v1.0.23

The dockhand-updater image ships Docker CLI 29.2.1 (API 1.53), which
fails on hosts running older Docker daemons (e.g. Synology DSM with
Docker 24.0.2 / API 1.43). Every docker command in update.sh returns
"client version 1.53 is too new".

Query the daemon's API version via /version and pass it as
DOCKER_API_VERSION to the updater container env. If the env var is
already set on the main container, forward that instead.

Fixes #759

Dockerfile

@@ -37,7 +37,7 @@ RUN APKO_ARCH=$([ "$TARGETARCH" = "arm64" ] && echo "aarch64" || echo "x86_64")
     "    - busybox" \
     "    - tzdata" \
     "    - docker-cli" \
-    "    - docker-compose=5.1.3-r0" \
+    "    - docker-compose=5.0.2-r1" \
     "    - docker-cli-buildx" \
     "    - sqlite" \
     "    - postgresql-client" \
@@ -77,8 +77,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 
 # Copy package files and install dependencies (--ignore-scripts blocks malicious postinstall hooks)
 COPY package.json package-lock.json ./
-RUN MAKEFLAGS="-j$(nproc)" npm ci --ignore-scripts \
-    && MAKEFLAGS="-j$(nproc)" npm rebuild better-sqlite3 argon2
+RUN npm ci --ignore-scripts \
+    && npm rebuild better-sqlite3 argon2
 
 # Copy source code and build
 COPY . .
@@ -93,7 +93,7 @@ RUN cp -r node_modules/better-sqlite3/build /tmp/better-sqlite3-build \
     && rm -rf node_modules/@types /tmp/better-sqlite3-build
 
 # Build Go collector
-FROM --platform=$BUILDPLATFORM golang:1.25.9 AS go-builder
+FROM --platform=$BUILDPLATFORM golang:1.25.8 AS go-builder
 ARG TARGETARCH
 WORKDIR /app
 COPY collector/ ./collector/

Dockerfile.baseline

@@ -18,33 +18,25 @@ FROM node:24-alpine AS app-builder
 WORKDIR /app
 
 # Install build dependencies
-RUN apk add --no-cache git curl python3 make g++ gcc musl-dev
+RUN apk add --no-cache git curl python3 make g++
 
-# Build getrandom shim for old kernels (< 3.17) that lack the syscall
-COPY shims/getrandom-shim.c /tmp/
-RUN gcc -shared -fPIC -O2 -o /tmp/libgetrandom-shim.so /tmp/getrandom-shim.c
-
-# Copy package files and install dependencies (--ignore-scripts blocks malicious postinstall hooks)
+# Copy package files and install dependencies
 COPY package.json package-lock.json ./
-RUN npm ci --ignore-scripts \
-    && npm rebuild better-sqlite3 argon2
+RUN npm ci
 
 # Copy source code and build
 COPY . .
 RUN npm run build
 
-# Production dependencies only
-# Preserve better-sqlite3 native addon (no prebuilds exist for Node 24 ABI 137)
-RUN cp -r node_modules/better-sqlite3/build /tmp/better-sqlite3-build \
-    && rm -rf node_modules \
-    && npm ci --omit=dev --ignore-scripts \
-    && cp -r /tmp/better-sqlite3-build node_modules/better-sqlite3/build \
-    && rm -rf node_modules/@types /tmp/better-sqlite3-build
+# Production dependencies only (rebuilds native addons against musl)
+RUN rm -rf node_modules \
+    && npm ci --omit=dev \
+    && rm -rf node_modules/@types
 
 # -----------------------------------------------------------------------------
 # Stage 2: Go Collector Builder
 # -----------------------------------------------------------------------------
-FROM golang:1.25.8 AS go-builder
+FROM golang:1.24 AS go-builder
 WORKDIR /app
 COPY collector/ ./collector/
 RUN cd collector && CGO_ENABLED=0 go build -o /app/bin/collection-worker .
@@ -70,10 +62,9 @@ RUN apk add --no-cache \
     su-exec \
     libstdc++
 
-# Create docker compose plugin symlink (skip if package already installed it there)
+# Create docker compose plugin symlink
 RUN mkdir -p /usr/libexec/docker/cli-plugins \
-    && [ -x /usr/libexec/docker/cli-plugins/docker-compose ] \
-    || ln -sf /usr/bin/docker-compose /usr/libexec/docker/cli-plugins/docker-compose
+    && ln -sf /usr/bin/docker-compose /usr/libexec/docker/cli-plugins/docker-compose
 
 # Create dockhand user and group
 RUN addgroup -g 1001 dockhand \
@@ -89,8 +80,7 @@ ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt \
     DATA_DIR=/app/data \
     HOME=/home/dockhand \
     PUID=1001 \
-    PGID=1001 \
-    LD_PRELOAD=/usr/lib/libgetrandom-shim.so
+    PGID=1001
 
 # Copy application files with correct ownership
 COPY --from=app-builder --chown=dockhand:dockhand /app/node_modules ./node_modules
@@ -108,9 +98,6 @@ COPY --chown=dockhand:dockhand drizzle-pg/ ./drizzle-pg/
 # Copy legal documents
 COPY --chown=dockhand:dockhand LICENSE.txt PRIVACY.txt ./
 
-# Copy getrandom shim for old kernels (Synology DS1513+ with kernel 3.10.x)
-COPY --from=app-builder /tmp/libgetrandom-shim.so /usr/lib/libgetrandom-shim.so
-
 # Copy entrypoint script
 COPY docker-entrypoint-node.sh /usr/local/bin/docker-entrypoint.sh
 RUN chmod +x /usr/local/bin/docker-entrypoint.sh
@@ -126,7 +113,7 @@ RUN mkdir -p /home/dockhand/.dockhand/stacks /app/data \
 EXPOSE 3000
 
 HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
-    CMD curl -f http://localhost:${PORT:-3000}/ || exit 1
+    CMD curl -f http://localhost:3000/ || exit 1
 
 ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/docker-entrypoint.sh"]
-CMD []
+CMD ["node", "/app/server.js"]

VERSION

@@ -1 +1 @@
-v1.0.26
+v1.0.23

collector/go.mod

@@ -1,3 +1,3 @@
 module github.com/Finsys/dockhand/collector
 
-go 1.25.9
+go 1.25

drizzle-pg/0005_add_api_tokens.sql

@@ -1,21 +0,0 @@
-CREATE TABLE IF NOT EXISTS "api_tokens" (
-	"id" serial PRIMARY KEY NOT NULL,
-	"user_id" integer NOT NULL,
-	"name" text NOT NULL,
-	"token_hash" text NOT NULL,
-	"token_prefix" text NOT NULL,
-	"last_used" timestamp,
-	"expires_at" timestamp,
-	"created_at" timestamp DEFAULT now(),
-	"updated_at" timestamp DEFAULT now(),
-	CONSTRAINT "api_tokens_token_hash_unique" UNIQUE("token_hash")
-);
---> statement-breakpoint
-DO $$ BEGIN
- ALTER TABLE "api_tokens" ADD CONSTRAINT "api_tokens_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("id") ON DELETE cascade ON UPDATE no action;
-EXCEPTION
- WHEN duplicate_object THEN null;
-END $$;
---> statement-breakpoint
-CREATE INDEX IF NOT EXISTS "api_tokens_user_id_idx" ON "api_tokens" USING btree ("user_id");--> statement-breakpoint
-CREATE INDEX IF NOT EXISTS "api_tokens_token_prefix_idx" ON "api_tokens" USING btree ("token_prefix");

drizzle-pg/meta/0004_snapshot.json

@@ -1,6 +1,6 @@
 {
-  "id": "cefce4cc-994a-4b79-b55a-e995211b8f6a",
-  "prevId": "b10cba96-4947-484f-84a2-efb65205381f",
+  "id": "b10cba96-4947-484f-84a2-efb65205381f",
+  "prevId": "eef8322a-0ccc-418c-b0f6-f51972a1850e",
   "version": "7",
   "dialect": "postgresql",
   "tables": {

drizzle-pg/meta/_journal.json

@@ -36,13 +36,6 @@
       "when": 1774155653752,
       "tag": "0004_add_git_stack_deploy_options",
       "breakpoints": true
-    },
-    {
-      "idx": 5,
-      "version": "7",
-      "when": 1775312212996,
-      "tag": "0005_add_api_tokens",
-      "breakpoints": true
     }
   ]
 }

drizzle/0005_add_api_tokens.sql

@@ -1,16 +0,0 @@
-CREATE TABLE `api_tokens` (
-	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
-	`user_id` integer NOT NULL,
-	`name` text NOT NULL,
-	`token_hash` text NOT NULL,
-	`token_prefix` text NOT NULL,
-	`last_used` text,
-	`expires_at` text,
-	`created_at` text DEFAULT CURRENT_TIMESTAMP,
-	`updated_at` text DEFAULT CURRENT_TIMESTAMP,
-	FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON UPDATE no action ON DELETE cascade
-);
---> statement-breakpoint
-CREATE UNIQUE INDEX `api_tokens_token_hash_unique` ON `api_tokens` (`token_hash`);--> statement-breakpoint
-CREATE INDEX `api_tokens_user_id_idx` ON `api_tokens` (`user_id`);--> statement-breakpoint
-CREATE INDEX `api_tokens_token_prefix_idx` ON `api_tokens` (`token_prefix`);

drizzle/meta/_journal.json

@@ -36,13 +36,6 @@
       "when": 1774155653752,
       "tag": "0004_add_git_stack_deploy_options",
       "breakpoints": true
-    },
-    {
-      "idx": 5,
-      "version": "6",
-      "when": 1775311743346,
-      "tag": "0005_add_api_tokens",
-      "breakpoints": true
     }
   ]
 }

package.json

@@ -1,7 +1,7 @@
 {
 	"name": "dockhand",
 	"private": true,
-	"version": "1.0.26",
+	"version": "1.0.23",
 	"type": "module",
 	"scripts": {
 		"dev": "npx vite dev",
@@ -77,11 +77,11 @@
 		"croner": "9.1.0",
 		"cronstrue": "3.9.0",
 		"devalue": "5.6.4",
-		"drizzle-orm": "0.45.2",
+		"drizzle-orm": "0.45.1",
 		"fast-xml-parser": "5.5.8",
 		"js-yaml": "4.1.1",
 		"ldapts": "8.1.3",
-		"nodemailer": "8.0.5",
+		"nodemailer": "8.0.4",
 		"otpauth": "9.4.1",
 		"postgres": "3.4.8",
 		"qrcode": "1.5.4",
@@ -136,7 +136,6 @@
 		"@codemirror/commands": "6.10.1",
 		"@codemirror/search": "6.6.0",
 		"@lezer/common": "1.5.0",
-		"@lezer/highlight": "1.2.3",
-		"devalue": "5.6.4"
+		"@lezer/highlight": "1.2.3"
 	}
 }

src/hooks.server.ts

@@ -4,8 +4,6 @@ import { initDatabase, hasAdminUser } from '$lib/server/db';
 import { startSubprocesses, stopSubprocesses } from '$lib/server/subprocess-manager';
 import { startScheduler } from '$lib/server/scheduler';
 import { isAuthEnabled, validateSession } from '$lib/server/auth';
-import { validateApiToken } from '$lib/server/api-tokens';
-import { requestContext } from '$lib/server/request-context';
 import { setServerStartTime } from '$lib/server/uptime';
 import { checkLicenseExpiry, getHostname } from '$lib/server/license';
 import { initCryptoFallback } from '$lib/server/crypto-fallback';
@@ -200,58 +198,6 @@ if (!initialized) {
 	}
 }
 
-// Bearer token auth failure rate limiting (per IP, 5-minute cooldown after 10 failures)
-const bearerFailCounts = new Map<string, { count: number; firstFail: number }>();
-const BEARER_FAIL_WINDOW_MS = 60_000; // 1-minute sliding window
-const BEARER_FAIL_MAX = 15; // max failures per window
-const BEARER_COOLDOWN_MS = 5 * 60 * 1000; // 5-minute cooldown after exceeding limit
-const bearerCooldowns = new Map<string, number>(); // IP → cooldown-until timestamp
-
-// Periodic cleanup
-setInterval(() => {
-	const now = Date.now();
-	for (const [ip, until] of bearerCooldowns) {
-		if (now > until) bearerCooldowns.delete(ip);
-	}
-	for (const [ip, entry] of bearerFailCounts) {
-		if (now - entry.firstFail > BEARER_FAIL_WINDOW_MS) bearerFailCounts.delete(ip);
-	}
-}, BEARER_COOLDOWN_MS).unref?.();
-
-function getClientIp(event: { request: Request; getClientAddress?: () => string }): string {
-	// Prefer socket-level IP (SvelteKit resolves proxy headers via adapter config)
-	// This prevents X-Forwarded-For spoofing to bypass rate limiting
-	try {
-		const addr = event.getClientAddress?.();
-		if (addr) return addr;
-	} catch { /* getClientAddress may throw if unavailable */ }
-	return 'unknown';
-}
-
-function recordBearerFailure(ip: string): void {
-	const now = Date.now();
-	const entry = bearerFailCounts.get(ip);
-	if (!entry || now - entry.firstFail > BEARER_FAIL_WINDOW_MS) {
-		bearerFailCounts.set(ip, { count: 1, firstFail: now });
-		return;
-	}
-	entry.count++;
-	if (entry.count >= BEARER_FAIL_MAX) {
-		bearerCooldowns.set(ip, now + BEARER_COOLDOWN_MS);
-		bearerFailCounts.delete(ip);
-	}
-}
-
-function isBearerRateLimited(ip: string): boolean {
-	const until = bearerCooldowns.get(ip);
-	if (!until) return false;
-	if (Date.now() > until) {
-		bearerCooldowns.delete(ip);
-		return false;
-	}
-	return true;
-}
-
 // Routes that don't require authentication
 const PUBLIC_PATHS = [
 	'/login',
@@ -301,51 +247,21 @@ export const handle: Handle = async ({ event, resolve }) => {
 		// Check if auth is enabled
 		const authEnabled = await isAuthEnabled();
 
-		// If auth is disabled, allow everything
+		// If auth is disabled, allow everything (app works as before)
 		if (!authEnabled) {
 			event.locals.user = null;
 			event.locals.authEnabled = false;
-			const ctx = { user: null, authEnabled: false, authMethod: 'none' as const };
-			return requestContext.run(ctx, async () => compressResponse(event.request, await resolve(event)));
-		}
-
-		// Auth is enabled - check session first
-		let user = await validateSession(event.cookies);
-		let authMethod: 'cookie' | 'bearer' | 'none' = user ? 'cookie' : 'none';
-
-		// If no session, try Bearer token on API routes
-		if (!user && event.url.pathname.startsWith('/api/')) {
-			const authHeader = event.request.headers.get('authorization');
-			if (authHeader && authHeader.startsWith('Bearer dh_') && authHeader.length <= 207) {
-				const clientIp = getClientIp(event);
-
-				// Rate limit failed Bearer attempts
-				if (isBearerRateLimited(clientIp)) {
-					return new Response(
-						JSON.stringify({ error: 'Too many failed authentication attempts' }),
-						{ status: 429, headers: { 'Content-Type': 'application/json', 'Retry-After': '300' } }
-					);
-				}
-
-				const token = authHeader.substring(7); // strip "Bearer "
-				user = await validateApiToken(token);
-
-				if (user) {
-					authMethod = 'bearer';
-				} else {
-					recordBearerFailure(clientIp);
-				}
-			}
+			return compressResponse(event.request, await resolve(event));
 		}
 
+		// Auth is enabled - check session
+		const user = await validateSession(event.cookies);
 		event.locals.user = user;
 		event.locals.authEnabled = true;
 
-		const ctx = { user, authEnabled: true, authMethod };
-
 		// Public paths don't require authentication
 		if (isPublicPath(event.url.pathname)) {
-			return requestContext.run(ctx, async () => compressResponse(event.request, await resolve(event)));
+			return compressResponse(event.request, await resolve(event));
 		}
 
 		// If not authenticated
@@ -354,7 +270,7 @@ export const handle: Handle = async ({ event, resolve }) => {
 			// This enables the first admin user to be created during initial setup
 			const noAdminSetupMode = !(await hasAdminUser());
 			if (noAdminSetupMode && event.url.pathname === '/api/users' && event.request.method === 'POST') {
-				return requestContext.run(ctx, async () => compressResponse(event.request, await resolve(event)));
+				return compressResponse(event.request, await resolve(event));
 			}
 
 			// API routes return 401
@@ -373,7 +289,7 @@ export const handle: Handle = async ({ event, resolve }) => {
 			redirect(307, `/login?redirect=${redirectUrl}`);
 		}
 
-		return requestContext.run(ctx, async () => compressResponse(event.request, await resolve(event)));
+		return compressResponse(event.request, await resolve(event));
 	} finally {
 		rssAfterOp('http', httpBefore);
 	}

src/lib/components/ConfirmPopover.svelte

@@ -19,7 +19,6 @@
 		onConfirm: () => void;
 		onOpenChange: (open: boolean) => void;
 		children: Snippet<[{ open: boolean }]>;
-		extraContent?: Snippet;
 	}
 
 	let {
@@ -36,8 +35,7 @@
 		disabled = false,
 		onConfirm,
 		onOpenChange,
-		children,
-		extraContent
+		children
 	}: Props = $props();
 
 	const triggerClass = $derived(unstyled
@@ -105,16 +103,11 @@
 		align={position === 'left' ? 'start' : 'end'}
 		sideOffset={8}
 	>
-		<div class="flex flex-col gap-1.5">
-			<div class="flex items-center gap-2">
-				<span class="text-xs whitespace-nowrap">{action} {itemType} {#if displayName}<strong>{displayName}</strong>{/if}?</span>
-				<Button size="sm" {variant} class="h-6 px-2 text-xs" onclick={handleConfirm}>
-					{confirmText}
-				</Button>
-			</div>
-			{#if extraContent}
-				{@render extraContent()}
-			{/if}
+		<div class="flex items-center gap-2">
+			<span class="text-xs whitespace-nowrap">{action} {itemType} {#if displayName}<strong>{displayName}</strong>{/if}?</span>
+			<Button size="sm" {variant} class="h-6 px-2 text-xs" onclick={handleConfirm}>
+				{confirmText}
+			</Button>
 		</div>
 	</Popover.Content>
 </Popover.Root>

src/lib/components/ExecutionLogViewer.svelte

@@ -1,15 +1,13 @@
 <script lang="ts">
 	import { Sun, Moon } from 'lucide-svelte';
-	import { getTimeFormat } from '$lib/stores/settings';
 
 	interface Props {
 		logs: string | null;
 		darkMode?: boolean;
-		timezone?: string;
 		onToggleTheme?: () => void;
 	}
 
