1.0.5

compose example
bmac
2026-06-18 03:20:43 +03:00 · 2026-01-01 16:00:34 +01:00 · 2025-12-29 15:29:33 +01:00 · 2025-12-29 13:46:13 +01:00 · 2025-12-29 13:39:36 +01:00 · 2025-12-29 13:37:26 +01:00
584 changed files with 23076 additions and 3671 deletions
@@ -0,0 +1,3 @@
+buy_me_a_coffee:
+  displayName: "Buy Me a Coffee"
+  account: dockhand
@@ -0,0 +1,2 @@
+.idea/
+.DS_Store
@@ -0,0 +1,86 @@
+# Build stage - using Debian to avoid Alpine musl thread creation issues
+# Alpine's musl libc causes rayon/tokio thread pool panics during svelte-adapter-bun build
+FROM oven/bun:1.3.5-debian AS builder
+
+WORKDIR /app
+
+# Install build dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends jq git && rm -rf /var/lib/apt/lists/*
+
+# Copy package files and install ALL dependencies (needed for build)
+COPY package.json bun.lock* bunfig.toml ./
+RUN bun install --frozen-lockfile
+
+# Copy source code and build
+COPY . .
+
+# Build with parallelism - dedicated build VM has 16 CPUs and 32GB RAM
+# Increased memory limits for parallel compilation with larger semi-space for GC
+RUN NODE_OPTIONS="--max-old-space-size=8192 --max-semi-space-size=128" bun run build
+
+# Production stage - minimal Alpine with Bun runtime
+FROM oven/bun:1.3.5-alpine
+
+WORKDIR /app
+
+# Install runtime dependencies, create user
+# Add sqlite for emergency scripts, git for stack git operations, curl for healthchecks
+# Add docker-cli and docker-cli-compose for stack management (uses host's docker socket)
+# Add openssh-client for SSH key authentication with git repositories
+# Upgrade all packages to latest versions for security patches
+RUN apk upgrade --no-cache \
+    && apk add --no-cache curl git tini su-exec sqlite docker-cli docker-cli-compose openssh-client iproute2 \
+    && addgroup -g 1001 dockhand \
+    && adduser -u 1001 -G dockhand -h /home/dockhand -D dockhand
+
+# Copy package files and install production dependencies
+# This is needed because svelte-adapter-bun externalizes some packages (croner, etc.)
+# that need to be available at runtime. Installing at build time is more reliable
+# than Bun's auto-install which requires network access and writable cache.
+COPY package.json bun.lock* ./
+RUN bun install --production --frozen-lockfile
+
+# Copy built application (Bun adapter output)
+COPY --from=builder /app/build ./build
+
+# Copy bundled subprocess scripts (built by scripts/build-subprocesses.ts)
+COPY --from=builder /app/build/subprocesses/ ./subprocesses/
+
+# Copy database migrations
+COPY drizzle/ ./drizzle/
+COPY drizzle-pg/ ./drizzle-pg/
+
+# Copy legal documents
+COPY LICENSE.txt PRIVACY.txt ./
+
+# Copy entrypoint script
+COPY docker-entrypoint.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
+
+# Copy emergency scripts (only the emergency subfolder, not license generation scripts)
+COPY scripts/emergency/ ./scripts/
+RUN chmod +x ./scripts/*.sh ./scripts/**/*.sh 2>/dev/null || true
+
+# Create directories with proper ownership
+RUN mkdir -p /home/dockhand/.dockhand/stacks /app/data \
+    && chown -R dockhand:dockhand /app /home/dockhand
+
+EXPOSE 3000
+
+# Runtime configuration
+ENV NODE_ENV=production
+ENV PORT=3000
+ENV HOST=0.0.0.0
+ENV DATA_DIR=/app/data
+ENV HOME=/home/dockhand
+
+# User/group IDs - customize with -e PUID=1000 -e PGID=1000
+# The entrypoint will recreate the dockhand user with these IDs
+ENV PUID=1001
+ENV PGID=1001
+
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+  CMD curl -f http://localhost:3000/ || exit 1
+
+ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/docker-entrypoint.sh"]
+CMD ["bun", "run", "./build/index.js"]
@@ -123,6 +123,6 @@ under an Open Source License, as stated in this License.

 For licensing inquiries, commercial licensing, or enterprise features:

-  Website: https://dockhand.io
+  Website: https://dockhand.pro

 -----------------------------------------------------------------------------
@@ -1,5 +1,5 @@
 <p align="center">
-  <img src="images/logo.webp" alt="Dockhand" width="300">
+  <img src="src/images/logo.webp" alt="Dockhand" width="300">
 </p>

 <p align="center">
@@ -7,8 +7,8 @@
 </p>

 <p align="center">
-  <a href="https://dockhand.io">Website</a> •
-  <a href="https://dockhand.io/docs">Documentation</a> •
+  <a href="https://dockhand.pro">Website</a> •
+  <a href="https://dockhand.pro/manual">Documentation</a> •
  <a href="#license">License</a>
 </p>

@@ -33,7 +33,7 @@ Dockhand is a modern, efficient Docker management application providing real-tim
 - **Frontend**: SvelteKit 2, Svelte 5, shadcn-svelte, TailwindCSS
 - **Backend**: Bun runtime with SvelteKit API routes
 - **Database**: SQLite or PostgreSQL via Drizzle ORM
- **Docker**: Dockerode library
+- **Docker**: direct docker API calls.

 ## License

@@ -47,10 +47,18 @@ Dockhand is licensed under the [Business Source License 1.1](LICENSE.txt) (BSL 1

 See [LICENSE.txt](LICENSE.txt) for full terms.

+
+<a href="https://buymeacoffee.com/dockhand" target="_blank">
+  <img src="https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png"
+       alt="Buy Me A Coffee"
+       height="40">
+</a>
+
+
 ## Links

- **Website**: [https://dockhand.io](https://dockhand.io)
- **Documentation**: [https://dockhand.io/docs](https://dockhand.io/docs)
+- **Website**: [https://dockhand.pro](https://dockhand.pro)
+- **Documentation**: [https://dockhand.pro/manual](https://dockhand.pro/manual)

