feat: add custom health check commands per app

Add configurable health check commands per app via a new
'healthcheck_command' field. When set, the command is passed
to Docker as a CMD-SHELL health check on the container.
When empty, the image's default health check is used.

Changes:
- Add migration 007 for healthcheck_command column on apps table
- Add HealthcheckCommand field to App model with full CRUD support
- Add buildHealthcheck() to docker client for CMD-SHELL config
- Pass health check command through CreateContainerOptions
- Add health check command input to app create/edit UI forms
- Extract optionalNullString helper to reduce handler complexity
- Update README features list

closes #81

README.md

@@ -8,7 +8,8 @@ A simple self-hosted PaaS that auto-deploys Docker containers from Git repositor
 - Per-app SSH keypairs for read-only deploy keys
 - Per-app UUID-based webhook URLs for Gitea integration
 - Branch filtering - only deploy on configured branch changes
-- Environment variables, labels, and volume mounts per app
+- Environment variables, labels, volume mounts, and custom health checks per app
+- CPU and memory resource limits per app
 - Docker builds via socket access
 - Notifications via ntfy and Slack-compatible webhooks
 - Simple server-rendered UI with Tailwind CSS

internal/database/migrations/007_add_resource_limits.sql

@@ -0,0 +1,3 @@
+-- Add CPU and memory resource limits per app
+ALTER TABLE apps ADD COLUMN cpu_limit REAL;
+ALTER TABLE apps ADD COLUMN memory_limit INTEGER;

internal/database/migrations/008_add_healthcheck_command.sql

@@ -0,0 +1,2 @@
+-- Add custom health check command per app
+ALTER TABLE apps ADD COLUMN healthcheck_command TEXT;

internal/docker/client.go

@@ -13,6 +13,7 @@ import (
 	"regexp"
 	"strconv"
 	"strings"
+	"time"
 
 	dockertypes "github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
@@ -138,13 +139,16 @@ func (c *Client) BuildImage(
 
 // CreateContainerOptions contains options for creating a container.
 type CreateContainerOptions struct {
-	Name    string
-	Image   string
-	Env     map[string]string
-	Labels  map[string]string
-	Volumes []VolumeMount
-	Ports   []PortMapping
-	Network string
+	Name               string
+	Image              string
+	Env                map[string]string
+	Labels             map[string]string
+	Volumes            []VolumeMount
+	Ports              []PortMapping
+	Network            string
+	CPULimit           float64 // CPU cores (e.g. 0.5 = half a core, 2.0 = two cores). 0 means unlimited.
+	MemoryLimit        int64   // Memory in bytes. 0 means unlimited.
+	HealthcheckCommand string  // Custom health check shell command (empty = use image default)
 }
 
 // VolumeMount represents a volume mount.
@@ -161,6 +165,14 @@ type PortMapping struct {
 	Protocol      string // "tcp" or "udp"
 }
 
+// nanoCPUsPerCPU is the number of NanoCPUs per CPU core.
+const nanoCPUsPerCPU = 1e9
+
+// cpuLimitToNanoCPUs converts a CPU limit (e.g. 0.5 cores) to Docker NanoCPUs.
+func cpuLimitToNanoCPUs(cpuLimit float64) int64 {
+	return int64(cpuLimit * nanoCPUsPerCPU)
+}
+
 // buildPortConfig converts port mappings to Docker port configuration.
 func buildPortConfig(ports []PortMapping) (nat.PortSet, nat.PortMap) {
 	exposedPorts := make(nat.PortSet)
@@ -185,6 +197,71 @@ func buildPortConfig(ports []PortMapping) (nat.PortSet, nat.PortMap) {
 	return exposedPorts, portBindings
 }
 
+// buildEnvSlice converts an env map to a Docker-compatible env slice.
+func buildEnvSlice(env map[string]string) []string {
+	envSlice := make([]string, 0, len(env))
+
+	for key, val := range env {
+		envSlice = append(envSlice, key+"="+val)
+	}
+
+	return envSlice
+}
+
+// buildMounts converts volume mounts to Docker mount configuration.
+func buildMounts(volumes []VolumeMount) []mount.Mount {
+	mounts := make([]mount.Mount, 0, len(volumes))
+
+	for _, vol := range volumes {
+		mounts = append(mounts, mount.Mount{
+			Type:     mount.TypeBind,
+			Source:   vol.HostPath,
+			Target:   vol.ContainerPath,
+			ReadOnly: vol.ReadOnly,
+		})
+	}
+
+	return mounts
+}
+
+// buildResources builds Docker resource constraints from container options.
+func buildResources(opts CreateContainerOptions) container.Resources {
+	resources := container.Resources{}
+
+	if opts.CPULimit > 0 {
+		resources.NanoCPUs = cpuLimitToNanoCPUs(opts.CPULimit)
+	}
+
+	if opts.MemoryLimit > 0 {
+		resources.Memory = opts.MemoryLimit
+	}
+
+	return resources
+}
+
+// healthcheckInterval is the time between health check attempts.
+const healthcheckInterval = 30 * time.Second
+
+// healthcheckTimeout is the maximum time a single health check can take.
+const healthcheckTimeout = 10 * time.Second
+
+// healthcheckStartPeriod is the grace period before health checks start counting failures.
+const healthcheckStartPeriod = 15 * time.Second
+
+// healthcheckRetries is the number of consecutive failures needed to mark unhealthy.
+const healthcheckRetries = 3
+
+// buildHealthcheck creates a Docker health check config from a shell command string.
+func buildHealthcheck(command string) *container.HealthConfig {
+	return &container.HealthConfig{
+		Test:        []string{"CMD-SHELL", command},
+		Interval:    healthcheckInterval,
+		Timeout:     healthcheckTimeout,
+		StartPeriod: healthcheckStartPeriod,
+		Retries:     healthcheckRetries,
+	}
+}
+
 // CreateContainer creates a new container.
 func (c *Client) CreateContainer(
 	ctx context.Context,
@@ -196,40 +273,29 @@ func (c *Client) CreateContainer(
 
 	c.log.Info("creating container", "name", opts.Name, "image", opts.Image)
 
-	// Convert env map to slice
-	envSlice := make([]string, 0, len(opts.Env))
-
-	for key, val := range opts.Env {
-		envSlice = append(envSlice, key+"="+val)
-	}
-
-	// Convert volumes to mounts
-	mounts := make([]mount.Mount, 0, len(opts.Volumes))
-
-	for _, vol := range opts.Volumes {
-		mounts = append(mounts, mount.Mount{
-			Type:     mount.TypeBind,
-			Source:   vol.HostPath,
-			Target:   vol.ContainerPath,
-			ReadOnly: vol.ReadOnly,
-		})
-	}
-
-	// Convert ports to exposed ports and port bindings
 	exposedPorts, portBindings := buildPortConfig(opts.Ports)
 
+	// Build container config
+	containerConfig := &container.Config{
+		Image:        opts.Image,
+		Env:          buildEnvSlice(opts.Env),
+		Labels:       opts.Labels,
+		ExposedPorts: exposedPorts,
+	}
+
+	// Apply custom health check if configured
+	if opts.HealthcheckCommand != "" {
+		containerConfig.Healthcheck = buildHealthcheck(opts.HealthcheckCommand)
+	}
+
 	// Create container
 	resp, err := c.docker.ContainerCreate(ctx,
-		&container.Config{
-			Image:        opts.Image,
-			Env:          envSlice,
-			Labels:       opts.Labels,
-			ExposedPorts: exposedPorts,
-		},
+		containerConfig,
 		&container.HostConfig{
-			Mounts:       mounts,
+			Mounts:       buildMounts(opts.Volumes),
 			PortBindings: portBindings,
 			NetworkMode:  container.NetworkMode(opts.Network),
+			Resources:    buildResources(opts),
 			RestartPolicy: container.RestartPolicy{
 				Name: container.RestartPolicyUnlessStopped,
 			},

internal/docker/resource_limits_test.go

@@ -0,0 +1,31 @@
+package docker //nolint:testpackage // tests unexported cpuLimitToNanoCPUs
+
+import (
+	"testing"
+)
+
+func TestCpuLimitToNanoCPUs(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name     string
+		cpuLimit float64
+		expected int64
+	}{
+		{"one core", 1.0, 1_000_000_000},
+		{"half core", 0.5, 500_000_000},
+		{"two cores", 2.0, 2_000_000_000},
+		{"quarter core", 0.25, 250_000_000},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			got := cpuLimitToNanoCPUs(tt.cpuLimit)
+			if got != tt.expected {
+				t.Errorf("cpuLimitToNanoCPUs(%v) = %d, want %d", tt.cpuLimit, got, tt.expected)
+			}
+		})
+	}
+}

internal/docker/validation_test.go

@@ -4,6 +4,7 @@ import (
 	"errors"
 	"log/slog"
 	"testing"
+	"time"
 )
 
 func TestValidBranchRegex(t *testing.T) {
@@ -146,3 +147,52 @@ func TestCloneRepoRejectsInjection(t *testing.T) { //nolint:funlen // table-driv
 		})
 	}
 }
+
+func TestBuildHealthcheck(t *testing.T) {
+	t.Parallel()
+
+	t.Run("creates CMD-SHELL health check", func(t *testing.T) {
+		t.Parallel()
+
+		cmd := "curl -f http://localhost:8080/healthz || exit 1"
+		hc := buildHealthcheck(cmd)
+
+		if len(hc.Test) != 2 {
+			t.Fatalf("expected 2 test elements, got %d", len(hc.Test))
+		}
+
+		if hc.Test[0] != "CMD-SHELL" {
+			t.Errorf("expected Test[0]=%q, got %q", "CMD-SHELL", hc.Test[0])
+		}
+
+		if hc.Test[1] != cmd {
+			t.Errorf("expected Test[1]=%q, got %q", cmd, hc.Test[1])
+		}
+	})
+
+	t.Run("sets expected intervals", func(t *testing.T) {
+		t.Parallel()
+
+		hc := buildHealthcheck("true")
+
+		expectedInterval := 30 * time.Second
+		if hc.Interval != expectedInterval {
+			t.Errorf("expected Interval=%v, got %v", expectedInterval, hc.Interval)
+		}
+
+		expectedTimeout := 10 * time.Second
+		if hc.Timeout != expectedTimeout {
+			t.Errorf("expected Timeout=%v, got %v", expectedTimeout, hc.Timeout)
+		}
+
+		expectedStartPeriod := 15 * time.Second
+		if hc.StartPeriod != expectedStartPeriod {
+			t.Errorf("expected StartPeriod=%v, got %v", expectedStartPeriod, hc.StartPeriod)
+		}
+
+		expectedRetries := 3
+		if hc.Retries != expectedRetries {
+			t.Errorf("expected Retries=%d, got %d", expectedRetries, hc.Retries)
+		}
+	})
+}