-	let { logs, darkMode = true, timezone, onToggleTheme }: Props = $props();
+	let { logs, darkMode = true, onToggleTheme }: Props = $props();
 
 	// Parse log lines with timestamp and content
 	function parseLogLine(line: string): { timestamp: string; content: string; type: 'trivy' | 'grype' | 'error' | 'default' } {
@@ -46,15 +44,7 @@
 	}
 
 	function formatTimestamp(timestamp: string): string {
-		const d = new Date(timestamp);
-		if (isNaN(d.getTime())) return timestamp;
-		return new Intl.DateTimeFormat('en-GB', {
-			timeZone: timezone || undefined,
-			hour: '2-digit',
-			minute: '2-digit',
-			second: '2-digit',
-			hour12: getTimeFormat() === '12h'
-		}).format(d);
+		return timestamp.split('T')[1]?.replace('Z', '') || timestamp;
 	}
 </script>
 

src/lib/components/data-grid/DataGrid.svelte

@@ -329,40 +329,18 @@
 		onExpandChange?.(key, nowExpanded);
 	}
 
-	// Sort persistence
-	const SORT_STORAGE_KEY = `dockhand-${gridId}-sort`;
-	let sortInitialized = false;
-
-	// Restore saved sort on mount
-	onMount(() => {
-		if (!onSortChange) return;
-		try {
-			const saved = localStorage.getItem(SORT_STORAGE_KEY);
-			if (saved) {
-				const parsed = JSON.parse(saved) as DataGridSortState;
-				if (parsed.field && parsed.direction) {
-					onSortChange(parsed);
-				}
-			}
-		} catch {}
-		sortInitialized = true;
-	});
-
-	// Persist sort state whenever it changes (after init)
-	$effect(() => {
-		if (!sortInitialized || !sortState) return;
-		try { localStorage.setItem(SORT_STORAGE_KEY, JSON.stringify(sortState)); } catch {}
-	});
-
 	// Sort helpers
 	function toggleSort(field: string) {
 		if (!onSortChange) return;
 
-		const newState: DataGridSortState = sortState?.field === field
-			? { field, direction: sortState.direction === 'asc' ? 'desc' : 'asc' }
-			: { field, direction: 'asc' };
-
-		onSortChange(newState);
+		if (sortState?.field === field) {
+			onSortChange({
+				field,
+				direction: sortState.direction === 'asc' ? 'desc' : 'asc'
+			});
+		} else {
+			onSortChange({ field, direction: 'asc' });
+		}
 	}
 
 	// Virtual scroll state

src/lib/data/changelog.json

@@ -1,51 +1,4 @@
 [
-  {
-    "version": "1.0.26",
-    "date": "2026-04-19",
-    "changes": [
-      { "type": "feature", "text": "persist sort order across page navigation for all data grids (#861, #912)" },
-      { "type": "feature", "text": "show git repository URL and branch in git stack edit modal (#856)" },
-      { "type": "feature", "text": "show memory limit alongside usage in containers and stacks views (#893)" },
-      { "type": "feature", "text": "option to delete associated volumes when removing a stack (#655)" },
-      { "type": "feature", "text": "collapse consecutive port mappings into ranges in container list (#821)" },
-      { "type": "fix", "text": "bearer token authentication fails with enterprise license active" },
-      { "type": "fix", "text": "clicking stack name toggles stats accordion instead of just opening editor (#628)" },
-      { "type": "fix", "text": "scheduled image prune notifications missing environment name (#770)" },
-      { "type": "fix", "text": "Gotify, ntfy, Pushover, and webhook notifications missing environment name (#943)" },
-      { "type": "fix", "text": "MFA code field not recognized by Bitwarden and other password managers (#566)" }      
-    ],
-    "imageTag": "fnsys/dockhand:v1.0.26"
-  },
-  {
-    "version": "1.0.25",
-    "date": "2026-04-18",
-    "comingSoon": false,
-    "changes": [
-      { "type": "feature", "text": "API token authentication — Bearer tokens for CI/CD pipelines and scripts" },
-      { "type": "feature", "text": "Telegram topic support — send notifications to supergroup topics (#855)" },
-{ "type": "fix", "text": "allow removing healthcheck, ports, and honor startAfterUpdate=false during container edit (#892)" },
-      { "type": "fix", "text": "validate stack names and prevent broken DB entries on invalid input (#876)" },
-      { "type": "fix", "text": "use per-environment timezone for schedule execution log timestamps (#882)" },
-      { "type": "fix", "text": "\"Pull image before update\" and \"Start after update\" settings ignored (#909)" },
-      { "type": "fix", "text": "image prune timeout on hawser-standard when pruning many images (#905)" },
-      { "type": "fix", "text": "bump Docker Compose to 5.1.3" },
-      { "type": "fix", "text": "mask secret environment variables in container inspect modal (#924)" },
-      { "type": "fix", "text": "viewer role can toggle, delete, and run schedules (#923)" },
-      { "type": "fix", "text": "settings show defaults instead of saved values after login until page refresh (#921)" },
-      { "type": "fix", "text": "settings toggle notifications show wrong state (#931)" },
-      { "type": "fix", "text": "stack memory tooltip shows inflated total on multi-container stacks (#936)" }
-    ],
-    "imageTag": "fnsys/dockhand:v1.0.25"
-  },
-  {
-    "version": "1.0.24",
-    "date": "2026-04-03",
-    "changes": [
-      { "type": "fix", "text": "browsing HTTP registries fails with SSL error (#868)" },
-      { "type": "fix", "text": "git stack deploy options (build, re-pull, force redeploy) not persisted in edit dialog" }
-    ],
-    "imageTag": "fnsys/dockhand:v1.0.24"
-  },
   {
     "version": "1.0.23",
     "date": "2026-04-03",

src/lib/server/api-tokens.ts

@@ -1,274 +0,0 @@
-/**
- * API Token Management
- *
- * Provides Bearer token authentication for CI/CD pipelines and scripts.
- * Tokens use `dh_` prefix, Argon2id hashing, and prefix-based lookup.
- *
- * Performance: An in-memory cache (SHA-256 key, 60s TTL) avoids running
- * Argon2id on every request. First request: ~100ms. Subsequent: ~0ms.
- */
-
-import { createHash } from 'node:crypto';
-import { db, eq, and } from '$lib/server/db/drizzle';
-import { hashPassword, verifyPassword, type AuthenticatedUser } from './auth';
-import { secureRandomBytes } from './crypto-fallback';
-import { getUserRoles, userHasAdminRole, type Permissions } from './db';
-import { isEnterprise } from './license';
-import { tokenCache, ensureCleanupInterval, invalidateTokenCacheForUser, clearTokenCache } from './token-cache';
-
-// Re-export cache functions so existing consumers don't need to change imports
-export { invalidateTokenCacheForUser, clearTokenCache } from './token-cache';
-
-// Dynamic schema import (same pattern as db.ts)
-let apiTokensTable: any;
-
-async function getApiTokensTable() {
-	if (apiTokensTable) return apiTokensTable;
-	const isPostgres = !!(process.env.DATABASE_URL && (
-		process.env.DATABASE_URL.startsWith('postgres://') ||
-		process.env.DATABASE_URL.startsWith('postgresql://')
-	));
-	const schema = isPostgres
-		? await import('./db/schema/pg-schema.js')
-		: await import('./db/schema/index.js');
-	apiTokensTable = schema.apiTokens;
-	return apiTokensTable;
-}
-
-// Token format: dh_ + 32 bytes base64url = dh_ + 43 chars
-const TOKEN_PREFIX = 'dh_';
-const TOKEN_BYTES = 32;
-const PREFIX_LENGTH = 8; // chars after dh_ stored for identification
-const MAX_TOKEN_LENGTH = 200;
-const CACHE_TTL = 60_000; // 60 seconds
-
-function cacheKey(rawToken: string): string {
-	return createHash('sha256').update(rawToken).digest('hex');
-}
-
-// Pre-computed dummy hash for timing protection on invalid prefixes
-let dummyHash: string | null = null;
-
-async function getDummyHash(): Promise<string> {
-	if (!dummyHash) {
-		dummyHash = await hashPassword('dh_dummy_token_for_timing_protection');
-	}
-	return dummyHash;
-}
-
-// Initialize dummy hash on import (fire and forget)
-void getDummyHash();
-
-/**
- * Generate a new API token.
- * Returns the plaintext token (shown once) and the database record.
- */
-export async function generateApiToken(
-	userId: number,
-	name: string,
-	expiresAt?: string | null
-): Promise<{ token: string; id: number; tokenPrefix: string }> {
-	const table = await getApiTokensTable();
-
-	// Generate random token
-	const randomBytes = secureRandomBytes(TOKEN_BYTES);
-	const rawToken = TOKEN_PREFIX + randomBytes.toString('base64url');
-	const tokenPrefix = rawToken.substring(TOKEN_PREFIX.length, TOKEN_PREFIX.length + PREFIX_LENGTH);
-
-	// Hash for storage
-	const tokenHash = await hashPassword(rawToken);
-
-	const result = await db.insert(table).values({
-		userId,
-		name,
-		tokenHash,
-		tokenPrefix,
-		expiresAt: expiresAt || null
-	}).returning();
-
-	return {
-		token: rawToken,
-		id: result[0].id,
-		tokenPrefix
-	};
-}
-
-/**
- * Validate a Bearer token and return the associated user.
- * Uses cache to avoid Argon2id on every request.
- */
-export async function validateApiToken(rawToken: string): Promise<AuthenticatedUser | null> {
-	// Input validation
-	if (!rawToken || rawToken.length > MAX_TOKEN_LENGTH || !rawToken.startsWith(TOKEN_PREFIX)) {
-		return null;
-	}
-
-	// Check cache first
-	ensureCleanupInterval();
-	const key = cacheKey(rawToken);
-	const cached = tokenCache.get(key);
-	if (cached && cached.expiresAt > Date.now()) {
-		return cached.user;
-	}
-
-	const table = await getApiTokensTable();
-
-	// Extract prefix for lookup
-	const prefix = rawToken.substring(TOKEN_PREFIX.length, TOKEN_PREFIX.length + PREFIX_LENGTH);
-
-	// Find tokens with matching prefix (deleted tokens are gone, no isActive filter needed)
-	const candidates = await db
-		.select()
-		.from(table)
-		.where(eq(table.tokenPrefix, prefix));
-
-	if (candidates.length === 0) {
-		// Timing protection: run Argon2id anyway
-		await verifyPassword(rawToken, await getDummyHash());
-		return null;
-	}
-
-	// Verify against each candidate (usually just one)
-	for (const candidate of candidates) {
-		const valid = await verifyPassword(rawToken, candidate.tokenHash);
-		if (!valid) continue;
-
-		// Check expiration AFTER hash verification to avoid timing oracle
-		if (candidate.expiresAt && new Date(candidate.expiresAt) < new Date()) {
-			continue;
-		}
-
-		// Build AuthenticatedUser from the token's user
-		const user = await buildUserFromToken(candidate);
-		if (!user) continue;
-
-		// Update lastUsed (fire and forget — non-critical audit field)
-		void db.update(table)
-			.set({ lastUsed: new Date().toISOString() })
-			.where(eq(table.id, candidate.id))
-			.catch((err) => {
-				if (typeof process !== 'undefined' && process.env.DB_VERBOSE_LOGGING === 'true') {
-					console.debug('[api-tokens] lastUsed update failed:', err?.message);
-				}
-			});
-
-		// Cache the result — cap TTL at token expiry time if sooner
-		let cacheTtl = CACHE_TTL;
-		if (candidate.expiresAt) {
-			const timeUntilExpiry = new Date(candidate.expiresAt).getTime() - Date.now();
-			if (timeUntilExpiry < cacheTtl) {
-				cacheTtl = Math.max(0, timeUntilExpiry);
-			}
-		}
-		tokenCache.set(key, { user, expiresAt: Date.now() + cacheTtl });
-
-		return user;
-	}
-
-	return null;
-}
-
-/**
- * Build an AuthenticatedUser from a token's database record.
- */
-async function buildUserFromToken(tokenRecord: any): Promise<AuthenticatedUser | null> {
-	// Import getUserWithoutPassword dynamically to avoid circular deps
-	// This avoids keeping passwordHash in memory unnecessarily
-	const { getUserWithoutPassword } = await import('./db');
-
-	const dbUser = await getUserWithoutPassword(tokenRecord.userId);
-	if (!dbUser || !dbUser.isActive) return null;
-
-	const enterprise = await isEnterprise();
-	let isAdmin = false;
-	let permissions: Permissions;
-
-	if (!enterprise) {
-		// Free edition: everyone is effectively admin
-		isAdmin = true;
-		const { getRoleByName } = await import('./db');
-		const adminRole = await getRoleByName('Admin');
-		permissions = adminRole?.permissions ?? {} as Permissions;
-	} else {
-		isAdmin = await userHasAdminRole(dbUser.id);
-		const userRoleAssignments = await getUserRoles(dbUser.id);
-		// Merge permissions from all roles
-		permissions = {} as Permissions;
-		for (const assignment of userRoleAssignments) {
-			if (!assignment.role) continue;
-			const rolePerms = typeof assignment.role.permissions === 'string'
-				? JSON.parse(assignment.role.permissions)
-				: assignment.role.permissions;
-			if (!rolePerms) continue;
-			for (const [key, actions] of Object.entries(rolePerms)) {
-				if (!permissions[key as keyof Permissions]) {
-					permissions[key as keyof Permissions] = [];
-				}
-				for (const action of actions as string[]) {
-					if (!permissions[key as keyof Permissions].includes(action)) {
-						permissions[key as keyof Permissions].push(action);
-					}
-				}
-			}
-		}
-	}
-
-	// Determine provider from authProvider field
-	let provider: 'local' | 'ldap' | 'oidc' = 'local';
-	if (dbUser.authProvider?.startsWith('ldap')) provider = 'ldap';
-	else if (dbUser.authProvider?.startsWith('oidc')) provider = 'oidc';
-
-	return {
-		id: dbUser.id,
-		username: dbUser.username,
-		email: dbUser.email ?? undefined,
-		displayName: dbUser.displayName ?? undefined,
-		avatar: dbUser.avatar ?? undefined,
-		isAdmin,
-		provider,
-		permissions
-	};
-}
-
-/**
- * List all tokens for a user (no hashes returned).
- */
-export async function listUserTokens(userId: number) {
-	const table = await getApiTokensTable();
-	return db
-		.select({
-			id: table.id,
-			name: table.name,
-			tokenPrefix: table.tokenPrefix,
-			lastUsed: table.lastUsed,
-			expiresAt: table.expiresAt,
-			createdAt: table.createdAt
-		})
-		.from(table)
-		.where(eq(table.userId, userId));
-}
-
-/**
- * Revoke (delete) a token. Owner or admin can revoke.
- */
-export async function revokeApiToken(tokenId: number, requestingUserId: number, isAdmin: boolean): Promise<boolean> {
-	const table = await getApiTokensTable();
-
-	// Find the token
-	const [token] = await db.select().from(table).where(eq(table.id, tokenId));
-	if (!token) return false;
-
-	// Check ownership or admin
-	if (token.userId !== requestingUserId && !isAdmin) {
-		return false;
-	}
-
-	// Hard-delete
-	await db.delete(table).where(eq(table.id, tokenId));
-
-	// Clear cache — we can't map prefix to SHA-256 cache keys, so clear all
-	clearTokenCache();
-
-	return true;
-}
-

src/lib/server/audit.ts

@@ -9,7 +9,6 @@ import type { RequestEvent } from '@sveltejs/kit';
 import { isEnterprise } from './license';
 import { logAuditEvent, type AuditAction, type AuditEntityType, type AuditLogCreateData } from './db';
 import { authorize } from './authorize';
-import { getRequestContext } from './request-context';
 
 export interface AuditContext {
 	userId?: number | null;
@@ -22,8 +21,7 @@ export interface AuditContext {
  * Extract audit context from a request event
  */
 export async function getAuditContext(event: RequestEvent): Promise<AuditContext> {
-	const ctx = getRequestContext();
-	const user = ctx?.user ?? (await authorize(event.cookies)).user;
+	const auth = await authorize(event.cookies);
 
 	// Get IP address from various headers (proxied requests)
 	const forwardedFor = event.request.headers.get('x-forwarded-for');
@@ -42,8 +40,8 @@ export async function getAuditContext(event: RequestEvent): Promise<AuditContext
 	const userAgent = event.request.headers.get('user-agent') || null;
 
 	return {
-		userId: user?.id ?? null,
-		username: user?.username ?? 'anonymous',
+		userId: auth.user?.id ?? null,
+		username: auth.user?.username ?? 'anonymous',
 		ipAddress,
 		userAgent
 	};

src/lib/server/auth.ts

@@ -44,7 +44,6 @@ import {
 import { Client as LdapClient } from 'ldapts';
 import { isEnterprise } from './license';
 import { secureRandomBytes } from './crypto-fallback';
-import { invalidateTokenCacheForUser } from './token-cache';
 
