diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 0000000..1d473b7
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1,3 @@
+buy_me_a_coffee:
+  displayName: "Buy Me a Coffee"
+  account: dockhand
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f32e31a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.idea/
+.DS_Store
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..1e2e0c7
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,183 @@
+# syntax=docker/dockerfile:1.4
+# =============================================================================
+# Dockhand Docker Image - Security-Hardened Build
+# =============================================================================
+# This Dockerfile builds a custom Wolfi OS from scratch using apko, ensuring:
+# - Full transparency (no dependency on pre-built Chainguard images)
+# - Reproducible builds from open-source Wolfi packages
+# - Minimal attack surface with only required packages
+#
+# Bun is copied from the official oven/bun image (app-builder stage).
+# For CPUs without AVX support (Celeron, Atom, pre-Haswell), build with:
+#   docker build --build-arg BUN_VARIANT=baseline -t dockhand:baseline .
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# Stage 1: OS Generator (Alpine + apko tool)
+# -----------------------------------------------------------------------------
+# We use Alpine because it has a shell. This lets us download and run apko
+# to build our custom Wolfi OS from scratch using open-source packages.
+FROM alpine:3.21 AS os-builder
+
+ARG TARGETARCH
+
+WORKDIR /work
+
+# Install apko tool (latest stable release)
+# apko is the tool Chainguard uses to build their images - we use it directly
+ARG APKO_VERSION=0.30.34
+RUN apk add --no-cache curl unzip \
+    && ARCH=$([ "$TARGETARCH" = "arm64" ] && echo "arm64" || echo "amd64") \
+    && curl -sL "https://github.com/chainguard-dev/apko/releases/download/v${APKO_VERSION}/apko_${APKO_VERSION}_linux_${ARCH}.tar.gz" \
+       | tar -xz --strip-components=1 -C /usr/local/bin \
+    && chmod +x /usr/local/bin/apko
+
+# Generate apko.yaml for current target architecture only
+# We build single-arch to avoid multi-arch layer confusion in extraction
+# Note: Bun is NOT included here - it's copied from app-builder stage for CPU compatibility
+RUN APKO_ARCH=$([ "$TARGETARCH" = "arm64" ] && echo "aarch64" || echo "x86_64") \
+    && printf '%s\n' \
+    "contents:" \
+    "  repositories:" \
+    "    - https://packages.wolfi.dev/os" \
+    "  keyring:" \
+    "    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub" \
+    "  packages:" \
+    "    - wolfi-base" \
+    "    - ca-certificates" \
+    "    - busybox" \
+    "    - tzdata" \
+    "    - docker-cli" \
+    "    - docker-compose" \
+    "    - sqlite" \
+    "    - git" \
+    "    - openssh-client" \
+    "    - curl" \
+    "    - tini" \
+    "    - su-exec" \
+    "entrypoint:" \
+    "  command: /bin/sh -l" \
+    "archs:" \
+    "  - ${APKO_ARCH}" \
+    > apko.yaml
+
+# Build the OS tarball and extract rootfs
+# apko creates an OCI tarball - we need to extract the actual filesystem layer
+RUN apko build apko.yaml dockhand-base:latest output.tar \
+    && mkdir -p rootfs \
+    && tar -xf output.tar \
+    && LAYER=$(tar -tf output.tar | grep '.tar.gz$' | head -1) \
+    && tar -xzf "$LAYER" -C rootfs
+
+# -----------------------------------------------------------------------------
+# Stage 2: Application Builder
+# -----------------------------------------------------------------------------
+# Using Debian to avoid Alpine musl thread creation issues
+# Alpine's musl libc causes rayon/tokio thread pool panics during svelte-adapter-bun build
+FROM oven/bun:1.3.5-debian AS app-builder
+
+# Build argument for Bun variant (regular or baseline)
+# baseline is for CPUs without AVX support (Celeron, Atom, pre-Haswell)
+ARG BUN_VARIANT=regular
+ARG TARGETARCH
+
+WORKDIR /app
+
+# Install build dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends jq git curl unzip ca-certificates && rm -rf /var/lib/apt/lists/*
+
+# Copy package files and install ALL dependencies (needed for build)
+COPY package.json bun.lock* bunfig.toml ./
+RUN bun install --frozen-lockfile
+
+# Copy source code and build
+COPY . .
+
+# Build with parallelism - dedicated build VM has 16 CPUs and 32GB RAM
+RUN NODE_OPTIONS="--max-old-space-size=8192 --max-semi-space-size=128" bun run build
+
+# Prepare production node_modules (do this in builder where we have compilers)
+# This ensures native addons compile correctly before copying to hardened runtime
+RUN rm -rf node_modules && bun install --production --frozen-lockfile \
+    && rm -rf node_modules/@types node_modules/bun-types
+
+# Download baseline Bun binary if BUN_VARIANT=baseline (for CPUs without AVX)
+# Only applies to amd64 - ARM64 doesn't have AVX concept
+ARG BUN_VERSION=1.3.5
+RUN if [ "$BUN_VARIANT" = "baseline" ] && [ "$TARGETARCH" = "amd64" ]; then \
+      echo "Downloading Bun baseline binary for CPUs without AVX support..." && \
+      curl -fsSL "https://github.com/oven-sh/bun/releases/download/bun-v${BUN_VERSION}/bun-linux-x64-baseline.zip" -o /tmp/bun.zip && \
+      unzip -o /tmp/bun.zip -d /tmp && \
+      cp /tmp/bun-linux-x64-baseline/bun /usr/local/bin/bun && \
+      chmod +x /usr/local/bin/bun && \
+      rm -rf /tmp/bun.zip /tmp/bun-linux-x64-baseline && \
+      echo "Bun baseline binary installed successfully"; \
+    fi
+
+# -----------------------------------------------------------------------------
+# Stage 3: Final Image (Scratch + Custom Wolfi OS)
+# -----------------------------------------------------------------------------
+FROM scratch
+
+# Install our custom-built Wolfi OS (now we have /bin/sh!)
+COPY --from=os-builder /work/rootfs/ /
+
+# Copy Bun from official image - ensures compatibility with all x86_64 CPUs (no AVX2 requirement)
+# Wolfi's bun package requires AVX2 which breaks on Celeron/Atom CPUs
+# For baseline builds (BUN_VARIANT=baseline), this contains the baseline binary (no AVX requirement)
+# For regular builds, this contains the standard oven/bun binary
+COPY --from=app-builder /usr/local/bin/bun /usr/bin/bun
+
+WORKDIR /app
+
+# Set up environment variables
+ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
+    SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt \
+    NODE_ENV=production \
+    PORT=3000 \
+    HOST=0.0.0.0 \
+    DATA_DIR=/app/data \
+    HOME=/home/dockhand \
+    PUID=1001 \
+    PGID=1001
+
+# Create docker compose plugin symlink (we use `docker compose` syntax, Wolfi has standalone binary)
+RUN mkdir -p /usr/libexec/docker/cli-plugins \
+    && ln -s /usr/bin/docker-compose /usr/libexec/docker/cli-plugins/docker-compose
+
+# Create dockhand user and group (using busybox commands)
+RUN addgroup -g 1001 dockhand \
+    && adduser -u 1001 -G dockhand -h /home/dockhand -D dockhand
+
+# Copy application files with correct ownership (avoids layer duplication from chown -R)
+COPY --from=app-builder --chown=dockhand:dockhand /app/node_modules ./node_modules
+COPY --from=app-builder --chown=dockhand:dockhand /app/package.json ./
+COPY --from=app-builder --chown=dockhand:dockhand /app/build ./build
+COPY --from=app-builder --chown=dockhand:dockhand /app/build/subprocesses/ ./subprocesses/
+
+# Copy database migrations
+COPY --chown=dockhand:dockhand drizzle/ ./drizzle/
+COPY --chown=dockhand:dockhand drizzle-pg/ ./drizzle-pg/
+
+# Copy legal documents
+COPY --chown=dockhand:dockhand LICENSE.txt PRIVACY.txt ./
+
+# Copy entrypoint script (root-owned, executable)
+COPY docker-entrypoint.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
+
+# Copy emergency scripts
+COPY --chown=dockhand:dockhand scripts/emergency/ ./scripts/
+RUN chmod +x ./scripts/*.sh ./scripts/**/*.sh 2>/dev/null || true
+
+# Create data directories with correct ownership
+RUN mkdir -p /home/dockhand/.dockhand/stacks /app/data \
+    && chown dockhand:dockhand /app/data /home/dockhand /home/dockhand/.dockhand /home/dockhand/.dockhand/stacks
+
+EXPOSE 3000
+
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+    CMD curl -f http://localhost:3000/ || exit 1
+
+ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/docker-entrypoint.sh"]
+CMD ["bun", "run", "./build/index.js"]
diff --git a/LICENSE.txt b/LICENSE.txt
index 86472ee..148c985 100644
--- a/LICENSE.txt
+++ b/LICENSE.txt
@@ -123,6 +123,6 @@ under an Open Source License, as stated in this License.
 
 For licensing inquiries, commercial licensing, or enterprise features:
 
-  Website: https://dockhand.io
+  Website: https://dockhand.pro
 
 -----------------------------------------------------------------------------
diff --git a/PRIVACY.txt b/PRIVACY.txt
new file mode 100644
index 0000000..fb5bc78
--- /dev/null
+++ b/PRIVACY.txt
@@ -0,0 +1,425 @@
+DOCKHAND PRIVACY POLICY
+
+Last Updated: December 14, 2025
+Effective Date: December 14, 2025
+
+================================================================================
+
+1. INTRODUCTION
+
+This Privacy Policy describes how Finsys Jaroslaw Krochmalski ("Finsys," "we,"
+"us," or "our") handles data in connection with the Dockhand software
+application ("Software"). This Policy applies to all users of the Software.
+
+Finsys is committed to protecting your privacy and ensuring transparency
+about our data practices. This Policy explains that the Software operates
+entirely locally on your infrastructure with no data transmitted to Finsys.
+
+
+2. DATA CONTROLLER INFORMATION
+
+Finsys Jaroslaw Krochmalski
+ul. Borki 6
+05-119 Jozefow
+Poland
+
+VAT ID: PL7121835977
+REGON: 061576391
+
+Email: enterprise@dockhand.pro
+Website: https://dockhand.pro
+
+For the purpose of the General Data Protection Regulation (GDPR) and other
+applicable data protection laws, Finsys is NOT the data controller for any
+personal data processed through your installation of the Software. You (the
+user or your organization) are the data controller for all data stored in
+your Software installation.
+
+
+3. OUR FUNDAMENTAL PRINCIPLE: LOCAL-ONLY DATA
+
+The Software is designed with privacy as a core principle:
+
+- ALL DATA STAYS LOCAL: The Software stores all data exclusively on your
+  infrastructure (your servers, your databases, your storage).
+
+- NO DATA TRANSMISSION: The Software does not transmit any data to Finsys
+  servers, third-party servers, or any external services.
+
+- NO TELEMETRY: The Software contains no telemetry, analytics, usage
+  tracking, crash reporting, or any other data collection mechanisms.
+
+- FULLY SELF-CONTAINED: The Software operates entirely within your
+  infrastructure without requiring any connection to Finsys systems.
+
+- FINSYS HAS NO ACCESS: Finsys cannot access, view, retrieve, or process
+  any data stored in your Software installation.
+
+
+4. DATA PROCESSED BY THE SOFTWARE
+
+When you use the Software, the following types of data may be stored
+LOCALLY on your infrastructure:
+
+4.1 User Account Data
+- Usernames and email addresses
+- Password hashes (never stored in plain text)
+- Multi-factor authentication (MFA) secrets (Enterprise Edition)
+- User profile information and avatars
+- Role assignments and permissions (Enterprise Edition)
+
+4.2 Authentication Data
+- Session tokens and cookies
+- OIDC/SSO tokens and provider configurations
+- LDAP/Active Directory connection settings (Enterprise Edition)
+- API tokens for remote access
+
+4.3 Docker Environment Data
+- Docker host connection details (URLs, ports, socket paths)
+- Docker container information (names, IDs, configurations)
+- Container logs and metrics
+- Image and volume data
+- Network configurations
+- Compose stack definitions
+
+4.4 Git Integration Data
+- Git repository URLs and credentials
+- SSH keys and access tokens
+- Deployment webhooks
+
+4.5 Registry Data
+- Docker registry URLs and credentials
+- Image pull/push history
+
+4.6 Activity and Audit Data
+- User activity logs
+- Container events and operations
+- Audit trails (Enterprise Edition)
+
+4.7 Application Settings
+- General configuration preferences
+- Notification channel settings (SMTP, webhooks)
+- Scheduled task configurations
+
+All of the above data is stored exclusively in your local database
+(SQLite or PostgreSQL) and on your local filesystem. None of this data
+is transmitted to or accessible by Finsys.
+
+
+5. HOW DATA IS STORED
+
+5.1 Database Storage
+
+The Software uses either SQLite or PostgreSQL as configured by you:
+- SQLite: Data stored in a local file on your server
+- PostgreSQL: Data stored in your PostgreSQL database instance
+
+5.2 File Storage
+
+Certain data is stored in the local filesystem:
+- Compose stack files
+- Uploaded files (e.g., user avatars)
+- Temporary files during operations
+
+5.3 Encryption
+
+- Passwords are hashed using secure algorithms (Argon2id)
+- Sensitive credentials may be encrypted at rest depending on your
+  database configuration
+- You are responsible for implementing disk encryption, database
+  encryption, and network security for your infrastructure
+
+
+6. YOUR RESPONSIBILITIES AS DATA CONTROLLER
+
+Since all data is stored locally on your infrastructure, YOU are the
+data controller for purposes of GDPR and other data protection laws.
+As data controller, you are responsible for:
+
+6.1 Legal Basis for Processing
+Ensuring you have a valid legal basis for processing personal data of
+your users (e.g., consent, legitimate interest, contractual necessity).
+
+6.2 Data Subject Rights
+Responding to data subject requests including:
+- Right of access (Article 15 GDPR)
+- Right to rectification (Article 16 GDPR)
+- Right to erasure (Article 17 GDPR)
+- Right to restriction of processing (Article 18 GDPR)
+- Right to data portability (Article 20 GDPR)
+- Right to object (Article 21 GDPR)
+
+6.3 Security Measures
+Implementing appropriate technical and organizational measures to
+protect personal data, including:
+- Access controls and authentication
+- Encryption of data at rest and in transit
+- Regular security updates and patches
+- Backup and disaster recovery procedures
+- Network security (firewalls, VPNs, etc.)
+
+6.4 Data Retention
+Establishing and implementing appropriate data retention policies.
+
+6.5 Breach Notification
+Notifying supervisory authorities and affected individuals in case
+of a personal data breach, as required by applicable law.
+
+6.6 Privacy Notices
+Providing appropriate privacy notices to your users regarding how
+their data is processed within the Software.
+
+
+7. DATA WE DO NOT COLLECT
+
+To be absolutely clear, Finsys does NOT collect, receive, access, or
+process ANY of the following:
+
+- Your identity or contact information (unless you contact us directly)
+- Your Docker infrastructure information
+- Your container configurations or data
+- Your user accounts or credentials
+- Your activity logs or audit trails
+- Your git repositories or deployment data
+- Usage statistics or analytics
+- Error reports or crash data
+- Any telemetry or diagnostic data
+- Any data whatsoever from your Software installation
+
+
+8. WHEN FINSYS MAY RECEIVE DATA
+
+The only circumstances in which Finsys may receive data from you are:
+
+8.1 Direct Communication
+When you voluntarily contact us via email (enterprise@dockhand.pro),
+we receive and process the information you provide (name, email address,
+message content). This data is processed for the purpose of responding
+to your inquiry based on our legitimate interest in providing customer
+support.
+
+8.2 License Purchase
+
+When you purchase an Enterprise Edition license, we collect and process:
+
+Data Collected:
+- Name and/or company name
+- Email address
+- Billing address
+- Payment information (processed by payment provider)
+- Licensed hostname/identifier
+
+Legal Basis (GDPR Article 6):
+- Contract performance (Art. 6(1)(b)) - to fulfill the license agreement
+- Legal obligation (Art. 6(1)(c)) - for invoicing and tax records
+
+How We Use This Data:
+- To issue and deliver your License Key
+- To send license renewal reminders
+- To provide support related to your license
+- To comply with tax and accounting obligations
+
+Data Retention:
+- License and invoice records: 7 years (Polish tax law requirement)
+- Email correspondence: 3 years after last contact
+
+Data Sharing:
+- Payment processor (for payment transactions only)
+- No other third parties
+- No marketing or advertising use
+
+8.3 Website Visits
+If you visit our website (https://dockhand.pro), standard web server
+logs may be collected. See our website privacy policy for details.
+
+
+9. LICENSE KEY DATA
+
+Enterprise Edition License Keys contain:
+- Customer name (as registered)
+- Licensed hostname or identifier
+- Expiration date
+- Cryptographic signature
+
+This information is embedded in the License Key itself and stored
+locally in your Software installation. Finsys retains a record of
+issued licenses for license management purposes.
+
+
+10. INTERNATIONAL DATA TRANSFERS
+
+Since all Software data is stored locally on your infrastructure, no
+international data transfers occur through the Software itself.
+
+If your infrastructure is located outside the European Economic Area
+(EEA), you are responsible for ensuring appropriate safeguards for
+any personal data stored therein.
+
+
+11. DATA RETENTION
+
+11.1 Software Data
+You control the retention of all data in your Software installation.
+The Software does not automatically delete data unless you configure
+retention policies or manually delete data.
+
+11.2 Communication Data
+If you contact us directly, we retain correspondence for as long as
+necessary to respond to your inquiry and for our records, typically
+not exceeding 3 years unless required for legal purposes.
+
+11.3 License Records
+We retain license purchase and activation records for the duration
+required by tax and accounting regulations (typically 5-7 years).
+
+
+12. CHILDREN'S PRIVACY
+
+The Software is not intended for use by children under 16 years of age.
+We do not knowingly collect personal data from children. If you are a
+parent or guardian and believe your child has provided personal data
+to us through direct communication, please contact us.
+
+
+13. THIRD-PARTY SERVICES
+
+13.1 Software Integrations
+
+The Software may connect to third-party services as configured by you:
+- Docker registries
+- Git repositories (GitHub, GitLab, etc.)
+- OIDC/SSO providers
+- LDAP/Active Directory servers
+- Notification services (SMTP, Discord, Slack, etc.)
+
+These connections are initiated by you, configured by you, and occur
+between your infrastructure and these third-party services. Finsys is
+not involved in these connections and has no access to the data
+exchanged. The privacy policies of these third-party services apply
+to your use of them.
+
+13.2 No Hidden Third-Party Data Sharing
+
+The Software does not share any data with third parties on our behalf.
+There are no embedded analytics services, advertising networks, or
+data brokers within the Software.
+
+
+14. SECURITY
+
+14.1 Software Security
+
+We implement security measures in the Software design:
+- Secure password hashing (Argon2id)
+- Session management with secure tokens
+- Input validation and sanitization
+- Protection against common web vulnerabilities
+
+14.2 Your Security Responsibilities
+
+Since all data is stored on your infrastructure, you are responsible
+for:
+- Keeping the Software updated
+- Securing your server and database
+- Implementing network security measures
+- Managing user access and authentication
+- Creating and securing backups
+
+
+15. CHANGES TO THIS PRIVACY POLICY
+
+We may update this Privacy Policy from time to time. Material changes
+will be communicated through:
+- Updated "Last Updated" date at the top of this Policy
+- Notice on our website
+- Notice within the Software (for significant changes)
+
+We encourage you to review this Privacy Policy periodically.
+
+
+16. GDPR COMPLIANCE
+
+Finsys complies with the General Data Protection Regulation (EU) 2016/679.
+
+Summary of Our Data Processing:
+- We only collect personal data (email, name) when you purchase a license
+- Legal basis: Contract performance and legal obligation
+- Data is stored securely in the EU (Poland)
+- Retention: 7 years for tax records, 3 years for correspondence
+- No automated decision-making or profiling
+- No data sold or shared for marketing purposes
+
+Your GDPR Rights (Articles 15-22):
+You have the right to access, rectify, erase, restrict processing,
+data portability, and object to processing of your personal data.
+
+To exercise any of these rights, contact: enterprise@dockhand.pro
+We will respond within 30 days as required by GDPR.
+
+
+17. YOUR RIGHTS
+
+If you are located in the European Economic Area (EEA), United Kingdom,
+or other jurisdiction with data protection laws, you have rights
+regarding personal data we hold about you (from direct communications
+or license purchases):
+
+- Access: Request access to personal data we hold about you
+- Rectification: Request correction of inaccurate data
+- Erasure: Request deletion of your data
+- Restriction: Request restriction of processing
+- Portability: Request a copy of your data in portable format
+- Objection: Object to processing based on legitimate interests
+- Complaint: Lodge a complaint with a supervisory authority
+
+To exercise these rights, contact us at enterprise@dockhand.pro.
+
+Note: These rights apply to data WE hold (from direct communication or
+license purchases), not to data in YOUR Software installation. For data
+in your installation, YOU are the data controller and responsible for
+handling such requests from your users.
+
+
+18. SUPERVISORY AUTHORITY
+
+If you are located in Poland, the relevant supervisory authority is:
+
+Urzad Ochrony Danych Osobowych (UODO)
+ul. Stawki 2
+00-193 Warszawa
+Poland
+https://uodo.gov.pl
+
+If you are located in another EEA country, you may contact your local
+data protection authority.
+
+
+19. CONTACT US
+
+For any privacy-related questions, concerns, or requests:
+
+Finsys Jaroslaw Krochmalski
+ul. Borki 6
+05-119 Jozefow
+Poland
+
+Email: enterprise@dockhand.pro
+Website: https://dockhand.pro
+
+
+================================================================================
+SUMMARY
+
+Dockhand is a privacy-respecting application:
+- All data stays on YOUR infrastructure
+- NO data is sent to Finsys servers
+- NO telemetry or analytics
+- YOU are the data controller for your installation
+- Finsys has NO access to your data
+
+We believe privacy is a fundamental right, and we have designed Dockhand
+to respect that right by ensuring you maintain complete control over your
+data at all times.
+================================================================================
+
+Copyright (c) 2025-2026 Finsys Jaroslaw Krochmalski. All rights reserved.
diff --git a/README.md b/README.md
index 4d77500..e687248 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
 <p align="center">
-  <img src="images/logo.webp" alt="Dockhand" width="300">
+  <img src="src/images/logo.webp" alt="Dockhand" width="300">
 </p>
 
 <p align="center">
@@ -7,8 +7,8 @@
 </p>
 
 <p align="center">
-  <a href="https://dockhand.io">Website</a> •
-  <a href="https://dockhand.io/docs">Documentation</a> •
+  <a href="https://dockhand.pro">Website</a> •
+  <a href="https://dockhand.pro/manual">Documentation</a> •
   <a href="#license">License</a>
 </p>
 
@@ -16,7 +16,7 @@
 
 ## About
 
-Dockhand is a modern, efficient Docker management application providing real-time container management, Compose stack orchestration, and multi-environment support.
+Dockhand is a modern, efficient Docker management application providing real-time container management, Compose stack orchestration, and multi-environment support.  All in a lightweight, secure and privacy-focused package.
 
 ### Features
 
@@ -30,10 +30,11 @@ Dockhand is a modern, efficient Docker management application providing real-tim
 
 ## Tech Stack
 
+- **Base**: own OS layer built from scratch using <a href="https://github.com/wolfi-dev/os">Wolfi packages</a> via apko. Every package is explicitly declared in the Dockerfile.
 - **Frontend**: SvelteKit 2, Svelte 5, shadcn-svelte, TailwindCSS
 - **Backend**: Bun runtime with SvelteKit API routes
 - **Database**: SQLite or PostgreSQL via Drizzle ORM
-- **Docker**: Dockerode library
+- **Docker**: direct docker API calls.
 
 ## License
 
@@ -47,10 +48,18 @@ Dockhand is licensed under the [Business Source License 1.1](LICENSE.txt) (BSL 1
 
 See [LICENSE.txt](LICENSE.txt) for full terms.
 
+
+<a href="https://buymeacoffee.com/dockhand" target="_blank">
+  <img src="https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png"
+       alt="Buy Me A Coffee"
+       height="40">
+</a>
+
+
 ## Links
 
-- **Website**: [https://dockhand.io](https://dockhand.io)
-- **Documentation**: [https://dockhand.io/docs](https://dockhand.io/docs)
+- **Website**: [https://dockhand.pro](https://dockhand.pro)
+- **Documentation**: [https://dockhand.pro/manual](https://dockhand.pro/manual)
 