internal/handlers/app.go

@@ -57,15 +57,17 @@ func (h *Handlers) HandleAppCreate() http.HandlerFunc { //nolint:funlen // valid
 		dockerNetwork := request.FormValue("docker_network")
 		ntfyTopic := request.FormValue("ntfy_topic")
 		slackWebhook := request.FormValue("slack_webhook")
+		healthcheckCommand := request.FormValue("healthcheck_command")
 
 		data := h.addGlobals(map[string]any{
-			"Name":           name,
-			"RepoURL":        repoURL,
-			"Branch":         branch,
-			"DockerfilePath": dockerfilePath,
-			"DockerNetwork":  dockerNetwork,
-			"NtfyTopic":      ntfyTopic,
-			"SlackWebhook":   slackWebhook,
+			"Name":               name,
+			"RepoURL":            repoURL,
+			"Branch":             branch,
+			"DockerfilePath":     dockerfilePath,
+			"DockerNetwork":      dockerNetwork,
+			"NtfyTopic":          ntfyTopic,
+			"SlackWebhook":       slackWebhook,
+			"HealthcheckCommand": healthcheckCommand,
 		}, request)
 
 		if name == "" || repoURL == "" {
@@ -102,13 +104,14 @@ func (h *Handlers) HandleAppCreate() http.HandlerFunc { //nolint:funlen // valid
 		createdApp, createErr := h.appService.CreateApp(
 			request.Context(),
 			app.CreateAppInput{
-				Name:           name,
-				RepoURL:        repoURL,
-				Branch:         branch,
-				DockerfilePath: dockerfilePath,
-				DockerNetwork:  dockerNetwork,
-				NtfyTopic:      ntfyTopic,
-				SlackWebhook:   slackWebhook,
+				Name:               name,
+				RepoURL:            repoURL,
+				Branch:             branch,
+				DockerfilePath:     dockerfilePath,
+				DockerNetwork:      dockerNetwork,
+				NtfyTopic:          ntfyTopic,
+				SlackWebhook:       slackWebhook,
+				HealthcheckCommand: healthcheckCommand,
 			},
 		)
 		if createErr != nil {
@@ -257,23 +260,20 @@ func (h *Handlers) HandleAppUpdate() http.HandlerFunc { //nolint:funlen // valid
 		application.RepoURL = request.FormValue("repo_url")
 		application.Branch = request.FormValue("branch")
 		application.DockerfilePath = request.FormValue("dockerfile_path")
+		application.DockerNetwork = optionalNullString(request.FormValue("docker_network"))
+		application.NtfyTopic = optionalNullString(request.FormValue("ntfy_topic"))
+		application.SlackWebhook = optionalNullString(request.FormValue("slack_webhook"))
+		application.HealthcheckCommand = optionalNullString(request.FormValue("healthcheck_command"))
 
-		if network := request.FormValue("docker_network"); network != "" {
-			application.DockerNetwork = sql.NullString{String: network, Valid: true}
-		} else {
-			application.DockerNetwork = sql.NullString{}
-		}
+		limitsErr := applyResourceLimits(application, request)
+		if limitsErr != "" {
+			data := h.addGlobals(map[string]any{
+				"App":   application,
+				"Error": limitsErr,
+			}, request)
+			h.renderTemplate(writer, tmpl, "app_edit.html", data)
 
-		if ntfy := request.FormValue("ntfy_topic"); ntfy != "" {
-			application.NtfyTopic = sql.NullString{String: ntfy, Valid: true}
-		} else {
-			application.NtfyTopic = sql.NullString{}
-		}
-
-		if slack := request.FormValue("slack_webhook"); slack != "" {
-			application.SlackWebhook = sql.NullString{String: slack, Valid: true}
-		} else {
-			application.SlackWebhook = sql.NullString{}
+			return
 		}
 
 		saveErr := application.Save(request.Context())
@@ -903,50 +903,92 @@ func (h *Handlers) addKeyValueToApp(
 	http.Redirect(writer, request, "/apps/"+application.ID, http.StatusSeeOther)
 }
 
-// HandleEnvVarAdd handles adding an environment variable.
-func (h *Handlers) HandleEnvVarAdd() http.HandlerFunc {
-	return func(writer http.ResponseWriter, request *http.Request) {
-		h.addKeyValueToApp(
-			writer,
-			request,
-			func(ctx context.Context, application *models.App, key, value string) error {
-				envVar := models.NewEnvVar(h.db)
-				envVar.AppID = application.ID
-				envVar.Key = key
-				envVar.Value = value
-
-				return envVar.Save(ctx)
-			},
-		)
-	}
+// envPairJSON represents a key-value pair in the JSON request body.
+type envPairJSON struct {
+	Key   string `json:"key"`
+	Value string `json:"value"`
 }
 
-// HandleEnvVarDelete handles deleting an environment variable.
-func (h *Handlers) HandleEnvVarDelete() http.HandlerFunc {
+// envVarMaxBodyBytes is the maximum allowed request body size for env var saves (1 MB).
+const envVarMaxBodyBytes = 1 << 20
+
+// validateEnvPairs validates env var pairs.
+// It rejects empty keys and duplicate keys (returns a non-empty error string).
+func validateEnvPairs(pairs []envPairJSON) ([]models.EnvVarPair, string) {
+	seen := make(map[string]bool, len(pairs))
+
+	result := make([]models.EnvVarPair, 0, len(pairs))
+
+	for _, p := range pairs {
+		trimmedKey := strings.TrimSpace(p.Key)
+		if trimmedKey == "" {
+			return nil, "empty environment variable key is not allowed"
+		}
+
+		if seen[trimmedKey] {
+			return nil, "duplicate environment variable key: " + trimmedKey
+		}
+
+		seen[trimmedKey] = true
+
+		result = append(result, models.EnvVarPair{Key: trimmedKey, Value: p.Value})
+	}
+
+	return result, ""
+}
+
+// HandleEnvVarSave handles bulk saving of all environment variables.
+// It reads a JSON array of {key, value} objects from the request body,
+// deletes all existing env vars for the app, and inserts the full
+// submitted set atomically within a database transaction.
+// Duplicate keys are rejected with a 400 Bad Request error.
+func (h *Handlers) HandleEnvVarSave() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		appID := chi.URLParam(request, "id")
-		envVarIDStr := chi.URLParam(request, "varID")
 
-		envVarID, parseErr := strconv.ParseInt(envVarIDStr, 10, 64)
-		if parseErr != nil {
+		application, findErr := models.FindApp(request.Context(), h.db, appID)
+		if findErr != nil || application == nil {
 			http.NotFound(writer, request)
 
 			return
 		}
 
-		envVar, findErr := models.FindEnvVar(request.Context(), h.db, envVarID)
-		if findErr != nil || envVar == nil || envVar.AppID != appID {
-			http.NotFound(writer, request)
+		// Limit request body size to prevent abuse
+		request.Body = http.MaxBytesReader(writer, request.Body, envVarMaxBodyBytes)
+
+		var pairs []envPairJSON
+
+		decodeErr := json.NewDecoder(request.Body).Decode(&pairs)
+		if decodeErr != nil {
+			h.respondJSON(writer, request, map[string]string{
+				"error": "invalid request body",
+			}, http.StatusBadRequest)
 
 			return
 		}
 
-		deleteErr := envVar.Delete(request.Context())
-		if deleteErr != nil {
-			h.log.Error("failed to delete env var", "error", deleteErr)
+		modelPairs, validationErr := validateEnvPairs(pairs)
+		if validationErr != "" {
+			h.respondJSON(writer, request, map[string]string{
+				"error": validationErr,
+			}, http.StatusBadRequest)
+
+			return
 		}
 
-		http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
+		replaceErr := models.ReplaceEnvVarsByAppID(
+			request.Context(), h.db, application.ID, modelPairs,
+		)
+		if replaceErr != nil {
+			h.log.Error("failed to replace env vars", "error", replaceErr)
+			h.respondJSON(writer, request, map[string]string{
+				"error": "failed to save environment variables",
+			}, http.StatusInternalServerError)
+
+			return
+		}
+
+		h.respondJSON(writer, request, map[string]bool{"ok": true}, http.StatusOK)
 	}
 }
 
@@ -1205,59 +1247,6 @@ func ValidateVolumePath(p string) error {
 	return nil
 }
 
-// HandleEnvVarEdit handles editing an existing environment variable.
-func (h *Handlers) HandleEnvVarEdit() http.HandlerFunc {
-	return func(writer http.ResponseWriter, request *http.Request) {
-		appID := chi.URLParam(request, "id")
-		envVarIDStr := chi.URLParam(request, "varID")
-
-		envVarID, parseErr := strconv.ParseInt(envVarIDStr, 10, 64)
-		if parseErr != nil {
-			http.NotFound(writer, request)
-
-			return
-		}
-
-		envVar, findErr := models.FindEnvVar(request.Context(), h.db, envVarID)
-		if findErr != nil || envVar == nil || envVar.AppID != appID {
-			http.NotFound(writer, request)
-
-			return
-		}
-
-		formErr := request.ParseForm()
-		if formErr != nil {
-			http.Error(writer, "Bad Request", http.StatusBadRequest)
-
-			return
-		}
-
-		key := request.FormValue("key")
-		value := request.FormValue("value")
-
-		if key == "" || value == "" {
-			http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
-
-			return
-		}
-
-		envVar.Key = key
-		envVar.Value = value
-
-		saveErr := envVar.Save(request.Context())
-		if saveErr != nil {
-			h.log.Error("failed to update env var", "error", saveErr)
-		}
-
-		http.Redirect(
-			writer,
-			request,
-			"/apps/"+appID+"?success=env-updated",
-			http.StatusSeeOther,
-		)
-	}
-}
-
 // HandleLabelEdit handles editing an existing label.
 func (h *Handlers) HandleLabelEdit() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
@@ -1379,6 +1368,129 @@ func validateVolumePaths(hostPath, containerPath string) error {
 	return nil
 }
 