 // Session cookie name
 const SESSION_COOKIE_NAME = 'dockhand_session';
@@ -736,9 +735,6 @@ async function tryLdapAuth(
 			}
 		}
 
-		// Clear cached token permissions after role sync
-		invalidateTokenCacheForUser(user.id);
-
 		if (!user.isActive) {
 			return { success: false, error: 'Account is disabled' };
 		}
@@ -1453,9 +1449,6 @@ export async function handleOidcCallback(
 			}
 		}
 
-		// Clear cached token permissions after role sync
-		invalidateTokenCacheForUser(user.id);
-
 		if (!user.isActive) {
 			return { success: false, error: 'Account is disabled' };
 		}

src/lib/server/authorize.ts

@@ -40,7 +40,6 @@ import type { Permissions } from './db';
 import { getUserAccessibleEnvironments, userCanAccessEnvironment, userHasAdminRole } from './db';
 import { validateSession, isAuthEnabled, checkPermission, type AuthenticatedUser } from './auth';
 import { isEnterprise } from './license';
-import { getRequestContext } from './request-context';
 
 export interface AuthorizationContext {
 	/** Whether authentication is enabled globally */
@@ -114,10 +113,7 @@ export interface AuthorizationContext {
 export async function authorize(cookies: Cookies): Promise<AuthorizationContext> {
 	const authEnabled = await isAuthEnabled();
 	const enterprise = await isEnterprise();
-
-	// Try request context first (set by hook — handles both cookie and Bearer)
-	const reqCtx = getRequestContext();
-	const user = reqCtx?.user ?? (authEnabled ? await validateSession(cookies) : null);
+	const user = authEnabled ? await validateSession(cookies) : null;
 
 	// Determine admin status:
 	// - Free edition: all authenticated users are effectively admins (full access)
@@ -159,8 +155,8 @@ export async function authorize(cookies: Cookies): Promise<AuthorizationContext>
 			// Must be authenticated
 			if (!user) return false;
 
-			// Admins can access all environments (use fresh isAdmin, not cached user.isAdmin)
-			if (isAdmin) return true;
+			// Admins can access all environments
+			if (user.isAdmin) return true;
 
 			// In free edition, all authenticated users have full access
 			if (!enterprise) return true;
@@ -176,8 +172,8 @@ export async function authorize(cookies: Cookies): Promise<AuthorizationContext>
 			// Must be authenticated
 			if (!user) return [];
 
-			// Admins can access all environments (use fresh isAdmin, not cached user.isAdmin)
-			if (isAdmin) return null;
+			// Admins can access all environments
+			if (user.isAdmin) return null;
 
 			// In free edition, all authenticated users have full access
 			if (!enterprise) return null;
@@ -193,8 +189,8 @@ export async function authorize(cookies: Cookies): Promise<AuthorizationContext>
 			// Must be authenticated
 			if (!user) return false;
 
-			// Admins can always manage users (use fresh isAdmin, not cached user.isAdmin)
-			if (isAdmin) return true;
+			// Admins can always manage users
+			if (user.isAdmin) return true;
 
 			// In free edition, all authenticated users have full access
 			if (!enterprise) return true;

src/lib/server/db.ts

@@ -1185,37 +1185,6 @@ export async function getUser(id: number): Promise<UserData | null> {
 	return results[0] as UserData || null;
 }
 
-export interface SafeUserData {
-	id: number;
-	username: string;
-	email: string | null;
-	displayName: string | null;
-	avatar: string | null;
-	authProvider: string | null;
-	mfaEnabled: boolean;
-	isActive: boolean;
-	lastLogin: string | null;
-	createdAt: string;
-	updatedAt: string;
-}
-
-export async function getUserWithoutPassword(id: number): Promise<SafeUserData | null> {
-	const results = await db.select({
-		id: users.id,
-		username: users.username,
-		email: users.email,
-		displayName: users.displayName,
-		avatar: users.avatar,
-		authProvider: users.authProvider,
-		mfaEnabled: users.mfaEnabled,
-		isActive: users.isActive,
-		lastLogin: users.lastLogin,
-		createdAt: users.createdAt,
-		updatedAt: users.updatedAt
-	}).from(users).where(eq(users.id, id));
-	return results[0] as SafeUserData || null;
-}
-
 export async function hasAdminUser(): Promise<boolean> {
 	// Check if any user has the Admin role assigned
 	const adminRole = await db.select().from(roles).where(eq(roles.name, 'Admin')).limit(1);
@@ -2122,9 +2091,6 @@ export async function getGitStacks(environmentId?: number): Promise<GitStackWith
 			autoUpdateCron: gitStacks.autoUpdateCron,
 			webhookEnabled: gitStacks.webhookEnabled,
 			webhookSecret: gitStacks.webhookSecret,
-			buildOnDeploy: gitStacks.buildOnDeploy,
-			repullImages: gitStacks.repullImages,
-			forceRedeploy: gitStacks.forceRedeploy,
 			lastSync: gitStacks.lastSync,
 			lastCommit: gitStacks.lastCommit,
 			syncStatus: gitStacks.syncStatus,
@@ -2153,9 +2119,6 @@ export async function getGitStacks(environmentId?: number): Promise<GitStackWith
 			autoUpdateCron: gitStacks.autoUpdateCron,
 			webhookEnabled: gitStacks.webhookEnabled,
 			webhookSecret: gitStacks.webhookSecret,
-			buildOnDeploy: gitStacks.buildOnDeploy,
-			repullImages: gitStacks.repullImages,
-			forceRedeploy: gitStacks.forceRedeploy,
 			lastSync: gitStacks.lastSync,
 			lastCommit: gitStacks.lastCommit,
 			syncStatus: gitStacks.syncStatus,
@@ -3077,7 +3040,7 @@ export type AuditAction =
 export type AuditEntityType =
 	| 'container' | 'image' | 'stack' | 'volume' | 'network'
 	| 'user' | 'role' | 'settings' | 'environment' | 'registry' | 'git_repository' | 'git_credential'
-	| 'config_set' | 'notification' | 'oidc_provider' | 'ldap_config' | 'git_stack' | 'api_token';
+	| 'config_set' | 'notification' | 'oidc_provider' | 'ldap_config' | 'git_stack';
 
 export interface AuditLogData {
 	id: number;
@@ -4617,18 +4580,6 @@ export async function setStackEnvVars(
 	}
 }
 
-/**
- * Get the set of secret key names for a stack.
- * Used to mask secret values in container inspect responses.
- */
-export async function getSecretKeyNames(
-	stackName: string,
-	environmentId?: number | null
-): Promise<Set<string>> {
-	const vars = await getStackEnvVars(stackName, environmentId, true);
-	return new Set(vars.filter(v => v.isSecret).map(v => v.key));
-}
-
 /**
  * Get count of environment variables for a stack.
  * @param stackName - Name of the stack

src/lib/server/db/drizzle.ts

@@ -335,8 +335,7 @@ const REQUIRED_TABLES = [
 	'audit_logs',
 	'container_events',
 	'schedule_executions',
-	'user_preferences',
-	'api_tokens'
+	'user_preferences'
 ];
 
 /**
@@ -769,7 +768,7 @@ async function seedDatabase(): Promise<void> {
 		license: ['manage'],
 		audit_logs: ['view'],
 		activity: ['view'],
-		schedules: ['view', 'edit', 'run']
+		schedules: ['view']
 	});
 
 	const operatorPermissions = JSON.stringify({
@@ -788,7 +787,7 @@ async function seedDatabase(): Promise<void> {
 		license: [],
 		audit_logs: [],
 		activity: ['view'],
-		schedules: ['view', 'edit', 'run']
+		schedules: ['view']
 	});
 
 	const viewerPermissions = JSON.stringify({
@@ -899,7 +898,6 @@ export const userPreferences = schemaProxy.userPreferences;
 export const scheduleExecutions = schemaProxy.scheduleExecutions;
 export const stackEnvironmentVariables = schemaProxy.stackEnvironmentVariables;
 export const pendingContainerUpdates = schemaProxy.pendingContainerUpdates;
-export const apiTokens = schemaProxy.apiTokens;
 
 // Re-export types from SQLite schema (they're compatible with PostgreSQL)
 export type {
@@ -958,9 +956,7 @@ export type {
 	StackEnvironmentVariable,
 	NewStackEnvironmentVariable,
 	PendingContainerUpdate,
-	NewPendingContainerUpdate,
-	ApiToken,
-	NewApiToken
+	NewPendingContainerUpdate
 } from './schema/index.js';
 
 export { eq, and, or, desc, asc, like, sql, inArray, isNull, isNotNull } from 'drizzle-orm';

src/lib/server/db/schema/index.ts

@@ -467,25 +467,6 @@ export const pendingContainerUpdates = sqliteTable('pending_container_updates',
 	envContainerUnique: unique().on(table.environmentId, table.containerId)
 }));
 
-// =============================================================================
-// API TOKENS TABLE
-// =============================================================================
-
-export const apiTokens = sqliteTable('api_tokens', {
-	id: integer('id').primaryKey({ autoIncrement: true }),
-	userId: integer('user_id').notNull().references(() => users.id, { onDelete: 'cascade' }),
-	name: text('name').notNull(),
-	tokenHash: text('token_hash').notNull().unique(),
-	tokenPrefix: text('token_prefix').notNull(),
-	lastUsed: text('last_used'),
-	expiresAt: text('expires_at'),
-	createdAt: text('created_at').default(sql`CURRENT_TIMESTAMP`),
-	updatedAt: text('updated_at').default(sql`CURRENT_TIMESTAMP`)
-}, (table) => ({
-	userIdIdx: index('api_tokens_user_id_idx').on(table.userId),
-	tokenPrefixIdx: index('api_tokens_token_prefix_idx').on(table.tokenPrefix)
-}));
-
 // =============================================================================
 // USER PREFERENCES TABLE (unified key-value store)
 // =============================================================================
@@ -589,6 +570,3 @@ export type NewStackEnvironmentVariable = typeof stackEnvironmentVariables.$infe
 
 export type PendingContainerUpdate = typeof pendingContainerUpdates.$inferSelect;
 export type NewPendingContainerUpdate = typeof pendingContainerUpdates.$inferInsert;
-
-export type ApiToken = typeof apiTokens.$inferSelect;
-export type NewApiToken = typeof apiTokens.$inferInsert;

src/lib/server/db/schema/pg-schema.ts

@@ -470,25 +470,6 @@ export const pendingContainerUpdates = pgTable('pending_container_updates', {
 	envContainerUnique: unique().on(table.environmentId, table.containerId)
 }));
 
-// =============================================================================
-// API TOKENS TABLE
-// =============================================================================
-
-export const apiTokens = pgTable('api_tokens', {
-	id: serial('id').primaryKey(),
-	userId: integer('user_id').notNull().references(() => users.id, { onDelete: 'cascade' }),
-	name: text('name').notNull(),
-	tokenHash: text('token_hash').notNull().unique(),
-	tokenPrefix: text('token_prefix').notNull(),
-	lastUsed: timestamp('last_used', { mode: 'string' }),
-	expiresAt: timestamp('expires_at', { mode: 'string' }),
-	createdAt: timestamp('created_at', { mode: 'string' }).defaultNow(),
-	updatedAt: timestamp('updated_at', { mode: 'string' }).defaultNow()
-}, (table) => ({
-	userIdIdx: index('api_tokens_user_id_idx').on(table.userId),
-	tokenPrefixIdx: index('api_tokens_token_prefix_idx').on(table.tokenPrefix)
-}));
-
 // =============================================================================
 // USER PREFERENCES TABLE (unified key-value store)
 // =============================================================================

src/lib/server/docker.ts

@@ -415,8 +415,7 @@ export function httpsAgentRequest(
 		if (!streaming) {
 			const isComposeOperation = path === '/_hawser/compose';
 			const composeTimeoutMs = parseInt(process.env.COMPOSE_TIMEOUT || '900') * 1000;
-			const isPrune = path.endsWith('/prune');
-			reqOptions.timeout = isComposeOperation ? composeTimeoutMs : isPrune ? 300000 : 30000;
+			reqOptions.timeout = isComposeOperation ? composeTimeoutMs : 30000;
 		}
 
 		// Honor AbortSignal from caller (e.g., AbortSignal.timeout(5000) for ping)
@@ -885,7 +884,7 @@ export async function dockerFetch(
 				body,
 				headers,
 				streaming || false,
-				(streaming || path === '/_hawser/compose' || path.endsWith('/prune')) ? 300000 : 30000, // 5 min for streaming/compose/prune, 30s for normal
+				(streaming || path === '/_hawser/compose') ? 300000 : 30000, // 5 min for streaming/compose, 30s for normal
 				isBinary,
 				fetchOptions.signal ?? undefined
 			);
@@ -961,8 +960,7 @@ export async function dockerFetch(
 		if (!streaming && !finalOptions.signal) {
 			const isComposeOperation = path === '/_hawser/compose';
 			const composeTimeoutMs = parseInt(process.env.COMPOSE_TIMEOUT || '900') * 1000;
-			const isPrune = path.endsWith('/prune');
-			finalOptions.signal = AbortSignal.timeout(isComposeOperation ? composeTimeoutMs : isPrune ? 300000 : 30000);
+			finalOptions.signal = AbortSignal.timeout(isComposeOperation ? composeTimeoutMs : 30000);
 		}
 
 		try {
@@ -1227,9 +1225,9 @@ export interface DeviceRequest {
 export interface CreateContainerOptions {
 	name: string;
 	image: string;
-	ports?: { [key: string]: { HostIp?: string; HostPort: string } } | null;
+	ports?: { [key: string]: { HostIp?: string; HostPort: string } };
 	volumes?: { [key: string]: {} };
-	volumeBinds?: string[] | null;
+	volumeBinds?: string[];
 	env?: string[];
 	labels?: { [key: string]: string };
 	cmd?: string[];
@@ -1249,7 +1247,7 @@ export interface CreateContainerOptions {
 	networkGwPriority?: number;
 	user?: string | null;
 	privileged?: boolean;
-	healthcheck?: HealthcheckConfig | null;
+	healthcheck?: HealthcheckConfig;
 	memory?: number;
 	memoryReservation?: number;
 	memorySwap?: number;
@@ -1340,10 +1338,7 @@ export async function createContainer(options: CreateContainerOptions, envId?: n
 		containerConfig.User = options.user ?? '';
 	}
 
-	if (options.healthcheck === null) {
-		// Explicitly disable healthcheck (user cleared it)
-		containerConfig.Healthcheck = { Test: ["NONE"] };
-	} else if (options.healthcheck) {
+	if (options.healthcheck) {
 		containerConfig.Healthcheck = {};
 		if (options.healthcheck.test && options.healthcheck.test.length > 0) {
 			containerConfig.Healthcheck.Test = options.healthcheck.test;
@@ -1362,11 +1357,7 @@ export async function createContainer(options: CreateContainerOptions, envId?: n
 		}
 	}
 
-	if (options.ports === null) {
-		// Explicitly clear ports (user removed all mappings)
-		containerConfig.ExposedPorts = {};
-		containerConfig.HostConfig.PortBindings = {};
-	} else if (options.ports) {
+	if (options.ports) {
 		containerConfig.ExposedPorts = {};
 		containerConfig.HostConfig.PortBindings = {};
 
@@ -1376,10 +1367,7 @@ export async function createContainer(options: CreateContainerOptions, envId?: n
 		}
 	}
 
-	if (options.volumeBinds === null) {
-		// Explicitly clear volume binds (user removed all)
-		containerConfig.HostConfig.Binds = [];
-	} else if (options.volumeBinds && options.volumeBinds.length > 0) {
+	if (options.volumeBinds && options.volumeBinds.length > 0) {
 		containerConfig.HostConfig.Binds = options.volumeBinds;
 	}
 
@@ -2405,7 +2393,7 @@ export async function updateContainer(id: string, options: Partial<CreateContain
 	}
 
 	// 5. Start if needed
-	if (startAfterUpdate) {
+	if (startAfterUpdate || wasRunning) {
 		try {
 			await newContainer.start();
 		} catch (startError) {
@@ -2637,9 +2625,7 @@ function parseImageReference(imageName: string): { registry: string; repo: strin
  *   'ghcr.io' -> { host: 'ghcr.io', path: '', fullRegistry: 'ghcr.io' }
  *   'registry.example.com:5000/myorg' -> { host: 'registry.example.com:5000', path: '/myorg', fullRegistry: 'registry.example.com:5000/myorg' }
  */
-export function parseRegistryUrl(url: string): { host: string; path: string; fullRegistry: string; protocol: string } {
-	// Detect protocol (default to https)
-	const protocol = url.startsWith('http://') ? 'http' : 'https';
+export function parseRegistryUrl(url: string): { host: string; path: string; fullRegistry: string } {
 	// Remove protocol
 	const withoutProtocol = url.replace(/^https?:\/\//, '');
 	// Remove trailing slash
@@ -2647,11 +2633,11 @@ export function parseRegistryUrl(url: string): { host: string; path: string; ful
 	// Split on first slash (after port if present)
 	const slashIndex = trimmed.indexOf('/');
 	if (slashIndex === -1) {
-		return { host: trimmed, path: '', fullRegistry: trimmed, protocol };
+		return { host: trimmed, path: '', fullRegistry: trimmed };
 	}
 	const host = trimmed.substring(0, slashIndex);
 	const path = trimmed.substring(slashIndex); // includes leading /
-	return { host, path, fullRegistry: trimmed, protocol };
+	return { host, path, fullRegistry: trimmed };
 }
 