 ---
 
diff --git a/bunfig.toml b/bunfig.toml
new file mode 100644
index 0000000..51bc0ff
--- /dev/null
+++ b/bunfig.toml
@@ -0,0 +1,9 @@
+# Bun configuration for Dockhand
+
+[install]
+# Use exact versions for reproducible builds
+exact = true
+
+[run]
+# Enable source maps for better error messages
+sourcemap = "external"
diff --git a/components.json b/components.json
new file mode 100644
index 0000000..c5d91b4
--- /dev/null
+++ b/components.json
@@ -0,0 +1,16 @@
+{
+	"$schema": "https://shadcn-svelte.com/schema.json",
+	"tailwind": {
+		"css": "src/app.css",
+		"baseColor": "slate"
+	},
+	"aliases": {
+		"components": "$lib/components",
+		"utils": "$lib/utils",
+		"ui": "$lib/components/ui",
+		"hooks": "$lib/hooks",
+		"lib": "$lib"
+	},
+	"typescript": true,
+	"registry": "https://shadcn-svelte.com/registry"
+}
diff --git a/docker-compose-postgresql.yaml b/docker-compose-postgresql.yaml
new file mode 100644
index 0000000..a1fa941
--- /dev/null
+++ b/docker-compose-postgresql.yaml
@@ -0,0 +1,25 @@
+services:
+  postgres:
+    image: postgres:16-alpine
+    environment:
+      POSTGRES_USER: dockhand
+      POSTGRES_PASSWORD: changeme
+      POSTGRES_DB: dockhand
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+
+  dockhand:
+    image: fnsys/dockhand:latest
+    ports:
+      - 3000:3000
+    environment:
+      DATABASE_URL: postgres://dockhand:changeme@postgres:5432/dockhand
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - dockhand_data:/app/data
+    depends_on:
+      - postgres
+
+volumes:
+  postgres_data:
+  dockhand_data:
\ No newline at end of file
diff --git a/docker-compose.yaml b/docker-compose.yaml
new file mode 100644
index 0000000..b83f7c4
--- /dev/null
+++ b/docker-compose.yaml
@@ -0,0 +1,13 @@
+services:
+  dockhand:
+    image: fnsys/dockhand:latest
+    container_name: dockhand
+    restart: unless-stopped
+    ports:
+      - 3000:3000
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - dockhand_data:/app/data
+
+volumes:
+  dockhand_data:
\ No newline at end of file
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
new file mode 100644
index 0000000..82ab463
--- /dev/null
+++ b/docker-entrypoint.sh
@@ -0,0 +1,191 @@
+#!/bin/sh
+set -e
+
+# Dockhand Docker Entrypoint
+# === Configuration ===
+PUID=${PUID:-1001}
+PGID=${PGID:-1001}
+
+# === Detect if running as root ===
+RUNNING_AS_ROOT=false
+if [ "$(id -u)" = "0" ]; then
+    RUNNING_AS_ROOT=true
+fi
+
+# === Non-root mode (user: directive in compose) ===
+# If container started as non-root, skip all user management and run directly
+if [ "$RUNNING_AS_ROOT" = "false" ]; then
+    echo "Running as user $(id -u):$(id -g) (set via container user directive)"
+
+    # Ensure data directories exist (user must have write access to DATA_DIR via volume mount)
+    DATA_DIR="${DATA_DIR:-/app/data}"
+    if [ ! -d "$DATA_DIR/db" ]; then
+        echo "Creating database directory at $DATA_DIR/db"
+        mkdir -p "$DATA_DIR/db" 2>/dev/null || {
+            echo "ERROR: Cannot create $DATA_DIR/db directory"
+            echo "Ensure the data volume is mounted with correct permissions for user $(id -u):$(id -g)"
+            echo ""
+            echo "Example docker-compose.yml:"
+            echo "  volumes:"
+            echo "    - ./data:/app/data  # This directory must be writable by user $(id -u)"
+            exit 1
+        }
+    fi
+    if [ ! -d "$DATA_DIR/stacks" ]; then
+        mkdir -p "$DATA_DIR/stacks" 2>/dev/null || true
+    fi
+
+    # Check Docker socket access if mounted
+    SOCKET_PATH="/var/run/docker.sock"
+    if [ -S "$SOCKET_PATH" ]; then
+        if test -r "$SOCKET_PATH" 2>/dev/null; then
+            echo "Docker socket accessible at $SOCKET_PATH"
+            # Detect hostname from Docker if not set
+            if [ -z "$DOCKHAND_HOSTNAME" ]; then
+                DETECTED_HOSTNAME=$(curl -s --unix-socket "$SOCKET_PATH" http://localhost/info 2>/dev/null | sed -n 's/.*"Name":"\([^"]*\)".*/\1/p')
+                if [ -n "$DETECTED_HOSTNAME" ]; then
+                    export DOCKHAND_HOSTNAME="$DETECTED_HOSTNAME"
+                    echo "Detected Docker host hostname: $DOCKHAND_HOSTNAME"
+                fi
+            fi
+        else
+            SOCKET_GID=$(stat -c '%g' "$SOCKET_PATH" 2>/dev/null || echo "unknown")
+            echo "WARNING: Docker socket not readable by user $(id -u)"
+            echo "Add --group-add $SOCKET_GID to your docker run command"
+        fi
+    else
+        echo "No Docker socket found at $SOCKET_PATH"
+        echo "Configure Docker environments via the web UI (Settings > Environments)"
+    fi
+
+    # Run directly as current user (no su-exec needed)
+    if [ "$1" = "" ]; then
+        exec bun run ./build/index.js
+    else
+        exec "$@"
+    fi
+fi
+
+# === User Setup ===
+# Root mode: PUID=0 requested OR already running as root with default PUID/PGID
+if [ "$PUID" = "0" ]; then
+    echo "Running as root user (PUID=0)"
+    RUN_USER="root"
+elif [ "$RUNNING_AS_ROOT" = "true" ] && [ "$PUID" = "1001" ] && [ "$PGID" = "1001" ]; then
+    echo "Running as root user"
+    RUN_USER="root"
+else
+    RUN_USER="dockhand"
+    # Only modify if PUID/PGID differ from image defaults (1001:1001)
+    if [ "$PUID" != "1001" ] || [ "$PGID" != "1001" ]; then
+        echo "Configuring user with PUID=$PUID PGID=$PGID"
+
+        # Remove existing dockhand user/group (using busybox commands)
+        deluser dockhand 2>/dev/null || true
+        delgroup dockhand 2>/dev/null || true
+
+        # Check for UID conflicts - warn but don't delete other users
+        SKIP_USER_CREATE=false
+        if getent passwd "$PUID" >/dev/null 2>&1; then
+            EXISTING=$(getent passwd "$PUID" | cut -d: -f1)
+            if [ "$EXISTING" = "bun" ]; then
+                echo "Note: UID $PUID is used by the 'bun' runtime user - reusing it for dockhand"
+                echo "If upgrading from a previous version, you may need to fix data permissions:"
+                echo "  chown -R $PUID:$PGID /path/to/your/data"
+                RUN_USER="bun"
+                SKIP_USER_CREATE=true
+            else
+                echo "WARNING: UID $PUID already in use by '$EXISTING'. Using default UID 1001."
+                PUID=1001
+            fi
+        fi
+
+        # Handle GID - reuse existing group or create new
+        if getent group "$PGID" >/dev/null 2>&1; then
+            TARGET_GROUP=$(getent group "$PGID" | cut -d: -f1)
+        else
+            addgroup -g "$PGID" dockhand
+            TARGET_GROUP="dockhand"
+        fi
+
+        if [ "$SKIP_USER_CREATE" = "false" ]; then
+            adduser -u "$PUID" -G "$TARGET_GROUP" -h /home/dockhand -D dockhand
+        fi
+    fi
+
+    # === Directory Ownership ===
+    chown -R "$RUN_USER":"$RUN_USER" /app/data 2>/dev/null || true
+    if [ "$RUN_USER" = "dockhand" ]; then
+        chown -R dockhand:dockhand /home/dockhand 2>/dev/null || true
+    fi
+
+    if [ -n "$DATA_DIR" ] && [ "$DATA_DIR" != "/app/data" ] && [ "$DATA_DIR" != "./data" ]; then
+        mkdir -p "$DATA_DIR"
+        chown -R "$RUN_USER":"$RUN_USER" "$DATA_DIR" 2>/dev/null || true
+    fi
+fi
+
+# === Docker Socket Access (Optional) ===
+# Check if Docker socket is mounted and accessible
+# Note: DOCKER_HOST with tcp:// requires configuring an environment via the web UI
+SOCKET_PATH="/var/run/docker.sock"
+
+if [ -S "$SOCKET_PATH" ]; then
+    # Socket exists - check if readable
+    if [ "$RUN_USER" != "root" ]; then
+        if ! su-exec "$RUN_USER" test -r "$SOCKET_PATH" 2>/dev/null; then
+            SOCKET_GID=$(stat -c '%g' "$SOCKET_PATH" 2>/dev/null || echo "unknown")
+            echo "WARNING: Docker socket at $SOCKET_PATH is not readable by $RUN_USER user"
+            echo ""
+            echo "To use local Docker, fix with one of these options:"
+            echo ""
+            echo "  1. Add container to docker group (GID: $SOCKET_GID):"
+            echo "     docker run --group-add $SOCKET_GID ..."
+            echo ""
+            echo "  2. Use a socket proxy:"
+            echo "     Configure a 'direct' environment pointing to tcp://socket-proxy:2375"
+            echo ""
+            echo "  3. Make socket world-readable (less secure):"
+            echo "     chmod 666 /var/run/docker.sock"
+            echo ""
+            echo "Continuing startup - configure environments via the web UI..."
+        else
+            echo "Docker socket accessible at $SOCKET_PATH"
+        fi
+    else
+        echo "Docker socket accessible at $SOCKET_PATH"
+    fi
+
+    # === Detect Docker Host Hostname (for license validation) ===
+    # Query Docker API to get the real host hostname (not container ID)
+    if [ -z "$DOCKHAND_HOSTNAME" ]; then
+        DETECTED_HOSTNAME=$(curl -s --unix-socket "$SOCKET_PATH" http://localhost/info 2>/dev/null | sed -n 's/.*"Name":"\([^"]*\)".*/\1/p')
+        if [ -n "$DETECTED_HOSTNAME" ]; then
+            export DOCKHAND_HOSTNAME="$DETECTED_HOSTNAME"
+            echo "Detected Docker host hostname: $DOCKHAND_HOSTNAME"
+        fi
+    else
+        echo "Using configured hostname: $DOCKHAND_HOSTNAME"
+    fi
+else
+    echo "No local Docker socket mounted (this is normal when using socket-proxy or remote Docker)"
+    echo "Configure your Docker environment via the web UI: Settings > Environments"
+fi
+
+# === Run Application ===
+if [ "$RUN_USER" = "root" ]; then
+    # Running as root - execute directly
+    if [ "$1" = "" ]; then
+        exec bun run ./build/index.js
+    else
+        exec "$@"
+    fi
+else
+    # Running as non-root user
+    echo "Running as user: $RUN_USER"
+    if [ "$1" = "" ]; then
+        exec su-exec "$RUN_USER" bun run ./build/index.js
+    else
+        exec su-exec "$RUN_USER" "$@"
+    fi
+fi
diff --git a/drizzle-pg/0000_initial_schema.sql b/drizzle-pg/0000_initial_schema.sql
new file mode 100644
index 0000000..15c71a7
--- /dev/null
+++ b/drizzle-pg/0000_initial_schema.sql
@@ -0,0 +1,401 @@
+CREATE TABLE "audit_logs" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"user_id" integer,
+	"username" text NOT NULL,
+	"action" text NOT NULL,
+	"entity_type" text NOT NULL,
+	"entity_id" text,
+	"entity_name" text,
+	"environment_id" integer,
+	"description" text,
+	"details" text,
+	"ip_address" text,
+	"user_agent" text,
+	"created_at" timestamp DEFAULT now()
+);
+--> statement-breakpoint
+CREATE TABLE "auth_settings" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"auth_enabled" boolean DEFAULT false,
+	"default_provider" text DEFAULT 'local',
+	"session_timeout" integer DEFAULT 86400,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now()
+);
+--> statement-breakpoint
+CREATE TABLE "auto_update_settings" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"environment_id" integer,
+	"container_name" text NOT NULL,
+	"enabled" boolean DEFAULT false,
+	"schedule_type" text DEFAULT 'daily',
+	"cron_expression" text,
+	"vulnerability_criteria" text DEFAULT 'never',
+	"last_checked" timestamp,
+	"last_updated" timestamp,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "auto_update_settings_environment_id_container_name_unique" UNIQUE("environment_id","container_name")
+);
+--> statement-breakpoint
+CREATE TABLE "config_sets" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"name" text NOT NULL,
+	"description" text,
+	"env_vars" text,
+	"labels" text,
+	"ports" text,
+	"volumes" text,
+	"network_mode" text DEFAULT 'bridge',
+	"restart_policy" text DEFAULT 'no',
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "config_sets_name_unique" UNIQUE("name")
+);
+--> statement-breakpoint
+CREATE TABLE "container_events" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"environment_id" integer,
+	"container_id" text NOT NULL,
+	"container_name" text,
+	"image" text,
+	"action" text NOT NULL,
+	"actor_attributes" text,
+	"timestamp" timestamp NOT NULL,
+	"created_at" timestamp DEFAULT now()
+);
+--> statement-breakpoint
+CREATE TABLE "environment_notifications" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"environment_id" integer NOT NULL,
+	"notification_id" integer NOT NULL,
+	"enabled" boolean DEFAULT true,
+	"event_types" text,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "environment_notifications_environment_id_notification_id_unique" UNIQUE("environment_id","notification_id")
+);
+--> statement-breakpoint
+CREATE TABLE "environments" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"name" text NOT NULL,
+	"host" text,
+	"port" integer DEFAULT 2375,
+	"protocol" text DEFAULT 'http',
+	"tls_ca" text,
+	"tls_cert" text,
+	"tls_key" text,
+	"tls_skip_verify" boolean DEFAULT false,
+	"icon" text DEFAULT 'globe',
+	"collect_activity" boolean DEFAULT true,
+	"collect_metrics" boolean DEFAULT true,
+	"highlight_changes" boolean DEFAULT true,
+	"labels" text,
+	"connection_type" text DEFAULT 'socket',
+	"socket_path" text DEFAULT '/var/run/docker.sock',
+	"hawser_token" text,
+	"hawser_last_seen" timestamp,
+	"hawser_agent_id" text,
+	"hawser_agent_name" text,
+	"hawser_version" text,
+	"hawser_capabilities" text,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "environments_name_unique" UNIQUE("name")
+);
+--> statement-breakpoint
+CREATE TABLE "git_credentials" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"name" text NOT NULL,
+	"auth_type" text DEFAULT 'none' NOT NULL,
+	"username" text,
+	"password" text,
+	"ssh_private_key" text,
+	"ssh_passphrase" text,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "git_credentials_name_unique" UNIQUE("name")
+);
+--> statement-breakpoint
+CREATE TABLE "git_repositories" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"name" text NOT NULL,
+	"url" text NOT NULL,
+	"branch" text DEFAULT 'main',
+	"credential_id" integer,
+	"compose_path" text DEFAULT 'docker-compose.yml',
+	"environment_id" integer,
+	"auto_update" boolean DEFAULT false,
+	"auto_update_schedule" text DEFAULT 'daily',
+	"auto_update_cron" text DEFAULT '0 3 * * *',
+	"webhook_enabled" boolean DEFAULT false,
+	"webhook_secret" text,
+	"last_sync" timestamp,
+	"last_commit" text,
+	"sync_status" text DEFAULT 'pending',
+	"sync_error" text,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "git_repositories_name_unique" UNIQUE("name")
+);
+--> statement-breakpoint
+CREATE TABLE "git_stacks" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"stack_name" text NOT NULL,
+	"environment_id" integer,
+	"repository_id" integer NOT NULL,
+	"compose_path" text DEFAULT 'docker-compose.yml',
+	"auto_update" boolean DEFAULT false,
+	"auto_update_schedule" text DEFAULT 'daily',
+	"auto_update_cron" text DEFAULT '0 3 * * *',
+	"webhook_enabled" boolean DEFAULT false,
+	"webhook_secret" text,
+	"last_sync" timestamp,
+	"last_commit" text,
+	"sync_status" text DEFAULT 'pending',
+	"sync_error" text,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "git_stacks_stack_name_environment_id_unique" UNIQUE("stack_name","environment_id")
+);
+--> statement-breakpoint
+CREATE TABLE "hawser_tokens" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"token" text NOT NULL,
+	"token_prefix" text NOT NULL,
+	"name" text NOT NULL,
+	"environment_id" integer,
+	"is_active" boolean DEFAULT true,
+	"last_used" timestamp,
+	"created_at" timestamp DEFAULT now(),
+	"expires_at" timestamp,
+	CONSTRAINT "hawser_tokens_token_unique" UNIQUE("token")
+);
+--> statement-breakpoint
+CREATE TABLE "host_metrics" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"environment_id" integer,
+	"cpu_percent" double precision NOT NULL,
+	"memory_percent" double precision NOT NULL,
+	"memory_used" bigint,
+	"memory_total" bigint,
+	"timestamp" timestamp DEFAULT now()
+);
+--> statement-breakpoint
+CREATE TABLE "ldap_config" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"name" text NOT NULL,
+	"enabled" boolean DEFAULT false,
+	"server_url" text NOT NULL,
+	"bind_dn" text,
+	"bind_password" text,
+	"base_dn" text NOT NULL,
+	"user_filter" text DEFAULT '(uid={{username}})',
+	"username_attribute" text DEFAULT 'uid',
+	"email_attribute" text DEFAULT 'mail',
+	"display_name_attribute" text DEFAULT 'cn',
+	"group_base_dn" text,
+	"group_filter" text,
+	"admin_group" text,
+	"role_mappings" text,
+	"tls_enabled" boolean DEFAULT false,
+	"tls_ca" text,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now()
+);
+--> statement-breakpoint
+CREATE TABLE "notification_settings" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"type" text NOT NULL,
+	"name" text NOT NULL,
+	"enabled" boolean DEFAULT true,
+	"config" text NOT NULL,
+	"event_types" text,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now()
+);
+--> statement-breakpoint
+CREATE TABLE "oidc_config" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"name" text NOT NULL,
+	"enabled" boolean DEFAULT false,
+	"issuer_url" text NOT NULL,
+	"client_id" text NOT NULL,
+	"client_secret" text NOT NULL,
+	"redirect_uri" text NOT NULL,
+	"scopes" text DEFAULT 'openid profile email',
+	"username_claim" text DEFAULT 'preferred_username',
+	"email_claim" text DEFAULT 'email',
+	"display_name_claim" text DEFAULT 'name',
+	"admin_claim" text,
+	"admin_value" text,
+	"role_mappings_claim" text DEFAULT 'groups',
+	"role_mappings" text,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now()
+);
+--> statement-breakpoint
+CREATE TABLE "registries" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"name" text NOT NULL,
+	"url" text NOT NULL,
+	"username" text,
+	"password" text,
+	"is_default" boolean DEFAULT false,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "registries_name_unique" UNIQUE("name")
+);
+--> statement-breakpoint
+CREATE TABLE "roles" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"name" text NOT NULL,
+	"description" text,
+	"is_system" boolean DEFAULT false,
+	"permissions" text NOT NULL,
+	"environment_ids" text,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "roles_name_unique" UNIQUE("name")
+);
+--> statement-breakpoint
+CREATE TABLE "schedule_executions" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"schedule_type" text NOT NULL,
+	"schedule_id" integer NOT NULL,
+	"environment_id" integer,
+	"entity_name" text NOT NULL,
+	"triggered_by" text NOT NULL,
+	"triggered_at" timestamp NOT NULL,
+	"started_at" timestamp,
+	"completed_at" timestamp,
+	"duration" integer,
+	"status" text NOT NULL,
+	"error_message" text,
+	"details" text,
+	"logs" text,
+	"created_at" timestamp DEFAULT now()
+);
+--> statement-breakpoint
+CREATE TABLE "sessions" (
+	"id" text PRIMARY KEY NOT NULL,
+	"user_id" integer NOT NULL,
+	"provider" text NOT NULL,
+	"expires_at" timestamp NOT NULL,
+	"created_at" timestamp DEFAULT now()
+);
+--> statement-breakpoint
+CREATE TABLE "settings" (
+	"key" text PRIMARY KEY NOT NULL,
+	"value" text NOT NULL,
+	"updated_at" timestamp DEFAULT now()
+);
+--> statement-breakpoint
+CREATE TABLE "stack_events" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"environment_id" integer,
+	"stack_name" text NOT NULL,
+	"event_type" text NOT NULL,
+	"timestamp" timestamp DEFAULT now(),
+	"metadata" text
+);
+--> statement-breakpoint
+CREATE TABLE "stack_sources" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"stack_name" text NOT NULL,
+	"environment_id" integer,
+	"source_type" text DEFAULT 'internal' NOT NULL,
+	"git_repository_id" integer,
+	"git_stack_id" integer,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "stack_sources_stack_name_environment_id_unique" UNIQUE("stack_name","environment_id")
+);
+--> statement-breakpoint
+CREATE TABLE "user_preferences" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"user_id" integer,
+	"environment_id" integer,
+	"key" text NOT NULL,
+	"value" text NOT NULL,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "user_preferences_user_id_environment_id_key_unique" UNIQUE("user_id","environment_id","key")
+);
+--> statement-breakpoint
+CREATE TABLE "user_roles" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"user_id" integer NOT NULL,
+	"role_id" integer NOT NULL,
+	"environment_id" integer,
+	"created_at" timestamp DEFAULT now(),
+	CONSTRAINT "user_roles_user_id_role_id_environment_id_unique" UNIQUE("user_id","role_id","environment_id")
+);
+--> statement-breakpoint
+CREATE TABLE "users" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"username" text NOT NULL,
+	"email" text,
+	"password_hash" text NOT NULL,
+	"display_name" text,
+	"avatar" text,
+	"auth_provider" text DEFAULT 'local',
+	"mfa_enabled" boolean DEFAULT false,
+	"mfa_secret" text,
+	"is_active" boolean DEFAULT true,
+	"last_login" timestamp,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "users_username_unique" UNIQUE("username")
+);
+--> statement-breakpoint
+CREATE TABLE "vulnerability_scans" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"environment_id" integer,
+	"image_id" text NOT NULL,
+	"image_name" text NOT NULL,
+	"scanner" text NOT NULL,
+	"scanned_at" timestamp NOT NULL,
+	"scan_duration" integer,
+	"critical_count" integer DEFAULT 0,
+	"high_count" integer DEFAULT 0,
+	"medium_count" integer DEFAULT 0,
+	"low_count" integer DEFAULT 0,
+	"negligible_count" integer DEFAULT 0,
+	"unknown_count" integer DEFAULT 0,
+	"vulnerabilities" text,
+	"error" text,
+	"created_at" timestamp DEFAULT now()
+);
+--> statement-breakpoint
+ALTER TABLE "audit_logs" ADD CONSTRAINT "audit_logs_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "audit_logs" ADD CONSTRAINT "audit_logs_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "auto_update_settings" ADD CONSTRAINT "auto_update_settings_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "container_events" ADD CONSTRAINT "container_events_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "environment_notifications" ADD CONSTRAINT "environment_notifications_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "environment_notifications" ADD CONSTRAINT "environment_notifications_notification_id_notification_settings_id_fk" FOREIGN KEY ("notification_id") REFERENCES "public"."notification_settings"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "git_repositories" ADD CONSTRAINT "git_repositories_credential_id_git_credentials_id_fk" FOREIGN KEY ("credential_id") REFERENCES "public"."git_credentials"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "git_stacks" ADD CONSTRAINT "git_stacks_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "git_stacks" ADD CONSTRAINT "git_stacks_repository_id_git_repositories_id_fk" FOREIGN KEY ("repository_id") REFERENCES "public"."git_repositories"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "hawser_tokens" ADD CONSTRAINT "hawser_tokens_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "host_metrics" ADD CONSTRAINT "host_metrics_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "schedule_executions" ADD CONSTRAINT "schedule_executions_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "sessions" ADD CONSTRAINT "sessions_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "stack_events" ADD CONSTRAINT "stack_events_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "stack_sources" ADD CONSTRAINT "stack_sources_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "stack_sources" ADD CONSTRAINT "stack_sources_git_repository_id_git_repositories_id_fk" FOREIGN KEY ("git_repository_id") REFERENCES "public"."git_repositories"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "stack_sources" ADD CONSTRAINT "stack_sources_git_stack_id_git_stacks_id_fk" FOREIGN KEY ("git_stack_id") REFERENCES "public"."git_stacks"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "user_preferences" ADD CONSTRAINT "user_preferences_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "user_preferences" ADD CONSTRAINT "user_preferences_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "user_roles" ADD CONSTRAINT "user_roles_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "user_roles" ADD CONSTRAINT "user_roles_role_id_roles_id_fk" FOREIGN KEY ("role_id") REFERENCES "public"."roles"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "user_roles" ADD CONSTRAINT "user_roles_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "vulnerability_scans" ADD CONSTRAINT "vulnerability_scans_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+CREATE INDEX "audit_logs_user_id_idx" ON "audit_logs" USING btree ("user_id");--> statement-breakpoint
+CREATE INDEX "audit_logs_created_at_idx" ON "audit_logs" USING btree ("created_at");--> statement-breakpoint
+CREATE INDEX "container_events_env_timestamp_idx" ON "container_events" USING btree ("environment_id","timestamp");--> statement-breakpoint
+CREATE INDEX "host_metrics_env_timestamp_idx" ON "host_metrics" USING btree ("environment_id","timestamp");--> statement-breakpoint
+CREATE INDEX "schedule_executions_type_id_idx" ON "schedule_executions" USING btree ("schedule_type","schedule_id");--> statement-breakpoint
+CREATE INDEX "sessions_user_id_idx" ON "sessions" USING btree ("user_id");--> statement-breakpoint
+CREATE INDEX "sessions_expires_at_idx" ON "sessions" USING btree ("expires_at");--> statement-breakpoint
+CREATE INDEX "vulnerability_scans_env_image_idx" ON "vulnerability_scans" USING btree ("environment_id","image_id");
\ No newline at end of file
diff --git a/drizzle-pg/0001_add_stack_env_vars.sql b/drizzle-pg/0001_add_stack_env_vars.sql
new file mode 100644
index 0000000..8ee2010
--- /dev/null
+++ b/drizzle-pg/0001_add_stack_env_vars.sql
@@ -0,0 +1,14 @@
+CREATE TABLE "stack_environment_variables" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"stack_name" text NOT NULL,
+	"environment_id" integer,
+	"key" text NOT NULL,
+	"value" text NOT NULL,
+	"is_secret" boolean DEFAULT false,
+	"created_at" timestamp DEFAULT now(),
+	"updated_at" timestamp DEFAULT now(),
+	CONSTRAINT "stack_environment_variables_stack_name_environment_id_key_unique" UNIQUE("stack_name","environment_id","key")
+);
+--> statement-breakpoint
+ALTER TABLE "git_stacks" ADD COLUMN "env_file_path" text;--> statement-breakpoint
+ALTER TABLE "stack_environment_variables" ADD CONSTRAINT "stack_environment_variables_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;
\ No newline at end of file
diff --git a/drizzle-pg/0002_add_pending_container_updates.sql b/drizzle-pg/0002_add_pending_container_updates.sql
new file mode 100644
index 0000000..ac712d1
--- /dev/null
+++ b/drizzle-pg/0002_add_pending_container_updates.sql
@@ -0,0 +1,12 @@
+CREATE TABLE "pending_container_updates" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"environment_id" integer NOT NULL,
+	"container_id" text NOT NULL,
+	"container_name" text NOT NULL,
+	"current_image" text NOT NULL,
+	"checked_at" timestamp DEFAULT now(),
+	"created_at" timestamp DEFAULT now(),
+	CONSTRAINT "pending_container_updates_environment_id_container_id_unique" UNIQUE("environment_id","container_id")
+);
+--> statement-breakpoint
+ALTER TABLE "pending_container_updates" ADD CONSTRAINT "pending_container_updates_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;
\ No newline at end of file
diff --git a/drizzle-pg/0003_add_stack_paths.sql b/drizzle-pg/0003_add_stack_paths.sql
new file mode 100644
index 0000000..8102648
--- /dev/null
+++ b/drizzle-pg/0003_add_stack_paths.sql
@@ -0,0 +1,2 @@
+ALTER TABLE "stack_sources" ADD COLUMN "compose_path" text;--> statement-breakpoint
+ALTER TABLE "stack_sources" ADD COLUMN "env_path" text;
\ No newline at end of file
diff --git a/drizzle-pg/meta/0000_snapshot.json b/drizzle-pg/meta/0000_snapshot.json
new file mode 100644
index 0000000..c2004b5
--- /dev/null
+++ b/drizzle-pg/meta/0000_snapshot.json
@@ -0,0 +1,2709 @@
+{
+  "id": "50905243-3288-41de-8cef-87b4e546d7cd",
+  "prevId": "00000000-0000-0000-0000-000000000000",
+  "version": "7",
+  "dialect": "postgresql",
+  "tables": {
+    "public.audit_logs": {
+      "name": "audit_logs",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "action": {
+          "name": "action",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "entity_type": {
+          "name": "entity_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "entity_id": {
+          "name": "entity_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "entity_name": {
+          "name": "entity_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "details": {
+          "name": "details",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ip_address": {
+          "name": "ip_address",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_agent": {
+          "name": "user_agent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "audit_logs_user_id_idx": {
+          "name": "audit_logs_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "audit_logs_created_at_idx": {
+          "name": "audit_logs_created_at_idx",
+          "columns": [
+            {
+              "expression": "created_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "audit_logs_user_id_users_id_fk": {
+          "name": "audit_logs_user_id_users_id_fk",
+          "tableFrom": "audit_logs",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "audit_logs_environment_id_environments_id_fk": {
+          "name": "audit_logs_environment_id_environments_id_fk",
+          "tableFrom": "audit_logs",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.auth_settings": {
+      "name": "auth_settings",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "auth_enabled": {
+          "name": "auth_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "default_provider": {
+          "name": "default_provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'local'"
+        },
+        "session_timeout": {
+          "name": "session_timeout",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 86400
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.auto_update_settings": {
+      "name": "auto_update_settings",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "container_name": {
+          "name": "container_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "schedule_type": {
+          "name": "schedule_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'daily'"
+        },
+        "cron_expression": {
+          "name": "cron_expression",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "vulnerability_criteria": {
+          "name": "vulnerability_criteria",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'never'"
+        },
+        "last_checked": {
+          "name": "last_checked",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_updated": {
+          "name": "last_updated",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "auto_update_settings_environment_id_environments_id_fk": {
+          "name": "auto_update_settings_environment_id_environments_id_fk",
+          "tableFrom": "auto_update_settings",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "no action",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "auto_update_settings_environment_id_container_name_unique": {
+          "name": "auto_update_settings_environment_id_container_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "environment_id",
+            "container_name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.config_sets": {
+      "name": "config_sets",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env_vars": {
+          "name": "env_vars",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "labels": {
+          "name": "labels",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ports": {
+          "name": "ports",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "volumes": {
+          "name": "volumes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "network_mode": {
+          "name": "network_mode",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'bridge'"
+        },
+        "restart_policy": {
+          "name": "restart_policy",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'no'"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "config_sets_name_unique": {
+          "name": "config_sets_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.container_events": {
+      "name": "container_events",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "container_id": {
+          "name": "container_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "container_name": {
+          "name": "container_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "image": {
+          "name": "image",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "action": {
+          "name": "action",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "actor_attributes": {
+          "name": "actor_attributes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "timestamp": {
+          "name": "timestamp",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "container_events_env_timestamp_idx": {
+          "name": "container_events_env_timestamp_idx",
+          "columns": [
+            {
+              "expression": "environment_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "timestamp",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "container_events_environment_id_environments_id_fk": {
+          "name": "container_events_environment_id_environments_id_fk",
+          "tableFrom": "container_events",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.environment_notifications": {
+      "name": "environment_notifications",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "notification_id": {
+          "name": "notification_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "event_types": {
+          "name": "event_types",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "environment_notifications_environment_id_environments_id_fk": {
+          "name": "environment_notifications_environment_id_environments_id_fk",
+          "tableFrom": "environment_notifications",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "environment_notifications_notification_id_notification_settings_id_fk": {
+          "name": "environment_notifications_notification_id_notification_settings_id_fk",
+          "tableFrom": "environment_notifications",
+          "tableTo": "notification_settings",
+          "columnsFrom": [
+            "notification_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "environment_notifications_environment_id_notification_id_unique": {
+          "name": "environment_notifications_environment_id_notification_id_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "environment_id",
+            "notification_id"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.environments": {
+      "name": "environments",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "host": {
+          "name": "host",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "port": {
+          "name": "port",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 2375
+        },
+        "protocol": {
+          "name": "protocol",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'http'"
+        },
+        "tls_ca": {
+          "name": "tls_ca",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tls_cert": {
+          "name": "tls_cert",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tls_key": {
+          "name": "tls_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tls_skip_verify": {
+          "name": "tls_skip_verify",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "icon": {
+          "name": "icon",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'globe'"
+        },
+        "collect_activity": {
+          "name": "collect_activity",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "collect_metrics": {
+          "name": "collect_metrics",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "highlight_changes": {
+          "name": "highlight_changes",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "labels": {
+          "name": "labels",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "connection_type": {
+          "name": "connection_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'socket'"
+        },
+        "socket_path": {
+          "name": "socket_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'/var/run/docker.sock'"
+        },
+        "hawser_token": {
+          "name": "hawser_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "hawser_last_seen": {
+          "name": "hawser_last_seen",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "hawser_agent_id": {
+          "name": "hawser_agent_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "hawser_agent_name": {
+          "name": "hawser_agent_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "hawser_version": {
+          "name": "hawser_version",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "hawser_capabilities": {
+          "name": "hawser_capabilities",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "environments_name_unique": {
+          "name": "environments_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.git_credentials": {
+      "name": "git_credentials",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "auth_type": {
+          "name": "auth_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'none'"
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ssh_private_key": {
+          "name": "ssh_private_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ssh_passphrase": {
+          "name": "ssh_passphrase",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "git_credentials_name_unique": {
+          "name": "git_credentials_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.git_repositories": {
+      "name": "git_repositories",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "url": {
+          "name": "url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "branch": {
+          "name": "branch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'main'"
+        },
+        "credential_id": {
+          "name": "credential_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "compose_path": {
+          "name": "compose_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'docker-compose.yml'"
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "auto_update": {
+          "name": "auto_update",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "auto_update_schedule": {
+          "name": "auto_update_schedule",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'daily'"
+        },
+        "auto_update_cron": {
+          "name": "auto_update_cron",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'0 3 * * *'"
+        },
+        "webhook_enabled": {
+          "name": "webhook_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "webhook_secret": {
+          "name": "webhook_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_sync": {
+          "name": "last_sync",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_commit": {
+          "name": "last_commit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "sync_status": {
+          "name": "sync_status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'pending'"
+        },
+        "sync_error": {
+          "name": "sync_error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "git_repositories_credential_id_git_credentials_id_fk": {
+          "name": "git_repositories_credential_id_git_credentials_id_fk",
+          "tableFrom": "git_repositories",
+          "tableTo": "git_credentials",
+          "columnsFrom": [
+            "credential_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "git_repositories_name_unique": {
+          "name": "git_repositories_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.git_stacks": {
+      "name": "git_stacks",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "repository_id": {
+          "name": "repository_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "compose_path": {
+          "name": "compose_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'docker-compose.yml'"
+        },
+        "auto_update": {
+          "name": "auto_update",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "auto_update_schedule": {
+          "name": "auto_update_schedule",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'daily'"
+        },
+        "auto_update_cron": {
+          "name": "auto_update_cron",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'0 3 * * *'"
+        },
+        "webhook_enabled": {
+          "name": "webhook_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "webhook_secret": {
+          "name": "webhook_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_sync": {
+          "name": "last_sync",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_commit": {
+          "name": "last_commit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "sync_status": {
+          "name": "sync_status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'pending'"
+        },
+        "sync_error": {
+          "name": "sync_error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "git_stacks_environment_id_environments_id_fk": {
+          "name": "git_stacks_environment_id_environments_id_fk",
+          "tableFrom": "git_stacks",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "git_stacks_repository_id_git_repositories_id_fk": {
+          "name": "git_stacks_repository_id_git_repositories_id_fk",
+          "tableFrom": "git_stacks",
+          "tableTo": "git_repositories",
+          "columnsFrom": [
+            "repository_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "git_stacks_stack_name_environment_id_unique": {
+          "name": "git_stacks_stack_name_environment_id_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "stack_name",
+            "environment_id"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.hawser_tokens": {
+      "name": "hawser_tokens",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "token": {
+          "name": "token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "token_prefix": {
+          "name": "token_prefix",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "last_used": {
+          "name": "last_used",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "hawser_tokens_environment_id_environments_id_fk": {
+          "name": "hawser_tokens_environment_id_environments_id_fk",
+          "tableFrom": "hawser_tokens",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "hawser_tokens_token_unique": {
+          "name": "hawser_tokens_token_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "token"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.host_metrics": {
+      "name": "host_metrics",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpu_percent": {
+          "name": "cpu_percent",
+          "type": "double precision",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "memory_percent": {
+          "name": "memory_percent",
+          "type": "double precision",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "memory_used": {
+          "name": "memory_used",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memory_total": {
+          "name": "memory_total",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "timestamp": {
+          "name": "timestamp",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "host_metrics_env_timestamp_idx": {
+          "name": "host_metrics_env_timestamp_idx",
+          "columns": [
+            {
+              "expression": "environment_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "timestamp",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "host_metrics_environment_id_environments_id_fk": {
+          "name": "host_metrics_environment_id_environments_id_fk",
+          "tableFrom": "host_metrics",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.ldap_config": {
+      "name": "ldap_config",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "server_url": {
+          "name": "server_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "bind_dn": {
+          "name": "bind_dn",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bind_password": {
+          "name": "bind_password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "base_dn": {
+          "name": "base_dn",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_filter": {
+          "name": "user_filter",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'(uid={{username}})'"
+        },
+        "username_attribute": {
+          "name": "username_attribute",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'uid'"
+        },
+        "email_attribute": {
+          "name": "email_attribute",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'mail'"
+        },
+        "display_name_attribute": {
+          "name": "display_name_attribute",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'cn'"
+        },
+        "group_base_dn": {
+          "name": "group_base_dn",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "group_filter": {
+          "name": "group_filter",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "admin_group": {
+          "name": "admin_group",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "role_mappings": {
+          "name": "role_mappings",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tls_enabled": {
+          "name": "tls_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "tls_ca": {
+          "name": "tls_ca",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.notification_settings": {
+      "name": "notification_settings",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "type": {
+          "name": "type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "config": {
+          "name": "config",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "event_types": {
+          "name": "event_types",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.oidc_config": {
+      "name": "oidc_config",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "issuer_url": {
+          "name": "issuer_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "client_id": {
+          "name": "client_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "client_secret": {
+          "name": "client_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "redirect_uri": {
+          "name": "redirect_uri",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "scopes": {
+          "name": "scopes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'openid profile email'"
+        },
+        "username_claim": {
+          "name": "username_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'preferred_username'"
+        },
+        "email_claim": {
+          "name": "email_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'email'"
+        },
+        "display_name_claim": {
+          "name": "display_name_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'name'"
+        },
+        "admin_claim": {
+          "name": "admin_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "admin_value": {
+          "name": "admin_value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "role_mappings_claim": {
+          "name": "role_mappings_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'groups'"
+        },
+        "role_mappings": {
+          "name": "role_mappings",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.registries": {
+      "name": "registries",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "url": {
+          "name": "url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_default": {
+          "name": "is_default",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "registries_name_unique": {
+          "name": "registries_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.roles": {
+      "name": "roles",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_system": {
+          "name": "is_system",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "permissions": {
+          "name": "permissions",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_ids": {
+          "name": "environment_ids",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "roles_name_unique": {
+          "name": "roles_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.schedule_executions": {
+      "name": "schedule_executions",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "schedule_type": {
+          "name": "schedule_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "schedule_id": {
+          "name": "schedule_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "entity_name": {
+          "name": "entity_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "triggered_by": {
+          "name": "triggered_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "triggered_at": {
+          "name": "triggered_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "started_at": {
+          "name": "started_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "completed_at": {
+          "name": "completed_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "duration": {
+          "name": "duration",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "status": {
+          "name": "status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "error_message": {
+          "name": "error_message",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "details": {
+          "name": "details",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "logs": {
+          "name": "logs",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "schedule_executions_type_id_idx": {
+          "name": "schedule_executions_type_id_idx",
+          "columns": [
+            {
+              "expression": "schedule_type",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "schedule_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "schedule_executions_environment_id_environments_id_fk": {
+          "name": "schedule_executions_environment_id_environments_id_fk",
+          "tableFrom": "schedule_executions",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.sessions": {
+      "name": "sessions",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "provider": {
+          "name": "provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "sessions_user_id_idx": {
+          "name": "sessions_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "sessions_expires_at_idx": {
+          "name": "sessions_expires_at_idx",
+          "columns": [
+            {
+              "expression": "expires_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "sessions_user_id_users_id_fk": {
+          "name": "sessions_user_id_users_id_fk",
+          "tableFrom": "sessions",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.settings": {
+      "name": "settings",
+      "schema": "",
+      "columns": {
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.stack_events": {
+      "name": "stack_events",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "event_type": {
+          "name": "event_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "timestamp": {
+          "name": "timestamp",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "stack_events_environment_id_environments_id_fk": {
+          "name": "stack_events_environment_id_environments_id_fk",
+          "tableFrom": "stack_events",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.stack_sources": {
+      "name": "stack_sources",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "source_type": {
+          "name": "source_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'internal'"
+        },
+        "git_repository_id": {
+          "name": "git_repository_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "git_stack_id": {
+          "name": "git_stack_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "stack_sources_environment_id_environments_id_fk": {
+          "name": "stack_sources_environment_id_environments_id_fk",
+          "tableFrom": "stack_sources",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "stack_sources_git_repository_id_git_repositories_id_fk": {
+          "name": "stack_sources_git_repository_id_git_repositories_id_fk",
+          "tableFrom": "stack_sources",
+          "tableTo": "git_repositories",
+          "columnsFrom": [
+            "git_repository_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "stack_sources_git_stack_id_git_stacks_id_fk": {
+          "name": "stack_sources_git_stack_id_git_stacks_id_fk",
+          "tableFrom": "stack_sources",
+          "tableTo": "git_stacks",
+          "columnsFrom": [
+            "git_stack_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "stack_sources_stack_name_environment_id_unique": {
+          "name": "stack_sources_stack_name_environment_id_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "stack_name",
+            "environment_id"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.user_preferences": {
+      "name": "user_preferences",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "user_preferences_user_id_users_id_fk": {
+          "name": "user_preferences_user_id_users_id_fk",
+          "tableFrom": "user_preferences",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "user_preferences_environment_id_environments_id_fk": {
+          "name": "user_preferences_environment_id_environments_id_fk",
+          "tableFrom": "user_preferences",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "user_preferences_user_id_environment_id_key_unique": {
+          "name": "user_preferences_user_id_environment_id_key_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "user_id",
+            "environment_id",
+            "key"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.user_roles": {
+      "name": "user_roles",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role_id": {
+          "name": "role_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "user_roles_user_id_users_id_fk": {
+          "name": "user_roles_user_id_users_id_fk",
+          "tableFrom": "user_roles",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "user_roles_role_id_roles_id_fk": {
+          "name": "user_roles_role_id_roles_id_fk",
+          "tableFrom": "user_roles",
+          "tableTo": "roles",
+          "columnsFrom": [
+            "role_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "user_roles_environment_id_environments_id_fk": {
+          "name": "user_roles_environment_id_environments_id_fk",
+          "tableFrom": "user_roles",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "user_roles_user_id_role_id_environment_id_unique": {
+          "name": "user_roles_user_id_role_id_environment_id_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "user_id",
+            "role_id",
+            "environment_id"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.users": {
+      "name": "users",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "password_hash": {
+          "name": "password_hash",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "display_name": {
+          "name": "display_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "avatar": {
+          "name": "avatar",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "auth_provider": {
+          "name": "auth_provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'local'"
+        },
+        "mfa_enabled": {
+          "name": "mfa_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "mfa_secret": {
+          "name": "mfa_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "last_login": {
+          "name": "last_login",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "users_username_unique": {
+          "name": "users_username_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "username"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.vulnerability_scans": {
+      "name": "vulnerability_scans",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "image_id": {
+          "name": "image_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "image_name": {
+          "name": "image_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "scanner": {
+          "name": "scanner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "scanned_at": {
+          "name": "scanned_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "scan_duration": {
+          "name": "scan_duration",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "critical_count": {
+          "name": "critical_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "high_count": {
+          "name": "high_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "medium_count": {
+          "name": "medium_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "low_count": {
+          "name": "low_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "negligible_count": {
+          "name": "negligible_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "unknown_count": {
+          "name": "unknown_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "vulnerabilities": {
+          "name": "vulnerabilities",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "error": {
+          "name": "error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "vulnerability_scans_env_image_idx": {
+          "name": "vulnerability_scans_env_image_idx",
+          "columns": [
+            {
+              "expression": "environment_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "image_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "vulnerability_scans_environment_id_environments_id_fk": {
+          "name": "vulnerability_scans_environment_id_environments_id_fk",
+          "tableFrom": "vulnerability_scans",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    }
+  },
+  "enums": {},
+  "schemas": {},
+  "sequences": {},
+  "roles": {},
+  "policies": {},
+  "views": {},
+  "_meta": {
+    "columns": {},
+    "schemas": {},
+    "tables": {}
+  }
+}
\ No newline at end of file
diff --git a/drizzle-pg/meta/0001_snapshot.json b/drizzle-pg/meta/0001_snapshot.json
new file mode 100644
index 0000000..c972fe5
--- /dev/null
+++ b/drizzle-pg/meta/0001_snapshot.json
@@ -0,0 +1,2803 @@
+{
+  "id": "31d336d0-689e-4403-b49e-308e13df0014",
+  "prevId": "50905243-3288-41de-8cef-87b4e546d7cd",
+  "version": "7",
+  "dialect": "postgresql",
+  "tables": {
+    "public.audit_logs": {
+      "name": "audit_logs",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "action": {
+          "name": "action",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "entity_type": {
+          "name": "entity_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "entity_id": {
+          "name": "entity_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "entity_name": {
+          "name": "entity_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "details": {
+          "name": "details",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ip_address": {
+          "name": "ip_address",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_agent": {
+          "name": "user_agent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "audit_logs_user_id_idx": {
+          "name": "audit_logs_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "audit_logs_created_at_idx": {
+          "name": "audit_logs_created_at_idx",
+          "columns": [
+            {
+              "expression": "created_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "audit_logs_user_id_users_id_fk": {
+          "name": "audit_logs_user_id_users_id_fk",
+          "tableFrom": "audit_logs",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "audit_logs_environment_id_environments_id_fk": {
+          "name": "audit_logs_environment_id_environments_id_fk",
+          "tableFrom": "audit_logs",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.auth_settings": {
+      "name": "auth_settings",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "auth_enabled": {
+          "name": "auth_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "default_provider": {
+          "name": "default_provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'local'"
+        },
+        "session_timeout": {
+          "name": "session_timeout",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 86400
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.auto_update_settings": {
+      "name": "auto_update_settings",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "container_name": {
+          "name": "container_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "schedule_type": {
+          "name": "schedule_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'daily'"
+        },
+        "cron_expression": {
+          "name": "cron_expression",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "vulnerability_criteria": {
+          "name": "vulnerability_criteria",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'never'"
+        },
+        "last_checked": {
+          "name": "last_checked",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_updated": {
+          "name": "last_updated",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "auto_update_settings_environment_id_environments_id_fk": {
+          "name": "auto_update_settings_environment_id_environments_id_fk",
+          "tableFrom": "auto_update_settings",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "no action",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "auto_update_settings_environment_id_container_name_unique": {
+          "name": "auto_update_settings_environment_id_container_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "environment_id",
+            "container_name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.config_sets": {
+      "name": "config_sets",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env_vars": {
+          "name": "env_vars",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "labels": {
+          "name": "labels",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ports": {
+          "name": "ports",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "volumes": {
+          "name": "volumes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "network_mode": {
+          "name": "network_mode",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'bridge'"
+        },
+        "restart_policy": {
+          "name": "restart_policy",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'no'"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "config_sets_name_unique": {
+          "name": "config_sets_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.container_events": {
+      "name": "container_events",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "container_id": {
+          "name": "container_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "container_name": {
+          "name": "container_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "image": {
+          "name": "image",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "action": {
+          "name": "action",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "actor_attributes": {
+          "name": "actor_attributes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "timestamp": {
+          "name": "timestamp",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "container_events_env_timestamp_idx": {
+          "name": "container_events_env_timestamp_idx",
+          "columns": [
+            {
+              "expression": "environment_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "timestamp",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "container_events_environment_id_environments_id_fk": {
+          "name": "container_events_environment_id_environments_id_fk",
+          "tableFrom": "container_events",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.environment_notifications": {
+      "name": "environment_notifications",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "notification_id": {
+          "name": "notification_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "event_types": {
+          "name": "event_types",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "environment_notifications_environment_id_environments_id_fk": {
+          "name": "environment_notifications_environment_id_environments_id_fk",
+          "tableFrom": "environment_notifications",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "environment_notifications_notification_id_notification_settings_id_fk": {
+          "name": "environment_notifications_notification_id_notification_settings_id_fk",
+          "tableFrom": "environment_notifications",
+          "tableTo": "notification_settings",
+          "columnsFrom": [
+            "notification_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "environment_notifications_environment_id_notification_id_unique": {
+          "name": "environment_notifications_environment_id_notification_id_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "environment_id",
+            "notification_id"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.environments": {
+      "name": "environments",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "host": {
+          "name": "host",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "port": {
+          "name": "port",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 2375
+        },
+        "protocol": {
+          "name": "protocol",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'http'"
+        },
+        "tls_ca": {
+          "name": "tls_ca",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tls_cert": {
+          "name": "tls_cert",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tls_key": {
+          "name": "tls_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tls_skip_verify": {
+          "name": "tls_skip_verify",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "icon": {
+          "name": "icon",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'globe'"
+        },
+        "collect_activity": {
+          "name": "collect_activity",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "collect_metrics": {
+          "name": "collect_metrics",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "highlight_changes": {
+          "name": "highlight_changes",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "labels": {
+          "name": "labels",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "connection_type": {
+          "name": "connection_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'socket'"
+        },
+        "socket_path": {
+          "name": "socket_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'/var/run/docker.sock'"
+        },
+        "hawser_token": {
+          "name": "hawser_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "hawser_last_seen": {
+          "name": "hawser_last_seen",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "hawser_agent_id": {
+          "name": "hawser_agent_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "hawser_agent_name": {
+          "name": "hawser_agent_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "hawser_version": {
+          "name": "hawser_version",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "hawser_capabilities": {
+          "name": "hawser_capabilities",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "environments_name_unique": {
+          "name": "environments_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.git_credentials": {
+      "name": "git_credentials",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "auth_type": {
+          "name": "auth_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'none'"
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ssh_private_key": {
+          "name": "ssh_private_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ssh_passphrase": {
+          "name": "ssh_passphrase",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "git_credentials_name_unique": {
+          "name": "git_credentials_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.git_repositories": {
+      "name": "git_repositories",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "url": {
+          "name": "url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "branch": {
+          "name": "branch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'main'"
+        },
+        "credential_id": {
+          "name": "credential_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "compose_path": {
+          "name": "compose_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'docker-compose.yml'"
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "auto_update": {
+          "name": "auto_update",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "auto_update_schedule": {
+          "name": "auto_update_schedule",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'daily'"
+        },
+        "auto_update_cron": {
+          "name": "auto_update_cron",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'0 3 * * *'"
+        },
+        "webhook_enabled": {
+          "name": "webhook_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "webhook_secret": {
+          "name": "webhook_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_sync": {
+          "name": "last_sync",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_commit": {
+          "name": "last_commit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "sync_status": {
+          "name": "sync_status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'pending'"
+        },
+        "sync_error": {
+          "name": "sync_error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "git_repositories_credential_id_git_credentials_id_fk": {
+          "name": "git_repositories_credential_id_git_credentials_id_fk",
+          "tableFrom": "git_repositories",
+          "tableTo": "git_credentials",
+          "columnsFrom": [
+            "credential_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "git_repositories_name_unique": {
+          "name": "git_repositories_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.git_stacks": {
+      "name": "git_stacks",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "repository_id": {
+          "name": "repository_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "compose_path": {
+          "name": "compose_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'docker-compose.yml'"
+        },
+        "env_file_path": {
+          "name": "env_file_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "auto_update": {
+          "name": "auto_update",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "auto_update_schedule": {
+          "name": "auto_update_schedule",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'daily'"
+        },
+        "auto_update_cron": {
+          "name": "auto_update_cron",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'0 3 * * *'"
+        },
+        "webhook_enabled": {
+          "name": "webhook_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "webhook_secret": {
+          "name": "webhook_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_sync": {
+          "name": "last_sync",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_commit": {
+          "name": "last_commit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "sync_status": {
+          "name": "sync_status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'pending'"
+        },
+        "sync_error": {
+          "name": "sync_error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "git_stacks_environment_id_environments_id_fk": {
+          "name": "git_stacks_environment_id_environments_id_fk",
+          "tableFrom": "git_stacks",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "git_stacks_repository_id_git_repositories_id_fk": {
+          "name": "git_stacks_repository_id_git_repositories_id_fk",
+          "tableFrom": "git_stacks",
+          "tableTo": "git_repositories",
+          "columnsFrom": [
+            "repository_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "git_stacks_stack_name_environment_id_unique": {
+          "name": "git_stacks_stack_name_environment_id_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "stack_name",
+            "environment_id"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.hawser_tokens": {
+      "name": "hawser_tokens",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "token": {
+          "name": "token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "token_prefix": {
+          "name": "token_prefix",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "last_used": {
+          "name": "last_used",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "hawser_tokens_environment_id_environments_id_fk": {
+          "name": "hawser_tokens_environment_id_environments_id_fk",
+          "tableFrom": "hawser_tokens",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "hawser_tokens_token_unique": {
+          "name": "hawser_tokens_token_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "token"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.host_metrics": {
+      "name": "host_metrics",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpu_percent": {
+          "name": "cpu_percent",
+          "type": "double precision",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "memory_percent": {
+          "name": "memory_percent",
+          "type": "double precision",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "memory_used": {
+          "name": "memory_used",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memory_total": {
+          "name": "memory_total",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "timestamp": {
+          "name": "timestamp",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "host_metrics_env_timestamp_idx": {
+          "name": "host_metrics_env_timestamp_idx",
+          "columns": [
+            {
+              "expression": "environment_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "timestamp",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "host_metrics_environment_id_environments_id_fk": {
+          "name": "host_metrics_environment_id_environments_id_fk",
+          "tableFrom": "host_metrics",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.ldap_config": {
+      "name": "ldap_config",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "server_url": {
+          "name": "server_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "bind_dn": {
+          "name": "bind_dn",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bind_password": {
+          "name": "bind_password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "base_dn": {
+          "name": "base_dn",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_filter": {
+          "name": "user_filter",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'(uid={{username}})'"
+        },
+        "username_attribute": {
+          "name": "username_attribute",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'uid'"
+        },
+        "email_attribute": {
+          "name": "email_attribute",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'mail'"
+        },
+        "display_name_attribute": {
+          "name": "display_name_attribute",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'cn'"
+        },
+        "group_base_dn": {
+          "name": "group_base_dn",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "group_filter": {
+          "name": "group_filter",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "admin_group": {
+          "name": "admin_group",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "role_mappings": {
+          "name": "role_mappings",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tls_enabled": {
+          "name": "tls_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "tls_ca": {
+          "name": "tls_ca",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.notification_settings": {
+      "name": "notification_settings",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "type": {
+          "name": "type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "config": {
+          "name": "config",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "event_types": {
+          "name": "event_types",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.oidc_config": {
+      "name": "oidc_config",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "issuer_url": {
+          "name": "issuer_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "client_id": {
+          "name": "client_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "client_secret": {
+          "name": "client_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "redirect_uri": {
+          "name": "redirect_uri",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "scopes": {
+          "name": "scopes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'openid profile email'"
+        },
+        "username_claim": {
+          "name": "username_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'preferred_username'"
+        },
+        "email_claim": {
+          "name": "email_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'email'"
+        },
+        "display_name_claim": {
+          "name": "display_name_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'name'"
+        },
+        "admin_claim": {
+          "name": "admin_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "admin_value": {
+          "name": "admin_value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "role_mappings_claim": {
+          "name": "role_mappings_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'groups'"
+        },
+        "role_mappings": {
+          "name": "role_mappings",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.registries": {
+      "name": "registries",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "url": {
+          "name": "url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_default": {
+          "name": "is_default",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "registries_name_unique": {
+          "name": "registries_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.roles": {
+      "name": "roles",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_system": {
+          "name": "is_system",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "permissions": {
+          "name": "permissions",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_ids": {
+          "name": "environment_ids",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "roles_name_unique": {
+          "name": "roles_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.schedule_executions": {
+      "name": "schedule_executions",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "schedule_type": {
+          "name": "schedule_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "schedule_id": {
+          "name": "schedule_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "entity_name": {
+          "name": "entity_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "triggered_by": {
+          "name": "triggered_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "triggered_at": {
+          "name": "triggered_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "started_at": {
+          "name": "started_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "completed_at": {
+          "name": "completed_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "duration": {
+          "name": "duration",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "status": {
+          "name": "status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "error_message": {
+          "name": "error_message",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "details": {
+          "name": "details",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "logs": {
+          "name": "logs",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "schedule_executions_type_id_idx": {
+          "name": "schedule_executions_type_id_idx",
+          "columns": [
+            {
+              "expression": "schedule_type",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "schedule_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "schedule_executions_environment_id_environments_id_fk": {
+          "name": "schedule_executions_environment_id_environments_id_fk",
+          "tableFrom": "schedule_executions",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.sessions": {
+      "name": "sessions",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "provider": {
+          "name": "provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "sessions_user_id_idx": {
+          "name": "sessions_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "sessions_expires_at_idx": {
+          "name": "sessions_expires_at_idx",
+          "columns": [
+            {
+              "expression": "expires_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "sessions_user_id_users_id_fk": {
+          "name": "sessions_user_id_users_id_fk",
+          "tableFrom": "sessions",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.settings": {
+      "name": "settings",
+      "schema": "",
+      "columns": {
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.stack_environment_variables": {
+      "name": "stack_environment_variables",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "is_secret": {
+          "name": "is_secret",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "stack_environment_variables_environment_id_environments_id_fk": {
+          "name": "stack_environment_variables_environment_id_environments_id_fk",
+          "tableFrom": "stack_environment_variables",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "stack_environment_variables_stack_name_environment_id_key_unique": {
+          "name": "stack_environment_variables_stack_name_environment_id_key_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "stack_name",
+            "environment_id",
+            "key"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.stack_events": {
+      "name": "stack_events",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "event_type": {
+          "name": "event_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "timestamp": {
+          "name": "timestamp",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "stack_events_environment_id_environments_id_fk": {
+          "name": "stack_events_environment_id_environments_id_fk",
+          "tableFrom": "stack_events",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.stack_sources": {
+      "name": "stack_sources",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "source_type": {
+          "name": "source_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'internal'"
+        },
+        "git_repository_id": {
+          "name": "git_repository_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "git_stack_id": {
+          "name": "git_stack_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "stack_sources_environment_id_environments_id_fk": {
+          "name": "stack_sources_environment_id_environments_id_fk",
+          "tableFrom": "stack_sources",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "stack_sources_git_repository_id_git_repositories_id_fk": {
+          "name": "stack_sources_git_repository_id_git_repositories_id_fk",
+          "tableFrom": "stack_sources",
+          "tableTo": "git_repositories",
+          "columnsFrom": [
+            "git_repository_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "stack_sources_git_stack_id_git_stacks_id_fk": {
+          "name": "stack_sources_git_stack_id_git_stacks_id_fk",
+          "tableFrom": "stack_sources",
+          "tableTo": "git_stacks",
+          "columnsFrom": [
+            "git_stack_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "stack_sources_stack_name_environment_id_unique": {
+          "name": "stack_sources_stack_name_environment_id_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "stack_name",
+            "environment_id"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.user_preferences": {
+      "name": "user_preferences",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "user_preferences_user_id_users_id_fk": {
+          "name": "user_preferences_user_id_users_id_fk",
+          "tableFrom": "user_preferences",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "user_preferences_environment_id_environments_id_fk": {
+          "name": "user_preferences_environment_id_environments_id_fk",
+          "tableFrom": "user_preferences",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "user_preferences_user_id_environment_id_key_unique": {
+          "name": "user_preferences_user_id_environment_id_key_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "user_id",
+            "environment_id",
+            "key"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.user_roles": {
+      "name": "user_roles",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role_id": {
+          "name": "role_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "user_roles_user_id_users_id_fk": {
+          "name": "user_roles_user_id_users_id_fk",
+          "tableFrom": "user_roles",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "user_roles_role_id_roles_id_fk": {
+          "name": "user_roles_role_id_roles_id_fk",
+          "tableFrom": "user_roles",
+          "tableTo": "roles",
+          "columnsFrom": [
+            "role_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "user_roles_environment_id_environments_id_fk": {
+          "name": "user_roles_environment_id_environments_id_fk",
+          "tableFrom": "user_roles",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "user_roles_user_id_role_id_environment_id_unique": {
+          "name": "user_roles_user_id_role_id_environment_id_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "user_id",
+            "role_id",
+            "environment_id"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.users": {
+      "name": "users",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "password_hash": {
+          "name": "password_hash",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "display_name": {
+          "name": "display_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "avatar": {
+          "name": "avatar",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "auth_provider": {
+          "name": "auth_provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'local'"
+        },
+        "mfa_enabled": {
+          "name": "mfa_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "mfa_secret": {
+          "name": "mfa_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "last_login": {
+          "name": "last_login",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "users_username_unique": {
+          "name": "users_username_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "username"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.vulnerability_scans": {
+      "name": "vulnerability_scans",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "image_id": {
+          "name": "image_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "image_name": {
+          "name": "image_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "scanner": {
+          "name": "scanner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "scanned_at": {
+          "name": "scanned_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "scan_duration": {
+          "name": "scan_duration",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "critical_count": {
+          "name": "critical_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "high_count": {
+          "name": "high_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "medium_count": {
+          "name": "medium_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "low_count": {
+          "name": "low_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "negligible_count": {
+          "name": "negligible_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "unknown_count": {
+          "name": "unknown_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "vulnerabilities": {
+          "name": "vulnerabilities",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "error": {
+          "name": "error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "vulnerability_scans_env_image_idx": {
+          "name": "vulnerability_scans_env_image_idx",
+          "columns": [
+            {
+              "expression": "environment_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "image_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "vulnerability_scans_environment_id_environments_id_fk": {
+          "name": "vulnerability_scans_environment_id_environments_id_fk",
+          "tableFrom": "vulnerability_scans",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    }
+  },
+  "enums": {},
+  "schemas": {},
+  "sequences": {},
+  "roles": {},
+  "policies": {},
+  "views": {},
+  "_meta": {
+    "columns": {},
+    "schemas": {},
+    "tables": {}
+  }
+}
\ No newline at end of file
diff --git a/drizzle-pg/meta/0002_snapshot.json b/drizzle-pg/meta/0002_snapshot.json
new file mode 100644
index 0000000..209f367
--- /dev/null
+++ b/drizzle-pg/meta/0002_snapshot.json
@@ -0,0 +1,2883 @@
+{
+  "id": "eef8322a-0ccc-418c-b0f6-f51972a1850e",
+  "prevId": "31d336d0-689e-4403-b49e-308e13df0014",
+  "version": "7",
+  "dialect": "postgresql",
+  "tables": {
+    "public.audit_logs": {
+      "name": "audit_logs",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "action": {
+          "name": "action",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "entity_type": {
+          "name": "entity_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "entity_id": {
+          "name": "entity_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "entity_name": {
+          "name": "entity_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "details": {
+          "name": "details",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ip_address": {
+          "name": "ip_address",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_agent": {
+          "name": "user_agent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "audit_logs_user_id_idx": {
+          "name": "audit_logs_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "audit_logs_created_at_idx": {
+          "name": "audit_logs_created_at_idx",
+          "columns": [
+            {
+              "expression": "created_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "audit_logs_user_id_users_id_fk": {
+          "name": "audit_logs_user_id_users_id_fk",
+          "tableFrom": "audit_logs",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "audit_logs_environment_id_environments_id_fk": {
+          "name": "audit_logs_environment_id_environments_id_fk",
+          "tableFrom": "audit_logs",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.auth_settings": {
+      "name": "auth_settings",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "auth_enabled": {
+          "name": "auth_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "default_provider": {
+          "name": "default_provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'local'"
+        },
+        "session_timeout": {
+          "name": "session_timeout",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 86400
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.auto_update_settings": {
+      "name": "auto_update_settings",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "container_name": {
+          "name": "container_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "schedule_type": {
+          "name": "schedule_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'daily'"
+        },
+        "cron_expression": {
+          "name": "cron_expression",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "vulnerability_criteria": {
+          "name": "vulnerability_criteria",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'never'"
+        },
+        "last_checked": {
+          "name": "last_checked",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_updated": {
+          "name": "last_updated",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "auto_update_settings_environment_id_environments_id_fk": {
+          "name": "auto_update_settings_environment_id_environments_id_fk",
+          "tableFrom": "auto_update_settings",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "no action",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "auto_update_settings_environment_id_container_name_unique": {
+          "name": "auto_update_settings_environment_id_container_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "environment_id",
+            "container_name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.config_sets": {
+      "name": "config_sets",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env_vars": {
+          "name": "env_vars",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "labels": {
+          "name": "labels",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ports": {
+          "name": "ports",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "volumes": {
+          "name": "volumes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "network_mode": {
+          "name": "network_mode",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'bridge'"
+        },
+        "restart_policy": {
+          "name": "restart_policy",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'no'"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "config_sets_name_unique": {
+          "name": "config_sets_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.container_events": {
+      "name": "container_events",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "container_id": {
+          "name": "container_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "container_name": {
+          "name": "container_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "image": {
+          "name": "image",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "action": {
+          "name": "action",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "actor_attributes": {
+          "name": "actor_attributes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "timestamp": {
+          "name": "timestamp",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "container_events_env_timestamp_idx": {
+          "name": "container_events_env_timestamp_idx",
+          "columns": [
+            {
+              "expression": "environment_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "timestamp",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "container_events_environment_id_environments_id_fk": {
+          "name": "container_events_environment_id_environments_id_fk",
+          "tableFrom": "container_events",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.environment_notifications": {
+      "name": "environment_notifications",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "notification_id": {
+          "name": "notification_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "event_types": {
+          "name": "event_types",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "environment_notifications_environment_id_environments_id_fk": {
+          "name": "environment_notifications_environment_id_environments_id_fk",
+          "tableFrom": "environment_notifications",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "environment_notifications_notification_id_notification_settings_id_fk": {
+          "name": "environment_notifications_notification_id_notification_settings_id_fk",
+          "tableFrom": "environment_notifications",
+          "tableTo": "notification_settings",
+          "columnsFrom": [
+            "notification_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "environment_notifications_environment_id_notification_id_unique": {
+          "name": "environment_notifications_environment_id_notification_id_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "environment_id",
+            "notification_id"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.environments": {
+      "name": "environments",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "host": {
+          "name": "host",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "port": {
+          "name": "port",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 2375
+        },
+        "protocol": {
+          "name": "protocol",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'http'"
+        },
+        "tls_ca": {
+          "name": "tls_ca",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tls_cert": {
+          "name": "tls_cert",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tls_key": {
+          "name": "tls_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tls_skip_verify": {
+          "name": "tls_skip_verify",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "icon": {
+          "name": "icon",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'globe'"
+        },
+        "collect_activity": {
+          "name": "collect_activity",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "collect_metrics": {
+          "name": "collect_metrics",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "highlight_changes": {
+          "name": "highlight_changes",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "labels": {
+          "name": "labels",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "connection_type": {
+          "name": "connection_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'socket'"
+        },
+        "socket_path": {
+          "name": "socket_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'/var/run/docker.sock'"
+        },
+        "hawser_token": {
+          "name": "hawser_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "hawser_last_seen": {
+          "name": "hawser_last_seen",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "hawser_agent_id": {
+          "name": "hawser_agent_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "hawser_agent_name": {
+          "name": "hawser_agent_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "hawser_version": {
+          "name": "hawser_version",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "hawser_capabilities": {
+          "name": "hawser_capabilities",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "environments_name_unique": {
+          "name": "environments_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.git_credentials": {
+      "name": "git_credentials",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "auth_type": {
+          "name": "auth_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'none'"
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ssh_private_key": {
+          "name": "ssh_private_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ssh_passphrase": {
+          "name": "ssh_passphrase",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "git_credentials_name_unique": {
+          "name": "git_credentials_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.git_repositories": {
+      "name": "git_repositories",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "url": {
+          "name": "url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "branch": {
+          "name": "branch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'main'"
+        },
+        "credential_id": {
+          "name": "credential_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "compose_path": {
+          "name": "compose_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'docker-compose.yml'"
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "auto_update": {
+          "name": "auto_update",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "auto_update_schedule": {
+          "name": "auto_update_schedule",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'daily'"
+        },
+        "auto_update_cron": {
+          "name": "auto_update_cron",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'0 3 * * *'"
+        },
+        "webhook_enabled": {
+          "name": "webhook_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "webhook_secret": {
+          "name": "webhook_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_sync": {
+          "name": "last_sync",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_commit": {
+          "name": "last_commit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "sync_status": {
+          "name": "sync_status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'pending'"
+        },
+        "sync_error": {
+          "name": "sync_error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "git_repositories_credential_id_git_credentials_id_fk": {
+          "name": "git_repositories_credential_id_git_credentials_id_fk",
+          "tableFrom": "git_repositories",
+          "tableTo": "git_credentials",
+          "columnsFrom": [
+            "credential_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "git_repositories_name_unique": {
+          "name": "git_repositories_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.git_stacks": {
+      "name": "git_stacks",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "repository_id": {
+          "name": "repository_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "compose_path": {
+          "name": "compose_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'docker-compose.yml'"
+        },
+        "env_file_path": {
+          "name": "env_file_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "auto_update": {
+          "name": "auto_update",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "auto_update_schedule": {
+          "name": "auto_update_schedule",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'daily'"
+        },
+        "auto_update_cron": {
+          "name": "auto_update_cron",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'0 3 * * *'"
+        },
+        "webhook_enabled": {
+          "name": "webhook_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "webhook_secret": {
+          "name": "webhook_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_sync": {
+          "name": "last_sync",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_commit": {
+          "name": "last_commit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "sync_status": {
+          "name": "sync_status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'pending'"
+        },
+        "sync_error": {
+          "name": "sync_error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "git_stacks_environment_id_environments_id_fk": {
+          "name": "git_stacks_environment_id_environments_id_fk",
+          "tableFrom": "git_stacks",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "git_stacks_repository_id_git_repositories_id_fk": {
+          "name": "git_stacks_repository_id_git_repositories_id_fk",
+          "tableFrom": "git_stacks",
+          "tableTo": "git_repositories",
+          "columnsFrom": [
+            "repository_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "git_stacks_stack_name_environment_id_unique": {
+          "name": "git_stacks_stack_name_environment_id_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "stack_name",
+            "environment_id"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.hawser_tokens": {
+      "name": "hawser_tokens",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "token": {
+          "name": "token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "token_prefix": {
+          "name": "token_prefix",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "last_used": {
+          "name": "last_used",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "hawser_tokens_environment_id_environments_id_fk": {
+          "name": "hawser_tokens_environment_id_environments_id_fk",
+          "tableFrom": "hawser_tokens",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "hawser_tokens_token_unique": {
+          "name": "hawser_tokens_token_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "token"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.host_metrics": {
+      "name": "host_metrics",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpu_percent": {
+          "name": "cpu_percent",
+          "type": "double precision",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "memory_percent": {
+          "name": "memory_percent",
+          "type": "double precision",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "memory_used": {
+          "name": "memory_used",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memory_total": {
+          "name": "memory_total",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "timestamp": {
+          "name": "timestamp",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "host_metrics_env_timestamp_idx": {
+          "name": "host_metrics_env_timestamp_idx",
+          "columns": [
+            {
+              "expression": "environment_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "timestamp",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "host_metrics_environment_id_environments_id_fk": {
+          "name": "host_metrics_environment_id_environments_id_fk",
+          "tableFrom": "host_metrics",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.ldap_config": {
+      "name": "ldap_config",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "server_url": {
+          "name": "server_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "bind_dn": {
+          "name": "bind_dn",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bind_password": {
+          "name": "bind_password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "base_dn": {
+          "name": "base_dn",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_filter": {
+          "name": "user_filter",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'(uid={{username}})'"
+        },
+        "username_attribute": {
+          "name": "username_attribute",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'uid'"
+        },
+        "email_attribute": {
+          "name": "email_attribute",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'mail'"
+        },
+        "display_name_attribute": {
+          "name": "display_name_attribute",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'cn'"
+        },
+        "group_base_dn": {
+          "name": "group_base_dn",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "group_filter": {
+          "name": "group_filter",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "admin_group": {
+          "name": "admin_group",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "role_mappings": {
+          "name": "role_mappings",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tls_enabled": {
+          "name": "tls_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "tls_ca": {
+          "name": "tls_ca",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.notification_settings": {
+      "name": "notification_settings",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "type": {
+          "name": "type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "config": {
+          "name": "config",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "event_types": {
+          "name": "event_types",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.oidc_config": {
+      "name": "oidc_config",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "issuer_url": {
+          "name": "issuer_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "client_id": {
+          "name": "client_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "client_secret": {
+          "name": "client_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "redirect_uri": {
+          "name": "redirect_uri",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "scopes": {
+          "name": "scopes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'openid profile email'"
+        },
+        "username_claim": {
+          "name": "username_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'preferred_username'"
+        },
+        "email_claim": {
+          "name": "email_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'email'"
+        },
+        "display_name_claim": {
+          "name": "display_name_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'name'"
+        },
+        "admin_claim": {
+          "name": "admin_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "admin_value": {
+          "name": "admin_value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "role_mappings_claim": {
+          "name": "role_mappings_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'groups'"
+        },
+        "role_mappings": {
+          "name": "role_mappings",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.pending_container_updates": {
+      "name": "pending_container_updates",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "container_id": {
+          "name": "container_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "container_name": {
+          "name": "container_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "current_image": {
+          "name": "current_image",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "checked_at": {
+          "name": "checked_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "pending_container_updates_environment_id_environments_id_fk": {
+          "name": "pending_container_updates_environment_id_environments_id_fk",
+          "tableFrom": "pending_container_updates",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "pending_container_updates_environment_id_container_id_unique": {
+          "name": "pending_container_updates_environment_id_container_id_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "environment_id",
+            "container_id"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.registries": {
+      "name": "registries",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "url": {
+          "name": "url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_default": {
+          "name": "is_default",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "registries_name_unique": {
+          "name": "registries_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.roles": {
+      "name": "roles",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_system": {
+          "name": "is_system",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "permissions": {
+          "name": "permissions",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_ids": {
+          "name": "environment_ids",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "roles_name_unique": {
+          "name": "roles_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.schedule_executions": {
+      "name": "schedule_executions",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "schedule_type": {
+          "name": "schedule_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "schedule_id": {
+          "name": "schedule_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "entity_name": {
+          "name": "entity_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "triggered_by": {
+          "name": "triggered_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "triggered_at": {
+          "name": "triggered_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "started_at": {
+          "name": "started_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "completed_at": {
+          "name": "completed_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "duration": {
+          "name": "duration",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "status": {
+          "name": "status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "error_message": {
+          "name": "error_message",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "details": {
+          "name": "details",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "logs": {
+          "name": "logs",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "schedule_executions_type_id_idx": {
+          "name": "schedule_executions_type_id_idx",
+          "columns": [
+            {
+              "expression": "schedule_type",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "schedule_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "schedule_executions_environment_id_environments_id_fk": {
+          "name": "schedule_executions_environment_id_environments_id_fk",
+          "tableFrom": "schedule_executions",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.sessions": {
+      "name": "sessions",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "provider": {
+          "name": "provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "sessions_user_id_idx": {
+          "name": "sessions_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "sessions_expires_at_idx": {
+          "name": "sessions_expires_at_idx",
+          "columns": [
+            {
+              "expression": "expires_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "sessions_user_id_users_id_fk": {
+          "name": "sessions_user_id_users_id_fk",
+          "tableFrom": "sessions",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.settings": {
+      "name": "settings",
+      "schema": "",
+      "columns": {
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.stack_environment_variables": {
+      "name": "stack_environment_variables",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "is_secret": {
+          "name": "is_secret",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "stack_environment_variables_environment_id_environments_id_fk": {
+          "name": "stack_environment_variables_environment_id_environments_id_fk",
+          "tableFrom": "stack_environment_variables",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "stack_environment_variables_stack_name_environment_id_key_unique": {
+          "name": "stack_environment_variables_stack_name_environment_id_key_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "stack_name",
+            "environment_id",
+            "key"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.stack_events": {
+      "name": "stack_events",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "event_type": {
+          "name": "event_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "timestamp": {
+          "name": "timestamp",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "stack_events_environment_id_environments_id_fk": {
+          "name": "stack_events_environment_id_environments_id_fk",
+          "tableFrom": "stack_events",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.stack_sources": {
+      "name": "stack_sources",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "source_type": {
+          "name": "source_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'internal'"
+        },
+        "git_repository_id": {
+          "name": "git_repository_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "git_stack_id": {
+          "name": "git_stack_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "stack_sources_environment_id_environments_id_fk": {
+          "name": "stack_sources_environment_id_environments_id_fk",
+          "tableFrom": "stack_sources",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "stack_sources_git_repository_id_git_repositories_id_fk": {
+          "name": "stack_sources_git_repository_id_git_repositories_id_fk",
+          "tableFrom": "stack_sources",
+          "tableTo": "git_repositories",
+          "columnsFrom": [
+            "git_repository_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "stack_sources_git_stack_id_git_stacks_id_fk": {
+          "name": "stack_sources_git_stack_id_git_stacks_id_fk",
+          "tableFrom": "stack_sources",
+          "tableTo": "git_stacks",
+          "columnsFrom": [
+            "git_stack_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "stack_sources_stack_name_environment_id_unique": {
+          "name": "stack_sources_stack_name_environment_id_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "stack_name",
+            "environment_id"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.user_preferences": {
+      "name": "user_preferences",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "user_preferences_user_id_users_id_fk": {
+          "name": "user_preferences_user_id_users_id_fk",
+          "tableFrom": "user_preferences",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "user_preferences_environment_id_environments_id_fk": {
+          "name": "user_preferences_environment_id_environments_id_fk",
+          "tableFrom": "user_preferences",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "user_preferences_user_id_environment_id_key_unique": {
+          "name": "user_preferences_user_id_environment_id_key_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "user_id",
+            "environment_id",
+            "key"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.user_roles": {
+      "name": "user_roles",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role_id": {
+          "name": "role_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "user_roles_user_id_users_id_fk": {
+          "name": "user_roles_user_id_users_id_fk",
+          "tableFrom": "user_roles",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "user_roles_role_id_roles_id_fk": {
+          "name": "user_roles_role_id_roles_id_fk",
+          "tableFrom": "user_roles",
+          "tableTo": "roles",
+          "columnsFrom": [
+            "role_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "user_roles_environment_id_environments_id_fk": {
+          "name": "user_roles_environment_id_environments_id_fk",
+          "tableFrom": "user_roles",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "user_roles_user_id_role_id_environment_id_unique": {
+          "name": "user_roles_user_id_role_id_environment_id_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "user_id",
+            "role_id",
+            "environment_id"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.users": {
+      "name": "users",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "password_hash": {
+          "name": "password_hash",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "display_name": {
+          "name": "display_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "avatar": {
+          "name": "avatar",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "auth_provider": {
+          "name": "auth_provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'local'"
+        },
+        "mfa_enabled": {
+          "name": "mfa_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "mfa_secret": {
+          "name": "mfa_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "last_login": {
+          "name": "last_login",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "users_username_unique": {
+          "name": "users_username_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "username"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.vulnerability_scans": {
+      "name": "vulnerability_scans",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "image_id": {
+          "name": "image_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "image_name": {
+          "name": "image_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "scanner": {
+          "name": "scanner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "scanned_at": {
+          "name": "scanned_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "scan_duration": {
+          "name": "scan_duration",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "critical_count": {
+          "name": "critical_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "high_count": {
+          "name": "high_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "medium_count": {
+          "name": "medium_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "low_count": {
+          "name": "low_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "negligible_count": {
+          "name": "negligible_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "unknown_count": {
+          "name": "unknown_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "vulnerabilities": {
+          "name": "vulnerabilities",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "error": {
+          "name": "error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "vulnerability_scans_env_image_idx": {
+          "name": "vulnerability_scans_env_image_idx",
+          "columns": [
+            {