 ---

@@ -0,0 +1,9 @@
+# Bun configuration for Dockhand
+
+[install]
+# Use exact versions for reproducible builds
+exact = true
+
+[run]
+# Enable source maps for better error messages
+sourcemap = "external"
@@ -0,0 +1,16 @@
+{
+	"$schema": "https://shadcn-svelte.com/schema.json",
+	"tailwind": {
+		"css": "src/app.css",
+		"baseColor": "slate"
+	},
+	"aliases": {
+		"components": "$lib/components",
+		"utils": "$lib/utils",
+		"ui": "$lib/components/ui",
+		"hooks": "$lib/hooks",
+		"lib": "$lib"
+	},
+	"typescript": true,
+	"registry": "https://shadcn-svelte.com/registry"
+}
@@ -0,0 +1,25 @@
+services:
+  postgres:
+    image: postgres:16-alpine
+    environment:
+      POSTGRES_USER: dockhand
+      POSTGRES_PASSWORD: changeme
+      POSTGRES_DB: dockhand
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+
+  dockhand:
+    image: fnsys/dockhand:latest
+    ports:
+      - 3000:3000
+    environment:
+      DATABASE_URL: postgres://dockhand:changeme@postgres:5432/dockhand
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - dockhand_data:/app/data
+    depends_on:
+      - postgres
+
+volumes:
+  postgres_data:
+  dockhand_data:
@@ -0,0 +1,13 @@
+services:
+  dockhand:
+    image: fnsys/dockhand:latest
+    container_name: dockhand
+    restart: unless-stopped
+    ports:
+      - 3000:3000
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - dockhand_data:/app/data
+
+volumes:
+  dockhand_data:
@@ -0,0 +1,176 @@
+#!/bin/sh
+set -e
+
+# Dockhand Docker Entrypoint
+# === Configuration ===
+PUID=${PUID:-1001}
+PGID=${PGID:-1001}
+
+# === Detect if running as root ===
+RUNNING_AS_ROOT=false
+if [ "$(id -u)" = "0" ]; then
+    RUNNING_AS_ROOT=true
+fi
+
+# === Non-root mode (user: directive in compose) ===
+# If container started as non-root, skip all user management and run directly
+if [ "$RUNNING_AS_ROOT" = "false" ]; then
+    echo "Running as user $(id -u):$(id -g) (set via container user directive)"
+
+    # Ensure data directories exist (user must have write access to DATA_DIR via volume mount)
+    DATA_DIR="${DATA_DIR:-/app/data}"
+    if [ ! -d "$DATA_DIR/db" ]; then
+        echo "Creating database directory at $DATA_DIR/db"
+        mkdir -p "$DATA_DIR/db" 2>/dev/null || {
+            echo "ERROR: Cannot create $DATA_DIR/db directory"
+            echo "Ensure the data volume is mounted with correct permissions for user $(id -u):$(id -g)"
+            echo ""
+            echo "Example docker-compose.yml:"
+            echo "  volumes:"
+            echo "    - ./data:/app/data  # This directory must be writable by user $(id -u)"
+            exit 1
+        }
+    fi
+    if [ ! -d "$DATA_DIR/stacks" ]; then
+        mkdir -p "$DATA_DIR/stacks" 2>/dev/null || true
+    fi
+
+    # Check Docker socket access if mounted
+    SOCKET_PATH="/var/run/docker.sock"
+    if [ -S "$SOCKET_PATH" ]; then
+        if test -r "$SOCKET_PATH" 2>/dev/null; then
+            echo "Docker socket accessible at $SOCKET_PATH"
+            # Detect hostname from Docker if not set
+            if [ -z "$DOCKHAND_HOSTNAME" ]; then
+                DETECTED_HOSTNAME=$(curl -s --unix-socket "$SOCKET_PATH" http://localhost/info 2>/dev/null | sed -n 's/.*"Name":"\([^"]*\)".*/\1/p')
+                if [ -n "$DETECTED_HOSTNAME" ]; then
+                    export DOCKHAND_HOSTNAME="$DETECTED_HOSTNAME"
+                    echo "Detected Docker host hostname: $DOCKHAND_HOSTNAME"
+                fi
+            fi
+        else
+            SOCKET_GID=$(stat -c '%g' "$SOCKET_PATH" 2>/dev/null || echo "unknown")
+            echo "WARNING: Docker socket not readable by user $(id -u)"
+            echo "Add --group-add $SOCKET_GID to your docker run command"
+        fi
+    else
+        echo "No Docker socket found at $SOCKET_PATH"
+        echo "Configure Docker environments via the web UI (Settings > Environments)"
+    fi
+
+    # Run directly as current user (no su-exec needed)
+    if [ "$1" = "" ]; then
+        exec bun run ./build/index.js
+    else
+        exec "$@"
+    fi
+fi
+
+# === User Setup ===
+# Root mode: PUID=0 requested OR already running as root with default PUID/PGID
+if [ "$PUID" = "0" ]; then
+    echo "Running as root user (PUID=0)"
+    RUN_USER="root"
+elif [ "$RUNNING_AS_ROOT" = "true" ] && [ "$PUID" = "1001" ] && [ "$PGID" = "1001" ]; then
+    echo "Running as root user"
+    RUN_USER="root"
+else
+    RUN_USER="dockhand"
+    # Only modify if PUID/PGID differ from image defaults (1001:1001)
+    if [ "$PUID" != "1001" ] || [ "$PGID" != "1001" ]; then
+        echo "Configuring user with PUID=$PUID PGID=$PGID"
+
+        # Remove existing dockhand user/group (only dockhand, not others)
+        deluser dockhand 2>/dev/null || true
+        delgroup dockhand 2>/dev/null || true
+
+        # Check for UID conflicts - warn but don't delete other users
+        if getent passwd "$PUID" >/dev/null 2>&1; then
+            EXISTING=$(getent passwd "$PUID" | cut -d: -f1)
+            echo "WARNING: UID $PUID already in use by '$EXISTING'. Using default UID 1001."
+            PUID=1001
+        fi
+
+        # Handle GID - reuse existing group or create new
+        if getent group "$PGID" >/dev/null 2>&1; then
+            TARGET_GROUP=$(getent group "$PGID" | cut -d: -f1)
+        else
+            addgroup -g "$PGID" dockhand
+            TARGET_GROUP="dockhand"
+        fi
+
+        adduser -u "$PUID" -G "$TARGET_GROUP" -h /home/dockhand -D dockhand
+    fi
+
+    # === Directory Ownership ===
+    chown -R dockhand:dockhand /app/data /home/dockhand 2>/dev/null || true
+
+    if [ -n "$DATA_DIR" ] && [ "$DATA_DIR" != "/app/data" ] && [ "$DATA_DIR" != "./data" ]; then
+        mkdir -p "$DATA_DIR"
+        chown -R dockhand:dockhand "$DATA_DIR" 2>/dev/null || true
+    fi
+fi
+
+# === Docker Socket Access (Optional) ===
+# Check if Docker socket is mounted and accessible
+# Socket path can be configured via environment-specific settings in the app
+SOCKET_PATH="/var/run/docker.sock"
+
+if [ -S "$SOCKET_PATH" ]; then
+    # Socket exists - check if readable
+    if [ "$RUN_USER" != "root" ]; then
+        if ! su-exec "$RUN_USER" test -r "$SOCKET_PATH" 2>/dev/null; then
+            SOCKET_GID=$(stat -c '%g' "$SOCKET_PATH" 2>/dev/null || echo "unknown")
+            echo "WARNING: Docker socket at $SOCKET_PATH is not readable by dockhand user"
+            echo ""
+            echo "To use local Docker, fix with one of these options:"
+            echo ""
+            echo "  1. Add container to docker group (GID: $SOCKET_GID):"
+            echo "     docker run --group-add $SOCKET_GID ..."
+            echo ""
+            echo "  2. Use a socket proxy:"
+            echo "     Configure a 'direct' environment pointing to tcp://socket-proxy:2375"
+            echo ""
+            echo "  3. Make socket world-readable (less secure):"
+            echo "     chmod 666 /var/run/docker.sock"
+            echo ""
+            echo "Continuing startup - configure environments via the web UI..."
+        else
+            echo "Docker socket accessible at $SOCKET_PATH"
+        fi
+    else
+        echo "Docker socket accessible at $SOCKET_PATH"
+    fi
+
+    # === Detect Docker Host Hostname (for license validation) ===
+    # Query Docker API to get the real host hostname (not container ID)
+    if [ -z "$DOCKHAND_HOSTNAME" ]; then
+        DETECTED_HOSTNAME=$(curl -s --unix-socket "$SOCKET_PATH" http://localhost/info 2>/dev/null | sed -n 's/.*"Name":"\([^"]*\)".*/\1/p')
+        if [ -n "$DETECTED_HOSTNAME" ]; then
+            export DOCKHAND_HOSTNAME="$DETECTED_HOSTNAME"
+            echo "Detected Docker host hostname: $DOCKHAND_HOSTNAME"
+        fi
+    else
+        echo "Using configured hostname: $DOCKHAND_HOSTNAME"
+    fi
+else
+    echo "No Docker socket found at $SOCKET_PATH"
+    echo "Configure Docker environments via the web UI (Settings > Environments)"
+fi
+
+# === Run Application ===
+if [ "$RUN_USER" = "root" ]; then
+    # Running as root - execute directly
+    if [ "$1" = "" ]; then
+        exec bun run ./build/index.js
+    else
+        exec "$@"
+    fi
+else
+    # Running as dockhand user
+    if [ "$1" = "" ]; then
+        exec su-exec dockhand bun run ./build/index.js
+    else
+        exec su-exec dockhand "$@"
+    fi
+fi
@@ -0,0 +1,401 @@
+CREATE TABLE "audit_logs" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"user_id" integer,
+	"username" text NOT NULL,
+	"action" text NOT NULL,
+	"entity_type" text NOT NULL,
+	"entity_id" text,
+	"entity_name" text,
+	"environment_id" integer,
+	"description" text,
+	"details" text,
+	"ip_address" text,
+	"user_agent" text,
+	"created_at" timestamp DEFAULT now()
+);
+--> statement-breakpoint
+CREATE TABLE "auth_settings" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"auth_enabled" boolean DEFAULT false,
+	"default_provider" text DEFAULT 'local',
+	"session_timeout" integer DEFAULT 86400,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now()
+);
+--> statement-breakpoint
+CREATE TABLE "auto_update_settings" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"environment_id" integer,
+	"container_name" text NOT NULL,
+	"enabled" boolean DEFAULT false,
+	"schedule_type" text DEFAULT 'daily',
+	"cron_expression" text,
+	"vulnerability_criteria" text DEFAULT 'never',
+	"last_checked" timestamp,
+	"last_updated" timestamp,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "auto_update_settings_environment_id_container_name_unique" UNIQUE("environment_id","container_name")
+);
+--> statement-breakpoint
+CREATE TABLE "config_sets" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"name" text NOT NULL,
+	"description" text,
+	"env_vars" text,
+	"labels" text,
+	"ports" text,
+	"volumes" text,
+	"network_mode" text DEFAULT 'bridge',
+	"restart_policy" text DEFAULT 'no',
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "config_sets_name_unique" UNIQUE("name")
+);
+--> statement-breakpoint
+CREATE TABLE "container_events" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"environment_id" integer,
+	"container_id" text NOT NULL,
+	"container_name" text,
+	"image" text,
+	"action" text NOT NULL,
+	"actor_attributes" text,
+	"timestamp" timestamp NOT NULL,
+	"created_at" timestamp DEFAULT now()
+);
+--> statement-breakpoint
+CREATE TABLE "environment_notifications" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"environment_id" integer NOT NULL,
+	"notification_id" integer NOT NULL,
+	"enabled" boolean DEFAULT true,
+	"event_types" text,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "environment_notifications_environment_id_notification_id_unique" UNIQUE("environment_id","notification_id")
+);
+--> statement-breakpoint
+CREATE TABLE "environments" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"name" text NOT NULL,
+	"host" text,
+	"port" integer DEFAULT 2375,
+	"protocol" text DEFAULT 'http',
+	"tls_ca" text,
+	"tls_cert" text,
+	"tls_key" text,
+	"tls_skip_verify" boolean DEFAULT false,
+	"icon" text DEFAULT 'globe',
+	"collect_activity" boolean DEFAULT true,
+	"collect_metrics" boolean DEFAULT true,
+	"highlight_changes" boolean DEFAULT true,
+	"labels" text,
+	"connection_type" text DEFAULT 'socket',
+	"socket_path" text DEFAULT '/var/run/docker.sock',
+	"hawser_token" text,
+	"hawser_last_seen" timestamp,
+	"hawser_agent_id" text,
+	"hawser_agent_name" text,
+	"hawser_version" text,
+	"hawser_capabilities" text,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "environments_name_unique" UNIQUE("name")
+);
+--> statement-breakpoint
+CREATE TABLE "git_credentials" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"name" text NOT NULL,
+	"auth_type" text DEFAULT 'none' NOT NULL,
+	"username" text,
+	"password" text,
+	"ssh_private_key" text,
+	"ssh_passphrase" text,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "git_credentials_name_unique" UNIQUE("name")
+);
+--> statement-breakpoint
+CREATE TABLE "git_repositories" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"name" text NOT NULL,
+	"url" text NOT NULL,
+	"branch" text DEFAULT 'main',
+	"credential_id" integer,
+	"compose_path" text DEFAULT 'docker-compose.yml',
+	"environment_id" integer,
+	"auto_update" boolean DEFAULT false,
+	"auto_update_schedule" text DEFAULT 'daily',
+	"auto_update_cron" text DEFAULT '0 3 * * *',
+	"webhook_enabled" boolean DEFAULT false,
+	"webhook_secret" text,
+	"last_sync" timestamp,
+	"last_commit" text,
+	"sync_status" text DEFAULT 'pending',
+	"sync_error" text,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "git_repositories_name_unique" UNIQUE("name")
+);
+--> statement-breakpoint
+CREATE TABLE "git_stacks" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"stack_name" text NOT NULL,
+	"environment_id" integer,
+	"repository_id" integer NOT NULL,
+	"compose_path" text DEFAULT 'docker-compose.yml',
+	"auto_update" boolean DEFAULT false,
+	"auto_update_schedule" text DEFAULT 'daily',
+	"auto_update_cron" text DEFAULT '0 3 * * *',
+	"webhook_enabled" boolean DEFAULT false,
+	"webhook_secret" text,
+	"last_sync" timestamp,
+	"last_commit" text,
+	"sync_status" text DEFAULT 'pending',
+	"sync_error" text,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "git_stacks_stack_name_environment_id_unique" UNIQUE("stack_name","environment_id")
+);
+--> statement-breakpoint
+CREATE TABLE "hawser_tokens" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"token" text NOT NULL,
+	"token_prefix" text NOT NULL,
+	"name" text NOT NULL,
+	"environment_id" integer,
+	"is_active" boolean DEFAULT true,
+	"last_used" timestamp,
+	"created_at" timestamp DEFAULT now(),
+	"expires_at" timestamp,
+	CONSTRAINT "hawser_tokens_token_unique" UNIQUE("token")
+);
+--> statement-breakpoint
+CREATE TABLE "host_metrics" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"environment_id" integer,
+	"cpu_percent" double precision NOT NULL,
+	"memory_percent" double precision NOT NULL,
+	"memory_used" bigint,
+	"memory_total" bigint,
+	"timestamp" timestamp DEFAULT now()
+);
+--> statement-breakpoint
+CREATE TABLE "ldap_config" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"name" text NOT NULL,
+	"enabled" boolean DEFAULT false,
+	"server_url" text NOT NULL,
+	"bind_dn" text,
+	"bind_password" text,
+	"base_dn" text NOT NULL,
+	"user_filter" text DEFAULT '(uid={{username}})',
+	"username_attribute" text DEFAULT 'uid',
+	"email_attribute" text DEFAULT 'mail',
+	"display_name_attribute" text DEFAULT 'cn',
+	"group_base_dn" text,
+	"group_filter" text,
+	"admin_group" text,
+	"role_mappings" text,
+	"tls_enabled" boolean DEFAULT false,
+	"tls_ca" text,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now()
+);
+--> statement-breakpoint
+CREATE TABLE "notification_settings" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"type" text NOT NULL,
+	"name" text NOT NULL,
+	"enabled" boolean DEFAULT true,
+	"config" text NOT NULL,
+	"event_types" text,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now()
+);
+--> statement-breakpoint
+CREATE TABLE "oidc_config" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"name" text NOT NULL,
+	"enabled" boolean DEFAULT false,
+	"issuer_url" text NOT NULL,
+	"client_id" text NOT NULL,
+	"client_secret" text NOT NULL,
+	"redirect_uri" text NOT NULL,
+	"scopes" text DEFAULT 'openid profile email',
+	"username_claim" text DEFAULT 'preferred_username',
+	"email_claim" text DEFAULT 'email',
+	"display_name_claim" text DEFAULT 'name',
+	"admin_claim" text,
+	"admin_value" text,
+	"role_mappings_claim" text DEFAULT 'groups',