 /**
@@ -2836,7 +2822,7 @@ export async function getRegistryAuthHeader(
 	try {
 		// Parse URL to extract host (V2 API is always at the host root)
 		const parsed = parseRegistryUrl(registryUrl);
-		const apiBaseUrl = `${parsed.protocol}://${parsed.host}`;
+		const apiBaseUrl = `https://${parsed.host}`;
 
 		// Step 1: Challenge request to /v2/ (always at registry root, not under org path)
 		const challengeResponse = await fetch(`${apiBaseUrl}/v2/`, {
@@ -2945,7 +2931,7 @@ export async function getRegistryAuth(
 	const parsed = parseRegistryUrl(registry.url);
 
 	// V2 API endpoints are always at the registry host root
-	const baseUrl = `${parsed.protocol}://${parsed.host}`;
+	const baseUrl = `https://${parsed.host}`;
 
 	// Get auth header using proper token flow
 	const credentials = registry.username && registry.password

src/lib/server/notifications.ts

@@ -277,13 +277,13 @@ async function sendMattermost(appriseUrl: string, payload: NotificationPayload):
 
 // Telegram
 async function sendTelegram(appriseUrl: string, payload: NotificationPayload): Promise<NotificationResult> {
-	// tgram://bot_token/chat_id:topic_id?
-	const match = appriseUrl.match(/^tgram:\/\/([^/]+)\/([^:\/]+)(?::(\d+))?$/);
+	// tgram://bot_token/chat_id
+	const match = appriseUrl.match(/^tgram:\/\/([^/]+)\/(.+)/);
 	if (!match) {
-		return { success: false, error: 'Invalid Telegram URL format. Expected: tgram://bot_token/chat_id or tgram://bot_token/chat_id:topic_id' };
+		return { success: false, error: 'Invalid Telegram URL format. Expected: tgram://bot_token/chat_id' };
 	}
 
-	const [, botToken, chatId, topicIdStr] = match;
+	const [, botToken, chatId] = match;
 	const url = `https://api.telegram.org/bot${botToken}/sendMessage`;
 
 	// Escape markdown special characters in title and message
@@ -291,8 +291,6 @@ async function sendTelegram(appriseUrl: string, payload: NotificationPayload): P
 	const escapedMessage = escapeTelegramMarkdown(payload.message);
 	const envTag = payload.environmentName ? ` \\[${escapeTelegramMarkdown(payload.environmentName)}\\]` : '';
 
-	const topicId = topicIdStr ? parseInt(topicIdStr, 10) : undefined;
-
 	try {
 		const response = await fetch(url, {
 			method: 'POST',
@@ -300,7 +298,6 @@ async function sendTelegram(appriseUrl: string, payload: NotificationPayload): P
 			body: JSON.stringify({
 				chat_id: chatId,
 				text: `*${escapedTitle}*${envTag}\n${escapedMessage}`,
-				...(topicId ? { message_thread_id: topicId } : {}),
 				parse_mode: 'Markdown'
 			})
 		});
@@ -334,14 +331,12 @@ async function sendGotify(appriseUrl: string, payload: NotificationPayload): Pro
 	const token = lastSlash >= 0 ? pathPart.substring(lastSlash + 1) : pathPart;
 	const url = `${protocol}://${hostname}${subpath ? '/' + subpath : ''}/message?token=${token}`;
 
-	const titleWithEnv = payload.environmentName ? `${payload.title} [${payload.environmentName}]` : payload.title;
-
 	try {
 		const response = await fetch(url, {
 			method: 'POST',
 			headers: { 'Content-Type': 'application/json' },
 			body: JSON.stringify({
-				title: titleWithEnv,
+				title: payload.title,
 				message: payload.message,
 				priority: payload.type === 'error' ? 8 : payload.type === 'warning' ? 5 : 2
 			})
@@ -397,9 +392,8 @@ async function sendNtfy(appriseUrl: string, payload: NotificationPayload): Promi
 		url = `https://ntfy.sh/${path}`;
 	}
 
-	const titleWithEnv = payload.environmentName ? `${payload.title} [${payload.environmentName}]` : payload.title;
 	const headers: Record<string, string> = {
-		'Title': titleWithEnv,
+		'Title': payload.title,
 		'Priority': payload.type === 'error' ? '5' : payload.type === 'warning' ? '4' : '3',
 		'Tags': payload.type || 'info'
 	};
@@ -436,7 +430,6 @@ async function sendPushover(appriseUrl: string, payload: NotificationPayload): P
 
 	const [, userKey, apiToken] = match;
 	const url = 'https://api.pushover.net/1/messages.json';
-	const titleWithEnv = payload.environmentName ? `${payload.title} [${payload.environmentName}]` : payload.title;
 
 	try {
 		const response = await fetch(url, {
@@ -445,7 +438,7 @@ async function sendPushover(appriseUrl: string, payload: NotificationPayload): P
 			body: JSON.stringify({
 				token: apiToken,
 				user: userKey,
-				title: titleWithEnv,
+				title: payload.title,
 				message: payload.message,
 				priority: payload.type === 'error' ? 1 : 0
 			})
@@ -475,7 +468,6 @@ async function sendGenericWebhook(appriseUrl: string, payload: NotificationPaylo
 				title: payload.title,
 				message: payload.message,
 				type: payload.type || 'info',
-				environment: payload.environmentName || null,
 				timestamp: new Date().toISOString()
 			})
 		});

src/lib/server/request-context.ts

@@ -1,23 +0,0 @@
-/**
- * Request-scoped context using AsyncLocalStorage.
- *
- * The hook sets the authenticated user (from cookie or Bearer token)
- * and wraps resolve() in requestContext.run(). Downstream code like
- * authorize() reads the pre-resolved user from here instead of
- * re-validating the session.
- */
-
-import { AsyncLocalStorage } from 'node:async_hooks';
-import type { AuthenticatedUser } from './auth';
-
-export interface RequestContext {
-	user: AuthenticatedUser | null;
-	authEnabled: boolean;
-	authMethod: 'cookie' | 'bearer' | 'none';
-}
-
-export const requestContext = new AsyncLocalStorage<RequestContext>();
-
-export function getRequestContext(): RequestContext | undefined {
-	return requestContext.getStore();
-}

src/lib/server/scheduler/tasks/image-prune.ts

@@ -124,7 +124,7 @@ export async function runImagePrune(
 		// Send success notification only when something was actually cleaned up
 		if (imagesRemoved > 0) {
 			await sendEventNotification('image_prune_success', {
-				title: `Image prune completed — ${env.name}`,
+				title: 'Image prune completed',
 				message: `${imagesRemoved} unused images removed, ${formatBytes(spaceReclaimed)} disk space reclaimed`,
 				type: 'success'
 			}, envId);
@@ -142,7 +142,7 @@ export async function runImagePrune(
 
 		// Send failure notification
 		await sendEventNotification('image_prune_failed', {
-			title: `Image prune failed — ${env.name}`,
+			title: 'Image prune failed',
 			message: `Failed to prune images: ${error.message}`,
 			type: 'error'
 		}, envId);

src/lib/server/stacks.ts

@@ -752,10 +752,9 @@ async function loginToRegistries(dockerHost?: string, logPrefix = '[Stack]', api
 		}
 
 		try {
-			// Extract registry host from URL (parseRegistryUrl handles bare hostnames like 'ghcr.io')
-			const { parseRegistryUrl } = await import('./docker.js');
-			const { host } = parseRegistryUrl(reg.url);
-			const registryHost = host;
+			// Extract registry host from URL
+			const url = new URL(reg.url);
+			const registryHost = url.host;
 
 			console.log(`${logPrefix} Logging into registry: ${registryHost}`);
 
@@ -1982,8 +1981,7 @@ export async function downStack(
 export async function removeStack(
 	stackName: string,
 	envId?: number | null,
-	force = false,
-	removeVolumes = false
+	force = false
 ): Promise<StackOperationResult> {
 	return withStackLock(stackName, async () => {
 		// Get compose file (may not exist for external stacks)
@@ -2001,7 +1999,6 @@ export async function removeStack(
 				{
 					stackName,
 					envId,
-					removeVolumes,
 					workingDir: composeResult.stackDir,
 					composePath: composeResult.composePath ?? undefined,
 					envPath: composeResult.envPath ?? undefined

src/lib/server/token-cache.ts

@@ -1,109 +0,0 @@
-/**
- * API Token Cache — LRU with TTL
- *
- * In-memory cache for validated API tokens. Without this, every Bearer
- * request would run Argon2id verification (~64MB RAM, ~100ms CPU per call).
- *
- * Cache key is SHA-256(fullToken) — safe to hold in memory (not reversible).
- * TTL is 60s by default, capped at the token's expiry time if sooner.
- *
- * Uses a bounded LRU (max 1024 entries) to cap memory usage. On overflow
- * the least-recently-used entry is evicted. Expired entries are also pruned
- * every 5 minutes.
- *
- * Separated from api-tokens.ts to avoid circular dependencies
- * (auth.ts ↔ api-tokens.ts).
- */
-
-export interface TokenCacheEntry {
-	user: { id: number; [key: string]: any };
-	expiresAt: number;
-}
-
-const MAX_CACHE_SIZE = 1024;
-
-/**
- * Simple LRU cache backed by a Map.
- * Map iteration order is insertion order, so we delete-and-re-set on every
- * access to move the entry to the "newest" position. The oldest entry
- * (Map.keys().next()) is evicted when the cache exceeds MAX_CACHE_SIZE.
- */
-class LruTokenCache {
-	private map = new Map<string, TokenCacheEntry>();
-
-	get(key: string): TokenCacheEntry | undefined {
-		const entry = this.map.get(key);
-		if (!entry) return undefined;
-		// Move to end (most-recently-used)
-		this.map.delete(key);
-		this.map.set(key, entry);
-		return entry;
-	}
-
-	set(key: string, entry: TokenCacheEntry): void {
-		// If key already exists, delete first so re-insert moves it to end
-		if (this.map.has(key)) {
-			this.map.delete(key);
-		}
-		this.map.set(key, entry);
-		// Evict oldest if over capacity
-		if (this.map.size > MAX_CACHE_SIZE) {
-			const oldest = this.map.keys().next().value!;
-			this.map.delete(oldest);
-		}
-	}
-
-	delete(key: string): void {
-		this.map.delete(key);
-	}
-
-	clear(): void {
-		this.map.clear();
-	}
-
-	entries(): IterableIterator<[string, TokenCacheEntry]> {
-		return this.map.entries();
-	}
-
-	get size(): number {
-		return this.map.size;
-	}
-}
-
-export const tokenCache = new LruTokenCache();
-
-/**
- * Invalidate all cached tokens for a specific user.
- * Call when user permissions change, roles are updated, or user is deleted/deactivated.
- */
-export function invalidateTokenCacheForUser(userId: number): void {
-	for (const [key, entry] of tokenCache.entries()) {
-		if (entry.user.id === userId) {
-			tokenCache.delete(key);
-		}
-	}
-}
-
-/**
- * Clear the entire token cache.
- * Called on revocation, role permission edits, and license state changes.
- */
-export function clearTokenCache(): void {
-	tokenCache.clear();
-}
-
-// Periodic cleanup every 5 minutes
-let cleanupInterval: ReturnType<typeof setInterval> | undefined;
-
-export function ensureCleanupInterval(): void {
-	if (cleanupInterval) return;
-	cleanupInterval = setInterval(() => {
-		const now = Date.now();
-		for (const [key, entry] of tokenCache.entries()) {
-			if (entry.expiresAt <= now) {
-				tokenCache.delete(key);
-			}
-		}
-	}, 5 * 60 * 1000);
-	if (cleanupInterval.unref) cleanupInterval.unref();
-}

src/lib/stores/settings.ts

@@ -349,10 +349,7 @@ function createSettingsStore() {
 			});
 		},
 		// Manual refresh from database
-		refresh: () => {
-			initialized = false;
-			return loadSettings();
-		}
+		refresh: loadSettings
 	};
 }
 

src/lib/utils/port-format.ts

@@ -1,64 +0,0 @@
-export interface PortMapping {
-	publicPort: number;
-	privatePort: number;
-	display: string;
-	isRange?: boolean;
-}
-
-interface PortInfo {
-	PublicPort?: number;
-	PrivatePort?: number;
-	publicPort?: number;
-	privatePort?: number;
-}
-
-/**
- * Format Docker port mappings, collapsing consecutive ranges.
- * Accepts both Docker API format (PublicPort/PrivatePort) and camelCase (publicPort/privatePort).
- * e.g. 8080:8080, 8081:8081, 8082:8082 → 8080-8082:8080-8082
- */
-export function formatPorts(ports: PortInfo[] | undefined | null): PortMapping[] {
-	if (!ports || ports.length === 0) return [];
-	const seen = new Set<string>();
-	const individual = ports
-		.filter(p => (p.PublicPort || p.publicPort))
-		.map(p => ({
-			publicPort: p.PublicPort || p.publicPort!,
-			privatePort: p.PrivatePort || p.privatePort!,
-			display: `${p.PublicPort || p.publicPort}:${p.PrivatePort || p.privatePort}`
-		}))
-		.filter(p => {
-			const key = p.display;
-			if (seen.has(key)) return false;
-			seen.add(key);
-			return true;
-		})
-		.sort((a, b) => a.publicPort - b.publicPort);
-
-	// Collapse consecutive port ranges
-	if (individual.length <= 1) return individual;
-
-	const result: PortMapping[] = [];
-	let rangeStart = individual[0];
-	let rangeEnd = individual[0];
-
-	for (let i = 1; i < individual.length; i++) {
-		const curr = individual[i];
-		const offset = curr.publicPort - rangeStart.publicPort;
-		const expectedPrivate = rangeStart.privatePort + offset;
-		if (curr.publicPort === rangeEnd.publicPort + 1 && curr.privatePort === expectedPrivate) {
-			rangeEnd = curr;
-		} else {
-			result.push(rangeStart.publicPort === rangeEnd.publicPort
-				? rangeStart
-				: { publicPort: rangeStart.publicPort, privatePort: rangeStart.privatePort, display: `${rangeStart.publicPort}-${rangeEnd.publicPort}:${rangeStart.privatePort}-${rangeEnd.privatePort}`, isRange: true });
-			rangeStart = curr;
-			rangeEnd = curr;
-		}
-	}
-	result.push(rangeStart.publicPort === rangeEnd.publicPort
-		? rangeStart
-		: { publicPort: rangeStart.publicPort, privatePort: rangeStart.privatePort, display: `${rangeStart.publicPort}-${rangeEnd.publicPort}:${rangeStart.privatePort}-${rangeEnd.privatePort}`, isRange: true });
-
-	return result;
-}

src/routes/api/auth/tokens/+server.ts

@@ -1,164 +0,0 @@
-import { json } from '@sveltejs/kit';
-import type { RequestHandler } from './$types';
-import { authorize } from '$lib/server/authorize';
-import { generateApiToken, listUserTokens } from '$lib/server/api-tokens';
-import { isAuthEnabled, verifyPassword } from '$lib/server/auth';
-import { getUser } from '$lib/server/db';
-import { audit } from '$lib/server/audit';
-import { getRequestContext } from '$lib/server/request-context';
-
-// Password confirmation rate limiting (per userId)
-const pwFailCounts = new Map<number, { count: number; firstFail: number }>();
-const pwCooldowns = new Map<number, number>();
-const PW_FAIL_WINDOW = 60_000; // 1-minute sliding window
-const PW_FAIL_MAX = 5; // max failures per window
-const PW_COOLDOWN = 5 * 60 * 1000; // 5-minute cooldown
-
-const MAX_TOKENS_PER_USER = 25;
-
-// Periodic cleanup
-setInterval(() => {
-	const now = Date.now();
-	for (const [id, until] of pwCooldowns) {
-		if (now > until) pwCooldowns.delete(id);
-	}
-	for (const [id, entry] of pwFailCounts) {
-		if (now - entry.firstFail > PW_FAIL_WINDOW) pwFailCounts.delete(id);
-	}
-}, PW_COOLDOWN).unref?.();
-
-function isPwRateLimited(userId: number): boolean {
-	const until = pwCooldowns.get(userId);
-	if (!until) return false;
-	if (Date.now() > until) {
-		pwCooldowns.delete(userId);
-		return false;
-	}
-	return true;
-}
-
-function recordPwFailure(userId: number): void {
-	const now = Date.now();
-	const entry = pwFailCounts.get(userId);
-	if (!entry || now - entry.firstFail > PW_FAIL_WINDOW) {
-		pwFailCounts.set(userId, { count: 1, firstFail: now });
-		return;
-	}
-	entry.count++;
-	if (entry.count >= PW_FAIL_MAX) {
-		pwCooldowns.set(userId, now + PW_COOLDOWN);
-		pwFailCounts.delete(userId);
-	}
-}
-
-/**
- * GET /api/auth/tokens - List the current user's API tokens
- */
-export const GET: RequestHandler = async ({ cookies }) => {
-	const authEnabled = await isAuthEnabled();
-	if (!authEnabled) {
-		return json({ error: 'Authentication is not enabled' }, { status: 400 });
-	}
-
-	const auth = await authorize(cookies);
-	if (!auth.isAuthenticated || !auth.user) {
-		return json({ error: 'Authentication required' }, { status: 401 });
-	}
-
-	const tokens = await listUserTokens(auth.user.id);
-	return json(tokens);
-};
-
-/**
- * POST /api/auth/tokens - Create a new API token
- */
-export const POST: RequestHandler = async (event) => {
-	const { cookies, request } = event;
-
-	const authEnabled = await isAuthEnabled();
-	if (!authEnabled) {
-		return json({ error: 'Authentication is not enabled' }, { status: 400 });
-	}
-
-	const auth = await authorize(cookies);
-	if (!auth.isAuthenticated || !auth.user) {
-		return json({ error: 'Authentication required' }, { status: 401 });
-	}
-
-	// Token creation requires a cookie session — a Bearer token cannot create new tokens
-	const reqCtx = getRequestContext();
-	if (reqCtx?.authMethod === 'bearer') {
-		return json({ error: 'Token creation requires a session login, not a Bearer token' }, { status: 403 });
-	}
-
-	let body: any;
-	try {
-		body = await request.json();
-	} catch {
-		return json({ error: 'Invalid request body' }, { status: 400 });
-	}
-	const { name, expiresAt, password } = body;
-
-	// Local users must confirm their password to create tokens
-	// SSO/OIDC and LDAP users skip this (they authenticated via their IdP)
-	if (auth.user.provider === 'local') {
-		if (isPwRateLimited(auth.user.id)) {
-			return json({ error: 'Too many failed password attempts. Try again later.' }, { status: 429 });
-		}
-		if (!password || typeof password !== 'string') {
-			return json({ error: 'Password is required to create an API token' }, { status: 400 });
-		}
-		const dbUser = await getUser(auth.user.id);
-		if (!dbUser) {
-			return json({ error: 'User not found' }, { status: 404 });
-		}
-		const valid = await verifyPassword(password, dbUser.passwordHash);
-		if (!valid) {
-			recordPwFailure(auth.user.id);
-			return json({ error: 'Invalid password' }, { status: 403 });
-		}
-	}
-
-	// L2: Per-user token count limit
-	const existingTokens = await listUserTokens(auth.user.id);
-	if (existingTokens.length >= MAX_TOKENS_PER_USER) {
-		return json({ error: `Maximum of ${MAX_TOKENS_PER_USER} API tokens per user` }, { status: 400 });
-	}
-
-	// Validate name
-	if (!name || typeof name !== 'string' || name.trim().length === 0) {
-		return json({ error: 'Token name is required' }, { status: 400 });
-	}
-	if (name.length > 255) {
-		return json({ error: 'Token name must be 255 characters or less' }, { status: 400 });
-	}
-
-	// Validate expiration
-	if (expiresAt) {
-		const expiryDate = new Date(expiresAt);
-		if (isNaN(expiryDate.getTime())) {
-			return json({ error: 'Invalid expiration date' }, { status: 400 });
-		}
-		if (expiryDate <= new Date()) {
-			return json({ error: 'Expiration date must be in the future' }, { status: 400 });
-		}
-	}
-
-	const result = await generateApiToken(
-		auth.user.id,
-		name.trim(),
-		expiresAt || null
-	);
-
-	await audit(event, 'create', 'api_token', {
-		entityId: String(result.id),
-		entityName: name.trim(),
-		description: `API token "${name.trim()}" created`
-	});
-
-	return json({
-		id: result.id,
-		token: result.token,
-		tokenPrefix: result.tokenPrefix
-	}, { status: 201, headers: { 'Cache-Control': 'no-store' } });
-};

