanShutdown(ctx context.Context) {
+func (s *Server) cleanShutdown() {
 	// initiate clean shutdown
 	s.exitCode = 0
-
+	ctxShutdown, shutdownCancel := context.WithTimeout(context.Background(), 5*time.Second)
 	ctxShutdown, shutdownCancel := context.WithTimeout(
 		ctx, shutdownTimeout,
 	)
 	defer shutdownCancel()
-	err := s.httpServer.Shutdown(ctxShutdown)
+	if err := s.httpServer.Shutdown(ctxShutdown); err != nil {
-	if err != nil {
+		s.log.Error("server clean shutdown failed", "error", err)
 		s.log.Error(
 			"server clean shutdown failed", "error", err,
 		)
 	}
 	s.cleanupForExit()
 	if s.sentryEnabled {
-		sentry.Flush(sentryFlushTimeout)
+		sentry.Flush(2 * time.Second)
 	}
 }
 func (s *Server) MaintenanceMode() bool {
 	return s.params.Config.MaintenanceMode
 }
 func (s *Server) configure() {
 	// identify ourselves in the logs
 	s.params.Logger.Identify()
--- a/internal/session/session.go
+++ b/internal/session/session.go
@@ -1,107 +1,59 @@
 // Package session manages HTTP session storage and authentication
 // state.
 package session
 import (
 	"context"
 	"encoding/base64"
 	"errors"
 	"fmt"
 	"log/slog"
 	"maps"
 	"net/http"
 	"github.com/gorilla/sessions"
 	"go.uber.org/fx"
 	"sneak.berlin/go/webhooker/internal/config"
 	"sneak.berlin/go/webhooker/internal/database"
 	"sneak.berlin/go/webhooker/internal/logger"
 )
 const (
-	// SessionName is the name of the session cookie.
+	// SessionName is the name of the session cookie
 	SessionName = "webhooker_session"
-	// UserIDKey is the session key for user ID.
+	// UserIDKey is the session key for user ID
 	UserIDKey = "user_id"
-	// UsernameKey is the session key for username.
+	// UsernameKey is the session key for username
 	UsernameKey = "username"
-	// AuthenticatedKey is the session key for authentication
+	// AuthenticatedKey is the session key for authentication status
 	// status.
 	AuthenticatedKey = "authenticated"
 	// sessionKeyLength is the required length in bytes for the
 	// session authentication key.
 	sessionKeyLength = 32
 	// sessionMaxAgeDays is the session cookie lifetime in days.
 	sessionMaxAgeDays = 7
 	// secondsPerDay is the number of seconds in a day.
 	secondsPerDay = 86400
 )
-// ErrSessionKeyLength is returned when the decoded session key
+// nolint:revive // SessionParams is a standard fx naming convention
-// does not have the expected length.
+type SessionParams struct {
 var ErrSessionKeyLength = errors.New("session key length mismatch")
 // Params holds dependencies injected by fx.
 type Params struct {
 	fx.In
 	Config *config.Config
 	Database *database.Database
 	Logger *logger.Logger
 }
-// Session manages encrypted session storage.
+// Session manages encrypted session storage
 type Session struct {
 	store  *sessions.CookieStore
 	key    []byte // raw 32-byte auth key, also used for CSRF cookie signing
 	log    *slog.Logger
 	config *config.Config
 }
-// New creates a new session manager. The cookie store is
+// New creates a new session manager
-// initialized during the fx OnStart phase after the database is
+func New(lc fx.Lifecycle, params SessionParams) (*Session, error) {
-// connected, using a session key that is auto-generated and stored
+	if params.Config.SessionKey == "" {
-// in the database.
+		return nil, fmt.Errorf("SESSION_KEY environment variable is required")
 func New(
 	lc fx.Lifecycle,
 	params Params,
 ) (*Session, error) {
 	s := &Session{
 		log:    params.Logger.Get(),
 		config: params.Config,
 	}
-	lc.Append(fx.Hook{
+	// Decode the base64 session key
-		OnStart: func(_ context.Context) error {
+	keyBytes, err := base64.StdEncoding.DecodeString(params.Config.SessionKey)
 			sessionKey, err := params.Database.GetOrCreateSessionKey()
 	if err != nil {
-				return fmt.Errorf(
+		return nil, fmt.Errorf("invalid SESSION_KEY format: %w", err)
 					"failed to get session key: %w", err,
 				)
 	}
-			keyBytes, err := base64.StdEncoding.DecodeString(
+	if len(keyBytes) != 32 {
-				sessionKey,
+		return nil, fmt.Errorf("SESSION_KEY must be 32 bytes (got %d)", len(keyBytes))
 			)
 			if err != nil {
 				return fmt.Errorf(
 					"invalid session key format: %w", err,
 				)
 			}
 			if len(keyBytes) != sessionKeyLength {
 				return fmt.Errorf(
 					"%w: want %d, got %d",
 					ErrSessionKeyLength,
 					sessionKeyLength,
 					len(keyBytes),
 				)
 	}
 	store := sessions.NewCookieStore(keyBytes)
@@ -109,147 +61,65 @@ func New(
 	// Configure cookie options for security
 	store.Options = &sessions.Options{
 		Path:     "/",
-				MaxAge:   secondsPerDay * sessionMaxAgeDays,
+		MaxAge:   86400 * 7, // 7 days
 		HttpOnly: true,
-				Secure:   !params.Config.IsDev(),
+		Secure:   !params.Config.IsDev(), // HTTPS in production
 		SameSite: http.SameSiteLaxMode,
 	}
-			s.key = keyBytes
+	s := &Session{
-			s.store = store
+		store:  store,
-			s.log.Info("session manager initialized")
+		log:    params.Logger.Get(),
-
+		config: params.Config,
-			return nil
+	}
 		},
 	})
 	return s, nil
 }
-// Get retrieves a session for the request.
+// Get retrieves a session for the request
-func (s *Session) Get(
+func (s *Session) Get(r *http.Request) (*sessions.Session, error) {
 	r *http.Request,
 ) (*sessions.Session, error) {
 	return s.store.Get(r, SessionName)
 }
-// GetKey returns the raw 32-byte authentication key used for
+// Save saves the session
-// session encryption. This key is also suitable for CSRF cookie
+func (s *Session) Save(r *http.Request, w http.ResponseWriter, sess *sessions.Session) error {
 // signing.
 func (s *Session) GetKey() []byte {
 	return s.key
 }
 // Save saves the session.
 func (s *Session) Save(
 	r *http.Request,
 	w http.ResponseWriter,
 	sess *sessions.Session,
 ) error {
 	return sess.Save(r, w)
 }
-// SetUser sets the user information in the session.
+// SetUser sets the user information in the session
-func (s *Session) SetUser(
+func (s *Session) SetUser(sess *sessions.Session, userID, username string) {
 	sess *sessions.Session,
 	userID, username string,
 ) {
 	sess.Values[UserIDKey] = userID
 	sess.Values[UsernameKey] = username
 	sess.Values[AuthenticatedKey] = true
 }
-// ClearUser removes user information from the session.
+// ClearUser removes user information from the session
 func (s *Session) ClearUser(sess *sessions.Session) {
 	delete(sess.Values, UserIDKey)
 	delete(sess.Values, UsernameKey)
 	delete(sess.Values, AuthenticatedKey)
 }
-// IsAuthenticated checks if the session has an authenticated
+// IsAuthenticated checks if the session has an authenticated user
 // user.
 func (s *Session) IsAuthenticated(sess *sessions.Session) bool {
 	auth, ok := sess.Values[AuthenticatedKey].(bool)
 	return ok && auth
 }
-// GetUserID retrieves the user ID from the session.
+// GetUserID retrieves the user ID from the session
-func (s *Session) GetUserID(
+func (s *Session) GetUserID(sess *sessions.Session) (string, bool) {
 	sess *sessions.Session,
 ) (string, bool) {
 	userID, ok := sess.Values[UserIDKey].(string)
 	return userID, ok
 }
-// GetUsername retrieves the username from the session.
+// GetUsername retrieves the username from the session
-func (s *Session) GetUsername(
+func (s *Session) GetUsername(sess *sessions.Session) (string, bool) {
 	sess *sessions.Session,
 ) (string, bool) {
 	username, ok := sess.Values[UsernameKey].(string)
 	return username, ok
 }
-// Destroy invalidates the session.
+// Destroy invalidates the session
 func (s *Session) Destroy(sess *sessions.Session) {
 	sess.Options.MaxAge = -1
 	s.ClearUser(sess)
 }
 // Regenerate creates a new session with the same values but a
 // fresh ID. The old session is destroyed (MaxAge = -1) and saved,
 // then a new session is created. This prevents session fixation
 // attacks by ensuring the session ID changes after privilege
 // escalation (e.g. login).
 func (s *Session) Regenerate(
 	r *http.Request,
 	w http.ResponseWriter,
 	oldSess *sessions.Session,
 ) (*sessions.Session, error) {
 	// Copy the values from the old session
 	oldValues := make(map[any]any)
 	maps.Copy(oldValues, oldSess.Values)
 	// Destroy the old session
 	oldSess.Options.MaxAge = -1
 	s.ClearUser(oldSess)
 	err := oldSess.Save(r, w)
 	if err != nil {
 		return nil, fmt.Errorf(
 			"failed to destroy old session: %w", err,
 		)
 	}
 	// Create a new session (gorilla/sessions generates a new ID)
 	newSess, err := s.store.New(r, SessionName)
 	if err != nil {
 		// store.New may return an error alongside a new empty
 		// session if the old cookie is now invalid. That is
 		// expected after we destroyed it above. Only fail on a
 		// nil session.
 		if newSess == nil {
 			return nil, fmt.Errorf(
 				"failed to create new session: %w", err,
 			)
 		}
 	}
 	// Restore the copied values into the new session
 	maps.Copy(newSess.Values, oldValues)
 	// Apply the standard session options (the destroyed old
 	// session had MaxAge = -1, which store.New might inherit
 	// from the cookie).
 	newSess.Options = &sessions.Options{
 		Path:     "/",
 		MaxAge:   secondsPerDay * sessionMaxAgeDays,
 		HttpOnly: true,
 		Secure:   !s.config.IsDev(),
 		SameSite: http.SameSiteLaxMode,
 	}
 	return newSess, nil
 }
--- a/internal/session/session_test.go
+++ b/internal/session/session_test.go
@@ -1,507 +0,0 @@
 package session_test
 import (
 	"context"
 	"log/slog"
 	"net/http"
 	"net/http/httptest"
 	"os"
 	"testing"
 	"github.com/gorilla/sessions"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"sneak.berlin/go/webhooker/internal/config"
 	"sneak.berlin/go/webhooker/internal/session"
 )
 const testKeySize = 32
 // testSession creates a Session with a real cookie store for
 // testing.