+              "expression": "environment_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "image_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "vulnerability_scans_environment_id_environments_id_fk": {
+          "name": "vulnerability_scans_environment_id_environments_id_fk",
+          "tableFrom": "vulnerability_scans",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    }
+  },
+  "enums": {},
+  "schemas": {},
+  "sequences": {},
+  "roles": {},
+  "policies": {},
+  "views": {},
+  "_meta": {
+    "columns": {},
+    "schemas": {},
+    "tables": {}
+  }
+}
\ No newline at end of file
diff --git a/drizzle-pg/meta/0003_snapshot.json b/drizzle-pg/meta/0003_snapshot.json
new file mode 100644
index 0000000..565117e
--- /dev/null
+++ b/drizzle-pg/meta/0003_snapshot.json
@@ -0,0 +1,2895 @@
+{
+  "id": "b10cba96-4947-484f-84a2-efb65205381f",
+  "prevId": "eef8322a-0ccc-418c-b0f6-f51972a1850e",
+  "version": "7",
+  "dialect": "postgresql",
+  "tables": {
+    "public.audit_logs": {
+      "name": "audit_logs",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "action": {
+          "name": "action",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "entity_type": {
+          "name": "entity_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "entity_id": {
+          "name": "entity_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "entity_name": {
+          "name": "entity_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "details": {
+          "name": "details",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ip_address": {
+          "name": "ip_address",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_agent": {
+          "name": "user_agent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "audit_logs_user_id_idx": {
+          "name": "audit_logs_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "audit_logs_created_at_idx": {
+          "name": "audit_logs_created_at_idx",
+          "columns": [
+            {
+              "expression": "created_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "audit_logs_user_id_users_id_fk": {
+          "name": "audit_logs_user_id_users_id_fk",
+          "tableFrom": "audit_logs",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "audit_logs_environment_id_environments_id_fk": {
+          "name": "audit_logs_environment_id_environments_id_fk",
+          "tableFrom": "audit_logs",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.auth_settings": {
+      "name": "auth_settings",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "auth_enabled": {
+          "name": "auth_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "default_provider": {
+          "name": "default_provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'local'"
+        },
+        "session_timeout": {
+          "name": "session_timeout",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 86400
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.auto_update_settings": {
+      "name": "auto_update_settings",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "container_name": {
+          "name": "container_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "schedule_type": {
+          "name": "schedule_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'daily'"
+        },
+        "cron_expression": {
+          "name": "cron_expression",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "vulnerability_criteria": {
+          "name": "vulnerability_criteria",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'never'"
+        },
+        "last_checked": {
+          "name": "last_checked",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_updated": {
+          "name": "last_updated",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "auto_update_settings_environment_id_environments_id_fk": {
+          "name": "auto_update_settings_environment_id_environments_id_fk",
+          "tableFrom": "auto_update_settings",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "no action",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "auto_update_settings_environment_id_container_name_unique": {
+          "name": "auto_update_settings_environment_id_container_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "environment_id",
+            "container_name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.config_sets": {
+      "name": "config_sets",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env_vars": {
+          "name": "env_vars",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "labels": {
+          "name": "labels",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ports": {
+          "name": "ports",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "volumes": {
+          "name": "volumes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "network_mode": {
+          "name": "network_mode",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'bridge'"
+        },
+        "restart_policy": {
+          "name": "restart_policy",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'no'"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "config_sets_name_unique": {
+          "name": "config_sets_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.container_events": {
+      "name": "container_events",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "container_id": {
+          "name": "container_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "container_name": {
+          "name": "container_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "image": {
+          "name": "image",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "action": {
+          "name": "action",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "actor_attributes": {
+          "name": "actor_attributes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "timestamp": {
+          "name": "timestamp",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "container_events_env_timestamp_idx": {
+          "name": "container_events_env_timestamp_idx",
+          "columns": [
+            {
+              "expression": "environment_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "timestamp",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "container_events_environment_id_environments_id_fk": {
+          "name": "container_events_environment_id_environments_id_fk",
+          "tableFrom": "container_events",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.environment_notifications": {
+      "name": "environment_notifications",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "notification_id": {
+          "name": "notification_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "event_types": {
+          "name": "event_types",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "environment_notifications_environment_id_environments_id_fk": {
+          "name": "environment_notifications_environment_id_environments_id_fk",
+          "tableFrom": "environment_notifications",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "environment_notifications_notification_id_notification_settings_id_fk": {
+          "name": "environment_notifications_notification_id_notification_settings_id_fk",
+          "tableFrom": "environment_notifications",
+          "tableTo": "notification_settings",
+          "columnsFrom": [
+            "notification_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "environment_notifications_environment_id_notification_id_unique": {
+          "name": "environment_notifications_environment_id_notification_id_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "environment_id",
+            "notification_id"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.environments": {
+      "name": "environments",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "host": {
+          "name": "host",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "port": {
+          "name": "port",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 2375
+        },
+        "protocol": {
+          "name": "protocol",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'http'"
+        },
+        "tls_ca": {
+          "name": "tls_ca",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tls_cert": {
+          "name": "tls_cert",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tls_key": {
+          "name": "tls_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tls_skip_verify": {
+          "name": "tls_skip_verify",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "icon": {
+          "name": "icon",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'globe'"
+        },
+        "collect_activity": {
+          "name": "collect_activity",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "collect_metrics": {
+          "name": "collect_metrics",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "highlight_changes": {
+          "name": "highlight_changes",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "labels": {
+          "name": "labels",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "connection_type": {
+          "name": "connection_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'socket'"
+        },
+        "socket_path": {
+          "name": "socket_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'/var/run/docker.sock'"
+        },
+        "hawser_token": {
+          "name": "hawser_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "hawser_last_seen": {
+          "name": "hawser_last_seen",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "hawser_agent_id": {
+          "name": "hawser_agent_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "hawser_agent_name": {
+          "name": "hawser_agent_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "hawser_version": {
+          "name": "hawser_version",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "hawser_capabilities": {
+          "name": "hawser_capabilities",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "environments_name_unique": {
+          "name": "environments_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.git_credentials": {
+      "name": "git_credentials",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "auth_type": {
+          "name": "auth_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'none'"
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ssh_private_key": {
+          "name": "ssh_private_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ssh_passphrase": {
+          "name": "ssh_passphrase",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "git_credentials_name_unique": {
+          "name": "git_credentials_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.git_repositories": {
+      "name": "git_repositories",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "url": {
+          "name": "url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "branch": {
+          "name": "branch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'main'"
+        },
+        "credential_id": {
+          "name": "credential_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "compose_path": {
+          "name": "compose_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'docker-compose.yml'"
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "auto_update": {
+          "name": "auto_update",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "auto_update_schedule": {
+          "name": "auto_update_schedule",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'daily'"
+        },
+        "auto_update_cron": {
+          "name": "auto_update_cron",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'0 3 * * *'"
+        },
+        "webhook_enabled": {
+          "name": "webhook_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "webhook_secret": {
+          "name": "webhook_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_sync": {
+          "name": "last_sync",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_commit": {
+          "name": "last_commit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "sync_status": {
+          "name": "sync_status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'pending'"
+        },
+        "sync_error": {
+          "name": "sync_error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "git_repositories_credential_id_git_credentials_id_fk": {
+          "name": "git_repositories_credential_id_git_credentials_id_fk",
+          "tableFrom": "git_repositories",
+          "tableTo": "git_credentials",
+          "columnsFrom": [
+            "credential_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "git_repositories_name_unique": {
+          "name": "git_repositories_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.git_stacks": {
+      "name": "git_stacks",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "repository_id": {
+          "name": "repository_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "compose_path": {
+          "name": "compose_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'docker-compose.yml'"
+        },
+        "env_file_path": {
+          "name": "env_file_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "auto_update": {
+          "name": "auto_update",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "auto_update_schedule": {
+          "name": "auto_update_schedule",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'daily'"
+        },
+        "auto_update_cron": {
+          "name": "auto_update_cron",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'0 3 * * *'"
+        },
+        "webhook_enabled": {
+          "name": "webhook_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "webhook_secret": {
+          "name": "webhook_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_sync": {
+          "name": "last_sync",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_commit": {
+          "name": "last_commit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "sync_status": {
+          "name": "sync_status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'pending'"
+        },
+        "sync_error": {
+          "name": "sync_error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "git_stacks_environment_id_environments_id_fk": {
+          "name": "git_stacks_environment_id_environments_id_fk",
+          "tableFrom": "git_stacks",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "git_stacks_repository_id_git_repositories_id_fk": {
+          "name": "git_stacks_repository_id_git_repositories_id_fk",
+          "tableFrom": "git_stacks",
+          "tableTo": "git_repositories",
+          "columnsFrom": [
+            "repository_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "git_stacks_stack_name_environment_id_unique": {
+          "name": "git_stacks_stack_name_environment_id_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "stack_name",
+            "environment_id"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.hawser_tokens": {
+      "name": "hawser_tokens",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "token": {
+          "name": "token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "token_prefix": {
+          "name": "token_prefix",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "last_used": {
+          "name": "last_used",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "hawser_tokens_environment_id_environments_id_fk": {
+          "name": "hawser_tokens_environment_id_environments_id_fk",
+          "tableFrom": "hawser_tokens",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "hawser_tokens_token_unique": {
+          "name": "hawser_tokens_token_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "token"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.host_metrics": {
+      "name": "host_metrics",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpu_percent": {
+          "name": "cpu_percent",
+          "type": "double precision",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "memory_percent": {
+          "name": "memory_percent",
+          "type": "double precision",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "memory_used": {
+          "name": "memory_used",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memory_total": {
+          "name": "memory_total",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "timestamp": {
+          "name": "timestamp",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "host_metrics_env_timestamp_idx": {
+          "name": "host_metrics_env_timestamp_idx",
+          "columns": [
+            {
+              "expression": "environment_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "timestamp",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "host_metrics_environment_id_environments_id_fk": {
+          "name": "host_metrics_environment_id_environments_id_fk",
+          "tableFrom": "host_metrics",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.ldap_config": {
+      "name": "ldap_config",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "server_url": {
+          "name": "server_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "bind_dn": {
+          "name": "bind_dn",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bind_password": {
+          "name": "bind_password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "base_dn": {
+          "name": "base_dn",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_filter": {
+          "name": "user_filter",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'(uid={{username}})'"
+        },
+        "username_attribute": {
+          "name": "username_attribute",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'uid'"
+        },
+        "email_attribute": {
+          "name": "email_attribute",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'mail'"
+        },
+        "display_name_attribute": {
+          "name": "display_name_attribute",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'cn'"
+        },
+        "group_base_dn": {
+          "name": "group_base_dn",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "group_filter": {
+          "name": "group_filter",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "admin_group": {
+          "name": "admin_group",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "role_mappings": {
+          "name": "role_mappings",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tls_enabled": {
+          "name": "tls_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "tls_ca": {
+          "name": "tls_ca",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.notification_settings": {
+      "name": "notification_settings",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "type": {
+          "name": "type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "config": {
+          "name": "config",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "event_types": {
+          "name": "event_types",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.oidc_config": {
+      "name": "oidc_config",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "issuer_url": {
+          "name": "issuer_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "client_id": {
+          "name": "client_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "client_secret": {
+          "name": "client_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "redirect_uri": {
+          "name": "redirect_uri",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "scopes": {
+          "name": "scopes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'openid profile email'"
+        },
+        "username_claim": {
+          "name": "username_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'preferred_username'"
+        },
+        "email_claim": {
+          "name": "email_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'email'"
+        },
+        "display_name_claim": {
+          "name": "display_name_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'name'"
+        },
+        "admin_claim": {
+          "name": "admin_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "admin_value": {
+          "name": "admin_value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "role_mappings_claim": {
+          "name": "role_mappings_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'groups'"
+        },
+        "role_mappings": {
+          "name": "role_mappings",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.pending_container_updates": {
+      "name": "pending_container_updates",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "container_id": {
+          "name": "container_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "container_name": {
+          "name": "container_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "current_image": {
+          "name": "current_image",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "checked_at": {
+          "name": "checked_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "pending_container_updates_environment_id_environments_id_fk": {
+          "name": "pending_container_updates_environment_id_environments_id_fk",
+          "tableFrom": "pending_container_updates",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "pending_container_updates_environment_id_container_id_unique": {
+          "name": "pending_container_updates_environment_id_container_id_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "environment_id",
+            "container_id"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.registries": {
+      "name": "registries",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "url": {
+          "name": "url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_default": {
+          "name": "is_default",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "registries_name_unique": {
+          "name": "registries_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.roles": {
+      "name": "roles",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_system": {
+          "name": "is_system",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "permissions": {
+          "name": "permissions",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_ids": {
+          "name": "environment_ids",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "roles_name_unique": {
+          "name": "roles_name_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.schedule_executions": {
+      "name": "schedule_executions",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "schedule_type": {
+          "name": "schedule_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "schedule_id": {
+          "name": "schedule_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "entity_name": {
+          "name": "entity_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "triggered_by": {
+          "name": "triggered_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "triggered_at": {
+          "name": "triggered_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "started_at": {
+          "name": "started_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "completed_at": {
+          "name": "completed_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "duration": {
+          "name": "duration",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "status": {
+          "name": "status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "error_message": {
+          "name": "error_message",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "details": {
+          "name": "details",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "logs": {
+          "name": "logs",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "schedule_executions_type_id_idx": {
+          "name": "schedule_executions_type_id_idx",
+          "columns": [
+            {
+              "expression": "schedule_type",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "schedule_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "schedule_executions_environment_id_environments_id_fk": {
+          "name": "schedule_executions_environment_id_environments_id_fk",
+          "tableFrom": "schedule_executions",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.sessions": {
+      "name": "sessions",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "provider": {
+          "name": "provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "sessions_user_id_idx": {
+          "name": "sessions_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "sessions_expires_at_idx": {
+          "name": "sessions_expires_at_idx",
+          "columns": [
+            {
+              "expression": "expires_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "sessions_user_id_users_id_fk": {
+          "name": "sessions_user_id_users_id_fk",
+          "tableFrom": "sessions",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.settings": {
+      "name": "settings",
+      "schema": "",
+      "columns": {
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.stack_environment_variables": {
+      "name": "stack_environment_variables",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "is_secret": {
+          "name": "is_secret",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "stack_environment_variables_environment_id_environments_id_fk": {
+          "name": "stack_environment_variables_environment_id_environments_id_fk",
+          "tableFrom": "stack_environment_variables",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "stack_environment_variables_stack_name_environment_id_key_unique": {
+          "name": "stack_environment_variables_stack_name_environment_id_key_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "stack_name",
+            "environment_id",
+            "key"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.stack_events": {
+      "name": "stack_events",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "event_type": {
+          "name": "event_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "timestamp": {
+          "name": "timestamp",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "stack_events_environment_id_environments_id_fk": {
+          "name": "stack_events_environment_id_environments_id_fk",
+          "tableFrom": "stack_events",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.stack_sources": {
+      "name": "stack_sources",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "source_type": {
+          "name": "source_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'internal'"
+        },
+        "git_repository_id": {
+          "name": "git_repository_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "git_stack_id": {
+          "name": "git_stack_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "external_compose_path": {
+          "name": "external_compose_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "external_env_path": {
+          "name": "external_env_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "stack_sources_environment_id_environments_id_fk": {
+          "name": "stack_sources_environment_id_environments_id_fk",
+          "tableFrom": "stack_sources",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "stack_sources_git_repository_id_git_repositories_id_fk": {
+          "name": "stack_sources_git_repository_id_git_repositories_id_fk",
+          "tableFrom": "stack_sources",
+          "tableTo": "git_repositories",
+          "columnsFrom": [
+            "git_repository_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "stack_sources_git_stack_id_git_stacks_id_fk": {
+          "name": "stack_sources_git_stack_id_git_stacks_id_fk",
+          "tableFrom": "stack_sources",
+          "tableTo": "git_stacks",
+          "columnsFrom": [
+            "git_stack_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "stack_sources_stack_name_environment_id_unique": {
+          "name": "stack_sources_stack_name_environment_id_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "stack_name",
+            "environment_id"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.user_preferences": {
+      "name": "user_preferences",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "user_preferences_user_id_users_id_fk": {
+          "name": "user_preferences_user_id_users_id_fk",
+          "tableFrom": "user_preferences",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "user_preferences_environment_id_environments_id_fk": {
+          "name": "user_preferences_environment_id_environments_id_fk",
+          "tableFrom": "user_preferences",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "user_preferences_user_id_environment_id_key_unique": {
+          "name": "user_preferences_user_id_environment_id_key_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "user_id",
+            "environment_id",
+            "key"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.user_roles": {
+      "name": "user_roles",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role_id": {
+          "name": "role_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "user_roles_user_id_users_id_fk": {
+          "name": "user_roles_user_id_users_id_fk",
+          "tableFrom": "user_roles",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "user_roles_role_id_roles_id_fk": {
+          "name": "user_roles_role_id_roles_id_fk",
+          "tableFrom": "user_roles",
+          "tableTo": "roles",
+          "columnsFrom": [
+            "role_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "user_roles_environment_id_environments_id_fk": {
+          "name": "user_roles_environment_id_environments_id_fk",
+          "tableFrom": "user_roles",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "user_roles_user_id_role_id_environment_id_unique": {
+          "name": "user_roles_user_id_role_id_environment_id_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "user_id",
+            "role_id",
+            "environment_id"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.users": {
+      "name": "users",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "password_hash": {
+          "name": "password_hash",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "display_name": {
+          "name": "display_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "avatar": {
+          "name": "avatar",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "auth_provider": {
+          "name": "auth_provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'local'"
+        },
+        "mfa_enabled": {
+          "name": "mfa_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "mfa_secret": {
+          "name": "mfa_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "last_login": {
+          "name": "last_login",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "users_username_unique": {
+          "name": "users_username_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "username"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.vulnerability_scans": {
+      "name": "vulnerability_scans",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "serial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "image_id": {
+          "name": "image_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "image_name": {
+          "name": "image_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "scanner": {
+          "name": "scanner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "scanned_at": {
+          "name": "scanned_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "scan_duration": {
+          "name": "scan_duration",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "critical_count": {
+          "name": "critical_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "high_count": {
+          "name": "high_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "medium_count": {
+          "name": "medium_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "low_count": {
+          "name": "low_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "negligible_count": {
+          "name": "negligible_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "unknown_count": {
+          "name": "unknown_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "vulnerabilities": {
+          "name": "vulnerabilities",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "error": {
+          "name": "error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "vulnerability_scans_env_image_idx": {
+          "name": "vulnerability_scans_env_image_idx",
+          "columns": [
+            {
+              "expression": "environment_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "image_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "vulnerability_scans_environment_id_environments_id_fk": {
+          "name": "vulnerability_scans_environment_id_environments_id_fk",
+          "tableFrom": "vulnerability_scans",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    }
+  },
+  "enums": {},
+  "schemas": {},
+  "sequences": {},
+  "roles": {},
+  "policies": {},
+  "views": {},
+  "_meta": {
+    "columns": {},
+    "schemas": {},
+    "tables": {}
+  }
+}
\ No newline at end of file
diff --git a/drizzle-pg/meta/_journal.json b/drizzle-pg/meta/_journal.json
new file mode 100644
index 0000000..590bb1f
--- /dev/null
+++ b/drizzle-pg/meta/_journal.json
@@ -0,0 +1,34 @@
+{
+  "version": "7",
+  "dialect": "postgresql",
+  "entries": [
+    {
+      "idx": 0,
+      "version": "7",
+      "when": 1765804022462,
+      "tag": "0000_initial_schema",
+      "breakpoints": true
+    },
+    {
+      "idx": 1,
+      "version": "7",
+      "when": 1766378770502,
+      "tag": "0001_add_stack_env_vars",
+      "breakpoints": true
+    },
+    {
+      "idx": 2,
+      "version": "7",
+      "when": 1766763867484,
+      "tag": "0002_add_pending_container_updates",
+      "breakpoints": true
+    },
+    {
+      "idx": 3,
+      "version": "7",
+      "when": 1767687362730,
+      "tag": "0003_add_stack_paths",
+      "breakpoints": true
+    }
+  ]
+}
\ No newline at end of file
diff --git a/drizzle.config.ts b/drizzle.config.ts
new file mode 100644
index 0000000..44f2d39
--- /dev/null
+++ b/drizzle.config.ts
@@ -0,0 +1,16 @@
+import { defineConfig } from 'drizzle-kit';
+
+const databaseUrl = process.env.DATABASE_URL;
+const isPostgres = databaseUrl && (databaseUrl.startsWith('postgres://') || databaseUrl.startsWith('postgresql://'));
+
+export default defineConfig({
+	// Use different schema files for SQLite vs PostgreSQL
+	schema: isPostgres
+		? './src/lib/server/db/schema/pg-schema.ts'
+		: './src/lib/server/db/schema/index.ts',
+	out: isPostgres ? './drizzle-pg' : './drizzle',
+	dialect: isPostgres ? 'postgresql' : 'sqlite',
+	dbCredentials: isPostgres
+		? { url: databaseUrl! }
+		: { url: `file:${process.env.DATA_DIR || './data'}/dockhand.db` }
+});
diff --git a/drizzle/0000_initial_schema.sql b/drizzle/0000_initial_schema.sql
new file mode 100644
index 0000000..b04383a
--- /dev/null
+++ b/drizzle/0000_initial_schema.sql
@@ -0,0 +1,401 @@
+CREATE TABLE `audit_logs` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`user_id` integer,
+	`username` text NOT NULL,
+	`action` text NOT NULL,
+	`entity_type` text NOT NULL,
+	`entity_id` text,
+	`entity_name` text,
+	`environment_id` integer,
+	`description` text,
+	`details` text,
+	`ip_address` text,
+	`user_agent` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON UPDATE no action ON DELETE set null,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE set null
+);
+--> statement-breakpoint
+CREATE INDEX `audit_logs_user_id_idx` ON `audit_logs` (`user_id`);--> statement-breakpoint
+CREATE INDEX `audit_logs_created_at_idx` ON `audit_logs` (`created_at`);--> statement-breakpoint
+CREATE TABLE `auth_settings` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`auth_enabled` integer DEFAULT false,
+	`default_provider` text DEFAULT 'local',
+	`session_timeout` integer DEFAULT 86400,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP
+);
+--> statement-breakpoint
+CREATE TABLE `auto_update_settings` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`environment_id` integer,
+	`container_name` text NOT NULL,
+	`enabled` integer DEFAULT false,
+	`schedule_type` text DEFAULT 'daily',
+	`cron_expression` text,
+	`vulnerability_criteria` text DEFAULT 'never',
+	`last_checked` text,
+	`last_updated` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE no action
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `auto_update_settings_environment_id_container_name_unique` ON `auto_update_settings` (`environment_id`,`container_name`);--> statement-breakpoint
+CREATE TABLE `config_sets` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`name` text NOT NULL,
+	`description` text,
+	`env_vars` text,
+	`labels` text,
+	`ports` text,
+	`volumes` text,
+	`network_mode` text DEFAULT 'bridge',
+	`restart_policy` text DEFAULT 'no',
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `config_sets_name_unique` ON `config_sets` (`name`);--> statement-breakpoint
+CREATE TABLE `container_events` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`environment_id` integer,
+	`container_id` text NOT NULL,
+	`container_name` text,
+	`image` text,
+	`action` text NOT NULL,
+	`actor_attributes` text,
+	`timestamp` text NOT NULL,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE INDEX `container_events_env_timestamp_idx` ON `container_events` (`environment_id`,`timestamp`);--> statement-breakpoint
+CREATE TABLE `environment_notifications` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`environment_id` integer NOT NULL,
+	`notification_id` integer NOT NULL,
+	`enabled` integer DEFAULT true,
+	`event_types` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade,
+	FOREIGN KEY (`notification_id`) REFERENCES `notification_settings`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `environment_notifications_environment_id_notification_id_unique` ON `environment_notifications` (`environment_id`,`notification_id`);--> statement-breakpoint
+CREATE TABLE `environments` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`name` text NOT NULL,
+	`host` text,
+	`port` integer DEFAULT 2375,
+	`protocol` text DEFAULT 'http',
+	`tls_ca` text,
+	`tls_cert` text,
+	`tls_key` text,
+	`tls_skip_verify` integer DEFAULT false,
+	`icon` text DEFAULT 'globe',
+	`collect_activity` integer DEFAULT true,
+	`collect_metrics` integer DEFAULT true,
+	`highlight_changes` integer DEFAULT true,
+	`labels` text,
+	`connection_type` text DEFAULT 'socket',
+	`socket_path` text DEFAULT '/var/run/docker.sock',
+	`hawser_token` text,
+	`hawser_last_seen` text,
+	`hawser_agent_id` text,
+	`hawser_agent_name` text,
+	`hawser_version` text,
+	`hawser_capabilities` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `environments_name_unique` ON `environments` (`name`);--> statement-breakpoint
+CREATE TABLE `git_credentials` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`name` text NOT NULL,
+	`auth_type` text DEFAULT 'none' NOT NULL,
+	`username` text,
+	`password` text,
+	`ssh_private_key` text,
+	`ssh_passphrase` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `git_credentials_name_unique` ON `git_credentials` (`name`);--> statement-breakpoint
+CREATE TABLE `git_repositories` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`name` text NOT NULL,
+	`url` text NOT NULL,
+	`branch` text DEFAULT 'main',
+	`credential_id` integer,
+	`compose_path` text DEFAULT 'docker-compose.yml',
+	`environment_id` integer,
+	`auto_update` integer DEFAULT false,
+	`auto_update_schedule` text DEFAULT 'daily',
+	`auto_update_cron` text DEFAULT '0 3 * * *',
+	`webhook_enabled` integer DEFAULT false,
+	`webhook_secret` text,
+	`last_sync` text,
+	`last_commit` text,
+	`sync_status` text DEFAULT 'pending',
+	`sync_error` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`credential_id`) REFERENCES `git_credentials`(`id`) ON UPDATE no action ON DELETE set null
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `git_repositories_name_unique` ON `git_repositories` (`name`);--> statement-breakpoint
+CREATE TABLE `git_stacks` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`stack_name` text NOT NULL,
+	`environment_id` integer,
+	`repository_id` integer NOT NULL,
+	`compose_path` text DEFAULT 'docker-compose.yml',
+	`auto_update` integer DEFAULT false,
+	`auto_update_schedule` text DEFAULT 'daily',
+	`auto_update_cron` text DEFAULT '0 3 * * *',
+	`webhook_enabled` integer DEFAULT false,
+	`webhook_secret` text,
+	`last_sync` text,
+	`last_commit` text,
+	`sync_status` text DEFAULT 'pending',
+	`sync_error` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade,
+	FOREIGN KEY (`repository_id`) REFERENCES `git_repositories`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `git_stacks_stack_name_environment_id_unique` ON `git_stacks` (`stack_name`,`environment_id`);--> statement-breakpoint
+CREATE TABLE `hawser_tokens` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`token` text NOT NULL,
+	`token_prefix` text NOT NULL,
+	`name` text NOT NULL,
+	`environment_id` integer,
+	`is_active` integer DEFAULT true,
+	`last_used` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`expires_at` text,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `hawser_tokens_token_unique` ON `hawser_tokens` (`token`);--> statement-breakpoint
+CREATE TABLE `host_metrics` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`environment_id` integer,
+	`cpu_percent` real NOT NULL,
+	`memory_percent` real NOT NULL,
+	`memory_used` integer,
+	`memory_total` integer,
+	`timestamp` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE INDEX `host_metrics_env_timestamp_idx` ON `host_metrics` (`environment_id`,`timestamp`);--> statement-breakpoint
+CREATE TABLE `ldap_config` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`name` text NOT NULL,
+	`enabled` integer DEFAULT false,
+	`server_url` text NOT NULL,
+	`bind_dn` text,
+	`bind_password` text,
+	`base_dn` text NOT NULL,
+	`user_filter` text DEFAULT '(uid={{username}})',
+	`username_attribute` text DEFAULT 'uid',
+	`email_attribute` text DEFAULT 'mail',
+	`display_name_attribute` text DEFAULT 'cn',
+	`group_base_dn` text,
+	`group_filter` text,
+	`admin_group` text,
+	`role_mappings` text,
+	`tls_enabled` integer DEFAULT false,
+	`tls_ca` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP
+);
+--> statement-breakpoint
+CREATE TABLE `notification_settings` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`type` text NOT NULL,
+	`name` text NOT NULL,
+	`enabled` integer DEFAULT true,
+	`config` text NOT NULL,
+	`event_types` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP
+);
+--> statement-breakpoint
+CREATE TABLE `oidc_config` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`name` text NOT NULL,
+	`enabled` integer DEFAULT false,
+	`issuer_url` text NOT NULL,
+	`client_id` text NOT NULL,
+	`client_secret` text NOT NULL,
+	`redirect_uri` text NOT NULL,
+	`scopes` text DEFAULT 'openid profile email',
+	`username_claim` text DEFAULT 'preferred_username',
+	`email_claim` text DEFAULT 'email',
+	`display_name_claim` text DEFAULT 'name',
+	`admin_claim` text,
+	`admin_value` text,
+	`role_mappings_claim` text DEFAULT 'groups',
+	`role_mappings` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP
+);
+--> statement-breakpoint
+CREATE TABLE `registries` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`name` text NOT NULL,
+	`url` text NOT NULL,
+	`username` text,
+	`password` text,
+	`is_default` integer DEFAULT false,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `registries_name_unique` ON `registries` (`name`);--> statement-breakpoint
+CREATE TABLE `roles` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`name` text NOT NULL,
+	`description` text,
+	`is_system` integer DEFAULT false,
+	`permissions` text NOT NULL,
+	`environment_ids` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `roles_name_unique` ON `roles` (`name`);--> statement-breakpoint
+CREATE TABLE `schedule_executions` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`schedule_type` text NOT NULL,
+	`schedule_id` integer NOT NULL,
+	`environment_id` integer,
+	`entity_name` text NOT NULL,
+	`triggered_by` text NOT NULL,
+	`triggered_at` text NOT NULL,
+	`started_at` text,
+	`completed_at` text,
+	`duration` integer,
+	`status` text NOT NULL,
+	`error_message` text,
+	`details` text,
+	`logs` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE INDEX `schedule_executions_type_id_idx` ON `schedule_executions` (`schedule_type`,`schedule_id`);--> statement-breakpoint
+CREATE TABLE `sessions` (
+	`id` text PRIMARY KEY NOT NULL,
+	`user_id` integer NOT NULL,
+	`provider` text NOT NULL,
+	`expires_at` text NOT NULL,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE INDEX `sessions_user_id_idx` ON `sessions` (`user_id`);--> statement-breakpoint
+CREATE INDEX `sessions_expires_at_idx` ON `sessions` (`expires_at`);--> statement-breakpoint
+CREATE TABLE `settings` (
+	`key` text PRIMARY KEY NOT NULL,
+	`value` text NOT NULL,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP
+);
+--> statement-breakpoint
+CREATE TABLE `stack_events` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`environment_id` integer,
+	`stack_name` text NOT NULL,
+	`event_type` text NOT NULL,
+	`timestamp` text DEFAULT CURRENT_TIMESTAMP,
+	`metadata` text,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE TABLE `stack_sources` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`stack_name` text NOT NULL,
+	`environment_id` integer,
+	`source_type` text DEFAULT 'internal' NOT NULL,
+	`git_repository_id` integer,
+	`git_stack_id` integer,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade,
+	FOREIGN KEY (`git_repository_id`) REFERENCES `git_repositories`(`id`) ON UPDATE no action ON DELETE set null,
+	FOREIGN KEY (`git_stack_id`) REFERENCES `git_stacks`(`id`) ON UPDATE no action ON DELETE set null
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `stack_sources_stack_name_environment_id_unique` ON `stack_sources` (`stack_name`,`environment_id`);--> statement-breakpoint
+CREATE TABLE `user_preferences` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`user_id` integer,
+	`environment_id` integer,
+	`key` text NOT NULL,
+	`value` text NOT NULL,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON UPDATE no action ON DELETE cascade,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `user_preferences_user_id_environment_id_key_unique` ON `user_preferences` (`user_id`,`environment_id`,`key`);--> statement-breakpoint
+CREATE TABLE `user_roles` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`user_id` integer NOT NULL,
+	`role_id` integer NOT NULL,
+	`environment_id` integer,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON UPDATE no action ON DELETE cascade,
+	FOREIGN KEY (`role_id`) REFERENCES `roles`(`id`) ON UPDATE no action ON DELETE cascade,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `user_roles_user_id_role_id_environment_id_unique` ON `user_roles` (`user_id`,`role_id`,`environment_id`);--> statement-breakpoint
+CREATE TABLE `users` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`username` text NOT NULL,
+	`email` text,
+	`password_hash` text NOT NULL,
+	`display_name` text,
+	`avatar` text,
+	`auth_provider` text DEFAULT 'local',
+	`mfa_enabled` integer DEFAULT false,
+	`mfa_secret` text,
+	`is_active` integer DEFAULT true,
+	`last_login` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `users_username_unique` ON `users` (`username`);--> statement-breakpoint
+CREATE TABLE `vulnerability_scans` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`environment_id` integer,
+	`image_id` text NOT NULL,
+	`image_name` text NOT NULL,
+	`scanner` text NOT NULL,
+	`scanned_at` text NOT NULL,
+	`scan_duration` integer,
+	`critical_count` integer DEFAULT 0,
+	`high_count` integer DEFAULT 0,
+	`medium_count` integer DEFAULT 0,
+	`low_count` integer DEFAULT 0,
+	`negligible_count` integer DEFAULT 0,
+	`unknown_count` integer DEFAULT 0,
+	`vulnerabilities` text,
+	`error` text,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE INDEX `vulnerability_scans_env_image_idx` ON `vulnerability_scans` (`environment_id`,`image_id`);
\ No newline at end of file
diff --git a/drizzle/0001_add_stack_env_vars.sql b/drizzle/0001_add_stack_env_vars.sql
new file mode 100644
index 0000000..aa52b21
--- /dev/null
+++ b/drizzle/0001_add_stack_env_vars.sql
@@ -0,0 +1,14 @@
+CREATE TABLE `stack_environment_variables` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`stack_name` text NOT NULL,
+	`environment_id` integer,
+	`key` text NOT NULL,
+	`value` text NOT NULL,
+	`is_secret` integer DEFAULT false,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	`updated_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `stack_environment_variables_stack_name_environment_id_key_unique` ON `stack_environment_variables` (`stack_name`,`environment_id`,`key`);--> statement-breakpoint
+ALTER TABLE `git_stacks` ADD `env_file_path` text;
\ No newline at end of file
diff --git a/drizzle/0002_add_pending_container_updates.sql b/drizzle/0002_add_pending_container_updates.sql
new file mode 100644
index 0000000..f3c87a6
--- /dev/null
+++ b/drizzle/0002_add_pending_container_updates.sql
@@ -0,0 +1,12 @@
+CREATE TABLE `pending_container_updates` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`environment_id` integer NOT NULL,
+	`container_id` text NOT NULL,
+	`container_name` text NOT NULL,
+	`current_image` text NOT NULL,
+	`checked_at` text DEFAULT CURRENT_TIMESTAMP,
+	`created_at` text DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (`environment_id`) REFERENCES `environments`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `pending_container_updates_environment_id_container_id_unique` ON `pending_container_updates` (`environment_id`,`container_id`);
\ No newline at end of file
diff --git a/drizzle/0003_add_stack_paths.sql b/drizzle/0003_add_stack_paths.sql
new file mode 100644
index 0000000..a9447ea
--- /dev/null
+++ b/drizzle/0003_add_stack_paths.sql
@@ -0,0 +1,2 @@
+ALTER TABLE `stack_sources` ADD `compose_path` text;--> statement-breakpoint
+ALTER TABLE `stack_sources` ADD `env_path` text;
\ No newline at end of file
diff --git a/drizzle/meta/0000_snapshot.json b/drizzle/meta/0000_snapshot.json
new file mode 100644
index 0000000..0aaf6ba
--- /dev/null
+++ b/drizzle/meta/0000_snapshot.json
@@ -0,0 +1,2824 @@
+{
+  "version": "6",
+  "dialect": "sqlite",
+  "id": "d7d12244-ddb1-4246-844c-56f6c903ea29",
+  "prevId": "00000000-0000-0000-0000-000000000000",
+  "tables": {
+    "audit_logs": {
+      "name": "audit_logs",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "action": {
+          "name": "action",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "entity_type": {
+          "name": "entity_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "entity_id": {
+          "name": "entity_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "entity_name": {
+          "name": "entity_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "details": {
+          "name": "details",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "ip_address": {
+          "name": "ip_address",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "user_agent": {
+          "name": "user_agent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "audit_logs_user_id_idx": {
+          "name": "audit_logs_user_id_idx",
+          "columns": [
+            "user_id"
+          ],
+          "isUnique": false
+        },
+        "audit_logs_created_at_idx": {
+          "name": "audit_logs_created_at_idx",
+          "columns": [
+            "created_at"
+          ],
+          "isUnique": false
+        }
+      },
+      "foreignKeys": {
+        "audit_logs_user_id_users_id_fk": {
+          "name": "audit_logs_user_id_users_id_fk",
+          "tableFrom": "audit_logs",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "audit_logs_environment_id_environments_id_fk": {
+          "name": "audit_logs_environment_id_environments_id_fk",
+          "tableFrom": "audit_logs",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "auth_settings": {
+      "name": "auth_settings",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "auth_enabled": {
+          "name": "auth_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "default_provider": {
+          "name": "default_provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'local'"
+        },
+        "session_timeout": {
+          "name": "session_timeout",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 86400
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "auto_update_settings": {
+      "name": "auto_update_settings",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "container_name": {
+          "name": "container_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "schedule_type": {
+          "name": "schedule_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'daily'"
+        },
+        "cron_expression": {
+          "name": "cron_expression",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "vulnerability_criteria": {
+          "name": "vulnerability_criteria",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'never'"
+        },
+        "last_checked": {
+          "name": "last_checked",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_updated": {
+          "name": "last_updated",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "auto_update_settings_environment_id_container_name_unique": {
+          "name": "auto_update_settings_environment_id_container_name_unique",
+          "columns": [
+            "environment_id",
+            "container_name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "auto_update_settings_environment_id_environments_id_fk": {
+          "name": "auto_update_settings_environment_id_environments_id_fk",
+          "tableFrom": "auto_update_settings",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "no action",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "config_sets": {
+      "name": "config_sets",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "env_vars": {
+          "name": "env_vars",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "labels": {
+          "name": "labels",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "ports": {
+          "name": "ports",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "volumes": {
+          "name": "volumes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "network_mode": {
+          "name": "network_mode",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'bridge'"
+        },
+        "restart_policy": {
+          "name": "restart_policy",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'no'"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "config_sets_name_unique": {
+          "name": "config_sets_name_unique",
+          "columns": [
+            "name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "container_events": {
+      "name": "container_events",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "container_id": {
+          "name": "container_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "container_name": {
+          "name": "container_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "image": {
+          "name": "image",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "action": {
+          "name": "action",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "actor_attributes": {
+          "name": "actor_attributes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "timestamp": {
+          "name": "timestamp",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "container_events_env_timestamp_idx": {
+          "name": "container_events_env_timestamp_idx",
+          "columns": [
+            "environment_id",
+            "timestamp"
+          ],
+          "isUnique": false
+        }
+      },
+      "foreignKeys": {
+        "container_events_environment_id_environments_id_fk": {
+          "name": "container_events_environment_id_environments_id_fk",
+          "tableFrom": "container_events",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "environment_notifications": {
+      "name": "environment_notifications",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "notification_id": {
+          "name": "notification_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "event_types": {
+          "name": "event_types",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "environment_notifications_environment_id_notification_id_unique": {
+          "name": "environment_notifications_environment_id_notification_id_unique",
+          "columns": [
+            "environment_id",
+            "notification_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "environment_notifications_environment_id_environments_id_fk": {
+          "name": "environment_notifications_environment_id_environments_id_fk",
+          "tableFrom": "environment_notifications",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "environment_notifications_notification_id_notification_settings_id_fk": {
+          "name": "environment_notifications_notification_id_notification_settings_id_fk",
+          "tableFrom": "environment_notifications",
+          "tableTo": "notification_settings",
+          "columnsFrom": [
+            "notification_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "environments": {
+      "name": "environments",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "host": {
+          "name": "host",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "port": {
+          "name": "port",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 2375
+        },
+        "protocol": {
+          "name": "protocol",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'http'"
+        },
+        "tls_ca": {
+          "name": "tls_ca",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "tls_cert": {
+          "name": "tls_cert",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "tls_key": {
+          "name": "tls_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "tls_skip_verify": {
+          "name": "tls_skip_verify",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "icon": {
+          "name": "icon",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'globe'"
+        },
+        "collect_activity": {
+          "name": "collect_activity",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "collect_metrics": {
+          "name": "collect_metrics",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "highlight_changes": {
+          "name": "highlight_changes",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "labels": {
+          "name": "labels",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "connection_type": {
+          "name": "connection_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'socket'"
+        },
+        "socket_path": {
+          "name": "socket_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'/var/run/docker.sock'"
+        },
+        "hawser_token": {
+          "name": "hawser_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "hawser_last_seen": {
+          "name": "hawser_last_seen",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "hawser_agent_id": {
+          "name": "hawser_agent_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "hawser_agent_name": {
+          "name": "hawser_agent_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "hawser_version": {
+          "name": "hawser_version",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "hawser_capabilities": {
+          "name": "hawser_capabilities",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "environments_name_unique": {
+          "name": "environments_name_unique",
+          "columns": [
+            "name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "git_credentials": {
+      "name": "git_credentials",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "auth_type": {
+          "name": "auth_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'none'"
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "ssh_private_key": {
+          "name": "ssh_private_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "ssh_passphrase": {
+          "name": "ssh_passphrase",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "git_credentials_name_unique": {
+          "name": "git_credentials_name_unique",
+          "columns": [
+            "name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "git_repositories": {
+      "name": "git_repositories",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "url": {
+          "name": "url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "branch": {
+          "name": "branch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'main'"
+        },
+        "credential_id": {
+          "name": "credential_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "compose_path": {
+          "name": "compose_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'docker-compose.yml'"
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "auto_update": {
+          "name": "auto_update",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "auto_update_schedule": {
+          "name": "auto_update_schedule",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'daily'"
+        },
+        "auto_update_cron": {
+          "name": "auto_update_cron",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'0 3 * * *'"
+        },
+        "webhook_enabled": {
+          "name": "webhook_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "webhook_secret": {
+          "name": "webhook_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_sync": {
+          "name": "last_sync",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_commit": {
+          "name": "last_commit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "sync_status": {
+          "name": "sync_status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'pending'"
+        },
+        "sync_error": {
+          "name": "sync_error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "git_repositories_name_unique": {
+          "name": "git_repositories_name_unique",
+          "columns": [
+            "name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "git_repositories_credential_id_git_credentials_id_fk": {
+          "name": "git_repositories_credential_id_git_credentials_id_fk",
+          "tableFrom": "git_repositories",
+          "tableTo": "git_credentials",
+          "columnsFrom": [
+            "credential_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "git_stacks": {
+      "name": "git_stacks",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "repository_id": {
+          "name": "repository_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "compose_path": {
+          "name": "compose_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'docker-compose.yml'"
+        },
+        "auto_update": {
+          "name": "auto_update",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "auto_update_schedule": {
+          "name": "auto_update_schedule",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'daily'"
+        },
+        "auto_update_cron": {
+          "name": "auto_update_cron",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'0 3 * * *'"
+        },
+        "webhook_enabled": {
+          "name": "webhook_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "webhook_secret": {
+          "name": "webhook_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_sync": {
+          "name": "last_sync",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_commit": {
+          "name": "last_commit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "sync_status": {
+          "name": "sync_status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'pending'"
+        },
+        "sync_error": {
+          "name": "sync_error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "git_stacks_stack_name_environment_id_unique": {
+          "name": "git_stacks_stack_name_environment_id_unique",
+          "columns": [
+            "stack_name",
+            "environment_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "git_stacks_environment_id_environments_id_fk": {
+          "name": "git_stacks_environment_id_environments_id_fk",
+          "tableFrom": "git_stacks",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "git_stacks_repository_id_git_repositories_id_fk": {
+          "name": "git_stacks_repository_id_git_repositories_id_fk",
+          "tableFrom": "git_stacks",
+          "tableTo": "git_repositories",
+          "columnsFrom": [
+            "repository_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "hawser_tokens": {
+      "name": "hawser_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "token": {
+          "name": "token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token_prefix": {
+          "name": "token_prefix",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "last_used": {
+          "name": "last_used",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {
+        "hawser_tokens_token_unique": {
+          "name": "hawser_tokens_token_unique",
+          "columns": [
+            "token"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "hawser_tokens_environment_id_environments_id_fk": {
+          "name": "hawser_tokens_environment_id_environments_id_fk",
+          "tableFrom": "hawser_tokens",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "host_metrics": {
+      "name": "host_metrics",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "cpu_percent": {
+          "name": "cpu_percent",
+          "type": "real",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "memory_percent": {
+          "name": "memory_percent",
+          "type": "real",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "memory_used": {
+          "name": "memory_used",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "memory_total": {
+          "name": "memory_total",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "timestamp": {
+          "name": "timestamp",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "host_metrics_env_timestamp_idx": {
+          "name": "host_metrics_env_timestamp_idx",
+          "columns": [
+            "environment_id",
+            "timestamp"
+          ],
+          "isUnique": false
+        }
+      },
+      "foreignKeys": {
+        "host_metrics_environment_id_environments_id_fk": {
+          "name": "host_metrics_environment_id_environments_id_fk",
+          "tableFrom": "host_metrics",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "ldap_config": {
+      "name": "ldap_config",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "server_url": {
+          "name": "server_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "bind_dn": {
+          "name": "bind_dn",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "bind_password": {
+          "name": "bind_password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "base_dn": {
+          "name": "base_dn",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "user_filter": {
+          "name": "user_filter",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'(uid={{username}})'"
+        },
+        "username_attribute": {
+          "name": "username_attribute",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'uid'"
+        },
+        "email_attribute": {
+          "name": "email_attribute",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'mail'"
+        },
+        "display_name_attribute": {
+          "name": "display_name_attribute",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'cn'"
+        },
+        "group_base_dn": {
+          "name": "group_base_dn",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "group_filter": {
+          "name": "group_filter",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "admin_group": {
+          "name": "admin_group",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "role_mappings": {
+          "name": "role_mappings",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "tls_enabled": {
+          "name": "tls_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "tls_ca": {
+          "name": "tls_ca",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "notification_settings": {
+      "name": "notification_settings",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "type": {
+          "name": "type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "config": {
+          "name": "config",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "event_types": {
+          "name": "event_types",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "oidc_config": {
+      "name": "oidc_config",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "issuer_url": {
+          "name": "issuer_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "client_id": {
+          "name": "client_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "client_secret": {
+          "name": "client_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "redirect_uri": {
+          "name": "redirect_uri",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "scopes": {
+          "name": "scopes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'openid profile email'"
+        },
+        "username_claim": {
+          "name": "username_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'preferred_username'"
+        },
+        "email_claim": {
+          "name": "email_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'email'"
+        },
+        "display_name_claim": {
+          "name": "display_name_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'name'"
+        },
+        "admin_claim": {
+          "name": "admin_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "admin_value": {
+          "name": "admin_value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "role_mappings_claim": {
+          "name": "role_mappings_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'groups'"
+        },
+        "role_mappings": {
+          "name": "role_mappings",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "registries": {
+      "name": "registries",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "url": {
+          "name": "url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_default": {
+          "name": "is_default",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "registries_name_unique": {
+          "name": "registries_name_unique",
+          "columns": [
+            "name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "roles": {
+      "name": "roles",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_system": {
+          "name": "is_system",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "permissions": {
+          "name": "permissions",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_ids": {
+          "name": "environment_ids",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "roles_name_unique": {
+          "name": "roles_name_unique",
+          "columns": [
+            "name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "schedule_executions": {
+      "name": "schedule_executions",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "schedule_type": {
+          "name": "schedule_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "schedule_id": {
+          "name": "schedule_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "entity_name": {
+          "name": "entity_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "triggered_by": {
+          "name": "triggered_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "triggered_at": {
+          "name": "triggered_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "started_at": {
+          "name": "started_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "completed_at": {
+          "name": "completed_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "duration": {
+          "name": "duration",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "status": {
+          "name": "status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "error_message": {
+          "name": "error_message",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "details": {
+          "name": "details",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "logs": {
+          "name": "logs",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "schedule_executions_type_id_idx": {
+          "name": "schedule_executions_type_id_idx",
+          "columns": [
+            "schedule_type",
+            "schedule_id"
+          ],
+          "isUnique": false
+        }
+      },
+      "foreignKeys": {
+        "schedule_executions_environment_id_environments_id_fk": {
+          "name": "schedule_executions_environment_id_environments_id_fk",
+          "tableFrom": "schedule_executions",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "sessions": {
+      "name": "sessions",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "provider": {
+          "name": "provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "sessions_user_id_idx": {
+          "name": "sessions_user_id_idx",
+          "columns": [
+            "user_id"
+          ],
+          "isUnique": false
+        },
+        "sessions_expires_at_idx": {
+          "name": "sessions_expires_at_idx",
+          "columns": [
+            "expires_at"
+          ],
+          "isUnique": false
+        }
+      },
+      "foreignKeys": {
+        "sessions_user_id_users_id_fk": {
+          "name": "sessions_user_id_users_id_fk",
+          "tableFrom": "sessions",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "settings": {
+      "name": "settings",
+      "columns": {
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "stack_events": {
+      "name": "stack_events",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "event_type": {
+          "name": "event_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "timestamp": {
+          "name": "timestamp",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "stack_events_environment_id_environments_id_fk": {
+          "name": "stack_events_environment_id_environments_id_fk",
+          "tableFrom": "stack_events",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "stack_sources": {
+      "name": "stack_sources",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "source_type": {
+          "name": "source_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'internal'"
+        },
+        "git_repository_id": {
+          "name": "git_repository_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "git_stack_id": {
+          "name": "git_stack_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "stack_sources_stack_name_environment_id_unique": {
+          "name": "stack_sources_stack_name_environment_id_unique",
+          "columns": [
+            "stack_name",
+            "environment_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "stack_sources_environment_id_environments_id_fk": {
+          "name": "stack_sources_environment_id_environments_id_fk",
+          "tableFrom": "stack_sources",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "stack_sources_git_repository_id_git_repositories_id_fk": {
+          "name": "stack_sources_git_repository_id_git_repositories_id_fk",
+          "tableFrom": "stack_sources",
+          "tableTo": "git_repositories",
+          "columnsFrom": [
+            "git_repository_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "stack_sources_git_stack_id_git_stacks_id_fk": {
+          "name": "stack_sources_git_stack_id_git_stacks_id_fk",
+          "tableFrom": "stack_sources",
+          "tableTo": "git_stacks",
+          "columnsFrom": [
+            "git_stack_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "user_preferences": {
+      "name": "user_preferences",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "user_preferences_user_id_environment_id_key_unique": {
+          "name": "user_preferences_user_id_environment_id_key_unique",
+          "columns": [
+            "user_id",
+            "environment_id",
+            "key"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "user_preferences_user_id_users_id_fk": {
+          "name": "user_preferences_user_id_users_id_fk",
+          "tableFrom": "user_preferences",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "user_preferences_environment_id_environments_id_fk": {
+          "name": "user_preferences_environment_id_environments_id_fk",
+          "tableFrom": "user_preferences",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "user_roles": {
+      "name": "user_roles",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "role_id": {
+          "name": "role_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "user_roles_user_id_role_id_environment_id_unique": {
+          "name": "user_roles_user_id_role_id_environment_id_unique",
+          "columns": [
+            "user_id",
+            "role_id",
+            "environment_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "user_roles_user_id_users_id_fk": {
+          "name": "user_roles_user_id_users_id_fk",
+          "tableFrom": "user_roles",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "user_roles_role_id_roles_id_fk": {
+          "name": "user_roles_role_id_roles_id_fk",
+          "tableFrom": "user_roles",
+          "tableTo": "roles",
+          "columnsFrom": [
+            "role_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "user_roles_environment_id_environments_id_fk": {
+          "name": "user_roles_environment_id_environments_id_fk",
+          "tableFrom": "user_roles",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "users": {
+      "name": "users",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "password_hash": {
+          "name": "password_hash",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "display_name": {
+          "name": "display_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "avatar": {
+          "name": "avatar",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "auth_provider": {
+          "name": "auth_provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'local'"
+        },
+        "mfa_enabled": {
+          "name": "mfa_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "mfa_secret": {
+          "name": "mfa_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "last_login": {
+          "name": "last_login",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "users_username_unique": {
+          "name": "users_username_unique",
+          "columns": [
+            "username"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "vulnerability_scans": {
+      "name": "vulnerability_scans",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "image_id": {
+          "name": "image_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "image_name": {
+          "name": "image_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "scanner": {
+          "name": "scanner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "scanned_at": {
+          "name": "scanned_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "scan_duration": {
+          "name": "scan_duration",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "critical_count": {
+          "name": "critical_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 0
+        },
+        "high_count": {
+          "name": "high_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 0
+        },
+        "medium_count": {
+          "name": "medium_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 0
+        },
+        "low_count": {
+          "name": "low_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 0
+        },
+        "negligible_count": {
+          "name": "negligible_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 0
+        },
+        "unknown_count": {
+          "name": "unknown_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 0
+        },
+        "vulnerabilities": {
+          "name": "vulnerabilities",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "error": {
+          "name": "error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "vulnerability_scans_env_image_idx": {
+          "name": "vulnerability_scans_env_image_idx",
+          "columns": [
+            "environment_id",
+            "image_id"
+          ],
+          "isUnique": false
+        }
+      },
+      "foreignKeys": {
+        "vulnerability_scans_environment_id_environments_id_fk": {
+          "name": "vulnerability_scans_environment_id_environments_id_fk",
+          "tableFrom": "vulnerability_scans",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    }
+  },
+  "views": {},
+  "enums": {},
+  "_meta": {
+    "schemas": {},
+    "tables": {},
+    "columns": {}
+  },
+  "internal": {
+    "indexes": {}
+  }
+}
\ No newline at end of file
diff --git a/drizzle/meta/0001_snapshot.json b/drizzle/meta/0001_snapshot.json
new file mode 100644
index 0000000..4a5d606
--- /dev/null
+++ b/drizzle/meta/0001_snapshot.json
@@ -0,0 +1,2924 @@
+{
+  "version": "6",
+  "dialect": "sqlite",
+  "id": "9dd11a39-a911-4c3f-9c2f-6920b14c2d96",
+  "prevId": "d7d12244-ddb1-4246-844c-56f6c903ea29",
+  "tables": {
+    "audit_logs": {
+      "name": "audit_logs",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "action": {
+          "name": "action",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "entity_type": {
+          "name": "entity_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "entity_id": {
+          "name": "entity_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "entity_name": {
+          "name": "entity_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "details": {
+          "name": "details",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "ip_address": {
+          "name": "ip_address",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "user_agent": {
+          "name": "user_agent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "audit_logs_user_id_idx": {
+          "name": "audit_logs_user_id_idx",
+          "columns": [
+            "user_id"
+          ],
+          "isUnique": false
+        },
+        "audit_logs_created_at_idx": {
+          "name": "audit_logs_created_at_idx",
+          "columns": [
+            "created_at"
+          ],
+          "isUnique": false
+        }
+      },
+      "foreignKeys": {
+        "audit_logs_user_id_users_id_fk": {
+          "name": "audit_logs_user_id_users_id_fk",
+          "tableFrom": "audit_logs",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "audit_logs_environment_id_environments_id_fk": {
+          "name": "audit_logs_environment_id_environments_id_fk",
+          "tableFrom": "audit_logs",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "auth_settings": {
+      "name": "auth_settings",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "auth_enabled": {
+          "name": "auth_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "default_provider": {
+          "name": "default_provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'local'"
+        },
+        "session_timeout": {
+          "name": "session_timeout",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 86400
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "auto_update_settings": {
+      "name": "auto_update_settings",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "container_name": {
+          "name": "container_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "schedule_type": {
+          "name": "schedule_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'daily'"
+        },
+        "cron_expression": {
+          "name": "cron_expression",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "vulnerability_criteria": {
+          "name": "vulnerability_criteria",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'never'"
+        },
+        "last_checked": {
+          "name": "last_checked",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_updated": {
+          "name": "last_updated",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "auto_update_settings_environment_id_container_name_unique": {
+          "name": "auto_update_settings_environment_id_container_name_unique",
+          "columns": [
+            "environment_id",
+            "container_name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "auto_update_settings_environment_id_environments_id_fk": {
+          "name": "auto_update_settings_environment_id_environments_id_fk",
+          "tableFrom": "auto_update_settings",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "no action",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "config_sets": {
+      "name": "config_sets",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "env_vars": {
+          "name": "env_vars",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "labels": {
+          "name": "labels",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "ports": {
+          "name": "ports",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "volumes": {
+          "name": "volumes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "network_mode": {
+          "name": "network_mode",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'bridge'"
+        },
+        "restart_policy": {
+          "name": "restart_policy",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'no'"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "config_sets_name_unique": {
+          "name": "config_sets_name_unique",
+          "columns": [
+            "name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "container_events": {
+      "name": "container_events",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "container_id": {
+          "name": "container_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "container_name": {
+          "name": "container_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "image": {
+          "name": "image",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "action": {
+          "name": "action",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "actor_attributes": {
+          "name": "actor_attributes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "timestamp": {
+          "name": "timestamp",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "container_events_env_timestamp_idx": {
+          "name": "container_events_env_timestamp_idx",
+          "columns": [
+            "environment_id",
+            "timestamp"
+          ],
+          "isUnique": false
+        }
+      },
+      "foreignKeys": {
+        "container_events_environment_id_environments_id_fk": {
+          "name": "container_events_environment_id_environments_id_fk",
+          "tableFrom": "container_events",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "environment_notifications": {
+      "name": "environment_notifications",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "notification_id": {
+          "name": "notification_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "event_types": {
+          "name": "event_types",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "environment_notifications_environment_id_notification_id_unique": {
+          "name": "environment_notifications_environment_id_notification_id_unique",
+          "columns": [
+            "environment_id",
+            "notification_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "environment_notifications_environment_id_environments_id_fk": {
+          "name": "environment_notifications_environment_id_environments_id_fk",
+          "tableFrom": "environment_notifications",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "environment_notifications_notification_id_notification_settings_id_fk": {
+          "name": "environment_notifications_notification_id_notification_settings_id_fk",
+          "tableFrom": "environment_notifications",
+          "tableTo": "notification_settings",
+          "columnsFrom": [
+            "notification_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "environments": {
+      "name": "environments",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "host": {
+          "name": "host",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "port": {
+          "name": "port",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 2375
+        },
+        "protocol": {
+          "name": "protocol",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'http'"
+        },
+        "tls_ca": {
+          "name": "tls_ca",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "tls_cert": {
+          "name": "tls_cert",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "tls_key": {
+          "name": "tls_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "tls_skip_verify": {
+          "name": "tls_skip_verify",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "icon": {
+          "name": "icon",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'globe'"
+        },
+        "collect_activity": {
+          "name": "collect_activity",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "collect_metrics": {
+          "name": "collect_metrics",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "highlight_changes": {
+          "name": "highlight_changes",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "labels": {
+          "name": "labels",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "connection_type": {
+          "name": "connection_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'socket'"
+        },
+        "socket_path": {
+          "name": "socket_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'/var/run/docker.sock'"
+        },
+        "hawser_token": {
+          "name": "hawser_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "hawser_last_seen": {
+          "name": "hawser_last_seen",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "hawser_agent_id": {
+          "name": "hawser_agent_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "hawser_agent_name": {
+          "name": "hawser_agent_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "hawser_version": {
+          "name": "hawser_version",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "hawser_capabilities": {
+          "name": "hawser_capabilities",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "environments_name_unique": {
+          "name": "environments_name_unique",
+          "columns": [
+            "name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "git_credentials": {
+      "name": "git_credentials",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "auth_type": {
+          "name": "auth_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'none'"
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "ssh_private_key": {
+          "name": "ssh_private_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "ssh_passphrase": {
+          "name": "ssh_passphrase",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "git_credentials_name_unique": {
+          "name": "git_credentials_name_unique",
+          "columns": [
+            "name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "git_repositories": {
+      "name": "git_repositories",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "url": {
+          "name": "url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "branch": {
+          "name": "branch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'main'"
+        },
+        "credential_id": {
+          "name": "credential_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "compose_path": {
+          "name": "compose_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'docker-compose.yml'"
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "auto_update": {
+          "name": "auto_update",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "auto_update_schedule": {
+          "name": "auto_update_schedule",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'daily'"
+        },
+        "auto_update_cron": {
+          "name": "auto_update_cron",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'0 3 * * *'"
+        },
+        "webhook_enabled": {
+          "name": "webhook_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "webhook_secret": {
+          "name": "webhook_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_sync": {
+          "name": "last_sync",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_commit": {
+          "name": "last_commit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "sync_status": {
+          "name": "sync_status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'pending'"
+        },
+        "sync_error": {
+          "name": "sync_error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "git_repositories_name_unique": {
+          "name": "git_repositories_name_unique",
+          "columns": [
+            "name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "git_repositories_credential_id_git_credentials_id_fk": {
+          "name": "git_repositories_credential_id_git_credentials_id_fk",
+          "tableFrom": "git_repositories",
+          "tableTo": "git_credentials",
+          "columnsFrom": [
+            "credential_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "git_stacks": {
+      "name": "git_stacks",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "repository_id": {
+          "name": "repository_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "compose_path": {
+          "name": "compose_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'docker-compose.yml'"
+        },
+        "env_file_path": {
+          "name": "env_file_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "auto_update": {
+          "name": "auto_update",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "auto_update_schedule": {
+          "name": "auto_update_schedule",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'daily'"
+        },
+        "auto_update_cron": {
+          "name": "auto_update_cron",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'0 3 * * *'"
+        },
+        "webhook_enabled": {
+          "name": "webhook_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "webhook_secret": {
+          "name": "webhook_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_sync": {
+          "name": "last_sync",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_commit": {
+          "name": "last_commit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "sync_status": {
+          "name": "sync_status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'pending'"
+        },
+        "sync_error": {
+          "name": "sync_error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "git_stacks_stack_name_environment_id_unique": {
+          "name": "git_stacks_stack_name_environment_id_unique",
+          "columns": [
+            "stack_name",
+            "environment_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "git_stacks_environment_id_environments_id_fk": {
+          "name": "git_stacks_environment_id_environments_id_fk",
+          "tableFrom": "git_stacks",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "git_stacks_repository_id_git_repositories_id_fk": {
+          "name": "git_stacks_repository_id_git_repositories_id_fk",
+          "tableFrom": "git_stacks",
+          "tableTo": "git_repositories",
+          "columnsFrom": [
+            "repository_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "hawser_tokens": {
+      "name": "hawser_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "token": {
+          "name": "token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token_prefix": {
+          "name": "token_prefix",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "last_used": {
+          "name": "last_used",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {
+        "hawser_tokens_token_unique": {
+          "name": "hawser_tokens_token_unique",
+          "columns": [
+            "token"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "hawser_tokens_environment_id_environments_id_fk": {
+          "name": "hawser_tokens_environment_id_environments_id_fk",
+          "tableFrom": "hawser_tokens",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "host_metrics": {
+      "name": "host_metrics",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "cpu_percent": {
+          "name": "cpu_percent",
+          "type": "real",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "memory_percent": {
+          "name": "memory_percent",
+          "type": "real",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "memory_used": {
+          "name": "memory_used",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "memory_total": {
+          "name": "memory_total",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "timestamp": {
+          "name": "timestamp",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "host_metrics_env_timestamp_idx": {
+          "name": "host_metrics_env_timestamp_idx",
+          "columns": [
+            "environment_id",
+            "timestamp"
+          ],
+          "isUnique": false
+        }
+      },
+      "foreignKeys": {
+        "host_metrics_environment_id_environments_id_fk": {
+          "name": "host_metrics_environment_id_environments_id_fk",
+          "tableFrom": "host_metrics",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "ldap_config": {
+      "name": "ldap_config",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "server_url": {
+          "name": "server_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "bind_dn": {
+          "name": "bind_dn",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "bind_password": {
+          "name": "bind_password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "base_dn": {
+          "name": "base_dn",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "user_filter": {
+          "name": "user_filter",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'(uid={{username}})'"
+        },
+        "username_attribute": {
+          "name": "username_attribute",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'uid'"
+        },
+        "email_attribute": {
+          "name": "email_attribute",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'mail'"
+        },
+        "display_name_attribute": {
+          "name": "display_name_attribute",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'cn'"
+        },
+        "group_base_dn": {
+          "name": "group_base_dn",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "group_filter": {
+          "name": "group_filter",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "admin_group": {
+          "name": "admin_group",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "role_mappings": {
+          "name": "role_mappings",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "tls_enabled": {
+          "name": "tls_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "tls_ca": {
+          "name": "tls_ca",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "notification_settings": {
+      "name": "notification_settings",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "type": {
+          "name": "type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "config": {
+          "name": "config",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "event_types": {
+          "name": "event_types",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "oidc_config": {
+      "name": "oidc_config",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "issuer_url": {
+          "name": "issuer_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "client_id": {
+          "name": "client_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "client_secret": {
+          "name": "client_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "redirect_uri": {
+          "name": "redirect_uri",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "scopes": {
+          "name": "scopes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'openid profile email'"
+        },
+        "username_claim": {
+          "name": "username_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'preferred_username'"
+        },
+        "email_claim": {
+          "name": "email_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'email'"
+        },
+        "display_name_claim": {
+          "name": "display_name_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'name'"
+        },
+        "admin_claim": {
+          "name": "admin_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "admin_value": {
+          "name": "admin_value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "role_mappings_claim": {
+          "name": "role_mappings_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'groups'"
+        },
+        "role_mappings": {
+          "name": "role_mappings",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "registries": {
+      "name": "registries",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "url": {
+          "name": "url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_default": {
+          "name": "is_default",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "registries_name_unique": {
+          "name": "registries_name_unique",
+          "columns": [
+            "name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "roles": {
+      "name": "roles",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_system": {
+          "name": "is_system",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "permissions": {
+          "name": "permissions",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_ids": {
+          "name": "environment_ids",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "roles_name_unique": {
+          "name": "roles_name_unique",
+          "columns": [
+            "name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "schedule_executions": {
+      "name": "schedule_executions",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "schedule_type": {
+          "name": "schedule_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "schedule_id": {
+          "name": "schedule_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "entity_name": {
+          "name": "entity_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "triggered_by": {
+          "name": "triggered_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "triggered_at": {
+          "name": "triggered_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "started_at": {
+          "name": "started_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "completed_at": {
+          "name": "completed_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "duration": {
+          "name": "duration",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "status": {
+          "name": "status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "error_message": {
+          "name": "error_message",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "details": {
+          "name": "details",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "logs": {
+          "name": "logs",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "schedule_executions_type_id_idx": {
+          "name": "schedule_executions_type_id_idx",
+          "columns": [
+            "schedule_type",
+            "schedule_id"
+          ],
+          "isUnique": false
+        }
+      },
+      "foreignKeys": {
+        "schedule_executions_environment_id_environments_id_fk": {
+          "name": "schedule_executions_environment_id_environments_id_fk",
+          "tableFrom": "schedule_executions",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "sessions": {
+      "name": "sessions",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "provider": {
+          "name": "provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "sessions_user_id_idx": {
+          "name": "sessions_user_id_idx",
+          "columns": [
+            "user_id"
+          ],
+          "isUnique": false
+        },
+        "sessions_expires_at_idx": {
+          "name": "sessions_expires_at_idx",
+          "columns": [
+            "expires_at"
+          ],
+          "isUnique": false
+        }
+      },
+      "foreignKeys": {
+        "sessions_user_id_users_id_fk": {
+          "name": "sessions_user_id_users_id_fk",
+          "tableFrom": "sessions",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "settings": {
+      "name": "settings",
+      "columns": {
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "stack_environment_variables": {
+      "name": "stack_environment_variables",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "is_secret": {
+          "name": "is_secret",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "stack_environment_variables_stack_name_environment_id_key_unique": {
+          "name": "stack_environment_variables_stack_name_environment_id_key_unique",
+          "columns": [
+            "stack_name",
+            "environment_id",
+            "key"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "stack_environment_variables_environment_id_environments_id_fk": {
+          "name": "stack_environment_variables_environment_id_environments_id_fk",
+          "tableFrom": "stack_environment_variables",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "stack_events": {
+      "name": "stack_events",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "event_type": {
+          "name": "event_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "timestamp": {
+          "name": "timestamp",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "stack_events_environment_id_environments_id_fk": {
+          "name": "stack_events_environment_id_environments_id_fk",
+          "tableFrom": "stack_events",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "stack_sources": {
+      "name": "stack_sources",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "source_type": {
+          "name": "source_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'internal'"
+        },
+        "git_repository_id": {
+          "name": "git_repository_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "git_stack_id": {
+          "name": "git_stack_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "stack_sources_stack_name_environment_id_unique": {
+          "name": "stack_sources_stack_name_environment_id_unique",
+          "columns": [
+            "stack_name",
+            "environment_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "stack_sources_environment_id_environments_id_fk": {
+          "name": "stack_sources_environment_id_environments_id_fk",
+          "tableFrom": "stack_sources",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "stack_sources_git_repository_id_git_repositories_id_fk": {
+          "name": "stack_sources_git_repository_id_git_repositories_id_fk",
+          "tableFrom": "stack_sources",
+          "tableTo": "git_repositories",
+          "columnsFrom": [
+            "git_repository_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "stack_sources_git_stack_id_git_stacks_id_fk": {
+          "name": "stack_sources_git_stack_id_git_stacks_id_fk",
+          "tableFrom": "stack_sources",
+          "tableTo": "git_stacks",
+          "columnsFrom": [
+            "git_stack_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "user_preferences": {
+      "name": "user_preferences",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "user_preferences_user_id_environment_id_key_unique": {
+          "name": "user_preferences_user_id_environment_id_key_unique",
+          "columns": [
+            "user_id",
+            "environment_id",
+            "key"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "user_preferences_user_id_users_id_fk": {
+          "name": "user_preferences_user_id_users_id_fk",
+          "tableFrom": "user_preferences",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "user_preferences_environment_id_environments_id_fk": {
+          "name": "user_preferences_environment_id_environments_id_fk",
+          "tableFrom": "user_preferences",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "user_roles": {
+      "name": "user_roles",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "role_id": {
+          "name": "role_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "user_roles_user_id_role_id_environment_id_unique": {
+          "name": "user_roles_user_id_role_id_environment_id_unique",
+          "columns": [
+            "user_id",
+            "role_id",
+            "environment_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "user_roles_user_id_users_id_fk": {
+          "name": "user_roles_user_id_users_id_fk",
+          "tableFrom": "user_roles",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "user_roles_role_id_roles_id_fk": {
+          "name": "user_roles_role_id_roles_id_fk",
+          "tableFrom": "user_roles",
+          "tableTo": "roles",
+          "columnsFrom": [
+            "role_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "user_roles_environment_id_environments_id_fk": {
+          "name": "user_roles_environment_id_environments_id_fk",
+          "tableFrom": "user_roles",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "users": {
+      "name": "users",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "password_hash": {
+          "name": "password_hash",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "display_name": {
+          "name": "display_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "avatar": {
+          "name": "avatar",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "auth_provider": {
+          "name": "auth_provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'local'"
+        },
+        "mfa_enabled": {
+          "name": "mfa_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "mfa_secret": {
+          "name": "mfa_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "last_login": {
+          "name": "last_login",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "users_username_unique": {
+          "name": "users_username_unique",
+          "columns": [
+            "username"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "vulnerability_scans": {
+      "name": "vulnerability_scans",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "image_id": {
+          "name": "image_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "image_name": {
+          "name": "image_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "scanner": {
+          "name": "scanner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "scanned_at": {
+          "name": "scanned_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "scan_duration": {
+          "name": "scan_duration",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "critical_count": {
+          "name": "critical_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 0
+        },
+        "high_count": {
+          "name": "high_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 0
+        },
+        "medium_count": {
+          "name": "medium_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 0
+        },
+        "low_count": {
+          "name": "low_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 0
+        },
+        "negligible_count": {
+          "name": "negligible_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 0
+        },
+        "unknown_count": {
+          "name": "unknown_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 0
+        },
+        "vulnerabilities": {
+          "name": "vulnerabilities",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "error": {
+          "name": "error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "vulnerability_scans_env_image_idx": {
+          "name": "vulnerability_scans_env_image_idx",
+          "columns": [
+            "environment_id",
+            "image_id"
+          ],
+          "isUnique": false
+        }
+      },
+      "foreignKeys": {
+        "vulnerability_scans_environment_id_environments_id_fk": {
+          "name": "vulnerability_scans_environment_id_environments_id_fk",
+          "tableFrom": "vulnerability_scans",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    }
+  },
+  "views": {},
+  "enums": {},
+  "_meta": {
+    "schemas": {},
+    "tables": {},
+    "columns": {}
+  },
+  "internal": {
+    "indexes": {}
+  }
+}
\ No newline at end of file
diff --git a/drizzle/meta/0002_snapshot.json b/drizzle/meta/0002_snapshot.json
new file mode 100644
index 0000000..f99d580
--- /dev/null
+++ b/drizzle/meta/0002_snapshot.json
@@ -0,0 +1,3008 @@
+{
+  "version": "6",
+  "dialect": "sqlite",
+  "id": "31bce98b-04c0-4e21-8cb0-49a67c345d87",
+  "prevId": "9dd11a39-a911-4c3f-9c2f-6920b14c2d96",
+  "tables": {
+    "audit_logs": {
+      "name": "audit_logs",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "action": {
+          "name": "action",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "entity_type": {
+          "name": "entity_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "entity_id": {
+          "name": "entity_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "entity_name": {
+          "name": "entity_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "details": {
+          "name": "details",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "ip_address": {
+          "name": "ip_address",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "user_agent": {
+          "name": "user_agent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "audit_logs_user_id_idx": {
+          "name": "audit_logs_user_id_idx",
+          "columns": [
+            "user_id"
+          ],
+          "isUnique": false
+        },
+        "audit_logs_created_at_idx": {
+          "name": "audit_logs_created_at_idx",
+          "columns": [
+            "created_at"
+          ],
+          "isUnique": false
+        }
+      },
+      "foreignKeys": {
+        "audit_logs_user_id_users_id_fk": {
+          "name": "audit_logs_user_id_users_id_fk",
+          "tableFrom": "audit_logs",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "audit_logs_environment_id_environments_id_fk": {
+          "name": "audit_logs_environment_id_environments_id_fk",
+          "tableFrom": "audit_logs",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "auth_settings": {
+      "name": "auth_settings",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "auth_enabled": {
+          "name": "auth_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "default_provider": {
+          "name": "default_provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'local'"
+        },
+        "session_timeout": {
+          "name": "session_timeout",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 86400
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "auto_update_settings": {
+      "name": "auto_update_settings",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "container_name": {
+          "name": "container_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "schedule_type": {
+          "name": "schedule_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'daily'"
+        },
+        "cron_expression": {
+          "name": "cron_expression",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "vulnerability_criteria": {
+          "name": "vulnerability_criteria",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'never'"
+        },
+        "last_checked": {
+          "name": "last_checked",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_updated": {
+          "name": "last_updated",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "auto_update_settings_environment_id_container_name_unique": {
+          "name": "auto_update_settings_environment_id_container_name_unique",
+          "columns": [
+            "environment_id",
+            "container_name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "auto_update_settings_environment_id_environments_id_fk": {
+          "name": "auto_update_settings_environment_id_environments_id_fk",
+          "tableFrom": "auto_update_settings",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "no action",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "config_sets": {
+      "name": "config_sets",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "env_vars": {
+          "name": "env_vars",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "labels": {
+          "name": "labels",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "ports": {
+          "name": "ports",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "volumes": {
+          "name": "volumes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "network_mode": {
+          "name": "network_mode",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'bridge'"
+        },
+        "restart_policy": {
+          "name": "restart_policy",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'no'"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "config_sets_name_unique": {
+          "name": "config_sets_name_unique",
+          "columns": [
+            "name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "container_events": {
+      "name": "container_events",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "container_id": {
+          "name": "container_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "container_name": {
+          "name": "container_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "image": {
+          "name": "image",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "action": {
+          "name": "action",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "actor_attributes": {
+          "name": "actor_attributes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "timestamp": {
+          "name": "timestamp",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "container_events_env_timestamp_idx": {
+          "name": "container_events_env_timestamp_idx",
+          "columns": [
+            "environment_id",
+            "timestamp"
+          ],
+          "isUnique": false
+        }
+      },
+      "foreignKeys": {
+        "container_events_environment_id_environments_id_fk": {
+          "name": "container_events_environment_id_environments_id_fk",
+          "tableFrom": "container_events",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "environment_notifications": {
+      "name": "environment_notifications",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "notification_id": {
+          "name": "notification_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "event_types": {
+          "name": "event_types",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "environment_notifications_environment_id_notification_id_unique": {
+          "name": "environment_notifications_environment_id_notification_id_unique",
+          "columns": [
+            "environment_id",
+            "notification_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "environment_notifications_environment_id_environments_id_fk": {
+          "name": "environment_notifications_environment_id_environments_id_fk",
+          "tableFrom": "environment_notifications",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "environment_notifications_notification_id_notification_settings_id_fk": {
+          "name": "environment_notifications_notification_id_notification_settings_id_fk",
+          "tableFrom": "environment_notifications",
+          "tableTo": "notification_settings",
+          "columnsFrom": [
+            "notification_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "environments": {
+      "name": "environments",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "host": {
+          "name": "host",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "port": {
+          "name": "port",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 2375
+        },
+        "protocol": {
+          "name": "protocol",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'http'"
+        },
+        "tls_ca": {
+          "name": "tls_ca",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "tls_cert": {
+          "name": "tls_cert",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "tls_key": {
+          "name": "tls_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "tls_skip_verify": {
+          "name": "tls_skip_verify",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "icon": {
+          "name": "icon",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'globe'"