src/routes/api/auth/tokens/[id]/+server.ts

@@ -1,47 +0,0 @@
-import { json } from '@sveltejs/kit';
-import type { RequestHandler } from './$types';
-import { authorize } from '$lib/server/authorize';
-import { revokeApiToken } from '$lib/server/api-tokens';
-import { isAuthEnabled } from '$lib/server/auth';
-import { getRequestContext } from '$lib/server/request-context';
-import { audit } from '$lib/server/audit';
-
-/**
- * DELETE /api/auth/tokens/[id] - Revoke an API token
- */
-export const DELETE: RequestHandler = async (event) => {
-	const { cookies, params } = event;
-
-	const authEnabled = await isAuthEnabled();
-	if (!authEnabled) {
-		return json({ error: 'Authentication is not enabled' }, { status: 400 });
-	}
-
-	// Bearer tokens cannot manage tokens (prevent leaked token from revoking others)
-	const reqCtx = getRequestContext();
-	if (reqCtx?.authMethod === 'bearer') {
-		return json({ error: 'Token management requires a cookie session' }, { status: 403 });
-	}
-
-	const auth = await authorize(cookies);
-	if (!auth.isAuthenticated || !auth.user) {
-		return json({ error: 'Authentication required' }, { status: 401 });
-	}
-
-	const tokenId = parseInt(params.id);
-	if (isNaN(tokenId)) {
-		return json({ error: 'Invalid token ID' }, { status: 400 });
-	}
-
-	const success = await revokeApiToken(tokenId, auth.user.id, auth.isAdmin);
-	if (!success) {
-		return json({ error: 'Token not found or access denied' }, { status: 404 });
-	}
-
-	await audit(event, 'delete', 'api_token', {
-		entityId: params.id,
-		description: `API token revoked`
-	});
-
-	return json({ success: true });
-};

src/routes/api/auto-update/[containerName]/+server.ts

@@ -7,7 +7,6 @@ import {
 	deleteAutoUpdateSchedule
 } from '$lib/server/db';
 import { registerSchedule, unregisterSchedule } from '$lib/server/scheduler';
-import { authorize } from '$lib/server/authorize';
 
 export const GET: RequestHandler = async ({ params, url }) => {
 	try {
@@ -39,12 +38,7 @@ export const GET: RequestHandler = async ({ params, url }) => {
 	}
 };
 
-export const POST: RequestHandler = async ({ params, url, request, cookies }) => {
-	const auth = await authorize(cookies);
-	if (auth.authEnabled && !await auth.can('schedules', 'edit')) {
-		return json({ error: 'Permission denied' }, { status: 403 });
-	}
-
+export const POST: RequestHandler = async ({ params, url, request }) => {
 	try {
 		const containerName = decodeURIComponent(params.containerName);
 		const envIdParam = url.searchParams.get('env');
@@ -107,12 +101,7 @@ export const POST: RequestHandler = async ({ params, url, request, cookies }) =>
 	}
 };
 
-export const DELETE: RequestHandler = async ({ params, url, cookies }) => {
-	const auth = await authorize(cookies);
-	if (auth.authEnabled && !await auth.can('schedules', 'edit')) {
-		return json({ error: 'Permission denied' }, { status: 403 });
-	}
-
+export const DELETE: RequestHandler = async ({ params, url }) => {
 	try {
 		const containerName = decodeURIComponent(params.containerName);
 		const envIdParam = url.searchParams.get('env');

src/routes/api/containers/[id]/+server.ts

@@ -4,7 +4,7 @@ import {
 	removeContainer,
 	getContainerLogs
 } from '$lib/server/docker';
-import { deleteAutoUpdateSchedule, getAutoUpdateSetting, getSecretKeyNames, removePendingContainerUpdate } from '$lib/server/db';
+import { deleteAutoUpdateSchedule, getAutoUpdateSetting, removePendingContainerUpdate } from '$lib/server/db';
 import { authorize } from '$lib/server/authorize';
 import { auditContainer } from '$lib/server/audit';
 import { unregisterSchedule } from '$lib/server/scheduler';
@@ -33,24 +33,6 @@ export const GET: RequestHandler = async ({ params, url, cookies }) => {
 	try {
 
 		const details = await inspectContainer(params.id, envIdNum);
-
-		// Mask secret env vars for containers belonging to a Compose stack
-		const stackName = details.Config?.Labels?.['com.docker.compose.project'];
-		if (stackName && Array.isArray(details.Config?.Env)) {
-			const secretKeys = await getSecretKeyNames(stackName, envIdNum);
-			if (secretKeys.size > 0) {
-				details.Config.Env = details.Config.Env.map((entry: string) => {
-					const eqIdx = entry.indexOf('=');
-					if (eqIdx === -1) return entry;
-					const key = entry.substring(0, eqIdx);
-					if (secretKeys.has(key)) {
-						return `${key}=***`;
-					}
-					return entry;
-				});
-			}
-		}
-
 		return json(details);
 	} catch (error: any) {
 		if (error?.statusCode === 404) {

src/routes/api/containers/[id]/inspect/+server.ts

@@ -1,7 +1,6 @@
 import { json } from '@sveltejs/kit';
 import type { RequestHandler } from './$types';
 import { inspectContainer } from '$lib/server/docker';
-import { getSecretKeyNames } from '$lib/server/db';
 import { authorize } from '$lib/server/authorize';
 import { validateDockerIdParam } from '$lib/server/docker-validation';
 
@@ -21,24 +20,6 @@ export const GET: RequestHandler = async ({ params, url, cookies }) => {
 
 	try {
 		const containerData = await inspectContainer(params.id, envIdNum);
-
-		// Mask secret env vars for containers belonging to a Compose stack
-		const stackName = containerData.Config?.Labels?.['com.docker.compose.project'];
-		if (stackName && Array.isArray(containerData.Config?.Env)) {
-			const secretKeys = await getSecretKeyNames(stackName, envIdNum);
-			if (secretKeys.size > 0) {
-				containerData.Config.Env = containerData.Config.Env.map((entry: string) => {
-					const eqIdx = entry.indexOf('=');
-					if (eqIdx === -1) return entry;
-					const key = entry.substring(0, eqIdx);
-					if (secretKeys.has(key)) {
-						return `${key}=***`;
-					}
-					return entry;
-				});
-			}
-		}
-
 		return json(containerData);
 	} catch (error) {
 		console.error('Failed to inspect container:', error);

src/routes/api/containers/[id]/update/+server.ts

@@ -1,5 +1,5 @@
 import { json } from '@sveltejs/kit';
-import { inspectContainer, pullImage, updateContainer, type CreateContainerOptions } from '$lib/server/docker';
+import { pullImage, updateContainer, type CreateContainerOptions } from '$lib/server/docker';
 import { authorize } from '$lib/server/authorize';
 import { auditContainer } from '$lib/server/audit';
 import { removePendingContainerUpdate } from '$lib/server/db';
@@ -25,29 +25,6 @@ export const POST: RequestHandler = async (event) => {
 		const body = await request.json();
 		const { startAfterUpdate, repullImage, ...options } = body;
 
-		// Resolve masked secret values (***) back to real values from the current container.
-		// The GET endpoint masks secrets in Config.Env, so the edit modal sends *** for unchanged secrets.
-		if (Array.isArray(options.env) && options.env.some((e: string) => e.endsWith('=***'))) {
-			const currentData = await inspectContainer(params.id, envIdNum);
-			const currentEnvMap = new Map<string, string>();
-			for (const entry of currentData.Config?.Env || []) {
-				const eqIdx = entry.indexOf('=');
-				if (eqIdx !== -1) {
-					currentEnvMap.set(entry.substring(0, eqIdx), entry.substring(eqIdx + 1));
-				}
-			}
-			options.env = options.env.map((entry: string) => {
-				const eqIdx = entry.indexOf('=');
-				if (eqIdx === -1) return entry;
-				const key = entry.substring(0, eqIdx);
-				const value = entry.substring(eqIdx + 1);
-				if (value === '***' && currentEnvMap.has(key)) {
-					return `${key}=${currentEnvMap.get(key)}`;
-				}
-				return entry;
-			});
-		}
-
 		if (repullImage) {
 			console.log(`Pulling image...`);
 			try {

src/routes/api/environments/+server.ts

@@ -3,7 +3,6 @@ import type { RequestHandler } from './$types';
 import { getEnvironments, getEnvironmentByName, createEnvironment, assignUserRole, getRoleByName, getEnvironmentPublicIps, setEnvironmentPublicIp, getEnvUpdateCheckSettings, getEnvironmentTimezone, getImagePruneSettings, type Environment } from '$lib/server/db';
 import { authorize } from '$lib/server/authorize';
 import { auditEnvironment } from '$lib/server/audit';
-import { invalidateTokenCacheForUser } from '$lib/server/api-tokens';
 import { refreshSubprocessEnvironments } from '$lib/server/subprocess-manager';
 import { serializeLabels, parseLabels, MAX_LABELS } from '$lib/utils/label-colors';
 import { cleanPem } from '$lib/utils/pem';
@@ -131,7 +130,6 @@ export const POST: RequestHandler = async (event) => {
 					const adminRole = await getRoleByName('Admin');
 					if (adminRole) {
 						await assignUserRole(user.id, adminRole.id, env.id);
-						invalidateTokenCacheForUser(user.id);
 					}
 				} catch (roleError) {
 					// Log but don't fail - environment was created successfully

src/routes/api/license/+server.ts

@@ -7,7 +7,6 @@ import {
 	getHostname
 } from '$lib/server/license';
 import { authorize } from '$lib/server/authorize';
-import { clearTokenCache } from '$lib/server/api-tokens';
 
 // GET /api/license - Get current license status
 // Any authenticated user can view license status (needed to determine if RBAC applies)
@@ -60,9 +59,6 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
 			);
 		}
 
-		// Permission model changes between free/enterprise — clear cached tokens
-		clearTokenCache();
-
 		return json({
 			success: true,
 			license: result.license
@@ -85,8 +81,6 @@ export const DELETE: RequestHandler = async ({ cookies }) => {
 
 	try {
 		await deactivateLicense();
-		// Permission model changes between free/enterprise — clear cached tokens
-		clearTokenCache();
 		return json({ success: true });
 	} catch (error) {
 		console.error('Error deactivating license:', error);

src/routes/api/profile/+server.ts

@@ -2,7 +2,6 @@ import { json } from '@sveltejs/kit';
 import type { RequestHandler } from '@sveltejs/kit';
 import { getUser, updateUser as dbUpdateUser, deleteUserSessions, userHasAdminRole } from '$lib/server/db';
 import { validateSession, hashPassword, isAuthEnabled } from '$lib/server/auth';
-import { invalidateTokenCacheForUser } from '$lib/server/api-tokens';
 
 // GET /api/profile - Get current user's profile
 export const GET: RequestHandler = async ({ cookies }) => {
@@ -86,9 +85,8 @@ export const PUT: RequestHandler = async ({ request, cookies }) => {
 			}
 
 			updateData.passwordHash = await hashPassword(data.newPassword);
-			// Invalidate other sessions and token cache on password change
-			await deleteUserSessions(currentUser.id);
-			invalidateTokenCacheForUser(currentUser.id);
+			// Invalidate other sessions on password change
+			deleteUserSessions(currentUser.id);
 		}
 
 		const user = await dbUpdateUser(currentUser.id, updateData);

src/routes/api/roles/[id]/+server.ts

@@ -8,7 +8,6 @@ import {
 import { authorize } from '$lib/server/authorize';
 import { auditRole } from '$lib/server/audit';
 import { computeAuditDiff } from '$lib/utils/diff';
-import { clearTokenCache } from '$lib/server/api-tokens';
 
 // GET /api/roles/[id] - Get a specific role
 export const GET: RequestHandler = async ({ params, cookies }) => {
@@ -76,9 +75,6 @@ export const PUT: RequestHandler = async (event) => {
 			return json({ error: 'Failed to update role' }, { status: 500 });
 		}
 
-		// Clear token cache — any cached user with this role has stale permissions
-		clearTokenCache();
-
 		// Compute diff for audit
 		const diff = computeAuditDiff(existingRole, role);
 
@@ -132,9 +128,6 @@ export const DELETE: RequestHandler = async (event) => {
 			return json({ error: 'Failed to delete role' }, { status: 500 });
 		}
 
-		// Clear token cache — users with this role may have stale cached permissions
-		clearTokenCache();
-
 		// Audit log
 		await auditRole(event, 'delete', id, role.name);
 

src/routes/api/schedules/[type]/[id]/+server.ts

@@ -13,14 +13,8 @@ import {
 	deleteImagePruneSettings
 } from '$lib/server/db';
 import { unregisterSchedule } from '$lib/server/scheduler';
-import { authorize } from '$lib/server/authorize';
-
-export const DELETE: RequestHandler = async ({ params, cookies }) => {
-	const auth = await authorize(cookies);
-	if (auth.authEnabled && !await auth.can('schedules', 'edit')) {
-		return json({ error: 'Permission denied' }, { status: 403 });
-	}
 
+export const DELETE: RequestHandler = async ({ params }) => {
 	try {
 		const { type, id } = params;
 		const scheduleId = parseInt(id, 10);

src/routes/api/schedules/[type]/[id]/run/+server.ts

@@ -11,14 +11,8 @@
 import { json } from '@sveltejs/kit';
 import type { RequestHandler } from './$types';
 import { triggerContainerUpdate, triggerGitStackSync, triggerSystemJob, triggerEnvUpdateCheck, triggerImagePrune } from '$lib/server/scheduler';
-import { authorize } from '$lib/server/authorize';
-
-export const POST: RequestHandler = async ({ params, cookies }) => {
-	const auth = await authorize(cookies);
-	if (auth.authEnabled && !await auth.can('schedules', 'run')) {
-		return json({ error: 'Permission denied' }, { status: 403 });
-	}
 
+export const POST: RequestHandler = async ({ params }) => {
 	try {
 		const { type, id } = params;
 		const scheduleId = parseInt(id, 10);

src/routes/api/schedules/[type]/[id]/toggle/+server.ts

@@ -7,14 +7,8 @@ import { json } from '@sveltejs/kit';
 import type { RequestHandler } from './$types';
 import { getAutoUpdateSettingById, updateAutoUpdateSettingById, getGitStack, updateGitStack, getEnvUpdateCheckSettings, setEnvUpdateCheckSettings, getImagePruneSettings, setImagePruneSettings } from '$lib/server/db';
 import { registerSchedule, unregisterSchedule } from '$lib/server/scheduler';
-import { authorize } from '$lib/server/authorize';
-
-export const POST: RequestHandler = async ({ params, cookies }) => {
-	const auth = await authorize(cookies);
-	if (auth.authEnabled && !await auth.can('schedules', 'edit')) {
-		return json({ error: 'Permission denied' }, { status: 403 });
-	}
 