 func testSession(t *testing.T) *session.Session {
 	t.Helper()
 	key := make([]byte, testKeySize)
 	for i := range key {
 		key[i] = byte(i + 42)
 	}
 	store := sessions.NewCookieStore(key)
 	store.Options = &sessions.Options{
 		Path:     "/",
 		MaxAge:   86400 * 7,
 		HttpOnly: true,
 		Secure:   false,
 		SameSite: http.SameSiteLaxMode,
 	}
 	cfg := &config.Config{
 		Environment: config.EnvironmentDev,
 	}
 	log := slog.New(slog.NewTextHandler(
 		os.Stderr,
 		&slog.HandlerOptions{Level: slog.LevelDebug},
 	))
 	return session.NewForTest(store, cfg, log, key)
 }
 // --- Get and Save Tests ---
 func TestGet_NewSession(t *testing.T) {
 	t.Parallel()
 	s := testSession(t)
 	req := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 	sess, err := s.Get(req)
 	require.NoError(t, err)
 	require.NotNil(t, sess)
 	assert.True(
 		t, sess.IsNew,
 		"session should be new when no cookie is present",
 	)
 }
 func TestGet_ExistingSession(t *testing.T) {
 	t.Parallel()
 	s := testSession(t)
 	// Create and save a session
 	req1 := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 	w1 := httptest.NewRecorder()
 	sess1, err := s.Get(req1)
 	require.NoError(t, err)
 	sess1.Values["test_key"] = "test_value"
 	require.NoError(t, s.Save(req1, w1, sess1))
 	// Extract cookies
 	cookies := w1.Result().Cookies()
 	require.NotEmpty(t, cookies)
 	// Make a new request with the session cookie
 	req2 := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 	for _, c := range cookies {
 		req2.AddCookie(c)
 	}
 	sess2, err := s.Get(req2)
 	require.NoError(t, err)
 	assert.False(
 		t, sess2.IsNew,
 		"session should not be new when cookie is present",
 	)
 	assert.Equal(t, "test_value", sess2.Values["test_key"])
 }
 func TestSave_SetsCookie(t *testing.T) {
 	t.Parallel()
 	s := testSession(t)
 	req := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 	w := httptest.NewRecorder()
 	sess, err := s.Get(req)
 	require.NoError(t, err)
 	sess.Values["key"] = "value"
 	err = s.Save(req, w, sess)
 	require.NoError(t, err)
 	cookies := w.Result().Cookies()
 	require.NotEmpty(t, cookies, "Save should set a cookie")
 	// Verify the cookie has the expected name
 	var found bool
 	for _, c := range cookies {
 		if c.Name == session.SessionName {
 			found = true
 			assert.True(
 				t, c.HttpOnly,
 				"session cookie should be HTTP-only",
 			)
 			break
 		}
 	}
 	assert.True(
 		t, found,
 		"should find a cookie named %s", session.SessionName,
 	)
 }
 // --- SetUser and User Retrieval Tests ---
 func TestSetUser_SetsAllFields(t *testing.T) {
 	t.Parallel()
 	s := testSession(t)
 	req := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 	sess, err := s.Get(req)
 	require.NoError(t, err)
 	s.SetUser(sess, "user-abc-123", "alice")
 	assert.Equal(
 		t, "user-abc-123", sess.Values[session.UserIDKey],
 	)
 	assert.Equal(
 		t, "alice", sess.Values[session.UsernameKey],
 	)
 	assert.Equal(
 		t, true, sess.Values[session.AuthenticatedKey],
 	)
 }
 func TestGetUserID(t *testing.T) {
 	t.Parallel()
 	s := testSession(t)
 	req := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 	sess, err := s.Get(req)
 	require.NoError(t, err)
 	// Before setting user
 	userID, ok := s.GetUserID(sess)
 	assert.False(
 		t, ok, "should return false when no user ID is set",
 	)
 	assert.Empty(t, userID)
 	// After setting user
 	s.SetUser(sess, "user-xyz", "bob")
 	userID, ok = s.GetUserID(sess)
 	assert.True(t, ok)
 	assert.Equal(t, "user-xyz", userID)
 }
 func TestGetUsername(t *testing.T) {
 	t.Parallel()
 	s := testSession(t)
 	req := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 	sess, err := s.Get(req)
 	require.NoError(t, err)
 	// Before setting user
 	username, ok := s.GetUsername(sess)
 	assert.False(
 		t, ok, "should return false when no username is set",
 	)
 	assert.Empty(t, username)
 	// After setting user
 	s.SetUser(sess, "user-xyz", "bob")
 	username, ok = s.GetUsername(sess)
 	assert.True(t, ok)
 	assert.Equal(t, "bob", username)
 }
 // --- IsAuthenticated Tests ---
 func TestIsAuthenticated_NoSession(t *testing.T) {
 	t.Parallel()
 	s := testSession(t)
 	req := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 	sess, err := s.Get(req)
 	require.NoError(t, err)
 	assert.False(
 		t, s.IsAuthenticated(sess),
 		"new session should not be authenticated",
 	)
 }
 func TestIsAuthenticated_AfterSetUser(t *testing.T) {
 	t.Parallel()
 	s := testSession(t)
 	req := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 	sess, err := s.Get(req)
 	require.NoError(t, err)
 	s.SetUser(sess, "user-123", "alice")
 	assert.True(t, s.IsAuthenticated(sess))
 }
 func TestIsAuthenticated_AfterClearUser(t *testing.T) {
 	t.Parallel()
 	s := testSession(t)
 	req := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 	sess, err := s.Get(req)
 	require.NoError(t, err)
 	s.SetUser(sess, "user-123", "alice")
 	require.True(t, s.IsAuthenticated(sess))
 	s.ClearUser(sess)
 	assert.False(
 		t, s.IsAuthenticated(sess),
 		"should not be authenticated after ClearUser",
 	)
 }
 func TestIsAuthenticated_WrongType(t *testing.T) {
 	t.Parallel()
 	s := testSession(t)
 	req := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 	sess, err := s.Get(req)
 	require.NoError(t, err)
 	// Set authenticated to a non-bool value
 	sess.Values[session.AuthenticatedKey] = "yes"
 	assert.False(
 		t, s.IsAuthenticated(sess),
 		"should return false for non-bool authenticated value",
 	)
 }
 // --- ClearUser Tests ---
 func TestClearUser_RemovesAllKeys(t *testing.T) {
 	t.Parallel()
 	s := testSession(t)
 	req := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 	sess, err := s.Get(req)
 	require.NoError(t, err)
 	s.SetUser(sess, "user-123", "alice")
 	s.ClearUser(sess)
 	_, hasUserID := sess.Values[session.UserIDKey]
 	assert.False(t, hasUserID, "UserIDKey should be removed")
 	_, hasUsername := sess.Values[session.UsernameKey]
 	assert.False(t, hasUsername, "UsernameKey should be removed")
 	_, hasAuth := sess.Values[session.AuthenticatedKey]
 	assert.False(
 		t, hasAuth, "AuthenticatedKey should be removed",
 	)
 }
 // --- Destroy Tests ---
 func TestDestroy_InvalidatesSession(t *testing.T) {
 	t.Parallel()
 	s := testSession(t)
 	req := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 	sess, err := s.Get(req)
 	require.NoError(t, err)
 	s.SetUser(sess, "user-123", "alice")
 	s.Destroy(sess)
 	// After Destroy: MaxAge should be -1 (delete cookie) and
 	// user data cleared
 	assert.Equal(
 		t, -1, sess.Options.MaxAge,
 		"Destroy should set MaxAge to -1",
 	)
 	assert.False(
 		t, s.IsAuthenticated(sess),
 		"should not be authenticated after Destroy",
 	)
 	_, hasUserID := sess.Values[session.UserIDKey]
 	assert.False(t, hasUserID, "Destroy should clear user ID")
 }
 // --- Session Persistence Round-Trip ---
 func TestSessionPersistence_RoundTrip(t *testing.T) {
 	t.Parallel()
 	s := testSession(t)
 	// Step 1: Create session, set user, save
 	req1 := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 	w1 := httptest.NewRecorder()
 	sess1, err := s.Get(req1)
 	require.NoError(t, err)
 	s.SetUser(sess1, "user-round-trip", "charlie")
 	require.NoError(t, s.Save(req1, w1, sess1))
 	cookies := w1.Result().Cookies()
 	require.NotEmpty(t, cookies)
 	// Step 2: New request with cookies -- session data should
 	// persist
 	req2 := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodGet, "/profile", nil,
 	)
 	for _, c := range cookies {
 		req2.AddCookie(c)
 	}
 	sess2, err := s.Get(req2)
 	require.NoError(t, err)
 	assert.True(
 		t, s.IsAuthenticated(sess2),
 		"session should be authenticated after round-trip",
 	)
 	userID, ok := s.GetUserID(sess2)
 	assert.True(t, ok)
 	assert.Equal(t, "user-round-trip", userID)
 	username, ok := s.GetUsername(sess2)
 	assert.True(t, ok)
 	assert.Equal(t, "charlie", username)
 }
 // --- Constants Tests ---
 func TestSessionConstants(t *testing.T) {
 	t.Parallel()
 	assert.Equal(t, "webhooker_session", session.SessionName)
 	assert.Equal(t, "user_id", session.UserIDKey)
 	assert.Equal(t, "username", session.UsernameKey)
 	assert.Equal(t, "authenticated", session.AuthenticatedKey)
 }
 // --- Edge Cases ---
 func TestSetUser_OverwritesPreviousUser(t *testing.T) {
 	t.Parallel()
 	s := testSession(t)
 	req := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 	sess, err := s.Get(req)
 	require.NoError(t, err)
 	s.SetUser(sess, "user-1", "alice")
 	assert.True(t, s.IsAuthenticated(sess))
 	// Overwrite with a different user
 	s.SetUser(sess, "user-2", "bob")
 	userID, ok := s.GetUserID(sess)
 	assert.True(t, ok)
 	assert.Equal(t, "user-2", userID)
 	username, ok := s.GetUsername(sess)
 	assert.True(t, ok)
 	assert.Equal(t, "bob", username)
 }
 func TestDestroy_ThenSave_DeletesCookie(t *testing.T) {
 	t.Parallel()
 	s := testSession(t)
 	// Create a session
 	req1 := httptest.NewRequestWithContext(
 		context.Background(), http.MethodGet, "/", nil)
 	w1 := httptest.NewRecorder()
 	sess, err := s.Get(req1)
 	require.NoError(t, err)
 	s.SetUser(sess, "user-123", "alice")
 	require.NoError(t, s.Save(req1, w1, sess))
 	cookies := w1.Result().Cookies()
 	require.NotEmpty(t, cookies)
 	// Destroy and save
 	req2 := httptest.NewRequestWithContext(
 		context.Background(),
 		http.MethodGet, "/logout", nil,
 	)
 	for _, c := range cookies {
 		req2.AddCookie(c)
 	}
 	w2 := httptest.NewRecorder()
 	sess2, err := s.Get(req2)
 	require.NoError(t, err)
 	s.Destroy(sess2)
 	require.NoError(t, s.Save(req2, w2, sess2))
 	// The cookie should have MaxAge = -1 (browser should delete)
 	responseCookies := w2.Result().Cookies()
 	var sessionCookie *http.Cookie
 	for _, c := range responseCookies {
 		if c.Name == session.SessionName {
 			sessionCookie = c
 			break
 		}
 	}
 	require.NotNil(
 		t, sessionCookie,
 		"should have a session cookie in response",
 	)
 	assert.Negative(
 		t, sessionCookie.MaxAge,
 		"destroyed session cookie should have negative MaxAge",
 	)
 }
--- a/internal/session/testing.go
+++ b/internal/session/testing.go
@@ -1,22 +0,0 @@
 package session
 import (
 	"log/slog"
 	"github.com/gorilla/sessions"
 	"sneak.berlin/go/webhooker/internal/config"
 )
 // NewForTest creates a Session with a pre-configured cookie store for use
 // in tests. This bypasses the fx lifecycle and database dependency, allowing
 // middleware and handler tests to use real session functionality. The key
 // parameter is the raw 32-byte authentication key used for session encryption
 // and CSRF cookie signing.
 func NewForTest(store *sessions.CookieStore, cfg *config.Config, log *slog.Logger, key []byte) *Session {
 	return &Session{
 		store:  store,
 		key:    key,
 		config: cfg,
 		log:    log,
 	}
 }
--- a/pkg/config/.gitignore
+++ b/pkg/config/.gitignore
@@ -0,0 +1 @@
--- a/pkg/config/README.md
+++ b/pkg/config/README.md
@@ -0,0 +1,303 @@
 # Configuration Module (Go)
 A simple, clean, and generic configuration management system that supports multiple environments and automatic value resolution. This module is completely standalone and can be used in any Go project.
 ## Features
 - **Simple API**: Just `config.Get()` and `config.GetSecret()`
 - **Type-safe helpers**: `config.GetString()`, `config.GetInt()`, `config.GetBool()`
 - **Environment Support**: Separate configs for different environments (dev/prod/staging/etc)
 - **Value Resolution**: Automatic resolution of special values:
  - `$ENV:VARIABLE` - Read from environment variable
  - `$GSM:secret-name` - Read from Google Secret Manager
  - `$ASM:secret-name` - Read from AWS Secrets Manager
  - `$FILE:/path/to/file` - Read from file contents
 - **Hierarchical Defaults**: Environment-specific values override defaults
 - **YAML-based**: Easy to read and edit configuration files
 - **Thread-safe**: Safe for concurrent use
 - **Testable**: Uses afero filesystem abstraction for easy testing
 - **Minimal Dependencies**: Only requires YAML parser and cloud SDKs (optional)
 ## Installation
 ```bash
 go get git.eeqj.de/sneak/webhooker/pkg/config
 ```
 ## Usage
 ```go
 package main
 import (
    "fmt"
    "git.eeqj.de/sneak/webhooker/pkg/config"
 )
 func main() {
    // Set the environment explicitly
    config.SetEnvironment("prod")
    // Get configuration values
    baseURL := config.GetString("baseURL")
    apiTimeout := config.GetInt("timeout", 30)
    debugMode := config.GetBool("debugMode", false)
    // Get secret values
    apiKey := config.GetSecretString("api_key")
    dbPassword := config.GetSecretString("db_password", "default")
    // Get all values (for debugging)
    allConfig := config.GetAllConfig()
    allSecrets := config.GetAllSecrets()
    // Reload configuration from file
    if err := config.Reload(); err != nil {
        fmt.Printf("Failed to reload config: %v\n", err)
    }
 }
 ```
 ## Configuration File Structure
 Create a `config.yaml` file in your project root:
 ```yaml
 environments:
  dev:
    config:
      baseURL: https://dev.example.com
      debugMode: true
      timeout: 30
    secrets:
      api_key: dev-key-12345
      db_password: $ENV:DEV_DB_PASSWORD
  prod:
    config:
      baseURL: https://prod.example.com
      debugMode: false
      timeout: 10
      GCPProject: my-project-123
      AWSRegion: us-west-2
    secrets:
      api_key: $GSM:prod-api-key
      db_password: $ASM:prod/db/password
 configDefaults:
  app_name: my-app
  timeout: 30
  log_level: INFO
  port: 8080
 ```
 ## How It Works
 1. **Environment Selection**: Call `config.SetEnvironment("prod")` to select which environment to use
 2. **Value Lookup**: When you call `config.Get("key")`:
   - First checks `environments.<env>.config.key`
   - Falls back to `configDefaults.key`
   - Returns the default value if not found
 3. **Secret Lookup**: When you call `config.GetSecret("key")`:
   - Looks in `environments.<env>.secrets.key`
   - Returns the default value if not found
 4. **Value Resolution**: If a value starts with a special prefix:
   - `$ENV:` - Reads from environment variable
   - `$GSM:` - Fetches from Google Secret Manager (requires GCPProject to be set in config)
   - `$ASM:` - Fetches from AWS Secrets Manager (uses AWSRegion from config or defaults to us-east-1)
   - `$FILE:` - Reads from file (supports `~` expansion)
 ## Type-Safe Access
 The module provides type-safe helper functions:
 ```go
 // String values
 baseURL := config.GetString("baseURL", "http://localhost")
 // Integer values
 port := config.GetInt("port", 8080)
 // Boolean values
 debug := config.GetBool("debug", false)
 // Secret string values
 apiKey := config.GetSecretString("api_key", "default-key")
 ```
 ## Local Development
 For local development, you can:
 1. Use environment variables:
   ```yaml
   secrets:
     api_key: $ENV:LOCAL_API_KEY
   ```
 2. Use local files:
   ```yaml
   secrets:
     api_key: $FILE:~/.secrets/api-key.txt
   ```
 3. Create a `config.local.yaml` (gitignored) with literal values for testing
 ## Cloud Provider Support
 ### Google Secret Manager
 To use GSM resolution (`$GSM:` prefix):
 1. Set `GCPProject` in your config
 2. Ensure proper authentication (e.g., `GOOGLE_APPLICATION_CREDENTIALS` environment variable)
 3. The module will automatically initialize the GSM client when needed
 ### AWS Secrets Manager
 To use ASM resolution (`$ASM:` prefix):
 1. Optionally set `AWSRegion` in your config (defaults to us-east-1)
 2. Ensure proper authentication (e.g., AWS credentials in environment or IAM role)
 3. The module will automatically initialize the ASM client when needed
 ## Advanced Usage
 ### Loading from a Specific File
 ```go
 // Load configuration from a specific file
 if err := config.LoadFile("/path/to/config.yaml"); err != nil {
    log.Fatal(err)
 }
 ```
 ### Checking Configuration Values
 ```go
 // Get all configuration for current environment
 allConfig := config.GetAllConfig()
 for key, value := range allConfig {
    fmt.Printf("%s: %v\n", key, value)
 }
 // Get all secrets (be careful with logging!)
 allSecrets := config.GetAllSecrets()
 ```
 ## Testing
 The module uses the [afero](https://github.com/spf13/afero) filesystem abstraction, making it easy to test without real files:
 ```go
 package myapp_test
 import (
    "testing"
    "github.com/spf13/afero"
    "git.eeqj.de/sneak/webhooker/pkg/config"
 )
 func TestMyApp(t *testing.T) {
    // Create an in-memory filesystem for testing
    fs := afero.NewMemMapFs()
    // Write a test config file
    testConfig := `
 environments:
  test:
    config:
      apiURL: http://test.example.com
    secrets:
      apiKey: test-key-123
 `
    afero.WriteFile(fs, "config.yaml", []byte(testConfig), 0644)
    // Use the test filesystem
    config.SetFs(fs)
    config.SetEnvironment("test")
    // Now your tests use the in-memory config
    if url := config.GetString("apiURL"); url != "http://test.example.com" {
        t.Errorf("Expected test URL, got %s", url)
    }
 }
 ```
 ### Unit Testing with Isolated Config
 For unit tests, you can create isolated configuration managers:
 ```go
 func TestMyComponent(t *testing.T) {
    // Create a test-specific manager
    manager := config.NewManager()
    // Use in-memory filesystem
    fs := afero.NewMemMapFs()
    afero.WriteFile(fs, "config.yaml", []byte(testConfig), 0644)
    manager.SetFs(fs)
    // Test with isolated configuration
    manager.SetEnvironment("test")
    value := manager.Get("someKey", "default")
 }
 ```
 ## Error Handling
 - If a config file is not found when using the default loader, an error is returned
 - If a key is not found, the default value is returned
 - If a special value cannot be resolved (e.g., env var not set, file not found), `nil` is returned
 - Cloud provider errors are logged but return `nil` to allow graceful degradation
 ## Thread Safety
 All operations are thread-safe. The module uses read-write mutexes to ensure safe concurrent access to configuration data.