+        },
+        "collect_activity": {
+          "name": "collect_activity",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "collect_metrics": {
+          "name": "collect_metrics",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "highlight_changes": {
+          "name": "highlight_changes",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "labels": {
+          "name": "labels",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "connection_type": {
+          "name": "connection_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'socket'"
+        },
+        "socket_path": {
+          "name": "socket_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'/var/run/docker.sock'"
+        },
+        "hawser_token": {
+          "name": "hawser_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "hawser_last_seen": {
+          "name": "hawser_last_seen",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "hawser_agent_id": {
+          "name": "hawser_agent_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "hawser_agent_name": {
+          "name": "hawser_agent_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "hawser_version": {
+          "name": "hawser_version",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "hawser_capabilities": {
+          "name": "hawser_capabilities",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "environments_name_unique": {
+          "name": "environments_name_unique",
+          "columns": [
+            "name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "git_credentials": {
+      "name": "git_credentials",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "auth_type": {
+          "name": "auth_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'none'"
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "ssh_private_key": {
+          "name": "ssh_private_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "ssh_passphrase": {
+          "name": "ssh_passphrase",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "git_credentials_name_unique": {
+          "name": "git_credentials_name_unique",
+          "columns": [
+            "name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "git_repositories": {
+      "name": "git_repositories",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "url": {
+          "name": "url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "branch": {
+          "name": "branch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'main'"
+        },
+        "credential_id": {
+          "name": "credential_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "compose_path": {
+          "name": "compose_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'docker-compose.yml'"
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "auto_update": {
+          "name": "auto_update",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "auto_update_schedule": {
+          "name": "auto_update_schedule",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'daily'"
+        },
+        "auto_update_cron": {
+          "name": "auto_update_cron",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'0 3 * * *'"
+        },
+        "webhook_enabled": {
+          "name": "webhook_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "webhook_secret": {
+          "name": "webhook_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_sync": {
+          "name": "last_sync",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_commit": {
+          "name": "last_commit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "sync_status": {
+          "name": "sync_status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'pending'"
+        },
+        "sync_error": {
+          "name": "sync_error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "git_repositories_name_unique": {
+          "name": "git_repositories_name_unique",
+          "columns": [
+            "name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "git_repositories_credential_id_git_credentials_id_fk": {
+          "name": "git_repositories_credential_id_git_credentials_id_fk",
+          "tableFrom": "git_repositories",
+          "tableTo": "git_credentials",
+          "columnsFrom": [
+            "credential_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "git_stacks": {
+      "name": "git_stacks",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "repository_id": {
+          "name": "repository_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "compose_path": {
+          "name": "compose_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'docker-compose.yml'"
+        },
+        "env_file_path": {
+          "name": "env_file_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "auto_update": {
+          "name": "auto_update",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "auto_update_schedule": {
+          "name": "auto_update_schedule",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'daily'"
+        },
+        "auto_update_cron": {
+          "name": "auto_update_cron",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'0 3 * * *'"
+        },
+        "webhook_enabled": {
+          "name": "webhook_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "webhook_secret": {
+          "name": "webhook_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_sync": {
+          "name": "last_sync",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_commit": {
+          "name": "last_commit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "sync_status": {
+          "name": "sync_status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'pending'"
+        },
+        "sync_error": {
+          "name": "sync_error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "git_stacks_stack_name_environment_id_unique": {
+          "name": "git_stacks_stack_name_environment_id_unique",
+          "columns": [
+            "stack_name",
+            "environment_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "git_stacks_environment_id_environments_id_fk": {
+          "name": "git_stacks_environment_id_environments_id_fk",
+          "tableFrom": "git_stacks",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "git_stacks_repository_id_git_repositories_id_fk": {
+          "name": "git_stacks_repository_id_git_repositories_id_fk",
+          "tableFrom": "git_stacks",
+          "tableTo": "git_repositories",
+          "columnsFrom": [
+            "repository_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "hawser_tokens": {
+      "name": "hawser_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "token": {
+          "name": "token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token_prefix": {
+          "name": "token_prefix",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "last_used": {
+          "name": "last_used",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {
+        "hawser_tokens_token_unique": {
+          "name": "hawser_tokens_token_unique",
+          "columns": [
+            "token"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "hawser_tokens_environment_id_environments_id_fk": {
+          "name": "hawser_tokens_environment_id_environments_id_fk",
+          "tableFrom": "hawser_tokens",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "host_metrics": {
+      "name": "host_metrics",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "cpu_percent": {
+          "name": "cpu_percent",
+          "type": "real",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "memory_percent": {
+          "name": "memory_percent",
+          "type": "real",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "memory_used": {
+          "name": "memory_used",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "memory_total": {
+          "name": "memory_total",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "timestamp": {
+          "name": "timestamp",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "host_metrics_env_timestamp_idx": {
+          "name": "host_metrics_env_timestamp_idx",
+          "columns": [
+            "environment_id",
+            "timestamp"
+          ],
+          "isUnique": false
+        }
+      },
+      "foreignKeys": {
+        "host_metrics_environment_id_environments_id_fk": {
+          "name": "host_metrics_environment_id_environments_id_fk",
+          "tableFrom": "host_metrics",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "ldap_config": {
+      "name": "ldap_config",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "server_url": {
+          "name": "server_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "bind_dn": {
+          "name": "bind_dn",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "bind_password": {
+          "name": "bind_password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "base_dn": {
+          "name": "base_dn",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "user_filter": {
+          "name": "user_filter",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'(uid={{username}})'"
+        },
+        "username_attribute": {
+          "name": "username_attribute",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'uid'"
+        },
+        "email_attribute": {
+          "name": "email_attribute",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'mail'"
+        },
+        "display_name_attribute": {
+          "name": "display_name_attribute",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'cn'"
+        },
+        "group_base_dn": {
+          "name": "group_base_dn",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "group_filter": {
+          "name": "group_filter",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "admin_group": {
+          "name": "admin_group",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "role_mappings": {
+          "name": "role_mappings",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "tls_enabled": {
+          "name": "tls_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "tls_ca": {
+          "name": "tls_ca",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "notification_settings": {
+      "name": "notification_settings",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "type": {
+          "name": "type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "config": {
+          "name": "config",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "event_types": {
+          "name": "event_types",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "oidc_config": {
+      "name": "oidc_config",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "issuer_url": {
+          "name": "issuer_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "client_id": {
+          "name": "client_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "client_secret": {
+          "name": "client_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "redirect_uri": {
+          "name": "redirect_uri",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "scopes": {
+          "name": "scopes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'openid profile email'"
+        },
+        "username_claim": {
+          "name": "username_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'preferred_username'"
+        },
+        "email_claim": {
+          "name": "email_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'email'"
+        },
+        "display_name_claim": {
+          "name": "display_name_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'name'"
+        },
+        "admin_claim": {
+          "name": "admin_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "admin_value": {
+          "name": "admin_value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "role_mappings_claim": {
+          "name": "role_mappings_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'groups'"
+        },
+        "role_mappings": {
+          "name": "role_mappings",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "pending_container_updates": {
+      "name": "pending_container_updates",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "container_id": {
+          "name": "container_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "container_name": {
+          "name": "container_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "current_image": {
+          "name": "current_image",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "checked_at": {
+          "name": "checked_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "pending_container_updates_environment_id_container_id_unique": {
+          "name": "pending_container_updates_environment_id_container_id_unique",
+          "columns": [
+            "environment_id",
+            "container_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "pending_container_updates_environment_id_environments_id_fk": {
+          "name": "pending_container_updates_environment_id_environments_id_fk",
+          "tableFrom": "pending_container_updates",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "registries": {
+      "name": "registries",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "url": {
+          "name": "url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_default": {
+          "name": "is_default",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "registries_name_unique": {
+          "name": "registries_name_unique",
+          "columns": [
+            "name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "roles": {
+      "name": "roles",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_system": {
+          "name": "is_system",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "permissions": {
+          "name": "permissions",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_ids": {
+          "name": "environment_ids",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "roles_name_unique": {
+          "name": "roles_name_unique",
+          "columns": [
+            "name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "schedule_executions": {
+      "name": "schedule_executions",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "schedule_type": {
+          "name": "schedule_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "schedule_id": {
+          "name": "schedule_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "entity_name": {
+          "name": "entity_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "triggered_by": {
+          "name": "triggered_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "triggered_at": {
+          "name": "triggered_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "started_at": {
+          "name": "started_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "completed_at": {
+          "name": "completed_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "duration": {
+          "name": "duration",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "status": {
+          "name": "status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "error_message": {
+          "name": "error_message",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "details": {
+          "name": "details",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "logs": {
+          "name": "logs",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "schedule_executions_type_id_idx": {
+          "name": "schedule_executions_type_id_idx",
+          "columns": [
+            "schedule_type",
+            "schedule_id"
+          ],
+          "isUnique": false
+        }
+      },
+      "foreignKeys": {
+        "schedule_executions_environment_id_environments_id_fk": {
+          "name": "schedule_executions_environment_id_environments_id_fk",
+          "tableFrom": "schedule_executions",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "sessions": {
+      "name": "sessions",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "provider": {
+          "name": "provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "sessions_user_id_idx": {
+          "name": "sessions_user_id_idx",
+          "columns": [
+            "user_id"
+          ],
+          "isUnique": false
+        },
+        "sessions_expires_at_idx": {
+          "name": "sessions_expires_at_idx",
+          "columns": [
+            "expires_at"
+          ],
+          "isUnique": false
+        }
+      },
+      "foreignKeys": {
+        "sessions_user_id_users_id_fk": {
+          "name": "sessions_user_id_users_id_fk",
+          "tableFrom": "sessions",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "settings": {
+      "name": "settings",
+      "columns": {
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "stack_environment_variables": {
+      "name": "stack_environment_variables",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "is_secret": {
+          "name": "is_secret",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "stack_environment_variables_stack_name_environment_id_key_unique": {
+          "name": "stack_environment_variables_stack_name_environment_id_key_unique",
+          "columns": [
+            "stack_name",
+            "environment_id",
+            "key"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "stack_environment_variables_environment_id_environments_id_fk": {
+          "name": "stack_environment_variables_environment_id_environments_id_fk",
+          "tableFrom": "stack_environment_variables",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "stack_events": {
+      "name": "stack_events",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "event_type": {
+          "name": "event_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "timestamp": {
+          "name": "timestamp",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "stack_events_environment_id_environments_id_fk": {
+          "name": "stack_events_environment_id_environments_id_fk",
+          "tableFrom": "stack_events",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "stack_sources": {
+      "name": "stack_sources",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "source_type": {
+          "name": "source_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'internal'"
+        },
+        "git_repository_id": {
+          "name": "git_repository_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "git_stack_id": {
+          "name": "git_stack_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "stack_sources_stack_name_environment_id_unique": {
+          "name": "stack_sources_stack_name_environment_id_unique",
+          "columns": [
+            "stack_name",
+            "environment_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "stack_sources_environment_id_environments_id_fk": {
+          "name": "stack_sources_environment_id_environments_id_fk",
+          "tableFrom": "stack_sources",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "stack_sources_git_repository_id_git_repositories_id_fk": {
+          "name": "stack_sources_git_repository_id_git_repositories_id_fk",
+          "tableFrom": "stack_sources",
+          "tableTo": "git_repositories",
+          "columnsFrom": [
+            "git_repository_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "stack_sources_git_stack_id_git_stacks_id_fk": {
+          "name": "stack_sources_git_stack_id_git_stacks_id_fk",
+          "tableFrom": "stack_sources",
+          "tableTo": "git_stacks",
+          "columnsFrom": [
+            "git_stack_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "user_preferences": {
+      "name": "user_preferences",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "user_preferences_user_id_environment_id_key_unique": {
+          "name": "user_preferences_user_id_environment_id_key_unique",
+          "columns": [
+            "user_id",
+            "environment_id",
+            "key"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "user_preferences_user_id_users_id_fk": {
+          "name": "user_preferences_user_id_users_id_fk",
+          "tableFrom": "user_preferences",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "user_preferences_environment_id_environments_id_fk": {
+          "name": "user_preferences_environment_id_environments_id_fk",
+          "tableFrom": "user_preferences",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "user_roles": {
+      "name": "user_roles",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "role_id": {
+          "name": "role_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "user_roles_user_id_role_id_environment_id_unique": {
+          "name": "user_roles_user_id_role_id_environment_id_unique",
+          "columns": [
+            "user_id",
+            "role_id",
+            "environment_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "user_roles_user_id_users_id_fk": {
+          "name": "user_roles_user_id_users_id_fk",
+          "tableFrom": "user_roles",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "user_roles_role_id_roles_id_fk": {
+          "name": "user_roles_role_id_roles_id_fk",
+          "tableFrom": "user_roles",
+          "tableTo": "roles",
+          "columnsFrom": [
+            "role_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "user_roles_environment_id_environments_id_fk": {
+          "name": "user_roles_environment_id_environments_id_fk",
+          "tableFrom": "user_roles",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "users": {
+      "name": "users",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "password_hash": {
+          "name": "password_hash",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "display_name": {
+          "name": "display_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "avatar": {
+          "name": "avatar",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "auth_provider": {
+          "name": "auth_provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'local'"
+        },
+        "mfa_enabled": {
+          "name": "mfa_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "mfa_secret": {
+          "name": "mfa_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "last_login": {
+          "name": "last_login",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "users_username_unique": {
+          "name": "users_username_unique",
+          "columns": [
+            "username"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "vulnerability_scans": {
+      "name": "vulnerability_scans",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "image_id": {
+          "name": "image_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "image_name": {
+          "name": "image_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "scanner": {
+          "name": "scanner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "scanned_at": {
+          "name": "scanned_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "scan_duration": {
+          "name": "scan_duration",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "critical_count": {
+          "name": "critical_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 0
+        },
+        "high_count": {
+          "name": "high_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 0
+        },
+        "medium_count": {
+          "name": "medium_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 0
+        },
+        "low_count": {
+          "name": "low_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 0
+        },
+        "negligible_count": {
+          "name": "negligible_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 0
+        },
+        "unknown_count": {
+          "name": "unknown_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 0
+        },
+        "vulnerabilities": {
+          "name": "vulnerabilities",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "error": {
+          "name": "error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "vulnerability_scans_env_image_idx": {
+          "name": "vulnerability_scans_env_image_idx",
+          "columns": [
+            "environment_id",
+            "image_id"
+          ],
+          "isUnique": false
+        }
+      },
+      "foreignKeys": {
+        "vulnerability_scans_environment_id_environments_id_fk": {
+          "name": "vulnerability_scans_environment_id_environments_id_fk",
+          "tableFrom": "vulnerability_scans",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    }
+  },
+  "views": {},
+  "enums": {},
+  "_meta": {
+    "schemas": {},
+    "tables": {},
+    "columns": {}
+  },
+  "internal": {
+    "indexes": {}
+  }
+}
\ No newline at end of file
diff --git a/drizzle/meta/0003_snapshot.json b/drizzle/meta/0003_snapshot.json
new file mode 100644
index 0000000..5a24de1
--- /dev/null
+++ b/drizzle/meta/0003_snapshot.json
@@ -0,0 +1,3022 @@
+{
+  "version": "6",
+  "dialect": "sqlite",
+  "id": "6414712d-d1a8-437b-9d1c-e339b4829a85",
+  "prevId": "31bce98b-04c0-4e21-8cb0-49a67c345d87",
+  "tables": {
+    "audit_logs": {
+      "name": "audit_logs",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "action": {
+          "name": "action",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "entity_type": {
+          "name": "entity_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "entity_id": {
+          "name": "entity_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "entity_name": {
+          "name": "entity_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "details": {
+          "name": "details",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "ip_address": {
+          "name": "ip_address",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "user_agent": {
+          "name": "user_agent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "audit_logs_user_id_idx": {
+          "name": "audit_logs_user_id_idx",
+          "columns": [
+            "user_id"
+          ],
+          "isUnique": false
+        },
+        "audit_logs_created_at_idx": {
+          "name": "audit_logs_created_at_idx",
+          "columns": [
+            "created_at"
+          ],
+          "isUnique": false
+        }
+      },
+      "foreignKeys": {
+        "audit_logs_user_id_users_id_fk": {
+          "name": "audit_logs_user_id_users_id_fk",
+          "tableFrom": "audit_logs",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "audit_logs_environment_id_environments_id_fk": {
+          "name": "audit_logs_environment_id_environments_id_fk",
+          "tableFrom": "audit_logs",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "auth_settings": {
+      "name": "auth_settings",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "auth_enabled": {
+          "name": "auth_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "default_provider": {
+          "name": "default_provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'local'"
+        },
+        "session_timeout": {
+          "name": "session_timeout",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 86400
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "auto_update_settings": {
+      "name": "auto_update_settings",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "container_name": {
+          "name": "container_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "schedule_type": {
+          "name": "schedule_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'daily'"
+        },
+        "cron_expression": {
+          "name": "cron_expression",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "vulnerability_criteria": {
+          "name": "vulnerability_criteria",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'never'"
+        },
+        "last_checked": {
+          "name": "last_checked",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_updated": {
+          "name": "last_updated",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "auto_update_settings_environment_id_container_name_unique": {
+          "name": "auto_update_settings_environment_id_container_name_unique",
+          "columns": [
+            "environment_id",
+            "container_name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "auto_update_settings_environment_id_environments_id_fk": {
+          "name": "auto_update_settings_environment_id_environments_id_fk",
+          "tableFrom": "auto_update_settings",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "no action",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "config_sets": {
+      "name": "config_sets",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "env_vars": {
+          "name": "env_vars",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "labels": {
+          "name": "labels",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "ports": {
+          "name": "ports",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "volumes": {
+          "name": "volumes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "network_mode": {
+          "name": "network_mode",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'bridge'"
+        },
+        "restart_policy": {
+          "name": "restart_policy",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'no'"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "config_sets_name_unique": {
+          "name": "config_sets_name_unique",
+          "columns": [
+            "name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "container_events": {
+      "name": "container_events",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "container_id": {
+          "name": "container_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "container_name": {
+          "name": "container_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "image": {
+          "name": "image",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "action": {
+          "name": "action",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "actor_attributes": {
+          "name": "actor_attributes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "timestamp": {
+          "name": "timestamp",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "container_events_env_timestamp_idx": {
+          "name": "container_events_env_timestamp_idx",
+          "columns": [
+            "environment_id",
+            "timestamp"
+          ],
+          "isUnique": false
+        }
+      },
+      "foreignKeys": {
+        "container_events_environment_id_environments_id_fk": {
+          "name": "container_events_environment_id_environments_id_fk",
+          "tableFrom": "container_events",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "environment_notifications": {
+      "name": "environment_notifications",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "notification_id": {
+          "name": "notification_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "event_types": {
+          "name": "event_types",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "environment_notifications_environment_id_notification_id_unique": {
+          "name": "environment_notifications_environment_id_notification_id_unique",
+          "columns": [
+            "environment_id",
+            "notification_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "environment_notifications_environment_id_environments_id_fk": {
+          "name": "environment_notifications_environment_id_environments_id_fk",
+          "tableFrom": "environment_notifications",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "environment_notifications_notification_id_notification_settings_id_fk": {
+          "name": "environment_notifications_notification_id_notification_settings_id_fk",
+          "tableFrom": "environment_notifications",
+          "tableTo": "notification_settings",
+          "columnsFrom": [
+            "notification_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "environments": {
+      "name": "environments",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "host": {
+          "name": "host",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "port": {
+          "name": "port",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 2375
+        },
+        "protocol": {
+          "name": "protocol",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'http'"
+        },
+        "tls_ca": {
+          "name": "tls_ca",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "tls_cert": {
+          "name": "tls_cert",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "tls_key": {
+          "name": "tls_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "tls_skip_verify": {
+          "name": "tls_skip_verify",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "icon": {
+          "name": "icon",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'globe'"
+        },
+        "collect_activity": {
+          "name": "collect_activity",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "collect_metrics": {
+          "name": "collect_metrics",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "highlight_changes": {
+          "name": "highlight_changes",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "labels": {
+          "name": "labels",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "connection_type": {
+          "name": "connection_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'socket'"
+        },
+        "socket_path": {
+          "name": "socket_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'/var/run/docker.sock'"
+        },
+        "hawser_token": {
+          "name": "hawser_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "hawser_last_seen": {
+          "name": "hawser_last_seen",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "hawser_agent_id": {
+          "name": "hawser_agent_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "hawser_agent_name": {
+          "name": "hawser_agent_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "hawser_version": {
+          "name": "hawser_version",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "hawser_capabilities": {
+          "name": "hawser_capabilities",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "environments_name_unique": {
+          "name": "environments_name_unique",
+          "columns": [
+            "name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "git_credentials": {
+      "name": "git_credentials",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "auth_type": {
+          "name": "auth_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'none'"
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "ssh_private_key": {
+          "name": "ssh_private_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "ssh_passphrase": {
+          "name": "ssh_passphrase",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "git_credentials_name_unique": {
+          "name": "git_credentials_name_unique",
+          "columns": [
+            "name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "git_repositories": {
+      "name": "git_repositories",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "url": {
+          "name": "url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "branch": {
+          "name": "branch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'main'"
+        },
+        "credential_id": {
+          "name": "credential_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "compose_path": {
+          "name": "compose_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'docker-compose.yml'"
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "auto_update": {
+          "name": "auto_update",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "auto_update_schedule": {
+          "name": "auto_update_schedule",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'daily'"
+        },
+        "auto_update_cron": {
+          "name": "auto_update_cron",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'0 3 * * *'"
+        },
+        "webhook_enabled": {
+          "name": "webhook_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "webhook_secret": {
+          "name": "webhook_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_sync": {
+          "name": "last_sync",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_commit": {
+          "name": "last_commit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "sync_status": {
+          "name": "sync_status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'pending'"
+        },
+        "sync_error": {
+          "name": "sync_error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "git_repositories_name_unique": {
+          "name": "git_repositories_name_unique",
+          "columns": [
+            "name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "git_repositories_credential_id_git_credentials_id_fk": {
+          "name": "git_repositories_credential_id_git_credentials_id_fk",
+          "tableFrom": "git_repositories",
+          "tableTo": "git_credentials",
+          "columnsFrom": [
+            "credential_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "git_stacks": {
+      "name": "git_stacks",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "repository_id": {
+          "name": "repository_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "compose_path": {
+          "name": "compose_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'docker-compose.yml'"
+        },
+        "env_file_path": {
+          "name": "env_file_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "auto_update": {
+          "name": "auto_update",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "auto_update_schedule": {
+          "name": "auto_update_schedule",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'daily'"
+        },
+        "auto_update_cron": {
+          "name": "auto_update_cron",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'0 3 * * *'"
+        },
+        "webhook_enabled": {
+          "name": "webhook_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "webhook_secret": {
+          "name": "webhook_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_sync": {
+          "name": "last_sync",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_commit": {
+          "name": "last_commit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "sync_status": {
+          "name": "sync_status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'pending'"
+        },
+        "sync_error": {
+          "name": "sync_error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "git_stacks_stack_name_environment_id_unique": {
+          "name": "git_stacks_stack_name_environment_id_unique",
+          "columns": [
+            "stack_name",
+            "environment_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "git_stacks_environment_id_environments_id_fk": {
+          "name": "git_stacks_environment_id_environments_id_fk",
+          "tableFrom": "git_stacks",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "git_stacks_repository_id_git_repositories_id_fk": {
+          "name": "git_stacks_repository_id_git_repositories_id_fk",
+          "tableFrom": "git_stacks",
+          "tableTo": "git_repositories",
+          "columnsFrom": [
+            "repository_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "hawser_tokens": {
+      "name": "hawser_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "token": {
+          "name": "token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token_prefix": {
+          "name": "token_prefix",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "last_used": {
+          "name": "last_used",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {
+        "hawser_tokens_token_unique": {
+          "name": "hawser_tokens_token_unique",
+          "columns": [
+            "token"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "hawser_tokens_environment_id_environments_id_fk": {
+          "name": "hawser_tokens_environment_id_environments_id_fk",
+          "tableFrom": "hawser_tokens",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "host_metrics": {
+      "name": "host_metrics",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "cpu_percent": {
+          "name": "cpu_percent",
+          "type": "real",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "memory_percent": {
+          "name": "memory_percent",
+          "type": "real",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "memory_used": {
+          "name": "memory_used",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "memory_total": {
+          "name": "memory_total",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "timestamp": {
+          "name": "timestamp",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "host_metrics_env_timestamp_idx": {
+          "name": "host_metrics_env_timestamp_idx",
+          "columns": [
+            "environment_id",
+            "timestamp"
+          ],
+          "isUnique": false
+        }
+      },
+      "foreignKeys": {
+        "host_metrics_environment_id_environments_id_fk": {
+          "name": "host_metrics_environment_id_environments_id_fk",
+          "tableFrom": "host_metrics",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "ldap_config": {
+      "name": "ldap_config",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "server_url": {
+          "name": "server_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "bind_dn": {
+          "name": "bind_dn",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "bind_password": {
+          "name": "bind_password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "base_dn": {
+          "name": "base_dn",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "user_filter": {
+          "name": "user_filter",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'(uid={{username}})'"
+        },
+        "username_attribute": {
+          "name": "username_attribute",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'uid'"
+        },
+        "email_attribute": {
+          "name": "email_attribute",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'mail'"
+        },
+        "display_name_attribute": {
+          "name": "display_name_attribute",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'cn'"
+        },
+        "group_base_dn": {
+          "name": "group_base_dn",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "group_filter": {
+          "name": "group_filter",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "admin_group": {
+          "name": "admin_group",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "role_mappings": {
+          "name": "role_mappings",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "tls_enabled": {
+          "name": "tls_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "tls_ca": {
+          "name": "tls_ca",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "notification_settings": {
+      "name": "notification_settings",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "type": {
+          "name": "type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "config": {
+          "name": "config",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "event_types": {
+          "name": "event_types",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "oidc_config": {
+      "name": "oidc_config",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "issuer_url": {
+          "name": "issuer_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "client_id": {
+          "name": "client_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "client_secret": {
+          "name": "client_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "redirect_uri": {
+          "name": "redirect_uri",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "scopes": {
+          "name": "scopes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'openid profile email'"
+        },
+        "username_claim": {
+          "name": "username_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'preferred_username'"
+        },
+        "email_claim": {
+          "name": "email_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'email'"
+        },
+        "display_name_claim": {
+          "name": "display_name_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'name'"
+        },
+        "admin_claim": {
+          "name": "admin_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "admin_value": {
+          "name": "admin_value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "role_mappings_claim": {
+          "name": "role_mappings_claim",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'groups'"
+        },
+        "role_mappings": {
+          "name": "role_mappings",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "pending_container_updates": {
+      "name": "pending_container_updates",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "container_id": {
+          "name": "container_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "container_name": {
+          "name": "container_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "current_image": {
+          "name": "current_image",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "checked_at": {
+          "name": "checked_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "pending_container_updates_environment_id_container_id_unique": {
+          "name": "pending_container_updates_environment_id_container_id_unique",
+          "columns": [
+            "environment_id",
+            "container_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "pending_container_updates_environment_id_environments_id_fk": {
+          "name": "pending_container_updates_environment_id_environments_id_fk",
+          "tableFrom": "pending_container_updates",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "registries": {
+      "name": "registries",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "url": {
+          "name": "url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_default": {
+          "name": "is_default",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "registries_name_unique": {
+          "name": "registries_name_unique",
+          "columns": [
+            "name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "roles": {
+      "name": "roles",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_system": {
+          "name": "is_system",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "permissions": {
+          "name": "permissions",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_ids": {
+          "name": "environment_ids",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "roles_name_unique": {
+          "name": "roles_name_unique",
+          "columns": [
+            "name"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "schedule_executions": {
+      "name": "schedule_executions",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "schedule_type": {
+          "name": "schedule_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "schedule_id": {
+          "name": "schedule_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "entity_name": {
+          "name": "entity_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "triggered_by": {
+          "name": "triggered_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "triggered_at": {
+          "name": "triggered_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "started_at": {
+          "name": "started_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "completed_at": {
+          "name": "completed_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "duration": {
+          "name": "duration",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "status": {
+          "name": "status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "error_message": {
+          "name": "error_message",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "details": {
+          "name": "details",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "logs": {
+          "name": "logs",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "schedule_executions_type_id_idx": {
+          "name": "schedule_executions_type_id_idx",
+          "columns": [
+            "schedule_type",
+            "schedule_id"
+          ],
+          "isUnique": false
+        }
+      },
+      "foreignKeys": {
+        "schedule_executions_environment_id_environments_id_fk": {
+          "name": "schedule_executions_environment_id_environments_id_fk",
+          "tableFrom": "schedule_executions",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "sessions": {
+      "name": "sessions",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "provider": {
+          "name": "provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "sessions_user_id_idx": {
+          "name": "sessions_user_id_idx",
+          "columns": [
+            "user_id"
+          ],
+          "isUnique": false
+        },
+        "sessions_expires_at_idx": {
+          "name": "sessions_expires_at_idx",
+          "columns": [
+            "expires_at"
+          ],
+          "isUnique": false
+        }
+      },
+      "foreignKeys": {
+        "sessions_user_id_users_id_fk": {
+          "name": "sessions_user_id_users_id_fk",
+          "tableFrom": "sessions",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "settings": {
+      "name": "settings",
+      "columns": {
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "stack_environment_variables": {
+      "name": "stack_environment_variables",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "is_secret": {
+          "name": "is_secret",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "stack_environment_variables_stack_name_environment_id_key_unique": {
+          "name": "stack_environment_variables_stack_name_environment_id_key_unique",
+          "columns": [
+            "stack_name",
+            "environment_id",
+            "key"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "stack_environment_variables_environment_id_environments_id_fk": {
+          "name": "stack_environment_variables_environment_id_environments_id_fk",
+          "tableFrom": "stack_environment_variables",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "stack_events": {
+      "name": "stack_events",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "event_type": {
+          "name": "event_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "timestamp": {
+          "name": "timestamp",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "stack_events_environment_id_environments_id_fk": {
+          "name": "stack_events_environment_id_environments_id_fk",
+          "tableFrom": "stack_events",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "stack_sources": {
+      "name": "stack_sources",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "stack_name": {
+          "name": "stack_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "source_type": {
+          "name": "source_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'internal'"
+        },
+        "git_repository_id": {
+          "name": "git_repository_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "git_stack_id": {
+          "name": "git_stack_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "compose_path": {
+          "name": "compose_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "env_path": {
+          "name": "env_path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "stack_sources_stack_name_environment_id_unique": {
+          "name": "stack_sources_stack_name_environment_id_unique",
+          "columns": [
+            "stack_name",
+            "environment_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "stack_sources_environment_id_environments_id_fk": {
+          "name": "stack_sources_environment_id_environments_id_fk",
+          "tableFrom": "stack_sources",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "stack_sources_git_repository_id_git_repositories_id_fk": {
+          "name": "stack_sources_git_repository_id_git_repositories_id_fk",
+          "tableFrom": "stack_sources",
+          "tableTo": "git_repositories",
+          "columnsFrom": [
+            "git_repository_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "stack_sources_git_stack_id_git_stacks_id_fk": {
+          "name": "stack_sources_git_stack_id_git_stacks_id_fk",
+          "tableFrom": "stack_sources",
+          "tableTo": "git_stacks",
+          "columnsFrom": [
+            "git_stack_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "user_preferences": {
+      "name": "user_preferences",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "user_preferences_user_id_environment_id_key_unique": {
+          "name": "user_preferences_user_id_environment_id_key_unique",
+          "columns": [
+            "user_id",
+            "environment_id",
+            "key"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "user_preferences_user_id_users_id_fk": {
+          "name": "user_preferences_user_id_users_id_fk",
+          "tableFrom": "user_preferences",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "user_preferences_environment_id_environments_id_fk": {
+          "name": "user_preferences_environment_id_environments_id_fk",
+          "tableFrom": "user_preferences",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "user_roles": {
+      "name": "user_roles",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "role_id": {
+          "name": "role_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "user_roles_user_id_role_id_environment_id_unique": {
+          "name": "user_roles_user_id_role_id_environment_id_unique",
+          "columns": [
+            "user_id",
+            "role_id",
+            "environment_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "user_roles_user_id_users_id_fk": {
+          "name": "user_roles_user_id_users_id_fk",
+          "tableFrom": "user_roles",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "user_roles_role_id_roles_id_fk": {
+          "name": "user_roles_role_id_roles_id_fk",
+          "tableFrom": "user_roles",
+          "tableTo": "roles",
+          "columnsFrom": [
+            "role_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "user_roles_environment_id_environments_id_fk": {
+          "name": "user_roles_environment_id_environments_id_fk",
+          "tableFrom": "user_roles",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "users": {
+      "name": "users",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "password_hash": {
+          "name": "password_hash",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "display_name": {
+          "name": "display_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "avatar": {
+          "name": "avatar",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "auth_provider": {
+          "name": "auth_provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'local'"
+        },
+        "mfa_enabled": {
+          "name": "mfa_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "mfa_secret": {
+          "name": "mfa_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "last_login": {
+          "name": "last_login",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "users_username_unique": {
+          "name": "users_username_unique",
+          "columns": [
+            "username"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "vulnerability_scans": {
+      "name": "vulnerability_scans",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "environment_id": {
+          "name": "environment_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "image_id": {
+          "name": "image_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "image_name": {
+          "name": "image_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "scanner": {
+          "name": "scanner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "scanned_at": {
+          "name": "scanned_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "scan_duration": {
+          "name": "scan_duration",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "critical_count": {
+          "name": "critical_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 0
+        },
+        "high_count": {
+          "name": "high_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 0
+        },
+        "medium_count": {
+          "name": "medium_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 0
+        },
+        "low_count": {
+          "name": "low_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 0
+        },
+        "negligible_count": {
+          "name": "negligible_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 0
+        },
+        "unknown_count": {
+          "name": "unknown_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": 0
+        },
+        "vulnerabilities": {
+          "name": "vulnerabilities",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "error": {
+          "name": "error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "vulnerability_scans_env_image_idx": {
+          "name": "vulnerability_scans_env_image_idx",
+          "columns": [
+            "environment_id",
+            "image_id"
+          ],
+          "isUnique": false
+        }
+      },
+      "foreignKeys": {
+        "vulnerability_scans_environment_id_environments_id_fk": {
+          "name": "vulnerability_scans_environment_id_environments_id_fk",
+          "tableFrom": "vulnerability_scans",
+          "tableTo": "environments",
+          "columnsFrom": [
+            "environment_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    }
+  },
+  "views": {},
+  "enums": {},
+  "_meta": {
+    "schemas": {},
+    "tables": {},
+    "columns": {}
+  },
+  "internal": {
+    "indexes": {}
+  }
+}
\ No newline at end of file
diff --git a/drizzle/meta/_journal.json b/drizzle/meta/_journal.json
new file mode 100644
index 0000000..f4192f3
--- /dev/null
+++ b/drizzle/meta/_journal.json
@@ -0,0 +1,34 @@
+{
+  "version": "7",
+  "dialect": "sqlite",
+  "entries": [
+    {
+      "idx": 0,
+      "version": "6",
+      "when": 1765804016391,
+      "tag": "0000_initial_schema",
+      "breakpoints": true
+    },
+    {
+      "idx": 1,
+      "version": "6",
+      "when": 1766378754939,
+      "tag": "0001_add_stack_env_vars",
+      "breakpoints": true
+    },
+    {
+      "idx": 2,
+      "version": "6",
+      "when": 1766763860091,
+      "tag": "0002_add_pending_container_updates",
+      "breakpoints": true
+    },
+    {
+      "idx": 3,
+      "version": "6",
+      "when": 1767689000000,
+      "tag": "0003_add_stack_paths",
+      "breakpoints": true
+    }
+  ]
+}
\ No newline at end of file
diff --git a/lib/.DS_Store b/lib/.DS_Store
deleted file mode 100644
index cd8d495..0000000
Binary files a/lib/.DS_Store and /dev/null differ
diff --git a/lib/components/StackEnvVarsPanel.svelte b/lib/components/StackEnvVarsPanel.svelte
deleted file mode 100644
index 15446ec..0000000
--- a/lib/components/StackEnvVarsPanel.svelte
+++ /dev/null
@@ -1,236 +0,0 @@
-<script lang="ts">
-	import { Button } from '$lib/components/ui/button';
-	import StackEnvVarsEditor, { type EnvVar, type ValidationResult } from '$lib/components/StackEnvVarsEditor.svelte';
-	import ConfirmPopover from '$lib/components/ConfirmPopover.svelte';
-	import { Plus, Info, Upload, Trash2 } from 'lucide-svelte';
-	import * as Tooltip from '$lib/components/ui/tooltip';
-
-	interface Props {
-		variables: EnvVar[];
-		validation?: ValidationResult | null;
-		readonly?: boolean;
-		showSource?: boolean;
-		sources?: Record<string, 'file' | 'override'>;
-		placeholder?: { key: string; value: string };
-		infoText?: string;
-		existingSecretKeys?: Set<string>;
-		class?: string;
-		onchange?: () => void;
-	}
-
-	let {
-		variables = $bindable(),
-		validation = null,
-		readonly = false,
-		showSource = false,
-		sources = {},
-		placeholder = { key: 'VARIABLE_NAME', value: 'value' },
-		infoText,
-		existingSecretKeys = new Set<string>(),
-		class: className = '',
-		onchange
-	}: Props = $props();
-
-	let fileInputRef: HTMLInputElement;
-
-	function addEnvVariable() {
-		variables = [...variables, { key: '', value: '', isSecret: false }];
-	}
-
-	function handleLoadFromFile() {
-		fileInputRef?.click();
-	}
-
-	function parseEnvFile(content: string): EnvVar[] {
-		const lines = content.split('\n');
-		const envVars: EnvVar[] = [];
-
-		for (const line of lines) {
-			// Skip empty lines and comments
-			const trimmed = line.trim();
-			if (!trimmed || trimmed.startsWith('#')) continue;
-
-			// Parse KEY=VALUE format
-			const eqIndex = trimmed.indexOf('=');
-			if (eqIndex === -1) continue;
-
-			const key = trimmed.slice(0, eqIndex).trim();
-			let value = trimmed.slice(eqIndex + 1).trim();
-
-			// Remove surrounding quotes if present
-			if ((value.startsWith('"') && value.endsWith('"')) ||
-			    (value.startsWith("'") && value.endsWith("'"))) {
-				value = value.slice(1, -1);
-			}
-
-			if (key) {
-				envVars.push({ key, value, isSecret: false });
-			}
-		}
-
-		return envVars;
-	}
-
-	function handleFileSelect(event: Event) {
-		const input = event.target as HTMLInputElement;
-		const file = input.files?.[0];
-		if (!file) return;
-
-		const reader = new FileReader();
-		reader.onload = (e) => {
-			const content = e.target?.result as string;
-			const parsedVars = parseEnvFile(content);
-
-			if (parsedVars.length > 0) {
-				// Get existing keys to avoid duplicates
-				const existingKeys = new Set(variables.filter(v => v.key.trim()).map(v => v.key.trim()));
-
-				// Filter empty entries from current variables
-				const nonEmptyVars = variables.filter(v => v.key.trim());
-
-				// Add new variables, updating existing ones or appending new
-				for (const newVar of parsedVars) {
-					if (existingKeys.has(newVar.key)) {
-						// Update existing variable
-						const idx = nonEmptyVars.findIndex(v => v.key.trim() === newVar.key);
-						if (idx !== -1) {
-							nonEmptyVars[idx] = { ...nonEmptyVars[idx], value: newVar.value };
-						}
-					} else {
-						// Add new variable
-						nonEmptyVars.push(newVar);
-						existingKeys.add(newVar.key);
-					}
-				}
-
-				variables = nonEmptyVars;
-				// Notify parent of change (important for async file load)
-				onchange?.();
-			}
-		};
-		reader.readAsText(file);
-
-		// Reset input so the same file can be selected again
-		input.value = '';
-	}
-
-	function clearAllVariables() {
-		variables = [];
-	}
-
-	// Count of non-empty variables
-	const hasVariables = $derived(variables.some(v => v.key.trim()));
-</script>
-
-<div class="flex flex-col h-full {className}">
-	<!-- Header -->
-	<div class="px-4 py-2.5 border-b border-zinc-200 dark:border-zinc-700 flex flex-col gap-1.5">
-		<div class="flex items-center justify-between">
-			<div class="flex items-center gap-2">
-				<span class="text-xs text-zinc-500 dark:text-zinc-400">Environment variables</span>
-				{#if infoText}
-					<Tooltip.Root>
-						<Tooltip.Trigger>
-							<Info class="w-3.5 h-3.5 text-blue-400" />
-						</Tooltip.Trigger>
-						<Tooltip.Content class="max-w-md">
-							<p class="text-xs">{infoText}</p>
-						</Tooltip.Content>
-					</Tooltip.Root>
-				{/if}
-			</div>
-			{#if !readonly}
-				<div class="flex items-center gap-1">
-					<Button type="button" size="sm" variant="ghost" onclick={handleLoadFromFile} class="h-6 text-xs px-2">
-						<Upload class="w-3.5 h-3.5 mr-1" />
-						Load .env
-					</Button>
-					<Button type="button" size="sm" variant="ghost" onclick={addEnvVariable} class="h-6 text-xs px-2">
-						<Plus class="w-3.5 h-3.5 mr-1" />
-						Add
-					</Button>
-					{#if hasVariables}
-						<ConfirmPopover
-							title="Clear all variables"
-							description="This will remove all environment variables. This cannot be undone."
-							confirmText="Clear all"
-							onConfirm={clearAllVariables}
-						>
-							<Button type="button" size="sm" variant="ghost" class="h-6 text-xs px-2 text-destructive hover:text-destructive">
-								<Trash2 class="w-3.5 h-3.5 mr-1" />
-								Clear
-							</Button>
-						</ConfirmPopover>
-					{/if}
-				</div>
-				<input
-					bind:this={fileInputRef}
-					type="file"
-					accept=".env,.env.*,text/plain"
-					class="hidden"
-					onchange={handleFileSelect}
-				/>
-			{/if}
-		</div>
-		<!-- Variable syntax help -->
-		<div class="flex flex-wrap gap-x-3 gap-y-0.5 text-2xs text-zinc-400 dark:text-zinc-500 font-mono">
-			<span><span class="text-zinc-500 dark:text-zinc-400">${`{VAR}`}</span> required</span>
-			<span><span class="text-zinc-500 dark:text-zinc-400">${`{VAR:-default}`}</span> optional</span>
-			<span><span class="text-zinc-500 dark:text-zinc-400">${`{VAR:?error}`}</span> required w/ error</span>
-		</div>
-		<!-- Validation status pills -->
-		{#if validation}
-			<div class="flex flex-wrap gap-1">
-				{#if validation.missing.length > 0}
-					<span class="inline-flex items-center px-1.5 py-0.5 rounded text-2xs font-medium bg-red-100 text-red-700 dark:bg-red-900/30 dark:text-red-300">
-						{validation.missing.length} missing
-					</span>
-				{/if}
-				{#if validation.required.length > 0}
-					<span class="inline-flex items-center px-1.5 py-0.5 rounded text-2xs font-medium bg-green-100 text-green-700 dark:bg-green-900/30 dark:text-green-300">
-						{validation.required.length - validation.missing.length} required
-					</span>
-				{/if}
-				{#if validation.optional.length > 0}
-					<span class="inline-flex items-center px-1.5 py-0.5 rounded text-2xs font-medium bg-blue-100 text-blue-700 dark:bg-blue-900/30 dark:text-blue-300">
-						{validation.optional.length} optional
-					</span>
-				{/if}
-				{#if validation.unused.length > 0}
-					<span class="inline-flex items-center px-1.5 py-0.5 rounded text-2xs font-medium bg-amber-100 text-amber-700 dark:bg-amber-900/30 dark:text-amber-300">
-						{validation.unused.length} unused
-					</span>
-				{/if}
-			</div>
-		{/if}
-		<!-- Add missing variables -->
-		{#if validation && validation.missing.length > 0 && !readonly}
-			<div class="flex flex-wrap gap-1 items-center">
-				<span class="text-xs text-muted-foreground mr-1">Add missing:</span>
-				{#each validation.missing as missing}
-					<button
-						type="button"
-						onclick={() => {
-							variables = [...variables, { key: missing, value: '', isSecret: false }];
-						}}
-						class="text-xs px-1.5 py-0.5 rounded bg-red-100 text-red-700 hover:bg-red-200 dark:bg-red-900/30 dark:text-red-300 dark:hover:bg-red-900/50 transition-colors"
-					>
-						{missing}
-					</button>
-				{/each}
-			</div>
-		{/if}
-	</div>
-	<!-- Variables list -->
-	<div class="flex-1 overflow-auto px-4 py-3">
-		<StackEnvVarsEditor
-			bind:variables
-			{validation}
-			{readonly}
-			{showSource}
-			{sources}
-			{placeholder}
-			{existingSecretKeys}
-		/>
-	</div>
-</div>
diff --git a/lib/server/.DS_Store b/lib/server/.DS_Store
deleted file mode 100644
index 7d5961e..0000000
Binary files a/lib/server/.DS_Store and /dev/null differ
diff --git a/lib/server/db/.DS_Store b/lib/server/db/.DS_Store
deleted file mode 100644
index cff8ab3..0000000
Binary files a/lib/server/db/.DS_Store and /dev/null differ
diff --git a/lib/server/metrics-collector.ts b/lib/server/metrics-collector.ts
deleted file mode 100644
index dbccbff..0000000
--- a/lib/server/metrics-collector.ts
+++ /dev/null
@@ -1,271 +0,0 @@
-import { saveHostMetric, getEnvironments, getEnvSetting } from './db';
-import { listContainers, getContainerStats, getDockerInfo, getDiskUsage } from './docker';
-import { sendEventNotification } from './notifications';
-import os from 'node:os';
-
-const COLLECT_INTERVAL = 10000; // 10 seconds
-const DISK_CHECK_INTERVAL = 300000; // 5 minutes
-const DEFAULT_DISK_THRESHOLD = 80; // 80% threshold for disk warnings
-
-let collectorInterval: ReturnType<typeof setInterval> | null = null;
-let diskCheckInterval: ReturnType<typeof setInterval> | null = null;
-
-// Track last disk warning sent per environment to avoid spamming
-const lastDiskWarning: Map<number, number> = new Map();
-const DISK_WARNING_COOLDOWN = 3600000; // 1 hour between warnings
-
-/**
- * Collect metrics for a single environment
- */
-async function collectEnvMetrics(env: { id: number; name: string; collectMetrics?: boolean }) {
-	try {
-		// Skip environments where metrics collection is disabled
-		if (env.collectMetrics === false) {
-			return;
-		}
-
-		// Get running containers
-		const containers = await listContainers(false, env.id); // Only running
-		let totalCpuPercent = 0;
-		let totalMemUsed = 0;
-
-		// Get stats for each running container
-		const statsPromises = containers.map(async (container) => {
-			try {
-				const stats = await getContainerStats(container.id, env.id) as any;
-
-				// Calculate CPU percentage
-				const cpuDelta = stats.cpu_stats.cpu_usage.total_usage - stats.precpu_stats.cpu_usage.total_usage;
-				const systemDelta = stats.cpu_stats.system_cpu_usage - stats.precpu_stats.system_cpu_usage;
-				const cpuCount = stats.cpu_stats.online_cpus || os.cpus().length;
-
-				let cpuPercent = 0;
-				if (systemDelta > 0 && cpuDelta > 0) {
-					cpuPercent = (cpuDelta / systemDelta) * cpuCount * 100;
-				}
-
-				// Get container memory usage
-				const memUsage = stats.memory_stats?.usage || 0;
-				const memCache = stats.memory_stats?.stats?.cache || 0;
-				// Subtract cache from usage to get actual memory used by the container
-				const actualMemUsed = memUsage - memCache;
-
-				return { cpu: cpuPercent, mem: actualMemUsed > 0 ? actualMemUsed : memUsage };
-			} catch {
-				return { cpu: 0, mem: 0 };
-			}
-		});
-
-		const statsResults = await Promise.all(statsPromises);
-		totalCpuPercent = statsResults.reduce((sum, v) => sum + v.cpu, 0);
-		totalMemUsed = statsResults.reduce((sum, v) => sum + v.mem, 0);
-
-		// Get host total memory from Docker info (this is the remote host's memory)
-		const info = await getDockerInfo(env.id) as any;
-		const memTotal = info.MemTotal || os.totalmem();
-
-		// Calculate memory percentage based on container usage vs host total
-		const memPercent = memTotal > 0 ? (totalMemUsed / memTotal) * 100 : 0;
-
-		// Normalize CPU by number of cores from the remote host
-		const cpuCount = info.NCPU || os.cpus().length;
-		const normalizedCpu = totalCpuPercent / cpuCount;
-
-		// Save to database
-		await saveHostMetric(
-			normalizedCpu,
-			memPercent,
-			totalMemUsed,
-			memTotal,
-			env.id
-		);
-	} catch (error) {
-		// Skip this environment if it fails (might be offline)
-		console.error(`Failed to collect metrics for ${env.name}:`, error);
-	}
-}
-
-async function collectMetrics() {
-	try {
-		const environments = await getEnvironments();
-
-		// Filter enabled environments and collect metrics in parallel
-		const enabledEnvs = environments.filter(env => env.collectMetrics !== false);
-
-		// Process all environments in parallel for better performance
-		await Promise.all(enabledEnvs.map(env => collectEnvMetrics(env)));
-	} catch (error) {
-		console.error('Metrics collection error:', error);
-	}
-}
-
-/**
- * Check disk space for a single environment
- */
-async function checkEnvDiskSpace(env: { id: number; name: string; collectMetrics?: boolean }) {
-	try {
-		// Skip environments where metrics collection is disabled
-		if (env.collectMetrics === false) {
-			return;
-		}
-
-		// Check if we're in cooldown for this environment
-		const lastWarningTime = lastDiskWarning.get(env.id);
-		if (lastWarningTime && Date.now() - lastWarningTime < DISK_WARNING_COOLDOWN) {
-			return; // Skip this environment, still in cooldown
-		}
-
-		// Get Docker disk usage data
-		const diskData = await getDiskUsage(env.id) as any;
-		if (!diskData) return;
-
-		// Calculate total Docker disk usage using reduce for cleaner code
-		let totalUsed = 0;
-		if (diskData.Images) {
-			totalUsed += diskData.Images.reduce((sum: number, img: any) => sum + (img.Size || 0), 0);
-		}
-		if (diskData.Containers) {
-			totalUsed += diskData.Containers.reduce((sum: number, c: any) => sum + (c.SizeRw || 0), 0);
-		}
-		if (diskData.Volumes) {
-			totalUsed += diskData.Volumes.reduce((sum: number, v: any) => sum + (v.UsageData?.Size || 0), 0);
-		}
-		if (diskData.BuildCache) {
-			totalUsed += diskData.BuildCache.reduce((sum: number, bc: any) => sum + (bc.Size || 0), 0);
-		}
-
-		// Get Docker root filesystem info from Docker info
-		const info = await getDockerInfo(env.id) as any;
-		const driverStatus = info?.DriverStatus;
-
-		// Try to find "Data Space Total" from driver status
-		let dataSpaceTotal = 0;
-		let diskPercentUsed = 0;
-
-		if (driverStatus) {
-			for (const [key, value] of driverStatus) {
-				if (key === 'Data Space Total' && typeof value === 'string') {
-					dataSpaceTotal = parseSize(value);
-					break;
-				}
-			}
-		}
-
-		// If we found total disk space, calculate percentage
-		if (dataSpaceTotal > 0) {
-			diskPercentUsed = (totalUsed / dataSpaceTotal) * 100;
-		} else {
-			// Fallback: just report absolute usage if we can't determine percentage
-			const GB = 1024 * 1024 * 1024;
-			if (totalUsed > 50 * GB) {
-				await sendEventNotification('disk_space_warning', {
-					title: 'High Docker disk usage',
-					message: `Environment "${env.name}" is using ${formatSize(totalUsed)} of Docker disk space`,
-					type: 'warning'
-				}, env.id);
-				lastDiskWarning.set(env.id, Date.now());
-			}
-			return;
-		}
-
-		// Check against threshold
-		const threshold = await getEnvSetting('disk_warning_threshold', env.id) || DEFAULT_DISK_THRESHOLD;
-		if (diskPercentUsed >= threshold) {
-			console.log(`[Metrics] Docker disk usage for ${env.name}: ${diskPercentUsed.toFixed(1)}% (threshold: ${threshold}%)`);
-
-			await sendEventNotification('disk_space_warning', {
-				title: 'Disk space warning',
-				message: `Environment "${env.name}" Docker disk usage is at ${diskPercentUsed.toFixed(1)}% (${formatSize(totalUsed)} used)`,
-				type: 'warning'
-			}, env.id);
-
-			lastDiskWarning.set(env.id, Date.now());
-		}
-	} catch (error) {
-		// Skip this environment if it fails
-		console.error(`Failed to check disk space for ${env.name}:`, error);
-	}
-}
-
-/**
- * Check Docker disk usage and send warnings if above threshold
- */
-async function checkDiskSpace() {
-	try {
-		const environments = await getEnvironments();
-
-		// Filter enabled environments and check disk space in parallel
-		const enabledEnvs = environments.filter(env => env.collectMetrics !== false);
-
-		// Process all environments in parallel for better performance
-		await Promise.all(enabledEnvs.map(env => checkEnvDiskSpace(env)));
-	} catch (error) {
-		console.error('Disk space check error:', error);
-	}
-}
-
-/**
- * Parse size string like "107.4GB" to bytes
- */
-function parseSize(sizeStr: string): number {
-	const units: Record<string, number> = {
-		'B': 1,
-		'KB': 1024,
-		'MB': 1024 * 1024,
-		'GB': 1024 * 1024 * 1024,
-		'TB': 1024 * 1024 * 1024 * 1024
-	};
-
-	const match = sizeStr.match(/^([\d.]+)\s*([KMGT]?B)$/i);
-	if (!match) return 0;
-
-	const value = parseFloat(match[1]);
-	const unit = match[2].toUpperCase();
-	return value * (units[unit] || 1);
-}
-
-/**
- * Format bytes to human readable string
- */
-function formatSize(bytes: number): string {
-	const units = ['B', 'KB', 'MB', 'GB', 'TB'];
-	let unitIndex = 0;
-	let size = bytes;
-
-	while (size >= 1024 && unitIndex < units.length - 1) {
-		size /= 1024;
-		unitIndex++;
-	}
-
-	return `${size.toFixed(1)} ${units[unitIndex]}`;
-}
-
-export function startMetricsCollector() {
-	if (collectorInterval) return; // Already running
-
-	console.log('Starting server-side metrics collector (every 10s)');
-
-	// Initial collection
-	collectMetrics();
-
-	// Schedule regular collection
-	collectorInterval = setInterval(collectMetrics, COLLECT_INTERVAL);
-
-	// Start disk space checking (every 5 minutes)
-	console.log('Starting disk space monitoring (every 5 minutes)');
-	checkDiskSpace(); // Initial check
-	diskCheckInterval = setInterval(checkDiskSpace, DISK_CHECK_INTERVAL);
-}
-
-export function stopMetricsCollector() {
-	if (collectorInterval) {
-		clearInterval(collectorInterval);
-		collectorInterval = null;
-	}
-	if (diskCheckInterval) {
-		clearInterval(diskCheckInterval);
-		diskCheckInterval = null;
-	}
-	lastDiskWarning.clear();
-	console.log('Metrics collector stopped');
-}
diff --git a/lib/server/stacks.ts b/lib/server/stacks.ts
deleted file mode 100644
index d4c99a1..0000000
--- a/lib/server/stacks.ts
+++ /dev/null
@@ -1,1109 +0,0 @@
-/**
- * Stack Management Module
- *
- * Provides compose-first stack operations for internal, git, and external stacks.
- * All lifecycle operations use docker compose commands.
- */
-
-import { existsSync, mkdirSync, rmSync, readdirSync } from 'node:fs';
-import { join, resolve } from 'node:path';
-import {
-	getEnvironment,
-	getStackEnvVarsAsRecord,
-	getStackSource,
-	upsertStackSource,
-	deleteStackSource,
-	getGitStackByName,
-	deleteGitStack,
-	getStackSources,
-	deleteStackEnvVars
-} from './db';
-import { deleteGitStackFiles } from './git';
-
-// =============================================================================
-// TYPES
-// =============================================================================
-
-/**
- * Stack source types
- */
-export type StackSourceType = 'internal' | 'git' | 'external';
-
-/**
- * Stack operation result
- */
-export interface StackOperationResult {
-	success: boolean;
-	output?: string;
-	error?: string;
-}
-
-/**
- * Container detail within a stack
- */
-export interface ContainerDetail {
-	id: string;
-	name: string;
-	service: string;
-	state: string;
-	status: string;
-	health?: string;
-	image: string;
-	ports: Array<{ publicPort: number; privatePort: number; type: string; display: string }>;
-	networks: Array<{ name: string; ipAddress: string }>;
-	volumeCount: number;
-	restartCount: number;
-	created: number;
-}
-
-/**
- * Compose stack information
- */
-export interface ComposeStackInfo {
-	name: string;
-	containers: string[];
-	containerDetails: ContainerDetail[];
-	status: 'running' | 'stopped' | 'partial' | 'created';
-	sourceType?: StackSourceType;
-	hasComposeFile?: boolean;
-}
-
-/**
- * Stack deployment options
- */
-export interface DeployStackOptions {
-	name: string;
-	compose: string;
-	envId?: number | null;
-	envFileVars?: Record<string, string>;
-	forceRecreate?: boolean;
-}
-
-// =============================================================================
-// ERRORS
-// =============================================================================
-
-/**
- * Error for operations on external stacks without compose files
- */
-export class ExternalStackError extends Error {
-	public readonly stackName: string;
-
-	constructor(stackName: string) {
-		super(
-			`Stack "${stackName}" was created outside of Dockhand. ` +
-				`To manage this stack, first import it by clicking the Import button in the stack menu.`
-		);
-		this.name = 'ExternalStackError';
-		this.stackName = stackName;
-	}
-}
-
-/**
- * Error when compose file is missing for a managed stack
- */
-export class ComposeFileNotFoundError extends Error {
-	public readonly stackName: string;
-
-	constructor(stackName: string) {
-		super(
-			`Compose file not found for stack "${stackName}". ` +
-				`The stack may have been deleted or was created outside of Dockhand.`
-		);
-		this.name = 'ComposeFileNotFoundError';
-		this.stackName = stackName;
-	}
-}
-
-// =============================================================================
-// INTERNAL STATE
-// =============================================================================
-
-// Cache stacks directory
-let _stacksDir: string | null = null;
-
-// Per-stack locking mechanism to prevent race conditions during concurrent operations
-const stackLocks = new Map<string, Promise<void>>();
-
-/**
- * Execute a function with exclusive lock on a stack.
- * Prevents race conditions when multiple operations target the same stack.
- */
-async function withStackLock<T>(stackName: string, fn: () => Promise<T>): Promise<T> {
-	const lockKey = stackName;
-
-	// Wait for any existing lock to release
-	while (stackLocks.has(lockKey)) {
-		await stackLocks.get(lockKey);
-	}
-
-	// Create new lock
-	let releaseLock: () => void;
-	const lockPromise = new Promise<void>((resolve) => {
-		releaseLock = resolve;
-	});
-	stackLocks.set(lockKey, lockPromise);
-
-	try {
-		return await fn();
-	} finally {
-		stackLocks.delete(lockKey);
-		releaseLock!();
-	}
-}
-
-// Timeout configuration for compose operations
-const COMPOSE_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes
-const COMPOSE_KILL_GRACE_MS = 5000; // 5 seconds grace period before SIGKILL
-
-// =============================================================================
-// DEBUG UTILITIES
-// =============================================================================
-
-/**
- * Mask sensitive values in environment variables for safe logging.
- * Masks values for keys containing common secret patterns and truncates long values.
- */
-function maskSecrets(vars: Record<string, string>): Record<string, string> {
-	const masked: Record<string, string> = {};
-	const secretPatterns = /password|secret|token|key|api_key|apikey|auth|credential|private/i;
-	for (const [key, value] of Object.entries(vars)) {
-		if (secretPatterns.test(key)) {
-			masked[key] = '***';
-		} else if (value.length > 50) {
-			// Truncate long values that might be secrets
-			masked[key] = value.substring(0, 10) + '...(truncated)';
-		} else {
-			masked[key] = value;
-		}
-	}
-	return masked;
-}
-
-// =============================================================================
-// UTILITIES
-// =============================================================================
-
-/**
- * Get the compose stacks directory (always returns absolute path)
- */
-export function getStacksDir(): string {
-	if (_stacksDir) return _stacksDir;
-	const dataDir = process.env.DATA_DIR || './data';
-	// Resolve to absolute path to avoid issues with relative paths in docker compose
-	_stacksDir = resolve(join(dataDir, 'stacks'));
-	if (!existsSync(_stacksDir)) {
-		mkdirSync(_stacksDir, { recursive: true });
-	}
-	return _stacksDir;
-}
-
-/**
- * List stacks that have compose files stored locally
- */
-export function listManagedStacks(): string[] {
-	const stacksDir = getStacksDir();
-	if (!existsSync(stacksDir)) {
-		return [];
-	}
-
-	return readdirSync(stacksDir, { withFileTypes: true })
-		.filter((dirent) => dirent.isDirectory())
-		.filter((dirent) => {
-			const composeYml = join(stacksDir, dirent.name, 'docker-compose.yml');
-			const composeYaml = join(stacksDir, dirent.name, 'docker-compose.yaml');
-			return existsSync(composeYml) || existsSync(composeYaml);
-		})
-		.map((dirent) => dirent.name);
-}
-
-// =============================================================================
-// COMPOSE FILE MANAGEMENT
-// =============================================================================
-
-/**
- * Get compose file content for a stack
- */
-export async function getStackComposeFile(
-	stackName: string
-): Promise<{ success: boolean; content?: string; error?: string }> {
-	const stacksDir = getStacksDir();
-	const stackDir = join(stacksDir, stackName);
-	const composeFile = join(stackDir, 'docker-compose.yml');
-
-	const ymlFile = Bun.file(composeFile);
-	if (await ymlFile.exists()) {
-		return {
-			success: true,
-			content: await ymlFile.text()
-		};
-	}
-
-	const yamlFile = Bun.file(join(stackDir, 'docker-compose.yaml'));
-	if (await yamlFile.exists()) {
-		return {
-			success: true,
-			content: await yamlFile.text()
-		};
-	}
-
-	return {
-		success: false,
-		error: `Compose file not found for stack "${stackName}". The stack may have been created outside of Dockhand.`
-	};
-}
-
-/**
- * Save or create a stack compose file without deploying.
- * @param name - Stack name
- * @param content - Compose file content
- * @param create - If true, creates a new stack (fails if exists). If false, updates existing (fails if not exists).
- */
-export async function saveStackComposeFile(
-	name: string,
-	content: string,
-	create = false
-): Promise<{ success: boolean; error?: string }> {
-	// Validate stack name
-	if (!/^[a-zA-Z0-9_-]+$/.test(name)) {
-		return {
-			success: false,
-			error: 'Stack name can only contain letters, numbers, hyphens, and underscores'
-		};
-	}
-
-	const stacksDir = getStacksDir();
-	const stackDir = join(stacksDir, name);
-	const composeFile = join(stackDir, 'docker-compose.yml');
-	const exists = existsSync(stackDir);
-
-	if (create) {
-		// Creating new stack - if directory exists, it's orphaned (clean it up)
-		if (exists) {
-			try {
-				console.log(`Cleaning up orphaned stack directory: ${stackDir}`);
-				rmSync(stackDir, { recursive: true, force: true });
-			} catch (err: any) {
-				return { success: false, error: `Stack directory exists and cleanup failed: ${err.message}` };
-			}
-		}
-		try {
-			mkdirSync(stackDir, { recursive: true });
-		} catch (err: any) {
-			return { success: false, error: `Failed to create stack directory: ${err.message}` };
-		}
-	} else {
-		// Updating existing stack - must exist
-		if (!exists) {
-			return { success: false, error: `Stack "${name}" not found` };
-		}
-	}
-
-	try {
-		await Bun.write(composeFile, content);
-		return { success: true };
-	} catch (err: any) {
-		return { success: false, error: `Failed to ${create ? 'create' : 'save'} compose file: ${err.message}` };
-	}
-}
-
-// =============================================================================
-// COMPOSE COMMAND EXECUTION
-// =============================================================================
-
-interface ComposeCommandOptions {
-	stackName: string;
-	envId?: number | null;
-	forceRecreate?: boolean;
-	removeVolumes?: boolean;
-}
-
-/**
- * Execute a docker compose command locally via Bun.spawn
- */
-async function executeLocalCompose(
-	operation: 'up' | 'down' | 'stop' | 'start' | 'restart' | 'pull',
-	stackName: string,
-	composeContent: string,
-	dockerHost?: string,
-	envVars?: Record<string, string>,
-	forceRecreate?: boolean,
-	removeVolumes?: boolean
-): Promise<StackOperationResult> {
-	const logPrefix = `[Stack:${stackName}]`;
-	const stacksDir = getStacksDir();
-	const stackDir = join(stacksDir, stackName);
-	mkdirSync(stackDir, { recursive: true });
-
-	const composeFile = join(stackDir, 'docker-compose.yml');
-	await Bun.write(composeFile, composeContent);
-
-	const spawnEnv: Record<string, string> = { ...(process.env as Record<string, string>) };
-	if (dockerHost) {
-		spawnEnv.DOCKER_HOST = dockerHost;
-	}
-	// Add stack-specific environment variables
-	if (envVars) {
-		Object.assign(spawnEnv, envVars);
-	}
-
-	// Build command based on operation
-	const args = ['docker', 'compose', '-p', stackName, '-f', composeFile];
-
-	switch (operation) {
-		case 'up':
-			args.push('up', '-d', '--remove-orphans');
-			if (forceRecreate) args.push('--force-recreate');
-			break;
-		case 'down':
-			args.push('down');
-			if (removeVolumes) args.push('--volumes');
-			break;
-		case 'stop':
-			args.push('stop');
-			break;
-		case 'start':
-			args.push('start');
-			break;
-		case 'restart':
-			args.push('restart');
-			break;
-		case 'pull':
-			args.push('pull');
-			break;
-	}
-
-	console.log(`${logPrefix} ----------------------------------------`);
-	console.log(`${logPrefix} EXECUTE LOCAL COMPOSE`);
-	console.log(`${logPrefix} ----------------------------------------`);
-	console.log(`${logPrefix} Operation:`, operation);
-	console.log(`${logPrefix} Command:`, args.join(' '));
-	console.log(`${logPrefix} Working directory:`, stackDir);
-	console.log(`${logPrefix} Compose file:`, composeFile);
-	console.log(`${logPrefix} DOCKER_HOST:`, dockerHost || '(local socket)');
-	console.log(`${logPrefix} Force recreate:`, forceRecreate ?? false);
-	console.log(`${logPrefix} Remove volumes:`, removeVolumes ?? false);
-	console.log(`${logPrefix} Env vars count:`, envVars ? Object.keys(envVars).length : 0);
-	if (envVars && Object.keys(envVars).length > 0) {
-		console.log(`${logPrefix} Env vars being injected (masked):`, JSON.stringify(maskSecrets(envVars), null, 2));
-	}
-
-	try {
-		console.log(`${logPrefix} Spawning docker compose process...`);
-		const proc = Bun.spawn(args, {
-			cwd: stackDir,
-			env: spawnEnv,
-			stdout: 'pipe',
-			stderr: 'pipe'
-		});
-
-		// Set up timeout with SIGTERM -> SIGKILL escalation
-		let timedOut = false;
-		const timeoutId = setTimeout(() => {
-			timedOut = true;
-			console.log(`${logPrefix} TIMEOUT: Process exceeded ${COMPOSE_TIMEOUT_MS / 1000} seconds, sending SIGTERM`);
-			proc.kill('SIGTERM');
-			// Give process grace period to terminate cleanly before SIGKILL
-			setTimeout(() => {
-				try {
-					proc.kill('SIGKILL');
-					console.log(`${logPrefix} TIMEOUT: Sent SIGKILL after grace period`);
-				} catch {
-					// Process may already be dead
-				}
-			}, COMPOSE_KILL_GRACE_MS);
-		}, COMPOSE_TIMEOUT_MS);
-
-		try {
-			const [stdout, stderr] = await Promise.all([
-				new Response(proc.stdout).text(),
-				new Response(proc.stderr).text()
-			]);
-
-			const code = await proc.exited;
-
-			console.log(`${logPrefix} ----------------------------------------`);
-			console.log(`${logPrefix} COMPOSE PROCESS COMPLETE`);
-			console.log(`${logPrefix} ----------------------------------------`);
-			console.log(`${logPrefix} Exit code:`, code);
-			console.log(`${logPrefix} Timed out:`, timedOut);
-			if (stdout) {
-				console.log(`${logPrefix} STDOUT:`);
-				console.log(stdout);
-			}
-			if (stderr) {
-				console.log(`${logPrefix} STDERR:`);
-				console.log(stderr);
-			}
-
-			if (timedOut) {
-				return {
-					success: false,
-					output: stdout,
-					error: `docker compose ${operation} timed out after ${COMPOSE_TIMEOUT_MS / 1000} seconds`
-				};
-			}
-
-			if (code === 0) {
-				return {
-					success: true,
-					output: stdout || stderr || `Stack "${stackName}" ${operation} completed successfully`
-				};
-			} else {
-				return {
-					success: false,
-					output: stdout,
-					error: stderr || `docker compose ${operation} exited with code ${code}`
-				};
-			}
-		} finally {
-			clearTimeout(timeoutId);
-		}
-	} catch (err: any) {
-		console.log(`${logPrefix} EXCEPTION in executeLocalCompose:`, err.message);
-		return {
-			success: false,
-			output: '',
-			error: `Failed to run docker compose ${operation}: ${err.message}`
-		};
-	}
-}
-
-/**
- * Execute a docker compose command via Hawser agent
- */
-async function executeComposeViaHawser(
-	operation: 'up' | 'down' | 'stop' | 'start' | 'restart' | 'pull',
-	stackName: string,
-	composeContent: string,
-	envId: number,
-	envVars?: Record<string, string>,
-	forceRecreate?: boolean,
-	removeVolumes?: boolean
-): Promise<StackOperationResult> {
-	const logPrefix = `[Stack:${stackName}]`;
-	// Import dockerFetch dynamically to avoid circular dependency
-	const { dockerFetch } = await import('./docker.js');
-
-	console.log(`${logPrefix} ----------------------------------------`);
-	console.log(`${logPrefix} EXECUTE COMPOSE VIA HAWSER`);
-	console.log(`${logPrefix} ----------------------------------------`);
-	console.log(`${logPrefix} Operation:`, operation);
-	console.log(`${logPrefix} Environment ID:`, envId);
-	console.log(`${logPrefix} Force recreate:`, forceRecreate ?? false);
-	console.log(`${logPrefix} Remove volumes:`, removeVolumes ?? false);
-	console.log(`${logPrefix} Env vars count:`, envVars ? Object.keys(envVars).length : 0);
-	if (envVars && Object.keys(envVars).length > 0) {
-		console.log(`${logPrefix} Env vars being sent (masked):`, JSON.stringify(maskSecrets(envVars), null, 2));
-	}
-	console.log(`${logPrefix} Compose content length:`, composeContent.length, 'chars');
-
-	try {
-		const body = JSON.stringify({
-			operation,
-			projectName: stackName,
-			composeFile: composeContent,
-			envVars: envVars || {},
-			forceRecreate: forceRecreate || false,
-			removeVolumes: removeVolumes || false
-		});
-
-		console.log(`${logPrefix} Sending request to Hawser agent...`);
-		const response = await dockerFetch(
-			'/_hawser/compose',
-			{
-				method: 'POST',
-				headers: { 'Content-Type': 'application/json' },
-				body
-			},
-			envId
-		);
-
-		const result = (await response.json()) as {
-			success: boolean;
-			output?: string;
-			error?: string;
-		};
-
-		console.log(`${logPrefix} ----------------------------------------`);
-		console.log(`${logPrefix} HAWSER RESPONSE`);
-		console.log(`${logPrefix} ----------------------------------------`);
-		console.log(`${logPrefix} Success:`, result.success);
-		if (result.output) {
-			console.log(`${logPrefix} Output:`, result.output);
-		}
-		if (result.error) {
-			console.log(`${logPrefix} Error:`, result.error);
-		}
-
-		if (result.success) {
-			return {
-				success: true,
-				output: result.output || `Stack "${stackName}" ${operation} completed via Hawser`
-			};
-		} else {
-			return {
-				success: false,
-				output: result.output || '',
-				error: result.error || `Compose ${operation} failed`
-			};
-		}
-	} catch (err: any) {
-		console.log(`${logPrefix} EXCEPTION in executeComposeViaHawser:`, err.message);
-		return {
-			success: false,
-			output: '',
-			error: `Failed to ${operation} via Hawser: ${err.message}`
-		};
-	}
-}
-
-/**
- * Route compose command to appropriate executor based on connection type
- */
-async function executeComposeCommand(
-	operation: 'up' | 'down' | 'stop' | 'start' | 'restart' | 'pull',
-	options: ComposeCommandOptions,
-	composeContent: string,
-	envVars?: Record<string, string>
-): Promise<StackOperationResult> {
-	const { stackName, envId, forceRecreate, removeVolumes } = options;
-
-	// Get environment configuration
-	const env = envId ? await getEnvironment(envId) : null;
-
-	if (!env) {
-		// Local socket connection (no environment specified)
-		return executeLocalCompose(
-			operation,
-			stackName,
-			composeContent,
-			undefined,
-			envVars,
-			forceRecreate,
-			removeVolumes
-		);
-	}
-
-	switch (env.connectionType) {
-		case 'hawser-standard':
-		case 'hawser-edge':
-			return executeComposeViaHawser(
-				operation,
-				stackName,
-				composeContent,
-				envId!,
-				envVars,
-				forceRecreate,
-				removeVolumes
-			);
-
-		case 'direct': {
-			const port = env.port || 2375;
-			const dockerHost = `tcp://${env.host}:${port}`;
-			return executeLocalCompose(
-				operation,
-				stackName,
-				composeContent,
-				dockerHost,
-				envVars,
-				forceRecreate,
-				removeVolumes
-			);
-		}
-
-		case 'socket':
-		default:
-			return executeLocalCompose(
-				operation,
-				stackName,
-				composeContent,
-				undefined,
-				envVars,
-				forceRecreate,
-				removeVolumes
-			);
-	}
-}
-
-// =============================================================================
-// STACK DISCOVERY
-// =============================================================================
-
-/**
- * List all compose stacks from Docker containers
- */
-export async function listComposeStacks(envId?: number | null): Promise<ComposeStackInfo[]> {
-	// Import dynamically to avoid circular dependency
-	const { listContainers } = await import('./docker.js');
-
-	const containers = await listContainers(true, envId);
-	const stacks = new Map<string, Set<string>>();
-
-	containers.forEach((container) => {
-		const projectLabel = container.labels['com.docker.compose.project'];
-		if (projectLabel) {
-			if (!stacks.has(projectLabel)) {
-				stacks.set(projectLabel, new Set());
-			}
-			stacks.get(projectLabel)?.add(container.id);
-		}
-	});
-
-	const result: ComposeStackInfo[] = Array.from(stacks.entries()).map(([name, containerIds]) => {
-		const stackContainers = containers.filter((c) => containerIds.has(c.id));
-		const runningCount = stackContainers.filter((c) => c.state === 'running').length;
-
-		const containerDetails: ContainerDetail[] = stackContainers
-			.map((c) => {
-				const service = c.labels['com.docker.compose.service'] || c.name;
-
-				// Build ports with structured data for clickable links
-				const ports = (c.ports || [])
-					.filter((p) => p.PublicPort)
-					.map((p) => ({
-						publicPort: p.PublicPort!,
-						privatePort: p.PrivatePort,
-						type: p.Type,
-						display: `${p.PublicPort}:${p.PrivatePort}/${p.Type}`
-					}));
-
-				// Build networks with IP addresses
-				const networks = Object.entries(c.networks || {}).map(([name, data]) => ({
-					name,
-					ipAddress: data?.ipAddress || ''
-				}));
-
-				const volumeCount = c.mounts?.length || 0;
-
-				return {
-					id: c.id,
-					name: c.name,
-					service,
-					state: c.state,
-					status: c.status,
-					health: c.health,
-					image: c.image,
-					ports,
-					networks,
-					volumeCount,
-					restartCount: c.restartCount || 0,
-					created: c.created
-				};
-			})
-			.sort((a, b) => a.service.localeCompare(b.service));
-
-		return {
-			name,
-			containers: Array.from(containerIds),
-			containerDetails,
-			status:
-				runningCount === stackContainers.length
-					? 'running'
-					: runningCount === 0
-						? 'stopped'
-						: 'partial'
-		};
-	});
-
-	return result;
-}
-
-/**
- * Get containers for a specific stack by label
- */
-async function getStackContainers(stackName: string, envId?: number | null): Promise<any[]> {
-	const { listContainers } = await import('./docker.js');
-	const containers = await listContainers(true, envId);
-	return containers.filter((c) => c.labels['com.docker.compose.project'] === stackName);
-}
-
-/**
- * Helper to perform container-based operations for external stacks
- * Used as fallback when no compose file exists.
- * Uses Promise.allSettled for parallel execution.
- */
-async function withContainerFallback(
-	stackName: string,
-	envId: number | null | undefined,
-	operation: 'start' | 'stop' | 'restart' | 'remove'
-): Promise<StackOperationResult> {
-	const { startContainer, stopContainer, restartContainer, removeContainer } = await import('./docker.js');
-
-	const containers = await getStackContainers(stackName, envId);
-	if (containers.length === 0) {
-		return { success: false, error: `No containers found for stack "${stackName}"` };
-	}
-
-	// Execute all container operations in parallel
-	// Note: listContainers returns containers with lowercase property names: id, name, labels
-	const operationResults = await Promise.allSettled(
-		containers.map(async (container) => {
-			const containerName = container.name || container.id;
-			switch (operation) {
-				case 'start':
-					await startContainer(container.id, envId);
-					break;
-				case 'stop':
-					await stopContainer(container.id, envId);
-					break;
-				case 'restart':
-					await restartContainer(container.id, envId);
-					break;
-				case 'remove':
-					await removeContainer(container.id, true, envId);
-					break;
-			}
-			return containerName;
-		})
-	);
-
-	// Collect successes and failures
-	const successes: string[] = [];
-	const errors: string[] = [];
-
-	operationResults.forEach((result, index) => {
-		const containerName = containers[index].name || containers[index].id;
-		if (result.status === 'fulfilled') {
-			successes.push(result.value);
-		} else {
-			errors.push(`${containerName}: ${result.reason?.message || 'Unknown error'}`);
-		}
-	});
-
-	if (errors.length > 0) {
-		return {
-			success: successes.length > 0,
-			error: errors.join('; '),
-			output: successes.length > 0 ? `Partial success: ${successes.join(', ')}` : undefined
-		};
-	}
-
-	return {
-		success: true,
-		output: `${operation} completed for ${successes.length} container(s): ${successes.join(', ')}`
-	};
-}
-
-// =============================================================================
-// STACK LIFECYCLE OPERATIONS
-// =============================================================================
-
-/**
- * Ensure we have a compose file for operations, throw appropriate error if not
- */
-async function requireComposeFile(
-	stackName: string,
-	envId?: number | null
-): Promise<{ content: string; envVars: Record<string, string> }> {
-	const composeResult = await getStackComposeFile(stackName);
-
-	if (!composeResult.success) {
-		// Check if this is an external stack
-		const source = await getStackSource(stackName, envId);
-		if (!source || source.sourceType === 'external') {
-			throw new ExternalStackError(stackName);
-		}
-		throw new ComposeFileNotFoundError(stackName);
-	}
-
-	// Get environment variables from database
-	const envVars = await getStackEnvVarsAsRecord(stackName, envId);
-
-	return { content: composeResult.content!, envVars };
-}
-
-/**
- * Start a stack using docker compose up
- * Falls back to individual container start for external stacks
- */
-export async function startStack(
-	stackName: string,
-	envId?: number | null
-): Promise<StackOperationResult> {
-	try {
-		const { content, envVars } = await requireComposeFile(stackName, envId);
-		return executeComposeCommand('up', { stackName, envId }, content, envVars);
-	} catch (err) {
-		if (err instanceof ExternalStackError) {
-			return withContainerFallback(stackName, envId, 'start');
-		}
-		throw err;
-	}
-}
-
-/**
- * Stop a stack using docker compose stop
- * Falls back to individual container stop for external stacks
- */
-export async function stopStack(
-	stackName: string,
-	envId?: number | null
-): Promise<StackOperationResult> {
-	try {
-		const { content, envVars } = await requireComposeFile(stackName, envId);
-		return executeComposeCommand('stop', { stackName, envId }, content, envVars);
-	} catch (err) {
-		if (err instanceof ExternalStackError) {
-			return withContainerFallback(stackName, envId, 'stop');
-		}
-		throw err;
-	}
-}
-
-/**
- * Restart a stack using docker compose restart
- * Falls back to individual container restart for external stacks
- */
-export async function restartStack(
-	stackName: string,
-	envId?: number | null
-): Promise<StackOperationResult> {
-	try {
-		const { content, envVars } = await requireComposeFile(stackName, envId);
-		return executeComposeCommand('restart', { stackName, envId }, content, envVars);
-	} catch (err) {
-		if (err instanceof ExternalStackError) {
-			return withContainerFallback(stackName, envId, 'restart');
-		}
-		throw err;
-	}
-}
-
-/**
- * Down a stack using docker compose down (removes containers, keeps files)
- * For external stacks, this is equivalent to stop (no compose file to "down")
- */
-export async function downStack(
-	stackName: string,
-	envId?: number | null,
-	removeVolumes = false
-): Promise<StackOperationResult> {
-	try {
-		const { content, envVars } = await requireComposeFile(stackName, envId);
-		return executeComposeCommand('down', { stackName, envId, removeVolumes }, content, envVars);
-	} catch (err) {
-		if (err instanceof ExternalStackError) {
-			// For external stacks, down is the same as stop (no compose file to tear down)
-			return withContainerFallback(stackName, envId, 'stop');
-		}
-		throw err;
-	}
-}
-
-/**
- * Remove a stack completely (compose down + delete files + cleanup database)
- * Uses stack locking to prevent concurrent operations.
- */
-export async function removeStack(
-	stackName: string,
-	envId?: number | null,
-	force = false
-): Promise<StackOperationResult> {
-	return withStackLock(stackName, async () => {
-		// Get compose file (may not exist for external stacks)
-		const composeResult = await getStackComposeFile(stackName);
-
-		// If compose file exists, run docker compose down first
-		if (composeResult.success) {
-			const envVars = await getStackEnvVarsAsRecord(stackName, envId);
-			const downResult = await executeComposeCommand(
-				'down',
-				{ stackName, envId },
-				composeResult.content!,
-				envVars
-			);
-			if (!downResult.success && !force) {
-				return downResult;
-			}
-		} else {
-			// External stack - remove containers directly in parallel
-			const { removeContainer } = await import('./docker.js');
-			const stackContainers = await getStackContainers(stackName, envId);
-
-			const removalResults = await Promise.allSettled(
-				stackContainers.map((container) =>
-					removeContainer(container.id, force, envId).then(() => container.name)
-				)
-			);
-
-			const errors: string[] = [];
-			removalResults.forEach((result, index) => {
-				if (result.status === 'rejected') {
-					const containerName = stackContainers[index].name || stackContainers[index].id;
-					errors.push(`Failed to remove ${containerName}: ${result.reason?.message || 'Unknown error'}`);
-				}
-			});
-
-			if (errors.length > 0 && !force) {
-				return {
-					success: false,
-					error: errors.join('; ')
-				};
-			}
-		}
-
-		// Clean up database records - collect errors but don't stop
-		const cleanupErrors: string[] = [];
-
-		// Delete compose file and directory
-		const stacksDir = getStacksDir();
-		const stackDir = join(stacksDir, stackName);
-		if (existsSync(stackDir)) {
-			try {
-				rmSync(stackDir, { recursive: true, force: true });
-			} catch (err: any) {
-				console.error(`Failed to delete stack directory: ${err.message}`);
-				cleanupErrors.push(`directory: ${err.message}`);
-			}
-			// Verify deletion succeeded (rmSync with force:true may not throw on some failures)
-			if (existsSync(stackDir)) {
-				const verifyErr = 'Directory still exists after deletion attempt';
-				console.error(`Failed to delete stack directory: ${verifyErr}`);
-				cleanupErrors.push(`directory: ${verifyErr}`);
-			}
-		}
-
-		try {
-			await deleteStackSource(stackName, envId);
-		} catch (err: any) {
-			cleanupErrors.push(`stack source: ${err.message}`);
-		}
-
-		try {
-			await deleteStackEnvVars(stackName, envId);
-		} catch (err: any) {
-			cleanupErrors.push(`env vars: ${err.message}`);
-		}
-
-		// If git stack, clean up git stack record
-		try {
-			const gitStack = await getGitStackByName(stackName, envId);
-			if (gitStack) {
-				await deleteGitStack(gitStack.id);
-				deleteGitStackFiles(gitStack.id);
-			}
-			// Also cleanup any orphaned git stacks with NULL environment_id for this stack name
-			if (envId !== undefined && envId !== null) {
-				const orphanedGitStack = await getGitStackByName(stackName, null);
-				if (orphanedGitStack) {
-					await deleteGitStack(orphanedGitStack.id);
-					deleteGitStackFiles(orphanedGitStack.id);
-				}
-			}
-		} catch (err: any) {
-			cleanupErrors.push(`git stack: ${err.message}`);
-		}
-
-		// Check if directory deletion failed - this blocks stack recreation
-		const directoryError = cleanupErrors.find(e => e.startsWith('directory:'));
-		if (directoryError) {
-			return {
-				success: false,
-				error: `Stack containers stopped but directory cleanup failed (${directoryError}). Cannot recreate stack with same name until directory is manually removed.`
-			};
-		}
-
-		// Return success with optional cleanup warnings for non-critical errors
-		const output = cleanupErrors.length > 0
-			? `Stack "${stackName}" removed with cleanup warnings: ${cleanupErrors.join('; ')}`
-			: `Stack "${stackName}" removed successfully`;
-
-		return { success: true, output };
-	});
-}
-
-/**
- * Deploy a stack (create or update)
- * Uses stack locking to prevent concurrent deployments.
- */
-export async function deployStack(options: DeployStackOptions): Promise<StackOperationResult> {
-	const { name, compose, envId, envFileVars, forceRecreate } = options;
-	const logPrefix = `[Stack:${name}]`;
-
-	console.log(`${logPrefix} ========================================`);
-	console.log(`${logPrefix} DEPLOY STACK START`);
-	console.log(`${logPrefix} ========================================`);
-	console.log(`${logPrefix} Environment ID:`, envId ?? '(none - local)');
-	console.log(`${logPrefix} Force recreate:`, forceRecreate ?? false);
-	console.log(`${logPrefix} Env file vars provided:`, envFileVars ? Object.keys(envFileVars).length : 0);
-	if (envFileVars && Object.keys(envFileVars).length > 0) {
-		console.log(`${logPrefix} Env file var keys:`, Object.keys(envFileVars).join(', '));
-		console.log(`${logPrefix} Env file vars (masked):`, JSON.stringify(maskSecrets(envFileVars), null, 2));
-	}
-
-	// Validate stack name
-	if (!/^[a-zA-Z0-9_-]+$/.test(name)) {
-		console.log(`${logPrefix} ERROR: Invalid stack name format`);
-		return {
-			success: false,
-			output: '',
-			error: 'Stack name can only contain letters, numbers, hyphens, and underscores'
-		};
-	}
-
-	return withStackLock(name, async () => {
-		// Ensure stack directory exists and write compose file (for local reference)
-		const stacksDir = getStacksDir();
-		const stackDir = join(stacksDir, name);
-		mkdirSync(stackDir, { recursive: true });
-
-		const composeFile = join(stackDir, 'docker-compose.yml');
-		await Bun.write(composeFile, compose);
-		console.log(`${logPrefix} Compose file written to:`, composeFile);
-		console.log(`${logPrefix} Compose content length:`, compose.length, 'chars');
-		console.log(`${logPrefix} Compose content (full):`);
-		console.log(compose);
-
-		// Fetch stack environment variables from database (these are user overrides)
-		const dbEnvVars = await getStackEnvVarsAsRecord(name, envId);
-		console.log(`${logPrefix} DB env vars count:`, Object.keys(dbEnvVars).length);
-		if (Object.keys(dbEnvVars).length > 0) {
-			console.log(`${logPrefix} DB env var keys:`, Object.keys(dbEnvVars).join(', '));
-			console.log(`${logPrefix} DB env vars (masked):`, JSON.stringify(maskSecrets(dbEnvVars), null, 2));
-		}
-
-		// Merge: env file vars as base, database overrides take precedence
-		const envVars = { ...envFileVars, ...dbEnvVars };
-		console.log(`${logPrefix} Merged env vars count:`, Object.keys(envVars).length);
-		if (Object.keys(envVars).length > 0) {
-			console.log(`${logPrefix} Merged env var keys:`, Object.keys(envVars).join(', '));
-			console.log(`${logPrefix} Merged env vars (masked):`, JSON.stringify(maskSecrets(envVars), null, 2));
-		}
-
-		console.log(`${logPrefix} Calling executeComposeCommand...`);
-		const result = await executeComposeCommand('up', { stackName: name, envId, forceRecreate }, compose, envVars);
-		console.log(`${logPrefix} ========================================`);
-		console.log(`${logPrefix} DEPLOY STACK RESULT`);
-		console.log(`${logPrefix} ========================================`);
-		console.log(`${logPrefix} Success:`, result.success);
-		if (result.output) {
-			console.log(`${logPrefix} Output:`, result.output);
-		}
-		if (result.error) {
-			console.log(`${logPrefix} Error:`, result.error);
-		}
-		return result;
-	});
-}
-
-/**
- * Pull images for a stack
- */
-export async function pullStackImages(
-	stackName: string,
-	envId?: number | null
-): Promise<{ success: boolean; output?: string; error?: string }> {
-	const { content, envVars } = await requireComposeFile(stackName, envId);
-
-	return executeComposeCommand('pull', { stackName, envId }, content, envVars);
-}
-
-// =============================================================================
-// RE-EXPORTS FOR BACKWARDS COMPATIBILITY
-// =============================================================================
-
-// These exports maintain API compatibility with code that imports from docker.ts
-// They can be removed once all imports are updated
-
-export type { StackOperationResult as CreateStackResult };
diff --git a/package.json b/package.json
new file mode 100644
index 0000000..eea5398
--- /dev/null
+++ b/package.json
@@ -0,0 +1,118 @@
+{
+	"name": "dockhand",
+	"private": true,
+	"version": "1.0.7",
+	"type": "module",
+	"scripts": {
+		"dev": "bunx --bun vite dev",
+		"prebuild": "bunx license-checker --json --production | jq 'to_entries | map({name: (.key | split(\"@\")[0:-1] | join(\"@\")), version: (.key | split(\"@\")[-1]), license: .value.licenses, repository: .value.repository}) | sort_by(.name)' > src/lib/data/dependencies.json.tmp && mv src/lib/data/dependencies.json.tmp src/lib/data/dependencies.json || true",
+		"build": "bunx --bun vite build && bun scripts/patch-build.ts && bun scripts/build-subprocesses.ts",
+		"start": "bun ./build/index.js",
+		"preview": "bun ./build/index.js",
+		"prepare": "bunx --bun svelte-kit sync || echo ''",
+		"check": "bunx --bun svelte-kit sync && bunx --bun svelte-check --tsconfig ./tsconfig.json",
+		"check:watch": "bunx --bun svelte-kit sync && bunx --bun svelte-check --tsconfig ./tsconfig.json --watch",
+		"test": "bun test",
+		"test:smoke": "bun test tests/api-smoke.test.ts",
+		"test:containers": "bun test tests/container-lifecycle.test.ts",
+		"test:notifications": "bun test tests/notifications.test.ts",
+		"test:hawser": "bun test tests/hawser-connection.test.ts",
+		"test:build": "SKIP_BUILD_TEST=1 bun test tests/build.test.ts",
+		"test:postgres": "bun test tests/database-postgres.test.ts",
+		"test:crud": "bun test tests/crud-operations.test.ts",
+		"test:scheduling": "bun test tests/scheduling.test.ts",
+		"test:images": "bun test tests/images.test.ts",
+		"test:volumes": "bun test tests/volumes-networks.test.ts",
+		"test:stacks": "bun test tests/stacks.test.ts",
+		"test:stacks:matrix": "bun test tests/stack-matrix.test.ts",
+		"test:stacks:git": "bun test tests/stack-git-flow.test.ts",
+		"test:stacks:env": "bun test tests/stack-env-vars.test.ts",
+		"test:stacks:all": "bun test tests/stack-*.test.ts tests/stacks.test.ts",
+		"test:files": "bun test tests/container-files.test.ts",
+		"test:license": "bun test tests/license.test.ts",
+		"test:activity": "bun test tests/activity-dashboard.test.ts",
+		"test:all": "bun test tests/",
+		"test:quick": "bun test tests/api-smoke.test.ts tests/notifications.test.ts",
+		"test:integration": "bun test tests/api-smoke.test.ts tests/crud-operations.test.ts tests/scheduling.test.ts tests/hawser-connection.test.ts",
+		"test:e2e": "bunx playwright test tests/e2e/",
+		"generate:legal": "bun scripts/generate-legal-pages.ts"
+	},
+	"dependencies": {
+		"@codemirror/autocomplete": "6.20.0",
+		"@codemirror/commands": "6.10.1",
+		"@codemirror/lang-css": "6.3.1",
+		"@codemirror/lang-html": "6.4.11",
+		"@codemirror/lang-javascript": "6.2.4",
+		"@codemirror/lang-json": "6.0.2",
+		"@codemirror/lang-markdown": "6.5.0",
+		"@codemirror/lang-python": "6.2.1",
+		"@codemirror/lang-sql": "6.10.0",
+		"@codemirror/lang-xml": "6.1.0",
+		"@codemirror/lang-yaml": "6.1.2",
+		"@codemirror/language": "6.12.1",
+		"@codemirror/search": "6.5.11",
+		"@codemirror/state": "6.5.3",
+		"@codemirror/theme-one-dark": "6.1.3",
+		"@codemirror/view": "6.39.9",
+		"@lezer/highlight": "1.2.3",
+		"@lucide/lab": "^0.1.2",
+		"codemirror": "6.0.2",
+		"croner": "9.1.0",
+		"cronstrue": "3.9.0",
+		"drizzle-orm": "0.45.1",
+		"hash-wasm": "4.12.0",
+		"js-yaml": "^4.1.1",
+		"ldapts": "^8.1.3",
+		"nodemailer": "^7.0.12",
+		"otpauth": "^9.4.1",
+		"postgres": "3.4.8",
+		"qrcode": "^1.5.4",
+		"svelte-dnd-action": "0.9.69",
+		"svelte-sonner": "1.0.7"
+	},
+	"devDependencies": {
+		"@internationalized/date": "^3.10.1",
+		"@layerstack/tailwind": "^1.0.1",
+		"@lucide/svelte": "^0.562.0",
+		"@playwright/test": "1.57.0",
+		"@sveltejs/kit": "^2.49.3",
+		"@sveltejs/vite-plugin-svelte": "^6.2.3",
+		"@tailwindcss/vite": "^4.1.18",
+		"@types/bun": "^1.3.5",
+		"@types/js-yaml": "^4.0.9",
+		"@types/nodemailer": "^7.0.4",
+		"@types/qrcode": "^1.5.6",
+		"@xterm/addon-fit": "^0.11.0",
+		"@xterm/addon-web-links": "^0.12.0",
+		"@xterm/xterm": "^6.0.0",
+		"autoprefixer": "^10.4.23",
+		"bits-ui": "^2.15.4",
+		"clsx": "^2.1.1",
+		"cytoscape": "^3.33.1",
+		"d3-scale": "^4.0.2",
+		"d3-shape": "^3.2.0",
+		"drizzle-kit": "0.31.8",
+		"layerchart": "^1.0.13",
+		"lucide-svelte": "^0.562.0",
+		"mode-watcher": "^1.1.0",
+		"postcss": "^8.5.6",
+		"svelte": "^5.46.1",
+		"svelte-adapter-bun": "1.0.1",
+		"svelte-check": "^4.3.5",
+		"svelte-easy-crop": "^5.0.0",
+		"svelte-virtual-scroll-list": "^1.3.0",
+		"tailwind-merge": "^3.4.0",
+		"tailwind-variants": "^3.2.2",
+		"tailwindcss": "^4.1.18",
+		"tw-animate-css": "^1.4.0",
+		"typescript": "^5.9.3",
+		"vite": "^7.3.1"
+	},
+	"overrides": {
+		"@codemirror/state": "6.5.3",
+		"@codemirror/view": "6.39.9",
+		"@codemirror/language": "6.12.1",
+		"@lezer/common": "1.5.0",
+		"@lezer/highlight": "1.2.3"
+	}
+}
diff --git a/routes/api/stacks/[name]/env/+server.ts b/routes/api/stacks/[name]/env/+server.ts
deleted file mode 100644
index 23d7a4a..0000000
--- a/routes/api/stacks/[name]/env/+server.ts
+++ /dev/null
@@ -1,122 +0,0 @@
-import { json } from '@sveltejs/kit';
-import { getStackEnvVars, setStackEnvVars } from '$lib/server/db';
-import { authorize } from '$lib/server/authorize';
-import type { RequestHandler } from './$types';
-
-/**
- * GET /api/stacks/[name]/env?env=X
- * Get all environment variables for a stack.
- * Secrets are masked with '***' in the response.
- */
-export const GET: RequestHandler = async ({ params, url, cookies }) => {
-	const auth = await authorize(cookies);
-	const envId = url.searchParams.get('env');
-	const envIdNum = envId ? parseInt(envId) : null;
-
-	// Permission check with environment context
-	if (auth.authEnabled && !await auth.can('stacks', 'view', envIdNum ?? undefined)) {
-		return json({ error: 'Permission denied' }, { status: 403 });
-	}
-
-	// Environment access check (enterprise only)
-	if (envIdNum && auth.isEnterprise && !await auth.canAccessEnvironment(envIdNum)) {
-		return json({ error: 'Access denied to this environment' }, { status: 403 });
-	}
-
-	try {
-		const stackName = decodeURIComponent(params.name);
-		const variables = await getStackEnvVars(stackName, envIdNum, true);
-
-		return json({
-			variables: variables.map(v => ({
-				key: v.key,
-				value: v.value,
-				isSecret: v.isSecret
-			}))
-		});
-	} catch (error) {
-		console.error('Error getting stack env vars:', error);
-		return json({ error: 'Failed to get environment variables' }, { status: 500 });
-	}
-};
-
-/**
- * PUT /api/stacks/[name]/env?env=X
- * Set/replace all environment variables for a stack.
- * Body: { variables: [{ key, value, isSecret? }] }
- *
- * Note: For secrets, if the value is '***' (the masked placeholder), the original
- * secret value from the database is preserved instead of overwriting with '***'.
- */
-export const PUT: RequestHandler = async ({ params, url, cookies, request }) => {
-	const auth = await authorize(cookies);
-	const envId = url.searchParams.get('env');
-	const envIdNum = envId ? parseInt(envId) : null;
-
-	// Permission check with environment context
-	if (auth.authEnabled && !await auth.can('stacks', 'edit', envIdNum ?? undefined)) {
-		return json({ error: 'Permission denied' }, { status: 403 });
-	}
-
-	// Environment access check (enterprise only)
-	if (envIdNum && auth.isEnterprise && !await auth.canAccessEnvironment(envIdNum)) {
-		return json({ error: 'Access denied to this environment' }, { status: 403 });
-	}
-
-	try {
-		const stackName = decodeURIComponent(params.name);
-		const body = await request.json();
-
-		if (!body.variables || !Array.isArray(body.variables)) {
-			return json({ error: 'Invalid request body: variables array required' }, { status: 400 });
-		}
-
-		// Validate variables
-		for (const v of body.variables) {
-			if (!v.key || typeof v.key !== 'string') {
-				return json({ error: 'Invalid variable: key is required and must be a string' }, { status: 400 });
-			}
-			if (typeof v.value !== 'string') {
-				return json({ error: `Invalid variable "${v.key}": value must be a string` }, { status: 400 });
-			}
-			// Validate key format (env var naming convention)
-			if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(v.key)) {
-				return json({ error: `Invalid variable name "${v.key}": must start with a letter or underscore and contain only alphanumeric characters and underscores` }, { status: 400 });
-			}
-		}
-
-		// Check if any secrets have the masked placeholder '***'
-		// If so, we need to preserve their original values from the database
-		const secretsWithMaskedValue = body.variables.filter(
-			(v: { key: string; value: string; isSecret?: boolean }) =>
-				v.isSecret && v.value === '***'
-		);
-
-		let variablesToSave = body.variables;
-
-		if (secretsWithMaskedValue.length > 0) {
-			// Get existing variables (unmasked) to preserve secret values
-			const existingVars = await getStackEnvVars(stackName, envIdNum, false);
-			const existingByKey = new Map(existingVars.map(v => [v.key, v]));
-
-			// Replace masked secrets with their original values
-			variablesToSave = body.variables.map((v: { key: string; value: string; isSecret?: boolean }) => {
-				if (v.isSecret && v.value === '***') {
-					const existing = existingByKey.get(v.key);
-					if (existing && existing.isSecret) {
-						// Preserve the original secret value
-						return { ...v, value: existing.value };
-					}