+export const POST: RequestHandler = async ({ params }) => {
 	try {
 		const { type, id } = params;
 		const scheduleId = parseInt(id, 10);

src/routes/api/schedules/executions/[id]/+server.ts

@@ -8,7 +8,6 @@
 import { json } from '@sveltejs/kit';
 import type { RequestHandler } from './$types';
 import { getScheduleExecution, deleteScheduleExecution } from '$lib/server/db';
-import { authorize } from '$lib/server/authorize';
 
 export const GET: RequestHandler = async ({ params }) => {
 	try {
@@ -29,12 +28,7 @@ export const GET: RequestHandler = async ({ params }) => {
 	}
 };
 
-export const DELETE: RequestHandler = async ({ params, cookies }) => {
-	const auth = await authorize(cookies);
-	if (auth.authEnabled && !await auth.can('schedules', 'edit')) {
-		return json({ error: 'Permission denied' }, { status: 403 });
-	}
-
+export const DELETE: RequestHandler = async ({ params }) => {
 	try {
 		const id = parseInt(params.id, 10);
 		if (isNaN(id)) {

src/routes/api/stacks/+server.ts

@@ -144,13 +144,10 @@ export const POST: RequestHandler = async (event) => {
 		}
 
 		// ALWAYS save compose file first - deployStack expects it to exist
-		const saveResult = await saveStackComposeFile(name, compose, true, envIdNum, {
+		await saveStackComposeFile(name, compose, true, envIdNum, {
 			composePath: composePath || undefined,
 			envPath: envPath || undefined
 		});
-		if (!saveResult.success) {
-			return json({ error: saveResult.error }, { status: 400 });
-		}
 
 		// Save environment variables BEFORE deploying so they're available during start
 		if (rawEnvContent || (envVars && Array.isArray(envVars) && envVars.length > 0)) {

src/routes/api/stacks/[name]/+server.ts

@@ -9,7 +9,6 @@ export const DELETE: RequestHandler = async (event) => {
 	const auth = await authorize(cookies);
 
 	const force = url.searchParams.get('force') === 'true';
-	const volumes = url.searchParams.get('volumes') === 'true';
 	const envId = url.searchParams.get('env');
 	const envIdNum = envId ? parseInt(envId) : undefined;
 
@@ -25,10 +24,10 @@ export const DELETE: RequestHandler = async (event) => {
 
 	try {
 		const stackName = decodeURIComponent(params.name);
-		const result = await removeStack(stackName, envIdNum, force, volumes);
+		const result = await removeStack(stackName, envIdNum, force);
 
 		// Audit log
-		await auditStack(event, 'delete', stackName, envIdNum, { force, volumes });
+		await auditStack(event, 'delete', stackName, envIdNum, { force });
 
 		if (!result.success) {
 			return json({ success: false, error: result.error }, { status: 400 });

src/routes/api/users/+server.ts

@@ -11,7 +11,6 @@ import {
 } from '$lib/server/db';
 import { hashPassword, createUserSession } from '$lib/server/auth';
 import { authorize } from '$lib/server/authorize';
-import { invalidateTokenCacheForUser } from '$lib/server/api-tokens';
 import { auditUser } from '$lib/server/audit';
 
 // GET /api/users - List all users
@@ -109,7 +108,6 @@ export const POST: RequestHandler = async (event) => {
 			const adminRole = await getRoleByName('Admin');
 			if (adminRole) {
 				await assignUserRole(user.id, adminRole.id, null);
-				invalidateTokenCacheForUser(user.id);
 			}
 		}
 

src/routes/api/users/[id]/+server.ts

@@ -16,7 +16,6 @@ import { hashPassword } from '$lib/server/auth';
 import { authorize } from '$lib/server/authorize';
 import { auditUser } from '$lib/server/audit';
 import { computeAuditDiff } from '$lib/utils/diff';
-import { invalidateTokenCacheForUser } from '$lib/server/api-tokens';
 
 // GET /api/users/[id] - Get a specific user
 // Free for all - local users are needed for basic auth
@@ -126,7 +125,6 @@ export const PUT: RequestHandler = async (event) => {
 					if (isDeactivating) {
 						updateData.isActive = false;
 						await deleteUserSessions(userId);
-						invalidateTokenCacheForUser(userId);
 					}
 
 					// Disable authentication
@@ -144,7 +142,6 @@ export const PUT: RequestHandler = async (event) => {
 						if (adminRole) {
 							await removeUserRole(userId, adminRole.id, null);
 						}
-						invalidateTokenCacheForUser(userId);
 					}
 
 					return json({
@@ -173,10 +170,9 @@ export const PUT: RequestHandler = async (event) => {
 			}
 			if (data.isActive !== undefined) {
 				updateData.isActive = data.isActive;
-				// If deactivating, invalidate all sessions and token cache
+				// If deactivating, invalidate all sessions
 				if (!data.isActive) {
 					await deleteUserSessions(userId);
-					invalidateTokenCacheForUser(userId);
 				}
 			}
 		}
@@ -187,9 +183,8 @@ export const PUT: RequestHandler = async (event) => {
 				return json({ error: 'Password must be at least 8 characters' }, { status: 400 });
 			}
 			updateData.passwordHash = await hashPassword(data.password);
-			// Invalidate all sessions and token cache on password change
+			// Invalidate all sessions on password change (except current)
 			await deleteUserSessions(userId);
-			invalidateTokenCacheForUser(userId);
 		}
 
 		const user = await dbUpdateUser(userId, updateData);
@@ -203,10 +198,8 @@ export const PUT: RequestHandler = async (event) => {
 		if (adminRole) {
 			if (shouldPromote) {
 				await assignUserRole(userId, adminRole.id, null);
-				invalidateTokenCacheForUser(userId);
 			} else if (shouldDemote) {
 				await removeUserRole(userId, adminRole.id, null);
-				invalidateTokenCacheForUser(userId);
 			}
 		}
 
@@ -291,7 +284,6 @@ export const DELETE: RequestHandler = async (event) => {
 
 				// User confirmed - proceed with deletion and disable auth
 				await deleteUserSessions(id);
-				invalidateTokenCacheForUser(id);
 				const deleted = await dbDeleteUser(id);
 				if (!deleted) {
 					return json({ error: 'Failed to delete user' }, { status: 500 });
@@ -307,9 +299,8 @@ export const DELETE: RequestHandler = async (event) => {
 			}
 		}
 
-		// Delete all sessions and invalidate token cache
+		// Delete all sessions first
 		await deleteUserSessions(id);
-		invalidateTokenCacheForUser(id);
 
 		const deleted = await dbDeleteUser(id);
 		if (!deleted) {

src/routes/api/users/[id]/roles/+server.ts

@@ -10,7 +10,6 @@ import {
 	getRole
 } from '$lib/server/db';
 import { auditUser } from '$lib/server/audit';
-import { invalidateTokenCacheForUser } from '$lib/server/api-tokens';
 
 // GET /api/users/[id]/roles - Get roles assigned to a user
 export const GET: RequestHandler = async ({ params, cookies }) => {
@@ -70,7 +69,6 @@ export const POST: RequestHandler = async (event) => {
 		}
 
 		const userRole = await assignUserRole(userId, roleId, environmentId);
-		invalidateTokenCacheForUser(userId);
 
 		// Audit log - role assigned
 		const role = await getRole(roleId);
@@ -119,7 +117,6 @@ export const DELETE: RequestHandler = async (event) => {
 		if (!deleted) {
 			return json({ error: 'Role assignment not found' }, { status: 404 });
 		}
-		invalidateTokenCacheForUser(userId);
 
 		// Audit log - role removed
 		if (user) {

src/routes/containers/+page.svelte

@@ -1149,7 +1149,29 @@
 		}
 	}
 
-	import { formatPorts, type PortMapping } from '$lib/utils/port-format';
+	interface PortMapping {
+		publicPort: number;
+		privatePort: number;
+		display: string;
+	}
+
+	function formatPorts(ports: ContainerInfo['ports']): PortMapping[] {
+		if (!ports || ports.length === 0) return [];
+		const seen = new Set<string>();
+		return ports
+			.filter(p => p.PublicPort)
+			.map(p => ({
+				publicPort: p.PublicPort,
+				privatePort: p.PrivatePort,
+				display: `${p.PublicPort}:${p.PrivatePort}`
+			}))
+			.filter(p => {
+				const key = p.display;
+				if (seen.has(key)) return false;
+				seen.add(key);
+				return true;
+			});
+	}
 
 	function extractHostFromUrl(urlString: string): string | null {
 		if (!urlString) return null;
@@ -1801,7 +1823,7 @@
 								{@const memoryTooltip = stats.memoryCache > 0
 									? `${formatBytes(stats.memoryUsage)} / ${formatBytes(stats.memoryLimit)} (Total: ${formatBytes(stats.memoryRaw)} | Cache: ${formatBytes(stats.memoryCache)})`
 									: `${formatBytes(stats.memoryUsage)} / ${formatBytes(stats.memoryLimit)}`}
-								<span class="text-xs font-mono {stats.memoryPercent > 80 ? 'text-red-500' : stats.memoryPercent > 50 ? 'text-yellow-500' : 'text-muted-foreground'}" title={memoryTooltip}>{formatBytes(stats.memoryUsage)}<span class="text-muted-foreground/50">/{formatBytes(stats.memoryLimit, 0)}</span></span>
+								<span class="text-xs font-mono {stats.memoryPercent > 80 ? 'text-red-500' : stats.memoryPercent > 50 ? 'text-yellow-500' : 'text-muted-foreground'}" title={memoryTooltip}>{formatBytes(stats.memoryUsage)}</span>
 							{:else if container.state === 'running'}
 								<span class="text-xs text-muted-foreground/50">...</span>
 							{:else}
@@ -1861,7 +1883,7 @@
 							{@const remainingCount = ports.length - 1}
 							<div class="flex {compactPorts ? 'flex-nowrap' : 'flex-wrap'} gap-1">
 								{#each displayPorts as port}
-									{@const url = !port.isRange && currentEnvDetails ? getPortUrl(port.publicPort) : null}
+									{@const url = currentEnvDetails ? getPortUrl(port.publicPort) : null}
 									{#if url}
 										<a
 											href={url}

src/routes/containers/EditContainerModal.svelte

@@ -864,8 +864,6 @@
 						retries: healthcheckRetries,
 						startPeriod: healthcheckStartPeriod * 1e9
 					};
-				} else if (!healthcheckEnabled) {
-					healthcheck = null;
 				}
 
 				const devices = deviceMappings
@@ -904,8 +902,8 @@
 				const payload = {
 					name: name.trim(),
 					image: image.trim(),
-					ports: Object.keys(ports).length > 0 ? ports : null,
-					volumeBinds: volumeBinds.length > 0 ? volumeBinds : null,
+					ports: Object.keys(ports).length > 0 ? ports : undefined,
+					volumeBinds: volumeBinds.length > 0 ? volumeBinds : undefined,
 					env: env.length > 0 ? env : undefined,
 					labels: Object.keys(labelsObj).length > 0 ? labelsObj : undefined,
 					cmd,
@@ -1083,8 +1081,8 @@
 					bind:restartPolicy
 					bind:restartMaxRetries
 					bind:networkMode
-					bind:startAfterCreate={startAfterUpdate}
-					bind:repullImage
+					startAfterCreate={startAfterUpdate}
+					{repullImage}
 					bind:portMappings
 					bind:volumeMappings
 					bind:envVars

src/routes/images/ScanResultsView.svelte

@@ -241,8 +241,8 @@
 											{vuln.severity}
 										</Badge>
 									</td>
-									<td class="py-1 px-2 max-w-[300px]">
-										<code class="text-xs block truncate" title={vuln.package}>{vuln.package}</code>
+									<td class="py-1 px-2">
+										<code class="text-xs">{vuln.package}</code>
 									</td>
 									<td class="py-1 px-2">
 										<code class="text-xs text-muted-foreground">{vuln.version}</code>

src/routes/login/+page.svelte

@@ -9,7 +9,6 @@
 	import { Loader2, LogIn, Shield, AlertCircle, Network, User, KeyRound, TriangleAlert } from 'lucide-svelte';
 	import { authStore } from '$lib/stores/auth';
 	import { environments } from '$lib/stores/environment';
-	import { appSettings } from '$lib/stores/settings';
 	import * as Alert from '$lib/components/ui/alert';
 	import { themeStore, applyTheme } from '$lib/stores/theme';
 
@@ -115,8 +114,7 @@
 				return;
 			}
 
-			// Success - refresh settings and environments (they were fetched before auth) then redirect
-			await appSettings.refresh();
+			// Success - refresh environments (they were cleared during pre-login fetch) then redirect
 			await environments.refresh();
 			goto(redirectUrl);
 		} catch (e) {
@@ -291,7 +289,6 @@
 							<Label for="mfaToken">Authentication code</Label>
 							<Input
 								id="mfaToken"
-								name="totp"
 								type="text"
 								placeholder="Enter code"
 								bind:value={mfaToken}

src/routes/profile/+page.svelte

@@ -11,7 +11,6 @@
 		Shield,
 		ShieldCheck,
 		Key,
-		KeyRound,
 		RefreshCw,
 		Check,
 		Smartphone,
@@ -23,8 +22,7 @@
 		Camera,
 		Trash2,
 		TriangleAlert,
-		Palette,
-		Plus
+		Palette
 	} from 'lucide-svelte';
 	import { authStore } from '$lib/stores/auth';
 	import { formatDateTime } from '$lib/stores/settings';
@@ -34,9 +32,6 @@
 	import ChangePasswordModal from './ChangePasswordModal.svelte';
 	import MfaSetupModal from './MfaSetupModal.svelte';
 	import DisableMfaModal from './DisableMfaModal.svelte';
-	import ApiTokenModal from './ApiTokenModal.svelte';
-	import ConfirmPopover from '$lib/components/ConfirmPopover.svelte';
-	import * as Table from '$lib/components/ui/table';
 	import ThemeSelector from '$lib/components/ThemeSelector.svelte';
 	import { themeStore } from '$lib/stores/theme';
 	import PageHeader from '$lib/components/PageHeader.svelte';
@@ -78,49 +73,6 @@
 	let mfaError = $state('');
 	let showDisableMfaModal = $state(false);
 
-	// API tokens state
-	interface ApiToken {
-		id: number;
-		name: string;
-		tokenPrefix: string;
-		lastUsed: string | null;
-		expiresAt: string | null;
-		createdAt: string;
-	}
-	let apiTokens = $state<ApiToken[]>([]);
-	let showApiTokenModal = $state(false);
-	let tokensLoading = $state(false);
-
-	async function fetchApiTokens() {
-		tokensLoading = true;
-		try {
-			const response = await fetch('/api/auth/tokens');
-			if (response.ok) {
-				apiTokens = await response.json();
-			}
-		} catch {
-			// Silently fail - tokens section will show empty
-		} finally {
-			tokensLoading = false;
-		}
-	}
-
-	async function revokeToken(tokenId: number) {
-		try {
-			const response = await fetch(`/api/auth/tokens/${tokenId}`, { method: 'DELETE' });
-			if (response.ok) {
-				apiTokens = apiTokens.filter(t => t.id !== tokenId);
-			}
-		} catch {
-			// Ignore
-		}
-	}
-
-	function isTokenExpired(expiresAt: string | null): boolean {
-		if (!expiresAt) return false;
-		return new Date(expiresAt) < new Date();
-	}
-
 	// Avatar state
 	let showAvatarCropper = $state(false);
 	let avatarSaving = $state(false);
@@ -339,7 +291,6 @@
 			if (!profileFetched) {
 				profileFetched = true;
 				fetchProfile();
-				fetchApiTokens();
 			}
 		}
 	});
@@ -349,7 +300,7 @@
 	<title>Profile - Dockhand</title>
 </svelte:head>
 
-<div class="container mx-auto p-6">
+<div class="container mx-auto p-6 max-w-4xl">
 	<div class="flex items-center gap-3 mb-6">
 		<PageHeader icon={User} title="Profile" showConnection={false}>
 			<p class="text-muted-foreground text-sm">Manage your account settings</p>
@@ -379,9 +330,6 @@
 				</div>
 			{/if}
 
-			<!-- Row 1: Account info + Profile details -->
-			<div class="grid grid-cols-1 lg:grid-cols-2 gap-6">
-
 			<!-- Account info card -->
 			<Card.Root>
 				<Card.Header>
@@ -483,14 +431,14 @@
 			</Card.Root>
 
 			<!-- Profile details card -->
-			<Card.Root class="flex flex-col">
+			<Card.Root>
 				<Card.Header>
 					<Card.Title class="flex items-center gap-2">
 						<Mail class="w-5 h-5" />
 						Profile details
 					</Card.Title>
 				</Card.Header>
-				<Card.Content class="flex-1 flex flex-col space-y-4">
+				<Card.Content class="space-y-4">
 					{#if formError}
 						<Alert.Root variant="destructive">
 							<TriangleAlert class="h-4 w-4" />
@@ -498,7 +446,7 @@
 						</Alert.Root>
 					{/if}
 
-					<div class="space-y-4 flex-1">
+					<div class="grid grid-cols-2 gap-4">
 						<div class="space-y-2">
 							<Label>Display name</Label>
 							<Input
@@ -529,13 +477,8 @@
 				</Card.Content>
 			</Card.Root>
 
-			</div>
-
-			<!-- Row 2: Security + API tokens -->
-			<div class="grid grid-cols-1 lg:grid-cols-2 gap-6">
-
 			<!-- Security card -->
-			<Card.Root class="flex flex-col">
+			<Card.Root>
 				<Card.Header>
 					<Card.Title class="flex items-center gap-2">
 						<Shield class="w-5 h-5" />
@@ -639,81 +582,6 @@
 				</Card.Content>
 			</Card.Root>
 