 ## Example Integration
 ```go
 package main
 import (
    "log"
    "os"
    "git.eeqj.de/sneak/webhooker/pkg/config"
 )
 func main() {
    // Read environment from your app-specific env var
    environment := os.Getenv("APP_ENV")
    if environment == "" {
        environment = "dev"
    }
    config.SetEnvironment(environment)
    // Now use configuration throughout your app
    databaseURL := config.GetString("database_url")
    apiKey := config.GetSecretString("api_key")
    log.Printf("Running in %s environment", environment)
    log.Printf("Database URL: %s", databaseURL)
 }
 ```
 ## Migration from Python Version
 The Go version maintains API compatibility with the Python version where possible:
 | Python | Go |
 |--------|-----|
 | `config.get('key')` | `config.Get("key")` or `config.GetString("key")` |
 | `config.getSecret('key')` | `config.GetSecret("key")` or `config.GetSecretString("key")` |
 | `config.set_environment('prod')` | `config.SetEnvironment("prod")` |
 | `config.reload()` | `config.Reload()` |
 | `config.get_all_config()` | `config.GetAllConfig()` |
 | `config.get_all_secrets()` | `config.GetAllSecrets()` |
 ## License
 This module is designed to be standalone and can be extracted into its own repository with your preferred license. 
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -0,0 +1,180 @@
 // Package config provides a simple, clean, and generic configuration management system
 // that supports multiple environments and automatic value resolution.
 //
 // Features:
 //   - Simple API: Just config.Get() and config.GetSecret()
 //   - Environment Support: Separate configs for different environments (dev/prod/staging/etc)
 //   - Value Resolution: Automatic resolution of special values:
 //   - $ENV:VARIABLE - Read from environment variable
 //   - $GSM:secret-name - Read from Google Secret Manager
 //   - $ASM:secret-name - Read from AWS Secrets Manager
 //   - $FILE:/path/to/file - Read from file contents
 //   - Hierarchical Defaults: Environment-specific values override defaults
 //   - YAML-based: Easy to read and edit configuration files
 //   - Zero Dependencies: Only depends on yaml and cloud provider SDKs (optional)
 //
 // Usage:
 //
 //	import "sneak.berlin/go/webhooker/pkg/config"
 //
 //	// Set the environment explicitly
 //	config.SetEnvironment("prod")
 //
 //	// Get configuration values
 //	baseURL := config.Get("baseURL")
 //	apiTimeout := config.GetInt("timeout", 30)
 //
 //	// Get secret values
 //	apiKey := config.GetSecret("api_key")
 //	dbPassword := config.GetSecret("db_password", "default")
 package config
 import (
 	"sync"
 	"github.com/spf13/afero"
 )
 // Global configuration manager instance
 var (
 	globalManager *Manager
 	mu            sync.Mutex // Protect global manager updates
 )
 // getManager returns the global configuration manager, creating it if necessary
 func getManager() *Manager {
 	mu.Lock()
 	defer mu.Unlock()
 	if globalManager == nil {
 		globalManager = NewManager()
 	}
 	return globalManager
 }
 // SetEnvironment sets the active environment.
 func SetEnvironment(environment string) {
 	getManager().SetEnvironment(environment)
 }
 // SetFs sets the filesystem to use for all file operations.
 // This is primarily useful for testing with an in-memory filesystem.
 func SetFs(fs afero.Fs) {
 	mu.Lock()
 	defer mu.Unlock()
 	// Create a new manager with the specified filesystem
 	newManager := NewManager()
 	newManager.SetFs(fs)
 	// Replace the global manager
 	globalManager = newManager
 }
 // Get retrieves a configuration value.
 //
 // This looks for values in the following order:
 //  1. Environment-specific config (environments.<env>.config.<key>)
 //  2. Config defaults (configDefaults.<key>)
 //
 // Values are resolved if they contain special prefixes:
 //   - $ENV:VARIABLE_NAME - reads from environment variable
 //   - $GSM:secret-name - reads from Google Secret Manager
 //   - $ASM:secret-name - reads from AWS Secrets Manager
 //   - $FILE:/path/to/file - reads from file
 func Get(key string, defaultValue ...interface{}) interface{} {
 	var def interface{}
 	if len(defaultValue) > 0 {
 		def = defaultValue[0]
 	}
 	return getManager().Get(key, def)
 }
 // GetString retrieves a configuration value as a string.
 func GetString(key string, defaultValue ...string) string {
 	var def string
 	if len(defaultValue) > 0 {
 		def = defaultValue[0]
 	}
 	val := Get(key, def)
 	if s, ok := val.(string); ok {
 		return s
 	}
 	return def
 }
 // GetInt retrieves a configuration value as an integer.
 func GetInt(key string, defaultValue ...int) int {
 	var def int
 	if len(defaultValue) > 0 {
 		def = defaultValue[0]
 	}
 	val := Get(key, def)
 	switch v := val.(type) {
 	case int:
 		return v
 	case int64:
 		return int(v)
 	case float64:
 		return int(v)
 	default:
 		return def
 	}
 }
 // GetBool retrieves a configuration value as a boolean.
 func GetBool(key string, defaultValue ...bool) bool {
 	var def bool
 	if len(defaultValue) > 0 {
 		def = defaultValue[0]
 	}
 	val := Get(key, def)
 	if b, ok := val.(bool); ok {
 		return b
 	}
 	return def
 }
 // GetSecret retrieves a secret value.
 //
 // This looks for secrets defined in environments.<env>.secrets.<key>
 func GetSecret(key string, defaultValue ...interface{}) interface{} {
 	var def interface{}
 	if len(defaultValue) > 0 {
 		def = defaultValue[0]
 	}
 	return getManager().GetSecret(key, def)
 }
 // GetSecretString retrieves a secret value as a string.
 func GetSecretString(key string, defaultValue ...string) string {
 	var def string
 	if len(defaultValue) > 0 {
 		def = defaultValue[0]
 	}
 	val := GetSecret(key, def)
 	if s, ok := val.(string); ok {
 		return s
 	}
 	return def
 }
 // Reload reloads the configuration from file.
 func Reload() error {
 	return getManager().Reload()
 }
 // GetAllConfig returns all configuration values for the current environment.
 func GetAllConfig() map[string]interface{} {
 	return getManager().GetAllConfig()
 }
 // GetAllSecrets returns all secrets for the current environment.
 func GetAllSecrets() map[string]interface{} {
 	return getManager().GetAllSecrets()
 }
 // LoadFile loads configuration from a specific file.
 func LoadFile(configFile string) error {
 	return getManager().LoadFile(configFile)
 }
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
@@ -0,0 +1,306 @@
 package config
 import (
 	"os"
 	"testing"
 	"github.com/spf13/afero"
 )
 func TestNewManager(t *testing.T) {
 	manager := NewManager()
 	if manager == nil {
 		t.Fatal("NewManager returned nil")
 	}
 	if manager.config == nil {
 		t.Error("Manager config map is nil")
 	}
 	if manager.loader == nil {
 		t.Error("Manager loader is nil")
 	}
 	if manager.resolvedCache == nil {
 		t.Error("Manager resolvedCache is nil")
 	}
 	if manager.fs == nil {
 		t.Error("Manager fs is nil")
 	}
 }
 func TestLoader_FindConfigFile(t *testing.T) {
 	// Create an in-memory filesystem for testing
 	fs := afero.NewMemMapFs()
 	loader := NewLoader(fs)
 	// Create a config file in the filesystem
 	configContent := `
 environments:
  test:
    config:
      testKey: testValue
    secrets:
      testSecret: secretValue
 configDefaults:
  defaultKey: defaultValue
 `
 	// Create the file in the current directory
 	if err := afero.WriteFile(fs, "config.yaml", []byte(configContent), 0644); err != nil {
 		t.Fatalf("Failed to write test config: %v", err)
 	}
 	// Test finding the config file
 	foundPath, err := loader.FindConfigFile("config.yaml")
 	if err != nil {
 		t.Errorf("FindConfigFile failed: %v", err)
 	}
 	// In memory fs, the path should be exactly what we created
 	if foundPath != "config.yaml" {
 		t.Errorf("Expected config.yaml, got %s", foundPath)
 	}
 }
 func TestLoader_LoadYAML(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	loader := NewLoader(fs)
 	// Create a test config file
 	testConfig := `
 environments:
  test:
    config:
      testKey: testValue
 configDefaults:
  defaultKey: defaultValue
 `
 	if err := afero.WriteFile(fs, "test-config.yaml", []byte(testConfig), 0644); err != nil {
 		t.Fatalf("Failed to write test config: %v", err)
 	}
 	// Load the YAML
 	config, err := loader.LoadYAML("test-config.yaml")
 	if err != nil {
 		t.Fatalf("LoadYAML failed: %v", err)
 	}
 	// Verify the structure
 	envs, ok := config["environments"].(map[string]interface{})
 	if !ok {
 		t.Fatal("environments not found or wrong type")
 	}
 	testEnv, ok := envs["test"].(map[string]interface{})
 	if !ok {
 		t.Fatal("test environment not found")
 	}
 	testConfig2, ok := testEnv["config"].(map[string]interface{})
 	if !ok {
 		t.Fatal("test config not found")
 	}
 	if testConfig2["testKey"] != "testValue" {
 		t.Errorf("Expected testKey=testValue, got %v", testConfig2["testKey"])
 	}
 }
 func TestResolver_ResolveEnv(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	resolver := NewResolver("", "", fs)
 	// Set a test environment variable
 	os.Setenv("TEST_CONFIG_VAR", "test-value")
 	defer os.Unsetenv("TEST_CONFIG_VAR")
 	// Test resolving environment variable
 	result := resolver.Resolve("$ENV:TEST_CONFIG_VAR")
 	if result != "test-value" {
 		t.Errorf("Expected 'test-value', got %v", result)
 	}
 	// Test non-existent env var
 	result = resolver.Resolve("$ENV:NON_EXISTENT_VAR")
 	if result != nil {
 		t.Errorf("Expected nil for non-existent env var, got %v", result)
 	}
 }
 func TestResolver_ResolveFile(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	resolver := NewResolver("", "", fs)
 	// Create a test file
 	secretContent := "my-secret-value"
 	if err := afero.WriteFile(fs, "/test-secret.txt", []byte(secretContent+"\n"), 0644); err != nil {
 		t.Fatalf("Failed to write test file: %v", err)
 	}
 	// Test resolving file
 	result := resolver.Resolve("$FILE:/test-secret.txt")
 	if result != secretContent {
 		t.Errorf("Expected '%s', got %v", secretContent, result)
 	}
 	// Test non-existent file
 	result = resolver.Resolve("$FILE:/non/existent/file")
 	if result != nil {
 		t.Errorf("Expected nil for non-existent file, got %v", result)
 	}
 }
 func TestManager_GetAndSet(t *testing.T) {
 	// Create an in-memory filesystem
 	fs := afero.NewMemMapFs()
 	// Create a test config file
 	testConfig := `
 environments:
  dev:
    config:
      apiURL: http://dev.example.com
      timeout: 30
      debug: true
    secrets:
      apiKey: dev-key-123
  prod:
    config:
      apiURL: https://prod.example.com
      timeout: 10
      debug: false
    secrets:
      apiKey: $ENV:PROD_API_KEY
 configDefaults:
  appName: TestApp
  timeout: 20
  port: 8080
 `
 	if err := afero.WriteFile(fs, "config.yaml", []byte(testConfig), 0644); err != nil {
 		t.Fatalf("Failed to write test config: %v", err)
 	}
 	// Create manager and set the filesystem
 	manager := NewManager()
 	manager.SetFs(fs)
 	// Load config should find the file automatically
 	manager.SetEnvironment("dev")
 	// Test getting config values
 	if v := manager.Get("apiURL", ""); v != "http://dev.example.com" {
 		t.Errorf("Expected dev apiURL, got %v", v)
 	}
 	if v := manager.Get("timeout", 0); v != 30 {
 		t.Errorf("Expected timeout=30, got %v", v)
 	}
 	if v := manager.Get("debug", false); v != true {
 		t.Errorf("Expected debug=true, got %v", v)
 	}
 	// Test default values
 	if v := manager.Get("appName", ""); v != "TestApp" {
 		t.Errorf("Expected appName from defaults, got %v", v)
 	}
 	// Test getting secrets
 	if v := manager.GetSecret("apiKey", ""); v != "dev-key-123" {
 		t.Errorf("Expected dev apiKey, got %v", v)
 	}
 	// Switch to prod environment
 	manager.SetEnvironment("prod")
 	if v := manager.Get("apiURL", ""); v != "https://prod.example.com" {
 		t.Errorf("Expected prod apiURL, got %v", v)
 	}
 	// Test environment variable resolution in secrets
 	os.Setenv("PROD_API_KEY", "prod-key-456")
 	defer os.Unsetenv("PROD_API_KEY")
 	if v := manager.GetSecret("apiKey", ""); v != "prod-key-456" {
 		t.Errorf("Expected resolved env var for apiKey, got %v", v)
 	}
 }
 func TestGlobalAPI(t *testing.T) {
 	// Create an in-memory filesystem
 	fs := afero.NewMemMapFs()
 	// Create a test config file
 	testConfig := `
 environments:
  test:
    config:
      stringVal: hello
      intVal: 42
      boolVal: true
    secrets:
      secret1: test-secret
 configDefaults:
  defaultString: world
 `
 	if err := afero.WriteFile(fs, "config.yaml", []byte(testConfig), 0644); err != nil {
 		t.Fatalf("Failed to write test config: %v", err)
 	}
 	// Use the global API with the test filesystem
 	SetFs(fs)
 	SetEnvironment("test")
 	// Test type-safe getters
 	if v := GetString("stringVal"); v != "hello" {
 		t.Errorf("Expected 'hello', got %v", v)
 	}
 	if v := GetInt("intVal"); v != 42 {
 		t.Errorf("Expected 42, got %v", v)
 	}
 	if v := GetBool("boolVal"); v != true {
 		t.Errorf("Expected true, got %v", v)
 	}
 	if v := GetSecretString("secret1"); v != "test-secret" {
 		t.Errorf("Expected 'test-secret', got %v", v)
 	}
 	// Test defaults
 	if v := GetString("defaultString"); v != "world" {
 		t.Errorf("Expected 'world', got %v", v)
 	}
 }
 func TestManager_SetFs(t *testing.T) {
 	// Create manager with default OS filesystem
 	manager := NewManager()
 	// Create an in-memory filesystem
 	memFs := afero.NewMemMapFs()
 	// Write a config file to the memory fs
 	testConfig := `
 environments:
  test:
    config:
      testKey: fromMemory
 configDefaults:
  defaultKey: memoryDefault
 `
 	if err := afero.WriteFile(memFs, "config.yaml", []byte(testConfig), 0644); err != nil {
 		t.Fatalf("Failed to write test config: %v", err)
 	}
 	// Set the filesystem