-				}
-				return v;
-			});
-		}
-
-		await setStackEnvVars(stackName, envIdNum, variablesToSave);
-
-		return json({ success: true, count: variablesToSave.length });
-	} catch (error) {
-		console.error('Error setting stack env vars:', error);
-		return json({ error: 'Failed to set environment variables' }, { status: 500 });
-	}
-};
diff --git a/routes/containers/CreateContainerModal.svelte b/routes/containers/CreateContainerModal.svelte
deleted file mode 100644
index 6796704..0000000
--- a/routes/containers/CreateContainerModal.svelte
+++ /dev/null
@@ -1,1657 +0,0 @@
-<script lang="ts">
-	import { tick } from 'svelte';
-	import * as Dialog from '$lib/components/ui/dialog';
-	import * as Select from '$lib/components/ui/select';
-	import { Label } from '$lib/components/ui/label';
-	import { Input } from '$lib/components/ui/input';
-	import { Button } from '$lib/components/ui/button';
-	import { Checkbox } from '$lib/components/ui/checkbox';
-	import { TogglePill, ToggleGroup } from '$lib/components/ui/toggle-pill';
-	import { Plus, Trash2, Settings2, RefreshCw, Network, X, Ban, RotateCw, AlertTriangle, PauseCircle, Share2, Server, CircleOff, ChevronDown, ChevronRight, ArrowBigRight, Cpu, Shield, HeartPulse, Wifi, HardDrive, Lock, User, Loader2, Download, CheckCircle2, XCircle, ShieldCheck, ShieldAlert, ShieldX, Package, AlertCircle, Play } from 'lucide-svelte';
-	import { toast } from 'svelte-sonner';
-	import AutoUpdateSettings from './AutoUpdateSettings.svelte';
-	import { Badge } from '$lib/components/ui/badge';
-	import { currentEnvironment, appendEnvParam } from '$lib/stores/environment';
-	import { focusFirstInput } from '$lib/utils';
-	import PullTab from '$lib/components/PullTab.svelte';
-	import ScanTab from '$lib/components/ScanTab.svelte';
-	import type { ScanResult } from '$lib/components/ScanTab.svelte';
-
-	// Protocol options for ports
-	const protocolOptions = [
-		{ value: 'tcp', label: 'TCP' },
-		{ value: 'udp', label: 'UDP' }
-	];
-
-	// Mode options for volumes
-	const volumeModeOptions = [
-		{ value: 'rw', label: 'RW' },
-		{ value: 'ro', label: 'RO' }
-	];
-
-	// Parse shell command respecting quotes
-	function parseShellCommand(cmd: string): string[] {
-		const args: string[] = [];
-		let current = '';
-		let inQuotes = false;
-		let quoteChar = '';
-
-		for (let i = 0; i < cmd.length; i++) {
-			const char = cmd[i];
-
-			if ((char === '"' || char === "'") && !inQuotes) {
-				inQuotes = true;
-				quoteChar = char;
-			} else if (char === quoteChar && inQuotes) {
-				inQuotes = false;
-				quoteChar = '';
-			} else if (char === ' ' && !inQuotes) {
-				if (current) {
-					args.push(current);
-					current = '';
-				}
-			} else {
-				current += char;
-			}
-		}
-
-		if (current) {
-			args.push(current);
-		}
-
-		return args;
-	}
-
-	interface ConfigSet {
-		id: number;
-		name: string;
-		description?: string;
-		env_vars?: { key: string; value: string }[];
-		labels?: { key: string; value: string }[];
-		ports?: { hostPort: string; containerPort: string; protocol: string }[];
-		volumes?: { hostPath: string; containerPath: string; mode: string }[];
-		network_mode: string;
-		restart_policy: string;
-	}
-
-
-	interface Props {
-		open: boolean;
-		onClose?: () => void;
-		onSuccess?: () => void;
-		prefilledImage?: string;
-		skipPullTab?: boolean;
-		autoPull?: boolean;
-	}
-
-	let { open = $bindable(), onClose, onSuccess, prefilledImage, skipPullTab = false, autoPull = false }: Props = $props();
-
-	// Track if we've already auto-pulled for this modal session
-	let hasAutoPulled = $state(false);
-
-	// Tab state - start on settings if skipping pull tab
-	let activeTab = $state<'pull' | 'scan' | 'container'>(skipPullTab ? 'container' : 'pull');
-
-	// Config sets
-	let configSets = $state<ConfigSet[]>([]);
-	let selectedConfigSetId = $state<string>('');
-
-	// Form state
-	let name = $state('');
-	let image = $state('');
-	let command = $state('');
-	let restartPolicy = $state('no');
-	let networkMode = $state('bridge');
-	let startAfterCreate = $state(true);
-
-	// Port mappings
-	let portMappings = $state<{ hostPort: string; containerPort: string; protocol: string }[]>([
-		{ hostPort: '', containerPort: '', protocol: 'tcp' }
-	]);
-
-	// Volume mappings
-	let volumeMappings = $state<{ hostPath: string; containerPath: string; mode: string }[]>([
-		{ hostPath: '', containerPath: '', mode: 'rw' }
-	]);
-
-	// Environment variables
-	let envVars = $state<{ key: string; value: string }[]>([{ key: '', value: '' }]);
-
-	// Labels
-	let labels = $state<{ key: string; value: string }[]>([{ key: '', value: '' }]);
-
-	// Networks
-	interface DockerNetwork {
-		id: string;
-		name: string;
-		driver: string;
-	}
-	let availableNetworks = $state<DockerNetwork[]>([]);
-	let selectedNetworks = $state<string[]>([]);
-
-	// Auto-update settings
-	let autoUpdateEnabled = $state(false);
-	let autoUpdateCronExpression = $state('0 3 * * *');
-	let vulnerabilityCriteria = $state<string>('never');
-
-	// Collapsible sections state
-	let showResources = $state(false);
-	let showSecurity = $state(false);
-	let showHealth = $state(false);
-	let showDns = $state(false);
-	let showDevices = $state(false);
-	let showUlimits = $state(false);
-
-	// User/Group
-	let containerUser = $state('');
-
-	// Privileged mode
-	let privilegedMode = $state(false);
-
-	// Healthcheck settings
-	let healthcheckEnabled = $state(false);
-	let healthcheckCommand = $state('');
-	let healthcheckInterval = $state(30);
-	let healthcheckTimeout = $state(30);
-	let healthcheckRetries = $state(3);
-	let healthcheckStartPeriod = $state(0);
-
-	// Resource limits
-	let memoryLimit = $state('');
-	let memoryReservation = $state('');
-	let cpuShares = $state('');
-	let nanoCpus = $state('');
-
-	// Capabilities
-	let capAdd = $state<string[]>([]);
-	let capDrop = $state<string[]>([]);
-	let capabilityInput = $state('');
-
-	const commonCapabilities = [
-		'SYS_ADMIN', 'SYS_PTRACE', 'NET_ADMIN', 'NET_RAW', 'IPC_LOCK',
-		'SYS_TIME', 'SYS_RESOURCE', 'MKNOD', 'AUDIT_WRITE', 'SETFCAP',
-		'CHOWN', 'DAC_OVERRIDE', 'FOWNER', 'FSETID', 'KILL', 'SETGID',
-		'SETUID', 'SETPCAP', 'NET_BIND_SERVICE', 'SYS_CHROOT', 'AUDIT_CONTROL'
-	];
-
-	// Devices
-	let deviceMappings = $state<{ hostPath: string; containerPath: string; permissions: string }[]>([]);
-
-	// DNS settings
-	let dnsServers = $state<string[]>([]);
-	let dnsSearch = $state<string[]>([]);
-	let dnsOptions = $state<string[]>([]);
-	let dnsInput = $state('');
-	let dnsSearchInput = $state('');
-	let dnsOptionInput = $state('');
-
-	// Security options
-	let securityOptions = $state<string[]>([]);
-	let securityOptionInput = $state('');
-
-	// Ulimits
-	let ulimits = $state<{ name: string; soft: string; hard: string }[]>([]);
-	const commonUlimits = ['nofile', 'nproc', 'core', 'memlock', 'stack', 'cpu', 'fsize', 'locks'];
-
-	let loading = $state(false);
-	let errors = $state<{ name?: string; image?: string }>({});
-
-	// Component refs
-	let pullTabRef: PullTab | undefined;
-	let scanTabRef: ScanTab | undefined;
-
-	// Pull & Scan status (tracked via component callbacks)
-	let pullStatus = $state<'idle' | 'pulling' | 'complete' | 'error'>('idle');
-	let pullStarted = $state(false);
-	let scanStatus = $state<'idle' | 'scanning' | 'complete' | 'error'>('idle');
-	let scanStarted = $state(false);
-	let scanResults = $state<ScanResult[]>([]);
-
-	// Scanner settings - scanning is enabled if a scanner is configured
-	let envHasScanning = $state(false);
-
-	// Fetch config sets and networks when modal opens
-	$effect(() => {
-		if (open) {
-			fetchConfigSets();
-			fetchNetworks();
-			fetchScannerSettings();
-		}
-	});
-
-	// Track previous open state to detect when modal opens
-	let wasOpen = $state(false);
-
-	$effect(() => {
-		if (open && !wasOpen) {
-			// Modal just opened - reset state
-			pullStatus = 'idle';
-			pullStarted = !skipPullTab;
-			scanStatus = 'idle';
-			scanStarted = false;
-			scanResults = [];
-			hasAutoPulled = false;
-			autoSwitchedToScan = false;
-			autoSwitchedToContainer = false;
-			activeTab = skipPullTab ? 'container' : 'pull';
-
-			// Reset components
-			pullTabRef?.reset();
-			scanTabRef?.reset();
-
-			// Set image from prefilledImage if provided
-			if (prefilledImage) {
-				image = prefilledImage;
-			}
-		}
-		wasOpen = open;
-	});
-
-	// Auto-pull when autoPull is true and modal opens with an image
-	$effect(() => {
-		if (autoPull && open && prefilledImage && !hasAutoPulled && pullStatus === 'idle') {
-			hasAutoPulled = true;
-			// Small delay to ensure component is mounted
-			setTimeout(() => pullTabRef?.startPull(), 100);
-		}
-	});
-
-	// Track auto-switch state to prevent re-triggering when user manually clicks tabs
-	let autoSwitchedToScan = $state(false);
-	let autoSwitchedToContainer = $state(false);
-
-	// Handle pull completion
-	function handlePullComplete() {
-		pullStatus = 'complete';
-		// Auto-start scan if enabled
-		if (envHasScanning && !autoSwitchedToScan) {
-			autoSwitchedToScan = true;
-			scanStarted = true;
-			activeTab = 'scan';
-			// Start scan with small delay for tab switch
-			setTimeout(() => scanTabRef?.startScan(), 100);
-		} else if (!envHasScanning && !autoSwitchedToContainer) {
-			// Go to container tab if no scan
-			autoSwitchedToContainer = true;
-			activeTab = 'container';
-		}
-	}
-
-	function handlePullError(error: string) {
-		pullStatus = 'error';
-	}
-
-	function handlePullStatusChange(status: 'idle' | 'pulling' | 'complete' | 'error') {
-		pullStatus = status;
-	}
-
-	function handleScanComplete(results: ScanResult[]) {
-		scanStatus = 'complete';
-		scanResults = results;
-		// Auto-switch to container tab
-		if (!autoSwitchedToContainer) {
-			autoSwitchedToContainer = true;
-			activeTab = 'container';
-		}
-	}
-
-	function handleScanError(error: string) {
-		scanStatus = 'error';
-	}
-
-	function handleScanStatusChange(status: 'idle' | 'scanning' | 'complete' | 'error') {
-		scanStatus = status;
-	}
-
-	async function fetchNetworks() {
-		try {
-			const envParam = $currentEnvironment ? `?env=${$currentEnvironment.id}` : '';
-			const response = await fetch(`/api/networks${envParam}`);
-			if (response.ok) {
-				availableNetworks = await response.json();
-			}
-		} catch (err) {
-			console.error('Failed to fetch networks:', err);
-		}
-	}
-
-	async function fetchConfigSets() {
-		try {
-			const response = await fetch('/api/config-sets');
-			if (response.ok) {
-				configSets = await response.json();
-			}
-		} catch (err) {
-			console.error('Failed to fetch config sets:', err);
-		}
-	}
-
-	async function fetchScannerSettings() {
-		try {
-			const envId = $currentEnvironment?.id;
-			const url = envId ? `/api/settings/scanner?env=${envId}&settingsOnly=true` : '/api/settings/scanner?settingsOnly=true';
-			const response = await fetch(url);
-			if (response.ok) {
-				const data = await response.json();
-				const scanner = data.settings?.scanner ?? 'none';
-				// Scanning is enabled if a scanner is configured
-				envHasScanning = scanner !== 'none';
-			}
-		} catch (err) {
-			console.error('Failed to fetch scanner settings:', err);
-		}
-	}
-
-	function applyConfigSet(configSetId: string) {
-		selectedConfigSetId = configSetId;
-		if (!configSetId) return;
-
-		const configSet = configSets.find((c) => c.id === parseInt(configSetId));
-		if (!configSet) return;
-
-		if (configSet.env_vars && configSet.env_vars.length > 0) {
-			envVars = configSet.env_vars.map((e) => ({ ...e }));
-		}
-		if (configSet.labels && configSet.labels.length > 0) {
-			labels = configSet.labels.map((l) => ({ ...l }));
-		}
-		if (configSet.ports && configSet.ports.length > 0) {
-			portMappings = configSet.ports.map((p) => ({ ...p }));
-		}
-		if (configSet.volumes && configSet.volumes.length > 0) {
-			volumeMappings = configSet.volumes.map((v) => ({ ...v }));
-		}
-		if (configSet.network_mode) {
-			networkMode = configSet.network_mode;
-		}
-		if (configSet.restart_policy) {
-			restartPolicy = configSet.restart_policy;
-		}
-	}
-
-	// Helper functions for form
-	function addPortMapping() {
-		portMappings = [...portMappings, { hostPort: '', containerPort: '', protocol: 'tcp' }];
-	}
-
-	function removePortMapping(index: number) {
-		portMappings = portMappings.filter((_, i) => i !== index);
-	}
-
-	function addVolumeMapping() {
-		volumeMappings = [...volumeMappings, { hostPath: '', containerPath: '', mode: 'rw' }];
-	}
-
-	function removeVolumeMapping(index: number) {
-		volumeMappings = volumeMappings.filter((_, i) => i !== index);
-	}
-
-	function addEnvVar() {
-		envVars = [...envVars, { key: '', value: '' }];
-	}
-
-	function removeEnvVar(index: number) {
-		envVars = envVars.filter((_, i) => i !== index);
-	}
-
-	function addLabel() {
-		labels = [...labels, { key: '', value: '' }];
-	}
-
-	function removeLabel(index: number) {
-		labels = labels.filter((_, i) => i !== index);
-	}
-
-	function addNetwork(networkId: string) {
-		if (networkId && !selectedNetworks.includes(networkId)) {
-			selectedNetworks = [...selectedNetworks, networkId];
-		}
-	}
-
-	function removeNetwork(networkId: string) {
-		selectedNetworks = selectedNetworks.filter((n) => n !== networkId);
-	}
-
-	function addDeviceMapping() {
-		deviceMappings = [...deviceMappings, { hostPath: '', containerPath: '', permissions: 'rwm' }];
-	}
-
-	function removeDeviceMapping(index: number) {
-		deviceMappings = deviceMappings.filter((_, i) => i !== index);
-	}
-
-	function addUlimit() {
-		ulimits = [...ulimits, { name: 'nofile', soft: '', hard: '' }];
-	}
-
-	function removeUlimit(index: number) {
-		ulimits = ulimits.filter((_, i) => i !== index);
-	}
-
-	function addCapability(type: 'add' | 'drop', cap: string) {
-		if (!cap) return;
-		const capUpper = cap.toUpperCase();
-		if (type === 'add') {
-			if (!capAdd.includes(capUpper)) {
-				capAdd = [...capAdd, capUpper];
-			}
-		} else {
-			if (!capDrop.includes(capUpper)) {
-				capDrop = [...capDrop, capUpper];
-			}
-		}
-	}
-
-	function removeCapability(type: 'add' | 'drop', cap: string) {
-		if (type === 'add') {
-			capAdd = capAdd.filter(c => c !== cap);
-		} else {
-			capDrop = capDrop.filter(c => c !== cap);
-		}
-	}
-
-	function addDnsServer() {
-		if (dnsInput.trim() && !dnsServers.includes(dnsInput.trim())) {
-			dnsServers = [...dnsServers, dnsInput.trim()];
-			dnsInput = '';
-		}
-	}
-
-	function removeDnsServer(server: string) {
-		dnsServers = dnsServers.filter(s => s !== server);
-	}
-
-	function addDnsSearch() {
-		if (dnsSearchInput.trim() && !dnsSearch.includes(dnsSearchInput.trim())) {
-			dnsSearch = [...dnsSearch, dnsSearchInput.trim()];
-			dnsSearchInput = '';
-		}
-	}
-
-	function removeDnsSearch(domain: string) {
-		dnsSearch = dnsSearch.filter(d => d !== domain);
-	}
-
-	function addDnsOption() {
-		if (dnsOptionInput.trim() && !dnsOptions.includes(dnsOptionInput.trim())) {
-			dnsOptions = [...dnsOptions, dnsOptionInput.trim()];
-			dnsOptionInput = '';
-		}
-	}
-
-	function removeDnsOption(option: string) {
-		dnsOptions = dnsOptions.filter(o => o !== option);
-	}
-
-	function addSecurityOption() {
-		if (securityOptionInput.trim() && !securityOptions.includes(securityOptionInput.trim())) {
-			securityOptions = [...securityOptions, securityOptionInput.trim()];
-			securityOptionInput = '';
-		}
-	}
-
-	function removeSecurityOption(option: string) {
-		securityOptions = securityOptions.filter(o => o !== option);
-	}
-
-	function parseMemory(value: string): number | undefined {
-		if (!value) return undefined;
-		const match = value.trim().toLowerCase().match(/^(\d+(?:\.\d+)?)\s*([kmgt]?b?)?$/);
-		if (!match) return undefined;
-		const num = parseFloat(match[1]);
-		const unit = match[2] || '';
-		switch (unit) {
-			case 'k': case 'kb': return Math.floor(num * 1024);
-			case 'm': case 'mb': return Math.floor(num * 1024 * 1024);
-			case 'g': case 'gb': return Math.floor(num * 1024 * 1024 * 1024);
-			case 't': case 'tb': return Math.floor(num * 1024 * 1024 * 1024 * 1024);
-			default: return Math.floor(num);
-		}
-	}
-
-	function parseNanoCpus(value: string): number | undefined {
-		if (!value) return undefined;
-		const num = parseFloat(value);
-		if (isNaN(num)) return undefined;
-		return Math.floor(num * 1e9);
-	}
-
-	function getDriverBadgeClasses(driver: string): string {
-		const base = 'text-2xs px-1.5 py-0.5 rounded font-medium';
-		switch (driver.toLowerCase()) {
-			case 'bridge': return `${base} bg-emerald-100 text-emerald-700 dark:bg-emerald-900/50 dark:text-emerald-300`;
-			case 'host': return `${base} bg-sky-100 text-sky-700 dark:bg-sky-900/50 dark:text-sky-300`;
-			case 'null': case 'none': return `${base} bg-slate-100 text-slate-600 dark:bg-slate-800 dark:text-slate-400`;
-			case 'overlay': return `${base} bg-violet-100 text-violet-700 dark:bg-violet-900/50 dark:text-violet-300`;
-			case 'macvlan': return `${base} bg-amber-100 text-amber-700 dark:bg-amber-900/50 dark:text-amber-300`;
-			default: return `${base} bg-slate-100 text-slate-600 dark:bg-slate-800 dark:text-slate-400`;
-		}
-	}
-
-	async function handleSubmit(e: Event) {
-		e.preventDefault();
-		errors = {};
-
-		let hasErrors = false;
-		if (!name.trim()) {
-			errors.name = 'Container name is required';
-			hasErrors = true;
-		}
-
-		if (!image.trim()) {
-			errors.image = 'Image name is required';
-			hasErrors = true;
-		}
-
-		if (hasErrors) {
-			return;
-		}
-
-		loading = true;
-
-		try {
-			const ports: any = {};
-			portMappings
-				.filter((p) => p.containerPort && p.hostPort)
-				.forEach((p) => {
-					const key = `${p.containerPort}/${p.protocol}`;
-					ports[key] = { HostPort: String(p.hostPort) };
-				});
-
-			const volumeBinds = volumeMappings
-				.filter((v) => v.hostPath && v.containerPath)
-				.map((v) => `${v.hostPath}:${v.containerPath}:${v.mode}`);
-
-			const env = envVars
-				.filter((e) => e.key && e.value)
-				.map((e) => `${e.key}=${e.value}`);
-
-			const labelsObj: any = {};
-			labels
-				.filter((l) => l.key && l.value)
-				.forEach((l) => {
-					labelsObj[l.key] = l.value;
-				});
-
-			const cmd = command.trim() ? parseShellCommand(command.trim()) : undefined;
-
-			let healthcheck: any = undefined;
-			if (healthcheckEnabled && healthcheckCommand.trim()) {
-				healthcheck = {
-					test: ['CMD-SHELL', healthcheckCommand.trim()],
-					interval: healthcheckInterval * 1e9,
-					timeout: healthcheckTimeout * 1e9,
-					retries: healthcheckRetries,
-					startPeriod: healthcheckStartPeriod * 1e9
-				};
-			}
-
-			const devices = deviceMappings
-				.filter(d => d.hostPath && d.containerPath)
-				.map(d => ({
-					hostPath: d.hostPath,
-					containerPath: d.containerPath,
-					permissions: d.permissions || 'rwm'
-				}));
-
-			const ulimitsArray = ulimits
-				.filter(u => u.name && u.soft && u.hard)
-				.map(u => ({
-					name: u.name,
-					soft: parseInt(u.soft) || 0,
-					hard: parseInt(u.hard) || 0
-				}));
-
-			const payload = {
-				name: name.trim(),
-				image: image.trim(),
-				ports: Object.keys(ports).length > 0 ? ports : undefined,
-				volumeBinds: volumeBinds.length > 0 ? volumeBinds : undefined,
-				env: env.length > 0 ? env : undefined,
-				labels: Object.keys(labelsObj).length > 0 ? labelsObj : undefined,
-				cmd,
-				restartPolicy,
-				networkMode,
-				networks: selectedNetworks.length > 0 ? selectedNetworks : undefined,
-				startAfterCreate,
-				user: containerUser.trim() || undefined,
-				privileged: privilegedMode || undefined,
-				healthcheck,
-				memory: parseMemory(memoryLimit),
-				memoryReservation: parseMemory(memoryReservation),
-				cpuShares: cpuShares ? parseInt(cpuShares) : undefined,
-				nanoCpus: parseNanoCpus(nanoCpus),
-				capAdd: capAdd.length > 0 ? capAdd : undefined,
-				capDrop: capDrop.length > 0 ? capDrop : undefined,
-				devices: devices.length > 0 ? devices : undefined,
-				dns: dnsServers.length > 0 ? dnsServers : undefined,
-				dnsSearch: dnsSearch.length > 0 ? dnsSearch : undefined,
-				dnsOptions: dnsOptions.length > 0 ? dnsOptions : undefined,
-				securityOpt: securityOptions.length > 0 ? securityOptions : undefined,
-				ulimits: ulimitsArray.length > 0 ? ulimitsArray : undefined
-			};
-
-			const envParam = $currentEnvironment ? `?env=${$currentEnvironment.id}` : '';
-			const response = await fetch(`/api/containers${envParam}`, {
-				method: 'POST',
-				headers: { 'Content-Type': 'application/json' },
-				body: JSON.stringify(payload)
-			});
-
-			const result = await response.json();
-
-			if (!response.ok) {
-				let errorMsg = result.error || 'Failed to create container';
-				if (result.details) {
-					errorMsg += ': ' + result.details;
-				}
-				toast.error(errorMsg);
-				return;
-			}
-
-			if (autoUpdateEnabled) {
-				try {
-					const envParam = $currentEnvironment ? `?env=${$currentEnvironment.id}` : '';
-					await fetch(`/api/auto-update/${encodeURIComponent(name.trim())}${envParam}`, {
-						method: 'POST',
-						headers: { 'Content-Type': 'application/json' },
-						body: JSON.stringify({
-							enabled: autoUpdateEnabled,
-							cronExpression: autoUpdateCronExpression,
-							vulnerabilityCriteria: vulnerabilityCriteria
-						})
-					});
-				} catch (err) {
-					console.error('Failed to save auto-update settings:', err);
-				}
-			}
-
-			if (result.imagePulled) {
-				toast.success(`Container created (image ${image.trim()} was pulled automatically)`);
-			} else {
-				toast.success('Container created successfully');
-			}
-
-			open = false;
-			resetForm();
-			onSuccess?.();
-			onClose?.();
-		} catch (err) {
-			toast.error('Failed to create container: ' + String(err));
-		} finally {
-			loading = false;
-		}
-	}
-
-	function resetForm() {
-		name = '';
-		image = '';
-		command = '';
-		restartPolicy = 'no';
-		networkMode = 'bridge';
-		startAfterCreate = true;
-		portMappings = [{ hostPort: '', containerPort: '', protocol: 'tcp' }];
-		volumeMappings = [{ hostPath: '', containerPath: '', mode: 'rw' }];
-		envVars = [{ key: '', value: '' }];
-		labels = [{ key: '', value: '' }];
-		selectedNetworks = [];
-		autoUpdateEnabled = false;
-		autoUpdateCronExpression = '0 3 * * *';
-		vulnerabilityCriteria = 'never';
-		errors = {};
-		selectedConfigSetId = '';
-		showResources = false;
-		showSecurity = false;
-		showHealth = false;
-		showDns = false;
-		showDevices = false;
-		showUlimits = false;
-		containerUser = '';
-		privilegedMode = false;
-		healthcheckEnabled = false;
-		healthcheckCommand = '';
-		healthcheckInterval = 30;
-		healthcheckTimeout = 30;
-		healthcheckRetries = 3;
-		healthcheckStartPeriod = 0;
-		memoryLimit = '';
-		memoryReservation = '';
-		cpuShares = '';
-		nanoCpus = '';
-		capAdd = [];
-		capDrop = [];
-		capabilityInput = '';
-		deviceMappings = [];
-		dnsServers = [];
-		dnsSearch = [];
-		dnsOptions = [];
-		dnsInput = '';
-		dnsSearchInput = '';
-		dnsOptionInput = '';
-		securityOptions = [];
-		securityOptionInput = '';
-		ulimits = [];
-		// Reset pull/scan state
-		activeTab = skipPullTab ? 'container' : 'pull';
-		pullStatus = 'idle';
-		pullStarted = false;
-		scanStatus = 'idle';
-		scanStarted = false;
-		scanResults = [];
-		hasAutoPulled = false;
-		autoSwitchedToScan = false;
-		autoSwitchedToContainer = false;
-		// Reset components
-		pullTabRef?.reset();
-		scanTabRef?.reset();
-	}
-
-	function handleClose() {
-		open = false;
-		resetForm();
-		onClose?.();
-	}
-
-	const totalVulnerabilities = $derived(
-		scanResults.reduce((total, r) => total + r.vulnerabilities.length, 0)
-	);
-
-	const hasCriticalOrHigh = $derived(
-		scanResults.some(r => r.summary.critical > 0 || r.summary.high > 0)
-	);
-
-	const isPulling = $derived(pullStatus === 'pulling');
-	const isScanning = $derived(scanStatus === 'scanning');
-	const imageReady = $derived(pullStatus === 'complete');
-</script>
-
-<Dialog.Root bind:open onOpenChange={(isOpen) => isOpen && focusFirstInput()}>
-	<Dialog.Content class="max-w-4xl w-full h-[85vh] p-0 flex flex-col overflow-hidden !zoom-in-0 !zoom-out-0" showCloseButton={false}>
-		<Dialog.Header class="px-5 py-4 border-b bg-muted/30 shrink-0 sticky top-0 z-10">
-			<Dialog.Title class="text-base font-semibold">Create new container</Dialog.Title>
-			<button
-				type="button"
-				onclick={handleClose}
-				disabled={loading || isPulling || isScanning}
-				class="absolute right-4 top-4 rounded-sm opacity-70 ring-offset-background transition-opacity hover:opacity-100 focus:outline-none focus:ring-2 focus:ring-ring focus:ring-offset-2 disabled:pointer-events-none disabled:opacity-30"
-			>
-				<X class="h-4 w-4" />
-				<span class="sr-only">Close</span>
-			</button>
-		</Dialog.Header>
-
-		<!-- Tabs (hidden when skipPullTab) -->
-		{#if !skipPullTab}
-		<div class="flex items-center border-b shrink-0 px-5 bg-muted/10">
-			<!-- Pull Tab -->
-			<button
-				class="px-4 py-2.5 text-sm font-medium border-b-2 transition-colors cursor-pointer flex items-center gap-2 {activeTab === 'pull' ? 'border-primary text-foreground' : 'border-transparent text-muted-foreground hover:text-foreground'}"
-				onclick={() => activeTab = 'pull'}
-			>
-				<Download class="w-4 h-4" />
-				Pull
-				{#if pullStatus === 'complete'}
-					<CheckCircle2 class="w-3.5 h-3.5 text-green-500" />
-				{:else if pullStatus === 'pulling'}
-					<Loader2 class="w-3.5 h-3.5 animate-spin" />
-				{:else if pullStatus === 'error'}
-					<XCircle class="w-3.5 h-3.5 text-red-500" />
-				{/if}
-			</button>
-			{#if envHasScanning}
-				<ArrowBigRight class="w-3.5 h-3.5 text-muted-foreground/50 shrink-0" />
-				<!-- Scan Tab -->
-				<button
-					class="px-4 py-2.5 text-sm font-medium border-b-2 transition-colors cursor-pointer flex items-center gap-2 {activeTab === 'scan' ? 'border-primary text-foreground' : 'border-transparent text-muted-foreground hover:text-foreground'}"
-					onclick={() => activeTab = 'scan'}
-					disabled={pullStatus === 'idle' || pullStatus === 'pulling'}
-				>
-					<Shield class="w-4 h-4" />
-					Scan
-					{#if scanStatus === 'complete' && scanResults.length > 0}
-						{#if hasCriticalOrHigh}
-							<ShieldX class="w-3.5 h-3.5 text-red-500" />
-						{:else if totalVulnerabilities > 0}
-							<ShieldAlert class="w-3.5 h-3.5 text-yellow-500" />
-						{:else}
-							<ShieldCheck class="w-3.5 h-3.5 text-green-500" />
-						{/if}
-					{:else if scanStatus === 'scanning'}
-						<Loader2 class="w-3.5 h-3.5 animate-spin" />
-					{/if}
-				</button>
-			{/if}
-			<ArrowBigRight class="w-3.5 h-3.5 text-muted-foreground/50 shrink-0" />
-			<!-- Container Tab -->
-			<button
-				class="px-4 py-2.5 text-sm font-medium border-b-2 transition-colors cursor-pointer flex items-center gap-2 {activeTab === 'container' ? 'border-primary text-foreground' : 'border-transparent text-muted-foreground hover:text-foreground'}"
-				onclick={() => activeTab = 'container'}
-			>
-				<Settings2 class="w-4 h-4" />
-				Container
-			</button>
-		</div>
-		{/if}
-
-		<!-- Tab Content -->
-		<!-- Pull Tab - using PullTab component -->
-		<div class="px-5 py-4 flex-1 min-h-0 flex flex-col" class:hidden={activeTab !== 'pull'}>
-			<PullTab
-				bind:this={pullTabRef}
-				imageName={image}
-				envId={$currentEnvironment?.id}
-				showImageInput={!autoPull}
-				autoStart={pullStarted && pullStatus === 'idle'}
-				onComplete={handlePullComplete}
-				onError={handlePullError}
-				onStatusChange={handlePullStatusChange}
-				onImageChange={(newImage) => image = newImage}
-			/>
-		</div>
-
-		<!-- Scan Tab - using ScanTab component -->
-		<div class="px-5 py-4 flex-1 min-h-0 flex flex-col" class:hidden={activeTab !== 'scan'}>
-			{#if envHasScanning}
-				<ScanTab
-					bind:this={scanTabRef}
-					imageName={image}
-					envId={$currentEnvironment?.id}
-					autoStart={scanStarted && scanStatus === 'idle'}
-					onComplete={handleScanComplete}
-					onError={handleScanError}
-					onStatusChange={handleScanStatusChange}
-				/>
-			{:else}
-				<!-- Scanning disabled -->
-				<div class="flex-1 flex items-center justify-center">
-					<div class="text-center">
-						<Shield class="w-12 h-12 text-muted-foreground/50 mx-auto mb-2" />
-						<p class="text-sm text-muted-foreground">Vulnerability scanning is disabled for this environment.</p>
-						<p class="text-xs text-muted-foreground mt-1">Enable it in Settings → Environments to scan images.</p>
-					</div>
-				</div>
-			{/if}
-		</div>
-
-		<!-- Container Settings Tab -->
-		<div class="px-5 py-4 space-y-5 flex-1 overflow-y-auto" class:hidden={activeTab !== 'container'}>
-			<!-- Image Summary -->
-				<div class="p-3 rounded-lg bg-muted/50 border">
-					<div class="flex items-center gap-3">
-						<Package class="w-5 h-5 text-muted-foreground" />
-						<div>
-							<p class="text-sm font-medium">Image: <code class="bg-muted px-1.5 py-0.5 rounded">{image || 'Not set'}</code></p>
-							{#if isPulling || isScanning}
-								<p class="text-xs text-blue-600 flex items-center gap-1 mt-0.5">
-									<Loader2 class="w-3 h-3 animate-spin" />
-									{isScanning ? 'Scanning...' : 'Pulling...'}
-								</p>
-							{:else if imageReady}
-								<p class="text-xs text-muted-foreground flex items-center gap-1 mt-0.5">
-									<CheckCircle2 class="w-3 h-3" />
-									Image pulled and ready
-									{#if scanResults.length > 0}
-										• <span class="{hasCriticalOrHigh ? 'text-red-600' : totalVulnerabilities > 0 ? 'text-amber-600' : 'text-green-600'}">{totalVulnerabilities} vulnerabilities</span>
-									{/if}
-								</p>
-							{:else if !image && !skipPullTab}
-								<p class="text-xs text-amber-600 flex items-center gap-1 mt-0.5">
-									<AlertTriangle class="w-3 h-3" />
-									Go to "Pull" tab to set the image
-								</p>
-							{/if}
-						</div>
-					</div>
-				</div>
-
-				<!-- Config Set Selector -->
-				{#if configSets.length > 0}
-					<div class="space-y-2">
-						<div class="flex items-center gap-2 pb-2 border-b">
-							<Settings2 class="w-4 h-4 text-muted-foreground" />
-							<h3 class="text-sm font-semibold text-foreground">Config set</h3>
-						</div>
-						<div class="flex gap-2 items-end">
-							<div class="flex-1">
-								<Select.Root type="single" value={selectedConfigSetId} onValueChange={applyConfigSet}>
-									<Select.Trigger class="w-full h-9">
-										<span>{selectedConfigSetId ? configSets.find(c => c.id === parseInt(selectedConfigSetId))?.name : 'Select a config set to pre-fill values...'}</span>
-									</Select.Trigger>
-									<Select.Content>
-										{#each configSets as configSet}
-											<Select.Item value={String(configSet.id)} label={configSet.name}>
-												<div class="flex flex-col">
-													<span>{configSet.name}</span>
-													{#if configSet.description}
-														<span class="text-xs text-muted-foreground">{configSet.description}</span>
-													{/if}
-												</div>
-											</Select.Item>
-										{/each}
-									</Select.Content>
-								</Select.Root>
-							</div>
-						</div>
-					</div>
-				{/if}
-
-				<!-- Basic Settings -->
-				<div class="space-y-3">
-					<div class="flex items-center gap-2 pb-2 border-b">
-						<h3 class="text-sm font-semibold text-foreground">Basic settings</h3>
-					</div>
-
-					<div class="space-y-1.5">
-						<Label for="name" class="text-xs font-medium">Container name *</Label>
-						<Input
-							id="name"
-							bind:value={name}
-							placeholder="my-container"
-							required
-							class="h-9 {errors.name ? 'border-destructive focus-visible:ring-destructive' : ''}"
-							oninput={() => errors.name = undefined}
-						/>
-						{#if errors.name}
-							<p class="text-xs text-destructive">{errors.name}</p>
-						{/if}
-					</div>
-
-					<div class="space-y-1.5">
-						<Label for="command" class="text-xs font-medium">Command (optional)</Label>
-						<Input id="command" bind:value={command} placeholder="/bin/sh -c 'echo hello'" class="h-9" />
-					</div>
-
-					<div class="grid grid-cols-2 gap-3">
-						<div class="space-y-1.5">
-							<Label class="text-xs font-medium">Restart policy</Label>
-							<Select.Root type="single" bind:value={restartPolicy}>
-								<Select.Trigger id="restartPolicy" tabindex={0} class="w-full h-9">
-									<span class="flex items-center">
-										{#if restartPolicy === 'no'}
-											<Ban class="w-3.5 h-3.5 mr-2 text-muted-foreground" />
-										{:else if restartPolicy === 'always'}
-											<RotateCw class="w-3.5 h-3.5 mr-2 text-green-500" />
-										{:else if restartPolicy === 'on-failure'}
-											<AlertTriangle class="w-3.5 h-3.5 mr-2 text-amber-500" />
-										{:else}
-											<PauseCircle class="w-3.5 h-3.5 mr-2 text-blue-500" />
-										{/if}
-										{restartPolicy === 'no' ? 'No' : restartPolicy === 'always' ? 'Always' : restartPolicy === 'on-failure' ? 'On failure' : 'Unless stopped'}
-									</span>
-								</Select.Trigger>
-								<Select.Content>
-									<Select.Item value="no">
-										{#snippet children()}
-											<Ban class="w-3.5 h-3.5 mr-2 text-muted-foreground" />
-											No
-										{/snippet}
-									</Select.Item>
-									<Select.Item value="always">
-										{#snippet children()}
-											<RotateCw class="w-3.5 h-3.5 mr-2 text-green-500" />
-											Always
-										{/snippet}
-									</Select.Item>
-									<Select.Item value="on-failure">
-										{#snippet children()}
-											<AlertTriangle class="w-3.5 h-3.5 mr-2 text-amber-500" />
-											On failure
-										{/snippet}
-									</Select.Item>
-									<Select.Item value="unless-stopped">
-										{#snippet children()}
-											<PauseCircle class="w-3.5 h-3.5 mr-2 text-blue-500" />
-											Unless stopped
-										{/snippet}
-									</Select.Item>
-								</Select.Content>
-							</Select.Root>
-						</div>
-
-						<div class="space-y-1.5">
-							<Label class="text-xs font-medium">Network mode</Label>
-							<Select.Root type="single" bind:value={networkMode}>
-								<Select.Trigger id="networkMode" tabindex={0} class="w-full h-9">
-									<span class="flex items-center">
-										{#if networkMode === 'bridge'}
-											<Share2 class="w-3.5 h-3.5 mr-2 text-emerald-500" />
-										{:else if networkMode === 'host'}
-											<Server class="w-3.5 h-3.5 mr-2 text-sky-500" />
-										{:else}
-											<CircleOff class="w-3.5 h-3.5 mr-2 text-muted-foreground" />
-										{/if}
-										{networkMode === 'bridge' ? 'Bridge' : networkMode === 'host' ? 'Host' : 'None'}
-									</span>
-								</Select.Trigger>
-								<Select.Content>
-									<Select.Item value="bridge">
-										{#snippet children()}
-											<Share2 class="w-3.5 h-3.5 mr-2 text-emerald-500" />
-											Bridge
-										{/snippet}
-									</Select.Item>
-									<Select.Item value="host">
-										{#snippet children()}
-											<Server class="w-3.5 h-3.5 mr-2 text-sky-500" />
-											Host
-										{/snippet}
-									</Select.Item>
-									<Select.Item value="none">
-										{#snippet children()}
-											<CircleOff class="w-3.5 h-3.5 mr-2 text-muted-foreground" />
-											None
-										{/snippet}
-									</Select.Item>
-								</Select.Content>
-							</Select.Root>
-						</div>
-					</div>
-
-					<div class="flex items-center gap-3 pt-1">
-						<Label class="text-xs font-normal">Start container after creation</Label>
-						<TogglePill bind:checked={startAfterCreate} />
-					</div>
-				</div>
-
-				<!-- Networks -->
-				{#if availableNetworks.length > 0}
-					<div class="space-y-2">
-						<div class="flex justify-between items-center pb-2 border-b">
-							<div class="flex items-center gap-2">
-								<Network class="w-4 h-4 text-muted-foreground" />
-								<h3 class="text-sm font-semibold text-foreground">Networks</h3>
-							</div>
-						</div>
-
-						<div class="space-y-2">
-							<Select.Root type="single" value="" onValueChange={addNetwork}>
-								<Select.Trigger tabindex={0} class="w-full h-9">
-									<span class="text-muted-foreground">Select network to add...</span>
-								</Select.Trigger>
-								<Select.Content>
-									{#each availableNetworks.filter(n => !selectedNetworks.includes(n.name) && !['bridge', 'host', 'none'].includes(n.name)) as network}
-										<Select.Item value={network.name}>
-											{#snippet children()}
-												<div class="flex items-center justify-between w-full">
-													<span>{network.name}</span>
-													<span class={getDriverBadgeClasses(network.driver)}>{network.driver}</span>
-												</div>
-											{/snippet}
-										</Select.Item>
-									{/each}
-								</Select.Content>
-							</Select.Root>
-
-							{#if selectedNetworks.length > 0}
-								<div class="flex flex-wrap gap-2 pt-1">
-									{#each selectedNetworks as networkName}
-										{@const network = availableNetworks.find(n => n.name === networkName)}
-										<Badge variant="secondary" class="flex items-center gap-1.5 pr-1">
-											{networkName}
-											{#if network}
-												<span class={getDriverBadgeClasses(network.driver)}>{network.driver}</span>
-											{/if}
-											<button
-												type="button"
-												onclick={() => removeNetwork(networkName)}
-												class="ml-0.5 hover:bg-destructive/20 rounded p-0.5"
-											>
-												<X class="w-3 h-3" />
-											</button>
-										</Badge>
-									{/each}
-								</div>
-							{/if}
-						</div>
-					</div>
-				{/if}
-
-				<!-- Port Mappings -->
-				<div class="space-y-2">
-					<div class="flex justify-between items-center pb-2 border-b">
-						<h3 class="text-sm font-semibold text-foreground">Port mappings</h3>
-						<Button type="button" size="sm" variant="ghost" onclick={addPortMapping} class="h-7 text-xs">
-							<Plus class="w-3.5 h-3.5 mr-1" />
-							Add
-						</Button>
-					</div>
-
-					<div class="space-y-2">
-						{#each portMappings as mapping, index}
-							<div class="flex gap-2 items-center">
-								<div class="flex-1 relative">
-									<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1">Host</span>
-									<Input bind:value={mapping.hostPort} type="number" class="h-9" />
-								</div>
-								<div class="flex-1 relative">
-									<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1">Container</span>
-									<Input bind:value={mapping.containerPort} type="number" class="h-9" />
-								</div>
-								<ToggleGroup
-									value={mapping.protocol}
-									options={protocolOptions}
-									onchange={(v) => { portMappings[index].protocol = v; }}
-								/>
-								<Button
-									type="button"
-									size="icon"
-									variant="ghost"
-									onclick={() => removePortMapping(index)}
-									disabled={portMappings.length === 1}
-									class="h-9 w-9 text-muted-foreground hover:text-destructive"
-								>
-									<Trash2 class="w-4 h-4" />
-								</Button>
-							</div>
-						{/each}
-					</div>
-				</div>
-
-				<!-- Volume Mappings -->
-				<div class="space-y-2">
-					<div class="flex justify-between items-center pb-2 border-b">
-						<h3 class="text-sm font-semibold text-foreground">Volume mappings</h3>
-						<Button type="button" size="sm" variant="ghost" onclick={addVolumeMapping} class="h-7 text-xs">
-							<Plus class="w-3.5 h-3.5 mr-1" />
-							Add
-						</Button>
-					</div>
-
-					<div class="space-y-2">
-						{#each volumeMappings as mapping, index}
-							<div class="flex gap-2 items-center">
-								<div class="flex-1 relative">
-									<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1">Host path</span>
-									<Input bind:value={mapping.hostPath} class="h-9" />
-								</div>
-								<div class="flex-1 relative">
-									<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1">Container path</span>
-									<Input bind:value={mapping.containerPath} class="h-9" />
-								</div>
-								<ToggleGroup
-									value={mapping.mode}
-									options={volumeModeOptions}
-									onchange={(v) => { volumeMappings[index].mode = v; }}
-								/>
-								<Button
-									type="button"
-									size="icon"
-									variant="ghost"
-									onclick={() => removeVolumeMapping(index)}
-									disabled={volumeMappings.length === 1}
-									class="h-9 w-9 text-muted-foreground hover:text-destructive"
-								>
-									<Trash2 class="w-4 h-4" />
-								</Button>
-							</div>
-						{/each}
-					</div>
-				</div>
-
-				<!-- Environment Variables -->
-				<div class="space-y-2">
-					<div class="flex justify-between items-center pb-2 border-b">
-						<h3 class="text-sm font-semibold text-foreground">Environment variables</h3>
-						<Button type="button" size="sm" variant="ghost" onclick={addEnvVar} class="h-7 text-xs">
-							<Plus class="w-3.5 h-3.5 mr-1" />
-							Add
-						</Button>
-					</div>
-
-					<div class="space-y-2">
-						{#each envVars as envVar, index}
-							<div class="flex gap-2 items-center">
-								<div class="flex-1 relative">
-									<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1">Key</span>
-									<Input bind:value={envVar.key} class="h-9" />
-								</div>
-								<div class="flex-1 relative">
-									<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1">Value</span>
-									<Input bind:value={envVar.value} class="h-9" />
-								</div>
-								<Button
-									type="button"
-									size="icon"
-									variant="ghost"
-									onclick={() => removeEnvVar(index)}
-									disabled={envVars.length === 1}
-									class="h-9 w-9 text-muted-foreground hover:text-destructive"
-								>
-									<Trash2 class="w-4 h-4" />
-								</Button>
-							</div>
-						{/each}
-					</div>
-				</div>
-
-				<!-- Labels -->
-				<div class="space-y-2">
-					<div class="flex justify-between items-center pb-2 border-b">
-						<h3 class="text-sm font-semibold text-foreground">Labels</h3>
-						<Button type="button" size="sm" variant="ghost" onclick={addLabel} class="h-7 text-xs">
-							<Plus class="w-3.5 h-3.5 mr-1" />
-							Add
-						</Button>
-					</div>
-
-					<div class="space-y-2">
-						{#each labels as label, index}
-							<div class="flex gap-2 items-center">
-								<div class="flex-1 relative">
-									<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1">Key</span>
-									<Input bind:value={label.key} class="h-9" />
-								</div>
-								<div class="flex-1 relative">
-									<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1">Value</span>
-									<Input bind:value={label.value} class="h-9" />
-								</div>
-								<Button
-									type="button"
-									size="icon"
-									variant="ghost"
-									onclick={() => removeLabel(index)}
-									disabled={labels.length === 1}
-									class="h-9 w-9 text-muted-foreground hover:text-destructive"
-								>
-									<Trash2 class="w-4 h-4" />
-								</Button>
-							</div>
-						{/each}
-					</div>
-				</div>
-
-				<!-- Advanced Options Header -->
-				<div class="pt-2">
-					<p class="text-xs text-muted-foreground mb-3">Advanced container options (click to expand)</p>
-				</div>
-
-				<!-- Resources Section (Collapsible) -->
-				<div class="border rounded-lg">
-					<button
-						type="button"
-						onclick={() => showResources = !showResources}
-						class="w-full flex items-center justify-between p-3 hover:bg-muted/50 transition-colors"
-					>
-						<div class="flex items-center gap-2">
-							<Cpu class="w-4 h-4 text-muted-foreground" />
-							<span class="text-sm font-medium">Resources</span>
-							{#if memoryLimit || nanoCpus || cpuShares}
-								<Badge variant="secondary" class="text-2xs">configured</Badge>
-							{/if}
-						</div>
-						{#if showResources}
-							<ChevronDown class="w-4 h-4 text-muted-foreground" />
-						{:else}
-							<ChevronRight class="w-4 h-4 text-muted-foreground" />
-						{/if}
-					</button>
-					{#if showResources}
-						<div class="px-3 pb-3 space-y-3 border-t">
-							<p class="text-xs text-muted-foreground pt-2">Configure memory and CPU limits for this container</p>
-							<div class="grid grid-cols-2 gap-3">
-								<div class="space-y-1.5">
-									<Label for="memoryLimit" class="text-xs font-medium">Memory limit</Label>
-									<Input id="memoryLimit" bind:value={memoryLimit} placeholder="e.g., 512m, 1g" class="h-9" />
-								</div>
-								<div class="space-y-1.5">
-									<Label for="memoryReservation" class="text-xs font-medium">Memory reservation</Label>
-									<Input id="memoryReservation" bind:value={memoryReservation} placeholder="e.g., 256m" class="h-9" />
-								</div>
-							</div>
-							<div class="grid grid-cols-2 gap-3">
-								<div class="space-y-1.5">
-									<Label for="nanoCpus" class="text-xs font-medium">CPU limit</Label>
-									<Input id="nanoCpus" bind:value={nanoCpus} placeholder="e.g., 0.5, 1.5, 2" class="h-9" />
-								</div>
-								<div class="space-y-1.5">
-									<Label for="cpuShares" class="text-xs font-medium">CPU shares</Label>
-									<Input id="cpuShares" bind:value={cpuShares} type="number" placeholder="1024" class="h-9" />
-								</div>
-							</div>
-						</div>
-					{/if}
-				</div>
-
-				<!-- Security Section (Collapsible) -->
-				<div class="border rounded-lg">
-					<button
-						type="button"
-						onclick={() => showSecurity = !showSecurity}
-						class="w-full flex items-center justify-between p-3 hover:bg-muted/50 transition-colors"
-					>
-						<div class="flex items-center gap-2">
-							<Shield class="w-4 h-4 text-muted-foreground" />
-							<span class="text-sm font-medium">Security</span>
-							{#if privilegedMode || containerUser || capAdd.length > 0 || capDrop.length > 0}
-								<Badge variant="secondary" class="text-2xs">configured</Badge>
-							{/if}
-						</div>
-						{#if showSecurity}
-							<ChevronDown class="w-4 h-4 text-muted-foreground" />
-						{:else}
-							<ChevronRight class="w-4 h-4 text-muted-foreground" />
-						{/if}
-					</button>
-					{#if showSecurity}
-						<div class="px-3 pb-3 space-y-3 border-t">
-							<div class="grid grid-cols-2 gap-3 pt-2">
-								<div class="space-y-1.5">
-									<Label for="containerUser" class="text-xs font-medium">User</Label>
-									<Input id="containerUser" bind:value={containerUser} placeholder="user:group or UID:GID" class="h-9" />
-								</div>
-								<div class="space-y-1.5 flex flex-col justify-center pt-4">
-									<div class="flex items-center space-x-2">
-										<Checkbox id="privilegedMode" bind:checked={privilegedMode} />
-										<Label for="privilegedMode" class="text-xs font-normal flex items-center gap-1">
-											<Lock class="w-3 h-3 text-amber-500" />
-											Privileged mode
-										</Label>
-									</div>
-								</div>
-							</div>
-
-							<div class="space-y-2">
-								<Label class="text-xs font-medium">Add capabilities</Label>
-								<Select.Root type="single" value="" onValueChange={(v) => { addCapability('add', v); }}>
-									<Select.Trigger class="h-9">
-										<span class="text-muted-foreground">Select capability to add...</span>
-									</Select.Trigger>
-									<Select.Content>
-										{#each commonCapabilities.filter(c => !capAdd.includes(c)) as cap}
-											<Select.Item value={cap} label={cap} />
-										{/each}
-									</Select.Content>
-								</Select.Root>
-								{#if capAdd.length > 0}
-									<div class="flex flex-wrap gap-1.5">
-										{#each capAdd as cap}
-											<Badge variant="outline" class="text-2xs bg-green-50 text-green-700 dark:bg-green-900/30 dark:text-green-400">
-												+{cap}
-												<button type="button" onclick={() => removeCapability('add', cap)} class="ml-1 hover:text-destructive">
-													<X class="w-3 h-3" />
-												</button>
-											</Badge>
-										{/each}
-									</div>
-								{/if}
-							</div>
-
-							<div class="space-y-2">
-								<Label class="text-xs font-medium">Drop capabilities</Label>
-								<Select.Root type="single" value="" onValueChange={(v) => { addCapability('drop', v); }}>
-									<Select.Trigger class="h-9">
-										<span class="text-muted-foreground">Select capability to drop...</span>
-									</Select.Trigger>
-									<Select.Content>
-										{#each commonCapabilities.filter(c => !capDrop.includes(c)) as cap}
-											<Select.Item value={cap} label={cap} />
-										{/each}
-									</Select.Content>
-								</Select.Root>
-								{#if capDrop.length > 0}
-									<div class="flex flex-wrap gap-1.5">
-										{#each capDrop as cap}
-											<Badge variant="outline" class="text-2xs bg-red-50 text-red-700 dark:bg-red-900/30 dark:text-red-400">
-												-{cap}
-												<button type="button" onclick={() => removeCapability('drop', cap)} class="ml-1 hover:text-destructive">
-													<X class="w-3 h-3" />
-												</button>
-											</Badge>
-										{/each}
-									</div>
-								{/if}
-							</div>
-						</div>
-					{/if}
-				</div>
-
-				<!-- Health Section (Collapsible) -->
-				<div class="border rounded-lg">
-					<button
-						type="button"
-						onclick={() => showHealth = !showHealth}
-						class="w-full flex items-center justify-between p-3 hover:bg-muted/50 transition-colors"
-					>
-						<div class="flex items-center gap-2">
-							<HeartPulse class="w-4 h-4 text-muted-foreground" />
-							<span class="text-sm font-medium">Healthcheck</span>
-							{#if healthcheckEnabled}
-								<Badge variant="secondary" class="text-2xs">enabled</Badge>
-							{/if}
-						</div>
-						{#if showHealth}
-							<ChevronDown class="w-4 h-4 text-muted-foreground" />
-						{:else}
-							<ChevronRight class="w-4 h-4 text-muted-foreground" />
-						{/if}
-					</button>
-					{#if showHealth}
-						<div class="px-3 pb-3 space-y-3 border-t">
-							<div class="flex items-center space-x-2 pt-2">
-								<Checkbox id="healthcheckEnabled" bind:checked={healthcheckEnabled} />
-								<Label for="healthcheckEnabled" class="text-xs font-normal">Enable healthcheck</Label>
-							</div>
-							{#if healthcheckEnabled}
-								<div class="space-y-1.5">
-									<Label for="healthcheckCommand" class="text-xs font-medium">Command</Label>
-									<Input id="healthcheckCommand" bind:value={healthcheckCommand} placeholder="e.g., curl -f http://localhost/ || exit 1" class="h-9" />
-								</div>
-								<div class="grid grid-cols-4 gap-3">
-									<div class="space-y-1.5">
-										<Label for="healthcheckInterval" class="text-xs font-medium">Interval (s)</Label>
-										<Input id="healthcheckInterval" type="number" bind:value={healthcheckInterval} min="1" class="h-9" />
-									</div>
-									<div class="space-y-1.5">
-										<Label for="healthcheckTimeout" class="text-xs font-medium">Timeout (s)</Label>
-										<Input id="healthcheckTimeout" type="number" bind:value={healthcheckTimeout} min="1" class="h-9" />
-									</div>
-									<div class="space-y-1.5">
-										<Label for="healthcheckRetries" class="text-xs font-medium">Retries</Label>
-										<Input id="healthcheckRetries" type="number" bind:value={healthcheckRetries} min="1" class="h-9" />
-									</div>
-									<div class="space-y-1.5">
-										<Label for="healthcheckStartPeriod" class="text-xs font-medium">Start (s)</Label>
-										<Input id="healthcheckStartPeriod" type="number" bind:value={healthcheckStartPeriod} min="0" class="h-9" />
-									</div>
-								</div>
-							{/if}
-						</div>
-					{/if}
-				</div>
-
-				<!-- DNS Section (Collapsible) -->
-				<div class="border rounded-lg">
-					<button
-						type="button"
-						onclick={() => showDns = !showDns}
-						class="w-full flex items-center justify-between p-3 hover:bg-muted/50 transition-colors"
-					>
-						<div class="flex items-center gap-2">
-							<Wifi class="w-4 h-4 text-muted-foreground" />
-							<span class="text-sm font-medium">DNS settings</span>
-							{#if dnsServers.length > 0 || dnsSearch.length > 0}
-								<Badge variant="secondary" class="text-2xs">configured</Badge>
-							{/if}
-						</div>
-						{#if showDns}
-							<ChevronDown class="w-4 h-4 text-muted-foreground" />
-						{:else}
-							<ChevronRight class="w-4 h-4 text-muted-foreground" />
-						{/if}
-					</button>
-					{#if showDns}
-						<div class="px-3 pb-3 space-y-3 border-t">
-							<div class="space-y-2 pt-2">
-								<Label class="text-xs font-medium">DNS servers</Label>
-								<div class="flex gap-2">
-									<Input
-										bind:value={dnsInput}
-										placeholder="e.g., 8.8.8.8"
-										class="h-9 flex-1"
-										onkeydown={(e) => { if (e.key === 'Enter') { e.preventDefault(); addDnsServer(); } }}
-									/>
-									<Button type="button" size="sm" variant="outline" onclick={addDnsServer} class="h-9">
-										<Plus class="w-4 h-4" />
-									</Button>
-								</div>
-								{#if dnsServers.length > 0}
-									<div class="flex flex-wrap gap-1.5">
-										{#each dnsServers as server}
-											<Badge variant="secondary" class="text-2xs">
-												{server}
-												<button type="button" onclick={() => removeDnsServer(server)} class="ml-1 hover:text-destructive">
-													<X class="w-3 h-3" />
-												</button>
-											</Badge>
-										{/each}
-									</div>
-								{/if}
-							</div>
-						</div>
-					{/if}
-				</div>
-
-				<!-- Devices Section (Collapsible) -->
-				<div class="border rounded-lg">
-					<button
-						type="button"
-						onclick={() => showDevices = !showDevices}
-						class="w-full flex items-center justify-between p-3 hover:bg-muted/50 transition-colors"
-					>
-						<div class="flex items-center gap-2">
-							<HardDrive class="w-4 h-4 text-muted-foreground" />
-							<span class="text-sm font-medium">Devices</span>
-							{#if deviceMappings.length > 0}
-								<Badge variant="secondary" class="text-2xs">{deviceMappings.length}</Badge>
-							{/if}
-						</div>
-						{#if showDevices}
-							<ChevronDown class="w-4 h-4 text-muted-foreground" />
-						{:else}
-							<ChevronRight class="w-4 h-4 text-muted-foreground" />
-						{/if}
-					</button>
-					{#if showDevices}
-						<div class="px-3 pb-3 space-y-3 border-t">
-							<div class="flex justify-end pt-2">
-								<Button type="button" size="sm" variant="ghost" onclick={addDeviceMapping} class="h-7 text-xs">
-									<Plus class="w-3.5 h-3.5 mr-1" />
-									Add device
-								</Button>
-							</div>
-							{#each deviceMappings as mapping, index}
-								<div class="flex gap-2 items-center">
-									<Input bind:value={mapping.hostPath} placeholder="/dev/sda" class="h-9 flex-1" />
-									<Input bind:value={mapping.containerPath} placeholder="/dev/sda" class="h-9 flex-1" />
-									<Button
-										type="button"
-										size="icon"
-										variant="ghost"
-										onclick={() => removeDeviceMapping(index)}
-										class="h-9 w-9 text-muted-foreground hover:text-destructive"
-									>
-										<Trash2 class="w-4 h-4" />
-									</Button>
-								</div>
-							{/each}
-						</div>
-					{/if}
-				</div>
-
-				<!-- Ulimits Section (Collapsible) -->
-				<div class="border rounded-lg">
-					<button
-						type="button"
-						onclick={() => showUlimits = !showUlimits}
-						class="w-full flex items-center justify-between p-3 hover:bg-muted/50 transition-colors"
-					>
-						<div class="flex items-center gap-2">
-							<Settings2 class="w-4 h-4 text-muted-foreground" />
-							<span class="text-sm font-medium">Ulimits</span>
-							{#if ulimits.length > 0}
-								<Badge variant="secondary" class="text-2xs">{ulimits.length}</Badge>
-							{/if}
-						</div>
-						{#if showUlimits}
-							<ChevronDown class="w-4 h-4 text-muted-foreground" />
-						{:else}
-							<ChevronRight class="w-4 h-4 text-muted-foreground" />
-						{/if}
-					</button>
-					{#if showUlimits}
-						<div class="px-3 pb-3 space-y-3 border-t">
-							<div class="flex justify-end pt-2">
-								<Button type="button" size="sm" variant="ghost" onclick={addUlimit} class="h-7 text-xs">
-									<Plus class="w-3.5 h-3.5 mr-1" />
-									Add ulimit
-								</Button>
-							</div>
-							{#each ulimits as ulimit, index}
-								<div class="flex gap-2 items-center">
-									<Select.Root type="single" bind:value={ulimit.name}>
-										<Select.Trigger class="w-32 h-9">
-											<span>{ulimit.name}</span>
-										</Select.Trigger>
-										<Select.Content>
-											{#each commonUlimits as name}
-												<Select.Item value={name} label={name} />
-											{/each}
-										</Select.Content>
-									</Select.Root>
-									<Input bind:value={ulimit.soft} type="number" placeholder="Soft" class="h-9 flex-1" />
-									<Input bind:value={ulimit.hard} type="number" placeholder="Hard" class="h-9 flex-1" />
-									<Button
-										type="button"
-										size="icon"
-										variant="ghost"
-										onclick={() => removeUlimit(index)}
-										class="h-9 w-9 text-muted-foreground hover:text-destructive"
-									>
-										<Trash2 class="w-4 h-4" />
-									</Button>
-								</div>
-							{/each}
-						</div>
-					{/if}
-				</div>
-
-				<!-- Auto-update Settings -->
-				<div class="space-y-3">
-					<div class="flex items-center gap-2 pb-2 border-b">
-						<RefreshCw class="w-4 h-4 text-muted-foreground" />
-						<h3 class="text-sm font-semibold text-foreground">Auto-update</h3>
-					</div>
-					<AutoUpdateSettings
-						bind:enabled={autoUpdateEnabled}
-						bind:cronExpression={autoUpdateCronExpression}
-						bind:vulnerabilityCriteria={vulnerabilityCriteria}
-					/>
-				</div>
-		</div>
-
-		<div class="flex justify-between gap-2 px-5 py-3 border-t bg-muted/30 shrink-0">
-			<div>
-				{#if activeTab === 'container' && hasCriticalOrHigh}
-					<div class="flex items-center gap-2 text-amber-600 text-xs">
-						<AlertTriangle class="w-4 h-4" />
-						<span>Critical/high vulnerabilities found in image</span>
-					</div>
-				{/if}
-			</div>
-			<div class="flex gap-2">
-				<Button type="button" variant="outline" onclick={handleClose} disabled={loading || isPulling || isScanning}>
-					Cancel
-				</Button>
-				<Button type="button" disabled={loading || isPulling || isScanning || activeTab !== 'container'} onclick={handleSubmit}>
-					{#if loading}
-						<Loader2 class="w-4 h-4 mr-2 animate-spin" />
-						Creating...
-					{:else}
-						<Play class="w-4 h-4 mr-2" />
-						Create container
-					{/if}
-				</Button>
-			</div>
-		</div>
-	</Dialog.Content>
-</Dialog.Root>
diff --git a/routes/containers/EditContainerModal.svelte b/routes/containers/EditContainerModal.svelte
deleted file mode 100644
index f0f41f3..0000000
--- a/routes/containers/EditContainerModal.svelte
+++ /dev/null
@@ -1,1299 +0,0 @@
-<script lang="ts">
-	import * as Dialog from '$lib/components/ui/dialog';
-	import * as Select from '$lib/components/ui/select';
-	import { Label } from '$lib/components/ui/label';
-	import { Input } from '$lib/components/ui/input';
-	import { Button } from '$lib/components/ui/button';
-	import { Checkbox } from '$lib/components/ui/checkbox';
-	import { Plus, Trash2, Settings2, RefreshCw, Network, X, Ban, RotateCw, AlertTriangle, PauseCircle, Share2, Server, CircleOff, Pencil, Check, Loader2, CircleArrowUp, Info, Layers } from 'lucide-svelte';
-	import { TogglePill } from '$lib/components/ui/toggle-pill';
-	import { Badge } from '$lib/components/ui/badge';
-	import { onMount } from 'svelte';
-	import { currentEnvironment, appendEnvParam } from '$lib/stores/environment';
-	import { focusFirstInput } from '$lib/utils';
-	import AutoUpdateSettings from './AutoUpdateSettings.svelte';
-
-	// Parse shell command respecting quotes
-	function parseShellCommand(cmd: string): string[] {
-		const args: string[] = [];
-		let current = '';
-		let inQuotes = false;
-		let quoteChar = '';
-
-		for (let i = 0; i < cmd.length; i++) {
-			const char = cmd[i];
-
-			if ((char === '"' || char === "'") && !inQuotes) {
-				inQuotes = true;
-				quoteChar = char;
-			} else if (char === quoteChar && inQuotes) {
-				inQuotes = false;
-				quoteChar = '';
-			} else if (char === ' ' && !inQuotes) {
-				if (current) {
-					args.push(current);
-					current = '';
-				}
-			} else {
-				current += char;
-			}
-		}
-
-		if (current) {
-			args.push(current);
-		}
-
-		return args;
-	}
-
-	interface ConfigSet {
-		id: number;
-		name: string;
-		description?: string;
-		env_vars?: { key: string; value: string }[];
-		labels?: { key: string; value: string }[];
-		ports?: { hostPort: string; containerPort: string; protocol: string }[];
-		volumes?: { hostPath: string; containerPath: string; mode: string }[];
-		network_mode: string;
-		restart_policy: string;
-	}
-
-	interface Props {
-		open: boolean;
-		containerId: string;
-		onClose: () => void;
-		onSuccess: () => void;
-	}
-
-	let { open = $bindable(), containerId, onClose, onSuccess }: Props = $props();
-
-	// Config sets
-	let configSets = $state<ConfigSet[]>([]);
-	let selectedConfigSetId = $state<string>('');
-
-	async function fetchConfigSets() {
-		try {
-			const response = await fetch('/api/config-sets');
-			if (response.ok) {
-				configSets = await response.json();
-			}
-		} catch (err) {
-			console.error('Failed to fetch config sets:', err);
-		}
-	}
-
-	function applyConfigSet(configSetId: string) {
-		selectedConfigSetId = configSetId;
-		if (!configSetId) return;
-
-		const configSet = configSets.find((c) => c.id === parseInt(configSetId));
-		if (!configSet) return;
-
-		// Apply env vars (merge with existing)
-		if (configSet.env_vars && configSet.env_vars.length > 0) {
-			const existingKeys = new Set(envVars.map(e => e.key).filter(k => k));
-			const newEnvVars = configSet.env_vars.filter(e => !existingKeys.has(e.key));
-			envVars = [...envVars.filter(e => e.key), ...newEnvVars.map(e => ({ ...e }))];
-			if (envVars.length === 0) envVars = [{ key: '', value: '' }];
-		}
-
-		// Apply labels (merge with existing)
-		if (configSet.labels && configSet.labels.length > 0) {
-			const existingKeys = new Set(labels.map(l => l.key).filter(k => k));
-			const newLabels = configSet.labels.filter(l => !existingKeys.has(l.key));
-			labels = [...labels.filter(l => l.key), ...newLabels.map(l => ({ ...l }))];
-			if (labels.length === 0) labels = [{ key: '', value: '' }];
-		}
-
-		// Apply ports (merge with existing)
-		if (configSet.ports && configSet.ports.length > 0) {
-			const existingPorts = new Set(portMappings.map(p => `${p.hostPort}:${p.containerPort}`).filter(p => p !== ':'));
-			const newPorts = configSet.ports.filter(p => !existingPorts.has(`${p.hostPort}:${p.containerPort}`));
-			portMappings = [...portMappings.filter(p => p.hostPort || p.containerPort), ...newPorts.map(p => ({ ...p }))];
-			if (portMappings.length === 0) portMappings = [{ hostPort: '', containerPort: '', protocol: 'tcp' }];
-		}
-
-		// Apply volumes (merge with existing)
-		if (configSet.volumes && configSet.volumes.length > 0) {
-			const existingPaths = new Set(volumeMappings.map(v => v.containerPath).filter(p => p));
-			const newVolumes = configSet.volumes.filter(v => !existingPaths.has(v.containerPath));
-			volumeMappings = [...volumeMappings.filter(v => v.hostPath || v.containerPath), ...newVolumes.map(v => ({ ...v }))];
-			if (volumeMappings.length === 0) volumeMappings = [{ hostPath: '', containerPath: '', mode: 'rw' }];
-		}
-
-		// Apply network mode
-		if (configSet.network_mode) {
-			networkMode = configSet.network_mode;
-		}
-
-		// Apply restart policy
-		if (configSet.restart_policy) {
-			restartPolicy = configSet.restart_policy;
-		}
-	}
-
-	// Form state
-	let name = $state('');
-	let image = $state('');
-	let command = $state('');
-	let restartPolicy = $state('no');
-	let networkMode = $state('bridge');
-	let startAfterUpdate = $state(true);
-
-	// Port mappings
-	let portMappings = $state<{ hostPort: string; containerPort: string; protocol: string }[]>([
-		{ hostPort: '', containerPort: '', protocol: 'tcp' }
-	]);
-
-	// Volume mappings
-	let volumeMappings = $state<{ hostPath: string; containerPath: string; mode: string }[]>([
-		{ hostPath: '', containerPath: '', mode: 'rw' }
-	]);
-
-	// Environment variables
-	let envVars = $state<{ key: string; value: string }[]>([{ key: '', value: '' }]);
-
-	// Labels
-	let labels = $state<{ key: string; value: string }[]>([{ key: '', value: '' }]);
-
-	// Networks
-	interface DockerNetwork {
-		id: string;
-		name: string;
-		driver: string;
-	}
-	let availableNetworks = $state<DockerNetwork[]>([]);
-	let selectedNetworks = $state<string[]>([]);
-
-	// Auto-update settings
-	let autoUpdateEnabled = $state(false);
-	let autoUpdateCronExpression = $state('0 3 * * *');
-	let vulnerabilityCriteria = $state<string>('never');
-	let envHasScanning = $state(false);
-	let currentEnvId = $state<number | null>(null);
-	currentEnvironment.subscribe(env => currentEnvId = env?.id || null);
-
-	// Track original values to detect changes
-	let originalConfig = $state<{
-		name: string;
-		image: string;
-		command: string;
-		restartPolicy: string;
-		networkMode: string;
-		portMappings: typeof portMappings;
-		volumeMappings: typeof volumeMappings;
-		envVars: typeof envVars;
-		labels: typeof labels;
-		selectedNetworks: string[];
-	} | null>(null);
-
-	// Compose container detection
-	let isComposeContainer = $state(false);
-	let composeStackName = $state('');
-
-	let originalAutoUpdate = $state<{
-		enabled: boolean;
-		cronExpression: string;
-		vulnerabilityCriteria: string;
-	} | null>(null);
-
-	let loading = $state(false);
-	let loadingData = $state(true);
-	let error = $state('');
-	let statusMessage = $state('');
-	let visible = $state(false);
-
-	// Field-specific errors for inline validation
-	let errors = $state<{ name?: string; image?: string }>({});
-
-	// Inline rename state (for title bar)
-	let isEditingTitle = $state(false);
-	let editTitleName = $state('');
-	let renamingTitle = $state(false);
-
-	async function fetchNetworks() {
-		try {
-			const envParam = currentEnvId ? `?env=${currentEnvId}` : '';
-			const response = await fetch(`/api/networks${envParam}`);
-			if (response.ok) {
-				availableNetworks = await response.json();
-			}
-		} catch (err) {
-			console.error('Failed to fetch networks:', err);
-		}
-	}
-
-	// Inline title rename functions
-	let titleInputRef: HTMLInputElement | null = null;
-
-	function startEditingTitle() {
-		editTitleName = name;
-		isEditingTitle = true;
-		// Focus after DOM updates
-		setTimeout(() => {
-			titleInputRef?.focus();
-			titleInputRef?.select();
-		}, 0);
-	}
-
-	function cancelEditingTitle() {
-		isEditingTitle = false;
-		editTitleName = '';
-	}
-
-	function saveEditingTitle() {
-		if (!editTitleName.trim() || editTitleName === name) {
-			cancelEditingTitle();
-			return;
-		}
-		// Just update the local name state - the actual rename happens on form submit
-		name = editTitleName.trim();
-		isEditingTitle = false;
-	}
-
-	async function checkScannerSettings() {
-		if (!currentEnvId) {
-			envHasScanning = false;
-			return;
-		}
-		try {
-			const response = await fetch(`/api/settings/scanner?env=${currentEnvId}&settingsOnly=true`);
-			if (response.ok) {
-				const data = await response.json();
-				// Scanner settings are nested under 'settings' key
-				const settings = data.settings || data;
-				envHasScanning = settings.scanner !== 'none';
-			}
-		} catch (err) {
-			console.error('Failed to check scanner settings:', err);
-			envHasScanning = false;
-		}
-	}
-
-	async function fetchAutoUpdateSettings(containerName: string) {
-		try {
-			const envParam = currentEnvId ? `?env=${currentEnvId}` : '';
-			const [autoUpdateResponse] = await Promise.all([
-				fetch(`/api/auto-update/${encodeURIComponent(containerName)}${envParam}`),
-				checkScannerSettings()
-			]);
-			if (autoUpdateResponse.ok) {
-				const data = await autoUpdateResponse.json();
-				autoUpdateEnabled = data.enabled || false;
-				autoUpdateCronExpression = data.cronExpression || '0 3 * * *';
-				vulnerabilityCriteria = data.vulnerabilityCriteria || 'never';
-				// Store original auto-update settings
-				originalAutoUpdate = {
-					enabled: autoUpdateEnabled,
-					cronExpression: autoUpdateCronExpression,
-					vulnerabilityCriteria: vulnerabilityCriteria
-				};
-			}
-		} catch (err) {
-			console.error('Failed to fetch auto-update settings:', err);
-		}
-	}
-
-	async function saveAutoUpdateSettings(containerName: string) {
-		try {
-			const envParam = currentEnvId ? `?env=${currentEnvId}` : '';
-			await fetch(`/api/auto-update/${encodeURIComponent(containerName)}${envParam}`, {
-				method: 'POST',
-				headers: { 'Content-Type': 'application/json' },
-				body: JSON.stringify({
-					enabled: autoUpdateEnabled,
-					cronExpression: autoUpdateCronExpression,
-					vulnerabilityCriteria: vulnerabilityCriteria
-				})
-			});
-		} catch (err) {
-			console.error('Failed to save auto-update settings:', err);
-		}
-	}
-
-	async function loadContainerData() {
-		loadingData = true;
-		try {
-			const response = await fetch(appendEnvParam(`/api/containers/${containerId}`, $currentEnvironment?.id));
-			const data = await response.json();
-
-			// Check if API returned an error
-			if (!response.ok || data.error) {
-				throw new Error(data.error || `Failed to fetch container: ${response.status}`);
-			}
-
-			// Parse container data
-			name = data.Name.replace(/^\//, '');
-			image = data.Config.Image;
-			// Preserve command by quoting arguments that contain spaces
-			command = data.Config.Cmd ? data.Config.Cmd.map((arg: string) =>
-				arg.includes(' ') ? `"${arg}"` : arg
-			).join(' ') : '';
-			restartPolicy = data.HostConfig.RestartPolicy?.Name || 'no';
-
-			// Normalize network mode - Docker returns custom network names as NetworkMode
-			// but we only support bridge/host/none in the dropdown
-			const rawNetworkMode = data.HostConfig.NetworkMode || 'bridge';
-			if (['bridge', 'host', 'none', 'default'].includes(rawNetworkMode)) {
-				networkMode = rawNetworkMode === 'default' ? 'bridge' : rawNetworkMode;
-			} else {
-				// Custom network - default to bridge mode (container is already connected via Networks)
-				networkMode = 'bridge';
-			}
-
-			// Parse port mappings
-			const ports = data.HostConfig.PortBindings || {};
-			portMappings = Object.keys(ports).length > 0
-				? Object.entries(ports).map(([containerPort, bindings]: [string, any]) => {
-						const [port, protocol] = containerPort.split('/');
-						return {
-							containerPort: port,
-							hostPort: bindings[0]?.HostPort || '',
-							protocol: protocol || 'tcp'
-						};
-				  })
-				: [{ hostPort: '', containerPort: '', protocol: 'tcp' }];
-
-			// Parse volume mappings
-			const binds = data.HostConfig.Binds || [];
-			volumeMappings = binds.length > 0
-				? binds.map((bind: string) => {
-						const [hostPath, containerPath, mode] = bind.split(':');
-						return {
-							hostPath,
-							containerPath,
-							mode: mode || 'rw'
-						};
-				  })
-				: [{ hostPath: '', containerPath: '', mode: 'rw' }];
-
-			// Parse environment variables
-			const env = data.Config.Env || [];
-			envVars = env.length > 0
-				? env
-						.filter((e: string) => !e.startsWith('PATH='))
-						.map((e: string) => {
-							const [key, ...valueParts] = e.split('=');
-							return { key, value: valueParts.join('=') };
-						})
-				: [{ key: '', value: '' }];
-
-			// Parse labels
-			const containerLabels = data.Config.Labels || {};
-			const labelEntries = Object.entries(containerLabels).filter(
-				([key]) => !key.startsWith('com.docker.')
-			);
-			labels = labelEntries.length > 0
-				? labelEntries.map(([key, value]) => ({ key, value: String(value) }))
-				: [{ key: '', value: '' }];
-
-			// Detect if container belongs to a compose stack
-			const composeProject = containerLabels['com.docker.compose.project'];
-			if (composeProject) {
-				isComposeContainer = true;
-				composeStackName = composeProject;
-			} else {
-				isComposeContainer = false;
-				composeStackName = '';
-			}
-
-			// Parse connected networks
-			const networks = data.NetworkSettings?.Networks || {};
-			selectedNetworks = Object.keys(networks);
-
-			// Fetch available networks and auto-update settings
-			await fetchNetworks();
-			await fetchAutoUpdateSettings(name);
-
-			// Store original config for change detection
-			originalConfig = {
-				name,
-				image,
-				command,
-				restartPolicy,
-				networkMode,
-				portMappings: JSON.parse(JSON.stringify(portMappings)),
-				volumeMappings: JSON.parse(JSON.stringify(volumeMappings)),
-				envVars: JSON.parse(JSON.stringify(envVars)),
-				labels: JSON.parse(JSON.stringify(labels)),
-				selectedNetworks: [...selectedNetworks]
-			};
-		} catch (err) {
-			error = 'Failed to load container data: ' + String(err);
-		} finally {
-			loadingData = false;
-			// Show dialog after data is loaded and a frame to let it render
-			requestAnimationFrame(() => {
-				visible = true;
-				// Focus first input after form renders
-				focusFirstInput();
-			});
-		}
-	}
-
-	function addPortMapping() {
-		portMappings = [...portMappings, { hostPort: '', containerPort: '', protocol: 'tcp' }];
-	}
-
-	function removePortMapping(index: number) {
-		portMappings = portMappings.filter((_, i) => i !== index);
-	}
-
-	function addVolumeMapping() {
-		volumeMappings = [...volumeMappings, { hostPath: '', containerPath: '', mode: 'rw' }];
-	}
-
-	function removeVolumeMapping(index: number) {
-		volumeMappings = volumeMappings.filter((_, i) => i !== index);
-	}
-
-	function addEnvVar() {
-		envVars = [...envVars, { key: '', value: '' }];
-	}
-
-	function removeEnvVar(index: number) {
-		envVars = envVars.filter((_, i) => i !== index);
-	}
-
-	function addLabel() {
-		labels = [...labels, { key: '', value: '' }];
-	}
-
-	function removeLabel(index: number) {
-		labels = labels.filter((_, i) => i !== index);
-	}
-
-	function addNetwork(networkId: string) {
-		if (networkId && !selectedNetworks.includes(networkId)) {
-			selectedNetworks = [...selectedNetworks, networkId];
-		}
-	}
-
-	function removeNetwork(networkId: string) {
-		selectedNetworks = selectedNetworks.filter((n) => n !== networkId);
-	}
-
-	function getDriverBadgeClasses(driver: string): string {
-		const base = 'text-2xs px-1.5 py-0.5 rounded font-medium';
-		switch (driver.toLowerCase()) {
-			case 'bridge':
-				return `${base} bg-emerald-100 text-emerald-700 dark:bg-emerald-900/50 dark:text-emerald-300`;
-			case 'host':
-				return `${base} bg-sky-100 text-sky-700 dark:bg-sky-900/50 dark:text-sky-300`;
-			case 'null':
-			case 'none':
-				return `${base} bg-slate-100 text-slate-600 dark:bg-slate-800 dark:text-slate-400`;
-			case 'overlay':
-				return `${base} bg-violet-100 text-violet-700 dark:bg-violet-900/50 dark:text-violet-300`;
-			case 'macvlan':
-				return `${base} bg-amber-100 text-amber-700 dark:bg-amber-900/50 dark:text-amber-300`;
-			default:
-				return `${base} bg-slate-100 text-slate-600 dark:bg-slate-800 dark:text-slate-400`;
-		}
-	}
-
-	// Check if container configuration has changed
-	function hasContainerConfigChanged(): boolean {
-		if (!originalConfig) return true;
-
-		// Compare simple fields
-		if (name.trim() !== originalConfig.name) return true;
-		if (image.trim() !== originalConfig.image) return true;
-		if (command.trim() !== originalConfig.command) return true;
-		if (restartPolicy !== originalConfig.restartPolicy) return true;
-		if (networkMode !== originalConfig.networkMode) return true;
-
-		// Compare arrays (filter out empty entries for comparison)
-		const currentPorts = portMappings.filter(p => p.containerPort && p.hostPort);
-		const originalPorts = originalConfig.portMappings.filter(p => p.containerPort && p.hostPort);
-		if (JSON.stringify(currentPorts) !== JSON.stringify(originalPorts)) return true;
-
-		const currentVolumes = volumeMappings.filter(v => v.hostPath && v.containerPath);
-		const originalVolumes = originalConfig.volumeMappings.filter(v => v.hostPath && v.containerPath);
-		if (JSON.stringify(currentVolumes) !== JSON.stringify(originalVolumes)) return true;
-
-		const currentEnvs = envVars.filter(e => e.key);
-		const originalEnvs = originalConfig.envVars.filter(e => e.key);
-		if (JSON.stringify(currentEnvs) !== JSON.stringify(originalEnvs)) return true;
-
-		const currentLabels = labels.filter(l => l.key);
-		const originalLabels = originalConfig.labels.filter(l => l.key);
-		if (JSON.stringify(currentLabels) !== JSON.stringify(originalLabels)) return true;
-
-		// Compare networks
-		if (JSON.stringify([...selectedNetworks].sort()) !== JSON.stringify([...originalConfig.selectedNetworks].sort())) return true;
-
-		return false;
-	}
-
-	// Check if auto-update settings have changed
-	function hasAutoUpdateChanged(): boolean {
-		if (!originalAutoUpdate) return true;
-		return (
-			autoUpdateEnabled !== originalAutoUpdate.enabled ||
-			autoUpdateCronExpression !== originalAutoUpdate.cronExpression ||
-			vulnerabilityCriteria !== originalAutoUpdate.vulnerabilityCriteria
-		);
-	}
-
-	// Serialize current form state for comparison (excluding name for rename detection)
-	function serializeConfigWithoutName() {
-		return JSON.stringify({
-			image: image.trim(),
-			command: command.trim(),
-			restartPolicy,
-			networkMode,
-			portMappings: portMappings.filter(p => p.containerPort && p.hostPort),
-			volumeMappings: volumeMappings.filter(v => v.hostPath && v.containerPath),
-			envVars: envVars.filter(e => e.key),
-			labels: labels.filter(l => l.key),
-			selectedNetworks: [...selectedNetworks].sort()
-		});
-	}
-
-	// Serialize original config without name
-	function serializeOriginalConfigWithoutName() {
-		if (!originalConfig) return null;
-		return JSON.stringify({
-			image: originalConfig.image,
-			command: originalConfig.command,
-			restartPolicy: originalConfig.restartPolicy,
-			networkMode: originalConfig.networkMode,
-			portMappings: originalConfig.portMappings.filter(p => p.containerPort && p.hostPort),
-			volumeMappings: originalConfig.volumeMappings.filter(v => v.hostPath && v.containerPath),
-			envVars: originalConfig.envVars.filter(e => e.key),
-			labels: originalConfig.labels.filter(l => l.key),
-			selectedNetworks: [...originalConfig.selectedNetworks].sort()
-		});
-	}
-
-	// Check if ONLY the container name changed (no other config)
-	function hasOnlyNameChanged(): boolean {
-		if (!originalConfig) return false;
-		if (name.trim() === originalConfig.name) return false; // Name didn't change
-
-		// Compare everything except name
-		return serializeConfigWithoutName() === serializeOriginalConfigWithoutName();
-	}
-
-	// Check if config changes other than name occurred
-	function hasConfigChangedBesidesName(): boolean {
-		if (!originalConfig) return false;
-		return serializeConfigWithoutName() !== serializeOriginalConfigWithoutName();
-	}
-
-	// Derived state for warnings
-	let showComposeRenameWarning = $derived(isComposeContainer && hasOnlyNameChanged());
-	let showComposeConfigWarning = $derived(isComposeContainer && hasConfigChangedBesidesName());
-
-	async function handleSubmit(e: Event) {
-		e.preventDefault();
-		error = '';
-		errors = {};
-		statusMessage = '';
-
-		// Validate required fields
-		let hasErrors = false;
-		if (!name.trim()) {
-			errors.name = 'Container name is required';
-			hasErrors = true;
-		}
-
-		if (!image.trim()) {
-			errors.image = 'Image name is required';
-			hasErrors = true;
-		}
-
-		if (hasErrors) {
-			return;
-		}
-
-		loading = true;
-
-		const containerConfigChanged = hasContainerConfigChanged();
-		const autoUpdateChanged = hasAutoUpdateChanged();
-
-		// If nothing changed, just close
-		if (!containerConfigChanged && !autoUpdateChanged) {
-			onClose();
-			loading = false;
-			return;
-		}
-
-		try {
-			// If only name changed, use the rename endpoint (preserves labels, no restart)
-			if (hasOnlyNameChanged()) {
-				statusMessage = 'Renaming container...';
-
-				const response = await fetch(appendEnvParam(
-					`/api/containers/${containerId}/rename`,
-					$currentEnvironment?.id
-				), {
-					method: 'POST',
-					headers: { 'Content-Type': 'application/json' },
-					body: JSON.stringify({ name: name.trim() })
-				});
-
-				const result = await response.json();
-
-				if (!response.ok) {
-					error = result.error || 'Failed to rename container';
-					loading = false;
-					return;
-				}
-
-				statusMessage = 'Container renamed successfully!';
-
-				// Save auto-update settings if changed (use new name)
-				if (autoUpdateChanged) {
-					await saveAutoUpdateSettings(name.trim());
-				}
-
-				await new Promise(resolve => setTimeout(resolve, 500));
-				onSuccess();
-				onClose();
-				loading = false;
-				return;
-			}
-
-			// Full update required - recreate container
-			if (containerConfigChanged) {
-				statusMessage = 'Updating container...';
-
-				// Build ports object
-				const ports: any = {};
-				portMappings
-					.filter((p) => p.containerPort && p.hostPort)
-					.forEach((p) => {
-						const key = `${p.containerPort}/${p.protocol}`;
-						ports[key] = { HostPort: String(p.hostPort) };
-					});
-
-				// Build volume binds
-				const volumeBinds = volumeMappings
-					.filter((v) => v.hostPath && v.containerPath)
-					.map((v) => `${v.hostPath}:${v.containerPath}:${v.mode}`);
-
-				// Build env array
-				const env = envVars
-					.filter((e) => e.key && e.value)
-					.map((e) => `${e.key}=${e.value}`);
-
-				// Build labels object
-				const labelsObj: any = {};
-				labels
-					.filter((l) => l.key && l.value)
-					.forEach((l) => {
-						labelsObj[l.key] = l.value;
-					});
-
-				// Build command array - parse shell command properly respecting quotes
-				const cmd = command.trim() ? parseShellCommand(command.trim()) : undefined;
-
-				const payload = {
-					name: name.trim(),
-					image: image.trim(),
-					ports: Object.keys(ports).length > 0 ? ports : undefined,
-					volumeBinds: volumeBinds.length > 0 ? volumeBinds : undefined,
-					env: env.length > 0 ? env : undefined,
-					labels: Object.keys(labelsObj).length > 0 ? labelsObj : undefined,
-					cmd,
-					restartPolicy,
-					networkMode,
-					networks: selectedNetworks.length > 0 ? selectedNetworks : undefined,
-					startAfterUpdate
-				};
-
-				const response = await fetch(appendEnvParam(`/api/containers/${containerId}/update`, $currentEnvironment?.id), {
-					method: 'POST',
-					headers: { 'Content-Type': 'application/json' },
-					body: JSON.stringify(payload)
-				});
-
-				const result = await response.json();
-
-				if (!response.ok) {
-					error = result.error || 'Failed to update container';
-					if (result.details) {
-						error += ': ' + result.details;
-					}
-					return;
-				}
-
-				statusMessage = 'Container updated successfully!';
-			}
-
-			// Save auto-update settings if changed
-			if (autoUpdateChanged) {
-				if (!containerConfigChanged) {
-					statusMessage = 'Saving auto-update settings...';
-				}
-				await saveAutoUpdateSettings(name.trim());
-				if (!containerConfigChanged) {
-					statusMessage = 'Auto-update settings saved!';
-				}
-			}
-
-			// Brief delay to show success message
-			await new Promise(resolve => setTimeout(resolve, 500));
-
-			onSuccess();
-			onClose();
-		} catch (err) {
-			error = 'Failed to update container: ' + String(err);
-		} finally {
-			loading = false;
-		}
-	}
-
-	function handleClose() {
-		onClose();
-	}
-
-	$effect(() => {
-		if (open && containerId) {
-			visible = false;
-			loadingData = true;
-			statusMessage = '';
-			error = '';
-			loadContainerData();
-			fetchConfigSets();
-			selectedConfigSetId = '';
-		} else if (!open) {
-			// Reset states when closed
-			loadingData = true;
-			visible = false;
-		}
-	});
-</script>
-
-<Dialog.Root bind:open onOpenChange={(isOpen) => isOpen && focusFirstInput()}>
-	<Dialog.Content class="max-w-4xl w-[56rem] max-h-[90vh] p-0 flex flex-col overflow-hidden" style="min-height: 85vh; height: 85vh;">
-		<Dialog.Header class="px-5 py-4 border-b bg-muted/30 shrink-0 sticky top-0 z-10">
-			<Dialog.Title class="text-base font-semibold flex items-center gap-1">
-				Edit container
-				{#if isEditingTitle}
-					<span class="ml-1">-</span>
-					<input
-						type="text"
-						bind:value={editTitleName}
-						bind:this={titleInputRef}
-						class="text-muted-foreground font-normal bg-muted border border-input rounded px-2 py-0.5 text-sm outline-none focus:ring-1 focus:ring-ring"
-						onkeydown={(e) => {
-							if (e.key === 'Enter') saveEditingTitle();
-							if (e.key === 'Escape') cancelEditingTitle();
-						}}
-					/>
-					<button
-						type="button"
-						onclick={saveEditingTitle}
-						title="Save"
-						class="p-0.5 rounded hover:bg-muted transition-colors"
-					>
-						<Check class="w-3 h-3 text-green-500 hover:text-green-600" />
-					</button>
-					<button
-						type="button"
-						onclick={cancelEditingTitle}
-						title="Cancel"
-						class="p-0.5 rounded hover:bg-muted transition-colors"
-					>
-						<X class="w-3 h-3 text-muted-foreground hover:text-foreground" />
-					</button>
-				{:else if name}
-					<span class="font-normal text-muted-foreground ml-1">- {name}</span>
-					<button
-						type="button"
-						onclick={startEditingTitle}
-						title="Rename container"
-						class="p-0.5 rounded hover:bg-muted transition-colors ml-0.5"
-					>
-						<Pencil class="w-3 h-3 text-muted-foreground hover:text-foreground" />
-					</button>
-				{/if}
-			</Dialog.Title>
-		</Dialog.Header>
-
-		{#if loadingData}
-			<div class="flex-1 flex items-center justify-center text-muted-foreground text-sm" style="min-height: calc(85vh - 120px);">
-				<Loader2 class="w-5 h-5 animate-spin mr-2" />
-				Loading container data...
-			</div>
-		{:else}
-			<div class="px-5 py-4 space-y-5 flex-1 overflow-y-auto">
-				<!-- Config Set Selector -->
-				{#if configSets.length > 0}
-					<div class="space-y-2">
-						<div class="flex items-center gap-2 pb-2 border-b">
-							<Settings2 class="w-4 h-4 text-muted-foreground" />
-							<h3 class="text-sm font-semibold text-foreground">Apply config set</h3>
-						</div>
-						<div class="flex gap-2 items-end">
-							<div class="flex-1">
-								<Select.Root type="single" value={selectedConfigSetId} onValueChange={applyConfigSet}>
-									<Select.Trigger class="w-full h-9">
-										<span>{selectedConfigSetId ? configSets.find(c => c.id === parseInt(selectedConfigSetId))?.name : 'Select a config set to merge values...'}</span>
-									</Select.Trigger>
-									<Select.Content>
-										{#each configSets as configSet}
-											<Select.Item value={String(configSet.id)} label={configSet.name}>
-												<div class="flex flex-col">
-													<span>{configSet.name}</span>
-													{#if configSet.description}
-														<span class="text-xs text-muted-foreground">{configSet.description}</span>
-													{/if}
-												</div>
-											</Select.Item>
-										{/each}
-									</Select.Content>
-								</Select.Root>
-							</div>
-						</div>
-						{#if selectedConfigSetId}
-							{@const selectedSet = configSets.find(c => c.id === parseInt(selectedConfigSetId))}
-							{#if selectedSet?.description}
-								<p class="text-xs text-muted-foreground">{selectedSet.description}</p>
-							{/if}
-						{/if}
-						<p class="text-xs text-muted-foreground">Note: Values from the config set will be merged with existing settings. Existing keys won't be overwritten.</p>
-					</div>
-				{/if}
-
-				<!-- Compose Container Warnings -->
-				{#if showComposeConfigWarning}
-					<div class="bg-destructive/10 border border-destructive/30 rounded-lg p-3 flex items-start gap-3">
-						<AlertTriangle class="w-5 h-5 text-destructive shrink-0 mt-0.5" />
-						<div class="text-sm">
-							<p class="font-medium text-destructive">
-								This container belongs to stack "{composeStackName}"
-							</p>
-							<p class="text-muted-foreground mt-1">
-								Modifying settings will remove this container from the stack. The container will be recreated and lose its stack association. To avoid this, edit the stack's compose file instead.
-							</p>
-						</div>
-					</div>
-				{:else if showComposeRenameWarning}
-					<div class="bg-sky-500/10 border border-sky-500/30 rounded-lg p-3 flex items-start gap-3">
-						<Info class="w-5 h-5 text-sky-500 shrink-0 mt-0.5" />
-						<div class="text-sm">
-							<p class="font-medium text-sky-600 dark:text-sky-400">
-								Renaming container from stack "{composeStackName}"
-							</p>
-							<p class="text-muted-foreground mt-1">
-								The container will stay in the stack, but the compose file will be out of sync. Running <code class="text-xs bg-muted px-1 py-0.5 rounded">docker compose up</code> may recreate it with the original name.
-							</p>
-						</div>
-					</div>
-				{:else if isComposeContainer}
-					<div class="bg-muted/50 border rounded-lg p-3 flex items-start gap-3">
-						<Layers class="w-5 h-5 text-muted-foreground shrink-0 mt-0.5" />
-						<div class="text-sm">
-							<p class="font-medium text-foreground">
-								Stack container: {composeStackName}
-							</p>
-							<p class="text-muted-foreground mt-1">
-								This container is managed by a Docker Compose stack.
-							</p>
-						</div>
-					</div>
-				{/if}
-
-				<!-- Basic Settings -->
-				<div class="space-y-3">
-					<div class="flex items-center gap-2 pb-2 border-b">
-						<h3 class="text-sm font-semibold text-foreground">Basic settings</h3>
-					</div>
-
-					<div class="grid grid-cols-2 gap-3">
-						<div class="space-y-1.5">
-							<Label for="name" class="text-xs font-medium">Container name *</Label>
-							<Input
-								id="name"
-								bind:value={name}
-								placeholder="my-container"
-								required
-								class="h-9 {errors.name ? 'border-destructive focus-visible:ring-destructive' : ''}"
-								oninput={() => errors.name = undefined}
-							/>
-							{#if errors.name}
-								<p class="text-xs text-destructive">{errors.name}</p>
-							{/if}
-						</div>
-						<div class="space-y-1.5">
-							<Label for="image" class="text-xs font-medium">Image *</Label>
-							<Input
-								id="image"
-								bind:value={image}
-								placeholder="nginx:latest"
-								required
-								class="h-9 {errors.image ? 'border-destructive focus-visible:ring-destructive' : ''}"
-								oninput={() => errors.image = undefined}
-							/>
-							{#if errors.image}
-								<p class="text-xs text-destructive">{errors.image}</p>
-							{/if}
-						</div>
-					</div>
-
-					<div class="space-y-1.5">
-						<Label for="command" class="text-xs font-medium">Command (optional)</Label>
-						<Input id="command" bind:value={command} placeholder="/bin/sh -c 'echo hello'" class="h-9" />
-					</div>
-
-					<div class="grid grid-cols-2 gap-3">
-						<div class="space-y-1.5">
-							<Label for="restartPolicy" class="text-xs font-medium">Restart policy</Label>
-							<Select.Root type="single" bind:value={restartPolicy}>
-								<Select.Trigger class="w-full h-9">
-									<span class="flex items-center">
-										{#if restartPolicy === 'no'}
-											<Ban class="w-3.5 h-3.5 mr-2 text-muted-foreground" />
-										{:else if restartPolicy === 'always'}
-											<RotateCw class="w-3.5 h-3.5 mr-2 text-green-500" />
-										{:else if restartPolicy === 'on-failure'}
-											<AlertTriangle class="w-3.5 h-3.5 mr-2 text-amber-500" />
-										{:else}
-											<PauseCircle class="w-3.5 h-3.5 mr-2 text-blue-500" />
-										{/if}
-										{restartPolicy === 'no' ? 'No' : restartPolicy === 'always' ? 'Always' : restartPolicy === 'on-failure' ? 'On failure' : 'Unless stopped'}
-									</span>
-								</Select.Trigger>
-								<Select.Content>
-									<Select.Item value="no">
-										{#snippet children()}
-											<Ban class="w-3.5 h-3.5 mr-2 text-muted-foreground" />
-											No
-										{/snippet}
-									</Select.Item>
-									<Select.Item value="always">
-										{#snippet children()}
-											<RotateCw class="w-3.5 h-3.5 mr-2 text-green-500" />
-											Always
-										{/snippet}
-									</Select.Item>
-									<Select.Item value="on-failure">
-										{#snippet children()}
-											<AlertTriangle class="w-3.5 h-3.5 mr-2 text-amber-500" />
-											On failure
-										{/snippet}
-									</Select.Item>
-									<Select.Item value="unless-stopped">
-										{#snippet children()}
-											<PauseCircle class="w-3.5 h-3.5 mr-2 text-blue-500" />
-											Unless stopped
-										{/snippet}
-									</Select.Item>
-								</Select.Content>
-							</Select.Root>
-						</div>
-
-						<div class="space-y-1.5">
-							<Label for="networkMode" class="text-xs font-medium">Network mode</Label>
-							<Select.Root type="single" bind:value={networkMode}>
-								<Select.Trigger class="w-full h-9">
-									<span class="flex items-center">
-										{#if networkMode === 'bridge'}
-											<Share2 class="w-3.5 h-3.5 mr-2 text-emerald-500" />
-										{:else if networkMode === 'host'}
-											<Server class="w-3.5 h-3.5 mr-2 text-sky-500" />
-										{:else}
-											<CircleOff class="w-3.5 h-3.5 mr-2 text-muted-foreground" />
-										{/if}
-										{networkMode === 'bridge' ? 'Bridge' : networkMode === 'host' ? 'Host' : 'None'}
-									</span>
-								</Select.Trigger>
-								<Select.Content>
-									<Select.Item value="bridge">
-										{#snippet children()}
-											<Share2 class="w-3.5 h-3.5 mr-2 text-emerald-500" />
-											Bridge
-										{/snippet}
-									</Select.Item>
-									<Select.Item value="host">
-										{#snippet children()}
-											<Server class="w-3.5 h-3.5 mr-2 text-sky-500" />
-											Host
-										{/snippet}
-									</Select.Item>
-									<Select.Item value="none">
-										{#snippet children()}
-											<CircleOff class="w-3.5 h-3.5 mr-2 text-muted-foreground" />
-											None
-										{/snippet}
-									</Select.Item>
-								</Select.Content>
-							</Select.Root>
-						</div>
-					</div>
-
-					<div class="flex items-center space-x-2 pt-1">
-						<Checkbox id="startAfterUpdate" bind:checked={startAfterUpdate} />
-						<Label for="startAfterUpdate" class="text-xs font-normal">Start container after update</Label>
-					</div>
-				</div>
-
-				<!-- Networks -->
-				{#if availableNetworks.length > 0}
-					<div class="space-y-2">
-						<div class="flex justify-between items-center pb-2 border-b">
-							<div class="flex items-center gap-2">
-								<Network class="w-4 h-4 text-muted-foreground" />
-								<h3 class="text-sm font-semibold text-foreground">Networks</h3>
-							</div>
-						</div>
-
-						<div class="space-y-2">
-							<Select.Root type="single" value="" onValueChange={addNetwork}>
-								<Select.Trigger class="w-full h-9">
-									<span class="text-muted-foreground">Select network to add...</span>
-								</Select.Trigger>
-								<Select.Content>
-									{#each availableNetworks.filter(n => !selectedNetworks.includes(n.name) && !['bridge', 'host', 'none'].includes(n.name)) as network}
-										<Select.Item value={network.name}>
-											{#snippet children()}
-												<div class="flex items-center justify-between w-full">
-													<span>{network.name}</span>
-													<span class={getDriverBadgeClasses(network.driver)}>{network.driver}</span>
-												</div>
-											{/snippet}
-										</Select.Item>
-									{/each}
-								</Select.Content>
-							</Select.Root>
-
-							{#if selectedNetworks.length > 0}
-								<div class="flex flex-wrap gap-2 pt-1">
-									{#each selectedNetworks as networkName}
-										{@const network = availableNetworks.find(n => n.name === networkName)}
-										<Badge variant="secondary" class="flex items-center gap-1.5 pr-1">
-											{networkName}
-											{#if network}
-												<span class={getDriverBadgeClasses(network.driver)}>{network.driver}</span>
-											{/if}
-											<button
-												type="button"
-												onclick={() => removeNetwork(networkName)}
-												class="ml-0.5 hover:bg-destructive/20 rounded p-0.5"
-											>
-												<X class="w-3 h-3" />
-											</button>
-										</Badge>
-									{/each}
-								</div>
-							{/if}
-							<p class="text-xs text-muted-foreground">Container will be connected to selected networks in addition to the network mode above</p>
-						</div>
-					</div>
-				{/if}
-
-				<!-- Port Mappings -->
-				<div class="space-y-2">
-					<div class="flex justify-between items-center pb-2 border-b">
-						<h3 class="text-sm font-semibold text-foreground">Port mappings</h3>
-						<Button type="button" size="sm" variant="ghost" onclick={addPortMapping} class="h-7 text-xs">
-							<Plus class="w-3.5 h-3.5 mr-1" />
-							Add
-						</Button>
-					</div>
-
-					<div class="space-y-2">
-						{#each portMappings as mapping, index}
-							<div class="flex gap-2 items-center">
-								<div class="flex-1 relative">
-									<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1">Host</span>
-									<Input bind:value={mapping.hostPort} type="number" class="h-9" />
-								</div>
-								<div class="flex-1 relative">
-									<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1">Container</span>
-									<Input bind:value={mapping.containerPort} type="number" class="h-9" />
-								</div>
-								<div class="relative">
-									<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1 z-10">Protocol</span>
-									<Select.Root type="single" bind:value={mapping.protocol}>
-										<Select.Trigger class="w-20 h-9">
-											<span>{mapping.protocol.toUpperCase()}</span>
-										</Select.Trigger>
-										<Select.Content>
-											<Select.Item value="tcp" label="TCP" />
-											<Select.Item value="udp" label="UDP" />
-										</Select.Content>
-									</Select.Root>
-								</div>
-								<Button
-									type="button"
-									size="icon"
-									variant="ghost"
-									onclick={() => removePortMapping(index)}
-									disabled={portMappings.length === 1}
-									class="h-9 w-9 text-muted-foreground hover:text-destructive"
-								>
-									<Trash2 class="w-4 h-4" />
-								</Button>
-							</div>
-						{/each}
-					</div>
-				</div>
-
-				<!-- Volume Mappings -->
-				<div class="space-y-2">
-					<div class="flex justify-between items-center pb-2 border-b">
-						<h3 class="text-sm font-semibold text-foreground">Volume mappings</h3>
-						<Button type="button" size="sm" variant="ghost" onclick={addVolumeMapping} class="h-7 text-xs">
-							<Plus class="w-3.5 h-3.5 mr-1" />
-							Add
-						</Button>
-					</div>
-
-					<div class="space-y-2">
-						{#each volumeMappings as mapping, index}
-							<div class="flex gap-2 items-center">
-								<div class="flex-1 relative">
-									<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1">Host path</span>
-									<Input bind:value={mapping.hostPath} class="h-9" />
-								</div>
-								<div class="flex-1 relative">
-									<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1">Container path</span>
-									<Input bind:value={mapping.containerPath} class="h-9" />
-								</div>
-								<div class="relative">
-									<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1 z-10">Mode</span>
-									<Select.Root type="single" bind:value={mapping.mode}>
-										<Select.Trigger class="w-16 h-9">
-											<span>{mapping.mode.toUpperCase()}</span>
-										</Select.Trigger>
-										<Select.Content>
-											<Select.Item value="rw" label="RW" />
-											<Select.Item value="ro" label="RO" />
-										</Select.Content>
-									</Select.Root>
-								</div>
-								<Button
-									type="button"
-									size="icon"
-									variant="ghost"
-									onclick={() => removeVolumeMapping(index)}
-									disabled={volumeMappings.length === 1}
-									class="h-9 w-9 text-muted-foreground hover:text-destructive"
-								>
-									<Trash2 class="w-4 h-4" />
-								</Button>
-							</div>
-						{/each}
-					</div>
-				</div>
-
-				<!-- Environment Variables -->
-				<div class="space-y-2">
-					<div class="flex justify-between items-center pb-2 border-b">
-						<h3 class="text-sm font-semibold text-foreground">Environment variables</h3>
-						<Button type="button" size="sm" variant="ghost" onclick={addEnvVar} class="h-7 text-xs">
-							<Plus class="w-3.5 h-3.5 mr-1" />
-							Add
-						</Button>
-					</div>
-
-					<div class="space-y-2">
-						{#each envVars as envVar, index}
-							<div class="flex gap-2 items-center">
-								<div class="flex-1 relative">
-									<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1">Key</span>
-									<Input bind:value={envVar.key} class="h-9" />
-								</div>
-								<div class="flex-1 relative">
-									<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1">Value</span>
-									<Input bind:value={envVar.value} class="h-9" />
-								</div>
-								<Button
-									type="button"
-									size="icon"
-									variant="ghost"
-									onclick={() => removeEnvVar(index)}
-									disabled={envVars.length === 1}
-									class="h-9 w-9 text-muted-foreground hover:text-destructive"
-								>
-									<Trash2 class="w-4 h-4" />
-								</Button>
-							</div>
-						{/each}
-					</div>
-				</div>
-
-				<!-- Labels -->
-				<div class="space-y-2">
-					<div class="flex justify-between items-center pb-2 border-b">
-						<h3 class="text-sm font-semibold text-foreground">Labels</h3>
-						<Button type="button" size="sm" variant="ghost" onclick={addLabel} class="h-7 text-xs">
-							<Plus class="w-3.5 h-3.5 mr-1" />
-							Add
-						</Button>
-					</div>
-
-					<div class="space-y-2">
-						{#each labels as label, index}
-							<div class="flex gap-2 items-center">
-								<div class="flex-1 relative">
-									<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1">Key</span>
-									<Input bind:value={label.key} class="h-9" />
-								</div>
-								<div class="flex-1 relative">
-									<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1">Value</span>
-									<Input bind:value={label.value} class="h-9" />
-								</div>
-								<Button
-									type="button"
-									size="icon"
-									variant="ghost"
-									onclick={() => removeLabel(index)}
-									disabled={labels.length === 1}
-									class="h-9 w-9 text-muted-foreground hover:text-destructive"
-								>
-									<Trash2 class="w-4 h-4" />
-								</Button>
-							</div>
-						{/each}
-					</div>
-				</div>
-
-				<!-- Auto-update Settings -->
-				<div class="space-y-3">
-					<div class="flex items-center gap-2 pb-2 border-b">
-						<CircleArrowUp class="w-4 h-4 text-muted-foreground" />
-						<h3 class="text-sm font-semibold text-foreground">Auto-update</h3>
-					</div>
-
-				<AutoUpdateSettings
-					bind:enabled={autoUpdateEnabled}
-					bind:cronExpression={autoUpdateCronExpression}
-					bind:vulnerabilityCriteria={vulnerabilityCriteria}
-				/>
-				</div>
-
-				{#if statusMessage}
-					<div class="px-3 py-2 text-xs text-primary bg-primary/10 rounded-md">
-						{statusMessage}
-					</div>
-				{/if}
-
-				{#if error}
-					<div class="px-3 py-2 text-xs text-destructive bg-destructive/10 rounded-md">
-						{error}
-					</div>
-				{/if}
-
-			</div>
-			<div class="flex justify-end gap-2 px-5 py-3 border-t bg-muted/30 shrink-0">
-				<Button type="button" variant="outline" onclick={handleClose} disabled={loading} size="sm">
-					Cancel
-				</Button>
-				<Button type="button" variant="secondary" disabled={loading} size="sm" onclick={handleSubmit}>
-					{#if loading}
-						<Loader2 class="w-4 h-4 mr-1 animate-spin" />
-						Updating...
-					{:else}
-						Update container
-					{/if}
-				</Button>
-			</div>
-		{/if}
-	</Dialog.Content>
-</Dialog.Root>
diff --git a/routes/profile/MfaSetupModal.svelte b/routes/profile/MfaSetupModal.svelte
deleted file mode 100644
index c41370d..0000000
--- a/routes/profile/MfaSetupModal.svelte
+++ /dev/null
@@ -1,117 +0,0 @@
-<script lang="ts">
-	import { Button } from '$lib/components/ui/button';
-	import * as Dialog from '$lib/components/ui/dialog';
-	import { Label } from '$lib/components/ui/label';
-	import { Input } from '$lib/components/ui/input';
-	import { QrCode, RefreshCw, ShieldCheck, TriangleAlert } from 'lucide-svelte';
-	import * as Alert from '$lib/components/ui/alert';
-	import { focusFirstInput } from '$lib/utils';
-
-	interface Props {
-		open: boolean;
-		qrCode: string;
-		secret: string;
-		userId: number;
-		onClose: () => void;
-		onSuccess: () => void;
-	}
-
-	let { open = $bindable(), qrCode, secret, userId, onClose, onSuccess }: Props = $props();
-
-	let token = $state('');
-	let loading = $state(false);
-	let error = $state('');
-
-	function resetForm() {
-		token = '';
-		error = '';
-	}
-
-	async function verifyAndEnableMfa() {
-		if (!token) {
-			error = 'Please enter the verification code';
-			return;
-		}
-
-		loading = true;
-		error = '';
-
-		try {
-			const response = await fetch(`/api/users/${userId}/mfa`, {
-				method: 'POST',
-				headers: { 'Content-Type': 'application/json' },
-				body: JSON.stringify({ action: 'verify', token })
-			});
-
-			if (response.ok) {
-				onSuccess();
-				onClose();
-			} else {
-				const data = await response.json();
-				error = data.error || 'Invalid verification code';
-			}
-		} catch (e) {
-			error = 'Failed to verify MFA';
-		} finally {
-			loading = false;
-		}
-	}
-
-</script>
-
-<Dialog.Root bind:open onOpenChange={(o) => { if (o) { resetForm(); focusFirstInput(); } else onClose(); }}>
-	<Dialog.Content class="max-w-md">
-		<Dialog.Header>
-			<Dialog.Title class="flex items-center gap-2">
-				<QrCode class="w-5 h-5" />
-				Setup two-factor authentication
-			</Dialog.Title>
-		</Dialog.Header>
-		<div class="space-y-4">
-			{#if error}
-				<Alert.Root variant="destructive">
-					<TriangleAlert class="h-4 w-4" />
-					<Alert.Description>{error}</Alert.Description>
-				</Alert.Root>
-			{/if}
-
-			<p class="text-sm text-muted-foreground">
-				Scan this QR code with your authenticator app (Google Authenticator, Authy, etc.)
-			</p>
-
-			{#if qrCode}
-				<div class="flex justify-center p-4 bg-white rounded-lg">
-					<img src={qrCode} alt="MFA QR Code" class="w-48 h-48" />
-				</div>
-			{/if}
-
-			<div class="space-y-2">
-				<Label class="text-xs text-muted-foreground">Or enter this code manually:</Label>
-				<code class="block p-2 bg-muted rounded text-sm font-mono break-all">{secret}</code>
-			</div>
-
-			<div class="space-y-2">
-				<Label>Verification code</Label>
-				<Input
-					bind:value={token}
-					placeholder="Enter 6-digit code"
-					maxlength={6}
-				/>
-				<p class="text-xs text-muted-foreground">
-					Enter the code from your authenticator app to verify setup
-				</p>
-			</div>
-		</div>
-		<Dialog.Footer>
-			<Button variant="outline" onclick={onClose}>Cancel</Button>
-			<Button onclick={verifyAndEnableMfa} disabled={loading || !token}>
-				{#if loading}
-					<RefreshCw class="w-4 h-4 mr-1 animate-spin" />
-				{:else}
-					<ShieldCheck class="w-4 h-4 mr-1" />
-				{/if}
-				Enable MFA
-			</Button>
-		</Dialog.Footer>
-	</Dialog.Content>
-</Dialog.Root>
diff --git a/routes/stacks/StackModal.svelte b/routes/stacks/StackModal.svelte
deleted file mode 100644
index 8ed7b7c..0000000
--- a/routes/stacks/StackModal.svelte
+++ /dev/null
@@ -1,740 +0,0 @@
-<script lang="ts">
-	import { onMount } from 'svelte';
-	import * as Dialog from '$lib/components/ui/dialog';
-	import { Button } from '$lib/components/ui/button';
-	import { Input } from '$lib/components/ui/input';
-	import { Label } from '$lib/components/ui/label';
-	import CodeEditor, { type VariableMarker } from '$lib/components/CodeEditor.svelte';
-	import StackEnvVarsPanel from '$lib/components/StackEnvVarsPanel.svelte';
-	import { type EnvVar, type ValidationResult } from '$lib/components/StackEnvVarsEditor.svelte';
-	import { Layers, Save, Play, Code, GitGraph, Loader2, AlertCircle, X, Sun, Moon, TriangleAlert, ChevronsLeft, ChevronsRight, Variable } from 'lucide-svelte';
-	import { currentEnvironment, appendEnvParam } from '$lib/stores/environment';
-	import { focusFirstInput } from '$lib/utils';
-	import * as Alert from '$lib/components/ui/alert';
-	import ComposeGraphViewer from './ComposeGraphViewer.svelte';
-
-	interface Props {
-		open: boolean;
-		mode: 'create' | 'edit';
-		stackName?: string; // Required for edit mode, optional for create
-		onClose: () => void;
-		onSuccess: () => void; // Called after create or save
-	}
-
-	let { open = $bindable(), mode, stackName = '', onClose, onSuccess }: Props = $props();
-
-	// Form state
-	let newStackName = $state('');
-	let loading = $state(false);
-	let saving = $state(false);
-	let error = $state<string | null>(null);
-	let loadError = $state<string | null>(null);
-	let errors = $state<{ stackName?: string; compose?: string }>({});
-	let composeContent = $state('');
-	let originalContent = $state('');
-	let activeTab = $state<'editor' | 'graph'>('editor');
-	let showConfirmClose = $state(false);
-	let editorTheme = $state<'light' | 'dark'>('dark');
-
-	// Environment variables state
-	let envVars = $state<EnvVar[]>([]);
-	let originalEnvVars = $state<EnvVar[]>([]);
-	let envValidation = $state<ValidationResult | null>(null);
-	let validating = $state(false);
-	let existingSecretKeys = $state<Set<string>>(new Set());
-
-	// CodeEditor reference for explicit marker updates
-	let codeEditorRef: CodeEditor | null = $state(null);
-
-	// ComposeGraphViewer reference for resize on panel toggle
-	let graphViewerRef: ComposeGraphViewer | null = $state(null);
-
-	// Debounce timer for validation
-	let validateTimer: ReturnType<typeof setTimeout> | null = null;
-
-	const defaultCompose = `version: "3.8"
-
-services:
-  app:
-    image: nginx:alpine
-    ports:
-      - "8080:80"
-    environment:
-      - APP_ENV=\${APP_ENV:-production}
-    volumes:
-      - ./html:/usr/share/nginx/html:ro
-    restart: unless-stopped
-
-# Add more services as needed
-# networks:
-#   default:
-#     driver: bridge
-`;
-
-	// Count of defined environment variables (with non-empty keys)
-	const envVarCount = $derived(envVars.filter(v => v.key.trim()).length);
-
-	// Build a lookup map from envVars for quick access
-	const envVarMap = $derived.by(() => {
-		const map = new Map<string, { value: string; isSecret: boolean }>();
-		for (const v of envVars) {
-			if (v.key.trim()) {
-				map.set(v.key.trim(), { value: v.value, isSecret: v.isSecret });
-			}
-		}
-		return map;
-	});
-
-	// Compute variable markers for the code editor (with values for overlay)
-	const variableMarkers = $derived.by<VariableMarker[]>(() => {
-		if (!envValidation) return [];
-
-		const markers: VariableMarker[] = [];
-
-		// Add missing required variables
-		for (const name of envValidation.missing) {
-			const env = envVarMap.get(name);
-			markers.push({
-				name,
-				type: 'missing',
-				value: env?.value,
-				isSecret: env?.isSecret
-			});
-		}
-
-		// Add defined required variables
-		for (const name of envValidation.required) {
-			if (!envValidation.missing.includes(name)) {
-				const env = envVarMap.get(name);
-				markers.push({
-					name,
-					type: 'required',
-					value: env?.value,
-					isSecret: env?.isSecret
-				});
-			}
-		}
-
-		// Add optional variables
-		for (const name of envValidation.optional) {
-			const env = envVarMap.get(name);
-			markers.push({
-				name,
-				type: 'optional',
-				value: env?.value,
-				isSecret: env?.isSecret
-			});
-		}
-
-		return markers;
-	});
-
-	// Check for compose changes
-	const hasComposeChanges = $derived(composeContent !== originalContent);
-
-	// Stable callback for compose content changes - avoids stale closure issues
-	function handleComposeChange(value: string) {
-		composeContent = value;
-		debouncedValidate();
-	}
-
-	// Debounced validation to avoid too many API calls while typing
-	function debouncedValidate() {
-		if (validateTimer) clearTimeout(validateTimer);
-		validateTimer = setTimeout(() => {
-			validateEnvVars();
-		}, 500);
-	}
-
-	// Explicitly push markers to the editor
-	function updateEditorMarkers() {
-		if (!codeEditorRef) return;
-		codeEditorRef.updateVariableMarkers(variableMarkers);
-	}
-
-	// Check for env var changes (compare by serializing)
-	const hasEnvVarChanges = $derived.by(() => {
-		const current = JSON.stringify(envVars.filter(v => v.key));
-		const original = JSON.stringify(originalEnvVars);
-		return current !== original;
-	});
-
-	const hasChanges = $derived(hasComposeChanges || hasEnvVarChanges);
-
-	// Display title
-	const displayName = $derived(mode === 'edit' ? stackName : (newStackName || 'New stack'));
-
-	onMount(() => {
-		// Follow app theme from localStorage
-		const appTheme = localStorage.getItem('theme');
-		if (appTheme === 'dark' || appTheme === 'light') {
-			editorTheme = appTheme;
-		} else {
-			// Fallback to system preference
-			editorTheme = window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'light';
-		}
-	});
-
-	async function loadComposeFile() {
-		if (mode !== 'edit' || !stackName) return;
-
-		loading = true;
-		loadError = null;
-		error = null;
-
-		try {
-			const envId = $currentEnvironment?.id ?? null;
-
-			// Load compose file
-			const response = await fetch(`/api/stacks/${encodeURIComponent(stackName)}/compose`);
-			const data = await response.json();
-
-			if (!response.ok) {
-				throw new Error(data.error || 'Failed to load compose file');
-			}
-
-			composeContent = data.content;
-			originalContent = data.content;
-
-			// Load environment variables
-			const envResponse = await fetch(appendEnvParam(`/api/stacks/${encodeURIComponent(stackName)}/env`, envId));
-			if (envResponse.ok) {
-				const envData = await envResponse.json();
-				envVars = envData.variables || [];
-				originalEnvVars = JSON.parse(JSON.stringify(envData.variables || []));
-				// Track existing secret keys (secrets loaded from DB cannot have visibility toggled)
-				existingSecretKeys = new Set(
-					envVars.filter(v => v.isSecret && v.key.trim()).map(v => v.key.trim())
-				);
-			}
-		} catch (e: any) {
-			loadError = e.message;
-		} finally {
-			loading = false;
-		}
-	}
-
-	async function validateEnvVars() {
-		const content = composeContent || defaultCompose;
-		if (!content.trim()) return;
-
-		validating = true;
-		try {
-			const envId = $currentEnvironment?.id ?? null;
-			// Use 'new' as placeholder stack name for new stacks
-			const stackNameForValidation = mode === 'edit' ? stackName : (newStackName.trim() || 'new');
-			// Pass current UI env vars for validation
-			const currentVars = envVars.filter(v => v.key.trim()).map(v => v.key.trim());
-			const response = await fetch(appendEnvParam(`/api/stacks/${encodeURIComponent(stackNameForValidation)}/env/validate`, envId), {
-				method: 'POST',
-				headers: { 'Content-Type': 'application/json' },
-				body: JSON.stringify({ compose: content, variables: currentVars })
-			});
-
-			if (response.ok) {
-				envValidation = await response.json();
-				// Explicitly update markers in the editor after validation
-				// Use setTimeout to ensure derived variableMarkers has updated
-				setTimeout(() => updateEditorMarkers(), 0);
-			}
-		} catch (e) {
-			console.error('Failed to validate env vars:', e);
-		} finally {
-			validating = false;
-		}
-	}
-
-	function toggleEditorTheme() {
-		editorTheme = editorTheme === 'light' ? 'dark' : 'light';
-		localStorage.setItem('dockhand-editor-theme', editorTheme);
-	}
-
-	function handleGraphContentChange(newContent: string) {
-		composeContent = newContent;
-	}
-
-	async function handleCreate(start: boolean = false) {
-		errors = {};
-		let hasErrors = false;
-
-		if (!newStackName.trim()) {
-			errors.stackName = 'Stack name is required';
-			hasErrors = true;
-		}
-
-		const content = composeContent || defaultCompose;
-		if (!content.trim()) {
-			errors.compose = 'Compose file content is required';
-			hasErrors = true;
-		}
-
-		if (hasErrors) return;
-
-		saving = true;
-		error = null;
-
-		try {
-			const envId = $currentEnvironment?.id ?? null;
-
-			// Create the stack
-			const response = await fetch(appendEnvParam('/api/stacks', envId), {
-				method: 'POST',
-				headers: { 'Content-Type': 'application/json' },
-				body: JSON.stringify({
-					name: newStackName.trim(),
-					compose: content,
-					start
-				})
-			});
-
-			if (!response.ok) {
-				const data = await response.json();
-				throw new Error(data.error || 'Failed to create stack');
-			}
-
-			// Save environment variables if any are defined
-			const definedVars = envVars.filter(v => v.key.trim());
-			if (definedVars.length > 0) {
-				const envResponse = await fetch(appendEnvParam(`/api/stacks/${encodeURIComponent(newStackName.trim())}/env`, envId), {
-					method: 'PUT',
-					headers: { 'Content-Type': 'application/json' },
-					body: JSON.stringify({
-						variables: definedVars.map(v => ({
-							key: v.key.trim(),
-							value: v.value,
-							isSecret: v.isSecret
-						}))
-					})
-				});
-
-				if (!envResponse.ok) {
-					console.error('Failed to save environment variables');
-				}
-			}
-
-			onSuccess();
-			handleClose();
-		} catch (e: any) {
-			error = e.message;
-		} finally {
-			saving = false;
-		}
-	}
-
-	async function handleSave(restart = false) {
-		errors = {};
-
-		if (!composeContent.trim()) {
-			errors.compose = 'Compose file content cannot be empty';
-			return;
-		}
-
-		saving = true;
-		error = null;
-
-		try {
-			const envId = $currentEnvironment?.id ?? null;
-
-			// Save compose file
-			const response = await fetch(
-				appendEnvParam(`/api/stacks/${encodeURIComponent(stackName)}/compose`, envId),
-				{
-					method: 'PUT',
-					headers: { 'Content-Type': 'application/json' },
-					body: JSON.stringify({
-						content: composeContent,
-						restart
-					})
-				}
-			);
-
-			const data = await response.json();
-
-			if (!response.ok) {
-				throw new Error(data.error || 'Failed to save compose file');
-			}
-
-			// Save environment variables if any are defined
-			const definedVars = envVars.filter(v => v.key.trim());
-			if (definedVars.length > 0 || originalEnvVars.length > 0) {
-				const envResponse = await fetch(
-					appendEnvParam(`/api/stacks/${encodeURIComponent(stackName)}/env`, envId),
-					{
-						method: 'PUT',
-						headers: { 'Content-Type': 'application/json' },
-						body: JSON.stringify({
-							variables: definedVars.map(v => ({
-								key: v.key.trim(),
-								value: v.value,
-								isSecret: v.isSecret
-							}))
-						})
-					}
-				);
-
-				if (!envResponse.ok) {
-					console.error('Failed to save environment variables');
-				}
-			}
-
-			originalContent = composeContent;
-			originalEnvVars = JSON.parse(JSON.stringify(definedVars));
-			onSuccess();
-
-			if (!restart) {
-				// Show success briefly then close
-				setTimeout(() => handleClose(), 500);
-			} else {
-				handleClose();
-			}
-		} catch (e: any) {
-			error = e.message;
-		} finally {
-			saving = false;
-		}
-	}
-
-	function tryClose() {
-		if (hasChanges) {
-			showConfirmClose = true;
-		} else {
-			handleClose();
-		}
-	}
-
-	function handleClose() {
-		// Clear any pending validation timer
-		if (validateTimer) {
-			clearTimeout(validateTimer);
-			validateTimer = null;
-		}
-		// Reset all state
-		newStackName = '';
-		error = null;
-		loadError = null;
-		errors = {};
-		composeContent = '';
-		originalContent = '';
-		envVars = [];
-		originalEnvVars = [];
-		envValidation = null;
-		existingSecretKeys = new Set();
-		activeTab = 'editor';
-		showConfirmClose = false;
-		codeEditorRef = null;
-		onClose();
-	}
-
-	function discardAndClose() {
-		showConfirmClose = false;
-		handleClose();
-	}
-
-	// Initialize when dialog opens - ONLY ONCE per open
-	let hasInitialized = $state(false);
-	$effect(() => {
-		if (open && !hasInitialized) {
-			hasInitialized = true;
-			if (mode === 'edit' && stackName) {
-				loadComposeFile().then(() => {
-					// Auto-validate after loading
-					validateEnvVars();
-				});
-			} else if (mode === 'create') {
-				// Set default compose content for create mode
-				composeContent = defaultCompose;
-				originalContent = defaultCompose; // Track original for change detection
-				loading = false;
-				// Auto-validate default compose
-				validateEnvVars();
-			}
-		} else if (!open) {
-			hasInitialized = false; // Reset when modal closes
-		}
-	});
-
-	// Re-validate when envVars change (adding/removing variables affects missing/defined status)