-			<!-- API tokens card -->
-			<Card.Root>
-				<Card.Header>
-					<Card.Title class="flex items-center gap-2 justify-between">
-						<span class="flex items-center gap-2">
-							<KeyRound class="w-5 h-5" />
-							API tokens
-						</span>
-						<Button variant="outline" size="sm" onclick={() => showApiTokenModal = true}>
-							<Plus class="w-4 h-4 mr-1" />
-							Generate token
-						</Button>
-					</Card.Title>
-					<Card.Description>Create tokens for CI/CD pipelines and scripts</Card.Description>
-				</Card.Header>
-				<Card.Content>
-					{#if tokensLoading}
-						<p class="text-sm text-muted-foreground">Loading tokens...</p>
-					{:else if apiTokens.length === 0}
-						<p class="text-sm text-muted-foreground">No API tokens created yet.</p>
-					{:else}
-						<Table.Root>
-							<Table.Header>
-								<Table.Row>
-									<Table.Head>Name</Table.Head>
-									<Table.Head>Prefix</Table.Head>
-									<Table.Head>Last used</Table.Head>
-									<Table.Head>Expires</Table.Head>
-									<Table.Head class="w-[80px]"></Table.Head>
-								</Table.Row>
-							</Table.Header>
-							<Table.Body>
-								{#each apiTokens as token (token.id)}
-									<Table.Row class={isTokenExpired(token.expiresAt) ? 'opacity-50' : ''}>
-										<Table.Cell class="font-medium">{token.name}</Table.Cell>
-										<Table.Cell>
-											<code class="text-xs bg-muted px-1.5 py-0.5 rounded">dh_{token.tokenPrefix}...</code>
-										</Table.Cell>
-										<Table.Cell class="text-sm text-muted-foreground">
-											{token.lastUsed ? formatDateTime(token.lastUsed) : 'Never'}
-										</Table.Cell>
-										<Table.Cell class="text-sm">
-											{#if isTokenExpired(token.expiresAt)}
-												<Badge variant="destructive">Expired</Badge>
-											{:else if token.expiresAt}
-												{formatDateTime(token.expiresAt)}
-											{:else}
-												<span class="text-muted-foreground">Never</span>
-											{/if}
-										</Table.Cell>
-										<Table.Cell>
-											<ConfirmPopover
-												title="Revoke token"
-												description="This token will stop working immediately."
-												confirmText="Revoke"
-												onConfirm={() => revokeToken(token.id)}
-											>
-												<Button variant="ghost" size="sm" class="text-destructive hover:text-destructive">
-													<Trash2 class="w-4 h-4" />
-												</Button>
-											</ConfirmPopover>
-										</Table.Cell>
-									</Table.Row>
-								{/each}
-							</Table.Body>
-						</Table.Root>
-					{/if}
-				</Card.Content>
-			</Card.Root>
-
-			</div>
-
-			<!-- Row 3: Appearance (left-aligned with Security) -->
-			<div class="grid grid-cols-1 lg:grid-cols-2 gap-6">
-
 			<!-- Appearance card -->
 			<Card.Root>
 				<Card.Header>
@@ -727,8 +595,6 @@
 					<ThemeSelector userId={profile.id} />
 				</Card.Content>
 			</Card.Root>
-
-			</div>
 		</div>
 	{/if}
 </div>
@@ -759,13 +625,6 @@
 	/>
 {/if}
 
-<!-- API Token Modal -->
-<ApiTokenModal
-	bind:open={showApiTokenModal}
-	onCreated={fetchApiTokens}
-	provider={profile?.provider ?? 'local'}
-/>
-
 <!-- Avatar Cropper Modal -->
 <AvatarCropper
 	show={showAvatarCropper}

src/routes/profile/ApiTokenModal.svelte

@@ -1,237 +0,0 @@
-<script lang="ts">
-	import * as Dialog from '$lib/components/ui/dialog';
-	import { Button } from '$lib/components/ui/button';
-	import { Input } from '$lib/components/ui/input';
-	import { Label } from '$lib/components/ui/label';
-	import * as Select from '$lib/components/ui/select';
-	import * as Alert from '$lib/components/ui/alert';
-	import { KeyRound, Copy, Check, TriangleAlert } from 'lucide-svelte';
-
-	let {
-		open = $bindable(false),
-		onCreated,
-		provider = 'local'
-	}: {
-		open: boolean;
-		onCreated: () => void;
-		provider?: string;
-	} = $props();
-
-	let name = $state('');
-	let password = $state('');
-	let expirationOption = $state('none');
-	let customDate = $state('');
-	let creating = $state(false);
-	let error = $state('');
-
-	const isLocalUser = $derived(provider === 'local');
-
-	// After creation
-	let createdToken = $state('');
-	let copied = $state(false);
-
-	function reset() {
-		name = '';
-		password = '';
-		expirationOption = 'none';
-		customDate = '';
-		creating = false;
-		error = '';
-		createdToken = '';
-		copied = false;
-	}
-
-	function getExpiresAt(): string | null {
-		const now = new Date();
-		switch (expirationOption) {
-			case '30d':
-				return new Date(now.getTime() + 30 * 24 * 60 * 60 * 1000).toISOString();
-			case '90d':
-				return new Date(now.getTime() + 90 * 24 * 60 * 60 * 1000).toISOString();
-			case '1y':
-				return new Date(now.getTime() + 365 * 24 * 60 * 60 * 1000).toISOString();
-			case 'custom':
-				return customDate ? new Date(customDate + 'T23:59:59').toISOString() : null;
-			default:
-				return null;
-		}
-	}
-
-	async function createToken() {
-		if (!name.trim()) {
-			error = 'Token name is required';
-			return;
-		}
-		if (isLocalUser && !password) {
-			error = 'Password is required';
-			return;
-		}
-
-		creating = true;
-		error = '';
-
-		try {
-			const payload: Record<string, any> = {
-				name: name.trim(),
-				expiresAt: getExpiresAt()
-			};
-			if (isLocalUser) {
-				payload.password = password;
-			}
-
-			const response = await fetch('/api/auth/tokens', {
-				method: 'POST',
-				headers: { 'Content-Type': 'application/json' },
-				body: JSON.stringify(payload)
-			});
-
-			if (response.ok) {
-				const data = await response.json();
-				createdToken = data.token;
-			} else {
-				const data = await response.json();
-				error = data.error || 'Failed to create token';
-			}
-		} catch {
-			error = 'Failed to create token';
-		} finally {
-			creating = false;
-		}
-	}
-
-	async function copyToken() {
-		try {
-			await navigator.clipboard.writeText(createdToken);
-			copied = true;
-			setTimeout(() => copied = false, 2000);
-		} catch {
-			// Fallback: select the input text
-		}
-	}
-
-	function handleClose() {
-		if (createdToken) {
-			onCreated();
-		}
-		open = false;
-		// Reset after animation
-		setTimeout(reset, 200);
-	}
-
-	// Get minimum date for custom picker (tomorrow)
-	const minDate = $derived(() => {
-		const tomorrow = new Date();
-		tomorrow.setDate(tomorrow.getDate() + 1);
-		return tomorrow.toISOString().split('T')[0];
-	});
-</script>
-
-<Dialog.Root bind:open onOpenChange={(v) => { if (!v) handleClose(); }}>
-	<Dialog.Content class="max-w-md">
-		<Dialog.Header>
-			<Dialog.Title class="flex items-center gap-2">
-				<KeyRound class="w-5 h-5" />
-				{createdToken ? 'Token created' : 'Generate API token'}
-			</Dialog.Title>
-		</Dialog.Header>
-
-		{#if createdToken}
-			<!-- Token created - show it once -->
-			<div class="space-y-4">
-				<Alert.Root variant="destructive">
-					<TriangleAlert class="h-4 w-4" />
-					<Alert.Description>
-						Copy this token now. It will not be shown again.
-					</Alert.Description>
-				</Alert.Root>
-
-				<div class="flex gap-2">
-					<Input
-						value={createdToken}
-						readonly
-						class="font-mono text-xs"
-					/>
-					<Button variant="outline" size="icon" onclick={copyToken}>
-						{#if copied}
-							<Check class="w-4 h-4 text-green-500" />
-						{:else}
-							<Copy class="w-4 h-4" />
-						{/if}
-					</Button>
-				</div>
-
-				<div class="flex justify-end">
-					<Button onclick={handleClose}>Done</Button>
-				</div>
-			</div>
-		{:else}
-			<!-- Token creation form -->
-			<div class="space-y-4">
-				<div class="space-y-2">
-					<Label for="token-name">Name</Label>
-					<Input
-						id="token-name"
-						bind:value={name}
-						placeholder="e.g., CI/CD pipeline"
-						maxlength={255}
-					/>
-				</div>
-
-				{#if isLocalUser}
-					<div class="space-y-2">
-						<Label for="token-password">Password</Label>
-						<Input
-							id="token-password"
-							type="password"
-							bind:value={password}
-							placeholder="Confirm your password"
-						/>
-					</div>
-				{/if}
-
-				<div class="space-y-2">
-					<Label>Expiration</Label>
-					<Select.Root type="single" bind:value={expirationOption}>
-						<Select.Trigger class="w-full">
-							{#if expirationOption === 'none'}No expiration
-							{:else if expirationOption === '30d'}30 days
-							{:else if expirationOption === '90d'}90 days
-							{:else if expirationOption === '1y'}1 year
-							{:else if expirationOption === 'custom'}Custom date
-							{/if}
-						</Select.Trigger>
-						<Select.Content>
-							<Select.Item value="none">No expiration</Select.Item>
-							<Select.Item value="30d">30 days</Select.Item>
-							<Select.Item value="90d">90 days</Select.Item>
-							<Select.Item value="1y">1 year</Select.Item>
-							<Select.Item value="custom">Custom date</Select.Item>
-						</Select.Content>
-					</Select.Root>
-
-					{#if expirationOption === 'custom'}
-						<Input
-							type="date"
-							bind:value={customDate}
-							min={minDate()}
-						/>
-					{/if}
-				</div>
-
-				{#if error}
-					<Alert.Root variant="destructive">
-						<TriangleAlert class="h-4 w-4" />
-						<Alert.Description>{error}</Alert.Description>
-					</Alert.Root>
-				{/if}
-
-				<div class="flex justify-end gap-2">
-					<Button variant="outline" onclick={handleClose}>Cancel</Button>
-					<Button onclick={createToken} disabled={creating || !name.trim() || (isLocalUser && !password)}>
-						{creating ? 'Creating...' : 'Generate token'}
-					</Button>
-				</div>
-			</div>
-		{/if}
-	</Dialog.Content>
-</Dialog.Root>

src/routes/profile/MfaSetupModal.svelte

@@ -188,10 +188,8 @@
 					<Label>Verification code</Label>
 					<Input
 						bind:value={token}
-						name="totp"
 						placeholder="Enter 6-digit code"
 						maxlength={6}
-						autocomplete="one-time-code"
 					/>
 					<p class="text-xs text-muted-foreground">
 						Enter the code from your authenticator app to verify setup

src/routes/schedules/+page.svelte

@@ -41,17 +41,13 @@
 	import { DataGrid } from '$lib/components/data-grid';
 	import type { DataGridRowState } from '$lib/components/data-grid';
 	import { toast } from 'svelte-sonner';
-	import { formatDateTime, getTimeFormat, appSettings } from '$lib/stores/settings';
+	import { formatDateTime, appSettings } from '$lib/stores/settings';
 	import EnvironmentIcon from '$lib/components/EnvironmentIcon.svelte';
 	import ConfirmPopover from '$lib/components/ConfirmPopover.svelte';
 	import ScannerSeverityPills from '$lib/components/ScannerSeverityPills.svelte';
 	import VulnerabilityCriteriaBadge from '$lib/components/VulnerabilityCriteriaBadge.svelte';
 	import UpdateSummaryStats from '$lib/components/UpdateSummaryStats.svelte';
 	import ExecutionLogViewer from '$lib/components/ExecutionLogViewer.svelte';
-	import { canAccess } from '$lib/stores/auth';
-
-	const canEditSchedules = $derived($canAccess('schedules', 'edit'));
-	const canRunSchedules = $derived($canAccess('schedules', 'run'));
 	import { vulnerabilityCriteriaIcons, vulnerabilityCriteriaLabels } from '$lib/utils/update-steps';
 	import type { VulnerabilityCriteria } from '$lib/server/db';
 	import cronstrue from 'cronstrue';
@@ -187,7 +183,7 @@
 
 	// State
 	let schedules = $state<Schedule[]>([]);
-	let environments = $state<{ id: number; name: string; icon: string; timezone?: string }[]>([]);
+	let environments = $state<{ id: number; name: string; icon: string }[]>([]);
 	let loading = $state(true);
 	let refreshing = $state(false);
 	let searchQuery = $state('');
@@ -208,11 +204,6 @@
 	let selectedExecution = $state<ScheduleExecution | null>(null);
 	let loadingExecutionDetail = $state(false);
 	let logDarkMode = $state(true);
-	let selectedExecutionTimezone = $derived(
-		selectedExecution?.environmentId
-			? environments.find(e => e.id === selectedExecution!.environmentId)?.timezone
-			: undefined
-	);
 
 	function toggleLogTheme() {
 		logDarkMode = !logDarkMode;
@@ -745,21 +736,9 @@
 		}
 	}
 
-	function formatTimestamp(iso: string | null, tz?: string): string {
+	function formatTimestamp(iso: string | null): string {
 		if (!iso) return '-';
-		if (!tz) return formatDateTime(iso, true);
-		const d = new Date(iso);
-		if (isNaN(d.getTime())) return iso;
-		return new Intl.DateTimeFormat('en-GB', {
-			timeZone: tz,
-			year: 'numeric',
-			month: '2-digit',
-			day: '2-digit',
-			hour: '2-digit',
-			minute: '2-digit',
-			second: '2-digit',
-			hour12: getTimeFormat() === '12h'
-		}).format(d);
+		return formatDateTime(iso, true);
 	}
 
 	function formatDuration(ms: number | null): string {
@@ -1308,31 +1287,27 @@
 							<FileText class="w-3 h-3 text-muted-foreground hover:text-blue-500" />
 						</button>
 					{/if}
-					{#if canEditSchedules}
-						<button
-							type="button"
-							onclick={(e) => { e.stopPropagation(); toggleScheduleEnabled(schedule); }}
-							title={schedule.enabled ? 'Pause schedule' : 'Resume schedule'}
-							class="p-0.5 rounded hover:bg-muted transition-colors opacity-70 hover:opacity-100 cursor-pointer"
-						>
-							{#if schedule.enabled}
-								<Pause class="w-3 h-3 text-muted-foreground hover:text-amber-500" />
-							{:else}
-								<PlayCircle class="w-3 h-3 text-muted-foreground hover:text-green-500" />
-							{/if}
-						</button>
-					{/if}
-					{#if canRunSchedules}
-						<button
-							type="button"
-							onclick={(e) => { e.stopPropagation(); triggerSchedule(schedule); }}
-							title="Run now"
-							class="p-0.5 rounded hover:bg-muted transition-colors opacity-70 hover:opacity-100 cursor-pointer"
-						>
-							<Play class="w-3 h-3 text-muted-foreground hover:text-green-500" />
-						</button>
-					{/if}
-					{#if canEditSchedules && !schedule.isSystem}
+					<button
+						type="button"
+						onclick={(e) => { e.stopPropagation(); toggleScheduleEnabled(schedule); }}
+						title={schedule.enabled ? 'Pause schedule' : 'Resume schedule'}
+						class="p-0.5 rounded hover:bg-muted transition-colors opacity-70 hover:opacity-100 cursor-pointer"
+					>
+						{#if schedule.enabled}
+							<Pause class="w-3 h-3 text-muted-foreground hover:text-amber-500" />
+						{:else}
+							<PlayCircle class="w-3 h-3 text-muted-foreground hover:text-green-500" />
+						{/if}
+					</button>
+					<button
+						type="button"
+						onclick={(e) => { e.stopPropagation(); triggerSchedule(schedule); }}
+						title="Run now"
+						class="p-0.5 rounded hover:bg-muted transition-colors opacity-70 hover:opacity-100 cursor-pointer"
+					>
+						<Play class="w-3 h-3 text-muted-foreground hover:text-green-500" />
+					</button>
+					{#if !schedule.isSystem}
 						{@const scheduleKey = getScheduleKey(schedule)}
 						<ConfirmPopover
 							open={confirmDeleteId === scheduleKey}
@@ -1360,7 +1335,7 @@
 			<div class="p-4 pl-12 shadow-inner bg-muted isolate sticky left-0 max-w-[calc(100vw-18rem)]">
 				<div class="flex items-center justify-between mb-2">
 					<h4 class="text-xs font-medium">Execution history</h4>
-					{#if executions.length > 0 && canEditSchedules}
+					{#if executions.length > 0}
 						<button
 							type="button"
 							onclick={() => deleteAllExecutions(schedule)}
@@ -1437,16 +1412,14 @@
 												>
 													<FileText class="w-3 h-3 text-muted-foreground hover:text-blue-500" />
 												</button>
-												{#if canEditSchedules}
-													<button
-														type="button"
-														onclick={() => deleteExecution(schedule, exec.id)}
-														title="Delete execution"
-														class="p-0.5 rounded hover:bg-muted transition-colors opacity-70 hover:opacity-100 cursor-pointer"
-													>
-														<Trash2 class="w-3 h-3 text-muted-foreground hover:text-red-500" />
-													</button>
-												{/if}
+												<button
+													type="button"
+													onclick={() => deleteExecution(schedule, exec.id)}
+													title="Delete execution"
+													class="p-0.5 rounded hover:bg-muted transition-colors opacity-70 hover:opacity-100 cursor-pointer"
+												>
+													<Trash2 class="w-3 h-3 text-muted-foreground hover:text-red-500" />
+												</button>
 											</div>
 										</td>
 									</tr>
@@ -1518,7 +1491,7 @@
 			</Dialog.Title>
 			{#if selectedExecution}
 				<span class="text-xs text-muted-foreground shrink-0 pr-6 whitespace-nowrap inline-flex items-center gap-1">
-					{formatTimestamp(selectedExecution.triggeredAt, selectedExecutionTimezone)} · <Timer class="w-3 h-3 -mt-px" /> {formatDuration(selectedExecution.duration)}
+					{formatTimestamp(selectedExecution.triggeredAt)} · <Timer class="w-3 h-3 -mt-px" /> {formatDuration(selectedExecution.duration)}
 				</span>
 			{/if}
 		</Dialog.Header>
@@ -1655,7 +1628,6 @@
 					<ExecutionLogViewer
 						logs={selectedExecution.logs}
 						darkMode={logDarkMode}
-						timezone={selectedExecutionTimezone}
 						onToggleTheme={toggleLogTheme}
 					/>
 				</div>

src/routes/settings/auth/roles/RoleModal.svelte

@@ -135,9 +135,7 @@
 			{ key: 'view', label: 'View audit logs' }
 		],
 		schedules: [
-			{ key: 'view', label: 'View schedules' },
-			{ key: 'edit', label: 'Edit schedules' },
-			{ key: 'run', label: 'Run schedules' }
+			{ key: 'view', label: 'View schedules' }
 		]
 	};
 