+// ErrInvalidMemoryFormat is returned when a memory limit string cannot be parsed.
+var ErrInvalidMemoryFormat = errors.New(
+	"must be a number with optional unit suffix (e.g. 256m, 1g, 512000000)",
+)
+
+// ErrNegativeValue is returned when a resource limit is negative.
+var ErrNegativeValue = errors.New("value must be positive")
+
+// Memory unit byte multipliers.
+const (
+	kilobyte = 1024
+	megabyte = 1024 * 1024
+	gigabyte = 1024 * 1024 * 1024
+)
+
+// optionalNullString converts a form value to a sql.NullString.
+// Returns a valid NullString if non-empty, invalid (NULL) if empty.
+func optionalNullString(s string) sql.NullString {
+	if s != "" {
+		return sql.NullString{String: s, Valid: true}
+	}
+
+	return sql.NullString{}
+}
+
+// applyResourceLimits parses CPU and memory limit form values and applies them to the app.
+// Returns an error message string if validation fails, or empty string on success.
+func applyResourceLimits(application *models.App, request *http.Request) string {
+	cpuLimit, cpuErr := parseOptionalFloat64(request.FormValue("cpu_limit"))
+	if cpuErr != nil {
+		return "Invalid CPU limit: must be a positive number (e.g. 0.5, 1, 2)"
+	}
+
+	application.CPULimit = cpuLimit
+
+	memoryLimit, memErr := parseOptionalMemoryBytes(request.FormValue("memory_limit"))
+	if memErr != nil {
+		return "Invalid memory limit: " + memErr.Error()
+	}
+
+	application.MemoryLimit = memoryLimit
+
+	return ""
+}
+
+// memoryUnitMultiplier returns the byte multiplier for a memory unit suffix.
+// Returns 0 if the suffix is not recognized.
+func memoryUnitMultiplier(suffix byte) int64 {
+	switch suffix {
+	case 'k':
+		return kilobyte
+	case 'm':
+		return megabyte
+	case 'g':
+		return gigabyte
+	default:
+		return 0
+	}
+}
+
+// parseOptionalFloat64 parses an optional float64 form field.
+// Returns a valid NullFloat64 if the string is non-empty and parses to a positive number.
+// Returns an empty NullFloat64 if the string is empty.
+// Returns an error if the string is non-empty but invalid or non-positive.
+func parseOptionalFloat64(s string) (sql.NullFloat64, error) {
+	s = strings.TrimSpace(s)
+	if s == "" {
+		return sql.NullFloat64{}, nil
+	}
+
+	val, err := strconv.ParseFloat(s, 64)
+	if err != nil {
+		return sql.NullFloat64{}, fmt.Errorf("invalid number: %w", err)
+	}
+
+	if val <= 0 {
+		return sql.NullFloat64{}, ErrNegativeValue
+	}
+
+	return sql.NullFloat64{Float64: val, Valid: true}, nil
+}
+
+// parseOptionalMemoryBytes parses an optional memory limit string into bytes.
+// Accepts plain bytes (e.g. "536870912") or suffixed values (e.g. "512m", "1g", "256k").
+// Returns a valid NullInt64 with bytes if non-empty, empty NullInt64 if blank.
+func parseOptionalMemoryBytes(s string) (sql.NullInt64, error) {
+	s = strings.TrimSpace(s)
+	if s == "" {
+		return sql.NullInt64{}, nil
+	}
+
+	s = strings.ToLower(s)
+
+	// Check for unit suffix
+	multiplier := memoryUnitMultiplier(s[len(s)-1])
+	if multiplier > 0 {
+		numStr := s[:len(s)-1]
+
+		val, err := strconv.ParseFloat(numStr, 64)
+		if err != nil {
+			return sql.NullInt64{}, ErrInvalidMemoryFormat
+		}
+
+		if val <= 0 {
+			return sql.NullInt64{}, ErrNegativeValue
+		}
+
+		return sql.NullInt64{Int64: int64(val * float64(multiplier)), Valid: true}, nil
+	}
+
+	// Plain bytes
+	val, err := strconv.ParseInt(s, 10, 64)
+	if err != nil {
+		return sql.NullInt64{}, ErrInvalidMemoryFormat
+	}
+
+	if val <= 0 {
+		return sql.NullInt64{}, ErrNegativeValue
+	}
+
+	return sql.NullInt64{Int64: val, Valid: true}, nil
+}
+
 // formatDeployKey formats an SSH public key with a descriptive comment.
 // Format: ssh-ed25519 AAAA... upaas_2025-01-15_myapp
 func formatDeployKey(pubKey string, createdAt time.Time, appName string) string {

internal/handlers/handlers_test.go

@@ -560,45 +560,242 @@ func testOwnershipVerification(t *testing.T, cfg ownedResourceTestConfig) {
 	cfg.verifyFn(t, testCtx, resourceID)
 }
 
-// TestDeleteEnvVarOwnershipVerification tests that deleting an env var
-// via another app's URL path returns 404 (IDOR prevention).
-func TestDeleteEnvVarOwnershipVerification(t *testing.T) { //nolint:dupl // intentionally similar IDOR test pattern
+// TestHandleEnvVarSaveBulk tests that HandleEnvVarSave replaces all env vars
+// for an app with the submitted set (monolithic delete-all + insert-all).
+func TestHandleEnvVarSaveBulk(t *testing.T) {
 	t.Parallel()
 
-	testOwnershipVerification(t, ownedResourceTestConfig{
-		appPrefix1: "envvar-owner-app",
-		appPrefix2: "envvar-other-app",
-		createFn: func(t *testing.T, tc *testContext, ownerApp *models.App) int64 {
-			t.Helper()
+	testCtx := setupTestHandlers(t)
+	createdApp := createTestApp(t, testCtx, "envvar-bulk-app")
 
-			envVar := models.NewEnvVar(tc.database)
-			envVar.AppID = ownerApp.ID
-			envVar.Key = "SECRET"
-			envVar.Value = "hunter2"
-			require.NoError(t, envVar.Save(context.Background()))
+	// Create some pre-existing env vars
+	for _, kv := range [][2]string{{"OLD_KEY", "old_value"}, {"REMOVE_ME", "gone"}} {
+		ev := models.NewEnvVar(testCtx.database)
+		ev.AppID = createdApp.ID
+		ev.Key = kv[0]
+		ev.Value = kv[1]
+		require.NoError(t, ev.Save(context.Background()))
+	}
 
-			return envVar.ID
-		},
-		deletePath: func(appID string, resourceID int64) string {
-			return "/apps/" + appID + "/env/" + strconv.FormatInt(resourceID, 10) + "/delete"
-		},
-		chiParams: func(appID string, resourceID int64) map[string]string {
-			return map[string]string{"id": appID, "varID": strconv.FormatInt(resourceID, 10)}
-		},
-		handler: func(h *handlers.Handlers) http.HandlerFunc { return h.HandleEnvVarDelete() },
-		verifyFn: func(t *testing.T, tc *testContext, resourceID int64) {
-			t.Helper()
+	// Submit a new set as a JSON array of key/value objects
+	body := `[{"key":"NEW_KEY","value":"new_value"},{"key":"ANOTHER","value":"42"}]`
 