-	$effect(() => {
-		// Track envVars changes (this triggers on any modification to envVars array)
-		const vars = envVars;
-		if (!open || !envValidation) return;
-
-		// Debounce to avoid too many API calls while typing
-		const timeout = setTimeout(() => {
-			validateEnvVars();
-		}, 300);
-
-		return () => clearTimeout(timeout);
-	});
-</script>
-
-<Dialog.Root
-	bind:open
-	onOpenChange={(isOpen) => {
-		if (isOpen) {
-			focusFirstInput();
-		} else {
-			// Prevent closing if there are unsaved changes - show confirmation instead
-			if (hasChanges) {
-				// Re-open the dialog and show confirmation
-				open = true;
-				showConfirmClose = true;
-			}
-			// If no changes, let it close naturally
-		}
-	}}
->
-	<Dialog.Content class="max-w-7xl w-[95vw] h-[90vh] flex flex-col p-0 gap-0 shadow-xl border-zinc-200 dark:border-zinc-700" showCloseButton={false}>
-		<Dialog.Header class="px-5 py-3 border-b border-zinc-200 dark:border-zinc-700 flex-shrink-0 bg-zinc-50 dark:bg-zinc-800">
-			<div class="flex items-center justify-between">
-				<div class="flex items-center gap-3">
-					<div class="flex items-center gap-2">
-						<div class="p-1.5 rounded-md bg-zinc-200 dark:bg-zinc-700">
-							<Layers class="w-4 h-4 text-zinc-600 dark:text-zinc-300" />
-						</div>
-						<div>
-							<Dialog.Title class="text-sm font-semibold text-zinc-800 dark:text-zinc-100">
-								{#if mode === 'create'}
-									Create compose stack
-								{:else}
-									{stackName}
-								{/if}
-							</Dialog.Title>
-							<Dialog.Description class="text-xs text-zinc-500 dark:text-zinc-400">
-								{#if mode === 'create'}
-									Create a new Docker Compose stack
-								{:else}
-									Edit compose file and view stack structure
-								{/if}
-							</Dialog.Description>
-						</div>
-					</div>
-
-					<!-- View toggle -->
-					<div class="flex items-center gap-0.5 bg-zinc-200 dark:bg-zinc-700 rounded-md p-0.5 ml-3">
-						<button
-							class="flex items-center gap-1.5 px-2.5 py-1 rounded text-xs transition-colors {activeTab === 'editor' ? 'bg-white dark:bg-zinc-900 text-zinc-800 dark:text-zinc-100 shadow-sm' : 'text-zinc-500 dark:text-zinc-400 hover:text-zinc-700 dark:hover:text-zinc-200'}"
-							onclick={() => activeTab = 'editor'}
-						>
-							<Code class="w-3.5 h-3.5" />
-							Editor
-						</button>
-						<button
-							class="flex items-center gap-1.5 px-2.5 py-1 rounded text-xs transition-colors {activeTab === 'graph' ? 'bg-white dark:bg-zinc-900 text-zinc-800 dark:text-zinc-100 shadow-sm' : 'text-zinc-500 dark:text-zinc-400 hover:text-zinc-700 dark:hover:text-zinc-200'}"
-							onclick={() => activeTab = 'graph'}
-						>
-							<GitGraph class="w-3.5 h-3.5" />
-							Graph
-						</button>
-					</div>
-				</div>
-
-				<div class="flex items-center gap-2">
-					<!-- Theme toggle (only in editor mode) -->
-					{#if activeTab === 'editor'}
-						<button
-							onclick={toggleEditorTheme}
-							class="p-1.5 rounded-md text-zinc-400 dark:text-zinc-500 hover:text-zinc-600 dark:hover:text-zinc-300 hover:bg-zinc-200 dark:hover:bg-zinc-700 transition-colors"
-							title={editorTheme === 'light' ? 'Switch to dark theme' : 'Switch to light theme'}
-						>
-							{#if editorTheme === 'light'}
-								<Moon class="w-4 h-4" />
-							{:else}
-								<Sun class="w-4 h-4" />
-							{/if}
-						</button>
-					{/if}
-
-					<!-- Close button -->
-					<button
-						onclick={tryClose}
-						class="p-1.5 rounded-md text-zinc-400 dark:text-zinc-500 hover:text-zinc-600 dark:hover:text-zinc-300 hover:bg-zinc-200 dark:hover:bg-zinc-700 transition-colors"
-					>
-						<X class="w-4 h-4" />
-					</button>
-				</div>
-			</div>
-		</Dialog.Header>
-
-		<div class="flex-1 overflow-hidden flex flex-col min-h-0">
-			{#if error}
-				<Alert.Root variant="destructive" class="mx-6 mt-4">
-					<TriangleAlert class="h-4 w-4" />
-					<Alert.Description>{error}</Alert.Description>
-				</Alert.Root>
-			{/if}
-
-			{#if errors.compose}
-				<Alert.Root variant="destructive" class="mx-6 mt-4">
-					<TriangleAlert class="h-4 w-4" />
-					<Alert.Description>{errors.compose}</Alert.Description>
-				</Alert.Root>
-			{/if}
-
-			{#if mode === 'edit' && loading}
-				<div class="flex-1 flex items-center justify-center">
-					<div class="flex items-center gap-3 text-zinc-400 dark:text-zinc-500">
-						<Loader2 class="w-5 h-5 animate-spin" />
-						<span>Loading compose file...</span>
-					</div>
-				</div>
-			{:else if mode === 'edit' && loadError}
-				<div class="flex-1 flex items-center justify-center p-6">
-					<div class="text-center max-w-md">
-						<div class="w-12 h-12 rounded-full bg-amber-500/10 flex items-center justify-center mx-auto mb-4">
-							<AlertCircle class="w-6 h-6 text-amber-400" />
-						</div>
-						<h3 class="text-lg font-medium mb-2">Could not load compose file</h3>
-						<p class="text-sm text-zinc-400 dark:text-zinc-500 mb-4">{loadError}</p>
-						<p class="text-xs text-zinc-500 dark:text-zinc-400">
-							This stack may have been created outside of Dockhand or the compose file may have been moved.
-						</p>
-					</div>
-				</div>
-			{:else}
-				<!-- Stack name input (create mode only) -->
-				{#if mode === 'create'}
-					<div class="px-6 py-4 border-b border-zinc-200 dark:border-zinc-700">
-						<div class="max-w-md space-y-1">
-							<Label for="stack-name">Stack name</Label>
-							<Input
-								id="stack-name"
-								bind:value={newStackName}
-								placeholder="my-stack"
-								class={errors.stackName ? 'border-destructive focus-visible:ring-destructive' : ''}
-								oninput={() => errors.stackName = undefined}
-							/>
-							{#if errors.stackName}
-								<p class="text-xs text-destructive">{errors.stackName}</p>
-							{/if}
-						</div>
-					</div>
-				{/if}
-
-				<!-- Content area -->
-				<div class="flex-1 min-h-0 flex">
-					{#if activeTab === 'editor'}
-						<!-- Editor tab: Code editor + Env panel side by side -->
-						<div class="w-[60%] flex-shrink-0 border-r border-zinc-200 dark:border-zinc-700 flex flex-col min-w-0">
-							{#if open}
-								<div class="flex-1 p-3 min-h-0">
-									<CodeEditor
-										bind:this={codeEditorRef}
-										value={composeContent}
-										language="yaml"
-										theme={editorTheme}
-										onchange={handleComposeChange}
-										variableMarkers={variableMarkers}
-										class="h-full rounded-md overflow-hidden border border-zinc-200 dark:border-zinc-700"
-									/>
-								</div>
-							{/if}
-						</div>
-						<!-- Environment variables panel -->
-						<div class="flex-1 min-w-0 flex flex-col overflow-hidden bg-zinc-50 dark:bg-zinc-800/50">
-							<div class="flex items-center gap-1.5 px-3 py-1.5 border-b border-zinc-200 dark:border-zinc-700 text-xs font-medium text-zinc-600 dark:text-zinc-300">
-								<Variable class="w-3.5 h-3.5" />
-								Environment variables
-							</div>
-							<div class="flex-1 min-h-0 overflow-hidden">
-								<StackEnvVarsPanel
-									bind:variables={envVars}
-									validation={envValidation}
-									existingSecretKeys={mode === 'edit' ? existingSecretKeys : new Set()}
-									onchange={() => validateEnvVars()}
-								/>
-							</div>
-						</div>
-					{:else if activeTab === 'graph'}
-						<!-- Graph tab: Full width -->
-						<ComposeGraphViewer
-							bind:this={graphViewerRef}
-							composeContent={composeContent || defaultCompose}
-							class="h-full flex-1"
-							onContentChange={handleGraphContentChange}
-						/>
-					{/if}
-				</div>
-			{/if}
-		</div>
-
-		<!-- Footer -->
-		<div class="px-5 py-2.5 border-t border-zinc-200 dark:border-zinc-700 flex items-center justify-between flex-shrink-0 bg-zinc-50 dark:bg-zinc-800">
-			<div class="text-xs text-zinc-500 dark:text-zinc-400">
-				{#if hasChanges}
-					<span class="text-amber-600 dark:text-amber-500">Unsaved changes</span>
-				{:else}
-					No changes
-				{/if}
-			</div>
-
-			<div class="flex items-center gap-2">
-				<Button variant="outline" onclick={tryClose} disabled={saving}>
-					Cancel
-				</Button>
-
-				{#if mode === 'create'}
-					<!-- Create mode buttons -->
-					<Button variant="outline" onclick={() => handleCreate(false)} disabled={saving}>
-						{#if saving}
-							<Loader2 class="w-4 h-4 mr-2 animate-spin" />
-							Creating...
-						{:else}
-							<Save class="w-4 h-4 mr-2" />
-							Create
-						{/if}
-					</Button>
-					<Button onclick={() => handleCreate(true)} disabled={saving}>
-						{#if saving}
-							<Loader2 class="w-4 h-4 mr-2 animate-spin" />
-							Starting...
-						{:else}
-							<Play class="w-4 h-4 mr-2" />
-							Create & Start
-						{/if}
-					</Button>
-				{:else}
-					<!-- Edit mode buttons -->
-					<Button variant="outline" onclick={() => handleSave(false)} disabled={saving || !hasChanges || loading || !!loadError}>
-						{#if saving}
-							<Loader2 class="w-4 h-4 mr-2 animate-spin" />
-							Saving...
-						{:else}
-							<Save class="w-4 h-4 mr-2" />
-							Save
-						{/if}
-					</Button>
-					<Button onclick={() => handleSave(true)} disabled={saving || !hasChanges || loading || !!loadError}>
-						{#if saving}
-							<Loader2 class="w-4 h-4 mr-2 animate-spin" />
-							Applying...
-						{:else}
-							<Play class="w-4 h-4 mr-2" />
-							Save & apply
-						{/if}
-					</Button>
-				{/if}
-			</div>
-		</div>
-	</Dialog.Content>
-</Dialog.Root>
-
-<!-- Unsaved changes confirmation dialog -->
-<Dialog.Root bind:open={showConfirmClose}>
-	<Dialog.Content class="max-w-sm">
-		<Dialog.Header>
-			<Dialog.Title>Unsaved changes</Dialog.Title>
-			<Dialog.Description>
-				You have unsaved changes. Are you sure you want to close without saving?
-			</Dialog.Description>
-		</Dialog.Header>
-		<div class="flex justify-end gap-1.5 mt-4">
-			<Button variant="outline" size="sm" onclick={() => showConfirmClose = false}>
-				Continue editing
-			</Button>
-			<Button variant="destructive" size="sm" onclick={discardAndClose}>
-				Discard changes
-			</Button>
-		</div>
-	</Dialog.Content>
-</Dialog.Root>
diff --git a/routes/terminal/+page.svelte b/routes/terminal/+page.svelte
deleted file mode 100644
index 4dd3fc2..0000000
--- a/routes/terminal/+page.svelte
+++ /dev/null
@@ -1,349 +0,0 @@
-<script lang="ts">
-	import { onMount, onDestroy } from 'svelte';
-	import { page } from '$app/stores';
-	import { Button } from '$lib/components/ui/button';
-	import { Input } from '$lib/components/ui/input';
-	import { Label } from '$lib/components/ui/label';
-	import * as Select from '$lib/components/ui/select';
-	import { Search, ChevronDown, Terminal as TerminalIcon, Unplug, RefreshCw, Trash2, Copy, Shell, User } from 'lucide-svelte';
-	import PageHeader from '$lib/components/PageHeader.svelte';
-	import type { ContainerInfo } from '$lib/types';
-	import { currentEnvironment, environments, appendEnvParam } from '$lib/stores/environment';
-	import Terminal from './Terminal.svelte';
-	import { NoEnvironment } from '$lib/components/ui/empty-state';
-
-	// Track if we've handled the initial container from URL
-	let initialContainerHandled = $state(false);
-
-	let containers = $state<ContainerInfo[]>([]);
-	let selectedContainer = $state<ContainerInfo | null>(null);
-	let envId = $state<number | null>(null);
-
-	// Terminal component reference
-	let terminalComponent: ReturnType<typeof Terminal> | undefined;
-	let connected = $state(false);
-
-	// Shell/user options
-	let selectedShell = $state('/bin/bash');
-	let selectedUser = $state('root');
-	let terminalFontSize = $state(14);
-
-	const shellOptions = [
-		{ value: '/bin/bash', label: 'Bash' },
-		{ value: '/bin/sh', label: 'Shell (sh)' },
-		{ value: '/bin/zsh', label: 'Zsh' },
-		{ value: '/bin/ash', label: 'Ash (Alpine)' }
-	];
-
-	const userOptions = [
-		{ value: 'root', label: 'root' },
-		{ value: 'nobody', label: 'nobody' },
-		{ value: '', label: 'Container default' }
-	];
-
-	const fontSizeOptions = [10, 12, 14, 16, 18];
-
-	// Searchable dropdown state
-	let searchQuery = $state('');
-	let dropdownOpen = $state(false);
-
-	// Subscribe to environment changes
-	currentEnvironment.subscribe((env) => {
-		envId = env?.id ?? null;
-		if (env) {
-			fetchContainers();
-		}
-	});
-
-	// Filtered containers based on search
-	let filteredContainers = $derived(() => {
-		if (!searchQuery.trim()) return containers;
-		const query = searchQuery.toLowerCase();
-		return containers.filter(c =>
-			c.name.toLowerCase().includes(query) ||
-			c.image.toLowerCase().includes(query)
-		);
-	});
-
-	async function fetchContainers() {
-		try {
-			const response = await fetch(appendEnvParam('/api/containers', envId));
-			const allContainers = await response.json();
-			// Only show running containers
-			containers = allContainers.filter((c: ContainerInfo) => c.state === 'running');
-
-			// If selected container is no longer running, clear selection
-			if (selectedContainer && !containers.find((c) => c.id === selectedContainer?.id)) {
-				clearSelection();
-			}
-		} catch (error) {
-			console.error('Failed to fetch containers:', error);
-		}
-	}
-
-	function selectContainer(container: ContainerInfo) {
-		// Disconnect from previous container
-		if (selectedContainer && terminalComponent) {
-			terminalComponent.dispose();
-		}
-		selectedContainer = container;
-		searchQuery = '';
-		dropdownOpen = false;
-	}
-
-	function clearSelection() {
-		if (terminalComponent) {
-			terminalComponent.dispose();
-		}
-		selectedContainer = null;
-		searchQuery = '';
-		connected = false;
-	}
-
-	function handleInputFocus() {
-		dropdownOpen = true;
-	}
-
-	function handleInputBlur(e: FocusEvent) {
-		setTimeout(() => {
-			dropdownOpen = false;
-		}, 200);
-	}
-
-	function handleInputKeydown(e: KeyboardEvent) {
-		if (e.key === 'Enter') {
-			const filtered = filteredContainers();
-			if (filtered.length > 0) {
-				selectContainer(filtered[0]);
-			}
-		}
-	}
-
-	// Change font size
-	function changeFontSize(newSize: number) {
-		terminalFontSize = newSize;
-		terminalComponent?.setFontSize(newSize);
-	}
-
-	// Handle window resize
-	function handleResize() {
-		terminalComponent?.fit();
-	}
-
-	onMount(async () => {
-		await fetchContainers();
-
-		// Check for container ID in URL query parameter
-		const urlContainerId = $page.url.searchParams.get('container');
-		if (urlContainerId && !initialContainerHandled) {
-			initialContainerHandled = true;
-			const container = containers.find(c => c.id === urlContainerId || c.id.startsWith(urlContainerId));
-			if (container) {
-				selectContainer(container);
-			}
-		}
-
-		const containerInterval = setInterval(fetchContainers, 10000);
-
-		// Poll connected state from terminal component
-		const connectedPollInterval = setInterval(() => {
-			if (terminalComponent) {
-				connected = terminalComponent.getConnected();
-			}
-		}, 500);
-
-		window.addEventListener('resize', handleResize);
-
-		return () => {
-			clearInterval(containerInterval);
-			clearInterval(connectedPollInterval);
-		};
-	});
-
-	onDestroy(() => {
-		window.removeEventListener('resize', handleResize);
-		terminalComponent?.dispose();
-	});
-</script>
-
-{#if $environments.length === 0 || !$currentEnvironment}
-	<div class="flex flex-col flex-1 min-h-0 h-full">
-		<PageHeader icon={TerminalIcon} title="Shell" class="h-9 mb-3" />
-		<NoEnvironment />
-	</div>
-{:else}
-<div class="flex flex-col flex-1 min-h-0 h-full gap-3">
-	<!-- Header with container selector -->
-	<div class="flex items-center gap-4 flex-wrap">
-		<PageHeader icon={TerminalIcon} title="Shell" />
-		<div class="relative flex-1 max-w-md min-w-[200px]">
-			<!-- Search input - always visible, shows selected container or placeholder -->
-			<div class="relative">
-				<Search class="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-muted-foreground" />
-				<Input
-					type="text"
-					placeholder={selectedContainer ? selectedContainer.name : "Search running containers..."}
-					bind:value={searchQuery}
-					onfocus={handleInputFocus}
-					onblur={handleInputBlur}
-					onkeydown={handleInputKeydown}
-					class="pl-10 pr-10 h-9 {selectedContainer && !searchQuery ? 'text-foreground' : ''}"
-				/>
-				<ChevronDown class="absolute right-3 top-1/2 -translate-y-1/2 w-4 h-4 text-muted-foreground" />
-			</div>
-
-			<!-- Dropdown -->
-			{#if dropdownOpen}
-				<div class="absolute top-full left-0 right-0 mt-1 border rounded-md bg-popover shadow-lg z-50 max-h-64 overflow-auto">
-					{#if filteredContainers().length === 0}
-						<div class="px-3 py-2 text-sm text-muted-foreground">
-							{containers.length === 0 ? 'No running containers' : 'No matches found'}
-						</div>
-					{:else}
-						{#each filteredContainers() as container}
-							<button
-								type="button"
-								onclick={() => selectContainer(container)}
-								class="w-full px-3 py-2 text-left text-sm hover:bg-muted transition-colors flex items-center gap-2 {selectedContainer?.id === container.id ? 'bg-muted' : ''}"
-							>
-								<span class="font-medium truncate">{container.name}</span>
-								<span class="text-muted-foreground text-xs truncate">({container.image})</span>
-								{#if selectedContainer?.id === container.id}
-									<span class="ml-auto text-xs text-primary">connected</span>
-								{/if}
-							</button>
-						{/each}
-					{/if}
-				</div>
-			{/if}
-		</div>
-
-		{#if selectedContainer}
-			<Button size="sm" variant="ghost" onclick={clearSelection} class="h-9 px-3 text-sm text-muted-foreground hover:text-foreground">
-				<Unplug class="w-4 h-4 mr-1.5" />
-				Disconnect
-			</Button>
-		{/if}
-
-		{#if !selectedContainer}
-			<div class="flex items-center gap-2">
-				<Label class="text-sm text-muted-foreground">Shell:</Label>
-				<Select.Root type="single" bind:value={selectedShell}>
-					<Select.Trigger class="h-9 w-36">
-						<Shell class="w-4 h-4 mr-2 text-muted-foreground" />
-						<span>{shellOptions.find(o => o.value === selectedShell)?.label || 'Select'}</span>
-					</Select.Trigger>
-					<Select.Content>
-						{#each shellOptions as option}
-							<Select.Item value={option.value} label={option.label}>
-								<Shell class="w-4 h-4 mr-2 text-muted-foreground" />
-								{option.label}
-							</Select.Item>
-						{/each}
-					</Select.Content>
-				</Select.Root>
-			</div>
-			<div class="flex items-center gap-2">
-				<Label class="text-sm text-muted-foreground">User:</Label>
-				<Select.Root type="single" bind:value={selectedUser}>
-					<Select.Trigger class="h-9 w-40">
-						<User class="w-4 h-4 mr-2 text-muted-foreground" />
-						<span>{userOptions.find(o => o.value === selectedUser)?.label || 'Select'}</span>
-					</Select.Trigger>
-					<Select.Content>
-						{#each userOptions as option}
-							<Select.Item value={option.value} label={option.label}>
-								<User class="w-4 h-4 mr-2 text-muted-foreground" />
-								{option.label}
-							</Select.Item>
-						{/each}
-					</Select.Content>
-				</Select.Root>
-			</div>
-		{/if}
-	</div>
-
-	<!-- Shell output - full height -->
-	<div class="flex-1 min-h-0 border rounded-lg bg-zinc-950 overflow-hidden flex flex-col">
-		{#if !selectedContainer}
-			<div class="flex items-center justify-center h-full text-muted-foreground">
-				<div class="text-center">
-					<TerminalIcon class="w-12 h-12 mx-auto mb-3 opacity-50" />
-					<p>Select a container to open shell</p>
-				</div>
-			</div>
-		{:else}
-			<!-- Header bar inside black area -->
-			<div class="flex items-center justify-between px-3 py-1.5 border-b border-zinc-800 bg-zinc-900/50 shrink-0">
-				<div class="flex items-center gap-2">
-					{#if connected}
-						<span class="inline-flex items-center gap-1 text-xs text-green-500">
-							<span class="w-1.5 h-1.5 rounded-full bg-green-500 animate-pulse"></span>
-							Connected
-						</span>
-					{:else}
-						<span class="text-xs text-zinc-500">Disconnected</span>
-					{/if}
-				</div>
-				<div class="flex items-center gap-3">
-					<Select.Root type="single" value={String(terminalFontSize)} onValueChange={(v) => changeFontSize(Number(v))}>
-						<Select.Trigger class="!h-5 !py-0 w-14 bg-zinc-800 border-zinc-700 text-xs text-zinc-300 px-1.5 [&_svg]:size-3">
-							<span>{terminalFontSize}px</span>
-						</Select.Trigger>
-						<Select.Content>
-							{#each fontSizeOptions as size}
-								<Select.Item value={String(size)} label="{size}px" class="pe-2 [&>span:first-child]:hidden">{size}px</Select.Item>
-							{/each}
-						</Select.Content>
-					</Select.Root>
-					<button
-						onclick={() => terminalComponent?.copyOutput()}
-						class="p-1 rounded hover:bg-zinc-800 transition-colors"
-						title="Copy output"
-					>
-						<Copy class="w-3 h-3 text-zinc-500 hover:text-zinc-300" />
-					</button>
-					<button
-						onclick={() => terminalComponent?.clear()}
-						class="p-1 rounded hover:bg-zinc-800 transition-colors"
-						title="Clear (Cmd+L)"
-					>
-						<Trash2 class="w-3 h-3 text-zinc-500 hover:text-zinc-300" />
-					</button>
-					<button
-						onclick={() => terminalComponent?.reconnect()}
-						class="p-1 rounded hover:bg-zinc-800 transition-colors"
-						title="Reconnect"
-					>
-						<RefreshCw class="w-3 h-3 text-zinc-500 hover:text-zinc-300" />
-					</button>
-				</div>
-			</div>
-			<div class="flex-1 min-h-0 w-full">
-				{#key selectedContainer.id}
-					<Terminal
-						bind:this={terminalComponent}
-						containerId={selectedContainer.id}
-						containerName={selectedContainer.name}
-						shell={selectedShell}
-						user={selectedUser}
-						{envId}
-						fontSize={terminalFontSize}
-					/>
-				{/key}
-			</div>
-		{/if}
-	</div>
-</div>
-{/if}
-
-<style>
-	:global(.xterm) {
-		height: 100%;
-		padding: 8px;
-	}
-
-	:global(.xterm-viewport) {
-		overflow-y: auto !important;
-	}
-</style>
diff --git a/scripts/build-subprocesses.ts b/scripts/build-subprocesses.ts
new file mode 100644
index 0000000..35958e5
--- /dev/null
+++ b/scripts/build-subprocesses.ts
@@ -0,0 +1,31 @@
+/**
+ * Build subprocess scripts as standalone bundles for production.
+ *
+ * Subprocesses run via Bun.spawn and need all dependencies bundled
+ * since they can't access the SvelteKit build output's chunked modules.
+ */
+
+const subprocesses = ['metrics-subprocess', 'event-subprocess'];
+
+console.log('[build-subprocesses] Bundling subprocess scripts...');
+
+for (const name of subprocesses) {
+	const result = await Bun.build({
+		entrypoints: [`./src/lib/server/subprocesses/${name}.ts`],
+		outdir: './build/subprocesses',
+		target: 'bun',
+		minify: false
+	});
+
+	if (!result.success) {
+		console.error(`[build-subprocesses] Failed to bundle ${name}:`);
+		for (const log of result.logs) {
+			console.error(log);
+		}
+		process.exit(1);
+	}
+
+	console.log(`[build-subprocesses] Bundled ${name}.js`);
+}
+
+console.log('[build-subprocesses] Done');
diff --git a/scripts/emergency/backup-db.sh b/scripts/emergency/backup-db.sh
new file mode 100755
index 0000000..bde5e45
--- /dev/null
+++ b/scripts/emergency/backup-db.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Emergency script to backup the database
+# Automatically detects database type (SQLite or PostgreSQL)
+#
+# Usage:
+#   docker exec -it dockhand /app/scripts/emergency/backup-db.sh [output_dir]
+#
+# Example:
+#   docker exec -it dockhand /app/scripts/emergency/backup-db.sh /app/data/backups
+#
+
+SCRIPT_DIR="$(dirname "$0")"
+
+# Detect database type
+if [ -n "$DATABASE_URL" ] && (echo "$DATABASE_URL" | grep -qE '^postgres(ql)?://'); then
+    exec "$SCRIPT_DIR/postgres/backup-db.sh" "$@"
+else
+    exec "$SCRIPT_DIR/sqlite/backup-db.sh" "$@"
+fi
diff --git a/scripts/emergency/clear-sessions.sh b/scripts/emergency/clear-sessions.sh
new file mode 100755
index 0000000..efe7e21
--- /dev/null
+++ b/scripts/emergency/clear-sessions.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Emergency script to clear all user sessions
+# Automatically detects database type (SQLite or PostgreSQL)
+#
+# Usage:
+#   docker exec -it dockhand /app/scripts/emergency/clear-sessions.sh
+#
+
+SCRIPT_DIR="$(dirname "$0")"
+
+# Detect database type
+if [ -n "$DATABASE_URL" ] && (echo "$DATABASE_URL" | grep -qE '^postgres(ql)?://'); then
+    exec "$SCRIPT_DIR/postgres/clear-sessions.sh" "$@"
+else
+    exec "$SCRIPT_DIR/sqlite/clear-sessions.sh" "$@"
+fi
diff --git a/scripts/emergency/create-admin.sh b/scripts/emergency/create-admin.sh
new file mode 100755
index 0000000..35b94fc
--- /dev/null
+++ b/scripts/emergency/create-admin.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Emergency script to create an admin user
+# Automatically detects database type (SQLite or PostgreSQL)
+#
+# Usage:
+#   docker exec -it dockhand /app/scripts/emergency/create-admin.sh
+#
+# Default credentials: admin / admin123
+# CHANGE THE PASSWORD IMMEDIATELY after logging in!
+#
+
+SCRIPT_DIR="$(dirname "$0")"
+
+# Detect database type
+if [ -n "$DATABASE_URL" ] && (echo "$DATABASE_URL" | grep -qE '^postgres(ql)?://'); then
+    exec "$SCRIPT_DIR/postgres/create-admin.sh" "$@"
+else
+    exec "$SCRIPT_DIR/sqlite/create-admin.sh" "$@"
+fi
diff --git a/scripts/emergency/disable-auth.sh b/scripts/emergency/disable-auth.sh
new file mode 100755
index 0000000..c9d25a2
--- /dev/null
+++ b/scripts/emergency/disable-auth.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Emergency script to disable authentication
+# Automatically detects database type (SQLite or PostgreSQL)
+#
+# Usage:
+#   docker exec -it dockhand /app/scripts/emergency/disable-auth.sh
+#
+
+SCRIPT_DIR="$(dirname "$0")"
+
+# Detect database type
+if [ -n "$DATABASE_URL" ] && (echo "$DATABASE_URL" | grep -qE '^postgres(ql)?://'); then
+    exec "$SCRIPT_DIR/postgres/disable-auth.sh" "$@"
+else
+    exec "$SCRIPT_DIR/sqlite/disable-auth.sh" "$@"
+fi
diff --git a/scripts/emergency/export-stacks.sh b/scripts/emergency/export-stacks.sh
new file mode 100755
index 0000000..04c3095
--- /dev/null
+++ b/scripts/emergency/export-stacks.sh
@@ -0,0 +1,94 @@
+#!/bin/sh
+#
+# Emergency script to export all compose stacks
+# Exports docker-compose.yml files from the stacks directory
+#
+# Usage:
+#   docker exec -it dockhand /app/scripts/export-stacks.sh [output_dir]
+#
+# Example:
+#   docker exec -it dockhand /app/scripts/export-stacks.sh /tmp/stacks-backup
+#
+# Default output: /app/data/stacks-export
+#
+
+set -e
+
+echo "========================================"
+echo "  Dockhand - Export Compose Stacks"
+echo "========================================"
+echo ""
+
+# Default paths
+STACKS_DIR="${DOCKHAND_STACKS:-/home/dockhand/.dockhand/stacks}"
+OUTPUT_DIR="${1:-/app/data/stacks-export}"
+
+# Check if running locally (not in Docker)
+if [ ! -d "$STACKS_DIR" ] && [ -d "$HOME/.dockhand/stacks" ]; then
+    STACKS_DIR="$HOME/.dockhand/stacks"
+fi
+
+if [ ! -d "$STACKS_DIR" ]; then
+    echo "Error: Stacks directory not found at $STACKS_DIR"
+    exit 1
+fi
+
+# Count stacks
+STACK_COUNT=$(find "$STACKS_DIR" -maxdepth 1 -type d ! -path "$STACKS_DIR" 2>/dev/null | wc -l | tr -d ' ')
+
+echo "This script will export all compose stacks."
+echo ""
+echo "Stacks directory: $STACKS_DIR"
+echo "Output directory: $OUTPUT_DIR"
+echo "Stacks found: $STACK_COUNT"
+echo ""
+
+if [ "$STACK_COUNT" -eq "0" ]; then
+    echo "No stacks found to export."
+    exit 0
+fi
+
+printf "Continue? [y/N]: "
+read CONFIRM
+
+case "$CONFIRM" in
+    [yY]|[yY][eE][sS])
+        ;;
+    *)
+        echo "Aborted."
+        exit 0
+        ;;
+esac
+
+echo ""
+
+# Create output directory
+mkdir -p "$OUTPUT_DIR"
+
+echo "Exporting stacks..."
+echo ""
+
+# Export each stack
+find "$STACKS_DIR" -maxdepth 1 -type d ! -path "$STACKS_DIR" | while read stack_dir; do
+    STACK_NAME=$(basename "$stack_dir")
+    COMPOSE_FILE="$stack_dir/docker-compose.yml"
+
+    if [ -f "$COMPOSE_FILE" ]; then
+        mkdir -p "$OUTPUT_DIR/$STACK_NAME"
+        cp "$COMPOSE_FILE" "$OUTPUT_DIR/$STACK_NAME/"
+
+        # Also copy .env file if exists
+        if [ -f "$stack_dir/.env" ]; then
+            cp "$stack_dir/.env" "$OUTPUT_DIR/$STACK_NAME/"
+        fi
+
+        echo "  Exported: $STACK_NAME"
+    fi
+done
+
+echo ""
+echo "Export complete!"
+echo "Stacks exported to: $OUTPUT_DIR"
+echo ""
+echo "To copy from Docker container to host:"
+echo "  docker cp dockhand:$OUTPUT_DIR ./stacks-backup"
diff --git a/scripts/emergency/list-users.sh b/scripts/emergency/list-users.sh
new file mode 100755
index 0000000..b68e901
--- /dev/null
+++ b/scripts/emergency/list-users.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Emergency script to list all users
+# Automatically detects database type (SQLite or PostgreSQL)
+#
+# Usage:
+#   docker exec -it dockhand /app/scripts/emergency/list-users.sh
+#
+
+SCRIPT_DIR="$(dirname "$0")"
+
+# Detect database type
+if [ -n "$DATABASE_URL" ] && (echo "$DATABASE_URL" | grep -qE '^postgres(ql)?://'); then
+    exec "$SCRIPT_DIR/postgres/list-users.sh" "$@"
+else
+    exec "$SCRIPT_DIR/sqlite/list-users.sh" "$@"
+fi
diff --git a/scripts/emergency/postgres/backup-db.sh b/scripts/emergency/postgres/backup-db.sh
new file mode 100755
index 0000000..ccc490f
--- /dev/null
+++ b/scripts/emergency/postgres/backup-db.sh
@@ -0,0 +1,101 @@
+#!/bin/sh
+#
+# PostgreSQL: Emergency script to backup the database
+# Creates a timestamped dump of the database
+#
+# Usage:
+#   docker exec -it dockhand /app/scripts/emergency/postgres/backup-db.sh [output_dir]
+#
+# Example:
+#   docker exec -it dockhand /app/scripts/emergency/postgres/backup-db.sh /app/data/backups
+#
+# Default output: /app/data
+#
+# Requires: DATABASE_URL environment variable
+#
+
+set -e
+
+echo "========================================"
+echo "  Dockhand - Backup Database (PostgreSQL)"
+echo "========================================"
+echo ""
+
+# Check DATABASE_URL
+if [ -z "$DATABASE_URL" ]; then
+    echo "Error: DATABASE_URL environment variable not set"
+    echo ""
+    echo "Example: DATABASE_URL=postgres://user:pass@host:5432/dockhand"
+    exit 1
+fi
+
+OUTPUT_DIR="${1:-/app/data}"
+
+# Parse DATABASE_URL
+# Format: postgres://user:password@host:port/database
+DB_URL="$DATABASE_URL"
+DB_URL="${DB_URL#postgres://}"
+DB_URL="${DB_URL#postgresql://}"
+
+# Extract credentials
+DB_USER="${DB_URL%%:*}"
+DB_URL="${DB_URL#*:}"
+DB_PASS="${DB_URL%%@*}"
+DB_URL="${DB_URL#*@}"
+DB_HOST="${DB_URL%%:*}"
+DB_URL="${DB_URL#*:}"
+DB_PORT="${DB_URL%%/*}"
+DB_NAME="${DB_URL#*/}"
+DB_NAME="${DB_NAME%%\?*}"
+
+# Generate backup filename with timestamp
+TIMESTAMP=$(date +%Y%m%d_%H%M%S)
+BACKUP_FILE="$OUTPUT_DIR/dockhand_backup_$TIMESTAMP.sql"
+
+echo "This script will create a backup of the database."
+echo ""
+echo "Host: $DB_HOST:$DB_PORT"
+echo "Database: $DB_NAME"
+echo "Backup: $BACKUP_FILE"
+echo ""
+printf "Continue? [y/N]: "
+read CONFIRM
+
+case "$CONFIRM" in
+    [yY]|[yY][eE][sS])
+        ;;
+    *)
+        echo "Aborted."
+        exit 0
+        ;;
+esac
+
+echo ""
+
+# Create output directory if needed
+mkdir -p "$OUTPUT_DIR"
+
+echo "Creating database backup..."
+
+# Use pg_dump to create backup
+export PGPASSWORD="$DB_PASS"
+if command -v pg_dump >/dev/null 2>&1; then
+    pg_dump -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -F p -f "$BACKUP_FILE"
+else
+    echo "Error: pg_dump not found"
+    echo "Install PostgreSQL client tools to use this script"
+    exit 1
+fi
+
+if [ $? -eq 0 ] && [ -f "$BACKUP_FILE" ]; then
+    SIZE=$(ls -lh "$BACKUP_FILE" | awk '{print $5}')
+    echo ""
+    echo "Backup created successfully!"
+    echo "Size: $SIZE"
+    echo ""
+    echo "To copy from Docker container to host:"
+    echo "  docker cp dockhand:$BACKUP_FILE ./dockhand_backup_$TIMESTAMP.sql"
+else
+    echo "Error: Failed to create backup"
+    exit 1
+fi
diff --git a/scripts/emergency/postgres/clear-sessions.sh b/scripts/emergency/postgres/clear-sessions.sh
new file mode 100755
index 0000000..3621bc4
--- /dev/null
+++ b/scripts/emergency/postgres/clear-sessions.sh
@@ -0,0 +1,75 @@
+#!/bin/sh
+#
+# PostgreSQL: Emergency script to clear all user sessions
+# Use this to force all users to re-login
+#
+# Usage:
+#   docker exec -it dockhand /app/scripts/emergency/postgres/clear-sessions.sh
+#
+# Requires: DATABASE_URL environment variable
+#
+
+set -e
+
+echo "========================================"
+echo "  Dockhand - Clear All Sessions (PostgreSQL)"
+echo "========================================"
+echo ""
+echo "This script will clear all user sessions,"
+echo "forcing all users to log in again."
+echo ""
+
+# Check DATABASE_URL
+if [ -z "$DATABASE_URL" ]; then
+    echo "Error: DATABASE_URL environment variable not set"
+    echo ""
+    echo "Example: DATABASE_URL=postgres://user:pass@host:5432/dockhand"
+    exit 1
+fi
+
+# Parse DATABASE_URL
+DB_URL="$DATABASE_URL"
+DB_URL="${DB_URL#postgres://}"
+DB_URL="${DB_URL#postgresql://}"
+
+DB_USER="${DB_URL%%:*}"
+DB_URL="${DB_URL#*:}"
+DB_PASS="${DB_URL%%@*}"
+DB_URL="${DB_URL#*@}"
+DB_HOST="${DB_URL%%:*}"
+DB_URL="${DB_URL#*:}"
+DB_PORT="${DB_URL%%/*}"
+DB_NAME="${DB_URL#*/}"
+DB_NAME="${DB_NAME%%\?*}"
+
+export PGPASSWORD="$DB_PASS"
+
+COUNT=$(psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -t -c "SELECT COUNT(*) FROM sessions;" 2>/dev/null | tr -d ' ')
+
+echo "Database: $DB_HOST:$DB_PORT/$DB_NAME"
+echo "Active sessions: $COUNT"
+echo ""
+printf "Continue? [y/N]: "
+read CONFIRM
+
+case "$CONFIRM" in
+    [yY]|[yY][eE][sS])
+        ;;
+    *)
+        echo "Aborted."
+        exit 0
+        ;;
+esac
+
+echo ""
+echo "Clearing all user sessions..."
+psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -c "DELETE FROM sessions;"
+
+if [ $? -eq 0 ]; then
+    echo ""
+    echo "Cleared $COUNT session(s) successfully."
+    echo "All users will need to log in again."
+else
+    echo "Error: Failed to clear sessions"
+    exit 1
+fi
diff --git a/scripts/emergency/postgres/create-admin.sh b/scripts/emergency/postgres/create-admin.sh
new file mode 100755
index 0000000..528a534
--- /dev/null
+++ b/scripts/emergency/postgres/create-admin.sh
@@ -0,0 +1,117 @@
+#!/bin/sh
+#
+# PostgreSQL: Emergency script to create an admin user
+# Use this if you're locked out of Dockhand and need to create a new admin
+#
+# Usage:
+#   docker exec -it dockhand /app/scripts/emergency/postgres/create-admin.sh
+#
+# Default credentials: admin / admin123
+# CHANGE THE PASSWORD IMMEDIATELY after logging in!
+#
+# Requires: DATABASE_URL environment variable
+#
+
+set -e
+
+echo "========================================"
+echo "  Dockhand - Create Admin User (PostgreSQL)"
+echo "========================================"
+echo ""
+echo "This script will create an admin user with:"
+echo "  Username: admin"
+echo "  Password: admin123"
+echo ""
+echo "If user 'admin' already exists, password will"
+echo "be reset and admin privileges restored."
+echo ""
+
+# Check DATABASE_URL
+if [ -z "$DATABASE_URL" ]; then
+    echo "Error: DATABASE_URL environment variable not set"
+    echo ""
+    echo "Example: DATABASE_URL=postgres://user:pass@host:5432/dockhand"
+    exit 1
+fi
+
+# Parse DATABASE_URL
+DB_URL="$DATABASE_URL"
+DB_URL="${DB_URL#postgres://}"
+DB_URL="${DB_URL#postgresql://}"
+
+DB_USER="${DB_URL%%:*}"
+DB_URL="${DB_URL#*:}"
+DB_PASS="${DB_URL%%@*}"
+DB_URL="${DB_URL#*@}"
+DB_HOST="${DB_URL%%:*}"
+DB_URL="${DB_URL#*:}"
+DB_PORT="${DB_URL%%/*}"
+DB_NAME="${DB_URL#*/}"
+DB_NAME="${DB_NAME%%\?*}"
+
+export PGPASSWORD="$DB_PASS"
+
+echo "Database: $DB_HOST:$DB_PORT/$DB_NAME"
+echo ""
+printf "Continue? [y/N]: "
+read CONFIRM
+
+case "$CONFIRM" in
+    [yY]|[yY][eE][sS])
+        ;;
+    *)
+        echo "Aborted."
+        exit 0
+        ;;
+esac
+
+# Username and password
+USERNAME="admin"
+# Password: admin123
+# This is an argon2id hash of "admin123" - generated with default argon2 settings
+PASSWORD_HASH='$argon2id$v=19$m=65536,t=3,p=4$Jq4am2SfyYKmc0PAHe+yzg$cq/27vK/Qg2eZb/jMDy0ExLDhOG+58cKAximxpG5Dss'
+
+echo ""
+echo "Creating admin user..."
+
+# Check if admin user already exists
+EXISTING=$(psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -t -c "SELECT COUNT(*) FROM users WHERE username='$USERNAME';" 2>/dev/null | tr -d ' ')
+
+if [ "$EXISTING" -gt "0" ]; then
+    echo "User '$USERNAME' already exists."
+    echo "Resetting password and ensuring active status..."
+    psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -c "UPDATE users SET password_hash='$PASSWORD_HASH', is_active=true WHERE username='$USERNAME';"
+    USER_ID=$(psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -t -c "SELECT id FROM users WHERE username='$USERNAME';" 2>/dev/null | tr -d ' ')
+else
+    echo "Creating new admin user..."
+    psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -c "INSERT INTO users (username, password_hash, is_active, auth_provider, created_at, updated_at) VALUES ('$USERNAME', '$PASSWORD_HASH', true, 'local', NOW(), NOW());"
+    USER_ID=$(psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -t -c "SELECT id FROM users WHERE username='$USERNAME';" 2>/dev/null | tr -d ' ')
+    echo "Admin user created successfully."
+fi
+
+# Get the Admin role ID (it's a system role)
+ADMIN_ROLE_ID=$(psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -t -c "SELECT id FROM roles WHERE name='Admin';" 2>/dev/null | tr -d ' ')
+
+if [ -z "$ADMIN_ROLE_ID" ]; then
+    echo "Warning: Admin role not found in database."
+    echo "The user was created but may not have admin privileges."
+    echo "Please check Settings > Auth > Roles after logging in."
+else
+    # Check if user already has Admin role
+    HAS_ROLE=$(psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -t -c "SELECT COUNT(*) FROM user_roles WHERE user_id=$USER_ID AND role_id=$ADMIN_ROLE_ID;" 2>/dev/null | tr -d ' ')
+
+    if [ "$HAS_ROLE" -eq "0" ]; then
+        echo "Assigning Admin role..."
+        psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -c "INSERT INTO user_roles (user_id, role_id, created_at) VALUES ($USER_ID, $ADMIN_ROLE_ID, NOW());"
+        echo "Admin role assigned."
+    else
+        echo "User already has Admin role."
+    fi
+fi
+
+echo ""
+echo "Credentials:"
+echo "  Username: admin"
+echo "  Password: admin123"
+echo ""
+echo "WARNING: Change the password immediately after logging in!"
diff --git a/scripts/emergency/postgres/disable-auth.sh b/scripts/emergency/postgres/disable-auth.sh
new file mode 100755
index 0000000..bf3f562
--- /dev/null
+++ b/scripts/emergency/postgres/disable-auth.sh
@@ -0,0 +1,74 @@
+#!/bin/sh
+#
+# PostgreSQL: Emergency script to disable authentication
+# Use this if you're locked out of Dockhand
+#
+# Usage:
+#   docker exec -it dockhand /app/scripts/emergency/postgres/disable-auth.sh
+#
+# Requires: DATABASE_URL environment variable
+#
+
+set -e
+
+echo "========================================"
+echo "  Dockhand - Disable Authentication (PostgreSQL)"
+echo "========================================"
+echo ""
+echo "This script will disable authentication,"
+echo "allowing access to Dockhand without login."
+echo ""
+
+# Check DATABASE_URL
+if [ -z "$DATABASE_URL" ]; then
+    echo "Error: DATABASE_URL environment variable not set"
+    echo ""
+    echo "Example: DATABASE_URL=postgres://user:pass@host:5432/dockhand"
+    exit 1
+fi
+
+# Parse DATABASE_URL
+DB_URL="$DATABASE_URL"
+DB_URL="${DB_URL#postgres://}"
+DB_URL="${DB_URL#postgresql://}"
+
+DB_USER="${DB_URL%%:*}"
+DB_URL="${DB_URL#*:}"
+DB_PASS="${DB_URL%%@*}"
+DB_URL="${DB_URL#*@}"
+DB_HOST="${DB_URL%%:*}"
+DB_URL="${DB_URL#*:}"
+DB_PORT="${DB_URL%%/*}"
+DB_NAME="${DB_URL#*/}"
+DB_NAME="${DB_NAME%%\?*}"
+
+export PGPASSWORD="$DB_PASS"
+
+echo "Database: $DB_HOST:$DB_PORT/$DB_NAME"
+echo ""
+printf "Continue? [y/N]: "
+read CONFIRM
+
+case "$CONFIRM" in
+    [yY]|[yY][eE][sS])
+        ;;
+    *)
+        echo "Aborted."
+        exit 0
+        ;;
+esac
+
+echo ""
+echo "Disabling authentication..."
+psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -c "UPDATE auth_settings SET auth_enabled = false WHERE id = 1;"
+
+if [ $? -eq 0 ]; then
+    echo ""
+    echo "Authentication disabled successfully."
+    echo "You can now access Dockhand without logging in."
+    echo ""
+    echo "Remember to re-enable authentication in Settings after regaining access."
+else
+    echo "Error: Failed to disable authentication"
+    exit 1
+fi
diff --git a/scripts/emergency/postgres/list-users.sh b/scripts/emergency/postgres/list-users.sh
new file mode 100755
index 0000000..9ec1d1f
--- /dev/null
+++ b/scripts/emergency/postgres/list-users.sh
@@ -0,0 +1,94 @@
+#!/bin/sh
+#
+# PostgreSQL: Emergency script to list all users
+# Shows username, admin status, active status, and last login
+#
+# Usage:
+#   docker exec -it dockhand /app/scripts/emergency/postgres/list-users.sh
+#
+# Requires: DATABASE_URL environment variable
+#
+
+set -e
+
+echo "========================================"
+echo "  Dockhand - List Users (PostgreSQL)"
+echo "========================================"
+echo ""
+
+# Check DATABASE_URL
+if [ -z "$DATABASE_URL" ]; then
+    echo "Error: DATABASE_URL environment variable not set"
+    echo ""
+    echo "Example: DATABASE_URL=postgres://user:pass@host:5432/dockhand"
+    exit 1
+fi
+
+# Parse DATABASE_URL
+DB_URL="$DATABASE_URL"
+DB_URL="${DB_URL#postgres://}"
+DB_URL="${DB_URL#postgresql://}"
+
+DB_USER="${DB_URL%%:*}"
+DB_URL="${DB_URL#*:}"
+DB_PASS="${DB_URL%%@*}"
+DB_URL="${DB_URL#*@}"
+DB_HOST="${DB_URL%%:*}"
+DB_URL="${DB_URL#*:}"
+DB_PORT="${DB_URL%%/*}"
+DB_NAME="${DB_URL#*/}"
+DB_NAME="${DB_NAME%%\?*}"
+
+export PGPASSWORD="$DB_PASS"
+
+# Get user count
+USER_COUNT=$(psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -t -c "SELECT COUNT(*) FROM users;" 2>/dev/null | tr -d ' ')
+
+if [ "$USER_COUNT" -eq "0" ]; then
+    echo "No users found."
+    exit 0
+fi
+
+# Get Admin role ID for checking admin status
+ADMIN_ROLE_ID=$(psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -t -c "SELECT id FROM roles WHERE name='Admin';" 2>/dev/null | tr -d ' ')
+
+# Print header
+printf "%-4s %-20s %-8s %-8s %-6s %s\n" "ID" "Username" "Admin" "Active" "MFA" "Last Login"
+printf "%-4s %-20s %-8s %-8s %-6s %s\n" "----" "--------------------" "--------" "--------" "------" "-------------------"
+
+# List users (check admin status via user_roles table)
+psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -t -A -F '|' -c "SELECT id, username, is_active, mfa_enabled, COALESCE(last_login::text, 'Never') FROM users ORDER BY id;" 2>/dev/null | while IFS='|' read id username is_active mfa_enabled last_login; do
+    # Check if user has Admin role
+    if [ -n "$ADMIN_ROLE_ID" ]; then
+        HAS_ADMIN=$(psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -t -c "SELECT COUNT(*) FROM user_roles WHERE user_id=$id AND role_id=$ADMIN_ROLE_ID;" 2>/dev/null | tr -d ' ')
+        if [ "$HAS_ADMIN" -gt "0" ]; then
+            admin_str="Yes"
+        else
+            admin_str="No"
+        fi
+    else
+        admin_str="N/A"
+    fi
+
+    # Convert boolean values (PostgreSQL returns t/f)
+    if [ "$is_active" = "t" ]; then
+        active_str="Yes"
+    else
+        active_str="No"
+    fi
+
+    if [ "$mfa_enabled" = "t" ]; then
+        mfa_str="Yes"
+    else
+        mfa_str="No"
+    fi
+
+    printf "%-4s %-20s %-8s %-8s %-6s %s\n" "$id" "$username" "$admin_str" "$active_str" "$mfa_str" "$last_login"
+done
+
+echo ""
+echo "Total: $USER_COUNT user(s)"
+
+# Show session count
+SESSION_COUNT=$(psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -t -c "SELECT COUNT(*) FROM sessions;" 2>/dev/null | tr -d ' ')
+echo "Active sessions: $SESSION_COUNT"
diff --git a/scripts/emergency/postgres/reset-db.sh b/scripts/emergency/postgres/reset-db.sh
new file mode 100755
index 0000000..7fd8d98
--- /dev/null
+++ b/scripts/emergency/postgres/reset-db.sh
@@ -0,0 +1,118 @@
+#!/bin/sh
+#
+# PostgreSQL: Emergency script to factory reset the database
+# WARNING: This will DELETE ALL DATA including users, settings, and activity logs!
+#
+# Usage:
+#   docker exec -it dockhand /app/scripts/emergency/postgres/reset-db.sh
+#
+# Requires: DATABASE_URL environment variable
+#
+
+set -e
+
+echo "========================================"
+echo "  Dockhand - Factory Reset Database (PostgreSQL)"
+echo "========================================"
+echo ""
+echo "WARNING: This will DELETE ALL DATA!"
+echo ""
+echo "This includes:"
+echo "  - All users and their settings"
+echo "  - All sessions"
+echo "  - Authentication settings"
+echo "  - Activity logs"
+echo "  - Environment configurations"
+echo "  - OIDC/SSO settings"
+echo ""
+echo "The database tables will be truncated."
+echo ""
+
+# Check DATABASE_URL
+if [ -z "$DATABASE_URL" ]; then
+    echo "Error: DATABASE_URL environment variable not set"
+    echo ""
+    echo "Example: DATABASE_URL=postgres://user:pass@host:5432/dockhand"
+    exit 1
+fi
+
+# Parse DATABASE_URL
+DB_URL="$DATABASE_URL"
+DB_URL="${DB_URL#postgres://}"
+DB_URL="${DB_URL#postgresql://}"
+
+DB_USER="${DB_URL%%:*}"
+DB_URL="${DB_URL#*:}"
+DB_PASS="${DB_URL%%@*}"
+DB_URL="${DB_URL#*@}"
+DB_HOST="${DB_URL%%:*}"
+DB_URL="${DB_URL#*:}"
+DB_PORT="${DB_URL%%/*}"
+DB_NAME="${DB_URL#*/}"
+DB_NAME="${DB_NAME%%\?*}"
+
+export PGPASSWORD="$DB_PASS"
+
+echo "Database: $DB_HOST:$DB_PORT/$DB_NAME"
+echo ""
+printf "Continue? [y/N]: "
+read CONFIRM
+
+case "$CONFIRM" in
+    [yY]|[yY][eE][sS])
+        ;;
+    *)
+        echo "Aborted."
+        exit 0
+        ;;
+esac
+
+echo ""
+echo "Creating backup before reset..."
+TIMESTAMP=$(date +%Y%m%d_%H%M%S)
+BACKUP_FILE="/app/data/dockhand_backup_pre_reset_$TIMESTAMP.sql"
+if command -v pg_dump >/dev/null 2>&1; then
+    pg_dump -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -F p -f "$BACKUP_FILE" 2>/dev/null || true
+    if [ -f "$BACKUP_FILE" ]; then
+        echo "Backup saved to: $BACKUP_FILE"
+    fi
+fi
+
+echo ""
+echo "Truncating all tables..."
+
+# Truncate all tables in the correct order (respecting foreign keys)
+psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" <<EOF
+TRUNCATE TABLE
+    sessions,
+    user_roles,
+    dashboard_preferences,
+    audit_logs,
+    container_events,
+    vulnerability_scans,
+    stack_sources,
+    git_stacks,
+    git_repositories,
+    git_credentials,
+    host_metrics,
+    stack_events,
+    environment_notifications,
+    auto_update_settings,
+    users,
+    roles,
+    oidc_config,
+    ldap_config,
+    auth_settings,
+    notification_settings,
+    config_sets,
+    registries,
+    environments,
+    settings
+CASCADE;
+EOF
+
+echo ""
+echo "Database reset successfully."
+echo ""
+echo "Restart Dockhand to recreate default data:"
+echo "  docker restart dockhand"
diff --git a/scripts/emergency/postgres/reset-password.sh b/scripts/emergency/postgres/reset-password.sh
new file mode 100755
index 0000000..baa4f5f
--- /dev/null
+++ b/scripts/emergency/postgres/reset-password.sh
@@ -0,0 +1,139 @@
+#!/bin/sh
+#
+# PostgreSQL: Emergency script to reset a user's password
+# Use this if a user is locked out and needs a password reset
+#
+# Usage:
+#   docker exec -it dockhand /app/scripts/emergency/postgres/reset-password.sh <username> <new_password>
+#
+# Example:
+#   docker exec -it dockhand /app/scripts/emergency/postgres/reset-password.sh admin MyNewPassword123
+#
+# Requires: DATABASE_URL environment variable
+#
+
+set -e
+
+echo "========================================"
+echo "  Dockhand - Reset User Password (PostgreSQL)"
+echo "========================================"
+echo ""
+
+# Check arguments
+if [ -z "$1" ] || [ -z "$2" ]; then
+    echo "Usage: $0 <username> <new_password>"
+    echo ""
+    echo "Example:"
+    echo "  $0 admin MyNewPassword123"
+    exit 1
+fi
+
+USERNAME="$1"
+NEW_PASSWORD="$2"
+
+# Validate password length
+if [ ${#NEW_PASSWORD} -lt 8 ]; then
+    echo "Error: Password must be at least 8 characters"
+    exit 1
+fi
+
+# Check DATABASE_URL
+if [ -z "$DATABASE_URL" ]; then
+    echo "Error: DATABASE_URL environment variable not set"
+    echo ""
+    echo "Example: DATABASE_URL=postgres://user:pass@host:5432/dockhand"
+    exit 1
+fi
+
+# Parse DATABASE_URL
+DB_URL="$DATABASE_URL"
+DB_URL="${DB_URL#postgres://}"
+DB_URL="${DB_URL#postgresql://}"
+
+DB_USER="${DB_URL%%:*}"
+DB_URL="${DB_URL#*:}"
+DB_PASS="${DB_URL%%@*}"
+DB_URL="${DB_URL#*@}"
+DB_HOST="${DB_URL%%:*}"
+DB_URL="${DB_URL#*:}"
+DB_PORT="${DB_URL%%/*}"
+DB_NAME="${DB_URL#*/}"
+DB_NAME="${DB_NAME%%\?*}"
+
+export PGPASSWORD="$DB_PASS"
+
+# Check if user exists
+EXISTING=$(psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -t -c "SELECT COUNT(*) FROM users WHERE username='$USERNAME';" 2>/dev/null | tr -d ' ')
+
+if [ "$EXISTING" -eq "0" ]; then
+    echo "Error: User '$USERNAME' not found"
+    echo ""
+    echo "Available users:"
+    psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -t -c "SELECT username FROM users;" 2>/dev/null | while read user; do
+        user=$(echo "$user" | tr -d ' ')
+        if [ -n "$user" ]; then
+            echo "  - $user"
+        fi
+    done
+    exit 1
+fi
+
+echo "This script will reset the password for user '$USERNAME'."
+echo ""
+echo "Database: $DB_HOST:$DB_PORT/$DB_NAME"
+echo "Username: $USERNAME"
+echo ""
+printf "Continue? [y/N]: "
+read CONFIRM
+
+case "$CONFIRM" in
+    [yY]|[yY][eE][sS])
+        ;;
+    *)
+        echo "Aborted."
+        exit 0
+        ;;
+esac
+
+# Generate password hash using node (argon2 is available in the app)
+echo ""
+echo "Generating password hash..."
+
+# Check if node and argon2 are available
+if command -v node >/dev/null 2>&1; then
+    # Try to use argon2 from node_modules
+    PASSWORD_HASH=$(node -e "
+        try {
+            const argon2 = require('argon2');
+            argon2.hash('$NEW_PASSWORD').then(h => console.log(h)).catch(e => process.exit(1));
+        } catch(e) {
+            process.exit(1);
+        }
+    " 2>/dev/null)
+
+    if [ -z "$PASSWORD_HASH" ]; then
+        echo "Error: Could not generate password hash (argon2 not available)"
+        echo "This script requires Node.js with argon2 module"
+        exit 1
+    fi
+else
+    echo "Error: Node.js is required to generate password hash"
+    exit 1
+fi
+
+echo "Resetting password for user '$USERNAME'..."
+psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -c "UPDATE users SET password_hash='$PASSWORD_HASH', updated_at=NOW() WHERE username='$USERNAME';"
+
+if [ $? -eq 0 ]; then
+    echo ""
+    echo "Password reset successfully for user '$USERNAME'"
+    echo ""
+    # Invalidate sessions
+    USER_ID=$(psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -t -c "SELECT id FROM users WHERE username='$USERNAME';" 2>/dev/null | tr -d ' ')
+    psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -c "DELETE FROM sessions WHERE user_id=$USER_ID;" 2>/dev/null || true
+    echo "All existing sessions have been invalidated."
+    echo "The user can now log in with the new password."
+else
+    echo "Error: Failed to reset password"
+    exit 1
+fi
diff --git a/scripts/emergency/postgres/restore-db.sh b/scripts/emergency/postgres/restore-db.sh
new file mode 100755
index 0000000..8676a8f
--- /dev/null
+++ b/scripts/emergency/postgres/restore-db.sh
@@ -0,0 +1,117 @@
+#!/bin/sh
+#
+# PostgreSQL: Emergency script to restore the database from a backup
+# WARNING: This will overwrite the current database!
+#
+# Usage:
+#   docker exec -it dockhand /app/scripts/emergency/postgres/restore-db.sh <backup_file>
+#
+# Example:
+#   docker exec -it dockhand /app/scripts/emergency/postgres/restore-db.sh /app/data/dockhand_backup_20240115_120000.sql
+#
+# To copy backup into container first:
+#   docker cp ./dockhand_backup.sql dockhand:/app/data/
+#
+# Requires: DATABASE_URL environment variable
+#
+
+set -e
+
+echo "========================================"
+echo "  Dockhand - Restore Database (PostgreSQL)"
+echo "========================================"
+echo ""
+
+# Check argument
+if [ -z "$1" ]; then
+    echo "Usage: $0 <backup_file>"
+    echo ""
+    echo "Example:"
+    echo "  $0 /app/data/dockhand_backup_20240115_120000.sql"
+    echo ""
+    echo "To copy backup into container first:"
+    echo "  docker cp ./dockhand_backup.sql dockhand:/app/data/"
+    exit 1
+fi
+
+BACKUP_FILE="$1"
+
+# Check DATABASE_URL
+if [ -z "$DATABASE_URL" ]; then
+    echo "Error: DATABASE_URL environment variable not set"
+    echo ""
+    echo "Example: DATABASE_URL=postgres://user:pass@host:5432/dockhand"
+    exit 1
+fi
+
+# Parse DATABASE_URL
+DB_URL="$DATABASE_URL"
+DB_URL="${DB_URL#postgres://}"
+DB_URL="${DB_URL#postgresql://}"
+
+DB_USER="${DB_URL%%:*}"
+DB_URL="${DB_URL#*:}"
+DB_PASS="${DB_URL%%@*}"
+DB_URL="${DB_URL#*@}"
+DB_HOST="${DB_URL%%:*}"
+DB_URL="${DB_URL#*:}"
+DB_PORT="${DB_URL%%/*}"
+DB_NAME="${DB_URL#*/}"
+DB_NAME="${DB_NAME%%\?*}"
+
+export PGPASSWORD="$DB_PASS"
+
+# Check if backup file exists
+if [ ! -f "$BACKUP_FILE" ]; then
+    echo "Error: Backup file not found: $BACKUP_FILE"
+    exit 1
+fi
+
+# Get backup file size
+BACKUP_SIZE=$(ls -lh "$BACKUP_FILE" | awk '{print $5}')
+
+echo "WARNING: This will overwrite the current database!"
+echo ""
+echo "Database: $DB_HOST:$DB_PORT/$DB_NAME"
+echo "Backup to restore: $BACKUP_FILE ($BACKUP_SIZE)"
+echo ""
+printf "Continue? [y/N]: "
+read CONFIRM
+
+case "$CONFIRM" in
+    [yY]|[yY][eE][sS])
+        ;;
+    *)
+        echo "Aborted."
+        exit 0
+        ;;
+esac
+
+# Create backup of current database before restoring
+echo ""
+echo "Creating backup of current database..."
+TIMESTAMP=$(date +%Y%m%d_%H%M%S)
+PRE_RESTORE_BACKUP="/app/data/dockhand_pre_restore_$TIMESTAMP.sql"
+if command -v pg_dump >/dev/null 2>&1; then
+    pg_dump -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -F p -f "$PRE_RESTORE_BACKUP" 2>/dev/null || true
+    if [ -f "$PRE_RESTORE_BACKUP" ]; then
+        echo "Current database backed up to: $PRE_RESTORE_BACKUP"
+    fi
+fi
+
+echo ""
+echo "Restoring database..."
+
+# Drop and recreate all tables by running the backup
+psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -f "$BACKUP_FILE"
+
+if [ $? -eq 0 ]; then
+    echo ""
+    echo "Database restored successfully!"
+    echo ""
+    echo "Restart Dockhand to apply changes:"
+    echo "  docker restart dockhand"
+else
+    echo "Error: Failed to restore database"
+    exit 1
+fi
diff --git a/scripts/emergency/reset-db.sh b/scripts/emergency/reset-db.sh
new file mode 100755
index 0000000..cc88591
--- /dev/null
+++ b/scripts/emergency/reset-db.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+#
+# Emergency script to factory reset the database
+# Automatically detects database type (SQLite or PostgreSQL)
+# WARNING: This will DELETE ALL DATA!
+#
+# Usage:
+#   docker exec -it dockhand /app/scripts/emergency/reset-db.sh
+#
+
+SCRIPT_DIR="$(dirname "$0")"
+
+# Detect database type
+if [ -n "$DATABASE_URL" ] && (echo "$DATABASE_URL" | grep -qE '^postgres(ql)?://'); then
+    exec "$SCRIPT_DIR/postgres/reset-db.sh" "$@"
+else
+    exec "$SCRIPT_DIR/sqlite/reset-db.sh" "$@"
+fi
diff --git a/scripts/emergency/reset-password.sh b/scripts/emergency/reset-password.sh
new file mode 100755
index 0000000..a41fad9
--- /dev/null
+++ b/scripts/emergency/reset-password.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Emergency script to reset a user's password
+# Automatically detects database type (SQLite or PostgreSQL)
+#
+# Usage:
+#   docker exec -it dockhand /app/scripts/emergency/reset-password.sh <username> <new_password>
+#
+# Example:
+#   docker exec -it dockhand /app/scripts/emergency/reset-password.sh admin MyNewPassword123
+#
+
+SCRIPT_DIR="$(dirname "$0")"
+
+# Detect database type
+if [ -n "$DATABASE_URL" ] && (echo "$DATABASE_URL" | grep -qE '^postgres(ql)?://'); then
+    exec "$SCRIPT_DIR/postgres/reset-password.sh" "$@"
+else
+    exec "$SCRIPT_DIR/sqlite/reset-password.sh" "$@"
+fi
diff --git a/scripts/emergency/restore-db.sh b/scripts/emergency/restore-db.sh
new file mode 100755
index 0000000..db0575e
--- /dev/null
+++ b/scripts/emergency/restore-db.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# Emergency script to restore the database from a backup
+# Automatically detects database type (SQLite or PostgreSQL)
+# WARNING: This will overwrite the current database!
+#
+# Usage:
+#   docker exec -it dockhand /app/scripts/emergency/restore-db.sh <backup_file>
+#
+# Example:
+#   docker exec -it dockhand /app/scripts/emergency/restore-db.sh /app/data/dockhand_backup_20240115_120000.db
+#
+
+SCRIPT_DIR="$(dirname "$0")"
+
+# Detect database type
+if [ -n "$DATABASE_URL" ] && (echo "$DATABASE_URL" | grep -qE '^postgres(ql)?://'); then
+    exec "$SCRIPT_DIR/postgres/restore-db.sh" "$@"
+else
+    exec "$SCRIPT_DIR/sqlite/restore-db.sh" "$@"
+fi
diff --git a/scripts/emergency/sqlite/backup-db.sh b/scripts/emergency/sqlite/backup-db.sh
new file mode 100755
index 0000000..7242ef9
--- /dev/null
+++ b/scripts/emergency/sqlite/backup-db.sh
@@ -0,0 +1,88 @@
+#!/bin/sh
+#
+# SQLite: Emergency script to backup the database
+# Creates a timestamped copy of the database file
+#
+# Usage:
+#   docker exec -it dockhand /app/scripts/emergency/sqlite/backup-db.sh [output_dir]
+#
+# Example:
+#   docker exec -it dockhand /app/scripts/emergency/sqlite/backup-db.sh /app/data/backups
+#
+# Default output: /app/data (same directory as database)
+#
+
+set -e
+
+echo "========================================"
+echo "  Dockhand - Backup Database (SQLite)"
+echo "========================================"
+echo ""
+
+# Default database path
+DB_PATH="${DOCKHAND_DB:-/app/data/db/dockhand.db}"
+OUTPUT_DIR="${1:-$(dirname "$DB_PATH")}"
+
+# Check if running locally (not in Docker)
+if [ ! -f "$DB_PATH" ] && [ -f "./data/db/dockhand.db" ]; then
+    DB_PATH="./data/db/dockhand.db"
+    OUTPUT_DIR="${1:-./data/db}"
+fi
+
+if [ ! -f "$DB_PATH" ]; then
+    echo "Error: Database not found at $DB_PATH"
+    echo "Set DOCKHAND_DB environment variable to specify the database path"
+    exit 1
+fi
+
+# Generate backup filename with timestamp
+TIMESTAMP=$(date +%Y%m%d_%H%M%S)
+BACKUP_FILE="$OUTPUT_DIR/dockhand_backup_$TIMESTAMP.db"
+
+# Get database size
+DB_SIZE=$(ls -lh "$DB_PATH" | awk '{print $5}')
+
+echo "This script will create a backup of the database."
+echo ""
+echo "Source: $DB_PATH ($DB_SIZE)"
+echo "Backup: $BACKUP_FILE"
+echo ""
+printf "Continue? [y/N]: "
+read CONFIRM
+
+case "$CONFIRM" in
+    [yY]|[yY][eE][sS])
+        ;;
+    *)
+        echo "Aborted."
+        exit 0
+        ;;
+esac
+
+echo ""
+
+# Create output directory if needed
+mkdir -p "$OUTPUT_DIR"
+
+echo "Creating database backup..."
+
+# Use sqlite3 backup command for safe backup (handles WAL mode)
+if command -v sqlite3 >/dev/null 2>&1; then
+    sqlite3 "$DB_PATH" ".backup '$BACKUP_FILE'"
+else
+    # Fallback to file copy if sqlite3 not available
+    cp "$DB_PATH" "$BACKUP_FILE"
+fi
+
+if [ $? -eq 0 ] && [ -f "$BACKUP_FILE" ]; then
+    SIZE=$(ls -lh "$BACKUP_FILE" | awk '{print $5}')
+    echo ""
+    echo "Backup created successfully!"
+    echo "Size: $SIZE"
+    echo ""
+    echo "To copy from Docker container to host:"
+    echo "  docker cp dockhand:$BACKUP_FILE ./dockhand_backup_$TIMESTAMP.db"
+else
+    echo "Error: Failed to create backup"
+    exit 1
+fi
diff --git a/scripts/emergency/sqlite/clear-sessions.sh b/scripts/emergency/sqlite/clear-sessions.sh
new file mode 100755
index 0000000..914c8ed
--- /dev/null
+++ b/scripts/emergency/sqlite/clear-sessions.sh
@@ -0,0 +1,62 @@
+#!/bin/sh
+#
+# SQLite: Emergency script to clear all user sessions
+# Use this to force all users to re-login
+#
+# Usage:
+#   docker exec -it dockhand /app/scripts/emergency/sqlite/clear-sessions.sh
+#
+
+set -e
+
+echo "========================================"
+echo "  Dockhand - Clear All Sessions (SQLite)"
+echo "========================================"
+echo ""
+echo "This script will clear all user sessions,"
+echo "forcing all users to log in again."
+echo ""
+
+# Default database path
+DB_PATH="${DOCKHAND_DB:-/app/data/db/dockhand.db}"
+
+# Check if running locally (not in Docker)
+if [ ! -f "$DB_PATH" ] && [ -f "./data/db/dockhand.db" ]; then
+    DB_PATH="./data/db/dockhand.db"
+fi
+
+if [ ! -f "$DB_PATH" ]; then
+    echo "Error: Database not found at $DB_PATH"
+    echo "Set DOCKHAND_DB environment variable to specify the database path"
+    exit 1
+fi
+
+COUNT=$(sqlite3 "$DB_PATH" "SELECT COUNT(*) FROM sessions;")
+
+echo "Database: $DB_PATH"
+echo "Active sessions: $COUNT"
+echo ""
+printf "Continue? [y/N]: "
+read CONFIRM
+
+case "$CONFIRM" in
+    [yY]|[yY][eE][sS])
+        ;;
+    *)
+        echo "Aborted."
+        exit 0
+        ;;
+esac
+
+echo ""
+echo "Clearing all user sessions..."
+sqlite3 "$DB_PATH" "DELETE FROM sessions;"
+
+if [ $? -eq 0 ]; then
+    echo ""
+    echo "Cleared $COUNT session(s) successfully."
+    echo "All users will need to log in again."
+else
+    echo "Error: Failed to clear sessions"
+    exit 1
+fi
diff --git a/scripts/emergency/sqlite/create-admin.sh b/scripts/emergency/sqlite/create-admin.sh
new file mode 100755
index 0000000..91ff9c7
--- /dev/null
+++ b/scripts/emergency/sqlite/create-admin.sh
@@ -0,0 +1,104 @@
+#!/bin/sh
+#
+# SQLite: Emergency script to create an admin user
+# Use this if you're locked out of Dockhand and need to create a new admin
+#
+# Usage:
+#   docker exec -it dockhand /app/scripts/emergency/sqlite/create-admin.sh
+#
+# Default credentials: admin / admin123
+# CHANGE THE PASSWORD IMMEDIATELY after logging in!
+#
+
+set -e
+
+echo "========================================"
+echo "  Dockhand - Create Admin User (SQLite)"
+echo "========================================"
+echo ""
+echo "This script will create an admin user with:"
+echo "  Username: admin"
+echo "  Password: admin123"
+echo ""
+echo "If user 'admin' already exists, password will"
+echo "be reset and admin privileges restored."
+echo ""
+
+# Default database path
+DB_PATH="${DOCKHAND_DB:-/app/data/db/dockhand.db}"
+
+# Check if running locally (not in Docker)
+if [ ! -f "$DB_PATH" ] && [ -f "./data/db/dockhand.db" ]; then
+    DB_PATH="./data/db/dockhand.db"
+fi
+
+if [ ! -f "$DB_PATH" ]; then
+    echo "Error: Database not found at $DB_PATH"
+    echo "Set DOCKHAND_DB environment variable to specify the database path"
+    exit 1
+fi
+
+echo "Database: $DB_PATH"
+echo ""
+printf "Continue? [y/N]: "
+read CONFIRM
+
+case "$CONFIRM" in
+    [yY]|[yY][eE][sS])
+        ;;
+    *)
+        echo "Aborted."
+        exit 0
+        ;;
+esac
+
+# Username and password
+USERNAME="admin"
+# Password: admin123
+# This is an argon2id hash of "admin123" - generated with default argon2 settings
+PASSWORD_HASH='$argon2id$v=19$m=65536,t=3,p=4$Jq4am2SfyYKmc0PAHe+yzg$cq/27vK/Qg2eZb/jMDy0ExLDhOG+58cKAximxpG5Dss'
+
+echo ""
+echo "Creating admin user..."
+
+# Check if admin user already exists
+EXISTING=$(sqlite3 "$DB_PATH" "SELECT COUNT(*) FROM users WHERE username='$USERNAME';")
+
+if [ "$EXISTING" -gt "0" ]; then
+    echo "User '$USERNAME' already exists."
+    echo "Resetting password and ensuring active status..."
+    sqlite3 "$DB_PATH" "UPDATE users SET password_hash='$PASSWORD_HASH', is_active=1 WHERE username='$USERNAME';"
+    USER_ID=$(sqlite3 "$DB_PATH" "SELECT id FROM users WHERE username='$USERNAME';")
+else
+    echo "Creating new admin user..."
+    sqlite3 "$DB_PATH" "INSERT INTO users (username, password_hash, is_active, auth_provider, created_at, updated_at) VALUES ('$USERNAME', '$PASSWORD_HASH', 1, 'local', datetime('now'), datetime('now'));"
+    USER_ID=$(sqlite3 "$DB_PATH" "SELECT id FROM users WHERE username='$USERNAME';")
+    echo "Admin user created successfully."
+fi
+
+# Get the Admin role ID (it's a system role)
+ADMIN_ROLE_ID=$(sqlite3 "$DB_PATH" "SELECT id FROM roles WHERE name='Admin';")
+
+if [ -z "$ADMIN_ROLE_ID" ]; then
+    echo "Warning: Admin role not found in database."
+    echo "The user was created but may not have admin privileges."
+    echo "Please check Settings > Auth > Roles after logging in."
+else
+    # Check if user already has Admin role
+    HAS_ROLE=$(sqlite3 "$DB_PATH" "SELECT COUNT(*) FROM user_roles WHERE user_id=$USER_ID AND role_id=$ADMIN_ROLE_ID;")
+
+    if [ "$HAS_ROLE" -eq "0" ]; then
+        echo "Assigning Admin role..."
+        sqlite3 "$DB_PATH" "INSERT INTO user_roles (user_id, role_id, created_at) VALUES ($USER_ID, $ADMIN_ROLE_ID, datetime('now'));"
+        echo "Admin role assigned."
+    else
+        echo "User already has Admin role."
+    fi
+fi
+
+echo ""
+echo "Credentials:"
+echo "  Username: admin"
+echo "  Password: admin123"
+echo ""
+echo "WARNING: Change the password immediately after logging in!"
diff --git a/scripts/emergency/sqlite/disable-auth.sh b/scripts/emergency/sqlite/disable-auth.sh
new file mode 100755
index 0000000..1ebcc49
--- /dev/null
+++ b/scripts/emergency/sqlite/disable-auth.sh
@@ -0,0 +1,61 @@
+#!/bin/sh
+#
+# SQLite: Emergency script to disable authentication
+# Use this if you're locked out of Dockhand
+#
+# Usage:
+#   docker exec -it dockhand /app/scripts/emergency/sqlite/disable-auth.sh
+#
+
+set -e
+
+echo "========================================"
+echo "  Dockhand - Disable Authentication (SQLite)"
+echo "========================================"
+echo ""
+echo "This script will disable authentication,"
+echo "allowing access to Dockhand without login."
+echo ""
+
+# Default database path
+DB_PATH="${DOCKHAND_DB:-/app/data/db/dockhand.db}"
+
+# Check if running locally (not in Docker)
+if [ ! -f "$DB_PATH" ] && [ -f "./data/db/dockhand.db" ]; then
+    DB_PATH="./data/db/dockhand.db"
+fi
+
+if [ ! -f "$DB_PATH" ]; then
+    echo "Error: Database not found at $DB_PATH"
+    echo "Set DOCKHAND_DB environment variable to specify the database path"
+    exit 1
+fi
+
+echo "Database: $DB_PATH"
+echo ""
+printf "Continue? [y/N]: "
+read CONFIRM
+
+case "$CONFIRM" in
+    [yY]|[yY][eE][sS])
+        ;;
+    *)
+        echo "Aborted."
+        exit 0
+        ;;
+esac
+
+echo ""
+echo "Disabling authentication..."
+sqlite3 "$DB_PATH" "UPDATE auth_settings SET auth_enabled = 0 WHERE id = 1;"
+
+if [ $? -eq 0 ]; then
+    echo ""
+    echo "Authentication disabled successfully."
+    echo "You can now access Dockhand without logging in."
+    echo ""
+    echo "Remember to re-enable authentication in Settings after regaining access."
+else
+    echo "Error: Failed to disable authentication"
+    exit 1
+fi
diff --git a/scripts/emergency/sqlite/list-users.sh b/scripts/emergency/sqlite/list-users.sh
new file mode 100755
index 0000000..9df5c25
--- /dev/null
+++ b/scripts/emergency/sqlite/list-users.sh
@@ -0,0 +1,80 @@
+#!/bin/sh
+#
+# SQLite: Emergency script to list all users
+# Shows username, admin status, active status, and last login
+#
+# Usage:
+#   docker exec -it dockhand /app/scripts/emergency/sqlite/list-users.sh
+#
+
+set -e
+
+echo "========================================"
+echo "  Dockhand - List Users (SQLite)"
+echo "========================================"
+echo ""
+
+# Default database path
+DB_PATH="${DOCKHAND_DB:-/app/data/db/dockhand.db}"
+
+# Check if running locally (not in Docker)
+if [ ! -f "$DB_PATH" ] && [ -f "./data/db/dockhand.db" ]; then
+    DB_PATH="./data/db/dockhand.db"
+fi
+
+if [ ! -f "$DB_PATH" ]; then
+    echo "Error: Database not found at $DB_PATH"
+    echo "Set DOCKHAND_DB environment variable to specify the database path"
+    exit 1
+fi
+
+# Get user count
+USER_COUNT=$(sqlite3 "$DB_PATH" "SELECT COUNT(*) FROM users;")
+
+if [ "$USER_COUNT" -eq "0" ]; then
+    echo "No users found."
+    exit 0
+fi
+
+# Get Admin role ID for checking admin status
+ADMIN_ROLE_ID=$(sqlite3 "$DB_PATH" "SELECT id FROM roles WHERE name='Admin';" 2>/dev/null || echo "")
+
+# Print header
+printf "%-4s %-20s %-8s %-8s %-6s %s\n" "ID" "Username" "Admin" "Active" "MFA" "Last Login"
+printf "%-4s %-20s %-8s %-8s %-6s %s\n" "----" "--------------------" "--------" "--------" "------" "-------------------"
+
+# List users (check admin status via user_roles table)
+sqlite3 -separator '|' "$DB_PATH" "SELECT id, username, is_active, mfa_enabled, COALESCE(last_login, 'Never') FROM users ORDER BY id;" | while IFS='|' read id username is_active mfa_enabled last_login; do
+    # Check if user has Admin role
+    if [ -n "$ADMIN_ROLE_ID" ]; then
+        HAS_ADMIN=$(sqlite3 "$DB_PATH" "SELECT COUNT(*) FROM user_roles WHERE user_id=$id AND role_id=$ADMIN_ROLE_ID;")
+        if [ "$HAS_ADMIN" -gt "0" ]; then
+            admin_str="Yes"
+        else
+            admin_str="No"
+        fi
+    else
+        admin_str="N/A"
+    fi
+
+    if [ "$is_active" = "1" ]; then
+        active_str="Yes"
+    else
+        active_str="No"
+    fi
+
+    if [ "$mfa_enabled" = "1" ]; then
+        mfa_str="Yes"
+    else
+        mfa_str="No"
+    fi
+
+    printf "%-4s %-20s %-8s %-8s %-6s %s\n" "$id" "$username" "$admin_str" "$active_str" "$mfa_str" "$last_login"
+done
+
+echo ""
+echo "Total: $USER_COUNT user(s)"
+
+# Show session count
+SESSION_COUNT=$(sqlite3 "$DB_PATH" "SELECT COUNT(*) FROM sessions;")
+echo "Active sessions: $SESSION_COUNT"
diff --git a/scripts/emergency/sqlite/reset-db.sh b/scripts/emergency/sqlite/reset-db.sh
new file mode 100755
index 0000000..d53532b
--- /dev/null
+++ b/scripts/emergency/sqlite/reset-db.sh
@@ -0,0 +1,73 @@
+#!/bin/sh
+#
+# SQLite: Emergency script to factory reset the database
+# WARNING: This will DELETE ALL DATA including users, settings, and activity logs!
+#
+# Usage:
+#   docker exec -it dockhand /app/scripts/emergency/sqlite/reset-db.sh
+#
+
+set -e
+
+echo "========================================"
+echo "  Dockhand - Factory Reset Database (SQLite)"
+echo "========================================"
+echo ""
+echo "WARNING: This will DELETE ALL DATA!"
+echo ""
+echo "This includes:"
+echo "  - All users and their settings"
+echo "  - All sessions"
+echo "  - Authentication settings"
+echo "  - Activity logs"
+echo "  - Environment configurations"
+echo "  - OIDC/SSO settings"
+echo ""
+echo "The database will be recreated on next startup."
+echo ""
+
+# Default database path
+DB_PATH="${DOCKHAND_DB:-/app/data/db/dockhand.db}"
+
+# Check if running locally (not in Docker)
+if [ ! -f "$DB_PATH" ] && [ -f "./data/db/dockhand.db" ]; then
+    DB_PATH="./data/db/dockhand.db"
+fi
+
+if [ ! -f "$DB_PATH" ]; then
+    echo "Error: Database not found at $DB_PATH"
+    echo "Nothing to reset."
+    exit 0
+fi
+
+echo "Database: $DB_PATH"
+echo ""
+printf "Continue? [y/N]: "
+read CONFIRM
+
+case "$CONFIRM" in
+    [yY]|[yY][eE][sS])
+        ;;
+    *)
+        echo "Aborted."
+        exit 0
+        ;;
+esac
+
+echo ""
+echo "Creating backup before reset..."
+BACKUP_FILE="${DB_PATH}.backup.$(date +%Y%m%d_%H%M%S)"
+cp "$DB_PATH" "$BACKUP_FILE"
+echo "Backup saved to: $BACKUP_FILE"
+
+echo ""
+echo "Deleting database..."
+rm -f "$DB_PATH"
+rm -f "${DB_PATH}-wal"
+rm -f "${DB_PATH}-shm"
+
+echo ""
+echo "Database deleted successfully."
+echo ""
+echo "Restart Dockhand to recreate a fresh database:"
+echo "  docker restart dockhand"
diff --git a/scripts/emergency/sqlite/reset-password.sh b/scripts/emergency/sqlite/reset-password.sh
new file mode 100755
index 0000000..9a38214
--- /dev/null
+++ b/scripts/emergency/sqlite/reset-password.sh
@@ -0,0 +1,123 @@
+#!/bin/sh
+#
+# SQLite: Emergency script to reset a user's password
+# Use this if a user is locked out and needs a password reset
+#
+# Usage:
+#   docker exec -it dockhand /app/scripts/emergency/sqlite/reset-password.sh <username> <new_password>
+#
+# Example:
+#   docker exec -it dockhand /app/scripts/emergency/sqlite/reset-password.sh admin MyNewPassword123
+#
+
+set -e
+
+echo "========================================"
+echo "  Dockhand - Reset User Password (SQLite)"
+echo "========================================"
+echo ""
+
+# Check arguments
+if [ -z "$1" ] || [ -z "$2" ]; then
+    echo "Usage: $0 <username> <new_password>"
+    echo ""
+    echo "Example:"
+    echo "  $0 admin MyNewPassword123"
+    exit 1
+fi
+
+USERNAME="$1"
+NEW_PASSWORD="$2"
+
+# Validate password length
+if [ ${#NEW_PASSWORD} -lt 8 ]; then
+    echo "Error: Password must be at least 8 characters"
+    exit 1
+fi
+
+# Default database path
+DB_PATH="${DOCKHAND_DB:-/app/data/db/dockhand.db}"
+
+# Check if running locally (not in Docker)
+if [ ! -f "$DB_PATH" ] && [ -f "./data/db/dockhand.db" ]; then
+    DB_PATH="./data/db/dockhand.db"
+fi
+
+if [ ! -f "$DB_PATH" ]; then
+    echo "Error: Database not found at $DB_PATH"
+    echo "Set DOCKHAND_DB environment variable to specify the database path"
+    exit 1
+fi
+
+# Check if user exists
+EXISTING=$(sqlite3 "$DB_PATH" "SELECT COUNT(*) FROM users WHERE username='$USERNAME';")
+
+if [ "$EXISTING" -eq "0" ]; then
+    echo "Error: User '$USERNAME' not found"
+    echo ""
+    echo "Available users:"
+    sqlite3 "$DB_PATH" "SELECT username FROM users;" | while read user; do
+        echo "  - $user"
+    done
+    exit 1
+fi
+
+echo "This script will reset the password for user '$USERNAME'."
+echo ""
+echo "Database: $DB_PATH"
+echo "Username: $USERNAME"
+echo ""
+printf "Continue? [y/N]: "
+read CONFIRM
+
+case "$CONFIRM" in
+    [yY]|[yY][eE][sS])
+        ;;
+    *)
+        echo "Aborted."
+        exit 0
+        ;;
+esac
+
+# Generate password hash using node (argon2 is available in the app)
+echo ""
+echo "Generating password hash..."
+
+# Check if node and argon2 are available
+if command -v node >/dev/null 2>&1; then
+    # Try to use argon2 from node_modules
+    PASSWORD_HASH=$(node -e "
+        try {
+            const argon2 = require('argon2');
+            argon2.hash('$NEW_PASSWORD').then(h => console.log(h)).catch(e => process.exit(1));
+        } catch(e) {
+            process.exit(1);
+        }
+    " 2>/dev/null)
+
+    if [ -z "$PASSWORD_HASH" ]; then
+        echo "Error: Could not generate password hash (argon2 not available)"
+        echo "This script requires Node.js with argon2 module"
+        exit 1
+    fi
+else
+    echo "Error: Node.js is required to generate password hash"
+    exit 1
+fi
+
+echo "Resetting password for user '$USERNAME'..."
+sqlite3 "$DB_PATH" "UPDATE users SET password_hash='$PASSWORD_HASH', updated_at=datetime('now') WHERE username='$USERNAME';"
+
+if [ $? -eq 0 ]; then
+    echo ""
+    echo "Password reset successfully for user '$USERNAME'"
+    echo ""
+    # Invalidate sessions
+    USER_ID=$(sqlite3 "$DB_PATH" "SELECT id FROM users WHERE username='$USERNAME';")
+    sqlite3 "$DB_PATH" "DELETE FROM sessions WHERE user_id=$USER_ID;" 2>/dev/null || true
+    echo "All existing sessions have been invalidated."
+    echo "The user can now log in with the new password."
+else
+    echo "Error: Failed to reset password"
+    exit 1
+fi
diff --git a/scripts/emergency/sqlite/restore-db.sh b/scripts/emergency/sqlite/restore-db.sh
new file mode 100755
index 0000000..96aa9e6
--- /dev/null
+++ b/scripts/emergency/sqlite/restore-db.sh
@@ -0,0 +1,106 @@
+#!/bin/sh
+#
+# SQLite: Emergency script to restore the database from a backup
+# WARNING: This will overwrite the current database!
+#
+# Usage:
+#   docker exec -it dockhand /app/scripts/emergency/sqlite/restore-db.sh <backup_file>
+#
+# Example:
+#   docker exec -it dockhand /app/scripts/emergency/sqlite/restore-db.sh /app/data/dockhand_backup_20240115_120000.db
+#
+# To copy backup into container first:
+#   docker cp ./dockhand_backup.db dockhand:/app/data/
+#
+
+set -e
+
+echo "========================================"
+echo "  Dockhand - Restore Database (SQLite)"
+echo "========================================"
+echo ""
+
+# Check argument
+if [ -z "$1" ]; then
+    echo "Usage: $0 <backup_file>"
+    echo ""
+    echo "Example:"
+    echo "  $0 /app/data/dockhand_backup_20240115_120000.db"
+    echo ""
+    echo "To copy backup into container first:"
+    echo "  docker cp ./dockhand_backup.db dockhand:/app/data/"
+    exit 1
+fi
+
+BACKUP_FILE="$1"
+
+# Default database path
+DB_PATH="${DOCKHAND_DB:-/app/data/db/dockhand.db}"
+
+# Check if running locally (not in Docker)
+if [ ! -f "$DB_PATH" ] && [ -f "./data/db/dockhand.db" ]; then
+    DB_PATH="./data/db/dockhand.db"
+fi
+
+# Check if backup file exists
+if [ ! -f "$BACKUP_FILE" ]; then
+    echo "Error: Backup file not found: $BACKUP_FILE"
+    exit 1
+fi
+
+# Verify it's a valid SQLite database
+if ! sqlite3 "$BACKUP_FILE" "SELECT 1;" >/dev/null 2>&1; then
+    echo "Error: File is not a valid SQLite database: $BACKUP_FILE"
+    exit 1
+fi
+
+# Get backup file size
+BACKUP_SIZE=$(ls -lh "$BACKUP_FILE" | awk '{print $5}')
+
+echo "WARNING: This will overwrite the current database!"
+echo ""
+echo "Current database: $DB_PATH"
+echo "Backup to restore: $BACKUP_FILE ($BACKUP_SIZE)"
+echo ""
+printf "Continue? [y/N]: "
+read CONFIRM
+
+case "$CONFIRM" in
+    [yY]|[yY][eE][sS])
+        ;;
+    *)
+        echo "Aborted."
+        exit 0
+        ;;
+esac
+
+# Create backup of current database before restoring
+if [ -f "$DB_PATH" ]; then
+    TIMESTAMP=$(date +%Y%m%d_%H%M%S)
+    PRE_RESTORE_BACKUP="${DB_PATH}.pre-restore.$TIMESTAMP"
+    echo ""
+    echo "Creating backup of current database..."
+    cp "$DB_PATH" "$PRE_RESTORE_BACKUP"
+    echo "Current database backed up to: $PRE_RESTORE_BACKUP"
+fi
+
+echo ""
+echo "Restoring database..."
+
+# Remove WAL files if they exist
+rm -f "${DB_PATH}-wal"
+rm -f "${DB_PATH}-shm"
+
+# Copy backup to database location
+cp "$BACKUP_FILE" "$DB_PATH"
+
+if [ $? -eq 0 ]; then
+    echo ""
+    echo "Database restored successfully!"
+    echo ""
+    echo "Restart Dockhand to apply changes:"
+    echo "  docker restart dockhand"
+else
+    echo "Error: Failed to restore database"
+    exit 1
+fi
diff --git a/scripts/generate-changelog-page.ts b/scripts/generate-changelog-page.ts
new file mode 100644
index 0000000..6ab60d1
--- /dev/null
+++ b/scripts/generate-changelog-page.ts
@@ -0,0 +1,164 @@
+#!/usr/bin/env bun
+/**
+ * Generate changelog section in webpage/index.html from src/lib/data/changelog.json
+ * This ensures a single source of truth for release information
+ */
+
+import { readFileSync, writeFileSync } from 'fs';
+import { join } from 'path';
+
+const ROOT_DIR = join(import.meta.dir, '..');
+const CHANGELOG_PATH = join(ROOT_DIR, 'src/lib/data/changelog.json');
+const INDEX_PATH = join(ROOT_DIR, 'webpage/index.html');
+
+interface ChangelogEntry {
+	version: string;
+	date: string;
+	changes: Array<{ type: 'feature' | 'fix'; text: string }>;
+	imageTag: string;
+}
+
+// SVG icons for change types
+const FEATURE_SVG = `<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="m12 3-1.912 5.813a2 2 0 0 1-1.275 1.275L3 12l5.813 1.912a2 2 0 0 1 1.275 1.275L12 21l1.912-5.813a2 2 0 0 1 1.275-1.275L21 12l-5.813-1.912a2 2 0 0 1-1.275-1.275L12 3Z"/><path d="M5 3v4"/><path d="M19 17v4"/><path d="M3 5h4"/><path d="M17 19h4"/></svg>`;
+
+const FIX_SVG = `<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><rect width="8" height="14" x="8" y="6" rx="4"/><path d="m19 7-3 2"/><path d="m5 7 3 2"/><path d="m19 19-3-2"/><path d="m5 19 3-2"/><path d="M20 13h-4"/><path d="M4 13h4"/><path d="m10 4 1 2"/><path d="m14 4-1 2"/></svg>`;
+
+const TOGGLE_SVG = `<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><polyline points="6 9 12 15 18 9"/></svg>`;
+
+const COPY_SVG = `<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><rect width="14" height="14" x="8" y="8" rx="2" ry="2"/><path d="M4 16c-1.1 0-2-.9-2-2V4c0-1.1.9-2 2-2h10c1.1 0 2 .9 2 2"/></svg>`;
+
+function formatDate(dateStr: string): string {
+	const date = new Date(dateStr);
+	return date.toLocaleDateString('en-US', {
+		year: 'numeric',
+		month: 'long',
+		day: 'numeric'
+	});
+}
+
+function generateChangeItem(change: { type: 'feature' | 'fix'; text: string }): string {
+	const pillClass = change.type === 'feature' ? 'changelog-pill-feature' : 'changelog-pill-fix';
+	const svg = change.type === 'feature' ? FEATURE_SVG : FIX_SVG;
+	const label = change.type === 'feature' ? 'New' : 'Fix';
+	return `                            <li><span class="changelog-pill ${pillClass}">${svg}${label}</span>${change.text}</li>`;
+}
+
+function generateLatestEntry(entry: ChangelogEntry): string {
+	const changes = entry.changes.map(generateChangeItem).join('\n');
+	const version = entry.version.startsWith('v') ? entry.version : `v${entry.version}`;
+
+	return `                <!-- ${version} -->
+                <div class="changelog-entry">
+                    <div class="changelog-header">
+                        <div class="changelog-version">
+                            <h3>${version}</h3>
+                            <span class="changelog-badge">Latest</span>
+                        </div>
+                        <span class="changelog-date">${formatDate(entry.date)}</span>
+                    </div>
+                    <ul class="changelog-changes">
+${changes}
+                    </ul>
+                    <div class="changelog-image-tag">
+                        <span>Docker image:</span>
+                        <code>${entry.imageTag}</code>
+                        <button class="copy-btn" onclick="copyDockerImage(this, '${entry.imageTag}')" title="Copy to clipboard">${COPY_SVG}</button>
+                        <span style="color: var(--text-muted); margin: 0 0.25rem;">or</span>
+                        <code>fnsys/dockhand:latest</code>
+                        <button class="copy-btn" onclick="copyDockerImage(this, 'fnsys/dockhand:latest')" title="Copy to clipboard">${COPY_SVG}</button>
+                    </div>
+                </div>`;
+}
+
+function generateCollapsibleEntry(entry: ChangelogEntry): string {
+	const changes = entry.changes.map(generateChangeItem).join('\n');
+	const version = entry.version.startsWith('v') ? entry.version : `v${entry.version}`;
+
+	return `                <!-- ${version} (collapsible) -->
+                <div class="changelog-entry collapsible" data-version="${version}">
+                    <div class="changelog-header">
+                        <div class="changelog-version">
+                            <h3>${version}</h3>
+                            <span class="changelog-toggle">${TOGGLE_SVG}</span>
+                        </div>
+                        <span class="changelog-date">${formatDate(entry.date)}</span>
+                    </div>
+                    <div class="changelog-content">
+                        <ul class="changelog-changes">
+${changes}
+                        </ul>
+                        <div class="changelog-image-tag">
+                            <span>Docker image:</span>
+                            <code>${entry.imageTag}</code>
+                            <button class="copy-btn" onclick="copyDockerImage(this, '${entry.imageTag}')" title="Copy to clipboard">${COPY_SVG}</button>
+                        </div>
+                    </div>
+                </div>`;
+}
+
+function generateChangelogSection(entries: ChangelogEntry[]): string {
+	if (entries.length === 0) {
+		return '';
+	}
+
+	const [latest, ...rest] = entries;
+	const latestHtml = generateLatestEntry(latest);
+	const restHtml = rest.map(generateCollapsibleEntry).join('\n');
+
+	return `    <!-- Changelog Section -->
+    <section class="changelog" id="changelog">
+        <div class="changelog-container">
+            <div class="section-header">
+                <div class="section-label">Changelog</div>
+                <h2 class="section-title">Release history</h2>
+                <p class="section-subtitle">Track our progress and see what's new in each version. <span style="color: #fbbf24; white-space: nowrap;">Spoiler: it gets better every time.</span></p>
+            </div>
+            <div class="changelog-list">
+${latestHtml}
+${restHtml}
+            </div>
+        </div>
+    </section>`;
+}
+
+// Read changelog.json
+console.log('Reading changelog from:', CHANGELOG_PATH);
+const changelog: ChangelogEntry[] = JSON.parse(readFileSync(CHANGELOG_PATH, 'utf-8'));
+console.log(`Found ${changelog.length} changelog entries`);
+
+// Read index.html
+console.log('Reading index.html from:', INDEX_PATH);
+let indexHtml = readFileSync(INDEX_PATH, 'utf-8');
+
+// Generate new changelog section
+const newChangelogSection = generateChangelogSection(changelog);
+
+// Replace changelog section using regex
+// Match from "<!-- Changelog Section -->" to the closing "</section>" before "<!-- CTA -->"
+const changelogRegex = /    <!-- Changelog Section -->[\s\S]*?<\/section>(?=\s*\n\s*<!-- CTA -->)/;
+
+if (!changelogRegex.test(indexHtml)) {
+	console.error('ERROR: Could not find changelog section in index.html');
+	console.error('Looking for pattern: <!-- Changelog Section --> ... </section> followed by <!-- CTA -->');
+	process.exit(1);
+}
+
+indexHtml = indexHtml.replace(changelogRegex, newChangelogSection);
+
+// Also update softwareVersion in JSON-LD schema
+if (changelog.length > 0) {
+	const latestVersion = changelog[0].version;
+	// Match "softwareVersion": "X.X" or "softwareVersion": "X.X.X"
+	const versionRegex = /"softwareVersion":\s*"[\d.]+"/;
+	if (versionRegex.test(indexHtml)) {
+		indexHtml = indexHtml.replace(versionRegex, `"softwareVersion": "${latestVersion}"`);
+		console.log(`Updated softwareVersion to: ${latestVersion}`);
+	}
+}
+
+// Write back to index.html
+writeFileSync(INDEX_PATH, indexHtml);
+console.log('');
+console.log('Generated changelog in webpage/index.html');
+console.log(`  - Latest version: v${changelog[0]?.version || 'unknown'}`);
+console.log(`  - Total entries: ${changelog.length}`);
diff --git a/scripts/generate-legal-pages.ts b/scripts/generate-legal-pages.ts
new file mode 100644
index 0000000..5056190
--- /dev/null
+++ b/scripts/generate-legal-pages.ts
@@ -0,0 +1,137 @@
+#!/usr/bin/env bun
+/**
+ * Generate static HTML pages for License and Privacy from .txt files
+ * This ensures a single source of truth for legal documents
+ */
+
+import { readFileSync, writeFileSync } from 'fs';
+import { join } from 'path';
+
+const ROOT_DIR = join(import.meta.dir, '..');
+const WEBPAGE_DIR = join(ROOT_DIR, 'webpage');
+
+function escapeHtml(text: string): string {
+	return text
+		.replace(/&/g, '&amp;')
+		.replace(/</g, '&lt;')
+		.replace(/>/g, '&gt;');
+}
+
+function generateHtmlPage(title: string, content: string): string {
+	return `<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>${title} - Dockhand</title>
+    <link rel="icon" type="image/png" href="images/favicon.png">
+    <style>
+        * {
+            margin: 0;
+            padding: 0;
+            box-sizing: border-box;
+        }
+        body {
+            font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, sans-serif;
+            background: #0a0a0f;
+            color: #e0e0e0;
+            line-height: 1.6;
+            min-height: 100vh;
+        }
+        .container {
+            max-width: 900px;
+            margin: 0 auto;
+            padding: 2rem;
+        }
+        header {
+            display: flex;
+            align-items: center;
+            justify-content: space-between;
+            padding: 1rem 0;
+            margin-bottom: 2rem;
+            border-bottom: 1px solid rgba(255,255,255,0.1);
+        }
+        .logo-img {
+            height: 40px;
+        }
+        .back-link {
+            color: #60a5fa;
+            text-decoration: none;
+            font-size: 0.9rem;
+        }
+        .back-link:hover {
+            text-decoration: underline;
+        }
+        h1 {
+            font-size: 1.75rem;
+            margin-bottom: 1.5rem;
+            color: #fff;
+        }
+        .content {
+            background: rgba(255,255,255,0.03);
+            border: 1px solid rgba(255,255,255,0.1);
+            border-radius: 8px;
+            padding: 2rem;
+        }
+        pre {
+            font-family: 'SF Mono', Monaco, 'Cascadia Code', monospace;
+            font-size: 0.8rem;
+            white-space: pre-wrap;
+            word-wrap: break-word;
+            color: #c0c0c0;
+        }
+        footer {
+            margin-top: 3rem;
+            padding-top: 1.5rem;
+            border-top: 1px solid rgba(255,255,255,0.1);
+            text-align: center;
+            font-size: 0.85rem;
+            color: #888;
+        }
+        footer a {
+            color: #60a5fa;
+            text-decoration: none;
+        }
+        footer a:hover {
+            text-decoration: underline;
+        }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <header>
+            <a href="index.html">
+                <img src="images/logo-dark.webp" alt="Dockhand" class="logo-img">
+            </a>
+            <a href="index.html" class="back-link">&larr; Back to home</a>
+        </header>
+
+        <h1>${title}</h1>
+
+        <div class="content">
+            <pre>${escapeHtml(content)}</pre>
+        </div>
+
+        <footer>
+            <p>&copy; 2025-2026 Finsys / Jarek Krochmalski &middot; <a href="https://dockhand.pro">https://dockhand.pro</a></p>
+        </footer>
+    </div>
+</body>
+</html>`;
+}
+
+// Read the source files
+const licenseContent = readFileSync(join(ROOT_DIR, 'LICENSE.txt'), 'utf-8');
+const privacyContent = readFileSync(join(ROOT_DIR, 'PRIVACY.txt'), 'utf-8');
+
+// Generate HTML pages
+const licenseHtml = generateHtmlPage('License Terms and Conditions', licenseContent);
+const privacyHtml = generateHtmlPage('Privacy Policy', privacyContent);
+
+// Write to webpage directory
+writeFileSync(join(WEBPAGE_DIR, 'license.html'), licenseHtml);
+writeFileSync(join(WEBPAGE_DIR, 'privacy.html'), privacyHtml);
+
+console.log('Generated legal pages:');
+console.log('  - webpage/license.html');
+console.log('  - webpage/privacy.html');
diff --git a/scripts/patch-build.ts b/scripts/patch-build.ts
new file mode 100644
index 0000000..df1b85a
--- /dev/null
+++ b/scripts/patch-build.ts
@@ -0,0 +1,604 @@
+/**
+ * Post-build script to fix svelte-adapter-bun WebSocket issue
+ * The adapter calls server.websocket() which doesn't exist in SvelteKit.
+ *
+ * IMPORTANT: Terminal WebSocket logic is shared with vite.config.ts
+ * Core functions like resolveDockerTarget are defined in:
+ *   src/lib/server/ws-terminal-shared.ts
+ *
+ * When updating WebSocket terminal handling, update the shared module
+ * and this file will use the same logic at build time.
+ */
+
+import { join } from 'node:path';
+
+const BUILD_DIR = join(import.meta.dir, '../build');
+
+async function patchHandler() {
+	const handlerPath = join(BUILD_DIR, 'handler.js');
+	const handlerFile = Bun.file(handlerPath);
+
+	if (!await handlerFile.exists()) {
+		console.error('handler.js not found');
+		process.exit(1);
+	}
+
+	let content = await handlerFile.text();
+
+	// Replace broken server.websocket() call
+	content = content.replace(
+		'const websocket = server.websocket();',
+		'const websocket = null;'
+	);
+
+	// Add WebSocket upgrade detection before ssr handler
+	const ssrIndex = content.indexOf('var ssr = async (request, bunServer) => {');
+	if (ssrIndex > -1) {
+		const upgradeCode = `
+var handleUpgrade = (request, bunServer) => {
+	const url = new URL(request.url);
+	const isUpgrade = request.headers.get('connection')?.toLowerCase().includes('upgrade') &&
+		request.headers.get('upgrade')?.toLowerCase() === 'websocket';
+	if (!isUpgrade) return null;
+
+	// Handle terminal exec WebSocket
+	if (url.pathname.includes('/api/containers/') && url.pathname.includes('/exec')) {
+		const pathParts = url.pathname.split('/');
+		const containerIdIndex = pathParts.indexOf('containers') + 1;
+		const containerId = pathParts[containerIdIndex];
+		const shell = url.searchParams.get('shell') || '/bin/sh';
+		const user = url.searchParams.get('user') || 'root';
+		const envId = url.searchParams.get('envId') ? parseInt(url.searchParams.get('envId'), 10) : undefined;
+		if (bunServer.upgrade(request, { data: { type: 'terminal', containerId, shell, user, envId } })) {
+			return new Response(null, { status: 101 });
+		}
+	}
+
+	// Handle terminal attach WebSocket
+	if (url.pathname.includes('/api/containers/') && url.pathname.includes('/attach')) {
+		const pathParts = url.pathname.split('/');
+		const containerIdIndex = pathParts.indexOf('containers') + 1;
+		const containerId = pathParts[containerIdIndex];
+		const envId = url.searchParams.get('envId') ? parseInt(url.searchParams.get('envId'), 10) : undefined;
+		if (bunServer.upgrade(request, { data: { type: 'terminal', mode: 'attach', containerId, envId } })) {
+			return new Response(null, { status: 101 });
+		}
+	}
+
+	// Handle Hawser Edge WebSocket
+	if (url.pathname === '/api/hawser/connect') {
+		if (bunServer.upgrade(request, { data: { type: 'hawser' } })) {
+			return new Response(null, { status: 101 });
+		}
+	}
+
+	return null;
+};
+`;
+		content = content.slice(0, ssrIndex) + upgradeCode + content.slice(ssrIndex);
+	}
+
+	// Modify handler to check for upgrade first
+	content = content.replace(
+		'return ssr(request, server2);',
+		'const upgradeResponse = handleUpgrade(request, server2); if (upgradeResponse) return upgradeResponse; return ssr(request, server2);'
+	);
+
+	await Bun.write(handlerPath, content);
+	console.log('✓ Patched handler.js');
+}
+
+async function patchIndex() {
+	const indexPath = join(BUILD_DIR, 'index.js');
+	const indexFile = Bun.file(indexPath);
+
+	if (!await indexFile.exists()) {
+		console.error('index.js not found');
+		process.exit(1);
+	}
+
+	let content = await indexFile.text();
+
+	const wsHandler = `
+import { existsSync as _existsSync } from 'fs';
+import { homedir as _homedir } from 'os';
+import { Database as _Database } from 'bun:sqlite';
+import { SQL as _SQL } from 'bun';
+import { join as _join } from 'path';
+
+// Database connection (supports both SQLite and PostgreSQL)
+let _db = null;
+let _isPostgres = false;
+function _getDb() {
+	if (!_db) {
+		const dbUrl = process.env.DATABASE_URL;
+		if (dbUrl && (dbUrl.startsWith('postgres://') || dbUrl.startsWith('postgresql://'))) {
+			_db = new _SQL(dbUrl);
+			_isPostgres = true;
+		} else {
+			const _dbPath = _join(process.cwd(), 'data', 'db', 'dockhand.db');
+			if (_existsSync(_dbPath)) {
+				_db = new _Database(_dbPath);
+			}
+		}
+	}
+	return _db;
+}
+
+async function _getEnvironment(id) {
+	const db = _getDb();
+	if (!db) return null;
+	let row;
+	if (_isPostgres) {
+		const result = await db.unsafe('SELECT * FROM environments WHERE id = $1', [id]);
+		row = result[0];
+	} else {
+		row = db.prepare('SELECT * FROM environments WHERE id = ?').get(id);
+	}
+	return row ? { ...row, is_local: Boolean(row.is_local), connection_type: row.connection_type, hawser_token: row.hawser_token } : null;
+}
+
+function detectDockerSocket() {
+	if (process.env.DOCKER_SOCKET && _existsSync(process.env.DOCKER_SOCKET)) return process.env.DOCKER_SOCKET;
+	if (process.env.DOCKER_HOST?.startsWith('unix://')) {
+		const p = process.env.DOCKER_HOST.replace('unix://', '');
+		if (_existsSync(p)) return p;
+	}
+	for (const s of ['/var/run/docker.sock', _homedir() + '/.docker/run/docker.sock', _homedir() + '/.orbstack/run/docker.sock', '/run/docker.sock']) {
+		if (_existsSync(s)) return s;
+	}
+	return '/var/run/docker.sock';
+}
+const dockerSocketPath = detectDockerSocket();
+console.log('Detected Docker socket at:', dockerSocketPath);
+
+const dockerStreams = new Map();
+let _wsConnCounter = 0;
+
+async function _getDockerTarget(envId) {
+	if (!envId) return { type: 'unix', socket: dockerSocketPath };
+	const env = await _getEnvironment(envId);
+	if (!env) return { type: 'unix', socket: dockerSocketPath };
+	// Check for socket connection type (local Unix socket)
+	if (env.is_local || env.connection_type === 'socket' || !env.connection_type) {
+		return { type: 'unix', socket: env.socket_path || dockerSocketPath };
+	}
+	if (env.connection_type === 'hawser-edge') return { type: 'hawser-edge', environmentId: envId };
+	return { type: 'tcp', host: env.host, port: env.port || 2375, hawserToken: env.connection_type === 'hawser-standard' ? env.hawser_token : undefined };
+}
+
+async function createExec(containerId, cmd, user, target) {
+	const headers = { 'Content-Type': 'application/json' };
+	const fetchOpts = {
+		method: 'POST',
+		headers,
+		body: JSON.stringify({ AttachStdin: true, AttachStdout: true, AttachStderr: true, Tty: true, Cmd: cmd, User: user })
+	};
+	let url;
+	if (target.type === 'unix') {
+		url = 'http://localhost/containers/' + containerId + '/exec';
+		fetchOpts.unix = target.socket;
+	} else {
+		url = 'http://' + target.host + ':' + target.port + '/containers/' + containerId + '/exec';
+		if (target.hawserToken) headers['X-Hawser-Token'] = target.hawserToken;
+	}
+	const res = await fetch(url, fetchOpts);
+	if (!res.ok) throw new Error('Failed to create exec: ' + (await res.text()));
+	return res.json();
+}
+
+async function resizeExec(execId, cols, rows, target) {
+	try {
+		const fetchOpts = { method: 'POST' };
+		let url;
+		if (target.type === 'unix') {
+			url = 'http://localhost/exec/' + execId + '/resize?h=' + rows + '&w=' + cols;
+			fetchOpts.unix = target.socket;
+		} else {
+			url = 'http://' + target.host + ':' + target.port + '/exec/' + execId + '/resize?h=' + rows + '&w=' + cols;
+			if (target.hawserToken) fetchOpts.headers = { 'X-Hawser-Token': target.hawserToken };
+		}
+		await fetch(url, fetchOpts);
+	} catch {}
+}
+
+// ============ Hawser Edge Support ============
+// Global edge connections map (shared with hawser.ts via globalThis)
+if (!globalThis.__hawserEdgeConnections) globalThis.__hawserEdgeConnections = new Map();
+const _edgeConnections = globalThis.__hawserEdgeConnections;
+
+// Map WebSocket to environmentId for quick lookup
+const _wsToEnvId = new Map();
+
+// Edge exec sessions (execId -> frontend WebSocket)
+const _edgeExecSessions = new Map();
+
+// Validate Hawser token against database
+async function _validateHawserToken(token) {
+	const db = _getDb();
+	if (!db) return { valid: false };
+	let tokens;
+	if (_isPostgres) {
+		tokens = await db.unsafe('SELECT * FROM hawser_tokens WHERE is_active = true');
+	} else {
+		tokens = db.prepare('SELECT * FROM hawser_tokens WHERE is_active = 1').all();
+	}
+	for (const t of tokens) {
+		try {
+			const isValid = await Bun.password.verify(token, t.token);
+			if (isValid) {
+				if (_isPostgres) {
+					await db.unsafe('UPDATE hawser_tokens SET last_used = NOW() WHERE id = $1', [t.id]);
+				} else {
+					db.prepare('UPDATE hawser_tokens SET last_used = datetime(\\'now\\') WHERE id = ?').run(t.id);
+				}
+				return { valid: true, environmentId: t.environment_id, tokenId: t.id };
+			}
+		} catch {}
+	}
+	return { valid: false };
+}
+
+// Update environment status in database
+async function _updateEnvStatus(envId, conn) {
+	const db = _getDb();
+	if (!db) return;
+	try {
+		if (conn) {
+			if (_isPostgres) {
+				await db.unsafe('UPDATE environments SET hawser_last_seen = NOW(), hawser_agent_id = $1, hawser_agent_name = $2, hawser_version = $3, hawser_capabilities = $4 WHERE id = $5',
+					[conn.agentId, conn.agentName, conn.agentVersion, JSON.stringify(conn.capabilities || []), envId]);
+			} else {
+				db.prepare('UPDATE environments SET hawser_last_seen = datetime(\\'now\\'), hawser_agent_id = ?, hawser_agent_name = ?, hawser_version = ?, hawser_capabilities = ? WHERE id = ?')
+					.run(conn.agentId, conn.agentName, conn.agentVersion, JSON.stringify(conn.capabilities || []), envId);
+			}
+		} else {
+			if (_isPostgres) {
+				await db.unsafe('UPDATE environments SET hawser_last_seen = NOW() WHERE id = $1', [envId]);
+			} else {
+				db.prepare('UPDATE environments SET hawser_last_seen = datetime(\\'now\\') WHERE id = ?').run(envId);
+			}
+		}
+	} catch {}
+}
+
+// Handle Hawser Edge protocol messages
+async function _handleHawserMessage(ws, msg) {
+	if (msg.type === 'hello') {
+		console.log('[Hawser] Hello from agent:', msg.agentName, '(' + msg.agentId + ')');
+		const validation = await _validateHawserToken(msg.token);
+		if (!validation.valid) {
+			console.log('[Hawser] Invalid token');
+			ws.send(JSON.stringify({ type: 'error', error: 'Invalid token' }));
+			ws.close();
+			return;
+		}
+		const envId = validation.environmentId;
+		const existing = _edgeConnections.get(envId);
+		if (existing) {
+			const pendingCount = existing.pendingRequests.size;
+			const streamCount = existing.pendingStreamRequests.size;
+			console.log('[Hawser] Replacing existing connection for env', envId, '- rejecting', pendingCount, 'pending requests and', streamCount, 'stream requests');
+			// Reject all pending requests before closing
+			for (const [requestId, pending] of existing.pendingRequests) {
+				clearTimeout(pending.timeout);
+				pending.reject(new Error('Connection replaced by new agent'));
+			}
+			for (const [requestId, pending] of existing.pendingStreamRequests) {
+				pending.onEnd?.('Connection replaced by new agent');
+			}
+			existing.pendingRequests.clear();
+			existing.pendingStreamRequests.clear();
+			existing.ws.close(1000, 'Replaced');
+			_wsToEnvId.delete(existing.ws);
+		}
+		const conn = {
+			ws, environmentId: envId, agentId: msg.agentId, agentName: msg.agentName,
+			agentVersion: msg.version || 'unknown', dockerVersion: msg.dockerVersion || 'unknown',
+			hostname: msg.hostname || 'unknown', capabilities: msg.capabilities || [],
+			connectedAt: new Date(), lastHeartbeat: new Date(),
+			pendingRequests: new Map(), pendingStreamRequests: new Map(),
+			pingInterval: null
+		};
+		_edgeConnections.set(envId, conn);
+		_wsToEnvId.set(ws, envId);
+		await _updateEnvStatus(envId, conn);
+		ws.send(JSON.stringify({ type: 'welcome', environmentId: envId, message: 'Connected to Dockhand' }));
+		// Start server-side ping interval to keep connection alive through Traefik/proxies (5s)
+		conn.pingInterval = setInterval(() => {
+			try { ws.send(JSON.stringify({ type: 'ping', timestamp: Date.now() })); }
+			catch { if (conn.pingInterval) { clearInterval(conn.pingInterval); conn.pingInterval = null; } }
+		}, 5000);
+		console.log('[Hawser] Agent', msg.agentName, 'connected for env', envId);
+	} else if (msg.type === 'ping') {
+		const envId = _wsToEnvId.get(ws);
+		if (envId) { const c = _edgeConnections.get(envId); if (c) c.lastHeartbeat = new Date(); }
+		ws.send(JSON.stringify({ type: 'pong', timestamp: Date.now() }));
+	} else if (msg.type === 'pong') {
+		const envId = _wsToEnvId.get(ws);
+		if (envId) { const c = _edgeConnections.get(envId); if (c) c.lastHeartbeat = new Date(); }
+	} else if (msg.type === 'response') {
+		const envId = _wsToEnvId.get(ws);
+		if (!envId) {
+			console.warn('[Hawser] Response from unknown WebSocket, requestId=' + msg.requestId);
+			return;
+		}
+		const conn = _edgeConnections.get(envId);
+		if (conn) {
+			const pending = conn.pendingRequests.get(msg.requestId);
+			if (pending) {
+				clearTimeout(pending.timeout);
+				conn.pendingRequests.delete(msg.requestId);
+				pending.resolve({ statusCode: msg.statusCode, headers: msg.headers || {}, body: msg.body || '', isBinary: msg.isBinary || false });
+			} else {
+				console.warn('[Hawser] Response for unknown request ' + msg.requestId + ' on env ' + envId);
+			}
+		}
+	} else if (msg.type === 'stream') {
+		const envId = _wsToEnvId.get(ws);
+		if (!envId) {
+			console.warn('[Hawser] Stream data from unknown WebSocket, requestId=' + msg.requestId);
+			return;
+		}
+		const conn = _edgeConnections.get(envId);
+		if (conn?.pendingStreamRequests) {
+			const pending = conn.pendingStreamRequests.get(msg.requestId);
+			if (pending) {
+				pending.onData(msg.data, msg.stream);
+			} else {
+				console.warn('[Hawser] Stream data for unknown request ' + msg.requestId + ' on env ' + envId);
+			}
+		}
+	} else if (msg.type === 'stream_end') {
+		const envId = _wsToEnvId.get(ws);
+		if (!envId) {
+			console.warn('[Hawser] Stream end from unknown WebSocket, requestId=' + msg.requestId);
+			return;
+		}
+		const conn = _edgeConnections.get(envId);
+		if (conn?.pendingStreamRequests) {
+			const pending = conn.pendingStreamRequests.get(msg.requestId);
+			if (pending) {
+				conn.pendingStreamRequests.delete(msg.requestId);
+				pending.onEnd(msg.reason);
+			} else {
+				console.warn('[Hawser] Stream end for unknown request ' + msg.requestId + ' on env ' + envId);
+			}
+		}
+	} else if (msg.type === 'exec_ready') {
+		const session = _edgeExecSessions.get(msg.execId);
+		if (session?.ws?.readyState === 1) console.log('[Hawser] Exec ready:', msg.execId);
+	} else if (msg.type === 'exec_output') {
+		const session = _edgeExecSessions.get(msg.execId);
+		if (session?.ws?.readyState === 1) {
+			const data = Buffer.from(msg.data, 'base64').toString('utf-8');
+			session.ws.send(JSON.stringify({ type: 'output', data }));
+		}
+	} else if (msg.type === 'exec_end') {
+		const session = _edgeExecSessions.get(msg.execId);
+		if (session) {
+			console.log('[Hawser] Exec ended:', msg.execId);
+			if (session.ws?.readyState === 1) { session.ws.send(JSON.stringify({ type: 'exit' })); session.ws.close(); }
+			_edgeExecSessions.delete(msg.execId);
+		}
+	} else if (msg.type === 'container_event') {
+		const envId = _wsToEnvId.get(ws);
+		if (envId && msg.event) {
+			// Call the global handler registered by hawser.ts
+			if (globalThis.__hawserHandleContainerEvent) {
+				globalThis.__hawserHandleContainerEvent(envId, msg.event).catch((err) => {
+					console.error('[Hawser] Error handling container event:', err);
+				});
+			}
+		}
+	} else if (msg.type === 'metrics') {
+		// Metrics from agent - save to database for dashboard graphs
+		const envId = _wsToEnvId.get(ws);
+		if (envId && msg.metrics) {
+			if (globalThis.__hawserHandleMetrics) {
+				globalThis.__hawserHandleMetrics(envId, msg.metrics).catch((err) => {
+					console.error('[Hawser] Error saving metrics:', err);
+				});
+			}
+		}
+	}
+}
+
+// Expose send function for hawser.ts module
+globalThis.__hawserSendMessage = (envId, message) => {
+	const conn = _edgeConnections.get(envId);
+	if (!conn?.ws) return false;
+	try { conn.ws.send(message); return true; } catch { return false; }
+};
+
+// ============ Combined WebSocket Handler ============
+const combinedWebsocket = {
+	async open(ws) {
+		const connType = ws.data?.type;
+
+		// Hawser Edge connection - wait for hello message
+		if (connType === 'hawser') {
+			console.log('[Hawser] New connection pending authentication');
+			return;
+		}
+
+		// Terminal connection
+		const connId = 'ws-' + (++_wsConnCounter);
+		ws.data = ws.data || {};
+		ws.data.connId = connId;
+		const { containerId, shell, user, envId, mode } = ws.data;
+		if (!containerId) { ws.send(JSON.stringify({ type: 'error', message: 'No container ID' })); ws.close(); return; }
+		const target = await _getDockerTarget(envId);
+		const isAttach = mode === 'attach';
+		console.log('[WS] Open:', connId, containerId, 'mode:', mode || 'exec', 'target:', target.type);
+
+		// Handle Hawser Edge terminal
+		if (target.type === 'hawser-edge') {
+			const conn = _edgeConnections.get(target.environmentId);
+			if (!conn) { ws.send(JSON.stringify({ type: 'error', message: 'Edge agent not connected' })); ws.close(); return; }
+			const execId = crypto.randomUUID();
+			_edgeExecSessions.set(execId, { ws, execId, environmentId: target.environmentId });
+			ws.data.edgeExecId = execId;
+			if (isAttach) {
+				conn.ws.send(JSON.stringify({ type: 'attach', containerId, attachId: execId }));
+			} else {
+				conn.ws.send(JSON.stringify({ type: 'exec_start', execId, containerId, cmd: shell || '/bin/sh', user: user || 'root', cols: 120, rows: 30 }));
+			}
+			return;
+		}
+
+		try {
+			let execId;
+			let httpRequest;
+			
+			if (isAttach) {
+				// Attach directly to container streams
+				execId = crypto.randomUUID();
+				const tokenHeader = target.type === 'tcp' && target.hawserToken ? 'X-Hawser-Token: ' + target.hawserToken + '\\r\\n' : '';
+				httpRequest = 'POST /containers/' + containerId + '/attach?stream=1&stdout=1&stderr=1&stdin=1 HTTP/1.1\\r\\nHost: localhost\\r\\nContent-Type: application/json\\r\\n' + tokenHeader + 'Connection: Upgrade\\r\\nUpgrade: tcp\\r\\nContent-Length: 0\\r\\n\\r\\n';
+			} else {
+				// Create exec instance for shell
+				const exec = await createExec(containerId, [shell || '/bin/sh'], user || 'root', target);
+				execId = exec.Id;
+				const body = JSON.stringify({ Detach: false, Tty: true });
+				const tokenHeader = target.type === 'tcp' && target.hawserToken ? 'X-Hawser-Token: ' + target.hawserToken + '\\r\\n' : '';
+				httpRequest = 'POST /exec/' + execId + '/start HTTP/1.1\\r\\nHost: localhost\\r\\nContent-Type: application/json\\r\\n' + tokenHeader + 'Connection: Upgrade\\r\\nUpgrade: tcp\\r\\nContent-Length: ' + body.length + '\\r\\n\\r\\n' + body;
+			}
+			
+			let dockerStream;
+			let headersStripped = false;
+			let isChunked = false;
+			const socketHandler = {
+				data(socket, data) {
+					if (ws.readyState === 1) {
+						let text = new TextDecoder().decode(data);
+						if (!headersStripped) {
+							if (text.toLowerCase().includes('transfer-encoding: chunked')) isChunked = true;
+							const i = text.indexOf('\\r\\n\\r\\n');
+							if (i > -1) { text = text.slice(i + 4); headersStripped = true; }
+							else if (text.startsWith('HTTP/')) return;
+						}
+						if (isChunked && text) text = text.replace(/^[0-9a-fA-F]+\\r\\n/gm, '').replace(/\\r\\n$/g, '');
+						if (text) ws.send(JSON.stringify({ type: 'output', data: text }));
+					}
+				},
+				close() { if (ws.readyState === 1) { ws.send(JSON.stringify({ type: 'exit' })); ws.close(); } },
+				error() {},
+				open(socket) {
+					socket.write(httpRequest);
+				}
+			};
+			if (target.type === 'unix') {
+				dockerStream = await Bun.connect({ unix: target.socket, socket: socketHandler });
+			} else {
+				dockerStream = await Bun.connect({ hostname: target.host, port: target.port, socket: socketHandler });
+			}
+			dockerStreams.set(connId, { stream: dockerStream, execId, target });
+		} catch (e) { ws.send(JSON.stringify({ type: 'error', message: e.message })); ws.close(); }
+	},
+	async message(ws, message) {
+		const connType = ws.data?.type;
+
+		// Hawser Edge message
+		if (connType === 'hawser') {
+			try {
+				let msgStr = typeof message === 'string' ? message : message instanceof ArrayBuffer ? new TextDecoder().decode(message) : Buffer.isBuffer(message) ? message.toString('utf-8') : new TextDecoder().decode(new Uint8Array(message));
+				const msg = JSON.parse(msgStr);
+				await _handleHawserMessage(ws, msg);
+			} catch (e) {
+				console.error('[Hawser] Error:', e.message);
+				ws.send(JSON.stringify({ type: 'error', error: e.message }));
+			}
+			return;
+		}
+
+		// Edge exec session input
+		const edgeExecId = ws.data?.edgeExecId;
+		if (edgeExecId) {
+			const session = _edgeExecSessions.get(edgeExecId);
+			if (session) {
+				const conn = _edgeConnections.get(session.environmentId);
+				if (conn) {
+					try {
+						const msg = JSON.parse(message.toString());
+						if (msg.type === 'input') conn.ws.send(JSON.stringify({ type: 'exec_input', execId: edgeExecId, data: Buffer.from(msg.data).toString('base64') }));
+						else if (msg.type === 'resize') conn.ws.send(JSON.stringify({ type: 'exec_resize', execId: edgeExecId, cols: msg.cols, rows: msg.rows }));
+					} catch {}
+				}
+			}
+			return;
+		}
+
+		// Terminal message
+		const connId = ws.data?.connId;
+		if (!connId) return;
+		const d = dockerStreams.get(connId);
+		if (!d) return;
+		try {
+			const msg = JSON.parse(message.toString());
+			if (msg.type === 'input' && d.stream) d.stream.write(msg.data);
+			else if (msg.type === 'resize' && d.execId) resizeExec(d.execId, msg.cols, msg.rows, d.target);
+		} catch { if (d.stream) d.stream.write(message); }
+	},
+	close(ws) {
+		const connType = ws.data?.type;
+
+		// Hawser Edge disconnection
+		if (connType === 'hawser') {
+			const envId = _wsToEnvId.get(ws);
+			if (envId) {
+				const conn = _edgeConnections.get(envId);
+				if (conn) {
+					console.log('[Hawser] Agent disconnected:', conn.agentId);
+					// Clear server-side ping interval
+					if (conn.pingInterval) { clearInterval(conn.pingInterval); conn.pingInterval = null; }
+					for (const [, p] of conn.pendingRequests) { clearTimeout(p.timeout); p.reject(new Error('Connection closed')); }
+					for (const [, p] of conn.pendingStreamRequests) { p.onEnd('Connection closed'); }
+					_edgeConnections.delete(envId);
+					_updateEnvStatus(envId, null);
+				}
+				_wsToEnvId.delete(ws);
+			}
+			return;
+		}
+
+		// Edge exec session close
+		const edgeExecId = ws.data?.edgeExecId;
+		if (edgeExecId) {
+			const session = _edgeExecSessions.get(edgeExecId);
+			if (session) {
+				const conn = _edgeConnections.get(session.environmentId);
+				if (conn) conn.ws.send(JSON.stringify({ type: 'exec_end', execId: edgeExecId, reason: 'user_closed' }));
+				_edgeExecSessions.delete(edgeExecId);
+			}
+			return;
+		}
+
+		// Terminal close
+		const connId = ws.data?.connId;
+		if (!connId) return;
+		const d = dockerStreams.get(connId);
+		if (d?.stream) d.stream.end();
+		dockerStreams.delete(connId);
+	}
+};
+`;
+
+	const insertPoint = content.indexOf('var path = env(');
+	if (insertPoint > -1) {
+		content = content.slice(0, insertPoint) + wsHandler + content.slice(insertPoint);
+	}
+
+	content = content.replace(
+		'var { fetch: handlerFetch, websocket } = getHandler();',
+		'var { fetch: handlerFetch, websocket: _ } = getHandler(); var websocket = combinedWebsocket;'
+	);
+
+	await Bun.write(indexPath, content);
+	console.log('✓ Patched index.js');
+}
+
+console.log('Patching build...');
+await patchHandler();
+await patchIndex();
+console.log('✓ Done');
diff --git a/src/LICENSE.txt b/src/LICENSE.txt
new file mode 100644
index 0000000..86472ee
--- /dev/null
+++ b/src/LICENSE.txt
@@ -0,0 +1,128 @@
+Business Source License 1.1
+
+License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved.
+"Business Source License" is a trademark of MariaDB Corporation Ab.
+
+-----------------------------------------------------------------------------
+
+Parameters
+
+Licensor:             Finsys / Jarek Krochmalski
+
+Licensed Work:        Dockhand
+                      The Licensed Work is (c) 2025-2026 Finsys / Jarek Krochmalski.
+
+Additional Use Grant: You may use the Licensed Work for any purpose, including
+                      production use, provided that you do not offer the Licensed
+                      Work, or any derivative work of the Licensed Work, to third
+                      parties as a commercial hosted service, managed service, or
+                      software-as-a-service (SaaS) offering where the primary value
+                      proposition to users is Docker container management
+                      functionality substantially similar to the Licensed Work.
+
+                      For clarity, the following uses are explicitly permitted
+                      without any restriction:
+
+                      (a) Personal use, including home labs and hobby projects
+                      (b) Internal business use within your organization, regardless
+                          of the number of Docker environments managed
+                      (c) Use by non-profit organizations and charitable entities
+                      (d) Educational, academic, and research purposes
+                      (e) Evaluation, testing, development, and demonstration purposes
+                      (f) Embedding or integrating the Licensed Work into internal
+                          tools or platforms that are not offered commercially to
+                          third parties
+                      (g) Use by managed service providers (MSPs) to manage Docker
+                          infrastructure on behalf of their clients, provided the
+                          MSP does not offer Dockhand itself as the service
+
+Change Date:          January 1, 2029
+
+Change License:       Apache License, Version 2.0
+
+-----------------------------------------------------------------------------
+
+Terms
+
+The Licensor hereby grants you the right to copy, modify, create derivative
+works, redistribute, and make non-production use of the Licensed Work. The
+Licensor may make an Additional Use Grant, above, permitting limited
+production use.
+
+Effective on the Change Date, or the fourth anniversary of the first publicly
+available distribution of a specific version of the Licensed Work under this
+License, whichever comes first, the Licensor hereby grants you rights under
+the terms of the Change License, and the rights granted in the paragraph
+above terminate.
+
+If your use of the Licensed Work does not comply with the requirements
+currently in effect as described in this License, you must purchase a
+commercial license from the Licensor, its affiliated entities, or authorized
+resellers, or you must refrain from using the Licensed Work.
+
+All copies of the original and modified Licensed Work, and derivative works
+of the Licensed Work, are subject to this License. This License applies
+separately for each version of the Licensed Work and the Change Date may vary
+for each version of the Licensed Work released by Licensor.
+
+You must conspicuously display this License on each original or modified copy
+of the Licensed Work. If you receive the Licensed Work in original or
+modified form from a third party, the terms and conditions set forth in this
+License apply to your use of that work.
+
+Any use of the Licensed Work in violation of this License will automatically
+terminate your rights under this License for the current and all other
+versions of the Licensed Work.
+
+This License does not grant you any right in any trademark or logo of
+Licensor or its affiliates (provided that you may use a trademark or logo of
+Licensor as expressly required by this License).
+
+TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
+AN "AS IS" BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
+EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
+TITLE.
+
+MariaDB hereby grants you permission to use this License's text to license
+your works, and to refer to it using the trademark "Business Source License",
+as long as you comply with the Covenants of Licensor below.
+
+-----------------------------------------------------------------------------
+
+Covenants of Licensor
+
+In consideration of the right to use this License's text and the "Business
+Source License" name and trademark, Licensor covenants to MariaDB, and to all
+other recipients of the licensed work to be provided by Licensor:
+
+1. To specify as the Change License the GPL Version 2.0 or any later version,
+   or a license that is compatible with GPL Version 2.0 or a later version,
+   where "compatible" means that software provided under the Change License can
+   be included in a program with software provided under GPL Version 2.0 or a
+   later version. Licensor may specify additional Change Licenses without
+   limitation.
+
+2. To either: (a) specify an additional grant of rights to use that does not
+   impose any additional restriction on the right granted in this License, as
+   the Additional Use Grant; or (b) insert the text "None".
+
+3. To specify a Change Date.
+
+4. Not to modify this License in any other way.
+
+-----------------------------------------------------------------------------
+
+Notice
+
+The Business Source License (this document, or the "License") is not an Open
+Source license. However, the Licensed Work will eventually be made available
+under an Open Source License, as stated in this License.
+
+-----------------------------------------------------------------------------
+
+For licensing inquiries, commercial licensing, or enterprise features:
+
+  Website: https://dockhand.io
+
+-----------------------------------------------------------------------------
diff --git a/app.css b/src/app.css
similarity index 100%
rename from app.css
rename to src/app.css
diff --git a/app.d.ts b/src/app.d.ts
similarity index 100%
rename from app.d.ts
rename to src/app.d.ts
diff --git a/app.html b/src/app.html
similarity index 99%
rename from app.html
rename to src/app.html
index 5f6ec02..d96ece1 100644
--- a/app.html
+++ b/src/app.html
@@ -13,5 +13,3 @@
 		<div style="display: contents">%sveltekit.body%</div>
 	</body>
 </html>
-
-
diff --git a/hooks.server.ts b/src/hooks.server.ts
similarity index 92%
rename from hooks.server.ts
rename to src/hooks.server.ts
index 0e07423..c5bb24f 100644
--- a/hooks.server.ts
+++ b/src/hooks.server.ts
@@ -4,6 +4,7 @@ import { startScheduler } from '$lib/server/scheduler';
 import { isAuthEnabled, validateSession } from '$lib/server/auth';
 import { setServerStartTime } from '$lib/server/uptime';
 import { checkLicenseExpiry, getHostname } from '$lib/server/license';
+import { initCryptoFallback } from '$lib/server/crypto-fallback';
 import type { HandleServerError, Handle } from '@sveltejs/kit';
 import { redirect } from '@sveltejs/kit';
 