@@ -244,7 +242,6 @@
 		disconnect: Unplug,
 		edit: Pencil,
 		test: Play,
-		run: Play,
 		manage: Settings
 	};
 

src/routes/settings/general/GeneralTab.svelte

@@ -94,15 +94,13 @@
 	}
 
 	function handleScheduleCleanupEnabledChange() {
-		const newState = !scheduleCleanupEnabled;
-		appSettings.setScheduleCleanupEnabled(newState);
-		toast.success(newState ? 'Schedule cleanup enabled' : 'Schedule cleanup disabled');
+		appSettings.setScheduleCleanupEnabled(!scheduleCleanupEnabled);
+		toast.success(scheduleCleanupEnabled ? 'Schedule cleanup disabled' : 'Schedule cleanup enabled');
 	}
 
 	function handleEventCleanupEnabledChange() {
-		const newState = !eventCleanupEnabled;
-		appSettings.setEventCleanupEnabled(newState);
-		toast.success(newState ? 'Event cleanup enabled' : 'Event cleanup disabled');
+		appSettings.setEventCleanupEnabled(!eventCleanupEnabled);
+		toast.success(eventCleanupEnabled ? 'Event cleanup disabled' : 'Event cleanup enabled');
 	}
 
 	function handleGrypeImageBlur(e: Event) {
@@ -201,9 +199,9 @@
 									<Label>Show stopped containers</Label>
 									<TogglePill
 										checked={showStoppedContainers}
-										onchange={(checked) => {
-											appSettings.setShowStoppedContainers(checked);
-											toast.success(checked ? 'Stopped containers shown' : 'Stopped containers hidden');
+										onchange={() => {
+											appSettings.setShowStoppedContainers(!showStoppedContainers);
+											toast.success(showStoppedContainers ? 'Stopped containers hidden' : 'Stopped containers shown');
 										}}
 										disabled={!$canAccess('settings', 'edit')}
 									/>
@@ -215,9 +213,9 @@
 									<Label>Highlight available updates</Label>
 									<TogglePill
 										checked={highlightUpdates}
-										onchange={(checked) => {
-											appSettings.setHighlightUpdates(checked);
-											toast.success(checked ? 'Update highlighting enabled' : 'Update highlighting disabled');
+										onchange={() => {
+											appSettings.setHighlightUpdates(!highlightUpdates);
+											toast.success(highlightUpdates ? 'Update highlighting disabled' : 'Update highlighting enabled');
 										}}
 										disabled={!$canAccess('settings', 'edit')}
 									/>
@@ -229,9 +227,9 @@
 									<Label>Compact port display</Label>
 									<TogglePill
 										checked={compactPorts}
-										onchange={(checked) => {
-											appSettings.setCompactPorts(checked);
-											toast.success(checked ? 'Compact port display enabled' : 'Showing all ports');
+										onchange={() => {
+											appSettings.setCompactPorts(!compactPorts);
+											toast.success(compactPorts ? 'Showing all ports' : 'Compact port display enabled');
 										}}
 										disabled={!$canAccess('settings', 'edit')}
 									/>
@@ -339,9 +337,9 @@
 							<Label>Confirm destructive actions</Label>
 							<TogglePill
 								checked={confirmDestructive}
-								onchange={(checked) => {
-									appSettings.setConfirmDestructive(checked);
-									toast.success(checked ? 'Confirmations enabled' : 'Confirmations disabled');
+								onchange={() => {
+									appSettings.setConfirmDestructive(!confirmDestructive);
+									toast.success(confirmDestructive ? 'Confirmations disabled' : 'Confirmations enabled');
 								}}
 								disabled={!$canAccess('settings', 'edit')}
 							/>
@@ -407,9 +405,9 @@
 									<Label>Format log timestamps</Label>
 									<TogglePill
 										checked={formatLogTimestamps}
-										onchange={(checked) => {
-											appSettings.setFormatLogTimestamps(checked);
-											toast.success(checked ? 'Log timestamp formatting enabled' : 'Log timestamp formatting disabled');
+										onchange={() => {
+											appSettings.setFormatLogTimestamps(!formatLogTimestamps);
+											toast.success(formatLogTimestamps ? 'Log timestamp formatting disabled' : 'Log timestamp formatting enabled');
 										}}
 										disabled={!$canAccess('settings', 'edit')}
 									/>

src/routes/settings/notifications/NotificationModal.svelte

@@ -420,7 +420,6 @@ discord://webhook_id/webhook_token
 slack://token_a/token_b/token_c
 mmost://hostname/webhook-token
 tgram://bot_token/chat_id
-tgram://bot_token/chat_id:topic_id
 ntfy://my-topic
 pushover://user_key/api_token
 jsons://hostname/webhook/path"

src/routes/stacks/+page.svelte

@@ -10,12 +10,10 @@
 	import { Badge } from '$lib/components/ui/badge';
 	import { Button } from '$lib/components/ui/button';
 	import { Input } from '$lib/components/ui/input';
-	import { Checkbox } from '$lib/components/ui/checkbox';
 	import * as Tooltip from '$lib/components/ui/tooltip';
 	import * as Popover from '$lib/components/ui/popover';
 	import MultiSelectFilter from '$lib/components/MultiSelectFilter.svelte';
 	import { Play, Square, Trash2, Plus, ArrowBigDown, Search, Pencil, ExternalLink, GitBranch, RefreshCw, Loader2, FileCode, FileText, FileOutput, Box, RotateCcw, ScrollText, Terminal, Eye, Network, HardDrive, Heart, HeartPulse, HeartOff, ChevronsUpDown, ChevronsDownUp, Rocket, AlertTriangle, X, Layers, Pause, CircleDashed, Skull, FolderOpen, Variable, Clock, RotateCw, Import, Ship, Cable, LayoutPanelLeft, Rows3, GripVertical } from 'lucide-svelte';
-	import { formatPorts } from '$lib/utils/port-format';
 	import ConfirmPopover from '$lib/components/ConfirmPopover.svelte';
 	import BatchOperationModal from '$lib/components/BatchOperationModal.svelte';
 	import type { ComposeStackInfo, ContainerStats } from '$lib/types';
@@ -262,7 +260,7 @@
 			if (stats) {
 				cpuPercent += stats.cpuPercent;
 				memoryUsage += stats.memoryUsage;
-				memoryLimit = Math.max(memoryLimit, stats.memoryLimit);
+				memoryLimit += stats.memoryLimit;
 				networkRx += stats.networkRx;
 				networkTx += stats.networkTx;
 				blockRead += stats.blockRead;
@@ -420,7 +418,6 @@
 	let confirmDeleteName = $state<string | null>(null);
 	let confirmStopName = $state<string | null>(null);
 	let confirmDownName = $state<string | null>(null);
-	let deleteVolumes = $state(false);
 
 	// Stack operation loading state
 	let stackActionLoading = $state<string | null>(null);
@@ -971,18 +968,15 @@
 
 	async function removeStack(name: string) {
 		operationError = null;
-		const withVolumes = deleteVolumes;
-		deleteVolumes = false;
 		try {
-			const params = `force=true${withVolumes ? '&volumes=true' : ''}`;
-			const response = await fetch(appendEnvParam(`/api/stacks/${encodeURIComponent(name)}?${params}`, envId), { method: 'DELETE' });
+			const response = await fetch(appendEnvParam(`/api/stacks/${encodeURIComponent(name)}?force=true`, envId), { method: 'DELETE' });
 			if (!response.ok) {
 				const data = await response.json();
 				const errorMsg = data.error || 'Failed to remove stack';
 				showErrorDialog(`Failed to remove ${name}`, errorMsg);
 				return;
 			}
-			toast.success(`Removed ${name}${withVolumes ? ' (volumes deleted)' : ''}`);
+			toast.success(`Removed ${name}`);
 			await fetchStacks();
 		} catch (error) {
 			console.error('Failed to remove stack:', error);
@@ -1511,7 +1505,7 @@
 						<button
 							type="button"
 							class="font-medium text-xs hover:text-primary hover:underline cursor-pointer text-left"
-							onclick={(e) => { e.stopPropagation(); editStack(stack.name); }}
+							onclick={() => editStack(stack.name)}
 						>
 							{stack.name}
 						</button>
@@ -1654,7 +1648,7 @@
 					{@const stats = getStackStats(stack)}
 					<div class="text-right">
 						{#if stats}
-							<span class="text-xs font-mono text-muted-foreground" title="{formatBytes(stats.memoryUsage)} / {formatBytes(stats.memoryLimit)}">{formatBytes(stats.memoryUsage)}<span class="text-muted-foreground/50">/{formatBytes(stats.memoryLimit, 0)}</span></span>
+							<span class="text-xs font-mono text-muted-foreground" title="{formatBytes(stats.memoryUsage)} / {formatBytes(stats.memoryLimit)}">{formatBytes(stats.memoryUsage)}</span>
 						{:else if stack.status === 'running' || stack.status === 'partial' || stack.status === 'restarting'}
 							<span class="text-xs text-muted-foreground/50">...</span>
 						{:else}
@@ -1759,7 +1753,7 @@
 								{#if source.sourceType === 'git' && source.gitStack}
 									<button
 										type="button"
-										onclick={(e) => { e.stopPropagation(); openGitModal(source.gitStack); }}
+										onclick={() => openGitModal(source.gitStack)}
 										title="Edit git stack"
 										class="p-1 rounded hover:bg-muted transition-colors opacity-70 hover:opacity-100 cursor-pointer"
 									>
@@ -1769,7 +1763,7 @@
 									<!-- Internal stacks (including those needing file location) -->
 									<button
 										type="button"
-										onclick={(e) => { e.stopPropagation(); editStack(stack.name); }}
+										onclick={() => editStack(stack.name)}
 										title="Edit"
 										class="p-1 rounded hover:bg-muted transition-colors opacity-70 hover:opacity-100 cursor-pointer"
 									>
@@ -1780,7 +1774,7 @@
 							{#if stack.containers && stack.containers.length > 0}
 								<button
 									type="button"
-									onclick={(e) => { e.stopPropagation(); viewStackLogs(stack); }}
+									onclick={() => viewStackLogs(stack)}
 									title="View logs"
 									class="p-1 rounded hover:bg-muted transition-colors opacity-70 hover:opacity-100 cursor-pointer"
 								>
@@ -1858,7 +1852,7 @@
 								{#if $canAccess('stacks', 'start')}
 									<button
 										type="button"
-										onclick={(e) => { e.stopPropagation(); startStack(stack.name); }}
+										onclick={() => startStack(stack.name)}
 										title="Start"
 										class="p-1 rounded hover:bg-muted transition-colors opacity-70 hover:opacity-100 cursor-pointer"
 									>
@@ -1890,14 +1884,8 @@
 								itemName={stack.name}
 								title="Remove"
 								onConfirm={() => removeStack(stack.name)}
-								onOpenChange={(open) => { confirmDeleteName = open ? stack.name : null; if (!open) deleteVolumes = false; }}
+								onOpenChange={(open) => confirmDeleteName = open ? stack.name : null}
 							>
-								{#snippet extraContent()}
-									<label class="flex items-center gap-1.5 cursor-pointer">
-										<Checkbox bind:checked={deleteVolumes} />
-										<span class="text-xs text-muted-foreground">Also delete volumes</span>
-									</label>
-								{/snippet}
 								{#snippet children({ open })}
 									<Trash2 class="w-3 h-3 {open ? 'text-destructive' : 'text-muted-foreground hover:text-destructive'}" />
 								{/snippet}
@@ -2015,11 +2003,11 @@
 										{/key}
 									{/if}
 									<div class="flex flex-wrap gap-1.5 mb-2 text-2xs">
-										<!-- Clickable ports with range collapsing -->
+										<!-- Clickable ports (dedupe by publicPort for IPv4/IPv6) -->
 										{#if container.ports.length > 0}
-											{@const mappedPorts = formatPorts(container.ports)}
-											{#each mappedPorts as port}
-												{@const url = !port.isRange ? getPortUrl(port.publicPort) : null}
+											{@const uniquePorts = container.ports.filter((p, i, arr) => p.publicPort && arr.findIndex(x => x.publicPort === p.publicPort) === i)}
+											{#each uniquePorts as port}
+												{@const url = getPortUrl(port.publicPort)}
 												{#if url}
 													<a
 														href={url}
@@ -2029,12 +2017,12 @@
 														class="inline-flex items-center gap-0.5 px-1.5 py-0.5 rounded bg-blue-100 text-blue-800 dark:bg-blue-900 dark:text-blue-200 hover:bg-blue-200 dark:hover:bg-blue-800 transition-colors"
 														title="Open {url} in new tab"
 													>
-														<code>{port.display}</code>
+														<code>:{port.publicPort}</code>
 														<ExternalLink class="w-2.5 h-2.5" />
 													</a>
 												{:else}
 													<span class="inline-flex items-center gap-0.5 px-1.5 py-0.5 rounded bg-blue-100 text-blue-800 dark:bg-blue-900 dark:text-blue-200">
-														<code>{port.display}</code>
+														<code>:{port.publicPort}</code>
 													</span>
 												{/if}
 											{/each}

src/routes/stacks/GitStackModal.svelte

@@ -4,7 +4,6 @@
 	import * as Dialog from '$lib/components/ui/dialog';
 	import * as Select from '$lib/components/ui/select';
 	import { Label } from '$lib/components/ui/label';
-	import { Badge } from '$lib/components/ui/badge';
 	import { Input } from '$lib/components/ui/input';
 	import { TogglePill } from '$lib/components/ui/toggle-pill';
 	import { Loader2, GitBranch, RefreshCw, Webhook, Rocket, RefreshCcw, Copy, Check, XCircle, FolderGit2, Github, Key, KeyRound, Lock, FileText, HelpCircle, GripVertical, X, Download, Hammer, ArrowDownToLine, Zap } from 'lucide-svelte';
@@ -749,19 +748,6 @@
 				{/if}
 			</div>
 
-			{#if gitStack && selectedRepo}
-				<div class="space-y-2">
-					<Label>Repository</Label>
-					<div class="flex items-center gap-2 text-xs text-muted-foreground bg-muted/50 rounded-md px-3 py-2">
-						<FolderGit2 class="w-3.5 h-3.5 shrink-0" />
-						<span class="truncate" title={selectedRepo.url}>{selectedRepo.url}</span>
-						{#if selectedRepo.branch}
-							<Badge variant="outline" class="text-2xs py-0 px-1.5 shrink-0">{selectedRepo.branch}</Badge>
-						{/if}
-					</div>
-				</div>
-			{/if}
-
 			<div class="space-y-2">
 				<Label for="compose-path">Compose file path</Label>
 				<Input id="compose-path" bind:value={formComposePath} placeholder="compose.yaml" />

src/routes/stacks/StackModal.svelte

@@ -867,9 +867,6 @@ services:
 		if (!newStackName.trim()) {
 			errors.stackName = 'Stack name is required';
 			hasErrors = true;
-		} else if (!/^[a-z0-9][a-z0-9_-]*$/.test(newStackName.trim())) {
-			errors.stackName = 'Must be lowercase, start with a letter or number, and only contain letters, numbers, hyphens, and underscores';
-			hasErrors = true;
 		}
 
 		const content = composeContent || defaultCompose;
@@ -906,7 +903,6 @@ services:
 		// Prepare env vars for creating - syncs variables and rawContent
 		const prepared = envVarsPanelRef?.prepareForSave() || { rawContent: '', variables: [] };
 
-		let response: Response | undefined;
 		try {
 			// Build request body
 			const requestBody: Record<string, unknown> = {
@@ -934,7 +930,7 @@ services:
 			}
 
 			// Create the stack
-			response = await fetch(appendEnvParam('/api/stacks', envId), {
+			const response = await fetch(appendEnvParam('/api/stacks', envId), {
 				method: 'POST',
 				headers: { 'Content-Type': 'application/json' },
 				body: JSON.stringify(requestBody)
@@ -959,10 +955,9 @@ services:
 				message: e.message || 'An error occurred while creating the stack',
 				details: e.details
 			};
-			// Only transition to edit mode if the stack was actually persisted (response was ok
-			// but deploy failed). A 400 from validation means nothing was saved — stay in create
-			// mode so the name field remains visible and the user can fix the error.
-			if (start && response?.ok) {
+			// If start=true, files were saved and stack is in DB — transition to edit mode
+			// so the user can fix and redeploy without leaving the modal
+			if (start) {
 				mode = 'edit';
 				stackName = newStackName.trim();
 				onSuccess(); // refresh stack list so the new stack appears