+	"role_mappings" text,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now()
+);
+--> statement-breakpoint
+CREATE TABLE "registries" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"name" text NOT NULL,
+	"url" text NOT NULL,
+	"username" text,
+	"password" text,
+	"is_default" boolean DEFAULT false,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "registries_name_unique" UNIQUE("name")
+);
+--> statement-breakpoint
+CREATE TABLE "roles" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"name" text NOT NULL,
+	"description" text,
+	"is_system" boolean DEFAULT false,
+	"permissions" text NOT NULL,
+	"environment_ids" text,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "roles_name_unique" UNIQUE("name")
+);
+--> statement-breakpoint
+CREATE TABLE "schedule_executions" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"schedule_type" text NOT NULL,
+	"schedule_id" integer NOT NULL,
+	"environment_id" integer,
+	"entity_name" text NOT NULL,
+	"triggered_by" text NOT NULL,
+	"triggered_at" timestamp NOT NULL,
+	"started_at" timestamp,
+	"completed_at" timestamp,
+	"duration" integer,
+	"status" text NOT NULL,
+	"error_message" text,
+	"details" text,
+	"logs" text,
+	"created_at" timestamp DEFAULT now()
+);
+--> statement-breakpoint
+CREATE TABLE "sessions" (
+	"id" text PRIMARY KEY NOT NULL,
+	"user_id" integer NOT NULL,
+	"provider" text NOT NULL,
+	"expires_at" timestamp NOT NULL,
+	"created_at" timestamp DEFAULT now()
+);
+--> statement-breakpoint
+CREATE TABLE "settings" (
+	"key" text PRIMARY KEY NOT NULL,
+	"value" text NOT NULL,
+	"updated_at" timestamp DEFAULT now()
+);
+--> statement-breakpoint
+CREATE TABLE "stack_events" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"environment_id" integer,
+	"stack_name" text NOT NULL,
+	"event_type" text NOT NULL,
+	"timestamp" timestamp DEFAULT now(),
+	"metadata" text
+);
+--> statement-breakpoint
+CREATE TABLE "stack_sources" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"stack_name" text NOT NULL,
+	"environment_id" integer,
+	"source_type" text DEFAULT 'internal' NOT NULL,
+	"git_repository_id" integer,
+	"git_stack_id" integer,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "stack_sources_stack_name_environment_id_unique" UNIQUE("stack_name","environment_id")
+);
+--> statement-breakpoint
+CREATE TABLE "user_preferences" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"user_id" integer,
+	"environment_id" integer,
+	"key" text NOT NULL,
+	"value" text NOT NULL,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "user_preferences_user_id_environment_id_key_unique" UNIQUE("user_id","environment_id","key")
+);
+--> statement-breakpoint
+CREATE TABLE "user_roles" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"user_id" integer NOT NULL,
+	"role_id" integer NOT NULL,
+	"environment_id" integer,
+	"created_at" timestamp DEFAULT now(),
+	CONSTRAINT "user_roles_user_id_role_id_environment_id_unique" UNIQUE("user_id","role_id","environment_id")
+);
+--> statement-breakpoint
+CREATE TABLE "users" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"username" text NOT NULL,
+	"email" text,
+	"password_hash" text NOT NULL,
+	"display_name" text,
+	"avatar" text,
+	"auth_provider" text DEFAULT 'local',
+	"mfa_enabled" boolean DEFAULT false,
+	"mfa_secret" text,
+	"is_active" boolean DEFAULT true,
+	"last_login" timestamp,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "users_username_unique" UNIQUE("username")
+);
+--> statement-breakpoint
+CREATE TABLE "vulnerability_scans" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"environment_id" integer,
+	"image_id" text NOT NULL,
+	"image_name" text NOT NULL,
+	"scanner" text NOT NULL,
+	"scanned_at" timestamp NOT NULL,
+	"scan_duration" integer,
+	"critical_count" integer DEFAULT 0,
+	"high_count" integer DEFAULT 0,
+	"medium_count" integer DEFAULT 0,
+	"low_count" integer DEFAULT 0,
+	"negligible_count" integer DEFAULT 0,
+	"unknown_count" integer DEFAULT 0,
+	"vulnerabilities" text,
+	"error" text,
+	"created_at" timestamp DEFAULT now()
+);
+--> statement-breakpoint
+ALTER TABLE "audit_logs" ADD CONSTRAINT "audit_logs_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "audit_logs" ADD CONSTRAINT "audit_logs_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "auto_update_settings" ADD CONSTRAINT "auto_update_settings_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "container_events" ADD CONSTRAINT "container_events_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "environment_notifications" ADD CONSTRAINT "environment_notifications_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "environment_notifications" ADD CONSTRAINT "environment_notifications_notification_id_notification_settings_id_fk" FOREIGN KEY ("notification_id") REFERENCES "public"."notification_settings"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "git_repositories" ADD CONSTRAINT "git_repositories_credential_id_git_credentials_id_fk" FOREIGN KEY ("credential_id") REFERENCES "public"."git_credentials"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "git_stacks" ADD CONSTRAINT "git_stacks_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "git_stacks" ADD CONSTRAINT "git_stacks_repository_id_git_repositories_id_fk" FOREIGN KEY ("repository_id") REFERENCES "public"."git_repositories"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "hawser_tokens" ADD CONSTRAINT "hawser_tokens_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "host_metrics" ADD CONSTRAINT "host_metrics_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "schedule_executions" ADD CONSTRAINT "schedule_executions_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "sessions" ADD CONSTRAINT "sessions_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "stack_events" ADD CONSTRAINT "stack_events_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "stack_sources" ADD CONSTRAINT "stack_sources_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "stack_sources" ADD CONSTRAINT "stack_sources_git_repository_id_git_repositories_id_fk" FOREIGN KEY ("git_repository_id") REFERENCES "public"."git_repositories"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "stack_sources" ADD CONSTRAINT "stack_sources_git_stack_id_git_stacks_id_fk" FOREIGN KEY ("git_stack_id") REFERENCES "public"."git_stacks"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "user_preferences" ADD CONSTRAINT "user_preferences_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "user_preferences" ADD CONSTRAINT "user_preferences_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "user_roles" ADD CONSTRAINT "user_roles_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "user_roles" ADD CONSTRAINT "user_roles_role_id_roles_id_fk" FOREIGN KEY ("role_id") REFERENCES "public"."roles"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "user_roles" ADD CONSTRAINT "user_roles_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "vulnerability_scans" ADD CONSTRAINT "vulnerability_scans_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+CREATE INDEX "audit_logs_user_id_idx" ON "audit_logs" USING btree ("user_id");--> statement-breakpoint
+CREATE INDEX "audit_logs_created_at_idx" ON "audit_logs" USING btree ("created_at");--> statement-breakpoint
+CREATE INDEX "container_events_env_timestamp_idx" ON "container_events" USING btree ("environment_id","timestamp");--> statement-breakpoint
+CREATE INDEX "host_metrics_env_timestamp_idx" ON "host_metrics" USING btree ("environment_id","timestamp");--> statement-breakpoint
+CREATE INDEX "schedule_executions_type_id_idx" ON "schedule_executions" USING btree ("schedule_type","schedule_id");--> statement-breakpoint
+CREATE INDEX "sessions_user_id_idx" ON "sessions" USING btree ("user_id");--> statement-breakpoint
+CREATE INDEX "sessions_expires_at_idx" ON "sessions" USING btree ("expires_at");--> statement-breakpoint
+CREATE INDEX "vulnerability_scans_env_image_idx" ON "vulnerability_scans" USING btree ("environment_id","image_id");
@@ -0,0 +1,14 @@
+CREATE TABLE "stack_environment_variables" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"stack_name" text NOT NULL,
+	"environment_id" integer,
+	"key" text NOT NULL,
+	"value" text NOT NULL,
+	"is_secret" boolean DEFAULT false,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "stack_environment_variables_stack_name_environment_id_key_unique" UNIQUE("stack_name","environment_id","key")
+);
+--> statement-breakpoint
+ALTER TABLE "git_stacks" ADD COLUMN "env_file_path" text;--> statement-breakpoint
+ALTER TABLE "stack_environment_variables" ADD CONSTRAINT "stack_environment_variables_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;
@@ -0,0 +1,12 @@
+CREATE TABLE "pending_container_updates" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"environment_id" integer NOT NULL,
+	"container_id" text NOT NULL,
+	"container_name" text NOT NULL,
+	"current_image" text NOT NULL,
+	"checked_at" timestamp DEFAULT now(),
+	"created_at" timestamp DEFAULT now(),
+	CONSTRAINT "pending_container_updates_environment_id_container_id_unique" UNIQUE("environment_id","container_id")
+);
+--> statement-breakpoint
+ALTER TABLE "pending_container_updates" ADD CONSTRAINT "pending_container_updates_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;
@@ -0,0 +1,27 @@
+{
+  "version": "7",
+  "dialect": "postgresql",
+  "entries": [
+    {
+      "idx": 0,
+      "version": "7",
+      "when": 1765804022462,
+      "tag": "0000_initial_schema",
+      "breakpoints": true
+    },
+    {
+      "idx": 1,
+      "version": "7",
+      "when": 1766378770502,
+      "tag": "0001_add_stack_env_vars",
+      "breakpoints": true
+    },
+    {
+      "idx": 2,
+      "version": "7",
+      "when": 1766763867484,
+      "tag": "0002_add_pending_container_updates",
+      "breakpoints": true
+    }
+  ]
+}
@@ -0,0 +1,16 @@
+import { defineConfig } from 'drizzle-kit';
+
+const databaseUrl = process.env.DATABASE_URL;
+const isPostgres = databaseUrl && (databaseUrl.startsWith('postgres://') || databaseUrl.startsWith('postgresql://'));
+
+export default defineConfig({
+	// Use different schema files for SQLite vs PostgreSQL
+	schema: isPostgres
+		? './src/lib/server/db/schema/pg-schema.ts'
+		: './src/lib/server/db/schema/index.ts',
+	out: isPostgres ? './drizzle-pg' : './drizzle',
+	dialect: isPostgres ? 'postgresql' : 'sqlite',
+	dbCredentials: isPostgres
+		? { url: databaseUrl! }
+		: { url: `file:${process.env.DATA_DIR || './data'}/dockhand.db` }
+});
@@ -0,0 +1,401 @@
+CREATE TABLE `audit_logs` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`user_id` integer,
+	`username` text NOT NULL,
+	`action` text NOT NULL,
+	`entity_type` text NOT NULL,
+	`entity_id` text,
+	`entity_name` text,
+	`environment_id` integer,
+	`description` text,
+	`details` text,
+	`ip_address` text,
+	`user_agent` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON UPDATE no action ON DELETE set null,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE set null
+);
+--> statement-breakpoint
+CREATE INDEX `audit_logs_user_id_idx` ON `audit_logs` (`user_id`);--> statement-breakpoint
+CREATE INDEX `audit_logs_created_at_idx` ON `audit_logs` (`created_at`);--> statement-breakpoint
+CREATE TABLE `auth_settings` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`auth_enabled` integer DEFAULT false,
+	`default_provider` text DEFAULT 'local',
+	`session_timeout` integer DEFAULT 86400,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP
+);
+--> statement-breakpoint
+CREATE TABLE `auto_update_settings` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`environment_id` integer,
+	`container_name` text NOT NULL,
+	`enabled` integer DEFAULT false,
+	`schedule_type` text DEFAULT 'daily',
+	`cron_expression` text,
+	`vulnerability_criteria` text DEFAULT 'never',
+	`last_checked` text,
+	`last_updated` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE no action
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `auto_update_settings_environment_id_container_name_unique` ON `auto_update_settings` (`environment_id`,`container_name`);--> statement-breakpoint
+CREATE TABLE `config_sets` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`name` text NOT NULL,
+	`description` text,
+	`env_vars` text,
+	`labels` text,
+	`ports` text,
+	`volumes` text,
+	`network_mode` text DEFAULT 'bridge',
+	`restart_policy` text DEFAULT 'no',
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `config_sets_name_unique` ON `config_sets` (`name`);--> statement-breakpoint
+CREATE TABLE `container_events` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`environment_id` integer,
+	`container_id` text NOT NULL,
+	`container_name` text,
+	`image` text,
+	`action` text NOT NULL,
+	`actor_attributes` text,
+	`timestamp` text NOT NULL,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE INDEX `container_events_env_timestamp_idx` ON `container_events` (`environment_id`,`timestamp`);--> statement-breakpoint
+CREATE TABLE `environment_notifications` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`environment_id` integer NOT NULL,
+	`notification_id` integer NOT NULL,
+	`enabled` integer DEFAULT true,
+	`event_types` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade,
+	FOREIGN KEY (`notification_id`) REFERENCES `notification_settings`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `environment_notifications_environment_id_notification_id_unique` ON `environment_notifications` (`environment_id`,`notification_id`);--> statement-breakpoint
+CREATE TABLE `environments` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`name` text NOT NULL,
+	`host` text,
+	`port` integer DEFAULT 2375,
+	`protocol` text DEFAULT 'http',
+	`tls_ca` text,
+	`tls_cert` text,
+	`tls_key` text,
+	`tls_skip_verify` integer DEFAULT false,
+	`icon` text DEFAULT 'globe',
+	`collect_activity` integer DEFAULT true,
+	`collect_metrics` integer DEFAULT true,
+	`highlight_changes` integer DEFAULT true,
+	`labels` text,
+	`connection_type` text DEFAULT 'socket',
+	`socket_path` text DEFAULT '/var/run/docker.sock',
+	`hawser_token` text,
+	`hawser_last_seen` text,
+	`hawser_agent_id` text,
+	`hawser_agent_name` text,
+	`hawser_version` text,
+	`hawser_capabilities` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `environments_name_unique` ON `environments` (`name`);--> statement-breakpoint
+CREATE TABLE `git_credentials` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`name` text NOT NULL,
+	`auth_type` text DEFAULT 'none' NOT NULL,
+	`username` text,
+	`password` text,
+	`ssh_private_key` text,
+	`ssh_passphrase` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `git_credentials_name_unique` ON `git_credentials` (`name`);--> statement-breakpoint
+CREATE TABLE `git_repositories` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`name` text NOT NULL,
+	`url` text NOT NULL,
+	`branch` text DEFAULT 'main',
+	`credential_id` integer,
+	`compose_path` text DEFAULT 'docker-compose.yml',
+	`environment_id` integer,
+	`auto_update` integer DEFAULT false,
+	`auto_update_schedule` text DEFAULT 'daily',
+	`auto_update_cron` text DEFAULT '0 3 * * *',
+	`webhook_enabled` integer DEFAULT false,
+	`webhook_secret` text,
+	`last_sync` text,
+	`last_commit` text,
+	`sync_status` text DEFAULT 'pending',
+	`sync_error` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`credential_id`) REFERENCES `git_credentials`(`id`) ON UPDATE no action ON DELETE set null
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `git_repositories_name_unique` ON `git_repositories` (`name`);--> statement-breakpoint