@@ -20,6 +21,9 @@ let initialized = false;
 
 if (!initialized) {
 	try {
+		// Initialize crypto fallback first (detects old kernels and logs status)
+		initCryptoFallback();
+
 		setServerStartTime(); // Track when server started
 		initDatabase();
 		// Log hostname for license validation (set by entrypoint in Docker, or os.hostname() outside)
@@ -68,11 +72,16 @@ const PUBLIC_PATHS = [
 	'/api/auth/oidc',
 	'/api/license',
 	'/api/changelog',
-	'/api/dependencies'
+	'/api/dependencies',
+	'/api/health'
 ];
 
 // Check if path is public
 function isPublicPath(pathname: string): boolean {
+	// Webhook endpoints have their own auth (signature/secret verification)
+	if (pathname.match(/^\/api\/git\/stacks\/\d+\/webhook$/)) return true;
+	if (pathname.match(/^\/api\/git\/webhook\/\d+$/)) return true;
+
 	return PUBLIC_PATHS.some(path => pathname === path || pathname.startsWith(path + '/'));
 }
 
diff --git a/images/logo.webp b/src/images/logo.webp
similarity index 100%
rename from images/logo.webp
rename to src/images/logo.webp
diff --git a/lib/actions/column-resize.ts b/src/lib/actions/column-resize.ts
similarity index 100%
rename from lib/actions/column-resize.ts
rename to src/lib/actions/column-resize.ts
diff --git a/lib/assets/favicon.svg b/src/lib/assets/favicon.svg
similarity index 100%
rename from lib/assets/favicon.svg
rename to src/lib/assets/favicon.svg
diff --git a/lib/components/AvatarCropper.svelte b/src/lib/components/AvatarCropper.svelte
similarity index 100%
rename from lib/components/AvatarCropper.svelte
rename to src/lib/components/AvatarCropper.svelte
diff --git a/lib/components/BatchOperationModal.svelte b/src/lib/components/BatchOperationModal.svelte
similarity index 100%
rename from lib/components/BatchOperationModal.svelte
rename to src/lib/components/BatchOperationModal.svelte
diff --git a/lib/components/CodeEditor.svelte b/src/lib/components/CodeEditor.svelte
similarity index 84%
rename from lib/components/CodeEditor.svelte
rename to src/lib/components/CodeEditor.svelte
index f49406f..0e76cb9 100644
--- a/lib/components/CodeEditor.svelte
+++ b/src/lib/components/CodeEditor.svelte
@@ -2,12 +2,54 @@
 	import { onMount, onDestroy } from 'svelte';
 	import { EditorState, StateField, StateEffect, RangeSet } from '@codemirror/state';
 	import { EditorView, keymap, lineNumbers, highlightActiveLine, highlightActiveLineGutter, gutter, GutterMarker, Decoration, WidgetType, type DecorationSet } from '@codemirror/view';
+	// Note: Secret masking was removed - secrets are now excluded from the raw editor entirely
+	// and are only stored in the database (never written to .env file)
 	import { defaultKeymap, history, historyKeymap, indentWithTab } from '@codemirror/commands';
-	import { syntaxHighlighting, defaultHighlightStyle, indentOnInput, bracketMatching } from '@codemirror/language';
+	import { syntaxHighlighting, defaultHighlightStyle, indentOnInput, bracketMatching, StreamLanguage, type StreamParser } from '@codemirror/language';
 	import { searchKeymap, highlightSelectionMatches } from '@codemirror/search';
 	import { autocompletion, completionKeymap, closeBrackets, closeBracketsKeymap, type CompletionContext, type CompletionResult } from '@codemirror/autocomplete';
 	import { oneDarkHighlightStyle } from '@codemirror/theme-one-dark';
 
+	// Simple dotenv/env file language parser
+	const dotenvParser: StreamParser<{ inValue: boolean }> = {
+		startState() {
+			return { inValue: false };
+		},
+		token(stream, state) {
+			// Start of line
+			if (stream.sol()) {
+				state.inValue = false;
+				// Skip leading whitespace
+				stream.eatSpace();
+				// Comment line
+				if (stream.peek() === '#') {
+					stream.skipToEnd();
+					return 'comment';
+				}
+			}
+			// If in value part, consume the rest
+			if (state.inValue) {
+				stream.skipToEnd();
+				return 'string';
+			}
+			// Variable name before =
+			if (stream.match(/^[a-zA-Z_][a-zA-Z0-9_]*/)) {
+				if (stream.peek() === '=') {
+					return 'variableName.definition';
+				}
+				return 'variableName';
+			}
+			// Equals sign - switch to value mode
+			if (stream.eat('=')) {
+				state.inValue = true;
+				return 'operator';
+			}
+			// Skip anything else
+			stream.next();
+			return null;
+		}
+	};
+
 	// Docker Compose keywords for autocomplete
 	const COMPOSE_TOP_LEVEL = ['services', 'networks', 'volumes', 'configs', 'secrets', 'name', 'version'];
 
@@ -172,7 +214,10 @@
 		variableMarkers?: VariableMarker[];
 	}
 
-	let { value = '', language = 'yaml', readonly = false, theme = 'dark', onchange, class: className = '', variableMarkers = [] }: Props = $props();
+	let { value = '', language = 'yaml', readonly = false, theme = 'dark', onchange, class: className = '', variableMarkers: variableMarkersProp = [] }: Props = $props();
+
+	// Keep markers reactive - destructured props with defaults lose reactivity
+	const variableMarkers = $derived(variableMarkersProp);
 
 	let container: HTMLDivElement;
 	let view: EditorView | null = null;
@@ -180,6 +225,9 @@
 	// Mutable ref for callback - allows updating without recreating editor
 	let onchangeRef: ((value: string) => void) | undefined = onchange;
 
+	// Flag to suppress onchange during programmatic value sync
+	let isSyncingExternalValue = false;
+
 	// Keep callback ref updated when prop changes
 	$effect(() => {
 		onchangeRef = onchange;
@@ -453,6 +501,9 @@
 			case 'sh':
 				// No dedicated shell/dockerfile support, use basic highlighting
 				return [];
+			case 'dotenv':
+			case 'env':
+				return StreamLanguage.define(dotenvParser);
 			default:
 				return [];
 		}
@@ -542,6 +593,13 @@
 	// Track if we're initialized (prevents multiple createEditor calls)
 	let initialized = false;
 
+	// Debounce timer for marker updates (prevents flicker during fast typing)
+	let markerUpdateTimer: ReturnType<typeof setTimeout> | null = null;
+	const MARKER_UPDATE_DEBOUNCE_MS = 300;
+
+	// Track last applied markers to avoid redundant updates
+	let lastAppliedMarkersJson = '';
+
 	function createEditor() {
 		if (!container || view || initialized) return;
 		initialized = true;
@@ -551,12 +609,14 @@
 			: [dockhandLight, syntaxHighlighting(defaultHighlightStyle)];
 
 		// Build autocompletion config - add Docker Compose completions for YAML
+		// Note: activateOnTyping can interfere with key repeat, so we disable it
+		// Users can still trigger autocomplete manually with Ctrl+Space
 		const autocompletionConfig = language === 'yaml'
 			? autocompletion({
 				override: [composeCompletions, composeValueCompletions],
-				activateOnTyping: true
+				activateOnTyping: false
 			})
-			: autocompletion();
+			: autocompletion({ activateOnTyping: false });
 
 		const extensions = [
 			lineNumbers(),
@@ -594,18 +654,26 @@
 			extensions
 		});
 
-		// Custom transaction handler - this is SYNCHRONOUS and more reliable than updateListener
+		// Custom transaction handler - applies transactions synchronously but defers callback
 		// Based on the Svelte Playground pattern: https://svelte.dev/playground/91649ba3e0ce4122b3b34f3a95a00104
 		const dispatchTransactions = (trs: readonly import('@codemirror/state').Transaction[]) => {
 			if (!view) return;
 
-			// Apply all transactions
+			// Apply all transactions synchronously (required by CodeMirror)
 			view.update(trs);
 
 			// Check if any transaction changed the document
+			// Skip onchange during programmatic value sync (only fire for user edits)
 			const lastChangingTr = trs.findLast(tr => tr.docChanged);
-			if (lastChangingTr && onchangeRef) {
-				onchangeRef(lastChangingTr.newDoc.toString());
+			if (lastChangingTr && onchangeRef && !isSyncingExternalValue) {
+				// Defer callback to next microtask to avoid blocking input handling
+				// This allows key repeat to work properly
+				const newContent = lastChangingTr.newDoc.toString();
+				queueMicrotask(() => {
+					if (onchangeRef) {
+						onchangeRef(newContent);
+					}
+				});
 			}
 		};
 
@@ -615,7 +683,6 @@
 			dispatchTransactions
 		});
 
-
 		// Push initial markers if provided
 		if (variableMarkers.length > 0) {
 			view.dispatch({
@@ -625,11 +692,16 @@
 	}
 
 	function destroyEditor() {
+		if (markerUpdateTimer) {
+			clearTimeout(markerUpdateTimer);
+			markerUpdateTimer = null;
+		}
 		if (view) {
 			view.destroy();
 			view = null;
 		}
 		initialized = false;
+		lastAppliedMarkersJson = '';
 	}
 
 	// Get current editor content
@@ -656,11 +728,35 @@
 	}
 
 	// Update variable markers - this is the key method for parent to call
-	export function updateVariableMarkers(markers: VariableMarker[]) {
-		if (view) {
-			view.dispatch({
-				effects: updateMarkersEffect.of(markers)
-			});
+	// Debounced to prevent flicker during fast typing
+	export function updateVariableMarkers(markers: VariableMarker[], immediate = false) {
+		if (!view) return;
+
+		// Check if markers actually changed (compare by content, not reference)
+		const newJson = JSON.stringify(markers);
+		if (newJson === lastAppliedMarkersJson) {
+			return; // No change, skip update
+		}
+
+		// Clear any pending update
+		if (markerUpdateTimer) {
+			clearTimeout(markerUpdateTimer);
+			markerUpdateTimer = null;
+		}
+
+		const applyUpdate = () => {
+			if (view) {
+				lastAppliedMarkersJson = newJson;
+				view.dispatch({
+					effects: updateMarkersEffect.of(markers)
+				});
+			}
+		};
+
+		if (immediate) {
+			applyUpdate();
+		} else {
+			markerUpdateTimer = setTimeout(applyUpdate, MARKER_UPDATE_DEBOUNCE_MS);
 		}
 	}
 
@@ -693,12 +789,29 @@
 	});
 
 	// Update markers when prop changes (backup mechanism, parent should also call updateVariableMarkers)
+	// Uses the debounced update to prevent flicker during fast typing
 	$effect(() => {
 		const markers = variableMarkers;
 		if (view && markers) {
-			view.dispatch({
-				effects: updateMarkersEffect.of(markers)
-			});
+			updateVariableMarkers(markers);
+		}
+	});
+
+	// Sync external value changes to the editor (e.g., when parent clears the content)
+	$effect(() => {
+		const externalValue = value;
+		if (view) {
+			const currentContent = view.state.doc.toString();
+			// Only update if the external value differs from editor content
+			// This prevents feedback loops from editor changes
+			if (externalValue !== currentContent) {
+				// Suppress onchange during programmatic sync - only user edits should trigger it
+				isSyncingExternalValue = true;
+				view.dispatch({
+					changes: { from: 0, to: currentContent.length, insert: externalValue }
+				});
+				isSyncingExternalValue = false;
+			}
 		}
 	});
 </script>
@@ -706,7 +819,6 @@
 <div
 	bind:this={container}
 	class="h-full w-full overflow-hidden {className}"
-	onkeydown={(e) => e.stopPropagation()}
 ></div>
 
 <style>
diff --git a/lib/components/ColumnSettingsPopover.svelte b/src/lib/components/ColumnSettingsPopover.svelte
similarity index 100%
rename from lib/components/ColumnSettingsPopover.svelte
rename to src/lib/components/ColumnSettingsPopover.svelte
diff --git a/lib/components/CommandPalette.svelte b/src/lib/components/CommandPalette.svelte
similarity index 100%
rename from lib/components/CommandPalette.svelte
rename to src/lib/components/CommandPalette.svelte
diff --git a/lib/components/ConfirmPopover.svelte b/src/lib/components/ConfirmPopover.svelte
similarity index 97%
rename from lib/components/ConfirmPopover.svelte
rename to src/lib/components/ConfirmPopover.svelte
index ace900f..9fe0c28 100644
--- a/lib/components/ConfirmPopover.svelte
+++ b/src/lib/components/ConfirmPopover.svelte
@@ -61,7 +61,6 @@
 	});
 
 	function handleConfirm() {
-		console.log('[ConfirmPopover] handleConfirm called, onConfirm:', typeof onConfirm);
 		onConfirm();
 		open = false;
 		onOpenChange(false);
diff --git a/lib/components/ExecutionLogViewer.svelte b/src/lib/components/ExecutionLogViewer.svelte
similarity index 100%
rename from lib/components/ExecutionLogViewer.svelte
rename to src/lib/components/ExecutionLogViewer.svelte
diff --git a/lib/components/MultiSelectFilter.svelte b/src/lib/components/MultiSelectFilter.svelte
similarity index 100%
rename from lib/components/MultiSelectFilter.svelte
rename to src/lib/components/MultiSelectFilter.svelte
diff --git a/lib/components/PageHeader.svelte b/src/lib/components/PageHeader.svelte
similarity index 100%
rename from lib/components/PageHeader.svelte
rename to src/lib/components/PageHeader.svelte
diff --git a/lib/components/PasswordStrengthIndicator.svelte b/src/lib/components/PasswordStrengthIndicator.svelte
similarity index 100%
rename from lib/components/PasswordStrengthIndicator.svelte
rename to src/lib/components/PasswordStrengthIndicator.svelte
diff --git a/lib/components/PullTab.svelte b/src/lib/components/PullTab.svelte
similarity index 97%
rename from lib/components/PullTab.svelte
rename to src/lib/components/PullTab.svelte
index 6854f39..83091be 100644
--- a/lib/components/PullTab.svelte
+++ b/src/lib/components/PullTab.svelte
@@ -46,6 +46,8 @@
 	let status = $state<PullStatus>('idle');
 	let image = $state(initialImageName);
 	let duration = $state(0);
+	// Track whether image was set from initial prop vs typed by user
+	let hasAutoStarted = $state(false);
 
 	// Notify parent of status changes
 	$effect(() => {
@@ -82,8 +84,10 @@
 		onImageChange?.(image);
 	});
 
+	// Auto-start only once for prefilled images, not when user is typing
 	$effect(() => {
-		if (autoStart && image && status === 'idle') {
+		if (autoStart && initialImageName && image === initialImageName && status === 'idle' && !hasAutoStarted) {
+			hasAutoStarted = true;
 			startPull();
 		}
 	});
@@ -133,6 +137,7 @@
 		layerOrder = 0;
 		outputLines = [];
 		duration = 0;
+		hasAutoStarted = false;
 	}
 
 	export function getImage() {
diff --git a/lib/components/PushTab.svelte b/src/lib/components/PushTab.svelte
similarity index 100%
rename from lib/components/PushTab.svelte
rename to src/lib/components/PushTab.svelte
diff --git a/lib/components/ScanTab.svelte b/src/lib/components/ScanTab.svelte
similarity index 100%
rename from lib/components/ScanTab.svelte
rename to src/lib/components/ScanTab.svelte
diff --git a/lib/components/ScannerSeverityPills.svelte b/src/lib/components/ScannerSeverityPills.svelte
similarity index 100%
rename from lib/components/ScannerSeverityPills.svelte
rename to src/lib/components/ScannerSeverityPills.svelte
diff --git a/lib/components/Sidebar.svelte b/src/lib/components/Sidebar.svelte
similarity index 100%
rename from lib/components/Sidebar.svelte
rename to src/lib/components/Sidebar.svelte
diff --git a/lib/components/StackEnvVarsEditor.svelte b/src/lib/components/StackEnvVarsEditor.svelte
similarity index 96%
rename from lib/components/StackEnvVarsEditor.svelte
rename to src/lib/components/StackEnvVarsEditor.svelte
index 76bb626..e0e4ff3 100644
--- a/lib/components/StackEnvVarsEditor.svelte
+++ b/src/lib/components/StackEnvVarsEditor.svelte
@@ -27,6 +27,7 @@
 		sources?: Record<string, 'file' | 'override'>; // Key -> source mapping
 		placeholder?: { key: string; value: string };
 		existingSecretKeys?: Set<string>; // Keys of secrets loaded from DB (can't toggle visibility)
+		onchange?: () => void;
 	}
 
 	let {
@@ -36,7 +37,8 @@
 		showSource = false,
 		sources = {},
 		placeholder = { key: 'VARIABLE_NAME', value: 'value' },
-		existingSecretKeys = new Set<string>()
+		existingSecretKeys = new Set<string>(),
+		onchange
 	}: Props = $props();
 
 	// Check if a variable is an existing secret that was loaded from DB
@@ -46,14 +48,17 @@
 
 	function addVariable() {
 		variables = [...variables, { key: '', value: '', isSecret: false }];
+		onchange?.();
 	}
 
 	function removeVariable(index: number) {
 		variables = variables.filter((_, i) => i !== index);
+		onchange?.();
 	}
 
 	function toggleSecret(index: number) {
 		variables[index].isSecret = !variables[index].isSecret;
+		onchange?.();
 	}
 
 	// Check if a variable key is missing (required but not defined)
@@ -99,7 +104,7 @@
 <div class="space-y-3">
 	<!-- Variables List -->
 	<div class="space-y-3">
-		{#each variables as variable, index}
+		{#each variables as variable, index (`${index}-${variable.key}`)}
 			{@const source = getSource(variable.key)}
 			{@const isVarRequired = isRequired(variable.key)}
 			{@const isVarOptional = isOptional(variable.key)}
@@ -163,6 +168,7 @@
 					<Input
 						bind:value={variable.key}
 						disabled={readonly}
+						oninput={() => onchange?.()}
 						class="h-9 font-mono text-xs"
 					/>
 				</div>
@@ -174,6 +180,7 @@
 						bind:value={variable.value}
 						type={variable.isSecret ? 'password' : 'text'}
 						disabled={readonly}
+						oninput={() => onchange?.()}
 						class="h-9 font-mono text-xs"
 					/>
 				</div>
diff --git a/src/lib/components/StackEnvVarsPanel.svelte b/src/lib/components/StackEnvVarsPanel.svelte
new file mode 100644
index 0000000..df98404
--- /dev/null
+++ b/src/lib/components/StackEnvVarsPanel.svelte
@@ -0,0 +1,463 @@
+<script lang="ts">
+	import { tick } from 'svelte';
+	import { Button } from '$lib/components/ui/button';
+	import StackEnvVarsEditor, { type EnvVar, type ValidationResult } from '$lib/components/StackEnvVarsEditor.svelte';
+	import CodeEditor from '$lib/components/CodeEditor.svelte';
+	import ConfirmPopover from '$lib/components/ConfirmPopover.svelte';
+	import { Plus, Info, Upload, Trash2, List, FileText, AlertTriangle, ShieldAlert } from 'lucide-svelte';
+	import * as Tooltip from '$lib/components/ui/tooltip';
+
+	interface Props {
+		variables: EnvVar[]; // Bindable - ALL variables (secrets + non-secrets)
+		rawContent: string; // Bindable - raw .env file content (comments preserved, no secrets)
+		validation?: ValidationResult | null;
+		readonly?: boolean;
+		showSource?: boolean;
+		sources?: Record<string, 'file' | 'override'>;
+		placeholder?: { key: string; value: string };
+		infoText?: string;
+		existingSecretKeys?: Set<string>;
+		theme?: 'light' | 'dark';
+		class?: string;
+		onchange?: () => void;
+	}
+
+	let {
+		variables = $bindable([]),
+		rawContent = $bindable(''),
+		validation = null,
+		readonly = false,
+		showSource = false,
+		sources = {},
+		placeholder = { key: 'VARIABLE_NAME', value: 'value' },
+		infoText,
+		existingSecretKeys = new Set<string>(),
+		theme = 'dark',
+		class: className = '',
+		onchange
+	}: Props = $props();
+
+	const STORAGE_KEY_VIEW_MODE = 'dockhand-env-vars-view-mode';
+
+	let fileInputRef: HTMLInputElement;
+	let viewMode = $state<'form' | 'text'>(
+		(typeof localStorage !== 'undefined' && localStorage.getItem(STORAGE_KEY_VIEW_MODE) as 'form' | 'text') || 'form'
+	);
+	let confirmClearOpen = $state(false);
+	let contentAreaRef: HTMLDivElement;
+	let parseWarnings = $state<string[]>([]);
+
+	// Count of secrets (for display in hint)
+	const secretCount = $derived(variables.filter(v => v.isSecret && v.key.trim()).length);
+
+	/**
+	 * Sync variables with rawContent after initial load.
+	 * Pass the loaded data directly to avoid timing issues with bindable props.
+	 * Merges: secrets from loadedVars (DB) + non-secrets from loadedRaw (file).
+	 */
+	export function syncAfterLoad(loadedVars: EnvVar[], loadedRaw: string) {
+		if (!loadedRaw.trim()) {
+			// No raw content - just use the loaded variables as-is
+			variables = loadedVars;
+			rawContent = '';
+			return;
+		}
+
+		const { vars: rawVars } = parseRawContent(loadedRaw);
+
+		// Secrets come from loadedVars (DB), non-secrets come from loadedRaw (file)
+		const secrets = loadedVars.filter(v => v.isSecret);
+
+		// Also keep non-secrets from loadedVars that aren't in raw (new vars added before first save)
+		const rawKeys = new Set(rawVars.map(v => v.key));
+		const newNonSecrets = loadedVars.filter(v => !v.isSecret && v.key.trim() && !rawKeys.has(v.key));
+
+		// Set both at once to avoid any intermediate states
+		variables = [...rawVars, ...newNonSecrets, ...secrets];
+		rawContent = loadedRaw;
+	}
+
+	/**
+	 * Parse raw content to extract non-secret variables.
+	 */
+	function parseRawContent(content: string): { vars: EnvVar[], warnings: string[] } {
+		const result: EnvVar[] = [];
+		const warnings: string[] = [];
+		let lineNum = 0;
+
+		for (const line of content.split('\n')) {
+			lineNum++;
+			const trimmed = line.trim();
+			if (!trimmed || trimmed.startsWith('#')) continue;
+
+			const eqIndex = trimmed.indexOf('=');
+			if (eqIndex === -1) {
+				warnings.push(`Line ${lineNum}: "${trimmed.slice(0, 30)}${trimmed.length > 30 ? '...' : ''}" (no = found)`);
+				continue;
+			}
+
+			const key = trimmed.slice(0, eqIndex).trim();
+			let value = trimmed.slice(eqIndex + 1);
+
+			if ((value.startsWith('"') && value.endsWith('"')) ||
+			    (value.startsWith("'") && value.endsWith("'"))) {
+				value = value.slice(1, -1);
+			}
+
+			if (key) {
+				if (!/^[a-zA-Z_][a-zA-Z0-9_]*$/.test(key)) {
+					warnings.push(`Line ${lineNum}: "${key}" (invalid variable name)`);
+					continue;
+				}
+				result.push({ key, value, isSecret: false });
+			}
+		}
+
+		return { vars: result, warnings };
+	}
+
+	/**
+	 * Sync variables (non-secrets) TO rawContent.
+	 * Preserves comments and formatting. Secrets are excluded.
+	 */
+	function syncVariablesToRaw() {
+		const nonSecretVars = variables.filter(v => v.key.trim() && !v.isSecret);
+
+		// If no raw content exists, generate fresh
+		if (!rawContent.trim()) {
+			if (nonSecretVars.length > 0) {
+				rawContent = nonSecretVars.map(v => `${v.key.trim()}=${v.value}`).join('\n') + '\n';
+			}
+			return;
+		}
+
+		// Update existing raw content - preserve comments, update/add/remove variables
+		const varMap = new Map(nonSecretVars.map(v => [v.key.trim(), v]));
+		const usedKeys = new Set<string>();
+		const lines = rawContent.split('\n');
+		const resultLines: string[] = [];
+
+		for (const line of lines) {
+			const trimmed = line.trim();
+
+			// Keep comments and blank lines
+			if (!trimmed || trimmed.startsWith('#')) {
+				resultLines.push(line);
+				continue;
+			}
+
+			// Check if this is a variable line
+			const eqIndex = trimmed.indexOf('=');
+			if (eqIndex > 0) {
+				const key = trimmed.slice(0, eqIndex).trim();
+				if (/^[a-zA-Z_][a-zA-Z0-9_]*$/.test(key)) {
+					const varData = varMap.get(key);
+					if (varData) {
+						// Update value
+						resultLines.push(`${key}=${varData.value}`);
+						usedKeys.add(key);
+					}
+					// If not in varMap, variable was deleted - skip line
+					continue;
+				}
+			}
+
+			resultLines.push(line);
+		}
+
+		// Append new variables
+		for (const v of nonSecretVars) {
+			if (!usedKeys.has(v.key.trim())) {
+				resultLines.push(`${v.key.trim()}=${v.value}`);
+			}
+		}
+
+		let result = resultLines.join('\n');
+		if (result && !result.endsWith('\n')) {
+			result += '\n';
+		}
+		rawContent = result;
+	}
+
+	/**
+	 * Sync rawContent TO variables.
+	 * Parses raw content for non-secrets, preserves existing secrets.
+	 */
+	function syncRawToVariables() {
+		const { vars, warnings } = parseRawContent(rawContent);
+		parseWarnings = warnings;
+
+		// Preserve existing secrets (they're not in rawContent)
+		const existingSecrets = variables.filter(v => v.isSecret);
+
+		// Merge: non-secrets from raw + existing secrets
+		variables = [...vars, ...existingSecrets];
+	}
+
+	/**
+	 * Call before saving. Ensures variables and rawContent are in sync.
+	 * Always syncs variables→raw to get proper .env content for disk.
+	 */
+	export function prepareForSave(): { rawContent: string; variables: EnvVar[] } {
+		// If in text view, first sync raw→variables to capture edits
+		if (viewMode === 'text') {
+			syncRawToVariables();
+		}
+		// Then sync variables→raw to ensure rawContent is up to date
+		syncVariablesToRaw();
+
+		return {
+			rawContent,
+			variables: variables.filter(v => v.key.trim())
+		};
+	}
+
+	function handleTextChange(value: string) {
+		rawContent = value;
+		syncRawToVariables(); // Sync to variables so parent's envVars updates (for compose decorations)
+		onchange?.();
+	}
+
+	function handleViewModeChange(newMode: 'form' | 'text') {
+		if (newMode === 'text' && viewMode === 'form') {
+			// Form → Text: sync variables to raw (preserves comments)
+			syncVariablesToRaw();
+		} else if (newMode === 'form' && viewMode === 'text') {
+			// Text → Form: sync raw to variables (preserves secrets)
+			syncRawToVariables();
+		}
+
+		viewMode = newMode;
+		localStorage.setItem(STORAGE_KEY_VIEW_MODE, newMode);
+	}
+
+	async function addEnvVariable() {
+		variables = [...variables, { key: '', value: '', isSecret: false }];
+		onchange?.();
+		await tick();
+		if (contentAreaRef) {
+			contentAreaRef.scrollTop = contentAreaRef.scrollHeight;
+		}
+	}
+
+	async function addMissingVariable(key: string) {
+		variables = [...variables, { key, value: '', isSecret: false }];
+		onchange?.();
+		await tick();
+		if (contentAreaRef) {
+			contentAreaRef.scrollTop = contentAreaRef.scrollHeight;
+		}
+	}
+
+	function handleLoadFromFile() {
+		fileInputRef?.click();
+	}
+
+	function handleFileSelect(event: Event) {
+		const input = event.target as HTMLInputElement;
+		const file = input.files?.[0];
+		if (!file) return;
+
+		const reader = new FileReader();
+		reader.onload = (e) => {
+			rawContent = e.target?.result as string;
+			// Parse and merge with existing secrets
+			syncRawToVariables();
+			// Switch to text view to show loaded content
+			viewMode = 'text';
+			localStorage.setItem(STORAGE_KEY_VIEW_MODE, 'text');
+			onchange?.();
+		};
+		reader.readAsText(file);
+		input.value = '';
+	}
+
+	function clearAll() {
+		rawContent = '';
+		variables = [];
+		onchange?.();
+	}
+
+	const hasContent = $derived(!!rawContent?.trim() || variables.some(v => v.key.trim()));
+</script>
+
+<div class="flex flex-col h-full {className}">
+	<!-- Header -->
+	<div class="px-4 py-2.5 border-b border-zinc-200 dark:border-zinc-700 flex flex-col gap-1.5">
+		<!-- Header row: title + info + view toggle + validation pills + actions -->
+		<div class="flex items-center gap-2 justify-between">
+			<div class="flex items-center gap-2 flex-wrap min-w-0">
+				<span class="text-xs text-zinc-500 dark:text-zinc-400 shrink-0">Environment variables</span>
+			{#if infoText}
+				<Tooltip.Root>
+					<Tooltip.Trigger>
+						<Info class="w-3.5 h-3.5 text-blue-400 shrink-0" />
+					</Tooltip.Trigger>
+					<Tooltip.Portal>
+						<Tooltip.Content side="bottom" sideOffset={8} class="max-w-xs w-64 bg-white dark:bg-zinc-900 text-zinc-900 dark:text-zinc-100 border-zinc-200 dark:border-zinc-700">
+							<p class="text-xs text-left">{infoText}</p>
+						</Tooltip.Content>
+					</Tooltip.Portal>
+				</Tooltip.Root>
+			{/if}
+			<!-- View mode toggle -->
+			<div class="flex items-center gap-0.5 bg-zinc-100 dark:bg-zinc-800 rounded p-0.5 shrink-0">
+				<button
+					type="button"
+					class="flex items-center gap-1 px-1.5 py-0.5 rounded text-2xs transition-colors {viewMode === 'form' ? 'bg-white dark:bg-zinc-700 text-zinc-800 dark:text-zinc-100 shadow-sm' : 'text-zinc-500 dark:text-zinc-400 hover:text-zinc-700 dark:hover:text-zinc-200'}"
+					onclick={() => handleViewModeChange('form')}
+					title="Form view"
+				>
+					<List class="w-3 h-3" />
+				</button>
+				<button
+					type="button"
+					class="flex items-center gap-1 px-1.5 py-0.5 rounded text-2xs transition-colors {viewMode === 'text' ? 'bg-white dark:bg-zinc-700 text-zinc-800 dark:text-zinc-100 shadow-sm' : 'text-zinc-500 dark:text-zinc-400 hover:text-zinc-700 dark:hover:text-zinc-200'}"
+					onclick={() => handleViewModeChange('text')}
+					title="Text view (raw .env file)"
+				>
+					<FileText class="w-3 h-3" />
+				</button>
+			</div>
+			<!-- Validation status pills -->
+			{#if validation}
+				<div class="flex gap-1 flex-wrap">
+					{#if validation.missing.length > 0}
+						<span class="inline-flex items-center px-1.5 py-0.5 rounded text-2xs font-medium bg-red-100 text-red-700 dark:bg-red-900/30 dark:text-red-300">
+							{validation.missing.length} missing
+						</span>
+					{/if}
+					{#if validation.required.length > 0}
+						<span class="inline-flex items-center px-1.5 py-0.5 rounded text-2xs font-medium bg-green-100 text-green-700 dark:bg-green-900/30 dark:text-green-300">
+							{validation.required.length - validation.missing.length} defined
+						</span>
+					{/if}
+					{#if validation.optional.length > 0}
+						<span class="inline-flex items-center px-1.5 py-0.5 rounded text-2xs font-medium bg-blue-100 text-blue-700 dark:bg-blue-900/30 dark:text-blue-300">
+							{validation.optional.length} optional
+						</span>
+					{/if}
+				</div>
+			{/if}
+			</div>
+			<!-- Actions - right-aligned -->
+			{#if !readonly}
+				<div class="flex items-center gap-1 shrink-0">
+					<Button type="button" size="sm" variant="ghost" onclick={handleLoadFromFile} class="h-6 text-xs px-2">
+						<Upload class="w-3.5 h-3.5 mr-1" />
+						Load
+					</Button>
+					{#if viewMode === 'form'}
+						<Button type="button" size="sm" variant="ghost" onclick={addEnvVariable} class="h-6 text-xs px-2">
+							<Plus class="w-3.5 h-3.5 mr-1" />
+							Add
+						</Button>
+					{/if}
+					<ConfirmPopover
+						bind:open={confirmClearOpen}
+						title="Clear all variables?"
+						action="clear"
+						itemType="environment variables"
+						confirmText="Clear all"
+						onConfirm={clearAll}
+						onOpenChange={(o) => confirmClearOpen = o}
+					>
+						{#snippet children({ open })}
+							<Button
+								type="button"
+								size="sm"
+								variant="ghost"
+								class="h-6 text-xs px-2 {hasContent ? 'text-destructive hover:text-destructive' : 'text-muted-foreground/50 cursor-not-allowed'}"
+								disabled={!hasContent}
+							>
+								<Trash2 class="w-3.5 h-3.5 mr-1" />
+								Clear
+							</Button>
+						{/snippet}
+					</ConfirmPopover>
+				</div>
+				<input
+					bind:this={fileInputRef}
+					type="file"
+					accept=".env,.env.*,text/plain"
+					class="hidden"
+					onchange={handleFileSelect}
+				/>
+			{/if}
+		</div>
+		<!-- Help text -->
+		{#if viewMode === 'form'}
+			<div class="flex flex-wrap gap-x-3 gap-y-0.5 text-2xs text-zinc-400 dark:text-zinc-500 font-mono">
+				<span><span class="text-zinc-500 dark:text-zinc-400">${`{VAR}`}</span> required</span>
+				<span><span class="text-zinc-500 dark:text-zinc-400">${`{VAR:-default}`}</span> optional</span>
+				<span><span class="text-zinc-500 dark:text-zinc-400">${`{VAR:?error}`}</span> required w/ error</span>
+			</div>
+		{:else if secretCount > 0}
+			<!-- Text view hint about secrets (only shown when secrets exist) -->
+			<div class="flex items-start gap-2 px-2.5 py-2 rounded bg-amber-50 dark:bg-amber-900/20 border border-amber-200 dark:border-amber-800/50">
+				<ShieldAlert class="w-4 h-4 text-amber-500 shrink-0 mt-0.5" />
+				<div class="text-xs text-amber-700 dark:text-amber-300">
+					<span class="font-medium">{secretCount} secret{secretCount === 1 ? '' : 's'} not shown.</span>
+					<span class="text-amber-600 dark:text-amber-400">Secrets are never written to disk and are injected via shell environment when the stack starts.</span>
+				</div>
+			</div>
+		{/if}
+		<!-- Parse warnings (form mode only) -->
+		{#if viewMode === 'form' && parseWarnings.length > 0}
+			<div class="flex items-start gap-2 px-2 py-1.5 rounded bg-amber-50 dark:bg-amber-900/20 border border-amber-200 dark:border-amber-800/50">
+				<AlertTriangle class="w-3.5 h-3.5 text-amber-500 shrink-0 mt-0.5" />
+				<div class="text-2xs text-amber-700 dark:text-amber-300">
+					<span class="font-medium">Some lines couldn't be parsed:</span>
+					<ul class="mt-0.5 list-disc list-inside">
+						{#each parseWarnings.slice(0, 3) as warning}
+							<li>{warning}</li>
+						{/each}
+						{#if parseWarnings.length > 3}
+							<li>...and {parseWarnings.length - 3} more</li>
+						{/if}
+					</ul>
+					<p class="mt-1 text-amber-600 dark:text-amber-400">Switch to text view to edit these lines.</p>
+				</div>
+			</div>
+		{/if}
+		<!-- Add missing variables (form mode only) -->
+		{#if viewMode === 'form' && validation && validation.missing.length > 0 && !readonly}
+			<div class="flex flex-wrap gap-1 items-center">
+				<span class="text-xs text-muted-foreground mr-1">Add missing:</span>
+				{#each validation.missing as missing}
+					<button
+						type="button"
+						onclick={() => addMissingVariable(missing)}
+						class="text-xs px-1.5 py-0.5 rounded bg-red-100 text-red-700 hover:bg-red-200 dark:bg-red-900/30 dark:text-red-300 dark:hover:bg-red-900/50 transition-colors"
+					>
+						{missing}
+					</button>
+				{/each}
+			</div>
+		{/if}
+	</div>
+	<!-- Content area -->
+	<div bind:this={contentAreaRef} class="flex-1 overflow-auto px-4 py-3">
+		{#if viewMode === 'form'}
+			<StackEnvVarsEditor
+				bind:variables
+				{validation}
+				{readonly}
+				{showSource}
+				{sources}
+				{placeholder}
+				{existingSecretKeys}
+				{onchange}
+			/>
+		{:else}
+			<CodeEditor
+				value={rawContent}
+				language="dotenv"
+				theme={theme}
+				readonly={readonly}
+				onchange={handleTextChange}
+				class="h-full min-h-[200px] rounded-md overflow-hidden border border-zinc-200 dark:border-zinc-700"
+			/>
+		{/if}
+	</div>
+</div>
diff --git a/lib/components/ThemeSelector.svelte b/src/lib/components/ThemeSelector.svelte
similarity index 100%
rename from lib/components/ThemeSelector.svelte
rename to src/lib/components/ThemeSelector.svelte
diff --git a/lib/components/TimezoneSelector.svelte b/src/lib/components/TimezoneSelector.svelte
similarity index 98%
rename from lib/components/TimezoneSelector.svelte
rename to src/lib/components/TimezoneSelector.svelte
index bb28fe4..0866fdd 100644
--- a/lib/components/TimezoneSelector.svelte
+++ b/src/lib/components/TimezoneSelector.svelte
@@ -111,7 +111,7 @@
 			</Button>
 		{/snippet}
 	</Popover.Trigger>
-	<Popover.Content class="w-[350px] p-0" align="start">
+	<Popover.Content class="w-[350px] p-0 z-[200]" align="start">
 		<Command.Root shouldFilter={false}>
 			<Command.Input bind:value={searchQuery} placeholder="Search timezone..." />
 			<Command.List class="max-h-[300px]">
diff --git a/lib/components/UpdateContainerRow.svelte b/src/lib/components/UpdateContainerRow.svelte
similarity index 100%
rename from lib/components/UpdateContainerRow.svelte
rename to src/lib/components/UpdateContainerRow.svelte
diff --git a/lib/components/UpdateStepIndicator.svelte b/src/lib/components/UpdateStepIndicator.svelte
similarity index 100%
rename from lib/components/UpdateStepIndicator.svelte
rename to src/lib/components/UpdateStepIndicator.svelte
diff --git a/lib/components/UpdateSummaryStats.svelte b/src/lib/components/UpdateSummaryStats.svelte
similarity index 100%
rename from lib/components/UpdateSummaryStats.svelte
rename to src/lib/components/UpdateSummaryStats.svelte
diff --git a/lib/components/VulnerabilityCriteriaBadge.svelte b/src/lib/components/VulnerabilityCriteriaBadge.svelte
similarity index 100%
rename from lib/components/VulnerabilityCriteriaBadge.svelte
rename to src/lib/components/VulnerabilityCriteriaBadge.svelte
diff --git a/lib/components/VulnerabilityCriteriaSelector.svelte b/src/lib/components/VulnerabilityCriteriaSelector.svelte
similarity index 100%
rename from lib/components/VulnerabilityCriteriaSelector.svelte
rename to src/lib/components/VulnerabilityCriteriaSelector.svelte
diff --git a/lib/components/WhatsNewModal.svelte b/src/lib/components/WhatsNewModal.svelte
similarity index 100%
rename from lib/components/WhatsNewModal.svelte
rename to src/lib/components/WhatsNewModal.svelte
diff --git a/lib/components/app-sidebar.svelte b/src/lib/components/app-sidebar.svelte
similarity index 100%
rename from lib/components/app-sidebar.svelte
rename to src/lib/components/app-sidebar.svelte
diff --git a/lib/components/cron-editor.svelte b/src/lib/components/cron-editor.svelte
similarity index 100%
rename from lib/components/cron-editor.svelte
rename to src/lib/components/cron-editor.svelte
diff --git a/lib/components/data-grid/DataGrid.svelte b/src/lib/components/data-grid/DataGrid.svelte
similarity index 84%
rename from lib/components/data-grid/DataGrid.svelte
rename to src/lib/components/data-grid/DataGrid.svelte
index 6c76fc2..6b9cf3b 100644
--- a/lib/components/data-grid/DataGrid.svelte
+++ b/src/lib/components/data-grid/DataGrid.svelte
@@ -67,6 +67,7 @@
 		cell?: Snippet<[ColumnConfig, T, DataGridRowState]>;
 		emptyState?: Snippet;
 		loadingState?: Snippet;
+		footer?: Snippet;
 	}
 
 	let {
@@ -100,7 +101,8 @@
 		headerCell,
 		cell,
 		emptyState,
-		loadingState
+		loadingState,
+		footer
 	}: Props = $props();
 
 	// Column configuration
@@ -112,14 +114,16 @@
 	// Grid preferences (reactive)
 	const gridPrefs = $derived($gridPreferencesStore);
 
-	// Get ordered visible columns from preferences
+	// Get ordered visible columns from preferences (excluding fixed columns)
 	const orderedColumns = $derived.by(() => {
 		const prefs = gridPrefs[gridId];
 		if (!prefs?.columns?.length) {
 			// Default: all configurable columns visible
 			return columnConfigs.filter((c) => !c.fixed).map((c) => c.id);
 		}
-		return prefs.columns.filter((c) => c.visible).map((c) => c.id);
+		// Filter out fixed columns - they're rendered separately via fixedStartCols/fixedEndCols
+		const fixedIds = new Set([...fixedStartCols, ...fixedEndCols]);
+		return prefs.columns.filter((c) => c.visible && !fixedIds.has(c.id)).map((c) => c.id);
 	});
 
 	// Identify visible grow columns (columns with grow: true that are currently visible)
@@ -152,6 +156,9 @@
 	// RAF throttling for performance
 	let resizeRAF: number | null = null;
 	let scrollRAF: number | null = null;
+	let visibleRangeRAF: number | null = null;
+	let containerResizeRAF: number | null = null;
+	let loadMorePending = false;
 
 	// Helper to get base width for a column (without grow calculation)
 	function getBaseWidth(colId: string): number {
@@ -346,20 +353,58 @@
 
 	// Virtual scroll calculations
 	const totalHeight = $derived(virtualScroll ? data.length * rowHeight : 0);
+
+	// Memoization state for visibleData to prevent creating new arrays on every scroll
+	let prevStartIndex = -1;
+	let prevEndIndex = -1;
+	let prevDataRef: T[] | null = null;
+	let cachedVisibleData: T[] = [];
+
+	// Memoized startIndex/endIndex/visibleData calculation
 	const startIndex = $derived(virtualScroll ? Math.max(0, Math.floor(scrollTop / rowHeight) - bufferRows) : 0);
 	const endIndex = $derived(
 		virtualScroll ? Math.min(data.length, Math.ceil((scrollTop + containerHeight) / rowHeight) + bufferRows) : data.length
 	);
-	const visibleData = $derived(virtualScroll ? data.slice(startIndex, endIndex) : data);
+
+	// Memoized visibleData - only create new array when bounds or data actually change
+	const visibleData = $derived.by(() => {
+		if (!virtualScroll) return data;
+
+		// If data reference changed, we must reslice
+		const dataChanged = data !== prevDataRef;
+
+		// Only create new array if bounds or data actually changed
+		if (!dataChanged && startIndex === prevStartIndex && endIndex === prevEndIndex && cachedVisibleData.length > 0) {
+			return cachedVisibleData;
+		}
+
+		prevStartIndex = startIndex;
+		prevEndIndex = endIndex;
+		prevDataRef = data;
+		cachedVisibleData = data.slice(startIndex, endIndex);
+		return cachedVisibleData;
+	});
+
 	const offsetY = $derived(virtualScroll ? startIndex * rowHeight : 0);
 
-	// Notify parent of visible range changes
+	// Notify parent of visible range changes (throttled via RAF)
 	$effect(() => {
 		if (virtualScroll && onVisibleRangeChange && data.length > 0) {
-			// Calculate actual visible range (without buffer)
-			const visibleStart = Math.max(1, Math.floor(scrollTop / rowHeight) + 1);
-			const visibleEnd = Math.min(data.length, Math.ceil((scrollTop + containerHeight) / rowHeight));
-			onVisibleRangeChange(visibleStart, Math.max(visibleEnd, visibleStart), data.length);
+			// Capture values for RAF callback
+			const st = scrollTop;
+			const ch = containerHeight;
+			const len = data.length;
+			const rh = rowHeight;
+			const cb = onVisibleRangeChange;
+
+			if (visibleRangeRAF) cancelAnimationFrame(visibleRangeRAF);
+			visibleRangeRAF = requestAnimationFrame(() => {
+				visibleRangeRAF = null;
+				// Calculate actual visible range (without buffer)
+				const visibleStart = Math.max(1, Math.floor(st / rh) + 1);
+				const visibleEnd = Math.min(len, Math.ceil((st + ch) / rh));
+				cb(visibleStart, Math.max(visibleEnd, visibleStart), len);
+			});
 		}
 	});
 
@@ -376,11 +421,14 @@
 			// Update container height on scroll (in case of resize)
 			containerHeight = target.clientHeight;
 
-			// Infinite scroll trigger
-			if (hasMore && onLoadMore) {
+			// Infinite scroll trigger (with guard to prevent repeated calls)
+			if (hasMore && onLoadMore && !loadMorePending) {
 				const scrollBottom = target.scrollHeight - target.scrollTop - target.clientHeight;
 				if (scrollBottom < loadMoreThreshold) {
+					loadMorePending = true;
 					onLoadMore();
+					// Reset after a short delay to allow the next load
+					setTimeout(() => { loadMorePending = false; }, 100);
 				}
 			}
 		});
@@ -398,12 +446,17 @@
 			}
 
 			const resizeObserver = new ResizeObserver((entries) => {
-				for (const entry of entries) {
-					scrollContainerWidth = entry.contentRect.width;
-					if (virtualScroll) {
-						containerHeight = entry.contentRect.height;
+				// Throttle with RAF to prevent "ResizeObserver loop" warnings
+				if (containerResizeRAF) return;
+				containerResizeRAF = requestAnimationFrame(() => {
+					containerResizeRAF = null;
+					for (const entry of entries) {
+						scrollContainerWidth = entry.contentRect.width;
+						if (virtualScroll) {
+							containerHeight = entry.contentRect.height;
+						}
 					}
-				}
+				});
 			});
 			resizeObserver.observe(scrollContainer);
 
@@ -417,6 +470,8 @@
 	onDestroy(() => {
 		if (resizeRAF) cancelAnimationFrame(resizeRAF);
 		if (scrollRAF) cancelAnimationFrame(scrollRAF);
+		if (visibleRangeRAF) cancelAnimationFrame(visibleRangeRAF);
+		if (containerResizeRAF) cancelAnimationFrame(containerResizeRAF);
 	});
 
 	// Set context for child components
@@ -440,15 +495,47 @@
 		highlightedKey
 	});
 
-	// Helper to get row state
+	// Row state cache to prevent creating new objects on every scroll
+	// Use $derived to track dependencies synchronously (unlike $effect which is async)
+	let rowStateCache = new WeakMap<object, DataGridRowState>();
+
+	// Track cache invalidation keys - when these change, cache is stale
+	let cachedSelectedKeysRef: Set<unknown> | null = null;
+	let cachedExpandedKeysRef: Set<unknown> | null = null;
+	let cachedHighlightedKeyRef: unknown = undefined;
+
+	// Helper to get row state (memoized via WeakMap)
+	// Cache is invalidated synchronously when selection/expansion changes
 	function getRowState(item: T, index: number): DataGridRowState {
-		return {
+		const actualIndex = virtualScroll ? startIndex + index : index;
+
+		// Check if cache needs to be cleared (synchronous check)
+		if (selectedKeys !== cachedSelectedKeysRef ||
+			expandedKeys !== cachedExpandedKeysRef ||
+			highlightedKey !== cachedHighlightedKeyRef) {
+			rowStateCache = new WeakMap();
+			cachedSelectedKeysRef = selectedKeys;
+			cachedExpandedKeysRef = expandedKeys;
+			cachedHighlightedKeyRef = highlightedKey;
+		}
+
+		// Try to get cached state
+		const cached = rowStateCache.get(item as object);
+		if (cached && cached.index === actualIndex) {
+			return cached;
+		}
+
+		// Create new state object and cache it
+		const state: DataGridRowState = {
 			isSelected: isSelected(item[keyField]),
 			isHighlighted: highlightedKey === item[keyField],
 			isSelectable: isItemSelectable(item),
 			isExpanded: isExpanded(item[keyField]),
-			index: virtualScroll ? startIndex + index : index
+			index: actualIndex
 		};
+
+		rowStateCache.set(item as object, state);
+		return state;
 	}
 