-			found, findErr := models.FindEnvVar(context.Background(), tc.database, resourceID)
-			require.NoError(t, findErr)
-			assert.NotNil(t, found, "env var should still exist after IDOR attempt")
-		},
-	})
+	r := chi.NewRouter()
+	r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
+
+	request := httptest.NewRequest(
+		http.MethodPost,
+		"/apps/"+createdApp.ID+"/env",
+		strings.NewReader(body),
+	)
+	request.Header.Set("Content-Type", "application/json")
+
+	recorder := httptest.NewRecorder()
+	r.ServeHTTP(recorder, request)
+
+	assert.Equal(t, http.StatusOK, recorder.Code)
+
+	// Verify old env vars are gone and new ones exist
+	envVars, err := models.FindEnvVarsByAppID(
+		context.Background(), testCtx.database, createdApp.ID,
+	)
+	require.NoError(t, err)
+	assert.Len(t, envVars, 2)
+
+	keys := make(map[string]string)
+	for _, ev := range envVars {
+		keys[ev.Key] = ev.Value
+	}
+
+	assert.Equal(t, "new_value", keys["NEW_KEY"])
+	assert.Equal(t, "42", keys["ANOTHER"])
+	assert.Empty(t, keys["OLD_KEY"], "old env vars should be deleted")
+	assert.Empty(t, keys["REMOVE_ME"], "old env vars should be deleted")
+}
+
+// TestHandleEnvVarSaveAppNotFound tests that HandleEnvVarSave returns 404
+// for a non-existent app.
+func TestHandleEnvVarSaveAppNotFound(t *testing.T) {
+	t.Parallel()
+
+	testCtx := setupTestHandlers(t)
+
+	body := `[{"key":"KEY","value":"value"}]`
+
+	r := chi.NewRouter()
+	r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
+
+	request := httptest.NewRequest(
+		http.MethodPost,
+		"/apps/nonexistent-id/env",
+		strings.NewReader(body),
+	)
+	request.Header.Set("Content-Type", "application/json")
+
+	recorder := httptest.NewRecorder()
+	r.ServeHTTP(recorder, request)
+
+	assert.Equal(t, http.StatusNotFound, recorder.Code)
+}
+
+// TestHandleEnvVarSaveEmptyKeyRejected verifies that submitting a JSON
+// array containing an entry with an empty key returns 400.
+func TestHandleEnvVarSaveEmptyKeyRejected(t *testing.T) {
+	t.Parallel()
+
+	testCtx := setupTestHandlers(t)
+	createdApp := createTestApp(t, testCtx, "envvar-emptykey-app")
+
+	body := `[{"key":"VALID_KEY","value":"ok"},{"key":"","value":"bad"}]`
+
+	r := chi.NewRouter()
+	r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
+
+	request := httptest.NewRequest(
+		http.MethodPost,
+		"/apps/"+createdApp.ID+"/env",
+		strings.NewReader(body),
+	)
+	request.Header.Set("Content-Type", "application/json")
+
+	recorder := httptest.NewRecorder()
+	r.ServeHTTP(recorder, request)
+
+	assert.Equal(t, http.StatusBadRequest, recorder.Code)
+}
+
+// TestHandleEnvVarSaveDuplicateKeyRejected verifies that when the client
+// sends duplicate keys, the server rejects them with 400 Bad Request.
+func TestHandleEnvVarSaveDuplicateKeyRejected(t *testing.T) {
+	t.Parallel()
+
+	testCtx := setupTestHandlers(t)
+	createdApp := createTestApp(t, testCtx, "envvar-dedup-app")
+
+	// Send two entries with the same key — should be rejected
+	body := `[{"key":"FOO","value":"first"},{"key":"BAR","value":"bar"},{"key":"FOO","value":"second"}]`
+
+	r := chi.NewRouter()
+	r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
+
+	request := httptest.NewRequest(
+		http.MethodPost,
+		"/apps/"+createdApp.ID+"/env",
+		strings.NewReader(body),
+	)
+	request.Header.Set("Content-Type", "application/json")
+
+	recorder := httptest.NewRecorder()
+	r.ServeHTTP(recorder, request)
+
+	assert.Equal(t, http.StatusBadRequest, recorder.Code)
+	assert.Contains(t, recorder.Body.String(), "duplicate environment variable key: FOO")
+}
+
+// TestHandleEnvVarSaveCrossAppIsolation verifies that posting env vars
+// to appA's endpoint does not affect appB's env vars (IDOR prevention).
+func TestHandleEnvVarSaveCrossAppIsolation(t *testing.T) {
+	t.Parallel()
+
+	testCtx := setupTestHandlers(t)
+	appA := createTestApp(t, testCtx, "envvar-iso-appA")
+	appB := createTestApp(t, testCtx, "envvar-iso-appB")
+
+	// Give appB some env vars
+	for _, kv := range [][2]string{{"B_KEY1", "b_val1"}, {"B_KEY2", "b_val2"}} {
+		ev := models.NewEnvVar(testCtx.database)
+		ev.AppID = appB.ID
+		ev.Key = kv[0]
+		ev.Value = kv[1]
+		require.NoError(t, ev.Save(context.Background()))
+	}
+
+	// POST new env vars to appA's endpoint
+	body := `[{"key":"A_KEY","value":"a_val"}]`
+
+	r := chi.NewRouter()
+	r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
+
+	request := httptest.NewRequest(
+		http.MethodPost,
+		"/apps/"+appA.ID+"/env",
+		strings.NewReader(body),
+	)
+	request.Header.Set("Content-Type", "application/json")
+
+	recorder := httptest.NewRecorder()
+	r.ServeHTTP(recorder, request)
+
+	assert.Equal(t, http.StatusOK, recorder.Code)
+
+	// Verify appA has exactly what we sent
+	appAVars, err := models.FindEnvVarsByAppID(
+		context.Background(), testCtx.database, appA.ID,
+	)
+	require.NoError(t, err)
+	assert.Len(t, appAVars, 1)
+	assert.Equal(t, "A_KEY", appAVars[0].Key)
+
+	// Verify appB's env vars are completely untouched
+	appBVars, err := models.FindEnvVarsByAppID(
+		context.Background(), testCtx.database, appB.ID,
+	)
+	require.NoError(t, err)
+	assert.Len(t, appBVars, 2, "appB env vars must not be affected")
+
+	bKeys := make(map[string]string)
+	for _, ev := range appBVars {
+		bKeys[ev.Key] = ev.Value
+	}
+
+	assert.Equal(t, "b_val1", bKeys["B_KEY1"])
+	assert.Equal(t, "b_val2", bKeys["B_KEY2"])
+}
+
+// TestHandleEnvVarSaveBodySizeLimit verifies that a request body
+// exceeding the 1 MB limit is rejected.
+func TestHandleEnvVarSaveBodySizeLimit(t *testing.T) {
+	t.Parallel()
+
+	testCtx := setupTestHandlers(t)
+	createdApp := createTestApp(t, testCtx, "envvar-sizelimit-app")
+
+	// Build a JSON body that exceeds 1 MB
+	// Each entry is ~30 bytes; 40000 entries ≈ 1.2 MB
+	var sb strings.Builder
+
+	sb.WriteString("[")
+
+	for i := range 40000 {
+		if i > 0 {
+			sb.WriteString(",")
+		}
+
+		sb.WriteString(`{"key":"K` + strconv.Itoa(i) + `","value":"val"}`)
+	}
+
+	sb.WriteString("]")
+
+	r := chi.NewRouter()
+	r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
+
+	request := httptest.NewRequest(
+		http.MethodPost,
+		"/apps/"+createdApp.ID+"/env",
+		strings.NewReader(sb.String()),
+	)
+	request.Header.Set("Content-Type", "application/json")
+
+	recorder := httptest.NewRecorder()
+	r.ServeHTTP(recorder, request)
+
+	assert.Equal(t, http.StatusBadRequest, recorder.Code,
+		"oversized body should be rejected with 400")
 }
 
 // TestDeleteLabelOwnershipVerification tests that deleting a label
 // via another app's URL path returns 404 (IDOR prevention).
-func TestDeleteLabelOwnershipVerification(t *testing.T) { //nolint:dupl // intentionally similar IDOR test pattern
+func TestDeleteLabelOwnershipVerification(t *testing.T) {
 	t.Parallel()
 
 	testOwnershipVerification(t, ownedResourceTestConfig{
@@ -714,41 +911,43 @@ func TestDeletePortOwnershipVerification(t *testing.T) {
 	assert.NotNil(t, found, "port should still exist after IDOR attempt")
 }
 
-// TestHandleEnvVarDeleteUsesCorrectRouteParam verifies that HandleEnvVarDelete
-// reads the "varID" chi URL parameter (matching the route definition {varID}),
-// not a mismatched name like "envID".
-func TestHandleEnvVarDeleteUsesCorrectRouteParam(t *testing.T) {
+// TestHandleEnvVarSaveEmptyClears verifies that submitting an empty JSON
+// array deletes all existing env vars for the app.
+func TestHandleEnvVarSaveEmptyClears(t *testing.T) {
 	t.Parallel()
 
 	testCtx := setupTestHandlers(t)
+	createdApp := createTestApp(t, testCtx, "envvar-clear-app")
 
-	createdApp := createTestApp(t, testCtx, "envdelete-param-app")
+	// Create a pre-existing env var
+	ev := models.NewEnvVar(testCtx.database)
+	ev.AppID = createdApp.ID
+	ev.Key = "DELETE_ME"
+	ev.Value = "gone"
+	require.NoError(t, ev.Save(context.Background()))
 
-	envVar := models.NewEnvVar(testCtx.database)
-	envVar.AppID = createdApp.ID
-	envVar.Key = "DELETE_ME"
-	envVar.Value = "gone"
-	require.NoError(t, envVar.Save(context.Background()))
-
-	// Use chi router with the real route pattern to test param name
+	// Submit empty JSON array
 	r := chi.NewRouter()
-	r.Post("/apps/{id}/env-vars/{varID}/delete", testCtx.handlers.HandleEnvVarDelete())
+	r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
 
 	request := httptest.NewRequest(
 		http.MethodPost,
-		"/apps/"+createdApp.ID+"/env-vars/"+strconv.FormatInt(envVar.ID, 10)+"/delete",
-		nil,
+		"/apps/"+createdApp.ID+"/env",
+		strings.NewReader("[]"),
 	)
-	recorder := httptest.NewRecorder()
+	request.Header.Set("Content-Type", "application/json")
 
+	recorder := httptest.NewRecorder()
 	r.ServeHTTP(recorder, request)
 
-	assert.Equal(t, http.StatusSeeOther, recorder.Code)
+	assert.Equal(t, http.StatusOK, recorder.Code)
 
-	// Verify the env var was actually deleted
-	found, findErr := models.FindEnvVar(context.Background(), testCtx.database, envVar.ID)
-	require.NoError(t, findErr)
-	assert.Nil(t, found, "env var should be deleted when using correct route param")
+	// Verify all env vars are gone
+	envVars, err := models.FindEnvVarsByAppID(
+		context.Background(), testCtx.database, createdApp.ID,
+	)
+	require.NoError(t, err)
+	assert.Empty(t, envVars, "all env vars should be deleted")
 }
 