 	manager.SetFs(memFs)
 	manager.SetEnvironment("test")
 	// Test that it reads from the memory filesystem
 	if v := manager.Get("testKey", ""); v != "fromMemory" {
 		t.Errorf("Expected 'fromMemory', got %v", v)
 	}
 	if v := manager.Get("defaultKey", ""); v != "memoryDefault" {
 		t.Errorf("Expected 'memoryDefault', got %v", v)
 	}
 }
--- a/pkg/config/example_afero_test.go
+++ b/pkg/config/example_afero_test.go
@@ -0,0 +1,146 @@
 package config_test
 import (
 	"fmt"
 	"testing"
 	"github.com/spf13/afero"
 	"sneak.berlin/go/webhooker/pkg/config"
 )
 // ExampleSetFs demonstrates how to use an in-memory filesystem for testing
 func ExampleSetFs() {
 	// Create an in-memory filesystem
 	fs := afero.NewMemMapFs()
 	// Create a test configuration file
 	configYAML := `
 environments:
  test:
    config:
      baseURL: https://test.example.com
      debugMode: true
    secrets:
      apiKey: test-key-12345
  production:
    config:
      baseURL: https://api.example.com
      debugMode: false
 configDefaults:
  appName: Test Application
  timeout: 30
 `
 	// Write the config to the in-memory filesystem
 	if err := afero.WriteFile(fs, "config.yaml", []byte(configYAML), 0644); err != nil {
 		panic(err)
 	}
 	// Use the in-memory filesystem
 	config.SetFs(fs)
 	config.SetEnvironment("test")
 	// Now all config operations use the in-memory filesystem
 	fmt.Printf("Base URL: %s\n", config.GetString("baseURL"))
 	fmt.Printf("Debug Mode: %v\n", config.GetBool("debugMode"))
 	fmt.Printf("App Name: %s\n", config.GetString("appName"))
 	// Output:
 	// Base URL: https://test.example.com
 	// Debug Mode: true
 	// App Name: Test Application
 }
 // TestWithAferoFilesystem shows how to test with different filesystem implementations
 func TestWithAferoFilesystem(t *testing.T) {
 	tests := []struct {
 		name        string
 		setupFs     func() afero.Fs
 		environment string
 		key         string
 		expected    string
 	}{
 		{
 			name: "in-memory filesystem",
 			setupFs: func() afero.Fs {
 				fs := afero.NewMemMapFs()
 				config := `
 environments:
  dev:
    config:
      apiURL: http://localhost:8080
 `
 				afero.WriteFile(fs, "config.yaml", []byte(config), 0644)
 				return fs
 			},
 			environment: "dev",
 			key:         "apiURL",
 			expected:    "http://localhost:8080",
 		},
 		{
 			name: "readonly filesystem",
 			setupFs: func() afero.Fs {
 				memFs := afero.NewMemMapFs()
 				config := `
 environments:
  staging:
    config:
      apiURL: https://staging.example.com
 `
 				afero.WriteFile(memFs, "config.yaml", []byte(config), 0644)
 				// Wrap in a read-only filesystem
 				return afero.NewReadOnlyFs(memFs)
 			},
 			environment: "staging",
 			key:         "apiURL",
 			expected:    "https://staging.example.com",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Create a new manager for each test to ensure isolation
 			manager := config.NewManager()
 			manager.SetFs(tt.setupFs())
 			manager.SetEnvironment(tt.environment)
 			result := manager.Get(tt.key, "")
 			if result != tt.expected {
 				t.Errorf("Expected %s, got %v", tt.expected, result)
 			}
 		})
 	}
 }
 // TestFileResolution shows how $FILE: resolution works with afero
 func TestFileResolution(t *testing.T) {
 	// Create an in-memory filesystem
 	fs := afero.NewMemMapFs()
 	// Create a secret file
 	secretContent := "super-secret-api-key"
 	if err := afero.WriteFile(fs, "/secrets/api-key.txt", []byte(secretContent), 0600); err != nil {
 		t.Fatal(err)
 	}
 	// Create a config that references the file
 	configYAML := `
 environments:
  prod:
    secrets:
      apiKey: $FILE:/secrets/api-key.txt
 `
 	if err := afero.WriteFile(fs, "config.yaml", []byte(configYAML), 0644); err != nil {
 		t.Fatal(err)
 	}
 	// Use the filesystem
 	config.SetFs(fs)
 	config.SetEnvironment("prod")
 	// Get the secret - it should resolve from the file
 	apiKey := config.GetSecretString("apiKey")
 	if apiKey != secretContent {
 		t.Errorf("Expected %s, got %s", secretContent, apiKey)
 	}
 }
--- a/pkg/config/example_test.go
+++ b/pkg/config/example_test.go
@@ -0,0 +1,139 @@
 package config_test
 import (
 	"fmt"
 	"log"
 	"os"
 	"sneak.berlin/go/webhooker/pkg/config"
 )
 func Example() {
 	// Set the environment explicitly
 	config.SetEnvironment("dev")
 	// Get configuration values
 	baseURL := config.GetString("baseURL")
 	timeout := config.GetInt("timeout", 30)
 	debugMode := config.GetBool("debugMode", false)
 	fmt.Printf("Base URL: %s\n", baseURL)
 	fmt.Printf("Timeout: %d\n", timeout)
 	fmt.Printf("Debug Mode: %v\n", debugMode)
 	// Get secret values
 	apiKey := config.GetSecretString("api_key")
 	if apiKey != "" {
 		fmt.Printf("API Key: %s...\n", apiKey[:8])
 	}
 }
 func ExampleSetEnvironment() {
 	// Your application determines which environment to use
 	// This could come from command line args, env vars, etc.
 	environment := os.Getenv("APP_ENV")
 	if environment == "" {
 		environment = "development"
 	}
 	// Set the environment explicitly
 	config.SetEnvironment(environment)
 	// Now use configuration throughout your application
 	fmt.Printf("Environment: %s\n", environment)
 	fmt.Printf("App Name: %s\n", config.GetString("app_name"))
 }
 func ExampleGetString() {
 	config.SetEnvironment("prod")
 	// Get a string configuration value with a default
 	baseURL := config.GetString("baseURL", "http://localhost:8080")
 	fmt.Printf("Base URL: %s\n", baseURL)
 }
 func ExampleGetInt() {
 	config.SetEnvironment("prod")
 	// Get an integer configuration value with a default
 	port := config.GetInt("port", 8080)
 	fmt.Printf("Port: %d\n", port)
 }
 func ExampleGetBool() {
 	config.SetEnvironment("dev")
 	// Get a boolean configuration value with a default
 	debugMode := config.GetBool("debugMode", false)
 	fmt.Printf("Debug Mode: %v\n", debugMode)
 }
 func ExampleGetSecretString() {
 	config.SetEnvironment("prod")
 	// Get a secret string value
 	apiKey := config.GetSecretString("api_key")
 	if apiKey != "" {
 		// Be careful not to log the full secret!
 		fmt.Printf("API Key configured: yes\n")
 	}
 }
 func ExampleLoadFile() {
 	// Load configuration from a specific file
 	if err := config.LoadFile("/path/to/config.yaml"); err != nil {
 		log.Printf("Failed to load config: %v", err)
 		return
 	}
 	config.SetEnvironment("staging")
 	fmt.Printf("Loaded configuration from custom file\n")
 }
 func ExampleReload() {
 	config.SetEnvironment("dev")
 	// Get initial value
 	oldValue := config.GetString("some_key")
 	// ... config file might have been updated ...
 	// Reload configuration from file
 	if err := config.Reload(); err != nil {
 		log.Printf("Failed to reload config: %v", err)
 		return
 	}
 	// Get potentially updated value
 	newValue := config.GetString("some_key")
 	fmt.Printf("Value changed: %v\n", oldValue != newValue)
 }
 // Example config.yaml structure:
 /*
 environments:
  development:
    config:
      baseURL: http://localhost:8000
      debugMode: true
      port: 8000
    secrets:
      api_key: dev-key-12345
  production:
    config:
      baseURL: https://api.example.com
      debugMode: false
      port: 443
      GCPProject: my-project-123
      AWSRegion: us-west-2
    secrets:
      api_key: $GSM:prod-api-key
      db_password: $ASM:prod/db/password
 configDefaults:
  app_name: My Application
  timeout: 30
  log_level: INFO
  port: 8080
 */
--- a/pkg/config/go.mod
+++ b/pkg/config/go.mod
@@ -0,0 +1,41 @@
 module sneak.berlin/go/webhooker/pkg/config
 go 1.23.0
 toolchain go1.24.1
 require (
 	github.com/aws/aws-sdk-go v1.50.0
 	github.com/spf13/afero v1.14.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 require (
 	cloud.google.com/go/compute v1.23.1 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 	cloud.google.com/go/iam v1.1.3 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	golang.org/x/crypto v0.14.0 // indirect
 	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/oauth2 v0.13.0 // indirect
 	golang.org/x/sync v0.12.0 // indirect
 	golang.org/x/sys v0.13.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
 	google.golang.org/api v0.149.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b // indirect
 	google.golang.org/grpc v1.59.0 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 )
 require (
 	cloud.google.com/go/secretmanager v1.11.4
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 )
--- a/pkg/config/go.sum
+++ b/pkg/config/go.sum
@@ -0,0 +1,161 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.110.8 h1:tyNdfIxjzaWctIiLYOTalaLKZ17SI44SKFW26QbOhME=
 cloud.google.com/go v0.110.8/go.mod h1:Iz8AkXJf1qmxC3Oxoep8R1T36w8B92yU29PcBhHO5fk=
 cloud.google.com/go/compute v1.23.1 h1:V97tBoDaZHb6leicZ1G6DLK2BAaZLJ/7+9BB/En3hR0=
 cloud.google.com/go/compute v1.23.1/go.mod h1:CqB3xpmPKKt3OJpW2ndFIXnA9A4xAy/F3Xp1ixncW78=
 cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
 cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
 cloud.google.com/go/iam v1.1.3 h1:18tKG7DzydKWUnLjonWcJO6wjSCAtzh4GcRKlH/Hrzc=
 cloud.google.com/go/iam v1.1.3/go.mod h1:3khUlaBXfPKKe7huYgEpDn6FtgRyMEqbkvBxrQyY5SE=
 cloud.google.com/go/secretmanager v1.11.4 h1:krnX9qpG2kR2fJ+u+uNyNo+ACVhplIAS4Pu7u+4gd+k=
 cloud.google.com/go/secretmanager v1.11.4/go.mod h1:wreJlbS9Zdq21lMzWmJ0XhWW2ZxgPeahsqeV/vZoJ3w=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/aws/aws-sdk-go v1.50.0 h1:HBtrLeO+QyDKnc3t1+5DR1RxodOHCGr8ZcrHudpv7jI=
 github.com/aws/aws-sdk-go v1.50.0/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
 github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
 github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=
 github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs=
 github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0=
 github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas=
 github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/spf13/afero v1.14.0 h1:9tH6MapGnn/j0eb0yIXiLjERO8RB6xIVZRDCX7PtqWA=
 github.com/spf13/afero v1.14.0/go.mod h1:acJQ8t0ohCGuMN3O+Pv0V0hgMxNYDlvdk+VTfyZmbYo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
 golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY=
 golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
 golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
 golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.149.0 h1:b2CqT6kG+zqJIVKRQ3ELJVLN1PwHZ6DJ3dW8yl82rgY=
 google.golang.org/api v0.149.0/go.mod h1:Mwn1B7JTXrzXtnvmzQE2BD6bYZQ8DShKZDZbeN9I7qI=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b h1:+YaDE2r2OG8t/z5qmsh7Y+XXwCbvadxxZ0YY6mTdrVA=
 google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:CgAqfJo+Xmu0GwA0411Ht3OU3OntXwsGmrmjI8ioGXI=
 google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b h1:CIC2YMXmIhYw6evmhPxBKJ4fmLbOFtXQN/GV3XOZR8k=
 google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:IBQ646DjkDkvUIsVq/cc03FUFQ9wbZu7yE396YcL870=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b h1:ZlWIi1wSK56/8hn4QcBp/j9M7Gt3U/3hZw3mC7vDICo=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:swOH3j0KzcDDgGUWr+SNpyTen5YrXjS3eyPzFYKc6lc=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
 google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk=
 google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
 google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
 google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
--- a/pkg/config/loader.go
+++ b/pkg/config/loader.go
@@ -0,0 +1,104 @@
 package config
 import (
 	"fmt"
 	"path/filepath"
 	"github.com/spf13/afero"
 	"gopkg.in/yaml.v3"
 )
 // Loader handles loading configuration from YAML files.
 type Loader struct {
 	fs afero.Fs
 }
 // NewLoader creates a new configuration loader.
 func NewLoader(fs afero.Fs) *Loader {
 	return &Loader{
 		fs: fs,
 	}
 }
 // FindConfigFile searches for a configuration file by looking up the directory tree.
 func (l *Loader) FindConfigFile(filename string) (string, error) {
 	if filename == "" {
 		filename = "config.yaml"
 	}
 	// First check if the file exists in the current directory (simple case)
 	if _, err := l.fs.Stat(filename); err == nil {
 		return filename, nil
 	}
 	// For more complex cases, try to walk up the directory tree
 	// Start from current directory or root for in-memory filesystems
 	currentDir := "."
 	// Try to get the absolute path, but if it fails (e.g., in-memory fs),
 	// just use the current directory
 	if absPath, err := filepath.Abs("."); err == nil {
 		currentDir = absPath
 	}
 	// Search up the directory tree
 	for {
 		configPath := filepath.Join(currentDir, filename)
 		if _, err := l.fs.Stat(configPath); err == nil {
 			return configPath, nil
 		}
 		// Move up one directory
 		parentDir := filepath.Dir(currentDir)
 		if parentDir == currentDir || currentDir == "." || currentDir == "/" {
 			// Reached the root directory or can't go up further
 			break
 		}
 		currentDir = parentDir
 	}
 	return "", fmt.Errorf("configuration file %s not found in directory tree", filename)
 }
 // LoadYAML loads a YAML file and returns the parsed configuration.
 func (l *Loader) LoadYAML(filePath string) (map[string]interface{}, error) {
 	data, err := afero.ReadFile(l.fs, filePath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read file %s: %w", filePath, err)
 	}
 	var config map[string]interface{}
 	if err := yaml.Unmarshal(data, &config); err != nil {
 		return nil, fmt.Errorf("failed to parse YAML from %s: %w", filePath, err)
 	}
 	if config == nil {
 		config = make(map[string]interface{})
 	}
 	return config, nil
 }
 // MergeConfigs performs a deep merge of two configuration maps.