+CREATE TABLE `git_stacks` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`stack_name` text NOT NULL,
+	`environment_id` integer,
+	`repository_id` integer NOT NULL,
+	`compose_path` text DEFAULT 'docker-compose.yml',
+	`auto_update` integer DEFAULT false,
+	`auto_update_schedule` text DEFAULT 'daily',
+	`auto_update_cron` text DEFAULT '0 3 * * *',
+	`webhook_enabled` integer DEFAULT false,
+	`webhook_secret` text,
+	`last_sync` text,
+	`last_commit` text,
+	`sync_status` text DEFAULT 'pending',
+	`sync_error` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade,
+	FOREIGN KEY (`repository_id`) REFERENCES `git_repositories`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `git_stacks_stack_name_environment_id_unique` ON `git_stacks` (`stack_name`,`environment_id`);--> statement-breakpoint
+CREATE TABLE `hawser_tokens` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`token` text NOT NULL,
+	`token_prefix` text NOT NULL,
+	`name` text NOT NULL,
+	`environment_id` integer,
+	`is_active` integer DEFAULT true,
+	`last_used` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`expires_at` text,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `hawser_tokens_token_unique` ON `hawser_tokens` (`token`);--> statement-breakpoint
+CREATE TABLE `host_metrics` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`environment_id` integer,
+	`cpu_percent` real NOT NULL,
+	`memory_percent` real NOT NULL,
+	`memory_used` integer,
+	`memory_total` integer,
+	`timestamp` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE INDEX `host_metrics_env_timestamp_idx` ON `host_metrics` (`environment_id`,`timestamp`);--> statement-breakpoint
+CREATE TABLE `ldap_config` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`name` text NOT NULL,
+	`enabled` integer DEFAULT false,
+	`server_url` text NOT NULL,
+	`bind_dn` text,
+	`bind_password` text,
+	`base_dn` text NOT NULL,
+	`user_filter` text DEFAULT '(uid={{username}})',
+	`username_attribute` text DEFAULT 'uid',
+	`email_attribute` text DEFAULT 'mail',
+	`display_name_attribute` text DEFAULT 'cn',
+	`group_base_dn` text,
+	`group_filter` text,
+	`admin_group` text,
+	`role_mappings` text,
+	`tls_enabled` integer DEFAULT false,
+	`tls_ca` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP
+);
+--> statement-breakpoint
+CREATE TABLE `notification_settings` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`type` text NOT NULL,
+	`name` text NOT NULL,
+	`enabled` integer DEFAULT true,
+	`config` text NOT NULL,
+	`event_types` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP
+);
+--> statement-breakpoint
+CREATE TABLE `oidc_config` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`name` text NOT NULL,
+	`enabled` integer DEFAULT false,
+	`issuer_url` text NOT NULL,
+	`client_id` text NOT NULL,
+	`client_secret` text NOT NULL,
+	`redirect_uri` text NOT NULL,
+	`scopes` text DEFAULT 'openid profile email',
+	`username_claim` text DEFAULT 'preferred_username',
+	`email_claim` text DEFAULT 'email',
+	`display_name_claim` text DEFAULT 'name',
+	`admin_claim` text,
+	`admin_value` text,
+	`role_mappings_claim` text DEFAULT 'groups',
+	`role_mappings` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP
+);
+--> statement-breakpoint
+CREATE TABLE `registries` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`name` text NOT NULL,
+	`url` text NOT NULL,
+	`username` text,
+	`password` text,
+	`is_default` integer DEFAULT false,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `registries_name_unique` ON `registries` (`name`);--> statement-breakpoint
+CREATE TABLE `roles` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`name` text NOT NULL,
+	`description` text,
+	`is_system` integer DEFAULT false,
+	`permissions` text NOT NULL,
+	`environment_ids` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `roles_name_unique` ON `roles` (`name`);--> statement-breakpoint
+CREATE TABLE `schedule_executions` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`schedule_type` text NOT NULL,
+	`schedule_id` integer NOT NULL,
+	`environment_id` integer,
+	`entity_name` text NOT NULL,
+	`triggered_by` text NOT NULL,
+	`triggered_at` text NOT NULL,
+	`started_at` text,
+	`completed_at` text,
+	`duration` integer,
+	`status` text NOT NULL,
+	`error_message` text,
+	`details` text,
+	`logs` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE INDEX `schedule_executions_type_id_idx` ON `schedule_executions` (`schedule_type`,`schedule_id`);--> statement-breakpoint
+CREATE TABLE `sessions` (
+	`id` text PRIMARY KEY NOT NULL,
+	`user_id` integer NOT NULL,
+	`provider` text NOT NULL,
+	`expires_at` text NOT NULL,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE INDEX `sessions_user_id_idx` ON `sessions` (`user_id`);--> statement-breakpoint
+CREATE INDEX `sessions_expires_at_idx` ON `sessions` (`expires_at`);--> statement-breakpoint
+CREATE TABLE `settings` (
+	`key` text PRIMARY KEY NOT NULL,
+	`value` text NOT NULL,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP
+);
+--> statement-breakpoint
+CREATE TABLE `stack_events` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`environment_id` integer,
+	`stack_name` text NOT NULL,
+	`event_type` text NOT NULL,
+	`timestamp` text DEFAULT CURRENT_TIMESTAMP,
+	`metadata` text,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE TABLE `stack_sources` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`stack_name` text NOT NULL,
+	`environment_id` integer,
+	`source_type` text DEFAULT 'internal' NOT NULL,
+	`git_repository_id` integer,
+	`git_stack_id` integer,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade,
+	FOREIGN KEY (`git_repository_id`) REFERENCES `git_repositories`(`id`) ON UPDATE no action ON DELETE set null,
+	FOREIGN KEY (`git_stack_id`) REFERENCES `git_stacks`(`id`) ON UPDATE no action ON DELETE set null
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `stack_sources_stack_name_environment_id_unique` ON `stack_sources` (`stack_name`,`environment_id`);--> statement-breakpoint
+CREATE TABLE `user_preferences` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`user_id` integer,
+	`environment_id` integer,
+	`key` text NOT NULL,
+	`value` text NOT NULL,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON UPDATE no action ON DELETE cascade,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `user_preferences_user_id_environment_id_key_unique` ON `user_preferences` (`user_id`,`environment_id`,`key`);--> statement-breakpoint
+CREATE TABLE `user_roles` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`user_id` integer NOT NULL,
+	`role_id` integer NOT NULL,
+	`environment_id` integer,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON UPDATE no action ON DELETE cascade,
+	FOREIGN KEY (`role_id`) REFERENCES `roles`(`id`) ON UPDATE no action ON DELETE cascade,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `user_roles_user_id_role_id_environment_id_unique` ON `user_roles` (`user_id`,`role_id`,`environment_id`);--> statement-breakpoint
+CREATE TABLE `users` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`username` text NOT NULL,
+	`email` text,
+	`password_hash` text NOT NULL,
+	`display_name` text,
+	`avatar` text,
+	`auth_provider` text DEFAULT 'local',
+	`mfa_enabled` integer DEFAULT false,
+	`mfa_secret` text,
+	`is_active` integer DEFAULT true,
+	`last_login` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `users_username_unique` ON `users` (`username`);--> statement-breakpoint
+CREATE TABLE `vulnerability_scans` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`environment_id` integer,
+	`image_id` text NOT NULL,
+	`image_name` text NOT NULL,
+	`scanner` text NOT NULL,
+	`scanned_at` text NOT NULL,
+	`scan_duration` integer,
+	`critical_count` integer DEFAULT 0,
+	`high_count` integer DEFAULT 0,
+	`medium_count` integer DEFAULT 0,
+	`low_count` integer DEFAULT 0,
+	`negligible_count` integer DEFAULT 0,
+	`unknown_count` integer DEFAULT 0,
+	`vulnerabilities` text,
+	`error` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE INDEX `vulnerability_scans_env_image_idx` ON `vulnerability_scans` (`environment_id`,`image_id`);
@@ -0,0 +1,14 @@
+CREATE TABLE `stack_environment_variables` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`stack_name` text NOT NULL,
+	`environment_id` integer,
+	`key` text NOT NULL,
+	`value` text NOT NULL,
+	`is_secret` integer DEFAULT false,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `stack_environment_variables_stack_name_environment_id_key_unique` ON `stack_environment_variables` (`stack_name`,`environment_id`,`key`);--> statement-breakpoint
+ALTER TABLE `git_stacks` ADD `env_file_path` text;
@@ -0,0 +1,12 @@
+CREATE TABLE `pending_container_updates` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`environment_id` integer NOT NULL,
+	`container_id` text NOT NULL,
+	`container_name` text NOT NULL,
+	`current_image` text NOT NULL,
+	`checked_at` text DEFAULT CURRENT_TIMESTAMP,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `pending_container_updates_environment_id_container_id_unique` ON `pending_container_updates` (`environment_id`,`container_id`);
@@ -0,0 +1,27 @@
+{
+  "version": "7",
+  "dialect": "sqlite",
+  "entries": [
+    {
+      "idx": 0,
+      "version": "6",
+      "when": 1765804016391,
+      "tag": "0000_initial_schema",
+      "breakpoints": true
+    },
+    {
+      "idx": 1,
+      "version": "6",
+      "when": 1766378754939,
+      "tag": "0001_add_stack_env_vars",
+      "breakpoints": true
+    },
+    {
+      "idx": 2,
+      "version": "6",
+      "when": 1766763860091,
+      "tag": "0002_add_pending_container_updates",
+      "breakpoints": true
+    }
+  ]
+}
@@ -1,236 +0,0 @@
-<script lang="ts">
-	import { Button } from '$lib/components/ui/button';
-	import StackEnvVarsEditor, { type EnvVar, type ValidationResult } from '$lib/components/StackEnvVarsEditor.svelte';
-	import ConfirmPopover from '$lib/components/ConfirmPopover.svelte';
-	import { Plus, Info, Upload, Trash2 } from 'lucide-svelte';
-	import * as Tooltip from '$lib/components/ui/tooltip';
-
-	interface Props {
-		variables: EnvVar[];
-		validation?: ValidationResult | null;
-		readonly?: boolean;
-		showSource?: boolean;
-		sources?: Record<string, 'file' | 'override'>;
-		placeholder?: { key: string; value: string };
-		infoText?: string;
-		existingSecretKeys?: Set<string>;
-		class?: string;
-		onchange?: () => void;
-	}
-
-	let {
-		variables = $bindable(),
-		validation = null,
-		readonly = false,
-		showSource = false,
-		sources = {},
-		placeholder = { key: 'VARIABLE_NAME', value: 'value' },
-		infoText,
-		existingSecretKeys = new Set<string>(),
-		class: className = '',
-		onchange
-	}: Props = $props();
-
-	let fileInputRef: HTMLInputElement;
-
-	function addEnvVariable() {
-		variables = [...variables, { key: '', value: '', isSecret: false }];
-	}
-
-	function handleLoadFromFile() {
-		fileInputRef?.click();
-	}
-
-	function parseEnvFile(content: string): EnvVar[] {
-		const lines = content.split('\n');
-		const envVars: EnvVar[] = [];
-
-		for (const line of lines) {
-			// Skip empty lines and comments
-			const trimmed = line.trim();
-			if (!trimmed || trimmed.startsWith('#')) continue;
-
-			// Parse KEY=VALUE format
-			const eqIndex = trimmed.indexOf('=');
-			if (eqIndex === -1) continue;
-
-			const key = trimmed.slice(0, eqIndex).trim();
-			let value = trimmed.slice(eqIndex + 1).trim();
-
-			// Remove surrounding quotes if present
-			if ((value.startsWith('"') && value.endsWith('"')) ||
-			    (value.startsWith("'") && value.endsWith("'"))) {
-				value = value.slice(1, -1);
-			}
-
-			if (key) {
-				envVars.push({ key, value, isSecret: false });
-			}
-		}
-
-		return envVars;
-	}
-
-	function handleFileSelect(event: Event) {
-		const input = event.target as HTMLInputElement;
-		const file = input.files?.[0];
-		if (!file) return;
-
-		const reader = new FileReader();
-		reader.onload = (e) => {
-			const content = e.target?.result as string;
-			const parsedVars = parseEnvFile(content);
-
-			if (parsedVars.length > 0) {
-				// Get existing keys to avoid duplicates
-				const existingKeys = new Set(variables.filter(v => v.key.trim()).map(v => v.key.trim()));
-
-				// Filter empty entries from current variables
-				const nonEmptyVars = variables.filter(v => v.key.trim());
-
-				// Add new variables, updating existing ones or appending new
-				for (const newVar of parsedVars) {
-					if (existingKeys.has(newVar.key)) {
-						// Update existing variable
-						const idx = nonEmptyVars.findIndex(v => v.key.trim() === newVar.key);
-						if (idx !== -1) {
-							nonEmptyVars[idx] = { ...nonEmptyVars[idx], value: newVar.value };
-						}
-					} else {
-						// Add new variable
-						nonEmptyVars.push(newVar);
-						existingKeys.add(newVar.key);
-					}
-				}
-
-				variables = nonEmptyVars;
-				// Notify parent of change (important for async file load)
-				onchange?.();
-			}
-		};
-		reader.readAsText(file);
-
-		// Reset input so the same file can be selected again
-		input.value = '';
-	}
-
-	function clearAllVariables() {
-		variables = [];
-	}
-
-	// Count of non-empty variables
-	const hasVariables = $derived(variables.some(v => v.key.trim()));
-</script>
-
-<div class="flex flex-col h-full {className}">
-	<!-- Header -->
-	<div class="px-4 py-2.5 border-b border-zinc-200 dark:border-zinc-700 flex flex-col gap-1.5">
-		<div class="flex items-center justify-between">
-			<div class="flex items-center gap-2">
-				<span class="text-xs text-zinc-500 dark:text-zinc-400">Environment variables</span>
-				{#if infoText}
-					<Tooltip.Root>
-						<Tooltip.Trigger>
-							<Info class="w-3.5 h-3.5 text-blue-400" />
-						</Tooltip.Trigger>
-						<Tooltip.Content class="max-w-md">
-							<p class="text-xs">{infoText}</p>
-						</Tooltip.Content>
-					</Tooltip.Root>
-				{/if}
-			</div>
-			{#if !readonly}
-				<div class="flex items-center gap-1">
-					<Button type="button" size="sm" variant="ghost" onclick={handleLoadFromFile} class="h-6 text-xs px-2">
-						<Upload class="w-3.5 h-3.5 mr-1" />
-						Load .env
-					</Button>
-					<Button type="button" size="sm" variant="ghost" onclick={addEnvVariable} class="h-6 text-xs px-2">
-						<Plus class="w-3.5 h-3.5 mr-1" />
-						Add
-					</Button>
-					{#if hasVariables}
-						<ConfirmPopover
-							title="Clear all variables"
-							description="This will remove all environment variables. This cannot be undone."
-							confirmText="Clear all"
-							onConfirm={clearAllVariables}
-						>
-							<Button type="button" size="sm" variant="ghost" class="h-6 text-xs px-2 text-destructive hover:text-destructive">
-								<Trash2 class="w-3.5 h-3.5 mr-1" />
-								Clear
-							</Button>
-						</ConfirmPopover>
-					{/if}
-				</div>
-				<input
-					bind:this={fileInputRef}
-					type="file"
-					accept=".env,.env.*,text/plain"
-					class="hidden"
-					onchange={handleFileSelect}
-				/>
-			{/if}
-		</div>
-		<!-- Variable syntax help -->
-		<div class="flex flex-wrap gap-x-3 gap-y-0.5 text-2xs text-zinc-400 dark:text-zinc-500 font-mono">
-			<span><span class="text-zinc-500 dark:text-zinc-400">${`{VAR}`}</span> required</span>
-			<span><span class="text-zinc-500 dark:text-zinc-400">${`{VAR:-default}`}</span> optional</span>
-			<span><span class="text-zinc-500 dark:text-zinc-400">${`{VAR:?error}`}</span> required w/ error</span>
-		</div>
-		<!-- Validation status pills -->
-		{#if validation}