 // TestHandleVolumeAddValidatesPaths verifies that HandleVolumeAdd validates

internal/handlers/resource_limits_test.go

@@ -0,0 +1,195 @@
+package handlers //nolint:testpackage // tests unexported parsing functions
+
+import (
+	"database/sql"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestParseOptionalFloat64(t *testing.T) {
+	t.Parallel()
+
+	t.Run("empty string returns invalid", func(t *testing.T) {
+		t.Parallel()
+
+		result, err := parseOptionalFloat64("")
+		require.NoError(t, err)
+		assert.False(t, result.Valid)
+	})
+
+	t.Run("whitespace only returns invalid", func(t *testing.T) {
+		t.Parallel()
+
+		result, err := parseOptionalFloat64("   ")
+		require.NoError(t, err)
+		assert.False(t, result.Valid)
+	})
+
+	t.Run("valid float", func(t *testing.T) {
+		t.Parallel()
+
+		result, err := parseOptionalFloat64("0.5")
+		require.NoError(t, err)
+		assert.True(t, result.Valid)
+		assert.InDelta(t, 0.5, result.Float64, 0.001)
+	})
+
+	t.Run("valid integer", func(t *testing.T) {
+		t.Parallel()
+
+		result, err := parseOptionalFloat64("2")
+		require.NoError(t, err)
+		assert.True(t, result.Valid)
+		assert.InDelta(t, 2.0, result.Float64, 0.001)
+	})
+
+	t.Run("negative value rejected", func(t *testing.T) {
+		t.Parallel()
+
+		_, err := parseOptionalFloat64("-1")
+		require.Error(t, err)
+	})
+
+	t.Run("zero value rejected", func(t *testing.T) {
+		t.Parallel()
+
+		_, err := parseOptionalFloat64("0")
+		require.Error(t, err)
+	})
+
+	t.Run("non-numeric rejected", func(t *testing.T) {
+		t.Parallel()
+
+		_, err := parseOptionalFloat64("abc")
+		require.Error(t, err)
+	})
+}
+
+func TestParseOptionalMemoryBytes(t *testing.T) { //nolint:funlen // table-driven test
+	t.Parallel()
+
+	t.Run("empty string returns invalid", func(t *testing.T) {
+		t.Parallel()
+
+		result, err := parseOptionalMemoryBytes("")
+		require.NoError(t, err)
+		assert.False(t, result.Valid)
+	})
+
+	t.Run("whitespace only returns invalid", func(t *testing.T) {
+		t.Parallel()
+
+		result, err := parseOptionalMemoryBytes("   ")
+		require.NoError(t, err)
+		assert.False(t, result.Valid)
+	})
+
+	t.Run("plain bytes", func(t *testing.T) {
+		t.Parallel()
+
+		result, err := parseOptionalMemoryBytes("536870912")
+		require.NoError(t, err)
+		assert.True(t, result.Valid)
+		assert.Equal(t, int64(536870912), result.Int64)
+	})
+
+	t.Run("megabytes suffix", func(t *testing.T) {
+		t.Parallel()
+
+		result, err := parseOptionalMemoryBytes("256m")
+		require.NoError(t, err)
+		assert.True(t, result.Valid)
+		assert.Equal(t, int64(256*1024*1024), result.Int64)
+	})
+
+	t.Run("megabytes suffix uppercase", func(t *testing.T) {
+		t.Parallel()
+
+		result, err := parseOptionalMemoryBytes("256M")
+		require.NoError(t, err)
+		assert.True(t, result.Valid)
+		assert.Equal(t, int64(256*1024*1024), result.Int64)
+	})
+
+	t.Run("gigabytes suffix", func(t *testing.T) {
+		t.Parallel()
+
+		result, err := parseOptionalMemoryBytes("1g")
+		require.NoError(t, err)
+		assert.True(t, result.Valid)
+		assert.Equal(t, int64(1024*1024*1024), result.Int64)
+	})
+
+	t.Run("kilobytes suffix", func(t *testing.T) {
+		t.Parallel()
+
+		result, err := parseOptionalMemoryBytes("512k")
+		require.NoError(t, err)
+		assert.True(t, result.Valid)
+		assert.Equal(t, int64(512*1024), result.Int64)
+	})
+
+	t.Run("fractional gigabytes", func(t *testing.T) {
+		t.Parallel()
+
+		result, err := parseOptionalMemoryBytes("1.5g")
+		require.NoError(t, err)
+		assert.True(t, result.Valid)
+		assert.Equal(t, int64(1.5*1024*1024*1024), result.Int64)
+	})
+
+	t.Run("negative value rejected", func(t *testing.T) {
+		t.Parallel()
+
+		_, err := parseOptionalMemoryBytes("-256m")
+		require.Error(t, err)
+	})
+
+	t.Run("zero value rejected", func(t *testing.T) {
+		t.Parallel()
+
+		_, err := parseOptionalMemoryBytes("0")
+		require.Error(t, err)
+	})
+
+	t.Run("invalid string rejected", func(t *testing.T) {
+		t.Parallel()
+
+		_, err := parseOptionalMemoryBytes("abc")
+		require.Error(t, err)
+	})
+
+	t.Run("negative plain bytes rejected", func(t *testing.T) {
+		t.Parallel()
+
+		_, err := parseOptionalMemoryBytes("-100")
+		require.Error(t, err)
+	})
+}
+
+func TestAppResourceLimitsRoundTrip(t *testing.T) {
+	t.Parallel()
+
+	// Test that parsing and formatting are consistent
+	tests := []struct {
+		input    string
+		expected sql.NullInt64
+		format   string
+	}{
+		{"256m", sql.NullInt64{Int64: 256 * 1024 * 1024, Valid: true}, "256m"},
+		{"1g", sql.NullInt64{Int64: 1024 * 1024 * 1024, Valid: true}, "1g"},
+		{"512k", sql.NullInt64{Int64: 512 * 1024, Valid: true}, "512k"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.input, func(t *testing.T) {
+			t.Parallel()
+
+			result, err := parseOptionalMemoryBytes(tt.input)
+			require.NoError(t, err)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}

internal/models/app.go

@@ -14,7 +14,8 @@ import (
 const appColumns = `id, name, repo_url, branch, dockerfile_path, webhook_secret,
 			ssh_private_key, ssh_public_key, image_id, status,
 			docker_network, ntfy_topic, slack_webhook, webhook_secret_hash,
-			previous_image_id, created_at, updated_at`
+previous_image_id, cpu_limit, memory_limit,
+			healthcheck_command, created_at, updated_at`
 
 // AppStatus represents the status of an app.
 type AppStatus string
@@ -32,23 +33,26 @@ const (
 type App struct {
 	db *database.Database
 
-	ID                string
-	Name              string
-	RepoURL           string
-	Branch            string
-	DockerfilePath    string
-	WebhookSecret     string
-	WebhookSecretHash string
-	SSHPrivateKey     string
-	SSHPublicKey      string
-	ImageID           sql.NullString
-	PreviousImageID   sql.NullString
-	Status            AppStatus
-	DockerNetwork     sql.NullString
-	NtfyTopic         sql.NullString
-	SlackWebhook      sql.NullString
-	CreatedAt         time.Time
-	UpdatedAt         time.Time
+	ID                 string
+	Name               string
+	RepoURL            string
+	Branch             string
+	DockerfilePath     string
+	WebhookSecret      string
+	WebhookSecretHash  string
+	SSHPrivateKey      string
+	SSHPublicKey       string
+	ImageID            sql.NullString
+	PreviousImageID    sql.NullString
+	Status             AppStatus
+	DockerNetwork      sql.NullString
+	NtfyTopic          sql.NullString
+	SlackWebhook       sql.NullString
+	CPULimit           sql.NullFloat64
+	MemoryLimit        sql.NullInt64
+	HealthcheckCommand sql.NullString
+	CreatedAt          time.Time
+	UpdatedAt          time.Time
 }
 
 // NewApp creates a new App with a database reference.
@@ -142,14 +146,16 @@ func (a *App) insert(ctx context.Context) error {
 			id, name, repo_url, branch, dockerfile_path, webhook_secret,
 			ssh_private_key, ssh_public_key, image_id, status,
 			docker_network, ntfy_topic, slack_webhook, webhook_secret_hash,
-			previous_image_id
-		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
+previous_image_id, cpu_limit, memory_limit,
+			healthcheck_command
+		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
 
 	_, err := a.db.Exec(ctx, query,
 		a.ID, a.Name, a.RepoURL, a.Branch, a.DockerfilePath, a.WebhookSecret,
 		a.SSHPrivateKey, a.SSHPublicKey, a.ImageID, a.Status,
 		a.DockerNetwork, a.NtfyTopic, a.SlackWebhook, a.WebhookSecretHash,
-		a.PreviousImageID,
+		a.PreviousImageID, a.CPULimit, a.MemoryLimit,
+		a.HealthcheckCommand,
 	)
 	if err != nil {
 		return err
@@ -164,7 +170,9 @@ func (a *App) update(ctx context.Context) error {
 			name = ?, repo_url = ?, branch = ?, dockerfile_path = ?,
 			image_id = ?, status = ?,
 			docker_network = ?, ntfy_topic = ?, slack_webhook = ?,
-			previous_image_id = ?,
+previous_image_id = ?,
+			cpu_limit = ?, memory_limit = ?,
+			healthcheck_command = ?,
 			updated_at = CURRENT_TIMESTAMP
 		WHERE id = ?`
 
@@ -173,6 +181,8 @@ func (a *App) update(ctx context.Context) error {
 		a.ImageID, a.Status,
 		a.DockerNetwork, a.NtfyTopic, a.SlackWebhook,
 		a.PreviousImageID,
+		a.CPULimit, a.MemoryLimit,
+		a.HealthcheckCommand,
 		a.ID,
 	)
 
@@ -188,6 +198,8 @@ func (a *App) scan(row *sql.Row) error {
 		&a.DockerNetwork, &a.NtfyTopic, &a.SlackWebhook,
 		&a.WebhookSecretHash,
 		&a.PreviousImageID,
+		&a.CPULimit, &a.MemoryLimit,
+		&a.HealthcheckCommand,
 		&a.CreatedAt, &a.UpdatedAt,
 	)
 }
@@ -206,6 +218,8 @@ func scanApps(appDB *database.Database, rows *sql.Rows) ([]*App, error) {
 			&app.DockerNetwork, &app.NtfyTopic, &app.SlackWebhook,
 			&app.WebhookSecretHash,
 			&app.PreviousImageID,
+			&app.CPULimit, &app.MemoryLimit,
+			&app.HealthcheckCommand,
 			&app.CreatedAt, &app.UpdatedAt,
 		)
 		if scanErr != nil {

internal/models/env_var.go

@@ -1,4 +1,3 @@
-//nolint:dupl // Active Record pattern - similar structure to label.go is intentional
 package models
 
 import (
@@ -129,13 +128,48 @@ func FindEnvVarsByAppID(
 	return envVars, rows.Err()
 }
 