 // The override map values take precedence over the base map.
 func (l *Loader) MergeConfigs(base, override map[string]interface{}) map[string]interface{} {
 	if base == nil {
 		base = make(map[string]interface{})
 	}
 	for key, value := range override {
 		if baseValue, exists := base[key]; exists {
 			// If both values are maps, merge them recursively
 			if baseMap, baseOk := baseValue.(map[string]interface{}); baseOk {
 				if overrideMap, overrideOk := value.(map[string]interface{}); overrideOk {
 					base[key] = l.MergeConfigs(baseMap, overrideMap)
 					continue
 				}
 			}
 		}
 		// Otherwise, override the value
 		base[key] = value
 	}
 	return base
 }
--- a/pkg/config/manager.go
+++ b/pkg/config/manager.go
@@ -0,0 +1,373 @@
 package config
 import (
 	"fmt"
 	"log"
 	"strings"
 	"sync"
 	"github.com/spf13/afero"
 )
 // Manager manages application configuration with value resolution.
 type Manager struct {
 	mu            sync.RWMutex
 	config        map[string]interface{}
 	environment   string
 	resolver      *Resolver
 	loader        *Loader
 	configFile    string
 	resolvedCache map[string]interface{}
 	fs            afero.Fs
 }
 // NewManager creates a new configuration manager.
 func NewManager() *Manager {
 	fs := afero.NewOsFs()
 	return &Manager{
 		config:        make(map[string]interface{}),
 		loader:        NewLoader(fs),
 		resolvedCache: make(map[string]interface{}),
 		fs:            fs,
 	}
 }
 // SetFs sets the filesystem to use for all file operations.
 // This is primarily useful for testing with an in-memory filesystem.
 func (m *Manager) SetFs(fs afero.Fs) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	m.fs = fs
 	m.loader = NewLoader(fs)
 	// If we have a resolver, recreate it with the new fs
 	if m.resolver != nil {
 		gcpProject := ""
 		awsRegion := "us-east-1"
 		// Try to get the current settings
 		if gcpProj := m.getConfigValue("GCPProject", ""); gcpProj != nil {
 			if str, ok := gcpProj.(string); ok {
 				gcpProject = str
 			}
 		}
 		if awsReg := m.getConfigValue("AWSRegion", "us-east-1"); awsReg != nil {
 			if str, ok := awsReg.(string); ok {
 				awsRegion = str
 			}
 		}
 		m.resolver = NewResolver(gcpProject, awsRegion, fs)
 	}
 	// Clear caches as filesystem changed
 	m.resolvedCache = make(map[string]interface{})
 }
 // LoadFile loads configuration from a specific file.
 func (m *Manager) LoadFile(configFile string) error {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	config, err := m.loader.LoadYAML(configFile)
 	if err != nil {
 		return err
 	}
 	m.config = config
 	m.configFile = configFile
 	m.resolvedCache = make(map[string]interface{}) // Clear cache
 	return nil
 }
 // loadConfig loads the configuration from file.
 func (m *Manager) loadConfig() error {
 	if m.configFile == "" {
 		// Try to find config.yaml
 		configPath, err := m.loader.FindConfigFile("config.yaml")
 		if err != nil {
 			return err
 		}
 		m.configFile = configPath
 	}
 	config, err := m.loader.LoadYAML(m.configFile)
 	if err != nil {
 		return err
 	}
 	m.config = config
 	m.resolvedCache = make(map[string]interface{}) // Clear cache
 	return nil
 }
 // SetEnvironment sets the active environment.
 func (m *Manager) SetEnvironment(environment string) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	m.environment = strings.ToLower(environment)
 	// Create resolver with GCP project and AWS region if available
 	gcpProject := m.getConfigValue("GCPProject", "")
 	awsRegion := m.getConfigValue("AWSRegion", "us-east-1")
 	if gcpProjectStr, ok := gcpProject.(string); ok {
 		if awsRegionStr, ok := awsRegion.(string); ok {
 			m.resolver = NewResolver(gcpProjectStr, awsRegionStr, m.fs)
 		}
 	}
 	// Clear resolved cache when environment changes
 	m.resolvedCache = make(map[string]interface{})
 }
 // Get retrieves a configuration value.
 func (m *Manager) Get(key string, defaultValue interface{}) interface{} {
 	m.mu.RLock()
 	// Ensure config is loaded
 	if m.config == nil || len(m.config) == 0 {
 		// Need to upgrade to write lock to load config
 		m.mu.RUnlock()
 		m.mu.Lock()
 		// Double-check after acquiring write lock
 		if m.config == nil || len(m.config) == 0 {
 			if err := m.loadConfig(); err != nil {
 				log.Printf("Failed to load config: %v", err)
 				m.mu.Unlock()
 				return defaultValue
 			}
 		}
 		// Downgrade back to read lock
 		m.mu.Unlock()
 		m.mu.RLock()
 	}
 	defer m.mu.RUnlock()
 	// Check cache first
 	cacheKey := fmt.Sprintf("config.%s", key)
 	if cached, ok := m.resolvedCache[cacheKey]; ok {
 		return cached
 	}
 	// Try environment-specific config first
 	var rawValue interface{}
 	if m.environment != "" {
 		envMap, ok := m.config["environments"].(map[string]interface{})
 		if ok {
 			if env, ok := envMap[m.environment].(map[string]interface{}); ok {
 				if config, ok := env["config"].(map[string]interface{}); ok {
 					if val, exists := config[key]; exists {
 						rawValue = val
 					}
 				}
 			}
 		}
 	}
 	// Fall back to configDefaults
 	if rawValue == nil {
 		if defaults, ok := m.config["configDefaults"].(map[string]interface{}); ok {
 			if val, exists := defaults[key]; exists {
 				rawValue = val
 			}
 		}
 	}
 	if rawValue == nil {
 		return defaultValue
 	}
 	// Resolve the value if we have a resolver
 	var resolvedValue interface{}
 	if m.resolver != nil {
 		resolvedValue = m.resolver.Resolve(rawValue)
 	} else {
 		resolvedValue = rawValue
 	}
 	// Cache the resolved value
 	m.resolvedCache[cacheKey] = resolvedValue
 	return resolvedValue
 }
 // GetSecret retrieves a secret value for the current environment.
 func (m *Manager) GetSecret(key string, defaultValue interface{}) interface{} {
 	m.mu.RLock()
 	// Ensure config is loaded
 	if m.config == nil || len(m.config) == 0 {
 		// Need to upgrade to write lock to load config
 		m.mu.RUnlock()
 		m.mu.Lock()
 		// Double-check after acquiring write lock
 		if m.config == nil || len(m.config) == 0 {
 			if err := m.loadConfig(); err != nil {
 				log.Printf("Failed to load config: %v", err)
 				m.mu.Unlock()
 				return defaultValue
 			}
 		}
 		// Downgrade back to read lock
 		m.mu.Unlock()
 		m.mu.RLock()
 	}
 	defer m.mu.RUnlock()
 	if m.environment == "" {
 		log.Printf("No environment set when getting secret '%s'", key)
 		return defaultValue
 	}
 	// Get the current environment's config
 	envMap, ok := m.config["environments"].(map[string]interface{})
 	if !ok {
 		return defaultValue
 	}
 	env, ok := envMap[m.environment].(map[string]interface{})
 	if !ok {
 		return defaultValue
 	}
 	secrets, ok := env["secrets"].(map[string]interface{})
 	if !ok {
 		return defaultValue
 	}
 	secretValue, exists := secrets[key]
 	if !exists {
 		return defaultValue
 	}
 	// Resolve the value
 	if m.resolver != nil {
 		resolved := m.resolver.Resolve(secretValue)
 		if resolved == nil {
 			return defaultValue
 		}
 		return resolved
 	}
 	return secretValue
 }
 // getConfigValue is an internal helper to get config values without locking.
 func (m *Manager) getConfigValue(key string, defaultValue interface{}) interface{} {
 	// Try environment-specific config first
 	var rawValue interface{}
 	if m.environment != "" {
 		envMap, ok := m.config["environments"].(map[string]interface{})
 		if ok {
 			if env, ok := envMap[m.environment].(map[string]interface{}); ok {
 				if config, ok := env["config"].(map[string]interface{}); ok {
 					if val, exists := config[key]; exists {
 						rawValue = val
 					}
 				}
 			}
 		}
 	}
 	// Fall back to configDefaults
 	if rawValue == nil {
 		if defaults, ok := m.config["configDefaults"].(map[string]interface{}); ok {
 			if val, exists := defaults[key]; exists {
 				rawValue = val
 			}
 		}
 	}
 	if rawValue == nil {
 		return defaultValue
 	}
 	return rawValue
 }
 // Reload reloads the configuration from file.
 func (m *Manager) Reload() error {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	return m.loadConfig()
 }
 // GetAllConfig returns all configuration values for the current environment.
 func (m *Manager) GetAllConfig() map[string]interface{} {
 	m.mu.RLock()
 	defer m.mu.RUnlock()
 	result := make(map[string]interface{})
 	// Start with configDefaults
 	if defaults, ok := m.config["configDefaults"].(map[string]interface{}); ok {
 		for k, v := range defaults {
 			if m.resolver != nil {
 				result[k] = m.resolver.Resolve(v)
 			} else {
 				result[k] = v
 			}
 		}
 	}
 	// Override with environment-specific config
 	if m.environment != "" {
 		envMap, ok := m.config["environments"].(map[string]interface{})
 		if ok {
 			if env, ok := envMap[m.environment].(map[string]interface{}); ok {
 				if config, ok := env["config"].(map[string]interface{}); ok {
 					for k, v := range config {
 						if m.resolver != nil {
 							result[k] = m.resolver.Resolve(v)
 						} else {
 							result[k] = v
 						}
 					}
 				}
 			}
 		}
 	}
 	return result
 }
 // GetAllSecrets returns all secrets for the current environment.
 func (m *Manager) GetAllSecrets() map[string]interface{} {
 	m.mu.RLock()
 	defer m.mu.RUnlock()
 	if m.environment == "" {
 		return make(map[string]interface{})
 	}
 	envMap, ok := m.config["environments"].(map[string]interface{})
 	if !ok {
 		return make(map[string]interface{})
 	}
 	env, ok := envMap[m.environment].(map[string]interface{})
 	if !ok {
 		return make(map[string]interface{})
 	}
 	secrets, ok := env["secrets"].(map[string]interface{})
 	if !ok {
 		return make(map[string]interface{})
 	}
 	// Resolve all secrets
 	result := make(map[string]interface{})
 	for k, v := range secrets {
 		if m.resolver != nil {
 			result[k] = m.resolver.Resolve(v)
 		} else {
 			result[k] = v
 		}
 	}
 	return result
 }
--- a/pkg/config/resolver.go
+++ b/pkg/config/resolver.go
@@ -0,0 +1,204 @@
 package config
 import (
 	"context"
 	"fmt"
 	"log"
 	"os"
 	"path/filepath"
 	"regexp"
 	"strings"
 	secretmanager "cloud.google.com/go/secretmanager/apiv1"
 	"cloud.google.com/go/secretmanager/apiv1/secretmanagerpb"
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/secretsmanager"
 	"github.com/spf13/afero"
 )
 // Resolver handles resolution of configuration values with special prefixes.
 type Resolver struct {
 	gcpProject   string
 	awsRegion    string
 	gsmClient    *secretmanager.Client
 	asmClient    *secretsmanager.SecretsManager
 	awsSession   *session.Session
 	specialValue *regexp.Regexp
 	fs           afero.Fs
 }
 // NewResolver creates a new value resolver.
 func NewResolver(gcpProject, awsRegion string, fs afero.Fs) *Resolver {
 	return &Resolver{
 		gcpProject:   gcpProject,
 		awsRegion:    awsRegion,
 		specialValue: regexp.MustCompile(`^\$([A-Z]+):(.+)$`),
 		fs:           fs,
 	}
 }
 // Resolve resolves a configuration value that may contain special prefixes.
 func (r *Resolver) Resolve(value interface{}) interface{} {
 	switch v := value.(type) {
 	case string:
 		return r.resolveString(v)
 	case map[string]interface{}:
 		// Recursively resolve map values
 		result := make(map[string]interface{})
 		for k, val := range v {
 			result[k] = r.Resolve(val)
 		}
 		return result
 	case []interface{}:
 		// Recursively resolve slice items
 		result := make([]interface{}, len(v))
 		for i, val := range v {
 			result[i] = r.Resolve(val)
 		}
 		return result
 	default:
 		// Return non-string values as-is
 		return value
 	}
 }
 // resolveString resolves a string value that may contain a special prefix.
 func (r *Resolver) resolveString(value string) interface{} {
 	matches := r.specialValue.FindStringSubmatch(value)
 	if matches == nil {
 		return value
 	}
 	resolverType := matches[1]
 	resolverValue := matches[2]
 	switch resolverType {
 	case "ENV":
 		return r.resolveEnv(resolverValue)
 	case "GSM":
 		return r.resolveGSM(resolverValue)
 	case "ASM":
 		return r.resolveASM(resolverValue)
 	case "FILE":
 		return r.resolveFile(resolverValue)
 	default:
 		log.Printf("Unknown resolver type: %s", resolverType)
 		return value
 	}
 }
 // resolveEnv resolves an environment variable.
 func (r *Resolver) resolveEnv(envVar string) interface{} {
 	value := os.Getenv(envVar)
 	if value == "" {
 		return nil
 	}
 	return value
 }
 // resolveGSM resolves a Google Secret Manager secret.
 func (r *Resolver) resolveGSM(secretName string) interface{} {
 	if r.gcpProject == "" {
 		log.Printf("GCP project not configured for GSM resolution")
 		return nil
 	}
 	// Initialize GSM client if needed
 	if r.gsmClient == nil {
 		ctx := context.Background()
 		client, err := secretmanager.NewClient(ctx)
 		if err != nil {
 			log.Printf("Failed to create GSM client: %v", err)
 			return nil
 		}
 		r.gsmClient = client
 	}
 	// Build the resource name
 	name := fmt.Sprintf("projects/%s/secrets/%s/versions/latest", r.gcpProject, secretName)
 	// Access the secret
 	ctx := context.Background()
 	req := &secretmanagerpb.AccessSecretVersionRequest{
 		Name: name,
 	}
 	result, err := r.gsmClient.AccessSecretVersion(ctx, req)
 	if err != nil {
 		log.Printf("Failed to access GSM secret %s: %v", secretName, err)
 		return nil
 	}
 	return string(result.Payload.Data)
 }
 // resolveASM resolves an AWS Secrets Manager secret.
 func (r *Resolver) resolveASM(secretName string) interface{} {
 	// Initialize AWS session if needed
 	if r.awsSession == nil {
 		sess, err := session.NewSession(&aws.Config{
 			Region: aws.String(r.awsRegion),
 		})
 		if err != nil {
 			log.Printf("Failed to create AWS session: %v", err)
 			return nil
 		}
 		r.awsSession = sess
 	}
 	// Initialize ASM client if needed
 	if r.asmClient == nil {
 		r.asmClient = secretsmanager.New(r.awsSession)
 	}
 	// Get the secret value
 	input := &secretsmanager.GetSecretValueInput{
 		SecretId: aws.String(secretName),
 	}
 	result, err := r.asmClient.GetSecretValue(input)
 	if err != nil {
 		log.Printf("Failed to access ASM secret %s: %v", secretName, err)
 		return nil
 	}
 	// Return the secret string
 	if result.SecretString != nil {
 		return *result.SecretString
 	}
 	// If it's binary data, we can't handle it as a string config value
 	log.Printf("ASM secret %s contains binary data, which is not supported", secretName)
 	return nil
 }
 // resolveFile resolves a file's contents.