-			<div class="flex flex-wrap gap-1">
-				{#if validation.missing.length > 0}
-					<span class="inline-flex items-center px-1.5 py-0.5 rounded text-2xs font-medium bg-red-100 text-red-700 dark:bg-red-900/30 dark:text-red-300">
-						{validation.missing.length} missing
-					</span>
-				{/if}
-				{#if validation.required.length > 0}
-					<span class="inline-flex items-center px-1.5 py-0.5 rounded text-2xs font-medium bg-green-100 text-green-700 dark:bg-green-900/30 dark:text-green-300">
-						{validation.required.length - validation.missing.length} required
-					</span>
-				{/if}
-				{#if validation.optional.length > 0}
-					<span class="inline-flex items-center px-1.5 py-0.5 rounded text-2xs font-medium bg-blue-100 text-blue-700 dark:bg-blue-900/30 dark:text-blue-300">
-						{validation.optional.length} optional
-					</span>
-				{/if}
-				{#if validation.unused.length > 0}
-					<span class="inline-flex items-center px-1.5 py-0.5 rounded text-2xs font-medium bg-amber-100 text-amber-700 dark:bg-amber-900/30 dark:text-amber-300">
-						{validation.unused.length} unused
-					</span>
-				{/if}
-			</div>
-		{/if}
-		<!-- Add missing variables -->
-		{#if validation && validation.missing.length > 0 && !readonly}
-			<div class="flex flex-wrap gap-1 items-center">
-				<span class="text-xs text-muted-foreground mr-1">Add missing:</span>
-				{#each validation.missing as missing}
-					<button
-						type="button"
-						onclick={() => {
-							variables = [...variables, { key: missing, value: '', isSecret: false }];
-						}}
-						class="text-xs px-1.5 py-0.5 rounded bg-red-100 text-red-700 hover:bg-red-200 dark:bg-red-900/30 dark:text-red-300 dark:hover:bg-red-900/50 transition-colors"
-					>
-						{missing}
-					</button>
-				{/each}
-			</div>
-		{/if}
-	</div>
-	<!-- Variables list -->
-	<div class="flex-1 overflow-auto px-4 py-3">
-		<StackEnvVarsEditor
-			bind:variables
-			{validation}
-			{readonly}
-			{showSource}
-			{sources}
-			{placeholder}
-			{existingSecretKeys}
-		/>
-	</div>
-</div>
@@ -0,0 +1,110 @@
+{
+	"name": "dockhand",
+	"private": true,
+	"version": "1.0.4",
+	"type": "module",
+	"scripts": {
+		"dev": "bunx --bun vite dev",
+		"prebuild": "bunx license-checker --json --production | jq 'to_entries | map({name: (.key | split(\"@\")[0:-1] | join(\"@\")), version: (.key | split(\"@\")[-1]), license: .value.licenses, repository: .value.repository}) | sort_by(.name)' > src/lib/data/dependencies.json.tmp && mv src/lib/data/dependencies.json.tmp src/lib/data/dependencies.json || true",
+		"build": "bunx --bun vite build && bun scripts/patch-build.ts && bun scripts/build-subprocesses.ts",
+		"start": "bun ./build/index.js",
+		"preview": "bun ./build/index.js",
+		"prepare": "bunx --bun svelte-kit sync || echo ''",
+		"check": "bunx --bun svelte-kit sync && bunx --bun svelte-check --tsconfig ./tsconfig.json",
+		"check:watch": "bunx --bun svelte-kit sync && bunx --bun svelte-check --tsconfig ./tsconfig.json --watch",
+		"test": "bun test",
+		"test:smoke": "bun test tests/api-smoke.test.ts",
+		"test:containers": "bun test tests/container-lifecycle.test.ts",
+		"test:notifications": "bun test tests/notifications.test.ts",
+		"test:hawser": "bun test tests/hawser-connection.test.ts",
+		"test:build": "SKIP_BUILD_TEST=1 bun test tests/build.test.ts",
+		"test:postgres": "bun test tests/database-postgres.test.ts",
+		"test:crud": "bun test tests/crud-operations.test.ts",
+		"test:scheduling": "bun test tests/scheduling.test.ts",
+		"test:images": "bun test tests/images.test.ts",
+		"test:volumes": "bun test tests/volumes-networks.test.ts",
+		"test:stacks": "bun test tests/stacks.test.ts",
+		"test:stacks:matrix": "bun test tests/stack-matrix.test.ts",
+		"test:stacks:git": "bun test tests/stack-git-flow.test.ts",
+		"test:stacks:env": "bun test tests/stack-env-vars.test.ts",
+		"test:stacks:all": "bun test tests/stack-*.test.ts tests/stacks.test.ts",
+		"test:files": "bun test tests/container-files.test.ts",
+		"test:license": "bun test tests/license.test.ts",
+		"test:activity": "bun test tests/activity-dashboard.test.ts",
+		"test:all": "bun test tests/",
+		"test:quick": "bun test tests/api-smoke.test.ts tests/notifications.test.ts",
+		"test:integration": "bun test tests/api-smoke.test.ts tests/crud-operations.test.ts tests/scheduling.test.ts tests/hawser-connection.test.ts",
+		"test:e2e": "bunx playwright test tests/e2e/",
+		"generate:legal": "bun scripts/generate-legal-pages.ts"
+	},
+	"dependencies": {
+		"@codemirror/autocomplete": "6.20.0",
+		"@codemirror/commands": "6.10.0",
+		"@codemirror/lang-css": "6.3.1",
+		"@codemirror/lang-html": "6.4.11",
+		"@codemirror/lang-javascript": "6.2.4",
+		"@codemirror/lang-json": "6.0.2",
+		"@codemirror/lang-markdown": "6.5.0",
+		"@codemirror/lang-python": "6.2.1",
+		"@codemirror/lang-sql": "6.10.0",
+		"@codemirror/lang-xml": "6.1.0",
+		"@codemirror/language": "6.11.3",
+		"@codemirror/search": "6.5.11",
+		"@lezer/highlight": "1.2.3",
+		"@lucide/lab": "^0.1.2",
+		"croner": "9.1.0",
+		"cronstrue": "3.9.0",
+		"drizzle-orm": "0.45.0",
+		"js-yaml": "^4.1.1",
+		"ldapts": "^8.0.9",
+		"nodemailer": "^7.0.11",
+		"otpauth": "^9.4.1",
+		"postgres": "3.4.7",
+		"qrcode": "^1.5.4",
+		"svelte-dnd-action": "0.9.68",
+		"svelte-sonner": "1.0.7"
+	},
+	"devDependencies": {
+		"@codemirror/lang-yaml": "^6.1.2",
+		"@codemirror/state": "^6.5.2",
+		"@codemirror/theme-one-dark": "^6.1.3",
+		"@codemirror/view": "^6.38.8",
+		"@internationalized/date": "^3.10.0",
+		"@layerstack/tailwind": "^1.0.1",
+		"@lucide/svelte": "^0.544.0",
+		"@playwright/test": "1.57.0",
+		"@sveltejs/kit": "^2.48.5",
+		"@sveltejs/vite-plugin-svelte": "^6.2.1",
+		"@tailwindcss/vite": "^4.1.17",
+		"@types/bun": "^1.2.5",
+		"@types/js-yaml": "^4.0.9",
+		"@types/nodemailer": "^7.0.4",
+		"@types/qrcode": "^1.5.6",
+		"@xterm/addon-fit": "^0.10.0",
+		"@xterm/addon-web-links": "^0.11.0",
+		"@xterm/xterm": "^5.5.0",
+		"autoprefixer": "^10.4.22",
+		"bits-ui": "^2.14.4",
+		"clsx": "^2.1.1",
+		"codemirror": "^6.0.2",
+		"cytoscape": "^3.33.1",
+		"d3-scale": "^4.0.2",
+		"d3-shape": "^3.2.0",
+		"drizzle-kit": "0.31.8",
+		"layerchart": "^1.0.12",
+		"lucide-svelte": "^0.555.0",
+		"mode-watcher": "^1.1.0",
+		"postcss": "^8.5.6",
+		"svelte": "^5.43.8",
+		"svelte-adapter-bun": "1.0.1",
+		"svelte-check": "^4.3.4",
+		"svelte-easy-crop": "^5.0.0",
+		"svelte-virtual-scroll-list": "^1.3.0",
+		"tailwind-merge": "^3.4.0",
+		"tailwind-variants": "^3.2.2",
+		"tailwindcss": "^4.1.17",
+		"tw-animate-css": "^1.4.0",
+		"typescript": "^5.9.3",
+		"vite": "^7.2.2"
+	}
+}
@@ -1,122 +0,0 @@
-import { json } from '@sveltejs/kit';
-import { getStackEnvVars, setStackEnvVars } from '$lib/server/db';
-import { authorize } from '$lib/server/authorize';
-import type { RequestHandler } from './$types';
-
-/**
- * GET /api/stacks/[name]/env?env=X
- * Get all environment variables for a stack.
- * Secrets are masked with '***' in the response.
- */
-export const GET: RequestHandler = async ({ params, url, cookies }) => {
-	const auth = await authorize(cookies);
-	const envId = url.searchParams.get('env');
-	const envIdNum = envId ? parseInt(envId) : null;
-
-	// Permission check with environment context
-	if (auth.authEnabled && !await auth.can('stacks', 'view', envIdNum ?? undefined)) {
-		return json({ error: 'Permission denied' }, { status: 403 });
-	}
-
-	// Environment access check (enterprise only)
-	if (envIdNum && auth.isEnterprise && !await auth.canAccessEnvironment(envIdNum)) {
-		return json({ error: 'Access denied to this environment' }, { status: 403 });
-	}
-
-	try {
-		const stackName = decodeURIComponent(params.name);
-		const variables = await getStackEnvVars(stackName, envIdNum, true);
-
-		return json({
-			variables: variables.map(v => ({
-				key: v.key,
-				value: v.value,
-				isSecret: v.isSecret
-			}))
-		});
-	} catch (error) {
-		console.error('Error getting stack env vars:', error);
-		return json({ error: 'Failed to get environment variables' }, { status: 500 });
-	}
-};
-
-/**
- * PUT /api/stacks/[name]/env?env=X
- * Set/replace all environment variables for a stack.
- * Body: { variables: [{ key, value, isSecret? }] }
- *
- * Note: For secrets, if the value is '***' (the masked placeholder), the original
- * secret value from the database is preserved instead of overwriting with '***'.
- */
-export const PUT: RequestHandler = async ({ params, url, cookies, request }) => {
-	const auth = await authorize(cookies);
-	const envId = url.searchParams.get('env');
-	const envIdNum = envId ? parseInt(envId) : null;
-
-	// Permission check with environment context
-	if (auth.authEnabled && !await auth.can('stacks', 'edit', envIdNum ?? undefined)) {
-		return json({ error: 'Permission denied' }, { status: 403 });
-	}
-
-	// Environment access check (enterprise only)
-	if (envIdNum && auth.isEnterprise && !await auth.canAccessEnvironment(envIdNum)) {
-		return json({ error: 'Access denied to this environment' }, { status: 403 });
-	}
-
-	try {
-		const stackName = decodeURIComponent(params.name);
-		const body = await request.json();
-
-		if (!body.variables || !Array.isArray(body.variables)) {
-			return json({ error: 'Invalid request body: variables array required' }, { status: 400 });
-		}
-
-		// Validate variables
-		for (const v of body.variables) {
-			if (!v.key || typeof v.key !== 'string') {
-				return json({ error: 'Invalid variable: key is required and must be a string' }, { status: 400 });
-			}
-			if (typeof v.value !== 'string') {
-				return json({ error: `Invalid variable "${v.key}": value must be a string` }, { status: 400 });
-			}
-			// Validate key format (env var naming convention)
-			if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(v.key)) {
-				return json({ error: `Invalid variable name "${v.key}": must start with a letter or underscore and contain only alphanumeric characters and underscores` }, { status: 400 });
-			}
-		}
-
-		// Check if any secrets have the masked placeholder '***'
-		// If so, we need to preserve their original values from the database
-		const secretsWithMaskedValue = body.variables.filter(
-			(v: { key: string; value: string; isSecret?: boolean }) =>
-				v.isSecret && v.value === '***'
-		);
-
-		let variablesToSave = body.variables;
-
-		if (secretsWithMaskedValue.length > 0) {
-			// Get existing variables (unmasked) to preserve secret values
-			const existingVars = await getStackEnvVars(stackName, envIdNum, false);
-			const existingByKey = new Map(existingVars.map(v => [v.key, v]));
-
-			// Replace masked secrets with their original values
-			variablesToSave = body.variables.map((v: { key: string; value: string; isSecret?: boolean }) => {
-				if (v.isSecret && v.value === '***') {
-					const existing = existingByKey.get(v.key);
-					if (existing && existing.isSecret) {
-						// Preserve the original secret value
-						return { ...v, value: existing.value };
-					}
-				}
-				return v;
-			});
-		}
-
-		await setStackEnvVars(stackName, envIdNum, variablesToSave);
-
-		return json({ success: true, count: variablesToSave.length });
-	} catch (error) {
-		console.error('Error setting stack env vars:', error);
-		return json({ error: 'Failed to set environment variables' }, { status: 500 });
-	}
-};
@@ -1,117 +0,0 @@
-<script lang="ts">
-	import { Button } from '$lib/components/ui/button';
-	import * as Dialog from '$lib/components/ui/dialog';
-	import { Label } from '$lib/components/ui/label';
-	import { Input } from '$lib/components/ui/input';
-	import { QrCode, RefreshCw, ShieldCheck, TriangleAlert } from 'lucide-svelte';
-	import * as Alert from '$lib/components/ui/alert';
-	import { focusFirstInput } from '$lib/utils';
-
-	interface Props {
-		open: boolean;
-		qrCode: string;
-		secret: string;
-		userId: number;
-		onClose: () => void;
-		onSuccess: () => void;
-	}
-
-	let { open = $bindable(), qrCode, secret, userId, onClose, onSuccess }: Props = $props();
-
-	let token = $state('');
-	let loading = $state(false);
-	let error = $state('');
-
-	function resetForm() {
-		token = '';
-		error = '';
-	}
-
-	async function verifyAndEnableMfa() {
-		if (!token) {
-			error = 'Please enter the verification code';
-			return;
-		}
-
-		loading = true;
-		error = '';
-
-		try {
-			const response = await fetch(`/api/users/${userId}/mfa`, {
-				method: 'POST',
-				headers: { 'Content-Type': 'application/json' },
-				body: JSON.stringify({ action: 'verify', token })
-			});
-
-			if (response.ok) {
-				onSuccess();
-				onClose();
-			} else {
-				const data = await response.json();
-				error = data.error || 'Invalid verification code';
-			}
-		} catch (e) {
-			error = 'Failed to verify MFA';
-		} finally {
-			loading = false;
-		}
-	}
-
-</script>
-
-<Dialog.Root bind:open onOpenChange={(o) => { if (o) { resetForm(); focusFirstInput(); } else onClose(); }}>
-	<Dialog.Content class="max-w-md">
-		<Dialog.Header>
-			<Dialog.Title class="flex items-center gap-2">
-				<QrCode class="w-5 h-5" />
-				Setup two-factor authentication
-			</Dialog.Title>
-		</Dialog.Header>
-		<div class="space-y-4">
-			{#if error}
-				<Alert.Root variant="destructive">
-					<TriangleAlert class="h-4 w-4" />
-					<Alert.Description>{error}</Alert.Description>
-				</Alert.Root>
-			{/if}
-
-			<p class="text-sm text-muted-foreground">
-				Scan this QR code with your authenticator app (Google Authenticator, Authy, etc.)
-			</p>
-
-			{#if qrCode}
-				<div class="flex justify-center p-4 bg-white rounded-lg">
-					<img src={qrCode} alt="MFA QR Code" class="w-48 h-48" />
-				</div>
-			{/if}
-
-			<div class="space-y-2">
-				<Label class="text-xs text-muted-foreground">Or enter this code manually:</Label>
-				<code class="block p-2 bg-muted rounded text-sm font-mono break-all">{secret}</code>
-			</div>
-
-			<div class="space-y-2">
-				<Label>Verification code</Label>
-				<Input
-					bind:value={token}
-					placeholder="Enter 6-digit code"
-					maxlength={6}
-				/>
-				<p class="text-xs text-muted-foreground">
-					Enter the code from your authenticator app to verify setup
-				</p>
-			</div>
-		</div>
-		<Dialog.Footer>
-			<Button variant="outline" onclick={onClose}>Cancel</Button>
-			<Button onclick={verifyAndEnableMfa} disabled={loading || !token}>
-				{#if loading}
-					<RefreshCw class="w-4 h-4 mr-1 animate-spin" />
-				{:else}
-					<ShieldCheck class="w-4 h-4 mr-1" />
-				{/if}
-				Enable MFA
-			</Button>
-		</Dialog.Footer>
-	</Dialog.Content>
-</Dialog.Root>
@@ -3,11 +3,51 @@
 	import { EditorState, StateField, StateEffect, RangeSet } from '@codemirror/state';
 	import { EditorView, keymap, lineNumbers, highlightActiveLine, highlightActiveLineGutter, gutter, GutterMarker, Decoration, WidgetType, type DecorationSet } from '@codemirror/view';
 	import { defaultKeymap, history, historyKeymap, indentWithTab } from '@codemirror/commands';
-	import { syntaxHighlighting, defaultHighlightStyle, indentOnInput, bracketMatching } from '@codemirror/language';
+	import { syntaxHighlighting, defaultHighlightStyle, indentOnInput, bracketMatching, StreamLanguage, type StreamParser } from '@codemirror/language';
 	import { searchKeymap, highlightSelectionMatches } from '@codemirror/search';
 	import { autocompletion, completionKeymap, closeBrackets, closeBracketsKeymap, type CompletionContext, type CompletionResult } from '@codemirror/autocomplete';
 	import { oneDarkHighlightStyle } from '@codemirror/theme-one-dark';