-// DeleteEnvVarsByAppID deletes all env vars for an app.
-func DeleteEnvVarsByAppID(
+// EnvVarPair is a key-value pair for bulk env var operations.
+type EnvVarPair struct {
+	Key   string
+	Value string
+}
+
+// ReplaceEnvVarsByAppID atomically replaces all env vars for an app
+// within a single database transaction. It deletes all existing env
+// vars and inserts the provided pairs. If any operation fails, the
+// entire transaction is rolled back.
+func ReplaceEnvVarsByAppID(
 	ctx context.Context,
 	db *database.Database,
 	appID string,
+	pairs []EnvVarPair,
 ) error {
-	_, err := db.Exec(ctx, "DELETE FROM app_env_vars WHERE app_id = ?", appID)
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return fmt.Errorf("beginning transaction: %w", err)
+	}
 
-	return err
+	defer func() { _ = tx.Rollback() }()
+
+	_, err = tx.ExecContext(ctx, "DELETE FROM app_env_vars WHERE app_id = ?", appID)
+	if err != nil {
+		return fmt.Errorf("deleting env vars: %w", err)
+	}
+
+	for _, p := range pairs {
+		_, err = tx.ExecContext(ctx,
+			"INSERT INTO app_env_vars (app_id, key, value) VALUES (?, ?, ?)",
+			appID, p.Key, p.Value,
+		)
+		if err != nil {
+			return fmt.Errorf("inserting env var %q: %w", p.Key, err)
+		}
+	}
+
+	err = tx.Commit()
+	if err != nil {
+		return fmt.Errorf("committing transaction: %w", err)
+	}
+
+	return nil
 }

internal/models/label.go

@@ -1,4 +1,3 @@
-//nolint:dupl // Active Record pattern - similar structure to env_var.go is intentional
 package models
 
 import (

internal/models/models_test.go

@@ -704,6 +704,72 @@ func TestAppGetWebhookEvents(t *testing.T) {
 	assert.Len(t, events, 1)
 }
 
+// App HealthcheckCommand Tests.
+
+func TestAppHealthcheckCommand(t *testing.T) {
+	t.Parallel()
+
+	t.Run("saves and loads healthcheck command", func(t *testing.T) {
+		t.Parallel()
+
+		testDB, cleanup := setupTestDB(t)
+		defer cleanup()
+
+		app := createTestApp(t, testDB)
+		app.HealthcheckCommand = sql.NullString{
+			String: "curl -f http://localhost:8080/healthz || exit 1",
+			Valid:  true,
+		}
+
+		err := app.Save(context.Background())
+		require.NoError(t, err)
+
+		found, err := models.FindApp(context.Background(), testDB, app.ID)
+		require.NoError(t, err)
+		require.NotNil(t, found)
+		assert.True(t, found.HealthcheckCommand.Valid)
+		assert.Equal(t, "curl -f http://localhost:8080/healthz || exit 1", found.HealthcheckCommand.String)
+	})
+
+	t.Run("null when not set", func(t *testing.T) {
+		t.Parallel()
+
+		testDB, cleanup := setupTestDB(t)
+		defer cleanup()
+
+		app := createTestApp(t, testDB)
+
+		found, err := models.FindApp(context.Background(), testDB, app.ID)
+		require.NoError(t, err)
+		require.NotNil(t, found)
+		assert.False(t, found.HealthcheckCommand.Valid)
+	})
+
+	t.Run("can be cleared", func(t *testing.T) {
+		t.Parallel()
+
+		testDB, cleanup := setupTestDB(t)
+		defer cleanup()
+
+		app := createTestApp(t, testDB)
+		app.HealthcheckCommand = sql.NullString{String: "true", Valid: true}
+
+		err := app.Save(context.Background())
+		require.NoError(t, err)
+
+		// Clear it
+		app.HealthcheckCommand = sql.NullString{}
+
+		err = app.Save(context.Background())
+		require.NoError(t, err)
+
+		found, err := models.FindApp(context.Background(), testDB, app.ID)
+		require.NoError(t, err)
+		require.NotNil(t, found)
+		assert.False(t, found.HealthcheckCommand.Valid)
+	})
+}
+
 // Cascade Delete Tests.
 
 //nolint:funlen // Test function with many assertions - acceptable for integration tests
@@ -781,6 +847,96 @@ func TestCascadeDelete(t *testing.T) {
 	})
 }
 
+// Resource Limits Tests.
+
+func TestAppResourceLimits(t *testing.T) { //nolint:funlen // integration test with multiple subtests
+	t.Parallel()
+
+	t.Run("saves and loads CPU limit", func(t *testing.T) {
+		t.Parallel()
+
+		testDB, cleanup := setupTestDB(t)
+		defer cleanup()
+
+		app := createTestApp(t, testDB)
+
+		app.CPULimit = sql.NullFloat64{Float64: 0.5, Valid: true}
+
+		err := app.Save(context.Background())
+		require.NoError(t, err)
+
+		found, err := models.FindApp(context.Background(), testDB, app.ID)
+		require.NoError(t, err)
+		require.NotNil(t, found)
+		assert.True(t, found.CPULimit.Valid)
+		assert.InDelta(t, 0.5, found.CPULimit.Float64, 0.001)
+	})
+
+	t.Run("saves and loads memory limit", func(t *testing.T) {
+		t.Parallel()
+
+		testDB, cleanup := setupTestDB(t)
+		defer cleanup()
+
+		app := createTestApp(t, testDB)
+
+		app.MemoryLimit = sql.NullInt64{Int64: 536870912, Valid: true} // 512m
+
+		err := app.Save(context.Background())
+		require.NoError(t, err)
+
+		found, err := models.FindApp(context.Background(), testDB, app.ID)
+		require.NoError(t, err)
+		require.NotNil(t, found)
+		assert.True(t, found.MemoryLimit.Valid)
+		assert.Equal(t, int64(536870912), found.MemoryLimit.Int64)
+	})
+
+	t.Run("null limits by default", func(t *testing.T) {
+		t.Parallel()
+
+		testDB, cleanup := setupTestDB(t)
+		defer cleanup()
+
+		app := createTestApp(t, testDB)
+
+		found, err := models.FindApp(context.Background(), testDB, app.ID)
+		require.NoError(t, err)
+		require.NotNil(t, found)
+		assert.False(t, found.CPULimit.Valid)
+		assert.False(t, found.MemoryLimit.Valid)
+	})
+
+	t.Run("clears limits when set to null", func(t *testing.T) {
+		t.Parallel()
+
+		testDB, cleanup := setupTestDB(t)
+		defer cleanup()
+
+		app := createTestApp(t, testDB)
+
+		// Set limits
+		app.CPULimit = sql.NullFloat64{Float64: 1.0, Valid: true}
+		app.MemoryLimit = sql.NullInt64{Int64: 1073741824, Valid: true} // 1g
+
+		err := app.Save(context.Background())
+		require.NoError(t, err)
+
+		// Clear limits
+		app.CPULimit = sql.NullFloat64{}
+		app.MemoryLimit = sql.NullInt64{}
+
+		err = app.Save(context.Background())
+		require.NoError(t, err)
+
+		found, err := models.FindApp(context.Background(), testDB, app.ID)
+		require.NoError(t, err)
+		require.NotNil(t, found)
+		assert.False(t, found.CPULimit.Valid)
+		assert.False(t, found.MemoryLimit.Valid)
+	})
+}
+
 // Helper function to create a test app.
 func createTestApp(t *testing.T, testDB *database.Database) *models.App {
 	t.Helper()

internal/server/routes.go

@@ -82,10 +82,8 @@ func (s *Server) SetupRoutes() {
 			r.Post("/apps/{id}/stop", s.handlers.HandleAppStop())
 			r.Post("/apps/{id}/start", s.handlers.HandleAppStart())
 
-			// Environment variables
-			r.Post("/apps/{id}/env-vars", s.handlers.HandleEnvVarAdd())
-			r.Post("/apps/{id}/env-vars/{varID}/edit", s.handlers.HandleEnvVarEdit())
-			r.Post("/apps/{id}/env-vars/{varID}/delete", s.handlers.HandleEnvVarDelete())
+			// Environment variables (monolithic bulk save)
+			r.Post("/apps/{id}/env", s.handlers.HandleEnvVarSave())
 
 			// Labels
 			r.Post("/apps/{id}/labels", s.handlers.HandleLabelAdd())

internal/service/app/app.go

@@ -46,13 +46,14 @@ func New(_ fx.Lifecycle, params ServiceParams) (*Service, error) {
 
 // CreateAppInput contains the input for creating an app.
 type CreateAppInput struct {
-	Name           string
-	RepoURL        string
-	Branch         string
-	DockerfilePath string
-	DockerNetwork  string
-	NtfyTopic      string
-	SlackWebhook   string
+	Name               string
+	RepoURL            string
+	Branch             string
+	DockerfilePath     string
+	DockerNetwork      string
+	NtfyTopic          string
+	SlackWebhook       string
+	HealthcheckCommand string
 }
 
 // CreateApp creates a new application with generated SSH keys and webhook secret.
@@ -100,6 +101,10 @@ func (svc *Service) CreateApp(
 		app.SlackWebhook = sql.NullString{String: input.SlackWebhook, Valid: true}
 	}
 
+	if input.HealthcheckCommand != "" {
+		app.HealthcheckCommand = sql.NullString{String: input.HealthcheckCommand, Valid: true}
+	}
+
 	saveErr := app.Save(ctx)
 	if saveErr != nil {
 		return nil, fmt.Errorf("failed to save app: %w", saveErr)
@@ -112,13 +117,14 @@ func (svc *Service) CreateApp(
 
 // UpdateAppInput contains the input for updating an app.
 type UpdateAppInput struct {
-	Name           string
-	RepoURL        string
-	Branch         string
-	DockerfilePath string
-	DockerNetwork  string
-	NtfyTopic      string
-	SlackWebhook   string
+	Name               string
+	RepoURL            string
+	Branch             string
+	DockerfilePath     string
+	DockerNetwork      string
+	NtfyTopic          string
+	SlackWebhook       string
+	HealthcheckCommand string
 }
 