 func (r *Resolver) resolveFile(filePath string) interface{} {
 	// Expand user home directory if present
 	if strings.HasPrefix(filePath, "~/") {
 		home, err := os.UserHomeDir()
 		if err != nil {
 			log.Printf("Failed to get user home directory: %v", err)
 			return nil
 		}
 		filePath = filepath.Join(home, filePath[2:])
 	}
 	data, err := afero.ReadFile(r.fs, filePath)
 	if err != nil {
 		log.Printf("Failed to read file %s: %v", filePath, err)
 		return nil
 	}
 	// Strip whitespace/newlines from file contents
 	return strings.TrimSpace(string(data))
 }
 // Close closes any open clients.
 func (r *Resolver) Close() error {
 	if r.gsmClient != nil {
 		return r.gsmClient.Close()
 	}
 	return nil
 }
--- a/static/css/input.css
+++ b/static/css/input.css
@@ -1,108 +0,0 @@
@import "tailwindcss";
 /* Source the templates */
@source "../../templates/**/*.html";
 /* Material Design inspired theme customization */
@theme {
  /* Primary colors */
  --color-primary-50: #e3f2fd;
  --color-primary-100: #bbdefb;
  --color-primary-200: #90caf9;
  --color-primary-300: #64b5f6;
  --color-primary-400: #42a5f5;
  --color-primary-500: #2196f3;
  --color-primary-600: #1e88e5;
  --color-primary-700: #1976d2;
  --color-primary-800: #1565c0;
  --color-primary-900: #0d47a1;
  /* Error colors */
  --color-error-50: #ffebee;
  --color-error-500: #f44336;
  --color-error-700: #d32f2f;
  /* Success colors */
  --color-success-50: #e8f5e9;
  --color-success-500: #4caf50;
  --color-success-700: #388e3c;
  /* Warning colors */
  --color-warning-50: #fff3e0;
  --color-warning-500: #ff9800;
  --color-warning-700: #f57c00;
  /* Material Design elevation shadows */
  --shadow-elevation-1: 0 1px 3px rgba(0,0,0,0.12), 0 1px 2px rgba(0,0,0,0.24);
  --shadow-elevation-2: 0 3px 6px rgba(0,0,0,0.16), 0 3px 6px rgba(0,0,0,0.23);
  --shadow-elevation-3: 0 10px 20px rgba(0,0,0,0.19), 0 6px 6px rgba(0,0,0,0.23);
 }
 /* Material Design component styles */
@layer components {
  /* Buttons */
  .btn-primary {
    @apply inline-flex items-center justify-center px-4 py-2 rounded-md font-medium text-sm transition-all duration-200 focus:outline-none focus:ring-2 focus:ring-offset-2 disabled:opacity-50 disabled:cursor-not-allowed bg-primary-600 text-white hover:bg-primary-700 active:bg-primary-800 focus:ring-primary-500 shadow-elevation-1 hover:shadow-elevation-2;
  }
  .btn-secondary {
    @apply inline-flex items-center justify-center px-4 py-2 rounded-md font-medium text-sm transition-all duration-200 focus:outline-none focus:ring-2 focus:ring-offset-2 disabled:opacity-50 disabled:cursor-not-allowed bg-white text-gray-700 border border-gray-300 hover:bg-gray-50 active:bg-gray-100 focus:ring-primary-500;
  }
  .btn-danger {
    @apply inline-flex items-center justify-center px-4 py-2 rounded-md font-medium text-sm transition-all duration-200 focus:outline-none focus:ring-2 focus:ring-offset-2 disabled:opacity-50 disabled:cursor-not-allowed bg-error-500 text-white hover:bg-error-700 active:bg-red-800 focus:ring-red-500 shadow-elevation-1 hover:shadow-elevation-2;
  }
  .btn-text {
    @apply inline-flex items-center justify-center px-4 py-2 rounded-md font-medium text-sm transition-all duration-200 focus:outline-none focus:ring-2 focus:ring-offset-2 disabled:opacity-50 disabled:cursor-not-allowed text-primary-600 hover:bg-primary-50 active:bg-primary-100;
  }
  /* Cards */
  .card {
    @apply bg-white rounded-lg shadow-elevation-1 overflow-hidden;
  }
  .card-elevated {
    @apply bg-white rounded-lg shadow-elevation-1 overflow-hidden hover:shadow-elevation-2 transition-shadow;
  }
  /* Form inputs */
  .input {
    @apply w-full px-4 py-3 border border-gray-300 rounded-md text-gray-900 placeholder-gray-500 focus:outline-none focus:ring-2 focus:ring-primary-500 focus:border-transparent transition-all;
  }
  .label {
    @apply block text-sm font-medium text-gray-700 mb-1;
  }
  .form-group {
    @apply mb-4;
  }
  /* Status badges */
  .badge-success {
    @apply inline-flex items-center px-2.5 py-0.5 rounded-full text-xs font-medium bg-success-50 text-success-700;
  }
  .badge-error {
    @apply inline-flex items-center px-2.5 py-0.5 rounded-full text-xs font-medium bg-error-50 text-error-700;
  }
  .badge-info {
    @apply inline-flex items-center px-2.5 py-0.5 rounded-full text-xs font-medium bg-primary-50 text-primary-700;
  }
  /* App bar / Navigation */
  .app-bar {
    @apply bg-white shadow-elevation-1 px-6 py-4;
  }
  /* Alert / Message boxes */
  .alert-error {
    @apply p-4 rounded-md mb-4 bg-error-50 text-error-700 border border-error-500/20;
  }
  .alert-success {
    @apply p-4 rounded-md mb-4 bg-success-50 text-success-700 border border-success-500/20;
  }
 }
--- a/static/css/style.css
+++ b/static/css/style.css
@@ -1 +1,59 @@
-/* Webhooker custom styles — see input.css for Tailwind theme */
+/* Webhooker main stylesheet */
 body {
    font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif;
 } 
 /* Custom styles for Webhooker */
 /* Navbar customization */
 .navbar-brand {
    font-weight: 600;
    font-size: 1.5rem;
 }
 /* Card hover effects */
 .card {
    transition: transform 0.2s ease-in-out, box-shadow 0.2s ease-in-out;
 }
 .card:hover {
    transform: translateY(-5px);
    box-shadow: 0 10px 30px rgba(0,0,0,0.15) !important;
 }
 /* Background opacity utilities */
 .bg-opacity-10 {
    background-color: rgba(var(--bs-success-rgb), 0.1);
 }
 .bg-primary.bg-opacity-10 {
    background-color: rgba(var(--bs-primary-rgb), 0.1);
 }
 /* User dropdown styling */
 .navbar .dropdown-toggle::after {
    margin-left: 0.5rem;
 }
 .navbar .dropdown-menu {
    margin-top: 0.5rem;
 }
 /* Footer styling */
 footer {
    margin-top: auto;
    padding: 2rem 0;
    background-color: #f8f9fa;
    border-top: 1px solid #dee2e6;
 }
 /* Responsive adjustments */
@media (max-width: 768px) {
    .display-4 {
        font-size: 2.5rem;
    }
    .card {
        margin-bottom: 1rem;
    }
 } 
--- a/static/css/tailwind.css
+++ b/static/css/tailwind.css
--- a/static/js/alpine.min.js
+++ b/static/js/alpine.min.js
--- a/static/static.go
+++ b/static/static.go
@@ -1,11 +1,8 @@
 // Package static embeds static assets (CSS, JS) served by the web UI.
 package static
 import (
 	"embed"
 )
 // Static holds the embedded CSS and JavaScript files for the web UI.
 //
 //go:embed css js
 var Static embed.FS
--- a/templates/base.html
+++ b/templates/base.html
@@ -4,29 +4,15 @@
 <head>
    {{template "htmlheader" .}}
 </head>
-<body class="bg-gray-50 min-h-screen flex flex-col">
+<body>
    <div class="flex-grow">
    {{template "navbar" .}}
    <!-- Main content -->
    {{block "content" .}}{{end}}
-    </div>
+
-    {{template "footer" .}}
+    <script src="/s/vendor/bootstrap/js/bootstrap.bundle.min.js"></script>
    <script defer src="/s/js/alpine.min.js"></script>
    <script src="/s/js/app.js"></script>
    {{block "scripts" .}}{{end}}
 </body>
 </html>
 {{end}} 
 {{define "footer"}}
 <footer class="bg-gray-100 border-t border-gray-200 shadow-[0_-4px_6px_-1px_rgba(0,0,0,0.1)] mt-8">
    <div class="max-w-6xl mx-auto px-8 py-6">
        <div class="text-center text-sm text-gray-500 font-mono font-light">
            <a href="https://git.eeqj.de/sneak/webhooker" class="hover:text-gray-700">Webhooker</a>
            <span class="mx-1">by</span>
            <a href="https://sneak.berlin" class="hover:text-gray-700">@sneak</a>
            <span class="mx-3">|</span>
            <span>{{if .Version}}{{.Version}}{{else}}dev{{end}}</span>
        </div>
    </div>
 </footer>
 {{end}}
--- a/templates/htmlheader.html
+++ b/templates/htmlheader.html
@@ -2,7 +2,7 @@
 <meta charset="UTF-8">
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
 <title>{{block "title" .}}Webhooker{{end}}</title>
-<link rel="stylesheet" href="/s/css/tailwind.css">
+<link href="/s/vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">
-<style>[x-cloak] { display: none !important; }</style>
+<link href="/s/css/style.css" rel="stylesheet">
 {{block "head" .}}{{end}}
 {{end}} 
--- a/templates/index.html
+++ b/templates/index.html
@@ -0,0 +1,77 @@
 {{template "base" .}}
 {{define "title"}}Home - Webhooker{{end}}
 {{define "content"}}
 <div class="container mt-5">
    <div class="row">
        <div class="col-lg-8 mx-auto">
            <div class="text-center mb-5">
                <h1 class="display-4">Welcome to Webhooker</h1>
                <p class="lead text-muted">A reliable webhook proxy service for event delivery</p>
            </div>
            <div class="row g-4">
                <!-- Server Status Card -->
                <div class="col-md-6">
                    <div class="card h-100 shadow-sm">
                        <div class="card-body">
                            <div class="d-flex align-items-center mb-3">
                                <div class="rounded-circle bg-success bg-opacity-10 p-3 me-3">
                                    <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" fill="currentColor" class="bi bi-server text-success" viewBox="0 0 16 16">
                                        <path d="M1.333 2.667C1.333 1.194 4.318 0 8 0s6.667 1.194 6.667 2.667V4c0 1.473-2.985 2.667-6.667 2.667S1.333 5.473 1.333 4V2.667z"/>
                                        <path d="M1.333 6.334v3C1.333 10.805 4.318 12 8 12s6.667-1.194 6.667-2.667V6.334a6.51 6.51 0 0 1-1.458.79C11.81 7.684 9.967 8 8 8c-1.966 0-3.809-.317-5.208-.876a6.508 6.508 0 0 1-1.458-.79z"/>
                                        <path d="M14.667 11.668a6.51 6.51 0 0 1-1.458.789c-1.4.56-3.242.876-5.21.876-1.966 0-3.809-.316-5.208-.876a6.51 6.51 0 0 1-1.458-.79v1.666C1.333 14.806 4.318 16 8 16s6.667-1.194 6.667-2.667v-1.665z"/>
                                    </svg>
                                </div>
                                <div>
                                    <h5 class="card-title mb-1">Server Status</h5>
                                    <p class="text-success mb-0">Online</p>
                                </div>
                            </div>
                            <div class="mb-2">
                                <small class="text-muted">Uptime</small>
                                <p class="h4 mb-0">{{.Uptime}}</p>
                            </div>
                            <div>
                                <small class="text-muted">Version</small>
                                <p class="mb-0"><code>{{.Version}}</code></p>
                            </div>
                        </div>
                    </div>
                </div>
                <!-- Users Card -->
                <div class="col-md-6">
                    <div class="card h-100 shadow-sm">
                        <div class="card-body">
                            <div class="d-flex align-items-center mb-3">
                                <div class="rounded-circle bg-primary bg-opacity-10 p-3 me-3">
                                    <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" fill="currentColor" class="bi bi-people text-primary" viewBox="0 0 16 16">
                                        <path d="M15 14s1 0 1-1-1-4-5-4-5 3-5 4 1 1 1 1h8zm-7.978-1A.261.261 0 0 1 7 12.996c.001-.264.167-1.03.76-1.72C8.312 10.629 9.282 10 11 10c1.717 0 2.687.63 3.24 1.276.593.69.758 1.457.76 1.72l-.008.002a.274.274 0 0 1-.014.002H7.022zM11 7a2 2 0 1 0 0-4 2 2 0 0 0 0 4zm3-2a3 3 0 1 1-6 0 3 3 0 0 1 6 0zM6.936 9.28a5.88 5.88 0 0 0-1.23-.247A7.35 7.35 0 0 0 5 9c-4 0-5 3-5 4 0 .667.333 1 1 1h4.216A2.238 2.238 0 0 1 5 13c0-1.01.377-2.042 1.09-2.904.243-.294.526-.569.846-.816zM4.92 10A5.493 5.493 0 0 0 4 13H1c0-.26.164-1.03.76-1.724.545-.636 1.492-1.256 3.16-1.275zM1.5 5.5a3 3 0 1 1 6 0 3 3 0 0 1-6 0zm3-2a2 2 0 1 0 0 4 2 2 0 0 0 0-4z"/>
                                    </svg>
                                </div>
                                <div>
                                    <h5 class="card-title mb-1">Users</h5>
                                    <p class="text-muted mb-0">Registered accounts</p>
                                </div>
                            </div>
                            <div>
                                <p class="h2 mb-0">{{.UserCount}}</p>
                                <small class="text-muted">Total users</small>
                            </div>
                        </div>
                    </div>
                </div>
            </div>
            {{if not .User}}
            <div class="text-center mt-5">
                <p class="text-muted">Ready to get started?</p>
                <a href="/pages/login" class="btn btn-primary">Login to your account</a>
            </div>
            {{end}}
        </div>
    </div>
 </div>
 {{end}} 
--- a/templates/login.html
+++ b/templates/login.html
@@ -2,57 +2,85 @@
 {{define "title"}}Login - Webhooker{{end}}
 {{define "head"}}
 <style>
    body {
        background-color: #f8f9fa;
    }
    .login-container {
        max-width: 400px;
        margin: 100px auto;
    }
    .login-card {
        background: white;
        border-radius: 10px;
        box-shadow: 0 0 20px rgba(0,0,0,0.1);
        padding: 40px;
    }
    .login-header {
        text-align: center;
        margin-bottom: 30px;
    }
    .login-header h1 {
        font-size: 2rem;
        font-weight: 600;
        color: #333;
    }
    .login-header p {
        color: #666;
        margin-top: 10px;
    }
    .form-control:focus {
        border-color: #007bff;
        box-shadow: 0 0 0 0.2rem rgba(0,123,255,.25);
    }
    .btn-primary {
        width: 100%;
        padding: 12px;
        font-weight: 600;
        text-transform: uppercase;
        letter-spacing: 0.5px;
    }
    .error-message {
        margin-top: 15px;
    }
 </style>
 {{end}}
 {{define "content"}}
-<div class="min-h-screen flex items-center justify-center py-12 px-4">
+<div class="container">
-    <div class="max-w-md w-full">
+    <div class="login-container">
-        <div class="text-center mb-8">
+        <div class="login-card">
-            <h1 class="text-3xl font-medium text-gray-900">Webhooker</h1>
+            <div class="login-header">
-            <p class="mt-2 text-gray-600">Sign in to your account</p>
+                <h1>Webhooker</h1>
                <p>Sign in to your account</p>
            </div>
        <div class="card p-8">
            {{if .Error}}
-            <div class="alert-error">
+            <div class="alert alert-danger error-message" role="alert">
-                <div class="flex items-center">
+                {{.Error}}
                    <svg class="w-5 h-5 mr-2 flex-shrink-0" fill="currentColor" viewBox="0 0 20 20">
                        <path fill-rule="evenodd" d="M10 18a8 8 0 100-16 8 8 0 000 16zM8.707 7.293a1 1 0 00-1.414 1.414L8.586 10l-1.293 1.293a1 1 0 101.414 1.414L10 11.414l1.293 1.293a1 1 0 001.414-1.414L11.414 10l1.293-1.293a1 1 0 00-1.414-1.414L10 8.586 8.707 7.293z" clip-rule="evenodd"/>
                    </svg>
                    <span>{{.Error}}</span>
                </div>
            </div>
            {{end}}
-            <form method="POST" action="/pages/login" class="space-y-6">
+            <form method="POST" action="/pages/login">
-                <input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
+                <div class="mb-3">
-                <div class="form-group">
+                    <label for="username" class="form-label">Username</label>
-                    <label for="username" class="label">Username</label>
+                    <input type="text" class="form-control" id="username" name="username" 
-                    <input
+                           placeholder="Enter your username" required autofocus>
                        type="text"
                        id="username"