+	// Simple dotenv/env file language parser
+	const dotenvParser: StreamParser<{ inValue: boolean }> = {
+		startState() {
+			return { inValue: false };
+		},
+		token(stream, state) {
+			// Start of line
+			if (stream.sol()) {
+				state.inValue = false;
+				// Skip leading whitespace
+				stream.eatSpace();
+				// Comment line
+				if (stream.peek() === '#') {
+					stream.skipToEnd();
+					return 'comment';
+				}
+			}
+			// If in value part, consume the rest
+			if (state.inValue) {
+				stream.skipToEnd();
+				return 'string';
+			}
+			// Variable name before =
+			if (stream.match(/^[a-zA-Z_][a-zA-Z0-9_]*/)) {
+				if (stream.peek() === '=') {
+					return 'variableName.definition';
+				}
+				return 'variableName';
+			}
+			// Equals sign - switch to value mode
+			if (stream.eat('=')) {
+				state.inValue = true;
+				return 'operator';
+			}
+			// Skip anything else
+			stream.next();
+			return null;
+		}
+	};
+
 	// Docker Compose keywords for autocomplete
 	const COMPOSE_TOP_LEVEL = ['services', 'networks', 'volumes', 'configs', 'secrets', 'name', 'version'];

@@ -453,6 +493,9 @@
 			case 'sh':
 				// No dedicated shell/dockerfile support, use basic highlighting
 				return [];
+			case 'dotenv':
+			case 'env':
+				return StreamLanguage.define(dotenvParser);
 			default:
 				return [];
 		}
@@ -542,6 +585,13 @@
 	// Track if we're initialized (prevents multiple createEditor calls)
 	let initialized = false;