 // UpdateApp updates an existing application.
@@ -144,6 +150,10 @@ func (svc *Service) UpdateApp(
 		String: input.SlackWebhook,
 		Valid:  input.SlackWebhook != "",
 	}
+	app.HealthcheckCommand = sql.NullString{
+		String: input.HealthcheckCommand,
+		Valid:  input.HealthcheckCommand != "",
+	}
 
 	saveErr := app.Save(ctx)
 	if saveErr != nil {

internal/service/deploy/deploy.go

@@ -1094,17 +1094,44 @@ func (svc *Service) buildContainerOptions(
 		network = app.DockerNetwork.String
 	}
 
+	cpuLimit, memoryLimit := extractResourceLimits(app)
+
+	healthcheckCmd := ""
+	if app.HealthcheckCommand.Valid {
+		healthcheckCmd = app.HealthcheckCommand.String
+	}
+
 	return docker.CreateContainerOptions{
-		Name:    "upaas-" + app.Name,
-		Image:   imageID.String(),
-		Env:     envMap,
-		Labels:  buildLabelMap(app, labels),
-		Volumes: buildVolumeMounts(volumes),
-		Ports:   buildPortMappings(ports),
-		Network: network,
+		Name:               "upaas-" + app.Name,
+		Image:              imageID.String(),
+		Env:                envMap,
+		Labels:             buildLabelMap(app, labels),
+		Volumes:            buildVolumeMounts(volumes),
+		Ports:              buildPortMappings(ports),
+		Network:            network,
+		CPULimit:           cpuLimit,
+		MemoryLimit:        memoryLimit,
+		HealthcheckCommand: healthcheckCmd,
 	}, nil
 }
 
+// extractResourceLimits returns CPU and memory limits from the app model.
+func extractResourceLimits(app *models.App) (float64, int64) {
+	var cpuLimit float64
+
+	if app.CPULimit.Valid {
+		cpuLimit = app.CPULimit.Float64
+	}
+
+	var memoryLimit int64
+
+	if app.MemoryLimit.Valid {
+		memoryLimit = app.MemoryLimit.Int64
+	}
+
+	return cpuLimit, memoryLimit
+}
+
 func buildLabelMap(app *models.App, labels []*models.Label) map[string]string {
 	labelMap := make(map[string]string, len(labels)+upaasLabelCount)
 	for _, label := range labels {

internal/service/deploy/deploy_container_test.go

@@ -2,6 +2,7 @@ package deploy_test
 
 import (
 	"context"
+	"database/sql"
 	"log/slog"
 	"os"
 	"testing"
@@ -43,3 +44,154 @@ func TestBuildContainerOptionsUsesImageID(t *testing.T) {
 		t.Errorf("expected Name=%q, got %q", "upaas-myapp", opts.Name)
 	}
 }
+
+func TestBuildContainerOptionsNoResourceLimits(t *testing.T) {
+	t.Parallel()
+
+	db := database.NewTestDatabase(t)
+
+	app := models.NewApp(db)
+	app.Name = "nolimits"
+
+	err := app.Save(context.Background())
+	if err != nil {
+		t.Fatalf("failed to save app: %v", err)
+	}
+
+	log := slog.New(slog.NewTextHandler(os.Stderr, nil))
+	svc := deploy.NewTestService(log)
+
+	opts, err := svc.BuildContainerOptionsExported(
+		context.Background(), app, docker.ImageID("test:latest"),
+	)
+	if err != nil {
+		t.Fatalf("buildContainerOptions returned error: %v", err)
+	}
+
+	if opts.CPULimit != 0 {
+		t.Errorf("expected CPULimit=0, got %v", opts.CPULimit)
+	}
+
+	if opts.MemoryLimit != 0 {
+		t.Errorf("expected MemoryLimit=0, got %v", opts.MemoryLimit)
+	}
+}
+
+func TestBuildContainerOptionsCPULimit(t *testing.T) {
+	t.Parallel()
+
+	db := database.NewTestDatabase(t)
+
+	app := models.NewApp(db)
+	app.Name = "cpulimit"
+	app.CPULimit = sql.NullFloat64{Float64: 0.5, Valid: true}
+
+	err := app.Save(context.Background())
+	if err != nil {
+		t.Fatalf("failed to save app: %v", err)
+	}
+
+	log := slog.New(slog.NewTextHandler(os.Stderr, nil))
+	svc := deploy.NewTestService(log)
+
+	opts, err := svc.BuildContainerOptionsExported(
+		context.Background(), app, docker.ImageID("test:latest"),
+	)
+	if err != nil {
+		t.Fatalf("buildContainerOptions returned error: %v", err)
+	}
+
+	if opts.CPULimit != 0.5 {
+		t.Errorf("expected CPULimit=0.5, got %v", opts.CPULimit)
+	}
+}
+
+func TestBuildContainerOptionsMemoryLimit(t *testing.T) {
+	t.Parallel()
+
+	db := database.NewTestDatabase(t)
+
+	app := models.NewApp(db)
+	app.Name = "memlimit"
+	app.MemoryLimit = sql.NullInt64{Int64: 536870912, Valid: true} // 512m
+
+	err := app.Save(context.Background())
+	if err != nil {
+		t.Fatalf("failed to save app: %v", err)
+	}
+
+	log := slog.New(slog.NewTextHandler(os.Stderr, nil))
+	svc := deploy.NewTestService(log)
+
+	opts, err := svc.BuildContainerOptionsExported(
+		context.Background(), app, docker.ImageID("test:latest"),
+	)
+	if err != nil {
+		t.Fatalf("buildContainerOptions returned error: %v", err)
+	}
+
+	if opts.MemoryLimit != 536870912 {
+		t.Errorf("expected MemoryLimit=536870912, got %v", opts.MemoryLimit)
+	}
+}
+
+func TestBuildContainerOptionsHealthcheckSet(t *testing.T) {
+	t.Parallel()
+
+	db := database.NewTestDatabase(t)
+
+	app := models.NewApp(db)
+	app.Name = "hc-app"
+	app.HealthcheckCommand = sql.NullString{
+		String: "curl -f http://localhost:8080/healthz || exit 1",
+		Valid:  true,
+	}
+
+	err := app.Save(context.Background())
+	if err != nil {
+		t.Fatalf("failed to save app: %v", err)
+	}
+
+	log := slog.New(slog.NewTextHandler(os.Stderr, nil))
+	svc := deploy.NewTestService(log)
+
+	opts, err := svc.BuildContainerOptionsExported(
+		context.Background(), app, "sha256:test",
+	)
+	if err != nil {
+		t.Fatalf("buildContainerOptions returned error: %v", err)
+	}
+
+	expected := "curl -f http://localhost:8080/healthz || exit 1"
+	if opts.HealthcheckCommand != expected {
+		t.Errorf("expected HealthcheckCommand=%q, got %q", expected, opts.HealthcheckCommand)
+	}
+}
+
+func TestBuildContainerOptionsHealthcheckEmpty(t *testing.T) {
+	t.Parallel()
+
+	db := database.NewTestDatabase(t)
+
+	app := models.NewApp(db)
+	app.Name = "no-hc-app"
+
+	err := app.Save(context.Background())
+	if err != nil {
+		t.Fatalf("failed to save app: %v", err)
+	}
+
+	log := slog.New(slog.NewTextHandler(os.Stderr, nil))
+	svc := deploy.NewTestService(log)
+
+	opts, err := svc.BuildContainerOptionsExported(
+		context.Background(), app, "sha256:test",
+	)
+	if err != nil {
+		t.Fatalf("buildContainerOptions returned error: %v", err)
+	}
+
+	if opts.HealthcheckCommand != "" {
+		t.Errorf("expected empty HealthcheckCommand, got %q", opts.HealthcheckCommand)
+	}
+}

static/js/app-detail.js

@@ -6,6 +6,103 @@
  */
 
 document.addEventListener("alpine:init", () => {
+    // ============================================
+    // Environment Variable Editor Component
+    // ============================================
+    Alpine.data("envVarEditor", (appId) => ({
+        vars: [],
+        editIdx: -1,
+        editKey: "",
+        editVal: "",
+        appId: appId,
+
+        init() {
+            this.vars = Array.from(this.$el.querySelectorAll(".env-init")).map(
+                (span) => ({
+                    key: span.dataset.key,
+                    value: span.dataset.value,
+                }),
+            );
+        },
+
+        startEdit(i) {
+            this.editIdx = i;
+            this.editKey = this.vars[i].key;
+            this.editVal = this.vars[i].value;
+        },
+
+        saveEdit(i) {
+            this.vars[i] = { key: this.editKey, value: this.editVal };
+            this.editIdx = -1;
+            this.submitAll();
+        },
+
+        removeVar(i) {
+            if (!window.confirm("Delete this environment variable?")) {
+                return;
+            }
+
+            this.vars.splice(i, 1);
+            this.submitAll();
+        },
+
+        addVar(keyEl, valEl) {
+            const k = keyEl.value.trim();
+            const v = valEl.value.trim();
+
+            if (!k) {
+                return;
+            }
+
+            this.vars.push({ key: k, value: v });
+            this.submitAll();
+        },
+
+        submitAll() {
+            const csrfInput = this.$el.querySelector(
+                'input[name="gorilla.csrf.Token"]',
+            );
+            const csrfToken = csrfInput ? csrfInput.value : "";
+
+            fetch("/apps/" + this.appId + "/env", {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/json",
+                    "X-CSRF-Token": csrfToken,
+                },
+                body: JSON.stringify(
+                    this.vars.map((e) => ({ key: e.key, value: e.value })),
+                ),
+            })
+                .then((res) => {
+                    if (res.ok) {
+                        window.location.reload();
+                        return;
+                    }
+                    res.json()
+                        .then((data) => {
+                            window.alert(
+                                data.error ||
+                                    "Failed to save environment variables.",
+                            );
+                        })
+                        .catch(() => {
+                            window.alert(
+                                "Failed to save environment variables.",
+                            );
+                        });
+                })
+                .catch(() => {
+                    window.alert(
+                        "Network error: could not save environment variables.",
+                    );
+                });
+        },
+    }));
+
+    // ============================================
+    // App Detail Page Component
+    // ============================================
     Alpine.data("appDetail", (config) => ({
         appId: config.appId,
         currentDeploymentId: config.initialDeploymentId,