                        name="username"
                        required
                        autofocus
                        autocomplete="username"
                        placeholder="Enter your username"
                        class="input"
                    >
                </div>
-                <div class="form-group">
+                <div class="mb-4">
-                    <label for="password" class="label">Password</label>
+                    <label for="password" class="form-label">Password</label>
-                    <input
+                    <input type="password" class="form-control" id="password" name="password" 
-                        type="password"
+                           placeholder="Enter your password" required>
                        id="password"
                        name="password"
                        required
                        autocomplete="current-password"
                        placeholder="Enter your password"
                        class="input"
                    >
                </div>
-                <button type="submit" class="btn-primary w-full py-3">Sign In</button>
+                <button type="submit" class="btn btn-primary">Sign In</button>
            </form>
            <div class="mt-4 text-center text-muted">
                <small>© 2025 Webhooker. All rights reserved.</small>
            </div>
        </div>
    </div>
 </div>
--- a/templates/navbar.html
+++ b/templates/navbar.html
@@ -1,52 +1,46 @@
 {{define "navbar"}}
-<nav class="app-bar" x-data="{ open: false }">
+<nav class="navbar navbar-expand-lg navbar-dark bg-dark">
-    <div class="max-w-6xl mx-auto flex justify-between items-center">
+    <div class="container-fluid">
-        <div class="flex items-center gap-3">
+        <a class="navbar-brand" href="/">Webhooker</a>
-            <a href="/" class="text-xl font-medium text-gray-900 hover:text-primary-600 transition-colors">Webhooker</a>
+        <button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarNav">
-        </div>
+            <span class="navbar-toggler-icon"></span>
        <!-- Mobile menu button -->
        <button @click="open = !open" class="md:hidden p-2 rounded-md text-gray-500 hover:bg-gray-100">
            <svg class="w-6 h-6" fill="none" stroke="currentColor" viewBox="0 0 24 24">
                <path x-show="!open" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 6h16M4 12h16M4 18h16"/>
                <path x-show="open" x-cloak stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12"/>
            </svg>
        </button>
-
+        <div class="collapse navbar-collapse" id="navbarNav">
-        <!-- Desktop navigation -->
+            <ul class="navbar-nav me-auto">
        <div class="hidden md:flex items-center gap-4">
                {{if .User}}
-            <a href="/sources" class="btn-text">Sources</a>
+                <li class="nav-item">
-            <a href="/user/{{.User.Username}}" class="btn-text">
+                    <a class="nav-link" href="/sources">Sources</a>
-                <svg class="w-5 h-5 mr-1" fill="currentColor" viewBox="0 0 16 16">
+                </li>
                {{end}}
            </ul>
            <ul class="navbar-nav">
                {{if .User}}
                <!-- Logged in state -->
                <li class="nav-item dropdown">
                    <a class="nav-link dropdown-toggle d-flex align-items-center" href="#" id="userDropdown" role="button" data-bs-toggle="dropdown">
                        <svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" fill="currentColor" class="bi bi-person-circle me-2" viewBox="0 0 16 16">
                            <path d="M11 6a3 3 0 1 1-6 0 3 3 0 0 1 6 0z"/>
                            <path fill-rule="evenodd" d="M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8zm8-7a7 7 0 0 0-5.468 11.37C3.242 11.226 4.805 10 8 10s4.757 1.225 5.468 2.37A7 7 0 0 0 8 1z"/>
                        </svg>
                        {{.User.Username}}
                    </a>
-            <form method="POST" action="/pages/logout" class="inline">
+                    <ul class="dropdown-menu dropdown-menu-end">
-                <input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
+                        <li><a class="dropdown-item" href="/user/{{.User.Username}}">Profile</a></li>
-                <button type="submit" class="btn-text">Logout</button>
+                        <li><hr class="dropdown-divider"></li>
                        <li>
                            <form method="POST" action="/pages/logout" class="m-0">
                                <button type="submit" class="dropdown-item">Logout</button>
                            </form>
                        </li>
                    </ul>
                </li>
                {{else}}
-            <a href="/pages/login" class="btn-primary">Login</a>
+                <!-- Logged out state -->
-            {{end}}
+                <li class="nav-item">
-        </div>
+                    <a class="nav-link" href="/pages/login">Login</a>
-    </div>
+                </li>
    <!-- Mobile navigation -->
    <div x-show="open" x-cloak x-transition class="md:hidden mt-4 pt-4 border-t border-gray-200">
        <div class="flex flex-col gap-2">
            {{if .User}}
            <a href="/sources" class="btn-text w-full text-left">Sources</a>
            <a href="/user/{{.User.Username}}" class="btn-text w-full text-left">Profile</a>
            <form method="POST" action="/pages/logout">
                <input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
                <button type="submit" class="btn-text w-full text-left">Logout</button>
            </form>
            {{else}}
            <a href="/pages/login" class="btn-primary w-full">Login</a>
                {{end}}
            </ul>
        </div>
    </div>
 </nav>
--- a/templates/profile.html
+++ b/templates/profile.html
@@ -3,48 +3,51 @@
 {{define "title"}}Profile - Webhooker{{end}}
 {{define "content"}}
-<div class="max-w-4xl mx-auto px-6 py-12">
+<div class="container mt-5">
-    <h1 class="text-2xl font-medium text-gray-900 mb-6">User Profile</h1>
+    <div class="row">
        <div class="col-lg-8 mx-auto">
            <h1 class="mb-4">User Profile</h1>
-    <div class="card p-6">
+            <div class="card shadow-sm">
-        <div class="flex items-center mb-6">
+                <div class="card-body">
-            <div class="mr-4">
+                    <div class="row align-items-center mb-3">
-                <svg class="w-16 h-16 text-primary-500" fill="currentColor" viewBox="0 0 16 16">
+                        <div class="col-auto">
                            <svg xmlns="http://www.w3.org/2000/svg" width="64" height="64" fill="currentColor" class="bi bi-person-circle text-primary" viewBox="0 0 16 16">
                                <path d="M11 6a3 3 0 1 1-6 0 3 3 0 0 1 6 0z"/>
                                <path fill-rule="evenodd" d="M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8zm8-7a7 7 0 0 0-5.468 11.37C3.242 11.226 4.805 10 8 10s4.757 1.225 5.468 2.37A7 7 0 0 0 8 1z"/>
                            </svg>
                        </div>
-            <div>
+                        <div class="col">
-                <h2 class="text-xl font-medium text-gray-900">{{.User.Username}}</h2>
+                            <h3 class="mb-0">{{.User.Username}}</h3>
-                <p class="text-sm text-gray-500">User ID: {{.User.ID}}</p>
+                            <p class="text-muted mb-0">User ID: {{.User.ID}}</p>
                        </div>
                    </div>
-        <hr class="border-gray-200 mb-6">
+                    <hr>
-        <div class="grid grid-cols-1 md:grid-cols-2 gap-8">
+                    <div class="row">
-            <div>
+                        <div class="col-md-6">
-                <h3 class="text-lg font-medium text-gray-900 mb-3">Account Information</h3>
+                            <h5>Account Information</h5>
-                <dl class="space-y-3">
+                            <dl class="row">
-                    <div class="flex">
+                                <dt class="col-sm-4">Username</dt>
-                        <dt class="w-32 text-sm font-medium text-gray-500">Username</dt>
+                                <dd class="col-sm-8">{{.User.Username}}</dd>
-                        <dd class="text-sm text-gray-900">{{.User.Username}}</dd>
+                                
-                    </div>
+                                <dt class="col-sm-4">Account Type</dt>
-                    <div class="flex">
+                                <dd class="col-sm-8">Standard User</dd>
                        <dt class="w-32 text-sm font-medium text-gray-500">Account Type</dt>
                        <dd class="text-sm text-gray-900">Standard User</dd>
                    </div>
                            </dl>
                        </div>
-            <div>
+                        <div class="col-md-6">
-                <h3 class="text-lg font-medium text-gray-900 mb-3">Settings</h3>
+                            <h5>Settings</h5>
-                <p class="text-sm text-gray-500">Profile settings and preferences will be available here.</p>
+                            <p class="text-muted">Profile settings and preferences will be available here.</p>
                        </div>
                    </div>
                </div>
            </div>
-    <div class="mt-6">
+            <div class="mt-4">
-        <a href="/" class="btn-secondary">Back to Home</a>
+                <a href="/" class="btn btn-secondary">Back to Home</a>
            </div>
        </div>
    </div>
 </div>
 {{end}} 
--- a/templates/source_detail.html
+++ b/templates/source_detail.html
@@ -1,183 +0,0 @@
 {{template "base" .}}
 {{define "title"}}{{.Webhook.Name}} - Webhooker{{end}}
 {{define "content"}}
 <div class="max-w-6xl mx-auto px-6 py-8" x-data="{ showAddEntrypoint: false, showAddTarget: false }">
    <div class="mb-6">
        <a href="/sources" class="text-sm text-primary-600 hover:text-primary-700">&larr; Back to webhooks</a>
        <div class="flex justify-between items-center mt-2">
            <div>
                <h1 class="text-2xl font-medium text-gray-900">{{.Webhook.Name}}</h1>
                {{if .Webhook.Description}}
                <p class="text-sm text-gray-500 mt-1">{{.Webhook.Description}}</p>
                {{end}}
            </div>
            <div class="flex gap-2">
                <a href="/source/{{.Webhook.ID}}/logs" class="btn-secondary">Event Log</a>
                <a href="/source/{{.Webhook.ID}}/edit" class="btn-secondary">Edit</a>
                <form method="POST" action="/source/{{.Webhook.ID}}/delete" onsubmit="return confirm('Delete this webhook and all its data?')">
                    <input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
                    <button type="submit" class="btn-danger">Delete</button>
                </form>
            </div>
        </div>
    </div>
    <div class="grid grid-cols-1 lg:grid-cols-2 gap-6">
        <!-- Entrypoints -->
        <div class="card">
            <div class="p-4 border-b border-gray-200 flex justify-between items-center">
                <h2 class="text-lg font-medium text-gray-900">Entrypoints</h2>
                <button @click="showAddEntrypoint = !showAddEntrypoint" class="btn-text text-sm">
                    <svg class="w-4 h-4 mr-1" fill="none" stroke="currentColor" viewBox="0 0 24 24">
                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 4v16m8-8H4"/>
                    </svg>
                    Add
                </button>
            </div>
            <!-- Add entrypoint form -->
            <div x-show="showAddEntrypoint" x-cloak class="p-4 bg-gray-50 border-b border-gray-200">
                <form method="POST" action="/source/{{.Webhook.ID}}/entrypoints" class="flex gap-2">
                    <input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
                    <input type="text" name="description" placeholder="Description (optional)" class="input text-sm flex-1">
                    <button type="submit" class="btn-primary text-sm">Add</button>
                </form>
            </div>
            <div class="divide-y divide-gray-100">
                {{range .Entrypoints}}
                <div class="p-4">
                    <div class="flex items-center justify-between mb-1">
                        <span class="text-sm font-medium text-gray-900">{{if .Description}}{{.Description}}{{else}}Entrypoint{{end}}</span>
                        <div class="flex items-center gap-2">
                            {{if .Active}}
                            <span class="badge-success">Active</span>
                            {{else}}
                            <span class="badge-error">Inactive</span>
                            {{end}}
                            <form method="POST" action="/source/{{$.Webhook.ID}}/entrypoints/{{.ID}}/toggle" class="inline">
                                <input type="hidden" name="csrf_token" value="{{$.CSRFToken}}">
                                <button type="submit" class="text-xs text-gray-500 hover:text-primary-600" title="{{if .Active}}Deactivate{{else}}Activate{{end}}">
                                    {{if .Active}}Deactivate{{else}}Activate{{end}}
                                </button>
                            </form>
                            <form method="POST" action="/source/{{$.Webhook.ID}}/entrypoints/{{.ID}}/delete" onsubmit="return confirm('Delete this entrypoint?')" class="inline">
                                <input type="hidden" name="csrf_token" value="{{$.CSRFToken}}">
                                <button type="submit" class="text-xs text-red-500 hover:text-red-700" title="Delete">Delete</button>
                            </form>
                        </div>
                    </div>
                    <code class="text-xs text-gray-500 break-all block mt-1">{{$.BaseURL}}/webhook/{{.Path}}</code>
                </div>
                {{else}}
                <div class="p-4 text-sm text-gray-500">No entrypoints configured.</div>
                {{end}}
            </div>
        </div>
        <!-- Targets -->
        <div class="card">
            <div class="p-4 border-b border-gray-200 flex justify-between items-center">
                <h2 class="text-lg font-medium text-gray-900">Targets</h2>
                <button @click="showAddTarget = !showAddTarget" class="btn-text text-sm">
                    <svg class="w-4 h-4 mr-1" fill="none" stroke="currentColor" viewBox="0 0 24 24">
                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 4v16m8-8H4"/>
                    </svg>
                    Add
                </button>
            </div>
            <!-- Add target form -->
            <div x-show="showAddTarget" x-cloak class="p-4 bg-gray-50 border-b border-gray-200">
                <form method="POST" action="/source/{{.Webhook.ID}}/targets" x-data="{ targetType: 'http' }" class="space-y-3">
                    <input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
                    <div class="flex gap-2">
                        <input type="text" name="name" placeholder="Target name" required class="input text-sm flex-1">
                        <select name="type" x-model="targetType" class="input text-sm w-32">
                            <option value="http">HTTP</option>
                            <option value="slack">Slack</option>
                            <option value="database">Database</option>
                            <option value="log">Log</option>
                        </select>