+	// Debounce timer for marker updates (prevents flicker during fast typing)
+	let markerUpdateTimer: ReturnType<typeof setTimeout> | null = null;
+	const MARKER_UPDATE_DEBOUNCE_MS = 300;
+
+	// Track last applied markers to avoid redundant updates
+	let lastAppliedMarkersJson = '';
+
 	function createEditor() {
 		if (!container || view || initialized) return;
 		initialized = true;
@@ -551,12 +601,14 @@
 			: [dockhandLight, syntaxHighlighting(defaultHighlightStyle)];

 		// Build autocompletion config - add Docker Compose completions for YAML
+		// Note: activateOnTyping can interfere with key repeat, so we disable it
+		// Users can still trigger autocomplete manually with Ctrl+Space
 		const autocompletionConfig = language === 'yaml'
 			? autocompletion({
 				override: [composeCompletions, composeValueCompletions],
-				activateOnTyping: true
+				activateOnTyping: false
 			})
-			: autocompletion();
+			: autocompletion({ activateOnTyping: false });

 		const extensions = [
 			lineNumbers(),
@@ -594,18 +646,25 @@
 			extensions
 		});

-		// Custom transaction handler - this is SYNCHRONOUS and more reliable than updateListener
+		// Custom transaction handler - applies transactions synchronously but defers callback
 		// Based on the Svelte Playground pattern: https://svelte.dev/playground/91649ba3e0ce4122b3b34f3a95a00104
 		const dispatchTransactions = (trs: readonly import('@codemirror/state').Transaction[]) => {
 			if (!view) return;

-			// Apply all transactions
+			// Apply all transactions synchronously (required by CodeMirror)
 			view.update(trs);

 			// Check if any transaction changed the document
 			const lastChangingTr = trs.findLast(tr => tr.docChanged);
 			if (lastChangingTr && onchangeRef) {
-				onchangeRef(lastChangingTr.newDoc.toString());
+				// Defer callback to next microtask to avoid blocking input handling
+				// This allows key repeat to work properly
+				const newContent = lastChangingTr.newDoc.toString();
+				queueMicrotask(() => {
+					if (onchangeRef) {
+						onchangeRef(newContent);
+					}
+				});
 			}
 		};

@@ -615,7 +674,6 @@
 			dispatchTransactions
 		});

-
 		// Push initial markers if provided
 		if (variableMarkers.length > 0) {
 			view.dispatch({
@@ -625,11 +683,16 @@
 	}

 	function destroyEditor() {
+		if (markerUpdateTimer) {
+			clearTimeout(markerUpdateTimer);
+			markerUpdateTimer = null;
+		}
 		if (view) {
 			view.destroy();
 			view = null;
 		}
 		initialized = false;
+		lastAppliedMarkersJson = '';
 	}

 	// Get current editor content
@@ -656,11 +719,35 @@
 	}

 	// Update variable markers - this is the key method for parent to call
-	export function updateVariableMarkers(markers: VariableMarker[]) {
-		if (view) {
-			view.dispatch({
-				effects: updateMarkersEffect.of(markers)
-			});
+	// Debounced to prevent flicker during fast typing
+	export function updateVariableMarkers(markers: VariableMarker[], immediate = false) {
+		if (!view) return;
+
+		// Check if markers actually changed (compare by content, not reference)
+		const newJson = JSON.stringify(markers);
+		if (newJson === lastAppliedMarkersJson) {
+			return; // No change, skip update
+		}
+
+		// Clear any pending update
+		if (markerUpdateTimer) {
+			clearTimeout(markerUpdateTimer);
+			markerUpdateTimer = null;
+		}
+
+		const applyUpdate = () => {
+			if (view) {
+				lastAppliedMarkersJson = newJson;
+				view.dispatch({
+					effects: updateMarkersEffect.of(markers)
+				});
+			}
+		};
+
+		if (immediate) {
+			applyUpdate();
+		} else {
+			markerUpdateTimer = setTimeout(applyUpdate, MARKER_UPDATE_DEBOUNCE_MS);
 		}
 	}

@@ -693,12 +780,11 @@
 	});

 	// Update markers when prop changes (backup mechanism, parent should also call updateVariableMarkers)
+	// Uses the debounced update to prevent flicker during fast typing
 	$effect(() => {
 		const markers = variableMarkers;
 		if (view && markers) {
-			view.dispatch({
-				effects: updateMarkersEffect.of(markers)
-			});
+			updateVariableMarkers(markers);
 		}
 	});
 </script>
@@ -706,7 +792,6 @@
 <div
 	bind:this={container}
 	class="h-full w-full overflow-hidden {className}"
-	onkeydown={(e) => e.stopPropagation()}
 ></div>

 <style>
@@ -46,6 +46,8 @@
 	let status = $state<PullStatus>('idle');
 	let image = $state(initialImageName);
 	let duration = $state(0);
+	// Track whether image was set from initial prop vs typed by user
+	let hasAutoStarted = $state(false);

 	// Notify parent of status changes
 	$effect(() => {
@@ -82,8 +84,10 @@
 		onImageChange?.(image);
 	});

+	// Auto-start only once for prefilled images, not when user is typing
 	$effect(() => {
-		if (autoStart && image && status === 'idle') {
+		if (autoStart && initialImageName && image === initialImageName && status === 'idle' && !hasAutoStarted) {
+			hasAutoStarted = true;
 			startPull();
 		}
 	});
@@ -133,6 +137,7 @@
 		layerOrder = 0;
 		outputLines = [];
 		duration = 0;
+		hasAutoStarted = false;
 	}