templates/app_detail.html

@@ -101,9 +101,10 @@
     </div>
 
     <!-- Environment Variables -->
-    <div class="card p-6 mb-6">
+    <div class="card p-6 mb-6" x-data="envVarEditor('{{.App.ID}}')">
         <h2 class="section-title mb-4">Environment Variables</h2>
-        {{if .EnvVars}}
+        {{range .EnvVars}}<span class="env-init hidden" data-key="{{.Key}}" data-value="{{.Value}}"></span>{{end}}
+        <template x-if="vars.length > 0">
         <div class="overflow-x-auto mb-4">
             <table class="table">
                 <thead class="table-header">
@@ -114,47 +115,43 @@
                     </tr>
                 </thead>
                 <tbody class="table-body">
-                    {{range .EnvVars}}
-                    <tr x-data="{ editing: false }">
-                        <template x-if="!editing">
-                            <td class="font-mono font-medium">{{.Key}}</td>
+                    <template x-for="(env, idx) in vars" :key="idx">
+                    <tr>
+                        <template x-if="editIdx !== idx">
+                            <td class="font-mono font-medium" x-text="env.key"></td>
                         </template>
-                        <template x-if="!editing">
-                            <td class="font-mono text-gray-500">{{.Value}}</td>
+                        <template x-if="editIdx !== idx">
+                            <td class="font-mono text-gray-500" x-text="env.value"></td>
                         </template>
-                        <template x-if="!editing">
+                        <template x-if="editIdx !== idx">
                             <td class="text-right">
-                                <button @click="editing = true" class="text-primary-600 hover:text-primary-800 text-sm mr-2">Edit</button>
-                                <form method="POST" action="/apps/{{$.App.ID}}/env-vars/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this environment variable?')" @submit="confirm($event)">
-                                    {{ $.CSRFField }}
-                                    <button type="submit" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
-                                </form>
+                                <button @click="startEdit(idx)" class="text-primary-600 hover:text-primary-800 text-sm mr-2">Edit</button>
+                                <button @click="removeVar(idx)" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
                             </td>
                         </template>
-                        <template x-if="editing">
+                        <template x-if="editIdx === idx">
                             <td colspan="3">
-                                <form method="POST" action="/apps/{{$.App.ID}}/env-vars/{{.ID}}/edit" class="flex gap-2 items-center">
-                                    {{ $.CSRFField }}
-                                    <input type="text" name="key" value="{{.Key}}" required class="input flex-1 font-mono text-sm">
-                                    <input type="text" name="value" value="{{.Value}}" required class="input flex-1 font-mono text-sm">
+                                <form @submit.prevent="saveEdit(idx)" class="flex gap-2 items-center">
+                                    <input type="text" x-model="editKey" required class="input flex-1 font-mono text-sm">
+                                    <input type="text" x-model="editVal" required class="input flex-1 font-mono text-sm">
                                     <button type="submit" class="btn-primary text-sm">Save</button>
-                                    <button type="button" @click="editing = false" class="text-gray-500 hover:text-gray-700 text-sm">Cancel</button>
+                                    <button type="button" @click="editIdx = -1" class="text-gray-500 hover:text-gray-700 text-sm">Cancel</button>
                                 </form>
                                 <p class="text-xs text-amber-600 mt-1">⚠ Container restart needed after env var changes.</p>
                             </td>
                         </template>
                     </tr>
-                    {{end}}
+                    </template>
                 </tbody>
             </table>
         </div>
-        {{end}}
-        <form method="POST" action="/apps/{{.App.ID}}/env" class="flex flex-col sm:flex-row gap-2">
-                {{ .CSRFField }}
-            <input type="text" name="key" placeholder="KEY" required class="input flex-1 font-mono text-sm">
-            <input type="text" name="value" placeholder="value" required class="input flex-1 font-mono text-sm">
+        </template>
+        <form @submit.prevent="addVar($refs.newKey, $refs.newVal)" class="flex flex-col sm:flex-row gap-2">
+            <input x-ref="newKey" type="text" placeholder="KEY" required class="input flex-1 font-mono text-sm">
+            <input x-ref="newVal" type="text" placeholder="value" required class="input flex-1 font-mono text-sm">
             <button type="submit" class="btn-primary">Add</button>
         </form>
+        <div class="hidden">{{ .CSRFField }}</div>
     </div>
 
     <!-- Labels -->

templates/app_edit.html

@@ -114,6 +114,51 @@
                 >
             </div>
 
+<div class="form-group">
+                <label for="healthcheck_command" class="label">Health Check Command</label>
+                <input
+                    type="text"
+                    id="healthcheck_command"
+                    name="healthcheck_command"
+                    value="{{if .App.HealthcheckCommand.Valid}}{{.App.HealthcheckCommand.String}}{{end}}"
+                    class="input font-mono"
+                    placeholder="curl -f http://localhost:8080/healthz || exit 1"
+                >
+                <p class="text-sm text-gray-500 mt-1">Custom shell command to check container health. Leave empty to use the image's default health check.</p>
+            </div>
+
+            <hr class="border-gray-200">
+
+            <h3 class="text-lg font-medium text-gray-900">Resource Limits</h3>
+
+            <div class="grid grid-cols-2 gap-4">
+                <div class="form-group">
+                    <label for="cpu_limit" class="label">CPU Limit (cores)</label>
+                    <input
+                        type="text"
+                        id="cpu_limit"
+                        name="cpu_limit"
+                        value="{{if .App.CPULimit.Valid}}{{.App.CPULimit.Float64}}{{end}}"
+                        class="input"
+                        placeholder="e.g. 0.5, 1, 2"
+                    >
+                    <p class="text-sm text-gray-500 mt-1">Number of CPU cores (e.g. 0.5 = half a core)</p>
+                </div>
+
+                <div class="form-group">
+                    <label for="memory_limit" class="label">Memory Limit</label>
+                    <input
+                        type="text"
+                        id="memory_limit"
+                        name="memory_limit"
+                        value="{{if .App.MemoryLimit.Valid}}{{formatMemoryBytes .App.MemoryLimit.Int64}}{{end}}"
+                        class="input"
+                        placeholder="e.g. 256m, 1g"
+                    >
+                    <p class="text-sm text-gray-500 mt-1">Memory with unit suffix (k, m, g) or plain bytes</p>
+                </div>
+            </div>
+
             <div class="flex justify-end gap-3 pt-4">
                 <a href="/apps/{{.App.ID}}" class="btn-secondary">Cancel</a>
                 <button type="submit" class="btn-primary">Save Changes</button>

templates/app_new.html

@@ -117,6 +117,19 @@
                 >
             </div>
 
+            <div class="form-group">
+                <label for="healthcheck_command" class="label">Health Check Command</label>
+                <input
+                    type="text"
+                    id="healthcheck_command"
+                    name="healthcheck_command"
+                    value="{{.HealthcheckCommand}}"
+                    class="input font-mono"
+                    placeholder="curl -f http://localhost:8080/healthz || exit 1"
+                >
+                <p class="text-sm text-gray-500 mt-1">Custom shell command to check container health. Leave empty to use the image's default health check.</p>
+            </div>
+
             <div class="flex justify-end gap-3 pt-4">
                 <a href="/" class="btn-secondary">Cancel</a>
                 <button type="submit" class="btn-primary">Create App</button>

templates/templates.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"html/template"
 	"io"
+	"strconv"
 	"sync"
 )
 
@@ -23,6 +24,34 @@ var (
 	templatesMutex sync.RWMutex
 )
 
+// templateFuncs returns the custom template function map.
+func templateFuncs() template.FuncMap {
+	return template.FuncMap{
+		"formatMemoryBytes": formatMemoryBytes,
+	}
+}
+
+// Memory unit constants.
+const (
+	memGigabyte = 1024 * 1024 * 1024
+	memMegabyte = 1024 * 1024
+	memKilobyte = 1024
+)
+
+// formatMemoryBytes formats bytes into a human-readable string with unit suffix.
+func formatMemoryBytes(bytes int64) string {
+	switch {
+	case bytes >= memGigabyte && bytes%memGigabyte == 0:
+		return strconv.FormatInt(bytes/memGigabyte, 10) + "g"
+	case bytes >= memMegabyte && bytes%memMegabyte == 0:
+		return strconv.FormatInt(bytes/memMegabyte, 10) + "m"
+	case bytes >= memKilobyte && bytes%memKilobyte == 0:
+		return strconv.FormatInt(bytes/memKilobyte, 10) + "k"
+	default:
+		return strconv.FormatInt(bytes, 10)
+	}
+}
+
 // initTemplates parses base template and creates cloned templates for each page.
 func initTemplates() {
 	templatesMutex.Lock()
@@ -32,8 +61,10 @@ func initTemplates() {
 		return
 	}
 
-	// Parse base template with shared components
-	baseTemplate = template.Must(template.ParseFS(templatesRaw, "base.html"))
+	// Parse base template with shared components and custom functions
+	baseTemplate = template.Must(
+		template.New("base.html").Funcs(templateFuncs()).ParseFS(templatesRaw, "base.html"),
+	)
 
 	// Pages that extend base
 	pages := []string{

templates/templates_test.go

@@ -0,0 +1,34 @@
+package templates //nolint:testpackage // tests unexported formatMemoryBytes
+
+import (
+	"testing"
+)
+
+func TestFormatMemoryBytes(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name     string
+		bytes    int64
+		expected string
+	}{
+		{"gigabytes", 1024 * 1024 * 1024, "1g"},
+		{"two gigabytes", 2 * 1024 * 1024 * 1024, "2g"},
+		{"megabytes", 256 * 1024 * 1024, "256m"},
+		{"kilobytes", 512 * 1024, "512k"},
+		{"plain bytes", 12345, "12345"},
+		{"non-even megabytes", 256*1024*1024 + 1, "268435457"},
+		{"zero", 0, "0"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			got := formatMemoryBytes(tt.bytes)
+			if got != tt.expected {
+				t.Errorf("formatMemoryBytes(%d) = %q, want %q", tt.bytes, got, tt.expected)
+			}
+		})
+	}
+}