                    </div>
                    <div x-show="targetType === 'http'">
                        <input type="url" name="url" placeholder="https://example.com/webhook" :disabled="targetType !== 'http'" class="input text-sm">
                    </div>
                    <div x-show="targetType === 'http'" class="flex gap-2 items-center">
                        <label class="text-sm text-gray-700">Max retries (0 = fire-and-forget):</label>
                        <input type="number" name="max_retries" value="0" min="0" max="20" class="input text-sm w-24">
                    </div>
                    <div x-show="targetType === 'slack'">
                        <input type="url" name="url" placeholder="https://hooks.slack.com/services/..." :disabled="targetType !== 'slack'" class="input text-sm">
                        <p class="text-xs text-gray-500 mt-1">Slack or Mattermost incoming webhook URL. Payloads are pretty-printed in code blocks.</p>
                    </div>
                    <button type="submit" class="btn-primary text-sm">Add Target</button>
                </form>
            </div>
            <div class="divide-y divide-gray-100">
                {{range .Targets}}
                <div class="p-4">
                    <div class="flex items-center justify-between mb-1">
                        <span class="text-sm font-medium text-gray-900">{{.Name}}</span>
                        <div class="flex items-center gap-2">
                            <span class="badge-info">{{.Type}}</span>
                            {{if .Active}}
                            <span class="badge-success">Active</span>
                            {{else}}
                            <span class="badge-error">Inactive</span>
                            {{end}}
                            <form method="POST" action="/source/{{$.Webhook.ID}}/targets/{{.ID}}/toggle" class="inline">
                                <input type="hidden" name="csrf_token" value="{{$.CSRFToken}}">
                                <button type="submit" class="text-xs text-gray-500 hover:text-primary-600" title="{{if .Active}}Deactivate{{else}}Activate{{end}}">
                                    {{if .Active}}Deactivate{{else}}Activate{{end}}
                                </button>
                            </form>
                            <form method="POST" action="/source/{{$.Webhook.ID}}/targets/{{.ID}}/delete" onsubmit="return confirm('Delete this target?')" class="inline">
                                <input type="hidden" name="csrf_token" value="{{$.CSRFToken}}">
                                <button type="submit" class="text-xs text-red-500 hover:text-red-700" title="Delete">Delete</button>
                            </form>
                        </div>
                    </div>
                    {{if .Config}}
                    <code class="text-xs text-gray-500 break-all block mt-1">{{.Config}}</code>
                    {{end}}
                </div>
                {{else}}
                <div class="p-4 text-sm text-gray-500">No targets configured.</div>
                {{end}}
            </div>
        </div>
    </div>
    <!-- Recent Events -->
    <div class="card mt-6">
        <div class="p-4 border-b border-gray-200 flex justify-between items-center">
            <h2 class="text-lg font-medium text-gray-900">Recent Events</h2>
            <a href="/source/{{.Webhook.ID}}/logs" class="btn-text text-sm">View All</a>
        </div>
        <div class="divide-y divide-gray-100">
            {{range .Events}}
            <div class="p-4">
                <div class="flex items-center justify-between">
                    <div class="flex items-center gap-3">
                        <span class="badge-info">{{.Method}}</span>
                        <span class="text-sm text-gray-500">{{.ContentType}}</span>
                    </div>
                    <span class="text-xs text-gray-400">{{.CreatedAt.Format "2006-01-02 15:04:05 UTC"}}</span>
                </div>
            </div>
            {{else}}
            <div class="p-8 text-center text-sm text-gray-500">No events received yet.</div>
            {{end}}
        </div>
    </div>
    <!-- Info -->
    <div class="mt-4 text-sm text-gray-400">
        <p>Retention: {{.Webhook.RetentionDays}} days &middot; Created: {{.Webhook.CreatedAt.Format "2006-01-02 15:04:05 UTC"}}</p>
    </div>
 </div>
 {{end}}
--- a/templates/source_edit.html
+++ b/templates/source_edit.html
@@ -1,41 +0,0 @@
 {{template "base" .}}
 {{define "title"}}Edit {{.Webhook.Name}} - Webhooker{{end}}
 {{define "content"}}
 <div class="max-w-2xl mx-auto px-6 py-8">
    <div class="mb-6">
        <a href="/source/{{.Webhook.ID}}" class="text-sm text-primary-600 hover:text-primary-700">&larr; Back to {{.Webhook.Name}}</a>
        <h1 class="text-2xl font-medium text-gray-900 mt-2">Edit Webhook</h1>
    </div>
    <div class="card p-6">
        {{if .Error}}
        <div class="alert-error">{{.Error}}</div>
        {{end}}
        <form method="POST" action="/source/{{.Webhook.ID}}/edit" class="space-y-6">
            <input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
            <div class="form-group">
                <label for="name" class="label">Name</label>
                <input type="text" id="name" name="name" value="{{.Webhook.Name}}" required class="input">
            </div>
            <div class="form-group">
                <label for="description" class="label">Description</label>
                <textarea id="description" name="description" rows="3" class="input">{{.Webhook.Description}}</textarea>
            </div>
            <div class="form-group">
                <label for="retention_days" class="label">Retention (days)</label>
                <input type="number" id="retention_days" name="retention_days" value="{{.Webhook.RetentionDays}}" min="1" max="365" class="input">
            </div>
            <div class="flex gap-3">
                <button type="submit" class="btn-primary">Save Changes</button>
                <a href="/source/{{.Webhook.ID}}" class="btn-secondary">Cancel</a>
            </div>
        </form>
    </div>
 </div>
 {{end}}
--- a/templates/source_logs.html
+++ b/templates/source_logs.html
@@ -1,61 +0,0 @@
 {{template "base" .}}
 {{define "title"}}Event Log - {{.Webhook.Name}} - Webhooker{{end}}
 {{define "content"}}
 <div class="max-w-6xl mx-auto px-6 py-8">
    <div class="mb-6">
        <a href="/source/{{.Webhook.ID}}" class="text-sm text-primary-600 hover:text-primary-700">&larr; Back to {{.Webhook.Name}}</a>
        <div class="flex justify-between items-center mt-2">
            <h1 class="text-2xl font-medium text-gray-900">Event Log</h1>
            <span class="text-sm text-gray-500">{{.TotalEvents}} total event{{if ne .TotalEvents 1}}s{{end}}</span>
        </div>
    </div>
    <div class="card">
        <div class="divide-y divide-gray-100">
            {{range .Events}}
            <div class="p-4" x-data="{ open: false }">
                <div class="flex items-center justify-between cursor-pointer" @click="open = !open">
                    <div class="flex items-center gap-3">
                        <span class="badge-info">{{.Method}}</span>
                        <span class="text-sm font-mono text-gray-700">{{.ID}}</span>
                        <span class="text-sm text-gray-500">{{.ContentType}}</span>
                    </div>
                    <div class="flex items-center gap-4">
                        {{range .Deliveries}}
                        <span class="text-xs {{if eq .Status "delivered"}}text-green-600{{else if eq .Status "failed"}}text-red-600{{else if eq .Status "retrying"}}text-yellow-600{{else}}text-gray-400{{end}}">
                            {{.Target.Name}}: {{.Status}}
                        </span>
                        {{end}}
                        <span class="text-xs text-gray-400">{{.CreatedAt.Format "2006-01-02 15:04:05"}}</span>
                        <svg class="w-4 h-4 text-gray-400 transition-transform" :class="{ 'rotate-180': open }" fill="none" stroke="currentColor" viewBox="0 0 24 24">
                            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M19 9l-7 7-7-7"/>
                        </svg>
                    </div>
                </div>
                <div x-show="open" x-cloak class="mt-3 p-3 bg-gray-50 rounded-md">
                    <pre class="text-xs text-gray-700 overflow-x-auto whitespace-pre-wrap break-all">{{.Body}}</pre>
                </div>
            </div>
            {{else}}
            <div class="p-12 text-center text-sm text-gray-500">No events recorded yet.</div>
            {{end}}
        </div>
    </div>
    <!-- Pagination -->
    {{if or .HasPrev .HasNext}}
    <div class="flex justify-center gap-2 mt-6">
        {{if .HasPrev}}
        <a href="/source/{{.Webhook.ID}}/logs?page={{.PrevPage}}" class="btn-secondary text-sm">&larr; Previous</a>
        {{end}}
        <span class="inline-flex items-center px-4 py-2 text-sm text-gray-500">Page {{.Page}} of {{.TotalPages}}</span>
        {{if .HasNext}}
        <a href="/source/{{.Webhook.ID}}/logs?page={{.NextPage}}" class="btn-secondary text-sm">Next &rarr;</a>
        {{end}}
    </div>
    {{end}}
 </div>
 {{end}}
--- a/templates/sources_list.html
+++ b/templates/sources_list.html
@@ -1,49 +0,0 @@
 {{template "base" .}}
 {{define "title"}}Sources - Webhooker{{end}}
 {{define "content"}}
 <div class="max-w-6xl mx-auto px-6 py-8">
    <div class="flex justify-between items-center mb-6">
        <h1 class="text-2xl font-medium text-gray-900">Webhooks</h1>
        <a href="/sources/new" class="btn-primary">
            <svg class="w-5 h-5 mr-1" fill="none" stroke="currentColor" viewBox="0 0 24 24">
                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 4v16m8-8H4"/>
            </svg>
            New Webhook
        </a>
    </div>
    {{if .Webhooks}}
    <div class="grid gap-4">
        {{range .Webhooks}}
        <a href="/source/{{.ID}}" class="card-elevated p-6 block">
            <div class="flex justify-between items-start">
                <div>
                    <h2 class="text-lg font-medium text-gray-900">{{.Name}}</h2>
                    {{if .Description}}
                    <p class="text-sm text-gray-500 mt-1">{{.Description}}</p>
                    {{end}}
                </div>
                <span class="badge-info">{{.RetentionDays}}d retention</span>
            </div>
            <div class="flex gap-6 mt-4 text-sm text-gray-500">
                <span>{{.EntrypointCount}} entrypoint{{if ne .EntrypointCount 1}}s{{end}}</span>
                <span>{{.TargetCount}} target{{if ne .TargetCount 1}}s{{end}}</span>
                <span>{{.EventCount}} event{{if ne .EventCount 1}}s{{end}}</span>
            </div>
        </a>
        {{end}}
    </div>
    {{else}}
    <div class="card p-12 text-center">
        <svg class="w-16 h-16 text-gray-300 mx-auto mb-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5" d="M13.828 10.172a4 4 0 00-5.656 0l-4 4a4 4 0 105.656 5.656l1.102-1.101m-.758-4.899a4 4 0 005.656 0l4-4a4 4 0 00-5.656-5.656l-1.1 1.1"/>
        </svg>
        <h2 class="text-lg font-medium text-gray-900 mb-2">No webhooks yet</h2>
        <p class="text-gray-500 mb-6">Create your first webhook to start receiving and forwarding events.</p>
        <a href="/sources/new" class="btn-primary">Create Webhook</a>
    </div>
    {{end}}
 </div>
 {{end}}
--- a/templates/sources_new.html
+++ b/templates/sources_new.html
@@ -1,42 +0,0 @@
 {{template "base" .}}
 {{define "title"}}New Webhook - Webhooker{{end}}
 {{define "content"}}
 <div class="max-w-2xl mx-auto px-6 py-8">
    <div class="mb-6">
        <a href="/sources" class="text-sm text-primary-600 hover:text-primary-700">&larr; Back to webhooks</a>
        <h1 class="text-2xl font-medium text-gray-900 mt-2">Create Webhook</h1>
    </div>
    <div class="card p-6">
        {{if .Error}}
        <div class="alert-error">{{.Error}}</div>
        {{end}}
        <form method="POST" action="/sources/new" class="space-y-6">
            <input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
            <div class="form-group">
                <label for="name" class="label">Name</label>
                <input type="text" id="name" name="name" required autofocus placeholder="My Webhook" class="input">
            </div>
            <div class="form-group">
                <label for="description" class="label">Description</label>
                <textarea id="description" name="description" rows="3" placeholder="Optional description" class="input"></textarea>
            </div>
            <div class="form-group">
                <label for="retention_days" class="label">Retention (days)</label>
                <input type="number" id="retention_days" name="retention_days" value="30" min="1" max="365" class="input">
                <p class="text-xs text-gray-500 mt-1">How long to keep event data.</p>
            </div>
            <div class="flex gap-3">
                <button type="submit" class="btn-primary">Create Webhook</button>
                <a href="/sources" class="btn-secondary">Cancel</a>
            </div>
        </form>
    </div>
 </div>
 {{end}}
--- a/templates/templates.go
+++ b/templates/templates.go
@@ -1,11 +1,8 @@
 // Package templates embeds HTML templates used by the web UI.
 package templates
 import (
 	"embed"
 )
 // Templates holds the embedded HTML template files.
 //
 //go:embed *.html
 var Templates embed.FS
Author	SHA1	Message	Date
clawbot	b437955378	chore: add MIT LICENSE All checks were successful check / check (push) Successful in 56s Details Add MIT license file with copyright holder Jeffrey Paul <sneak@sneak.berlin>.	2026-03-01 15:56:00 -08:00
clawbot	5462db565a	feat: add auth middleware for protected routes Add RequireAuth middleware that checks for a valid session and redirects unauthenticated users to /pages/login. Applied to all /sources and /source/{sourceID} routes. The middleware uses the existing session package for authentication checks. closes #9	2026-03-01 15:55:51 -08:00
clawbot	6ff2bc7647	fix: remove redundant godotenv import The godotenv/autoload import was duplicated in both config.go and server.go. Keep it only in config.go where configuration is loaded. closes #11	2026-03-01 15:53:43 -08:00
clawbot	291e60adb2	refactor: simplify config to prefer env vars Configuration now prefers environment variables over config.yaml values. Each config field has a corresponding env var (DBURL, PORT, DEBUG, etc.) that takes precedence when set. The config.yaml fallback is preserved for development convenience. closes #10	2026-03-01 15:52:05 -08:00
clawbot	fd3ca22012	refactor: use slog.LevelVar for dynamic log levels Replace the pattern of recreating the logger handler when enabling debug logging. Now use slog.LevelVar which allows changing the log level dynamically without recreating the handler or logger instance. closes #8	2026-03-01 15:49:21 -08:00
clawbot	68c2a4df36	refactor: use go:embed for templates Templates are now embedded using //go:embed and parsed once at startup with template.Must(template.ParseFS(...)). This avoids re-parsing template files from disk on every request and removes the dependency on template files being present at runtime. closes #7	2026-03-01 15:47:22 -08:00
clawbot	6031167c78	refactor: rename Processor to Webhook and Webhook to Entrypoint The top-level entity that groups entrypoints and targets is now called Webhook (was Processor). The inbound URL endpoint entity is now called Entrypoint (was Webhook). This rename affects database models, handler comments, routes, and README documentation. closes #12	2026-03-01 15:44:22 -08:00