 	export function getImage() {
@@ -99,7 +99,7 @@
 <div class="space-y-3">
 	<!-- Variables List -->
 	<div class="space-y-3">
-		{#each variables as variable, index}
+		{#each variables as variable, index (index)}
 			{@const source = getSource(variable.key)}
 			{@const isVarRequired = isRequired(variable.key)}
 			{@const isVarOptional = isOptional(variable.key)}
@@ -0,0 +1,398 @@
+<script lang="ts">
+	import { tick, untrack } from 'svelte';
+	import { Button } from '$lib/components/ui/button';
+	import StackEnvVarsEditor, { type EnvVar, type ValidationResult } from '$lib/components/StackEnvVarsEditor.svelte';
+	import CodeEditor from '$lib/components/CodeEditor.svelte';
+	import ConfirmPopover from '$lib/components/ConfirmPopover.svelte';
+	import { Plus, Info, Upload, Trash2, List, FileText, AlertTriangle } from 'lucide-svelte';
+	import * as Tooltip from '$lib/components/ui/tooltip';
+
+	interface Props {
+		variables: EnvVar[]; // Bindable - kept in sync with rawContent
+		rawContent?: string; // The actual content saved to disk - source of truth
+		validation?: ValidationResult | null;
+		readonly?: boolean;
+		showSource?: boolean;
+		sources?: Record<string, 'file' | 'override'>;
+		placeholder?: { key: string; value: string };
+		infoText?: string;
+		existingSecretKeys?: Set<string>;
+		class?: string;
+		onchange?: () => void;
+	}
+
+	let {
+		variables = $bindable([]),
+		rawContent = $bindable(''),
+		validation = null,
+		readonly = false,
+		showSource = false,
+		sources = {},
+		placeholder = { key: 'VARIABLE_NAME', value: 'value' },
+		infoText,
+		existingSecretKeys = new Set<string>(),
+		class: className = '',
+		onchange
+	}: Props = $props();
+
+	const STORAGE_KEY_VIEW_MODE = 'dockhand-env-vars-view-mode';
+
+	let fileInputRef: HTMLInputElement;
+	let viewMode = $state<'form' | 'text'>(
+		(typeof localStorage !== 'undefined' && localStorage.getItem(STORAGE_KEY_VIEW_MODE) as 'form' | 'text') || 'form'
+	);
+	let confirmClearOpen = $state(false);
+	let contentAreaRef: HTMLDivElement;
+	let parseWarnings = $state<string[]>([]);
+	let editorTheme = $state<'light' | 'dark'>('dark');
+
+	// Track previous variables to detect form changes
+	let prevVariablesJson = $state('');
+
+	// Track if initial sync has been done (to distinguish initial load from user action)
+	let initialized = $state(false);
+
+	// Parse raw content to EnvVar array
+	function parseRawContent(content: string): { vars: EnvVar[], warnings: string[] } {
+		const result: EnvVar[] = [];
+		const warnings: string[] = [];
+		let lineNum = 0;
+
+		for (const line of content.split('\n')) {
+			lineNum++;
+			const trimmed = line.trim();
+			if (!trimmed || trimmed.startsWith('#')) continue;
+
+			const eqIndex = trimmed.indexOf('=');
+			if (eqIndex === -1) {
+				warnings.push(`Line ${lineNum}: "${trimmed.slice(0, 30)}${trimmed.length > 30 ? '...' : ''}" (no = found)`);
+				continue;
+			}
+
+			const key = trimmed.slice(0, eqIndex).trim();
+			let value = trimmed.slice(eqIndex + 1);
+
+			if ((value.startsWith('"') && value.endsWith('"')) ||
+			    (value.startsWith("'") && value.endsWith("'"))) {
+				value = value.slice(1, -1);
+			}
+
+			if (key) {
+				if (!/^[a-zA-Z_][a-zA-Z0-9_]*$/.test(key)) {
+					warnings.push(`Line ${lineNum}: "${key}" (invalid variable name)`);
+					continue;
+				}
+				result.push({
+					key,
+					value,
+					isSecret: existingSecretKeys.has(key) || false
+				});
+			}
+		}
+
+		return { vars: result, warnings };
+	}
+
+	// Update rawContent when variables change - replace var lines by position, preserve comments
+	function syncRawContentFromVariables(newVars: EnvVar[]) {
+		const lines = rawContent.split('\n');
+		const resultLines: string[] = [];
+		const varsWithKeys = newVars.filter(v => v.key.trim());
+		let varIdx = 0;
+
+		for (const line of lines) {
+			const trimmed = line.trim();
+			// Keep comments and blank lines
+			if (!trimmed || trimmed.startsWith('#')) {
+				resultLines.push(line);
+				continue;
+			}
+
+			const eqIndex = trimmed.indexOf('=');
+			if (eqIndex > 0) {
+				const key = trimmed.slice(0, eqIndex).trim();
+				if (/^[a-zA-Z_][a-zA-Z0-9_]*$/.test(key)) {
+					// This is a valid variable line - replace with var at current index
+					if (varIdx < varsWithKeys.length) {
+						const v = varsWithKeys[varIdx];
+						resultLines.push(`${v.key.trim()}=${v.value}`);
+						varIdx++;
+					}
+					// If we have fewer vars, this line is deleted
+					continue;
+				}
+			}
+			// Keep invalid lines as-is
+			resultLines.push(line);
+		}
+
+		// Append any new variables
+		while (varIdx < varsWithKeys.length) {
+			const v = varsWithKeys[varIdx];
+			resultLines.push(`${v.key.trim()}=${v.value}`);
+			varIdx++;
+		}
+
+		let result = resultLines.join('\n');
+		if (result && !result.endsWith('\n')) {
+			result += '\n';
+		}
+		return result;
+	}
+
+	// When rawContent changes externally (text view, file load), update variables
+	$effect(() => {
+		const { vars, warnings } = parseRawContent(rawContent);
+		parseWarnings = warnings;
+
+		// Initial load with no .env file: don't overwrite DB-loaded variables
+		// Let the second $effect generate rawContent from the existing variables instead
+		if (!initialized && !rawContent.trim() && variables.length > 0) {
+			initialized = true;
+			return;
+		}
+		initialized = true;
+
+		// When rawContent has content, merge parsed vars with existing DB secrets
+		// This handles the case where .env file exists but DB has additional secrets
+		let finalVars = vars;
+		if (rawContent.trim()) {
+			const parsedKeys = new Set(vars.map(v => v.key));
+			const existingSecrets = untrack(() =>
+				variables.filter(v => v.isSecret && !parsedKeys.has(v.key))
+			);
+			if (existingSecrets.length > 0) {
+				finalVars = [...vars, ...existingSecrets];
+			}
+		}
+
+		const newJson = JSON.stringify(finalVars.map(v => ({ key: v.key, value: v.value })));
+		// Use untrack to read variables without creating a dependency on it
+		// This prevents the effect from running when variables changes (only rawContent should trigger it)
+		const currentNonEmptyJson = untrack(() =>
+			JSON.stringify(variables.filter(v => v.key.trim()).map(v => ({ key: v.key, value: v.value })))
+		);
+
+		if (newJson !== currentNonEmptyJson) {
+			variables = finalVars;
+			prevVariablesJson = newJson;
+		}
+	});
+
+	// When variables change from form edits, update rawContent
+	$effect(() => {
+		const currentJson = JSON.stringify(variables.map(v => ({ key: v.key, value: v.value })));
+
+		// Only sync if variables actually changed (not from parsing rawContent)
+		if (currentJson !== prevVariablesJson) {
+			prevVariablesJson = currentJson;
+			const newRaw = syncRawContentFromVariables(variables);
+			if (newRaw !== rawContent) {
+				rawContent = newRaw;
+			}
+		}
+	});
+
+	function handleTextChange(value: string) {
+		rawContent = value;
+		onchange?.();
+	}
+
+	function handleViewModeChange(newMode: 'form' | 'text') {
+		viewMode = newMode;
+		localStorage.setItem(STORAGE_KEY_VIEW_MODE, newMode);
+	}
+
+	async function addEnvVariable() {
+		variables = [...variables, { key: '', value: '', isSecret: false }];
+		onchange?.();
+		await tick();
+		if (contentAreaRef) {
+			contentAreaRef.scrollTop = contentAreaRef.scrollHeight;
+		}
+	}
+
+	async function addMissingVariable(key: string) {
+		variables = [...variables, { key, value: '', isSecret: false }];
+		onchange?.();
+		await tick();
+		if (contentAreaRef) {
+			contentAreaRef.scrollTop = contentAreaRef.scrollHeight;
+		}
+	}
+
+	function handleLoadFromFile() {
+		fileInputRef?.click();
+	}
+
+	function handleFileSelect(event: Event) {
+		const input = event.target as HTMLInputElement;
+		const file = input.files?.[0];
+		if (!file) return;
+
+		const reader = new FileReader();
+		reader.onload = (e) => {
+			rawContent = e.target?.result as string;
+			onchange?.();
+		};
+		reader.readAsText(file);
+		input.value = '';
+	}
+
+	function clearAll() {
+		rawContent = '';
+		variables = [];
+		onchange?.();
+	}
+
+	const hasContent = $derived(!!rawContent?.trim() || variables.some(v => v.key.trim()));
+</script>
+
+<div class="flex flex-col h-full {className}">
+	<!-- Header -->
+	<div class="px-4 py-2.5 border-b border-zinc-200 dark:border-zinc-700 flex flex-col gap-1.5">
+		<div class="flex items-center justify-between gap-2">
+			<div class="flex items-center gap-2 flex-nowrap min-w-0">
+				<span class="text-xs text-zinc-500 dark:text-zinc-400">Environment variables</span>
+				{#if infoText}
+					<Tooltip.Root>
+						<Tooltip.Trigger>
+							<Info class="w-3.5 h-3.5 text-blue-400" />
+						</Tooltip.Trigger>
+						<Tooltip.Portal>
+							<Tooltip.Content side="bottom" sideOffset={8} class="max-w-xs w-64 bg-white dark:bg-zinc-900 text-zinc-900 dark:text-zinc-100 border-zinc-200 dark:border-zinc-700">
+								<p class="text-xs text-left">{infoText}</p>
+							</Tooltip.Content>
+						</Tooltip.Portal>
+					</Tooltip.Root>
+				{/if}
+				<!-- View mode toggle -->
+				<div class="flex items-center gap-0.5 bg-zinc-100 dark:bg-zinc-800 rounded p-0.5 ml-1">
+					<button
+						type="button"
+						class="flex items-center gap-1 px-1.5 py-0.5 rounded text-2xs transition-colors {viewMode === 'form' ? 'bg-white dark:bg-zinc-700 text-zinc-800 dark:text-zinc-100 shadow-sm' : 'text-zinc-500 dark:text-zinc-400 hover:text-zinc-700 dark:hover:text-zinc-200'}"
+						onclick={() => handleViewModeChange('form')}
+						title="Form view"
+					>
+						<List class="w-3 h-3" />
+					</button>
+					<button
+						type="button"
+						class="flex items-center gap-1 px-1.5 py-0.5 rounded text-2xs transition-colors {viewMode === 'text' ? 'bg-white dark:bg-zinc-700 text-zinc-800 dark:text-zinc-100 shadow-sm' : 'text-zinc-500 dark:text-zinc-400 hover:text-zinc-700 dark:hover:text-zinc-200'}"
+						onclick={() => handleViewModeChange('text')}
+						title="Text view (raw .env file)"
+					>
+						<FileText class="w-3 h-3" />
+					</button>
+				</div>
+			</div>
+			{#if !readonly}
+				<div class="flex items-center gap-1 shrink-0 ml-4">
+					<Button type="button" size="sm" variant="ghost" onclick={handleLoadFromFile} class="h-6 text-xs px-2">
+						<Upload class="w-3.5 h-3.5 mr-1" />
+						Load .env
+					</Button>
+					{#if viewMode === 'form'}
+						<Button type="button" size="sm" variant="ghost" onclick={addEnvVariable} class="h-6 text-xs px-2">
+							<Plus class="w-3.5 h-3.5 mr-1" />
+							Add
+						</Button>
+					{/if}
+					<div class="{hasContent ? '' : 'invisible'}">
+						<ConfirmPopover
+							bind:open={confirmClearOpen}
+							title="Clear all variables?"
+							action="clear"
+							itemType="environment variables"
+							confirmText="Clear all"
+							onConfirm={clearAll}
+							onOpenChange={(o) => confirmClearOpen = o}
+						>
+							{#snippet children({ open })}
+								<Button type="button" size="sm" variant="ghost" class="h-6 text-xs px-2 text-destructive hover:text-destructive">
+									<Trash2 class="w-3.5 h-3.5 mr-1" />
+									Clear
+								</Button>
+							{/snippet}
+						</ConfirmPopover>
+					</div>
+				</div>
+				<input
+					bind:this={fileInputRef}
+					type="file"
+					accept=".env,.env.*,text/plain"
+					class="hidden"
+					onchange={handleFileSelect}
+				/>
+			{/if}
+		</div>
+		<!-- Help text -->
+		{#if viewMode === 'form'}
+			<div class="flex flex-wrap gap-x-3 gap-y-0.5 text-2xs text-zinc-400 dark:text-zinc-500 font-mono">
+				<span><span class="text-zinc-500 dark:text-zinc-400">${`{VAR}`}</span> required</span>
+				<span><span class="text-zinc-500 dark:text-zinc-400">${`{VAR:-default}`}</span> optional</span>
+				<span><span class="text-zinc-500 dark:text-zinc-400">${`{VAR:?error}`}</span> required w/ error</span>
+			</div>
+		{:else}
+			<div class="text-2xs text-zinc-400 dark:text-zinc-500">
+				Raw .env file (comments preserved, saved exactly as typed)
+			</div>
+		{/if}
+		<!-- Parse warnings (form mode only) -->
+		{#if viewMode === 'form' && parseWarnings.length > 0}
+			<div class="flex items-start gap-2 px-2 py-1.5 rounded bg-amber-50 dark:bg-amber-900/20 border border-amber-200 dark:border-amber-800/50">
+				<AlertTriangle class="w-3.5 h-3.5 text-amber-500 shrink-0 mt-0.5" />
+				<div class="text-2xs text-amber-700 dark:text-amber-300">
+					<span class="font-medium">Some lines couldn't be parsed:</span>
+					<ul class="mt-0.5 list-disc list-inside">
+						{#each parseWarnings.slice(0, 3) as warning}
+							<li>{warning}</li>
+						{/each}
+						{#if parseWarnings.length > 3}
+							<li>...and {parseWarnings.length - 3} more</li>
+						{/if}
+					</ul>
+					<p class="mt-1 text-amber-600 dark:text-amber-400">Switch to text view to edit these lines.</p>
+				</div>
+			</div>
+		{/if}
+		<!-- Add missing variables (form mode only) -->
+		{#if viewMode === 'form' && validation && validation.missing.length > 0 && !readonly}
+			<div class="flex flex-wrap gap-1 items-center">
+				<span class="text-xs text-muted-foreground mr-1">Add missing:</span>
+				{#each validation.missing as missing}
+					<button
+						type="button"
+						onclick={() => addMissingVariable(missing)}
+						class="text-xs px-1.5 py-0.5 rounded bg-red-100 text-red-700 hover:bg-red-200 dark:bg-red-900/30 dark:text-red-300 dark:hover:bg-red-900/50 transition-colors"
+					>
+						{missing}
+					</button>
+				{/each}
+			</div>
+		{/if}
+	</div>
+	<!-- Content area -->
+	<div bind:this={contentAreaRef} class="flex-1 overflow-auto px-4 py-3">
+		{#if viewMode === 'form'}
+			<StackEnvVarsEditor
+				bind:variables
+				{validation}
+				{readonly}
+				{showSource}
+				{sources}
+				{placeholder}
+				{existingSecretKeys}
+			/>
+		{:else}
+			<CodeEditor
+				value={rawContent}
+				language="dotenv"
+				theme={editorTheme}
+				readonly={readonly}
+				onchange={handleTextChange}
+				class="h-full min-h-[200px] rounded-md overflow-hidden border border-zinc-200 dark:border-zinc-700"
+			/>
+		{/if}
+	</div>
+</div>
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
jarek	cd6544aedb	1.0.5	2026-01-01 16:00:34 +01:00
jarek	c60db2930c	compose example	2025-12-29 15:29:33 +01:00
Jarek Krochmalski	695acd922e	bmac	2025-12-29 13:46:13 +01:00
Jarek Krochmalski	fcb36c4646	bmac	2025-12-29 13:39:36 +01:00
Jarek Krochmalski	53ca99ac77	Update README.md	2025-12-29 13:37:26 +01:00
Jarek Krochmalski	81fcc28d0b	Update LICENSE.txt	2025-12-29 09:27:27 +01:00
jarek	522154cd68	ignore	2025-12-29 09:08:29 +01:00
jarek	9db6e67a61	drizzle config	2025-12-29 09:08:06 +01:00
Jarek Krochmalski	ba05d16d79	cleanup .DS_Store	2025-12-29 08:55:55 +01:00
jarek	f4a57ecfd3	proper src structure, dockerfile, entrypoint	2025-12-29 08:40:56 +01:00
jarek	ab8743bdae	proper src structure, dockerfile, entrypoint	2025-12-29 08:40:11 +01:00
Jarek Krochmalski	e536388a7a	Update README.md	2025-12-29 06:47:46 +01:00
Jarek Krochmalski	497fbdb635	Update README.md	2025-12-29 06:47:22 +01:00
Jarek Krochmalski	53d60fdddd	Update README.md	2025-12-28 21:40:06 +01:00