 	// Helper to check if column is resizable
@@ -672,7 +759,7 @@
 										e.stopPropagation();
 										toggleSelection(item[keyField]);
 									}}
-									class="flex items-center justify-center transition-colors cursor-pointer {rowState.isSelected ? 'opacity-100' : 'opacity-0 group-hover:opacity-40 hover:!opacity-100'}"
+									class="flex items-center justify-center w-full h-full min-h-[24px] transition-colors cursor-pointer {rowState.isSelected ? 'opacity-100' : 'opacity-0 group-hover:opacity-40 hover:!opacity-100'}"
 								>
 									{#if rowState.isSelected}
 										<CheckSquare class="w-3.5 h-3.5 text-muted-foreground" />
@@ -781,7 +868,7 @@
 										<button
 											type="button"
 											onclick={(e) => { e.stopPropagation(); toggleSelection(item[keyField]); }}
-											class="flex items-center justify-center transition-colors cursor-pointer {rowState.isSelected ? 'opacity-100' : 'opacity-0 group-hover:opacity-40 hover:!opacity-100'}"
+											class="flex items-center justify-center w-full h-full min-h-[24px] transition-colors cursor-pointer {rowState.isSelected ? 'opacity-100' : 'opacity-0 group-hover:opacity-40 hover:!opacity-100'}"
 										>
 											{#if rowState.isSelected}
 												<CheckSquare class="w-3.5 h-3.5 text-muted-foreground" />
@@ -841,6 +928,10 @@
 				{#if totalHeight - offsetY - (visibleData.length * rowHeight) > 0}
 					<tr><td colspan={fixedStartCols.length + orderedColumns.length + fixedEndCols.length} style="height: {totalHeight - offsetY - (visibleData.length * rowHeight)}px; padding: 0; border: none;"></td></tr>
 				{/if}
+				<!-- Footer (rendered at the bottom of virtual scroll) -->
+				{#if footer}
+					<tr><td colspan={fixedStartCols.length + orderedColumns.length + fixedEndCols.length} class="p-0 border-none">{@render footer()}</td></tr>
+				{/if}
 			</tbody>
 		</table>
 	{:else}
diff --git a/lib/components/data-grid/context.ts b/src/lib/components/data-grid/context.ts
similarity index 100%
rename from lib/components/data-grid/context.ts
rename to src/lib/components/data-grid/context.ts
diff --git a/lib/components/data-grid/index.ts b/src/lib/components/data-grid/index.ts
similarity index 100%
rename from lib/components/data-grid/index.ts
rename to src/lib/components/data-grid/index.ts
diff --git a/lib/components/data-grid/types.ts b/src/lib/components/data-grid/types.ts
similarity index 100%
rename from lib/components/data-grid/types.ts
rename to src/lib/components/data-grid/types.ts
diff --git a/lib/components/host-info.svelte b/src/lib/components/host-info.svelte
similarity index 100%
rename from lib/components/host-info.svelte
rename to src/lib/components/host-info.svelte
diff --git a/lib/components/icon-picker.svelte b/src/lib/components/icon-picker.svelte
similarity index 96%
rename from lib/components/icon-picker.svelte
rename to src/lib/components/icon-picker.svelte
index 0ea4a53..d38b23e 100644
--- a/lib/components/icon-picker.svelte
+++ b/src/lib/components/icon-picker.svelte
@@ -37,7 +37,7 @@
 			<CurrentIcon class="h-4 w-4" />
 		</Button>
 	</Popover.Trigger>
-	<Popover.Content class="w-80 p-3" align="start">
+	<Popover.Content class="w-80 p-3 z-[200]" align="start">
 		<div class="space-y-3">
 			<Input
 				bind:value={searchQuery}
diff --git a/lib/components/main-content.svelte b/src/lib/components/main-content.svelte
similarity index 100%
rename from lib/components/main-content.svelte
rename to src/lib/components/main-content.svelte
diff --git a/lib/components/permission-guard.svelte b/src/lib/components/permission-guard.svelte
similarity index 100%
rename from lib/components/permission-guard.svelte
rename to src/lib/components/permission-guard.svelte
diff --git a/lib/components/theme-toggle.svelte b/src/lib/components/theme-toggle.svelte
similarity index 100%
rename from lib/components/theme-toggle.svelte
rename to src/lib/components/theme-toggle.svelte
diff --git a/lib/components/ui/accordion/accordion-content.svelte b/src/lib/components/ui/accordion/accordion-content.svelte
similarity index 100%
rename from lib/components/ui/accordion/accordion-content.svelte
rename to src/lib/components/ui/accordion/accordion-content.svelte
diff --git a/lib/components/ui/accordion/accordion-item.svelte b/src/lib/components/ui/accordion/accordion-item.svelte
similarity index 100%
rename from lib/components/ui/accordion/accordion-item.svelte
rename to src/lib/components/ui/accordion/accordion-item.svelte
diff --git a/lib/components/ui/accordion/accordion-trigger.svelte b/src/lib/components/ui/accordion/accordion-trigger.svelte
similarity index 100%
rename from lib/components/ui/accordion/accordion-trigger.svelte
rename to src/lib/components/ui/accordion/accordion-trigger.svelte
diff --git a/lib/components/ui/accordion/accordion.svelte b/src/lib/components/ui/accordion/accordion.svelte
similarity index 100%
rename from lib/components/ui/accordion/accordion.svelte
rename to src/lib/components/ui/accordion/accordion.svelte
diff --git a/lib/components/ui/accordion/index.ts b/src/lib/components/ui/accordion/index.ts
similarity index 100%
rename from lib/components/ui/accordion/index.ts
rename to src/lib/components/ui/accordion/index.ts
diff --git a/lib/components/ui/alert/alert-description.svelte b/src/lib/components/ui/alert/alert-description.svelte
similarity index 100%
rename from lib/components/ui/alert/alert-description.svelte
rename to src/lib/components/ui/alert/alert-description.svelte
diff --git a/lib/components/ui/alert/alert-title.svelte b/src/lib/components/ui/alert/alert-title.svelte
similarity index 100%
rename from lib/components/ui/alert/alert-title.svelte
rename to src/lib/components/ui/alert/alert-title.svelte
diff --git a/lib/components/ui/alert/alert.svelte b/src/lib/components/ui/alert/alert.svelte
similarity index 100%
rename from lib/components/ui/alert/alert.svelte
rename to src/lib/components/ui/alert/alert.svelte
diff --git a/lib/components/ui/alert/index.ts b/src/lib/components/ui/alert/index.ts
similarity index 100%
rename from lib/components/ui/alert/index.ts
rename to src/lib/components/ui/alert/index.ts
diff --git a/lib/components/ui/avatar/avatar-fallback.svelte b/src/lib/components/ui/avatar/avatar-fallback.svelte
similarity index 100%
rename from lib/components/ui/avatar/avatar-fallback.svelte
rename to src/lib/components/ui/avatar/avatar-fallback.svelte
diff --git a/lib/components/ui/avatar/avatar-image.svelte b/src/lib/components/ui/avatar/avatar-image.svelte
similarity index 100%
rename from lib/components/ui/avatar/avatar-image.svelte
rename to src/lib/components/ui/avatar/avatar-image.svelte
diff --git a/lib/components/ui/avatar/avatar.svelte b/src/lib/components/ui/avatar/avatar.svelte
similarity index 100%
rename from lib/components/ui/avatar/avatar.svelte
rename to src/lib/components/ui/avatar/avatar.svelte
diff --git a/lib/components/ui/avatar/index.ts b/src/lib/components/ui/avatar/index.ts
similarity index 100%
rename from lib/components/ui/avatar/index.ts
rename to src/lib/components/ui/avatar/index.ts
diff --git a/lib/components/ui/badge/badge.svelte b/src/lib/components/ui/badge/badge.svelte
similarity index 100%
rename from lib/components/ui/badge/badge.svelte
rename to src/lib/components/ui/badge/badge.svelte
diff --git a/lib/components/ui/badge/index.ts b/src/lib/components/ui/badge/index.ts
similarity index 100%
rename from lib/components/ui/badge/index.ts
rename to src/lib/components/ui/badge/index.ts
diff --git a/lib/components/ui/button/button.svelte b/src/lib/components/ui/button/button.svelte
similarity index 100%
rename from lib/components/ui/button/button.svelte
rename to src/lib/components/ui/button/button.svelte
diff --git a/lib/components/ui/button/index.ts b/src/lib/components/ui/button/index.ts
similarity index 100%
rename from lib/components/ui/button/index.ts
rename to src/lib/components/ui/button/index.ts
diff --git a/lib/components/ui/calendar/calendar-caption.svelte b/src/lib/components/ui/calendar/calendar-caption.svelte
similarity index 100%
rename from lib/components/ui/calendar/calendar-caption.svelte
rename to src/lib/components/ui/calendar/calendar-caption.svelte
diff --git a/lib/components/ui/calendar/calendar-cell.svelte b/src/lib/components/ui/calendar/calendar-cell.svelte
similarity index 100%
rename from lib/components/ui/calendar/calendar-cell.svelte
rename to src/lib/components/ui/calendar/calendar-cell.svelte
diff --git a/lib/components/ui/calendar/calendar-day.svelte b/src/lib/components/ui/calendar/calendar-day.svelte
similarity index 100%
rename from lib/components/ui/calendar/calendar-day.svelte
rename to src/lib/components/ui/calendar/calendar-day.svelte
diff --git a/lib/components/ui/calendar/calendar-grid-body.svelte b/src/lib/components/ui/calendar/calendar-grid-body.svelte
similarity index 100%
rename from lib/components/ui/calendar/calendar-grid-body.svelte
rename to src/lib/components/ui/calendar/calendar-grid-body.svelte
diff --git a/lib/components/ui/calendar/calendar-grid-head.svelte b/src/lib/components/ui/calendar/calendar-grid-head.svelte
similarity index 100%
rename from lib/components/ui/calendar/calendar-grid-head.svelte
rename to src/lib/components/ui/calendar/calendar-grid-head.svelte
diff --git a/lib/components/ui/calendar/calendar-grid-row.svelte b/src/lib/components/ui/calendar/calendar-grid-row.svelte
similarity index 100%
rename from lib/components/ui/calendar/calendar-grid-row.svelte
rename to src/lib/components/ui/calendar/calendar-grid-row.svelte
diff --git a/lib/components/ui/calendar/calendar-grid.svelte b/src/lib/components/ui/calendar/calendar-grid.svelte
similarity index 100%
rename from lib/components/ui/calendar/calendar-grid.svelte
rename to src/lib/components/ui/calendar/calendar-grid.svelte
diff --git a/lib/components/ui/calendar/calendar-head-cell.svelte b/src/lib/components/ui/calendar/calendar-head-cell.svelte
similarity index 100%
rename from lib/components/ui/calendar/calendar-head-cell.svelte
rename to src/lib/components/ui/calendar/calendar-head-cell.svelte
diff --git a/lib/components/ui/calendar/calendar-header.svelte b/src/lib/components/ui/calendar/calendar-header.svelte
similarity index 100%
rename from lib/components/ui/calendar/calendar-header.svelte
rename to src/lib/components/ui/calendar/calendar-header.svelte
diff --git a/lib/components/ui/calendar/calendar-heading.svelte b/src/lib/components/ui/calendar/calendar-heading.svelte
similarity index 100%
rename from lib/components/ui/calendar/calendar-heading.svelte
rename to src/lib/components/ui/calendar/calendar-heading.svelte
diff --git a/lib/components/ui/calendar/calendar-month-select.svelte b/src/lib/components/ui/calendar/calendar-month-select.svelte
similarity index 100%
rename from lib/components/ui/calendar/calendar-month-select.svelte
rename to src/lib/components/ui/calendar/calendar-month-select.svelte
diff --git a/lib/components/ui/calendar/calendar-month.svelte b/src/lib/components/ui/calendar/calendar-month.svelte
similarity index 100%
rename from lib/components/ui/calendar/calendar-month.svelte
rename to src/lib/components/ui/calendar/calendar-month.svelte
diff --git a/lib/components/ui/calendar/calendar-months.svelte b/src/lib/components/ui/calendar/calendar-months.svelte
similarity index 100%
rename from lib/components/ui/calendar/calendar-months.svelte
rename to src/lib/components/ui/calendar/calendar-months.svelte
diff --git a/lib/components/ui/calendar/calendar-nav.svelte b/src/lib/components/ui/calendar/calendar-nav.svelte
similarity index 100%
rename from lib/components/ui/calendar/calendar-nav.svelte
rename to src/lib/components/ui/calendar/calendar-nav.svelte
diff --git a/lib/components/ui/calendar/calendar-next-button.svelte b/src/lib/components/ui/calendar/calendar-next-button.svelte
similarity index 100%
rename from lib/components/ui/calendar/calendar-next-button.svelte
rename to src/lib/components/ui/calendar/calendar-next-button.svelte
diff --git a/lib/components/ui/calendar/calendar-prev-button.svelte b/src/lib/components/ui/calendar/calendar-prev-button.svelte
similarity index 100%
rename from lib/components/ui/calendar/calendar-prev-button.svelte
rename to src/lib/components/ui/calendar/calendar-prev-button.svelte
diff --git a/lib/components/ui/calendar/calendar-year-select.svelte b/src/lib/components/ui/calendar/calendar-year-select.svelte
similarity index 100%
rename from lib/components/ui/calendar/calendar-year-select.svelte
rename to src/lib/components/ui/calendar/calendar-year-select.svelte
diff --git a/lib/components/ui/calendar/calendar.svelte b/src/lib/components/ui/calendar/calendar.svelte
similarity index 100%
rename from lib/components/ui/calendar/calendar.svelte
rename to src/lib/components/ui/calendar/calendar.svelte
diff --git a/lib/components/ui/calendar/index.ts b/src/lib/components/ui/calendar/index.ts
similarity index 100%
rename from lib/components/ui/calendar/index.ts
rename to src/lib/components/ui/calendar/index.ts
diff --git a/lib/components/ui/card/card-action.svelte b/src/lib/components/ui/card/card-action.svelte
similarity index 100%
rename from lib/components/ui/card/card-action.svelte
rename to src/lib/components/ui/card/card-action.svelte
diff --git a/lib/components/ui/card/card-content.svelte b/src/lib/components/ui/card/card-content.svelte
similarity index 100%
rename from lib/components/ui/card/card-content.svelte
rename to src/lib/components/ui/card/card-content.svelte
diff --git a/lib/components/ui/card/card-description.svelte b/src/lib/components/ui/card/card-description.svelte
similarity index 100%
rename from lib/components/ui/card/card-description.svelte
rename to src/lib/components/ui/card/card-description.svelte
diff --git a/lib/components/ui/card/card-footer.svelte b/src/lib/components/ui/card/card-footer.svelte
similarity index 100%
rename from lib/components/ui/card/card-footer.svelte
rename to src/lib/components/ui/card/card-footer.svelte
diff --git a/lib/components/ui/card/card-header.svelte b/src/lib/components/ui/card/card-header.svelte
similarity index 100%
rename from lib/components/ui/card/card-header.svelte
rename to src/lib/components/ui/card/card-header.svelte
diff --git a/lib/components/ui/card/card-title.svelte b/src/lib/components/ui/card/card-title.svelte
similarity index 100%
rename from lib/components/ui/card/card-title.svelte
rename to src/lib/components/ui/card/card-title.svelte
diff --git a/lib/components/ui/card/card.svelte b/src/lib/components/ui/card/card.svelte
similarity index 100%
rename from lib/components/ui/card/card.svelte
rename to src/lib/components/ui/card/card.svelte
diff --git a/lib/components/ui/card/index.ts b/src/lib/components/ui/card/index.ts
similarity index 100%
rename from lib/components/ui/card/index.ts
rename to src/lib/components/ui/card/index.ts
diff --git a/lib/components/ui/checkbox/checkbox.svelte b/src/lib/components/ui/checkbox/checkbox.svelte
similarity index 100%
rename from lib/components/ui/checkbox/checkbox.svelte
rename to src/lib/components/ui/checkbox/checkbox.svelte
diff --git a/lib/components/ui/checkbox/index.ts b/src/lib/components/ui/checkbox/index.ts
similarity index 100%
rename from lib/components/ui/checkbox/index.ts
rename to src/lib/components/ui/checkbox/index.ts
diff --git a/lib/components/ui/command/command-dialog.svelte b/src/lib/components/ui/command/command-dialog.svelte
similarity index 100%
rename from lib/components/ui/command/command-dialog.svelte
rename to src/lib/components/ui/command/command-dialog.svelte
diff --git a/lib/components/ui/command/command-empty.svelte b/src/lib/components/ui/command/command-empty.svelte
similarity index 100%
rename from lib/components/ui/command/command-empty.svelte
rename to src/lib/components/ui/command/command-empty.svelte
diff --git a/lib/components/ui/command/command-group.svelte b/src/lib/components/ui/command/command-group.svelte
similarity index 100%
rename from lib/components/ui/command/command-group.svelte
rename to src/lib/components/ui/command/command-group.svelte
diff --git a/lib/components/ui/command/command-input.svelte b/src/lib/components/ui/command/command-input.svelte
similarity index 100%
rename from lib/components/ui/command/command-input.svelte
rename to src/lib/components/ui/command/command-input.svelte
diff --git a/lib/components/ui/command/command-item.svelte b/src/lib/components/ui/command/command-item.svelte
similarity index 100%
rename from lib/components/ui/command/command-item.svelte
rename to src/lib/components/ui/command/command-item.svelte
diff --git a/lib/components/ui/command/command-link-item.svelte b/src/lib/components/ui/command/command-link-item.svelte
similarity index 100%
rename from lib/components/ui/command/command-link-item.svelte
rename to src/lib/components/ui/command/command-link-item.svelte
diff --git a/lib/components/ui/command/command-list.svelte b/src/lib/components/ui/command/command-list.svelte
similarity index 100%
rename from lib/components/ui/command/command-list.svelte
rename to src/lib/components/ui/command/command-list.svelte
diff --git a/lib/components/ui/command/command-loading.svelte b/src/lib/components/ui/command/command-loading.svelte
similarity index 100%
rename from lib/components/ui/command/command-loading.svelte
rename to src/lib/components/ui/command/command-loading.svelte
diff --git a/lib/components/ui/command/command-separator.svelte b/src/lib/components/ui/command/command-separator.svelte
similarity index 100%
rename from lib/components/ui/command/command-separator.svelte
rename to src/lib/components/ui/command/command-separator.svelte
diff --git a/lib/components/ui/command/command-shortcut.svelte b/src/lib/components/ui/command/command-shortcut.svelte
similarity index 100%
rename from lib/components/ui/command/command-shortcut.svelte
rename to src/lib/components/ui/command/command-shortcut.svelte
diff --git a/lib/components/ui/command/command.svelte b/src/lib/components/ui/command/command.svelte
similarity index 100%
rename from lib/components/ui/command/command.svelte
rename to src/lib/components/ui/command/command.svelte
diff --git a/lib/components/ui/command/index.ts b/src/lib/components/ui/command/index.ts
similarity index 100%
rename from lib/components/ui/command/index.ts
rename to src/lib/components/ui/command/index.ts
diff --git a/lib/components/ui/date-picker/date-picker.svelte b/src/lib/components/ui/date-picker/date-picker.svelte
similarity index 97%
rename from lib/components/ui/date-picker/date-picker.svelte
rename to src/lib/components/ui/date-picker/date-picker.svelte
index 091a806..b98b5d0 100644
--- a/lib/components/ui/date-picker/date-picker.svelte
+++ b/src/lib/components/ui/date-picker/date-picker.svelte
@@ -62,7 +62,7 @@
 			<span class="text-xs">{placeholder}</span>
 		{/if}
 	</Popover.Trigger>
-	<Popover.Content class="w-auto p-0" align="start">
+	<Popover.Content class="w-auto p-0 z-[200]" align="start">
 		<Calendar
 			type="single"
 			value={dateValue}
diff --git a/lib/components/ui/date-picker/index.ts b/src/lib/components/ui/date-picker/index.ts
similarity index 100%
rename from lib/components/ui/date-picker/index.ts
rename to src/lib/components/ui/date-picker/index.ts
diff --git a/lib/components/ui/dialog/dialog-close.svelte b/src/lib/components/ui/dialog/dialog-close.svelte
similarity index 100%
rename from lib/components/ui/dialog/dialog-close.svelte
rename to src/lib/components/ui/dialog/dialog-close.svelte
diff --git a/lib/components/ui/dialog/dialog-content.svelte b/src/lib/components/ui/dialog/dialog-content.svelte
similarity index 89%
rename from lib/components/ui/dialog/dialog-content.svelte
rename to src/lib/components/ui/dialog/dialog-content.svelte
index 90b8d4c..a56372f 100644
--- a/lib/components/ui/dialog/dialog-content.svelte
+++ b/src/lib/components/ui/dialog/dialog-content.svelte
@@ -27,7 +27,7 @@
 		bind:ref
 		data-slot="dialog-content"
 		class={cn(
-			"bg-background fixed start-[50%] top-[50%] z-50 grid w-full max-w-[calc(100%-2rem)] translate-x-[-50%] translate-y-[-50%] gap-4 rounded-lg border p-6 shadow-lg",
+			"bg-background fixed start-[50%] top-[50%] z-[150] grid w-full max-w-[calc(100%-2rem)] translate-x-[-50%] translate-y-[-50%] gap-4 rounded-lg border p-6 shadow-lg",
 			!className?.includes('max-w-') && "sm:max-w-lg",
 			className
 		)}
diff --git a/lib/components/ui/dialog/dialog-description.svelte b/src/lib/components/ui/dialog/dialog-description.svelte
similarity index 100%
rename from lib/components/ui/dialog/dialog-description.svelte
rename to src/lib/components/ui/dialog/dialog-description.svelte
diff --git a/lib/components/ui/dialog/dialog-footer.svelte b/src/lib/components/ui/dialog/dialog-footer.svelte
similarity index 100%
rename from lib/components/ui/dialog/dialog-footer.svelte
rename to src/lib/components/ui/dialog/dialog-footer.svelte
diff --git a/lib/components/ui/dialog/dialog-header.svelte b/src/lib/components/ui/dialog/dialog-header.svelte
similarity index 100%
rename from lib/components/ui/dialog/dialog-header.svelte
rename to src/lib/components/ui/dialog/dialog-header.svelte
diff --git a/lib/components/ui/dialog/dialog-overlay.svelte b/src/lib/components/ui/dialog/dialog-overlay.svelte
similarity index 93%
rename from lib/components/ui/dialog/dialog-overlay.svelte
rename to src/lib/components/ui/dialog/dialog-overlay.svelte
index f81ad83..d6ea16a 100644
--- a/lib/components/ui/dialog/dialog-overlay.svelte
+++ b/src/lib/components/ui/dialog/dialog-overlay.svelte
@@ -13,7 +13,7 @@
 	bind:ref
 	data-slot="dialog-overlay"
 	class={cn(
-		"data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 fixed inset-0 z-50 bg-black/50",
+		"data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 fixed inset-0 z-[150] bg-black/50",
 		className
 	)}
 	{...restProps}
diff --git a/lib/components/ui/dialog/dialog-portal.svelte b/src/lib/components/ui/dialog/dialog-portal.svelte
similarity index 100%
rename from lib/components/ui/dialog/dialog-portal.svelte
rename to src/lib/components/ui/dialog/dialog-portal.svelte
diff --git a/lib/components/ui/dialog/dialog-title.svelte b/src/lib/components/ui/dialog/dialog-title.svelte
similarity index 100%
rename from lib/components/ui/dialog/dialog-title.svelte
rename to src/lib/components/ui/dialog/dialog-title.svelte
diff --git a/lib/components/ui/dialog/dialog-trigger.svelte b/src/lib/components/ui/dialog/dialog-trigger.svelte
similarity index 100%
rename from lib/components/ui/dialog/dialog-trigger.svelte
rename to src/lib/components/ui/dialog/dialog-trigger.svelte
diff --git a/lib/components/ui/dialog/dialog.svelte b/src/lib/components/ui/dialog/dialog.svelte
similarity index 100%
rename from lib/components/ui/dialog/dialog.svelte
rename to src/lib/components/ui/dialog/dialog.svelte
diff --git a/lib/components/ui/dialog/index.ts b/src/lib/components/ui/dialog/index.ts
similarity index 100%
rename from lib/components/ui/dialog/index.ts
rename to src/lib/components/ui/dialog/index.ts
diff --git a/lib/components/ui/dropdown-menu/dropdown-menu-checkbox-group.svelte b/src/lib/components/ui/dropdown-menu/dropdown-menu-checkbox-group.svelte
similarity index 100%
rename from lib/components/ui/dropdown-menu/dropdown-menu-checkbox-group.svelte
rename to src/lib/components/ui/dropdown-menu/dropdown-menu-checkbox-group.svelte
diff --git a/lib/components/ui/dropdown-menu/dropdown-menu-checkbox-item.svelte b/src/lib/components/ui/dropdown-menu/dropdown-menu-checkbox-item.svelte
similarity index 100%
rename from lib/components/ui/dropdown-menu/dropdown-menu-checkbox-item.svelte
rename to src/lib/components/ui/dropdown-menu/dropdown-menu-checkbox-item.svelte
diff --git a/lib/components/ui/dropdown-menu/dropdown-menu-content.svelte b/src/lib/components/ui/dropdown-menu/dropdown-menu-content.svelte
similarity index 89%
rename from lib/components/ui/dropdown-menu/dropdown-menu-content.svelte
rename to src/lib/components/ui/dropdown-menu/dropdown-menu-content.svelte
index ab63976..341acdf 100644
--- a/lib/components/ui/dropdown-menu/dropdown-menu-content.svelte
+++ b/src/lib/components/ui/dropdown-menu/dropdown-menu-content.svelte
@@ -21,7 +21,7 @@
 		data-slot="dropdown-menu-content"
 		{sideOffset}
 		class={cn(
-			"bg-popover text-popover-foreground data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-end-2 data-[side=right]:slide-in-from-start-2 data-[side=top]:slide-in-from-bottom-2 max-h-(--bits-dropdown-menu-content-available-height) origin-(--bits-dropdown-menu-content-transform-origin) z-50 min-w-[8rem] overflow-y-auto overflow-x-hidden rounded-md border p-1 shadow-md outline-none",
+			"bg-popover text-popover-foreground data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-end-2 data-[side=right]:slide-in-from-start-2 data-[side=top]:slide-in-from-bottom-2 max-h-(--bits-dropdown-menu-content-available-height) origin-(--bits-dropdown-menu-content-transform-origin) z-[200] min-w-[8rem] overflow-y-auto overflow-x-hidden rounded-md border p-1 shadow-md outline-none",
 			className
 		)}
 		{...restProps}
diff --git a/lib/components/ui/dropdown-menu/dropdown-menu-group-heading.svelte b/src/lib/components/ui/dropdown-menu/dropdown-menu-group-heading.svelte
similarity index 100%
rename from lib/components/ui/dropdown-menu/dropdown-menu-group-heading.svelte
rename to src/lib/components/ui/dropdown-menu/dropdown-menu-group-heading.svelte
diff --git a/lib/components/ui/dropdown-menu/dropdown-menu-group.svelte b/src/lib/components/ui/dropdown-menu/dropdown-menu-group.svelte
similarity index 100%
rename from lib/components/ui/dropdown-menu/dropdown-menu-group.svelte
rename to src/lib/components/ui/dropdown-menu/dropdown-menu-group.svelte
diff --git a/lib/components/ui/dropdown-menu/dropdown-menu-item.svelte b/src/lib/components/ui/dropdown-menu/dropdown-menu-item.svelte
similarity index 100%
rename from lib/components/ui/dropdown-menu/dropdown-menu-item.svelte
rename to src/lib/components/ui/dropdown-menu/dropdown-menu-item.svelte
diff --git a/lib/components/ui/dropdown-menu/dropdown-menu-label.svelte b/src/lib/components/ui/dropdown-menu/dropdown-menu-label.svelte
similarity index 100%
rename from lib/components/ui/dropdown-menu/dropdown-menu-label.svelte
rename to src/lib/components/ui/dropdown-menu/dropdown-menu-label.svelte
diff --git a/lib/components/ui/dropdown-menu/dropdown-menu-portal.svelte b/src/lib/components/ui/dropdown-menu/dropdown-menu-portal.svelte
similarity index 100%
rename from lib/components/ui/dropdown-menu/dropdown-menu-portal.svelte
rename to src/lib/components/ui/dropdown-menu/dropdown-menu-portal.svelte
diff --git a/lib/components/ui/dropdown-menu/dropdown-menu-radio-group.svelte b/src/lib/components/ui/dropdown-menu/dropdown-menu-radio-group.svelte
similarity index 100%
rename from lib/components/ui/dropdown-menu/dropdown-menu-radio-group.svelte
rename to src/lib/components/ui/dropdown-menu/dropdown-menu-radio-group.svelte
diff --git a/lib/components/ui/dropdown-menu/dropdown-menu-radio-item.svelte b/src/lib/components/ui/dropdown-menu/dropdown-menu-radio-item.svelte
similarity index 100%
rename from lib/components/ui/dropdown-menu/dropdown-menu-radio-item.svelte
rename to src/lib/components/ui/dropdown-menu/dropdown-menu-radio-item.svelte
diff --git a/lib/components/ui/dropdown-menu/dropdown-menu-separator.svelte b/src/lib/components/ui/dropdown-menu/dropdown-menu-separator.svelte
similarity index 100%
rename from lib/components/ui/dropdown-menu/dropdown-menu-separator.svelte
rename to src/lib/components/ui/dropdown-menu/dropdown-menu-separator.svelte
diff --git a/lib/components/ui/dropdown-menu/dropdown-menu-shortcut.svelte b/src/lib/components/ui/dropdown-menu/dropdown-menu-shortcut.svelte
similarity index 100%
rename from lib/components/ui/dropdown-menu/dropdown-menu-shortcut.svelte
rename to src/lib/components/ui/dropdown-menu/dropdown-menu-shortcut.svelte
diff --git a/lib/components/ui/dropdown-menu/dropdown-menu-sub-content.svelte b/src/lib/components/ui/dropdown-menu/dropdown-menu-sub-content.svelte
similarity index 86%
rename from lib/components/ui/dropdown-menu/dropdown-menu-sub-content.svelte
rename to src/lib/components/ui/dropdown-menu/dropdown-menu-sub-content.svelte
index d0eea9c..4951456 100644
--- a/lib/components/ui/dropdown-menu/dropdown-menu-sub-content.svelte
+++ b/src/lib/components/ui/dropdown-menu/dropdown-menu-sub-content.svelte
@@ -13,7 +13,7 @@
 	bind:ref
 	data-slot="dropdown-menu-sub-content"
 	class={cn(
-		"bg-popover text-popover-foreground data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-end-2 data-[side=right]:slide-in-from-start-2 data-[side=top]:slide-in-from-bottom-2 origin-(--bits-dropdown-menu-content-transform-origin) z-50 min-w-[8rem] overflow-hidden rounded-md border p-1 shadow-lg",
+		"bg-popover text-popover-foreground data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-end-2 data-[side=right]:slide-in-from-start-2 data-[side=top]:slide-in-from-bottom-2 origin-(--bits-dropdown-menu-content-transform-origin) z-[200] min-w-[8rem] overflow-hidden rounded-md border p-1 shadow-lg",
 		className
 	)}
 	{...restProps}
diff --git a/lib/components/ui/dropdown-menu/dropdown-menu-sub-trigger.svelte b/src/lib/components/ui/dropdown-menu/dropdown-menu-sub-trigger.svelte
similarity index 100%
rename from lib/components/ui/dropdown-menu/dropdown-menu-sub-trigger.svelte
rename to src/lib/components/ui/dropdown-menu/dropdown-menu-sub-trigger.svelte
diff --git a/lib/components/ui/dropdown-menu/dropdown-menu-sub.svelte b/src/lib/components/ui/dropdown-menu/dropdown-menu-sub.svelte
similarity index 100%
rename from lib/components/ui/dropdown-menu/dropdown-menu-sub.svelte
rename to src/lib/components/ui/dropdown-menu/dropdown-menu-sub.svelte
diff --git a/lib/components/ui/dropdown-menu/dropdown-menu-trigger.svelte b/src/lib/components/ui/dropdown-menu/dropdown-menu-trigger.svelte
similarity index 100%
rename from lib/components/ui/dropdown-menu/dropdown-menu-trigger.svelte
rename to src/lib/components/ui/dropdown-menu/dropdown-menu-trigger.svelte
diff --git a/lib/components/ui/dropdown-menu/dropdown-menu.svelte b/src/lib/components/ui/dropdown-menu/dropdown-menu.svelte
similarity index 100%
rename from lib/components/ui/dropdown-menu/dropdown-menu.svelte
rename to src/lib/components/ui/dropdown-menu/dropdown-menu.svelte
diff --git a/lib/components/ui/dropdown-menu/index.ts b/src/lib/components/ui/dropdown-menu/index.ts
similarity index 100%
rename from lib/components/ui/dropdown-menu/index.ts
rename to src/lib/components/ui/dropdown-menu/index.ts
diff --git a/lib/components/ui/empty-state/empty-state.svelte b/src/lib/components/ui/empty-state/empty-state.svelte
similarity index 100%
rename from lib/components/ui/empty-state/empty-state.svelte
rename to src/lib/components/ui/empty-state/empty-state.svelte
diff --git a/lib/components/ui/empty-state/index.ts b/src/lib/components/ui/empty-state/index.ts
similarity index 100%
rename from lib/components/ui/empty-state/index.ts
rename to src/lib/components/ui/empty-state/index.ts
diff --git a/lib/components/ui/empty-state/no-environment.svelte b/src/lib/components/ui/empty-state/no-environment.svelte
similarity index 100%
rename from lib/components/ui/empty-state/no-environment.svelte
rename to src/lib/components/ui/empty-state/no-environment.svelte
diff --git a/src/lib/components/ui/error-dialog/error-dialog.svelte b/src/lib/components/ui/error-dialog/error-dialog.svelte
new file mode 100644
index 0000000..e17c750
--- /dev/null
+++ b/src/lib/components/ui/error-dialog/error-dialog.svelte
@@ -0,0 +1,183 @@
+<script lang="ts">
+	import * as Dialog from '$lib/components/ui/dialog';
+	import { Button } from '$lib/components/ui/button';
+	import { AlertCircle, Copy, Check, AlertTriangle, CheckCircle2, XCircle } from 'lucide-svelte';
+
+	interface Props {
+		open: boolean;
+		title: string;
+		message: string;
+		details?: string;
+		onClose: () => void;
+	}
+
+	let { open = $bindable(), title, message, details, onClose }: Props = $props();
+	let copied = $state(false);
+
+	interface ParsedOutput {
+		warnings: string[];
+		steps: { action: string; status: 'creating' | 'created' | 'starting' | 'started' | 'error' }[];
+		error: string | null;
+		raw: string;
+		parsed: boolean;
+	}
+
+	// Parse docker compose output into structured format
+	function parseDockerOutput(text: string): ParsedOutput {
+		const result: ParsedOutput = {
+			warnings: [],
+			steps: [],
+			error: null,
+			raw: text,
+			parsed: false
+		};
+
+		try {
+			const lines = text.split('\n').map(l => l.trim()).filter(Boolean);
+
+			for (const line of lines) {
+				// Parse time="..." level=warning msg="..."
+				const warningMatch = line.match(/time="[^"]*"\s+level=warning\s+msg="([^"]+)"/);
+				if (warningMatch) {
+					result.warnings.push(warningMatch[1]);
+					result.parsed = true;
+					continue;
+				}
+
+				// Parse container/network steps: "Network foo Creating" or "Container foo-1 Created"
+				const stepMatch = line.match(/^\s*(Network|Container|Volume)\s+(\S+)\s+(Creating|Created|Starting|Started|Stopping|Stopped|Removing|Removed)\s*$/i);
+				if (stepMatch) {
+					const [, type, name, status] = stepMatch;
+					const normalizedStatus = status.toLowerCase() as any;
+					result.steps.push({
+						action: `${type} ${name}`,
+						status: normalizedStatus
+					});
+					result.parsed = true;
+					continue;
+				}
+
+				// Parse error lines
+				if (line.startsWith('Error') || line.includes('error') || line.includes('failed')) {
+					result.error = result.error ? `${result.error}\n${line}` : line;
+					result.parsed = true;
+					continue;
+				}
+			}
+
+			// If we parsed something but have no clear error, check for remaining unparsed content
+			if (result.parsed && !result.error) {
+				const unparsed = lines.filter(line => {
+					if (line.match(/time="[^"]*"\s+level=warning/)) return false;
+					if (line.match(/^\s*(Network|Container|Volume)\s+\S+\s+(Creating|Created|Starting|Started|Stopping|Stopped|Removing|Removed)\s*$/i)) return false;
+					return true;
+				});
+				if (unparsed.length > 0) {
+					result.error = unparsed.join('\n');
+				}
+			}
+		} catch {
+			// Parsing failed, will show raw message
+		}
+
+		return result;
+	}
+
+	const parsed = $derived(parseDockerOutput(message));
+
+	async function copyError() {
+		const text = details ? `${message}\n\n${details}` : message;
+		await navigator.clipboard.writeText(text);
+		copied = true;
+		setTimeout(() => (copied = false), 2000);
+	}
+
+	function handleClose() {
+		open = false;
+		onClose();
+	}
+</script>
+
+<Dialog.Root bind:open onOpenChange={(o) => !o && handleClose()}>
+	<Dialog.Content class="max-w-2xl">
+		<Dialog.Header>
+			<Dialog.Title class="flex items-center gap-2 text-destructive">
+				<AlertCircle class="w-5 h-5" />
+				{title}
+			</Dialog.Title>
+		</Dialog.Header>
+		<div class="space-y-3 max-h-[60vh] overflow-y-auto">
+			{#if parsed.parsed}
+				<!-- Parsed docker compose output -->
+				{#if parsed.warnings.length > 0}
+					<div class="space-y-1">
+						{#each parsed.warnings as warning}
+							<div class="flex items-start gap-2 text-xs text-amber-600 dark:text-amber-400 bg-amber-50 dark:bg-amber-900/20 border border-amber-200 dark:border-amber-800/50 px-2.5 py-1.5 rounded-md">
+								<AlertTriangle class="w-3.5 h-3.5 shrink-0 mt-0.5" />
+								<span>{warning}</span>
+							</div>
+						{/each}
+					</div>
+				{/if}
+
+				{#if parsed.steps.length > 0}
+					<div class="bg-zinc-100 dark:bg-zinc-800 border border-zinc-200 dark:border-zinc-700 rounded-md p-2.5 space-y-1">
+						{#each parsed.steps as step}
+							<div class="flex items-center gap-2 text-xs font-mono">
+								{#if step.status === 'created' || step.status === 'started' || step.status === 'removed' || step.status === 'stopped'}
+									<CheckCircle2 class="w-3.5 h-3.5 text-green-500" />
+								{:else if step.status === 'error'}
+									<XCircle class="w-3.5 h-3.5 text-red-500" />
+								{:else}
+									<div class="w-3.5 h-3.5 rounded-full border-2 border-zinc-400"></div>
+								{/if}
+								<span class="text-zinc-600 dark:text-zinc-300">{step.action}</span>
+								<span class="text-zinc-400 dark:text-zinc-500 capitalize">{step.status}</span>
+							</div>
+						{/each}
+					</div>
+				{/if}
+
+				{#if parsed.error}
+					<div class="bg-zinc-100 dark:bg-zinc-800 border border-zinc-200 dark:border-zinc-700 rounded-md p-3 relative group">
+						<button
+							onclick={copyError}
+							class="absolute top-2 right-2 p-1 rounded text-zinc-400 hover:text-zinc-600 dark:text-zinc-500 dark:hover:text-zinc-300 hover:bg-zinc-200 dark:hover:bg-zinc-700 transition-opacity"
+							title="Copy error"
+						>
+							{#if copied}
+								<Check class="w-3.5 h-3.5" />
+							{:else}
+								<Copy class="w-3.5 h-3.5" />
+							{/if}
+						</button>
+						<pre class="text-sm text-zinc-700 dark:text-zinc-300 whitespace-pre-wrap break-words font-mono pr-6">{parsed.error}</pre>
+					</div>
+				{/if}
+			{:else}
+				<!-- Fallback to raw message -->
+				<div class="relative group">
+					<button
+						onclick={copyError}
+						class="absolute top-1 right-1 p-1 rounded text-zinc-400 hover:text-zinc-600 dark:text-zinc-500 dark:hover:text-zinc-300 hover:bg-zinc-100 dark:hover:bg-zinc-700 opacity-0 group-hover:opacity-100 transition-opacity"
+						title="Copy error"
+					>
+						{#if copied}
+							<Check class="w-3.5 h-3.5" />
+						{:else}
+							<Copy class="w-3.5 h-3.5" />
+						{/if}
+					</button>
+					<pre class="text-sm whitespace-pre-wrap font-sans pr-6">{message}</pre>
+				</div>
+			{/if}
+
+			{#if details}
+				<pre class="text-xs bg-zinc-100 dark:bg-zinc-800 p-3 rounded-md overflow-auto max-h-64 whitespace-pre-wrap break-all">{details}</pre>
+			{/if}
+		</div>
+		<Dialog.Footer class="flex gap-2 sm:justify-end">
+			<Button onclick={handleClose}>OK</Button>
+		</Dialog.Footer>
+	</Dialog.Content>
+</Dialog.Root>
diff --git a/src/lib/components/ui/error-dialog/index.ts b/src/lib/components/ui/error-dialog/index.ts
new file mode 100644
index 0000000..7a28cca
--- /dev/null
+++ b/src/lib/components/ui/error-dialog/index.ts
@@ -0,0 +1,3 @@
+import ErrorDialog from './error-dialog.svelte';
+
+export { ErrorDialog };
diff --git a/lib/components/ui/input/index.ts b/src/lib/components/ui/input/index.ts
similarity index 100%
rename from lib/components/ui/input/index.ts
rename to src/lib/components/ui/input/index.ts
diff --git a/lib/components/ui/input/input.svelte b/src/lib/components/ui/input/input.svelte
similarity index 100%
rename from lib/components/ui/input/input.svelte
rename to src/lib/components/ui/input/input.svelte
diff --git a/lib/components/ui/label/index.ts b/src/lib/components/ui/label/index.ts
similarity index 100%
rename from lib/components/ui/label/index.ts
rename to src/lib/components/ui/label/index.ts
diff --git a/lib/components/ui/label/label.svelte b/src/lib/components/ui/label/label.svelte
similarity index 100%
rename from lib/components/ui/label/label.svelte
rename to src/lib/components/ui/label/label.svelte
diff --git a/lib/components/ui/popover/index.ts b/src/lib/components/ui/popover/index.ts
similarity index 100%
rename from lib/components/ui/popover/index.ts
rename to src/lib/components/ui/popover/index.ts
diff --git a/lib/components/ui/popover/popover-content.svelte b/src/lib/components/ui/popover/popover-content.svelte
similarity index 90%
rename from lib/components/ui/popover/popover-content.svelte
rename to src/lib/components/ui/popover/popover-content.svelte
index 1a979cd..f09f3fc 100644
--- a/lib/components/ui/popover/popover-content.svelte
+++ b/src/lib/components/ui/popover/popover-content.svelte
@@ -21,7 +21,7 @@
 		{sideOffset}
 		{align}
 		class={cn(
-			"bg-popover text-popover-foreground data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-end-2 data-[side=right]:slide-in-from-start-2 data-[side=top]:slide-in-from-bottom-2 origin-(--bits-popover-content-transform-origin) outline-hidden z-50 w-72 rounded-md border p-4 shadow-md",
+			"bg-popover text-popover-foreground data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-end-2 data-[side=right]:slide-in-from-start-2 data-[side=top]:slide-in-from-bottom-2 origin-(--bits-popover-content-transform-origin) outline-hidden z-[200] w-72 rounded-md border p-4 shadow-md",
 			className
 		)}
 		{...restProps}
diff --git a/lib/components/ui/popover/popover-trigger.svelte b/src/lib/components/ui/popover/popover-trigger.svelte
similarity index 100%
rename from lib/components/ui/popover/popover-trigger.svelte
rename to src/lib/components/ui/popover/popover-trigger.svelte
diff --git a/lib/components/ui/progress/index.ts b/src/lib/components/ui/progress/index.ts
similarity index 100%
rename from lib/components/ui/progress/index.ts
rename to src/lib/components/ui/progress/index.ts
diff --git a/lib/components/ui/progress/progress.svelte b/src/lib/components/ui/progress/progress.svelte
similarity index 100%
rename from lib/components/ui/progress/progress.svelte
rename to src/lib/components/ui/progress/progress.svelte
diff --git a/lib/components/ui/select/index.ts b/src/lib/components/ui/select/index.ts
similarity index 100%
rename from lib/components/ui/select/index.ts
rename to src/lib/components/ui/select/index.ts
diff --git a/lib/components/ui/select/select-content.svelte b/src/lib/components/ui/select/select-content.svelte
similarity index 85%
rename from lib/components/ui/select/select-content.svelte
rename to src/lib/components/ui/select/select-content.svelte
index 1a96d3c..193ee42 100644
--- a/lib/components/ui/select/select-content.svelte
+++ b/src/lib/components/ui/select/select-content.svelte
@@ -24,7 +24,7 @@
 		{preventScroll}
 		data-slot="select-content"
 		class={cn(
-			"bg-popover text-popover-foreground data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-end-2 data-[side=right]:slide-in-from-start-2 data-[side=top]:slide-in-from-bottom-2 max-h-(--bits-select-content-available-height) origin-(--bits-select-content-transform-origin) relative z-50 min-w-[8rem] overflow-y-auto overflow-x-hidden rounded-md border shadow-md data-[side=bottom]:translate-y-1 data-[side=left]:-translate-x-1 data-[side=right]:translate-x-1 data-[side=top]:-translate-y-1",
+			"bg-popover text-popover-foreground data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-end-2 data-[side=right]:slide-in-from-start-2 data-[side=top]:slide-in-from-bottom-2 max-h-(--bits-select-content-available-height) origin-(--bits-select-content-transform-origin) relative z-[200] min-w-[8rem] overflow-y-auto overflow-x-hidden rounded-md border shadow-md data-[side=bottom]:translate-y-1 data-[side=left]:-translate-x-1 data-[side=right]:translate-x-1 data-[side=top]:-translate-y-1",
 			className
 		)}
 		{...restProps}
diff --git a/lib/components/ui/select/select-group-heading.svelte b/src/lib/components/ui/select/select-group-heading.svelte
similarity index 100%
rename from lib/components/ui/select/select-group-heading.svelte
rename to src/lib/components/ui/select/select-group-heading.svelte
diff --git a/lib/components/ui/select/select-group.svelte b/src/lib/components/ui/select/select-group.svelte
similarity index 100%
rename from lib/components/ui/select/select-group.svelte
rename to src/lib/components/ui/select/select-group.svelte
diff --git a/lib/components/ui/select/select-item.svelte b/src/lib/components/ui/select/select-item.svelte
similarity index 100%
rename from lib/components/ui/select/select-item.svelte
rename to src/lib/components/ui/select/select-item.svelte
diff --git a/lib/components/ui/select/select-label.svelte b/src/lib/components/ui/select/select-label.svelte
similarity index 100%
rename from lib/components/ui/select/select-label.svelte
rename to src/lib/components/ui/select/select-label.svelte
diff --git a/lib/components/ui/select/select-scroll-down-button.svelte b/src/lib/components/ui/select/select-scroll-down-button.svelte
similarity index 100%
rename from lib/components/ui/select/select-scroll-down-button.svelte
rename to src/lib/components/ui/select/select-scroll-down-button.svelte
diff --git a/lib/components/ui/select/select-scroll-up-button.svelte b/src/lib/components/ui/select/select-scroll-up-button.svelte
similarity index 100%
rename from lib/components/ui/select/select-scroll-up-button.svelte
rename to src/lib/components/ui/select/select-scroll-up-button.svelte
diff --git a/lib/components/ui/select/select-separator.svelte b/src/lib/components/ui/select/select-separator.svelte
similarity index 100%
rename from lib/components/ui/select/select-separator.svelte
rename to src/lib/components/ui/select/select-separator.svelte
diff --git a/lib/components/ui/select/select-trigger.svelte b/src/lib/components/ui/select/select-trigger.svelte
similarity index 100%
rename from lib/components/ui/select/select-trigger.svelte
rename to src/lib/components/ui/select/select-trigger.svelte
diff --git a/lib/components/ui/separator/index.ts b/src/lib/components/ui/separator/index.ts
similarity index 100%
rename from lib/components/ui/separator/index.ts
rename to src/lib/components/ui/separator/index.ts
diff --git a/lib/components/ui/separator/separator.svelte b/src/lib/components/ui/separator/separator.svelte
similarity index 100%
rename from lib/components/ui/separator/separator.svelte
rename to src/lib/components/ui/separator/separator.svelte
diff --git a/lib/components/ui/sheet/index.ts b/src/lib/components/ui/sheet/index.ts
similarity index 100%
rename from lib/components/ui/sheet/index.ts
rename to src/lib/components/ui/sheet/index.ts
diff --git a/lib/components/ui/sheet/sheet-close.svelte b/src/lib/components/ui/sheet/sheet-close.svelte
similarity index 100%
rename from lib/components/ui/sheet/sheet-close.svelte
rename to src/lib/components/ui/sheet/sheet-close.svelte
diff --git a/lib/components/ui/sheet/sheet-content.svelte b/src/lib/components/ui/sheet/sheet-content.svelte
similarity index 100%
rename from lib/components/ui/sheet/sheet-content.svelte
rename to src/lib/components/ui/sheet/sheet-content.svelte
diff --git a/lib/components/ui/sheet/sheet-description.svelte b/src/lib/components/ui/sheet/sheet-description.svelte
similarity index 100%
rename from lib/components/ui/sheet/sheet-description.svelte
rename to src/lib/components/ui/sheet/sheet-description.svelte
diff --git a/lib/components/ui/sheet/sheet-footer.svelte b/src/lib/components/ui/sheet/sheet-footer.svelte
similarity index 100%
rename from lib/components/ui/sheet/sheet-footer.svelte
rename to src/lib/components/ui/sheet/sheet-footer.svelte
diff --git a/lib/components/ui/sheet/sheet-header.svelte b/src/lib/components/ui/sheet/sheet-header.svelte
similarity index 100%
rename from lib/components/ui/sheet/sheet-header.svelte
rename to src/lib/components/ui/sheet/sheet-header.svelte
diff --git a/lib/components/ui/sheet/sheet-overlay.svelte b/src/lib/components/ui/sheet/sheet-overlay.svelte
similarity index 100%
rename from lib/components/ui/sheet/sheet-overlay.svelte
rename to src/lib/components/ui/sheet/sheet-overlay.svelte
diff --git a/lib/components/ui/sheet/sheet-title.svelte b/src/lib/components/ui/sheet/sheet-title.svelte
similarity index 100%
rename from lib/components/ui/sheet/sheet-title.svelte
rename to src/lib/components/ui/sheet/sheet-title.svelte
diff --git a/lib/components/ui/sheet/sheet-trigger.svelte b/src/lib/components/ui/sheet/sheet-trigger.svelte
similarity index 100%
rename from lib/components/ui/sheet/sheet-trigger.svelte
rename to src/lib/components/ui/sheet/sheet-trigger.svelte
diff --git a/lib/components/ui/sidebar/constants.ts b/src/lib/components/ui/sidebar/constants.ts
similarity index 100%
rename from lib/components/ui/sidebar/constants.ts
rename to src/lib/components/ui/sidebar/constants.ts
diff --git a/lib/components/ui/sidebar/context.svelte.ts b/src/lib/components/ui/sidebar/context.svelte.ts
similarity index 100%
rename from lib/components/ui/sidebar/context.svelte.ts
rename to src/lib/components/ui/sidebar/context.svelte.ts
diff --git a/lib/components/ui/sidebar/index.ts b/src/lib/components/ui/sidebar/index.ts
similarity index 100%
rename from lib/components/ui/sidebar/index.ts
rename to src/lib/components/ui/sidebar/index.ts
diff --git a/lib/components/ui/sidebar/sidebar-content.svelte b/src/lib/components/ui/sidebar/sidebar-content.svelte
similarity index 100%
rename from lib/components/ui/sidebar/sidebar-content.svelte
rename to src/lib/components/ui/sidebar/sidebar-content.svelte
diff --git a/lib/components/ui/sidebar/sidebar-footer.svelte b/src/lib/components/ui/sidebar/sidebar-footer.svelte
similarity index 100%
rename from lib/components/ui/sidebar/sidebar-footer.svelte
rename to src/lib/components/ui/sidebar/sidebar-footer.svelte
diff --git a/lib/components/ui/sidebar/sidebar-group-action.svelte b/src/lib/components/ui/sidebar/sidebar-group-action.svelte
similarity index 100%
rename from lib/components/ui/sidebar/sidebar-group-action.svelte
rename to src/lib/components/ui/sidebar/sidebar-group-action.svelte
diff --git a/lib/components/ui/sidebar/sidebar-group-content.svelte b/src/lib/components/ui/sidebar/sidebar-group-content.svelte
similarity index 100%
rename from lib/components/ui/sidebar/sidebar-group-content.svelte
rename to src/lib/components/ui/sidebar/sidebar-group-content.svelte
diff --git a/lib/components/ui/sidebar/sidebar-group-label.svelte b/src/lib/components/ui/sidebar/sidebar-group-label.svelte
similarity index 100%
rename from lib/components/ui/sidebar/sidebar-group-label.svelte
rename to src/lib/components/ui/sidebar/sidebar-group-label.svelte
diff --git a/lib/components/ui/sidebar/sidebar-group.svelte b/src/lib/components/ui/sidebar/sidebar-group.svelte
similarity index 100%
rename from lib/components/ui/sidebar/sidebar-group.svelte
rename to src/lib/components/ui/sidebar/sidebar-group.svelte
diff --git a/lib/components/ui/sidebar/sidebar-header.svelte b/src/lib/components/ui/sidebar/sidebar-header.svelte
similarity index 100%
rename from lib/components/ui/sidebar/sidebar-header.svelte
rename to src/lib/components/ui/sidebar/sidebar-header.svelte
diff --git a/lib/components/ui/sidebar/sidebar-input.svelte b/src/lib/components/ui/sidebar/sidebar-input.svelte
similarity index 100%
rename from lib/components/ui/sidebar/sidebar-input.svelte
rename to src/lib/components/ui/sidebar/sidebar-input.svelte
diff --git a/lib/components/ui/sidebar/sidebar-inset.svelte b/src/lib/components/ui/sidebar/sidebar-inset.svelte
similarity index 100%
rename from lib/components/ui/sidebar/sidebar-inset.svelte
rename to src/lib/components/ui/sidebar/sidebar-inset.svelte
diff --git a/lib/components/ui/sidebar/sidebar-menu-action.svelte b/src/lib/components/ui/sidebar/sidebar-menu-action.svelte
similarity index 100%
rename from lib/components/ui/sidebar/sidebar-menu-action.svelte
rename to src/lib/components/ui/sidebar/sidebar-menu-action.svelte
diff --git a/lib/components/ui/sidebar/sidebar-menu-badge.svelte b/src/lib/components/ui/sidebar/sidebar-menu-badge.svelte
similarity index 100%
rename from lib/components/ui/sidebar/sidebar-menu-badge.svelte
rename to src/lib/components/ui/sidebar/sidebar-menu-badge.svelte
diff --git a/lib/components/ui/sidebar/sidebar-menu-button.svelte b/src/lib/components/ui/sidebar/sidebar-menu-button.svelte
similarity index 100%
rename from lib/components/ui/sidebar/sidebar-menu-button.svelte
rename to src/lib/components/ui/sidebar/sidebar-menu-button.svelte
diff --git a/lib/components/ui/sidebar/sidebar-menu-item.svelte b/src/lib/components/ui/sidebar/sidebar-menu-item.svelte
similarity index 100%
rename from lib/components/ui/sidebar/sidebar-menu-item.svelte
rename to src/lib/components/ui/sidebar/sidebar-menu-item.svelte
diff --git a/lib/components/ui/sidebar/sidebar-menu-skeleton.svelte b/src/lib/components/ui/sidebar/sidebar-menu-skeleton.svelte
similarity index 100%
rename from lib/components/ui/sidebar/sidebar-menu-skeleton.svelte
rename to src/lib/components/ui/sidebar/sidebar-menu-skeleton.svelte
diff --git a/lib/components/ui/sidebar/sidebar-menu-sub-button.svelte b/src/lib/components/ui/sidebar/sidebar-menu-sub-button.svelte
similarity index 100%
rename from lib/components/ui/sidebar/sidebar-menu-sub-button.svelte
rename to src/lib/components/ui/sidebar/sidebar-menu-sub-button.svelte
diff --git a/lib/components/ui/sidebar/sidebar-menu-sub-item.svelte b/src/lib/components/ui/sidebar/sidebar-menu-sub-item.svelte
similarity index 100%
rename from lib/components/ui/sidebar/sidebar-menu-sub-item.svelte
rename to src/lib/components/ui/sidebar/sidebar-menu-sub-item.svelte
diff --git a/lib/components/ui/sidebar/sidebar-menu-sub.svelte b/src/lib/components/ui/sidebar/sidebar-menu-sub.svelte
similarity index 100%
rename from lib/components/ui/sidebar/sidebar-menu-sub.svelte
rename to src/lib/components/ui/sidebar/sidebar-menu-sub.svelte
diff --git a/lib/components/ui/sidebar/sidebar-menu.svelte b/src/lib/components/ui/sidebar/sidebar-menu.svelte
similarity index 100%
rename from lib/components/ui/sidebar/sidebar-menu.svelte
rename to src/lib/components/ui/sidebar/sidebar-menu.svelte
diff --git a/lib/components/ui/sidebar/sidebar-provider.svelte b/src/lib/components/ui/sidebar/sidebar-provider.svelte
similarity index 100%
rename from lib/components/ui/sidebar/sidebar-provider.svelte
rename to src/lib/components/ui/sidebar/sidebar-provider.svelte
diff --git a/lib/components/ui/sidebar/sidebar-rail.svelte b/src/lib/components/ui/sidebar/sidebar-rail.svelte
similarity index 100%
rename from lib/components/ui/sidebar/sidebar-rail.svelte
rename to src/lib/components/ui/sidebar/sidebar-rail.svelte
diff --git a/lib/components/ui/sidebar/sidebar-separator.svelte b/src/lib/components/ui/sidebar/sidebar-separator.svelte
similarity index 100%
rename from lib/components/ui/sidebar/sidebar-separator.svelte
rename to src/lib/components/ui/sidebar/sidebar-separator.svelte
diff --git a/lib/components/ui/sidebar/sidebar-trigger.svelte b/src/lib/components/ui/sidebar/sidebar-trigger.svelte
similarity index 100%
rename from lib/components/ui/sidebar/sidebar-trigger.svelte
rename to src/lib/components/ui/sidebar/sidebar-trigger.svelte
diff --git a/lib/components/ui/sidebar/sidebar.svelte b/src/lib/components/ui/sidebar/sidebar.svelte
similarity index 100%
rename from lib/components/ui/sidebar/sidebar.svelte
rename to src/lib/components/ui/sidebar/sidebar.svelte
diff --git a/lib/components/ui/skeleton/index.ts b/src/lib/components/ui/skeleton/index.ts
similarity index 100%
rename from lib/components/ui/skeleton/index.ts
rename to src/lib/components/ui/skeleton/index.ts
diff --git a/lib/components/ui/skeleton/skeleton.svelte b/src/lib/components/ui/skeleton/skeleton.svelte
similarity index 100%
rename from lib/components/ui/skeleton/skeleton.svelte
rename to src/lib/components/ui/skeleton/skeleton.svelte
diff --git a/lib/components/ui/sonner/index.ts b/src/lib/components/ui/sonner/index.ts
similarity index 100%
rename from lib/components/ui/sonner/index.ts
rename to src/lib/components/ui/sonner/index.ts
diff --git a/lib/components/ui/sonner/sonner.svelte b/src/lib/components/ui/sonner/sonner.svelte
similarity index 100%
rename from lib/components/ui/sonner/sonner.svelte
rename to src/lib/components/ui/sonner/sonner.svelte
diff --git a/lib/components/ui/switch/index.ts b/src/lib/components/ui/switch/index.ts
similarity index 100%
rename from lib/components/ui/switch/index.ts
rename to src/lib/components/ui/switch/index.ts
diff --git a/lib/components/ui/switch/switch.svelte b/src/lib/components/ui/switch/switch.svelte
similarity index 100%
rename from lib/components/ui/switch/switch.svelte
rename to src/lib/components/ui/switch/switch.svelte
diff --git a/lib/components/ui/table/index.ts b/src/lib/components/ui/table/index.ts
similarity index 100%
rename from lib/components/ui/table/index.ts
rename to src/lib/components/ui/table/index.ts
diff --git a/lib/components/ui/table/table-body.svelte b/src/lib/components/ui/table/table-body.svelte
similarity index 100%
rename from lib/components/ui/table/table-body.svelte
rename to src/lib/components/ui/table/table-body.svelte
diff --git a/lib/components/ui/table/table-caption.svelte b/src/lib/components/ui/table/table-caption.svelte
similarity index 100%
rename from lib/components/ui/table/table-caption.svelte
rename to src/lib/components/ui/table/table-caption.svelte
diff --git a/lib/components/ui/table/table-cell.svelte b/src/lib/components/ui/table/table-cell.svelte
similarity index 100%
rename from lib/components/ui/table/table-cell.svelte
rename to src/lib/components/ui/table/table-cell.svelte
diff --git a/lib/components/ui/table/table-footer.svelte b/src/lib/components/ui/table/table-footer.svelte
similarity index 100%
rename from lib/components/ui/table/table-footer.svelte
rename to src/lib/components/ui/table/table-footer.svelte
diff --git a/lib/components/ui/table/table-head.svelte b/src/lib/components/ui/table/table-head.svelte
similarity index 100%
rename from lib/components/ui/table/table-head.svelte
rename to src/lib/components/ui/table/table-head.svelte
diff --git a/lib/components/ui/table/table-header.svelte b/src/lib/components/ui/table/table-header.svelte
similarity index 100%
rename from lib/components/ui/table/table-header.svelte
rename to src/lib/components/ui/table/table-header.svelte
diff --git a/lib/components/ui/table/table-row.svelte b/src/lib/components/ui/table/table-row.svelte
similarity index 100%
rename from lib/components/ui/table/table-row.svelte
rename to src/lib/components/ui/table/table-row.svelte
diff --git a/lib/components/ui/table/table.svelte b/src/lib/components/ui/table/table.svelte
similarity index 100%
rename from lib/components/ui/table/table.svelte
rename to src/lib/components/ui/table/table.svelte
diff --git a/lib/components/ui/tabs/index.ts b/src/lib/components/ui/tabs/index.ts
similarity index 100%
rename from lib/components/ui/tabs/index.ts
rename to src/lib/components/ui/tabs/index.ts
diff --git a/lib/components/ui/tabs/tabs-content.svelte b/src/lib/components/ui/tabs/tabs-content.svelte
similarity index 100%
rename from lib/components/ui/tabs/tabs-content.svelte
rename to src/lib/components/ui/tabs/tabs-content.svelte
diff --git a/lib/components/ui/tabs/tabs-list.svelte b/src/lib/components/ui/tabs/tabs-list.svelte
similarity index 100%
rename from lib/components/ui/tabs/tabs-list.svelte
rename to src/lib/components/ui/tabs/tabs-list.svelte
diff --git a/lib/components/ui/tabs/tabs-trigger.svelte b/src/lib/components/ui/tabs/tabs-trigger.svelte
similarity index 100%
rename from lib/components/ui/tabs/tabs-trigger.svelte
rename to src/lib/components/ui/tabs/tabs-trigger.svelte
diff --git a/lib/components/ui/tabs/tabs.svelte b/src/lib/components/ui/tabs/tabs.svelte
similarity index 100%
rename from lib/components/ui/tabs/tabs.svelte
rename to src/lib/components/ui/tabs/tabs.svelte
diff --git a/lib/components/ui/textarea/index.ts b/src/lib/components/ui/textarea/index.ts
similarity index 100%
rename from lib/components/ui/textarea/index.ts
rename to src/lib/components/ui/textarea/index.ts
diff --git a/lib/components/ui/textarea/textarea.svelte b/src/lib/components/ui/textarea/textarea.svelte
similarity index 100%
rename from lib/components/ui/textarea/textarea.svelte
rename to src/lib/components/ui/textarea/textarea.svelte
diff --git a/lib/components/ui/toggle-pill/index.ts b/src/lib/components/ui/toggle-pill/index.ts
similarity index 100%
rename from lib/components/ui/toggle-pill/index.ts
rename to src/lib/components/ui/toggle-pill/index.ts
diff --git a/lib/components/ui/toggle-pill/toggle-group.svelte b/src/lib/components/ui/toggle-pill/toggle-group.svelte
similarity index 100%
rename from lib/components/ui/toggle-pill/toggle-group.svelte
rename to src/lib/components/ui/toggle-pill/toggle-group.svelte
diff --git a/lib/components/ui/toggle-pill/toggle-pill.svelte b/src/lib/components/ui/toggle-pill/toggle-pill.svelte
similarity index 100%
rename from lib/components/ui/toggle-pill/toggle-pill.svelte
rename to src/lib/components/ui/toggle-pill/toggle-pill.svelte
diff --git a/lib/components/ui/toggle-pill/toggle-switch.svelte b/src/lib/components/ui/toggle-pill/toggle-switch.svelte
similarity index 100%
rename from lib/components/ui/toggle-pill/toggle-switch.svelte
rename to src/lib/components/ui/toggle-pill/toggle-switch.svelte
diff --git a/lib/components/ui/tooltip/index.ts b/src/lib/components/ui/tooltip/index.ts
similarity index 100%
rename from lib/components/ui/tooltip/index.ts
rename to src/lib/components/ui/tooltip/index.ts
diff --git a/lib/components/ui/tooltip/tooltip-content.svelte b/src/lib/components/ui/tooltip/tooltip-content.svelte
similarity index 93%
rename from lib/components/ui/tooltip/tooltip-content.svelte
rename to src/lib/components/ui/tooltip/tooltip-content.svelte
index 63c24df..d1772f2 100644
--- a/lib/components/ui/tooltip/tooltip-content.svelte
+++ b/src/lib/components/ui/tooltip/tooltip-content.svelte
@@ -21,7 +21,7 @@
 	{sideOffset}
 	{side}
 	class={cn(
-		"bg-popover text-popover-foreground border shadow-lg animate-in fade-in-0 zoom-in-95 data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=closed]:zoom-out-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-end-2 data-[side=right]:slide-in-from-start-2 data-[side=top]:slide-in-from-bottom-2 origin-(--bits-tooltip-content-transform-origin) z-[100] w-fit fixed text-balance rounded-md px-3 py-1.5 text-xs",
+		"bg-popover text-popover-foreground border shadow-lg animate-in fade-in-0 zoom-in-95 data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=closed]:zoom-out-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-end-2 data-[side=right]:slide-in-from-start-2 data-[side=top]:slide-in-from-bottom-2 origin-(--bits-tooltip-content-transform-origin) z-[200] w-fit fixed text-balance rounded-md px-3 py-1.5 text-xs",
 		className
 	)}
 	{...restProps}
diff --git a/lib/components/ui/tooltip/tooltip-trigger.svelte b/src/lib/components/ui/tooltip/tooltip-trigger.svelte
similarity index 100%
rename from lib/components/ui/tooltip/tooltip-trigger.svelte
rename to src/lib/components/ui/tooltip/tooltip-trigger.svelte
diff --git a/lib/config/grid-columns.ts b/src/lib/config/grid-columns.ts
similarity index 96%
rename from lib/config/grid-columns.ts
rename to src/lib/config/grid-columns.ts
index 222c0d7..ef58556 100644
--- a/lib/config/grid-columns.ts
+++ b/src/lib/config/grid-columns.ts
@@ -37,7 +37,8 @@ export const imageTagColumns: ColumnConfig[] = [
 	{ id: 'id', label: 'ID', width: 120, minWidth: 80 },
 	{ id: 'size', label: 'Size', width: 80, minWidth: 60 },
 	{ id: 'created', label: 'Created', width: 140, minWidth: 100 },
-	{ id: 'actions', label: '', fixed: 'end', width: 100, resizable: false }
+	{ id: 'used', label: 'Used by', width: 100, minWidth: 70 },
+	{ id: 'actions', label: '', fixed: 'end', width: 200, resizable: false }
 ];
 
 // Network grid columns
@@ -58,7 +59,8 @@ export const stackColumns: ColumnConfig[] = [
 	{ id: 'expand', label: '', fixed: 'start', width: 24, resizable: false },
 	{ id: 'name', label: 'Name', sortable: true, sortField: 'name', width: 180, minWidth: 100, grow: true },
 	{ id: 'status', label: 'Status', sortable: true, sortField: 'status', width: 120, minWidth: 90 },
-	{ id: 'source', label: 'Source', width: 100, minWidth: 60 },
+	{ id: 'source', label: 'Source', width: 100, minWidth: 100, noTruncate: true },
+	{ id: 'location', label: 'Location', width: 180, minWidth: 100 },
 	{ id: 'containers', label: 'Containers', sortable: true, sortField: 'containers', width: 100, minWidth: 70 },
 	{ id: 'cpu', label: 'CPU', sortable: true, sortField: 'cpu', width: 60, minWidth: 50, align: 'right' },
 	{ id: 'memory', label: 'Memory', sortable: true, sortField: 'memory', width: 70, minWidth: 50, align: 'right' },
diff --git a/lib/data/changelog.json b/src/lib/data/changelog.json
similarity index 62%
rename from lib/data/changelog.json
rename to src/lib/data/changelog.json
index 74b1be9..62eb75b 100644
--- a/lib/data/changelog.json
+++ b/src/lib/data/changelog.json
@@ -1,4 +1,58 @@
 [
+  {
+    "version": "1.0.7",
+    "date": "2026-01-06",
+    "comingSoon": false,
+    "changes": [
+      { "type": "feature", "text": "Adopt stacks created outside Dockhand" },
+      { "type": "feature", "text": "Activity event collection mode (Stream/Poll) and metrics interval settings for reduced CPU usage" },
+      { "type": "feature", "text": "Baseline Docker images for CPUs without AVX support" },
+      { "type": "feature", "text": "Show amber \"Unused\" badge for images not used by any container" },
+      { "type": "feature", "text": "Prune unused button to remove all unused images (not just dangling)" },
+      { "type": "fix", "text": "Stack collision on disk - stacks are now saved in environment folders" },
+      { "type": "fix", "text": "Checkbox selection delay in datagrid" },
+      { "type": "fix", "text": "Crypto fallback for old Linux kernels (<3.17) that lack getrandom() syscall" },
+      { "type": "fix", "text": "Dashboard performance with many environments" },
+      { "type": "fix", "text": "Can't use authenticated custom registry"},
+      { "type": "fix", "text": "mTLS connections failing due to Bun TLS caching bug"}
+    ],
+    "imageTag": "fnsys/dockhand:v1.0.7"
+  },
+  {
+    "version": "1.0.6",
+    "date": "2026-01-03",
+    "changes": [
+      { "type": "fix", "text": "Legacy CPU support (Celeron, Atom) - Bun binary now copied from official image instead of Wolfi package" },
+      { "type": "fix", "text": "Stack modal layouts improved with resizable split panels" },
+      { "type": "fix", "text": "Missing column headers in images overview" }
+    ],
+    "imageTag": "fnsys/dockhand:v1.0.6"
+  },
+  {
+    "version": "1.0.5",
+    "date": "2026-01-01",
+    "changes": [
+      { "type": "feature", "text": "Custom hardened image built from scratch using Wolfi packages, eliminating Alpine vulnerabilities" },
+      { "type": "feature", "text": "Clicking container name opens container details" },
+      { "type": "feature", "text": "Clicking stack name opens stack editor (internal stacks)" },
+      { "type": "feature", "text": "Stack env editor now supports freestyle text entry for pasting env contents" },
+      { "type": "feature", "text": "Stack env vars saved as .env file next to compose, respecting external edits" },
+      { "type": "feature", "text": "Additional container options: ulimits, security options, DNS settings" },
+      { "type": "fix", "text": "DataGrid performance and memory leak on Activity page with thousands of rows" },
+      { "type": "fix", "text": "Webhook endpoints bypass session authentication when auth is enabled" },
+      { "type": "fix", "text": "PUID 1000 conflict with existing dockhand user in container" },
+      { "type": "fix", "text": "Gmail SMTP notification errors" },
+      { "type": "fix", "text": "More detailed error messages when stack fails to start" },
+      { "type": "fix", "text": "Container startup with user: directive in compose" },
+      { "type": "fix", "text": "Stack editor flickering when typing fast" },
+      { "type": "fix", "text": "Container unhealthy notifications not triggering" },
+      { "type": "fix", "text": "tlsSkipVerify not being saved in environment settings" },
+      { "type": "fix", "text": "MFA available to all users without enterprise license" },
+      { "type": "fix", "text": "Socket proxy documentation and examples" },
+      { "type": "fix", "text": "Edit container modal reloading during editing" }
+    ],
+    "imageTag": "fnsys/dockhand:v1.0.5"
+  },
   {
     "version": "1.0.4",
     "date": "2025-12-28",
diff --git a/lib/data/dependencies.json b/src/lib/data/dependencies.json
similarity index 67%
rename from lib/data/dependencies.json
rename to src/lib/data/dependencies.json
index da0d0de..732c300 100644
--- a/lib/data/dependencies.json
+++ b/src/lib/data/dependencies.json
@@ -7,7 +7,7 @@
   },
   {
     "name": "@codemirror/commands",
-    "version": "6.10.0",
+    "version": "6.10.1",
     "license": "MIT",
     "repository": "https://github.com/codemirror/commands"
   },
@@ -59,9 +59,15 @@
     "license": "MIT",
     "repository": "https://github.com/codemirror/lang-xml"
   },
+  {
+    "name": "@codemirror/lang-yaml",
+    "version": "6.1.2",
+    "license": "MIT",
+    "repository": "https://github.com/codemirror/lang-yaml"
+  },
   {
     "name": "@codemirror/language",
-    "version": "6.11.3",
+    "version": "6.12.1",
     "license": "MIT",
     "repository": "https://github.com/codemirror/language"
   },
@@ -79,13 +85,19 @@
   },
   {
     "name": "@codemirror/state",
-    "version": "6.5.2",
+    "version": "6.5.3",
     "license": "MIT",
     "repository": "https://github.com/codemirror/state"
   },
+  {
+    "name": "@codemirror/theme-one-dark",
+    "version": "6.1.3",
+    "license": "MIT",
+    "repository": "https://github.com/codemirror/theme-one-dark"
+  },
   {
     "name": "@codemirror/view",
-    "version": "6.38.8",
+    "version": "6.39.9",
     "license": "MIT",
     "repository": "https://github.com/codemirror/view"
   },
@@ -121,7 +133,7 @@
   },
   {
     "name": "@lezer/common",
-    "version": "1.4.0",
+    "version": "1.5.0",
     "license": "MIT",
     "repository": "https://github.com/lezer-parser/common"
   },
@@ -139,7 +151,7 @@
   },
   {
     "name": "@lezer/html",
-    "version": "1.3.12",
+    "version": "1.3.13",
     "license": "MIT",
     "repository": "https://github.com/lezer-parser/html"
   },
@@ -157,13 +169,13 @@
   },
   {
     "name": "@lezer/lr",
-    "version": "1.4.4",
+    "version": "1.4.7",
     "license": "MIT",
     "repository": "https://github.com/lezer-parser/lr"
   },
   {
     "name": "@lezer/markdown",
-    "version": "1.6.1",
+    "version": "1.6.3",
     "license": "MIT",
     "repository": "https://github.com/lezer-parser/markdown"
   },
@@ -179,6 +191,12 @@
     "license": "MIT",
     "repository": "https://github.com/lezer-parser/xml"
   },
+  {
+    "name": "@lezer/yaml",
+    "version": "1.0.3",
+    "license": "MIT",
+    "repository": "https://github.com/lezer-parser/yaml"
+  },
   {
     "name": "@lucide/lab",
     "version": "0.1.2",
@@ -203,18 +221,6 @@
     "license": "MIT",
     "repository": "https://github.com/sveltejs/acorn-typescript"
   },
-  {
-    "name": "@types/asn1",
-    "version": "0.2.4",
-    "license": "MIT",
-    "repository": "https://github.com/DefinitelyTyped/DefinitelyTyped"
-  },
-  {
-    "name": "@types/better-sqlite3",
-    "version": "7.6.13",
-    "license": "MIT",
-    "repository": "https://github.com/DefinitelyTyped/DefinitelyTyped"
-  },
   {
     "name": "@types/estree",
     "version": "1.0.8",
@@ -223,7 +229,7 @@
   },
   {
     "name": "@types/node",
-    "version": "24.10.1",
+    "version": "25.0.7",
     "license": "MIT",
     "repository": "https://github.com/DefinitelyTyped/DefinitelyTyped"
   },
@@ -257,51 +263,15 @@
     "license": "Apache-2.0",
     "repository": "https://github.com/A11yance/aria-query"
   },
-  {
-    "name": "asn1",
-    "version": "0.2.6",
-    "license": "MIT",
-    "repository": "https://github.com/joyent/node-asn1"
-  },
   {
     "name": "axobject-query",
     "version": "4.1.0",
     "license": "Apache-2.0",
     "repository": "https://github.com/A11yance/axobject-query"
   },
-  {
-    "name": "base64-js",
-    "version": "1.5.1",
-    "license": "MIT",
-    "repository": "https://github.com/beatgammit/base64-js"
-  },
-  {
-    "name": "better-sqlite3",
-    "version": "12.5.0",
-    "license": "MIT",
-    "repository": "https://github.com/WiseLibs/better-sqlite3"
-  },
-  {
-    "name": "bindings",
-    "version": "1.5.0",
-    "license": "MIT",
-    "repository": "https://github.com/TooTallNate/node-bindings"
-  },
-  {
-    "name": "bl",
-    "version": "4.1.0",
-    "license": "MIT",
-    "repository": "https://github.com/rvagg/bl"
-  },
-  {
-    "name": "buffer",
-    "version": "5.7.1",
-    "license": "MIT",
-    "repository": "https://github.com/feross/buffer"
-  },
   {
     "name": "bun-types",
-    "version": "1.3.3",
+    "version": "1.3.5",
     "license": "MIT",
     "repository": "https://github.com/oven-sh/bun"
   },
@@ -311,12 +281,6 @@
     "license": "MIT",
     "repository": "https://github.com/sindresorhus/camelcase"
   },
-  {
-    "name": "chownr",
-    "version": "1.1.4",
-    "license": "ISC",
-    "repository": "https://github.com/isaacs/chownr"
-  },
   {
     "name": "cliui",
     "version": "6.0.0",
@@ -329,6 +293,12 @@
     "license": "MIT",
     "repository": "https://github.com/lukeed/clsx"
   },
+  {
+    "name": "codemirror",
+    "version": "6.0.2",
+    "license": "MIT",
+    "repository": "https://github.com/codemirror/basic-setup"
+  },
   {
     "name": "color-convert",
     "version": "2.0.1",
@@ -359,39 +329,15 @@
     "license": "MIT",
     "repository": "https://github.com/bradymholt/cronstrue"
   },
-  {
-    "name": "debug",
-    "version": "4.4.3",
-    "license": "MIT",
-    "repository": "https://github.com/debug-js/debug"
-  },
   {
     "name": "decamelize",
     "version": "1.2.0",
     "license": "MIT",
     "repository": "https://github.com/sindresorhus/decamelize"
   },
-  {
-    "name": "decompress-response",
-    "version": "6.0.0",
-    "license": "MIT",
-    "repository": "https://github.com/sindresorhus/decompress-response"
-  },
-  {
-    "name": "deep-extend",
-    "version": "0.6.0",
-    "license": "MIT",
-    "repository": "https://github.com/unclechu/node-deep-extend"
-  },
-  {
-    "name": "detect-libc",
-    "version": "2.1.2",
-    "license": "Apache-2.0",
-    "repository": "https://github.com/lovell/detect-libc"
-  },
   {
     "name": "devalue",
-    "version": "5.5.0",
+    "version": "5.6.1",
     "license": "MIT",
     "repository": "https://github.com/sveltejs/devalue"
   },
@@ -403,13 +349,13 @@
   },
   {
     "name": "dockhand",
-    "version": "1.0.3",
+    "version": "1.0.7",
     "license": "UNLICENSED",
     "repository": null
   },
   {
     "name": "drizzle-orm",
-    "version": "0.45.0",
+    "version": "0.45.1",
     "license": "Apache-2.0",
     "repository": "https://github.com/drizzle-team/drizzle-orm"
   },
@@ -419,12 +365,6 @@
     "license": "MIT",
     "repository": "https://github.com/mathiasbynens/emoji-regex"
   },
-  {
-    "name": "end-of-stream",
-    "version": "1.4.5",
-    "license": "MIT",
-    "repository": "https://github.com/mafintosh/end-of-stream"
-  },
   {
     "name": "esm-env",
     "version": "1.2.2",
@@ -437,30 +377,12 @@
     "license": "MIT",
     "repository": "https://github.com/sveltejs/esrap"
   },
-  {
-    "name": "expand-template",
-    "version": "2.0.3",
-    "license": "(MIT OR WTFPL)",
-    "repository": "https://github.com/ralphtheninja/expand-template"
-  },
-  {
-    "name": "file-uri-to-path",
-    "version": "1.0.0",
-    "license": "MIT",
-    "repository": "https://github.com/TooTallNate/file-uri-to-path"
-  },
   {
     "name": "find-up",
     "version": "4.1.0",
     "license": "MIT",
     "repository": "https://github.com/sindresorhus/find-up"
   },
-  {
-    "name": "fs-constants",
-    "version": "1.0.0",
-    "license": "MIT",
-    "repository": "https://github.com/mafintosh/fs-constants"
-  },
   {
     "name": "get-caller-file",
     "version": "2.0.5",
@@ -468,28 +390,10 @@
     "repository": "https://github.com/stefanpenner/get-caller-file"
   },
   {
-    "name": "github-from-package",
-    "version": "0.0.0",
+    "name": "hash-wasm",
+    "version": "4.12.0",
     "license": "MIT",
-    "repository": "https://github.com/substack/github-from-package"
-  },
-  {
-    "name": "ieee754",
-    "version": "1.2.1",
-    "license": "BSD-3-Clause",
-    "repository": "https://github.com/feross/ieee754"
-  },
-  {
-    "name": "inherits",
-    "version": "2.0.4",
-    "license": "ISC",
-    "repository": "https://github.com/isaacs/inherits"
-  },
-  {
-    "name": "ini",
-    "version": "1.3.8",
-    "license": "ISC",
-    "repository": "https://github.com/isaacs/ini"
+    "repository": "https://github.com/Daninet/hash-wasm"
   },
   {
     "name": "is-fullwidth-code-point",
@@ -511,7 +415,7 @@
   },
   {
     "name": "ldapts",
-    "version": "8.0.12",
+    "version": "8.1.3",
     "license": "MIT",
     "repository": "https://github.com/ldapts/ldapts"
   },
@@ -533,54 +437,12 @@
     "license": "MIT",
     "repository": "https://github.com/Rich-Harris/magic-string"
   },
-  {
-    "name": "mimic-response",
-    "version": "3.1.0",
-    "license": "MIT",
-    "repository": "https://github.com/sindresorhus/mimic-response"
-  },
-  {
-    "name": "minimist",
-    "version": "1.2.8",
-    "license": "MIT",
-    "repository": "https://github.com/minimistjs/minimist"
-  },
-  {
-    "name": "mkdirp-classic",
-    "version": "0.5.3",
-    "license": "MIT",
-    "repository": "https://github.com/mafintosh/mkdirp-classic"
-  },
-  {
-    "name": "ms",
-    "version": "2.1.3",
-    "license": "MIT",
-    "repository": "https://github.com/vercel/ms"
-  },
-  {
-    "name": "napi-build-utils",
-    "version": "2.0.0",
-    "license": "MIT",
-    "repository": "https://github.com/inspiredware/napi-build-utils"
-  },
-  {
-    "name": "node-abi",
-    "version": "3.85.0",
-    "license": "MIT",
-    "repository": "https://github.com/electron/node-abi"
-  },
   {
     "name": "nodemailer",
-    "version": "7.0.11",
+    "version": "7.0.12",
     "license": "MIT-0",
     "repository": "https://github.com/nodemailer/nodemailer"
   },
-  {
-    "name": "once",
-    "version": "1.4.0",
-    "license": "ISC",
-    "repository": "https://github.com/isaacs/once"
-  },
   {
     "name": "otpauth",
     "version": "9.4.1",
@@ -619,22 +481,10 @@
   },
   {
     "name": "postgres",
-    "version": "3.4.7",
+    "version": "3.4.8",
     "license": "Unlicense",
     "repository": "https://github.com/porsager/postgres"
   },
-  {
-    "name": "prebuild-install",
-    "version": "7.1.3",
-    "license": "MIT",
-    "repository": "https://github.com/prebuild/prebuild-install"
-  },
-  {
-    "name": "pump",
-    "version": "3.0.3",
-    "license": "MIT",
-    "repository": "https://github.com/mafintosh/pump"
-  },
   {
     "name": "punycode",
     "version": "2.3.1",
@@ -647,18 +497,6 @@
     "license": "MIT",
     "repository": "https://github.com/soldair/node-qrcode"
   },
-  {
-    "name": "rc",
-    "version": "1.2.8",
-    "license": "(BSD-2-Clause OR MIT OR Apache-2.0)",
-    "repository": "https://github.com/dominictarr/rc"
-  },
-  {
-    "name": "readable-stream",
-    "version": "3.6.2",
-    "license": "MIT",
-    "repository": "https://github.com/nodejs/readable-stream"
-  },
   {
     "name": "require-directory",
     "version": "2.1.1",
@@ -677,42 +515,12 @@
     "license": "MIT",
     "repository": "https://github.com/svecosystem/runed"
   },
-  {
-    "name": "safe-buffer",
-    "version": "5.2.1",
-    "license": "MIT",
-    "repository": "https://github.com/feross/safe-buffer"
-  },
-  {
-    "name": "safer-buffer",
-    "version": "2.1.2",
-    "license": "MIT",
-    "repository": "https://github.com/ChALkeR/safer-buffer"
-  },
-  {
-    "name": "semver",
-    "version": "7.7.3",
-    "license": "ISC",
-    "repository": "https://github.com/npm/node-semver"
-  },
   {
     "name": "set-blocking",
     "version": "2.0.0",
     "license": "ISC",
     "repository": "https://github.com/yargs/set-blocking"
   },
-  {
-    "name": "simple-concat",
-    "version": "1.0.1",
-    "license": "MIT",
-    "repository": "https://github.com/feross/simple-concat"
-  },
-  {
-    "name": "simple-get",
-    "version": "4.0.1",
-    "license": "MIT",
-    "repository": "https://github.com/feross/simple-get"
-  },
   {
     "name": "strict-event-emitter-types",
     "version": "2.0.0",
@@ -725,24 +533,12 @@
     "license": "MIT",
     "repository": "https://github.com/sindresorhus/string-width"
   },
-  {
-    "name": "string_decoder",
-    "version": "1.3.0",
-    "license": "MIT",
-    "repository": "https://github.com/nodejs/string_decoder"
-  },
   {
     "name": "strip-ansi",
     "version": "6.0.1",
     "license": "MIT",
     "repository": "https://github.com/chalk/strip-ansi"
   },
-  {
-    "name": "strip-json-comments",
-    "version": "2.0.1",
-    "license": "MIT",
-    "repository": "https://github.com/sindresorhus/strip-json-comments"
-  },
   {
     "name": "style-mod",
     "version": "4.1.3",
@@ -751,13 +547,13 @@
   },
   {
     "name": "svelte",
-    "version": "5.45.5",
+    "version": "5.46.3",
     "license": "MIT",
     "repository": "https://github.com/sveltejs/svelte"
   },
   {
     "name": "svelte-dnd-action",
-    "version": "0.9.68",
+    "version": "0.9.69",
     "license": "MIT",
     "repository": "https://github.com/isaacHagoel/svelte-dnd-action"
   },
@@ -767,48 +563,18 @@
     "license": "MIT",
     "repository": "https://github.com/wobsoriano/svelte-sonner"
   },
-  {
-    "name": "tar-fs",
-    "version": "2.1.4",
-    "license": "MIT",
-    "repository": "https://github.com/mafintosh/tar-fs"
-  },
-  {
-    "name": "tar-stream",
-    "version": "2.2.0",
-    "license": "MIT",
-    "repository": "https://github.com/mafintosh/tar-stream"
-  },
   {
     "name": "tr46",
     "version": "6.0.0",
     "license": "MIT",
     "repository": "https://github.com/jsdom/tr46"
   },
-  {
-    "name": "tunnel-agent",
-    "version": "0.6.0",
-    "license": "Apache-2.0",
-    "repository": "https://github.com/mikeal/tunnel-agent"
-  },
   {
     "name": "undici-types",
     "version": "7.16.0",
     "license": "MIT",
     "repository": "https://github.com/nodejs/undici"
   },
-  {
-    "name": "util-deprecate",
-    "version": "1.0.2",
-    "license": "MIT",
-    "repository": "https://github.com/TooTallNate/util-deprecate"
-  },
-  {
-    "name": "uuid",
-    "version": "13.0.0",
-    "license": "MIT",
-    "repository": "https://github.com/uuidjs/uuid"
-  },
   {
     "name": "w3c-keyname",
     "version": "2.2.8",
@@ -817,7 +583,7 @@
   },
   {
     "name": "webidl-conversions",
-    "version": "8.0.0",
+    "version": "8.0.1",
     "license": "BSD-2-Clause",
     "repository": "https://github.com/jsdom/webidl-conversions"
   },
@@ -839,12 +605,6 @@
     "license": "MIT",
     "repository": "https://github.com/chalk/wrap-ansi"
   },
-  {
-    "name": "wrappy",
-    "version": "1.0.2",
-    "license": "ISC",
-    "repository": "https://github.com/npm/wrappy"
-  },
   {
     "name": "y18n",
     "version": "4.0.3",
diff --git a/lib/hooks/is-mobile.svelte.ts b/src/lib/hooks/is-mobile.svelte.ts
similarity index 100%
rename from lib/hooks/is-mobile.svelte.ts
rename to src/lib/hooks/is-mobile.svelte.ts
diff --git a/lib/index.ts b/src/lib/index.ts
similarity index 100%
rename from lib/index.ts
rename to src/lib/index.ts
diff --git a/lib/server/audit-events.ts b/src/lib/server/audit-events.ts
similarity index 100%
rename from lib/server/audit-events.ts
rename to src/lib/server/audit-events.ts
diff --git a/lib/server/audit.ts b/src/lib/server/audit.ts
similarity index 100%
rename from lib/server/audit.ts
rename to src/lib/server/audit.ts
diff --git a/lib/server/auth.ts b/src/lib/server/auth.ts
similarity index 87%
rename from lib/server/auth.ts
rename to src/lib/server/auth.ts
index dd862bd..708fe86 100644
--- a/lib/server/auth.ts
+++ b/src/lib/server/auth.ts
@@ -9,8 +9,9 @@
  * - SameSite=Strict (CSRF protection)
  */
 
-import { randomBytes } from 'node:crypto';
 import os from 'node:os';
+import { secureRandomBytes, usingFallback } from './crypto-fallback';
+import { argon2id, argon2Verify } from 'hash-wasm';
 import type { Cookies } from '@sveltejs/kit';
 import {
 	getAuthSettings,
@@ -94,27 +95,62 @@ export interface LoginResult {
 }
 
 // ============================================
-// Password Hashing (Argon2id via Bun.password)
+// Password Hashing (Argon2id)
 // ============================================
 
+// Argon2id parameters (matching Bun.password defaults)
+const ARGON2_MEMORY_COST = 65536; // 64 MB in kibibytes
+const ARGON2_TIME_COST = 3;       // 3 iterations
+const ARGON2_PARALLELISM = 1;     // Single-threaded
+const ARGON2_HASH_LENGTH = 32;    // 256-bit output
+const ARGON2_SALT_LENGTH = 16;    // 128-bit salt
+
 /**
- * Hash a password using Argon2id via Bun's native password API
+ * Hash a password using Argon2id
+ *
+ * On modern kernels (>=3.17): Uses Bun's native password API (faster)
+ * On old kernels (<3.17): Uses hash-wasm (WASM-based, no getrandom dependency)
+ *
  * Argon2id is the recommended variant - resistant to both side-channel and GPU attacks
  */
 export async function hashPassword(password: string): Promise<string> {
+	// On old kernels, Bun.password.hash() crashes because it internally uses getrandom()
+	// Use hash-wasm as a fallback which is pure WASM and doesn't depend on the syscall
+	if (usingFallback()) {
+		const salt = secureRandomBytes(ARGON2_SALT_LENGTH);
+		return argon2id({
+			password,
+			salt,
+			iterations: ARGON2_TIME_COST,
+			parallelism: ARGON2_PARALLELISM,
+			memorySize: ARGON2_MEMORY_COST,
+			hashLength: ARGON2_HASH_LENGTH,
+			outputType: 'encoded'  // Returns PHC format: $argon2id$v=19$m=65536,t=3,p=1$...
+		});
+	}
+
+	// Modern kernels: use Bun's native implementation (faster)
 	return Bun.password.hash(password, {
 		algorithm: 'argon2id',
-		memoryCost: 65536, // 64 MB
-		timeCost: 3        // 3 iterations
+		memoryCost: ARGON2_MEMORY_COST,
+		timeCost: ARGON2_TIME_COST
 	});
 }
 
 /**
  * Verify a password against a hash
  * Uses constant-time comparison internally
+ *
+ * Both Bun.password and hash-wasm use the same PHC format, so hashes are compatible
  */
 export async function verifyPassword(password: string, hash: string): Promise<boolean> {
 	try {
+		// On old kernels, use hash-wasm for verification
+		if (usingFallback()) {
+			return await argon2Verify({ password, hash });
+		}
+
+		// Modern kernels: use Bun's native implementation
 		return await Bun.password.verify(password, hash);
 	} catch {
 		return false;
@@ -130,7 +166,7 @@ export async function verifyPassword(password: string, hash: string): Promise<bo
  * 32 bytes = 256 bits of entropy
  */
 function generateSessionToken(): string {
-	return randomBytes(32).toString('base64url');
+	return secureRandomBytes(32).toString('base64url');
 }
 
 /**
@@ -411,7 +447,7 @@ export async function authenticateLocal(
 
 	if (!user) {
 		// Use constant time to prevent timing attacks
-		await Bun.password.hash('dummy', { algorithm: 'argon2id' });
+		await hashPassword('dummy');
 		return { success: false, error: 'Invalid username or password' };
 	}
 
@@ -747,12 +783,70 @@ function getAttributeValue(entry: any, attribute: string): string | undefined {
 }
 
 // ============================================
-// MFA (TOTP)
+// MFA (TOTP) with Backup Codes
 // ============================================
 
 import * as OTPAuth from 'otpauth';
 import * as QRCode from 'qrcode';
 
+// MFA data stored in mfaSecret field as JSON
+interface MfaData {
+	secret: string;           // TOTP secret (base32)
+	backupCodes: string[];    // Hashed backup codes (unused ones)
+}
+
+/**
+ * Generate 10 random backup codes (8 characters each, alphanumeric)
+ */
+function generateBackupCodes(): string[] {
+	const codes: string[] = [];
+	const chars = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // Removed confusable chars: 0, O, 1, I
+	for (let i = 0; i < 10; i++) {
+		let code = '';
+		for (let j = 0; j < 8; j++) {
+			code += chars.charAt(Math.floor(Math.random() * chars.length));
+		}
+		codes.push(code);
+	}
+	return codes;
+}
+
+/**
+ * Hash a backup code for storage
+ */
+async function hashBackupCode(code: string): Promise<string> {
+	// Normalize: uppercase, remove spaces and dashes
+	const normalized = code.toUpperCase().replace(/[\s-]/g, '');
+	const hasher = new Bun.CryptoHasher('sha256');
+	hasher.update(normalized);
+	return hasher.digest('hex');
+}
+
+/**
+ * Parse MFA data from database field
+ */
+function parseMfaData(mfaSecret: string | null | undefined): MfaData | null {
+	if (!mfaSecret) return null;
+
+	try {
+		// Try parsing as JSON first (new format)
+		const parsed = JSON.parse(mfaSecret);
+		if (parsed && typeof parsed.secret === 'string') {
+			return {
+				secret: parsed.secret,
+				backupCodes: parsed.backupCodes || []
+			};
+		}
+	} catch {
+		// Legacy format: plain base32 secret string
+		return {
+			secret: mfaSecret,
+			backupCodes: []
+		};
+	}
+	return null;
+}
+
 /**
  * Generate MFA secret and QR code for setup
  */
@@ -787,18 +881,24 @@ export async function generateMfaSetup(userId: number): Promise<{
 		margin: 2
 	});
 
-	// Store secret temporarily (user must verify before it's enabled)
-	await updateUser(userId, { mfaSecret: secretBase32 });
+	// Store secret temporarily as JSON (user must verify before it's enabled)
+	// Backup codes will be generated after verification
+	const mfaData: MfaData = { secret: secretBase32, backupCodes: [] };
+	await updateUser(userId, { mfaSecret: JSON.stringify(mfaData) });
 
 	return { secret: secretBase32, qrDataUrl };
 }
 
 /**
  * Verify MFA token and enable MFA if valid
+ * Returns backup codes on success (shown only once)
  */
-export async function verifyAndEnableMfa(userId: number, token: string): Promise<boolean> {
+export async function verifyAndEnableMfa(userId: number, token: string): Promise<{ success: false } | { success: true; backupCodes: string[] }> {
 	const user = await getUser(userId);
-	if (!user || !user.mfaSecret) return false;
+	if (!user || !user.mfaSecret) return { success: false };
+
+	const mfaData = parseMfaData(user.mfaSecret);
+	if (!mfaData) return { success: false };
 
 	const totp = new OTPAuth.TOTP({
 		issuer: 'Dockhand',
@@ -806,35 +906,74 @@ export async function verifyAndEnableMfa(userId: number, token: string): Promise
 		algorithm: 'SHA1',
 		digits: 6,
 		period: 30,
-		secret: OTPAuth.Secret.fromBase32(user.mfaSecret)
+		secret: OTPAuth.Secret.fromBase32(mfaData.secret)
 	});
 
 	const delta = totp.validate({ token, window: 1 });
-	if (delta === null) return false;
+	if (delta === null) return { success: false };
 
-	// Enable MFA
-	await updateUser(userId, { mfaEnabled: true });
-	return true;
+	// Generate backup codes
+	const plainBackupCodes = generateBackupCodes();
+	const hashedBackupCodes = await Promise.all(plainBackupCodes.map(hashBackupCode));
+
+	// Update MFA data with hashed backup codes and enable MFA
+	const updatedMfaData: MfaData = {
+		secret: mfaData.secret,
+		backupCodes: hashedBackupCodes
+	};
+	await updateUser(userId, {
+		mfaEnabled: true,
+		mfaSecret: JSON.stringify(updatedMfaData)
+	});
+
+	// Return plain backup codes (shown only once)
+	return { success: true, backupCodes: plainBackupCodes };
 }
 
 /**
- * Verify MFA token during login
+ * Verify MFA token during login (accepts TOTP code or backup code)
  */
 export async function verifyMfaToken(userId: number, token: string): Promise<boolean> {
 	const user = await getUser(userId);
 	if (!user || !user.mfaEnabled || !user.mfaSecret) return false;
 
+	const mfaData = parseMfaData(user.mfaSecret);
+	if (!mfaData) return false;
+
+	// First, try TOTP verification
 	const totp = new OTPAuth.TOTP({
 		issuer: 'Dockhand',
 		label: user.username,
 		algorithm: 'SHA1',
 		digits: 6,
 		period: 30,
-		secret: OTPAuth.Secret.fromBase32(user.mfaSecret)
+		secret: OTPAuth.Secret.fromBase32(mfaData.secret)
 	});
 
 	const delta = totp.validate({ token, window: 1 });
-	return delta !== null;
+	if (delta !== null) return true;
+
+	// If TOTP fails, try backup code
+	if (mfaData.backupCodes && mfaData.backupCodes.length > 0) {
+		const hashedInput = await hashBackupCode(token);
+		const codeIndex = mfaData.backupCodes.indexOf(hashedInput);
+
+		if (codeIndex !== -1) {
+			// Remove used backup code
+			const updatedBackupCodes = [...mfaData.backupCodes];
+			updatedBackupCodes.splice(codeIndex, 1);
+
+			const updatedMfaData: MfaData = {
+				secret: mfaData.secret,
+				backupCodes: updatedBackupCodes
+			};
+			await updateUser(userId, { mfaSecret: JSON.stringify(updatedMfaData) });
+
+			return true;
+		}
+	}
+
+	return false;
 }
 
 /**
@@ -1024,7 +1163,7 @@ async function getOidcDiscovery(issuerUrl: string): Promise<OidcDiscoveryDocumen
  * Generate PKCE code verifier and challenge
  */
 function generatePkce(): { codeVerifier: string; codeChallenge: string } {
-	const codeVerifier = randomBytes(32).toString('base64url');
+	const codeVerifier = secureRandomBytes(32).toString('base64url');
 	const hasher = new Bun.CryptoHasher('sha256');
 	hasher.update(codeVerifier);
 	const codeChallenge = hasher.digest('base64url') as string;
@@ -1047,8 +1186,8 @@ export async function buildOidcAuthorizationUrl(
 		const discovery = await getOidcDiscovery(config.issuerUrl);
 
 		// Generate state, nonce, and PKCE
-		const state = randomBytes(32).toString('base64url');
-		const nonce = randomBytes(16).toString('base64url');
+		const state = secureRandomBytes(32).toString('base64url');
+		const nonce = secureRandomBytes(16).toString('base64url');
 		const { codeVerifier, codeChallenge } = generatePkce();
 
 		// Store state for callback verification (expires in 10 minutes)
diff --git a/lib/server/authorize.ts b/src/lib/server/authorize.ts
similarity index 100%
rename from lib/server/authorize.ts
rename to src/lib/server/authorize.ts
diff --git a/src/lib/server/crypto-fallback.ts b/src/lib/server/crypto-fallback.ts
new file mode 100644
index 0000000..3d4afb4
--- /dev/null
+++ b/src/lib/server/crypto-fallback.ts
@@ -0,0 +1,199 @@
+/**
+ * Crypto Fallback for Old Linux Kernels
+ *
+ * The getrandom() syscall was added in Linux 3.17. On older kernels (like 3.10.x),
+ * Bun's built-in crypto functions will fail with "getrandom() failed to provide entropy".
+ *
+ * This module provides fallback implementations that read from /dev/urandom directly
+ * when running on kernels older than 3.17.
+ */
+
+import { existsSync, openSync, readSync, closeSync } from 'node:fs';
+import os from 'node:os';
+
+// Cache kernel version check result
+let needsFallback: boolean | null = null;
+let fallbackInitialized = false;
+
+/**
+ * Parse Linux kernel version string (e.g., "3.10.108" -> { major: 3, minor: 10, patch: 108 })
+ */
+function parseKernelVersion(release: string): { major: number; minor: number; patch: number } | null {
+	const match = release.match(/^(\d+)\.(\d+)\.(\d+)/);
+	if (!match) return null;
+	return {
+		major: parseInt(match[1], 10),
+		minor: parseInt(match[2], 10),
+		patch: parseInt(match[3], 10)
+	};
+}
+
+/**
+ * Check if kernel version is older than 3.17 (when getrandom() was added)
+ */
+function isOldKernel(): boolean {
+	const release = os.release();
+	const version = parseKernelVersion(release);
+
+	if (!version) {
+		// Can't parse version, assume modern kernel
+		return false;
+	}
+
+	// getrandom() was added in Linux 3.17
+	if (version.major < 3) return true;
+	if (version.major === 3 && version.minor < 17) return true;
+
+	return false;
+}
+
+/**
+ * Check if we're on Linux (only Linux has kernel version concerns)
+ */
+function isLinux(): boolean {
+	return os.platform() === 'linux';
+}
+
+/**
+ * Determine if we need to use the fallback (cached)
+ */
+function checkNeedsFallback(): boolean {
+	if (needsFallback !== null) return needsFallback;
+
+	if (!isLinux()) {
+		needsFallback = false;
+		return false;
+	}
+
+	const oldKernel = isOldKernel();
+	if (oldKernel) {
+		console.log(`[Crypto] Detected old Linux kernel (${os.release()}), using /dev/urandom fallback`);
+		needsFallback = true;
+	} else {
+		needsFallback = false;
+	}
+
+	return needsFallback;
+}
+
+/**
+ * Read random bytes from /dev/urandom (synchronous)
+ */
+function readFromUrandom(size: number): Buffer {
+	const buffer = Buffer.alloc(size);
+	const fd = openSync('/dev/urandom', 'r');
+	try {
+		readSync(fd, buffer, 0, size, null);
+	} finally {
+		closeSync(fd);
+	}
+	return buffer;
+}
+
+/**
+ * Initialize the crypto fallback - call this early at startup
+ * Returns true if fallback is needed, false otherwise
+ */
+export function initCryptoFallback(): boolean {
+	if (fallbackInitialized) return needsFallback ?? false;
+
+	const release = os.release();
+	const platform = os.platform();
+	const useFallback = checkNeedsFallback();
+
+	if (useFallback) {
+		console.log(`[Crypto] Kernel: ${release} (old kernel detected, using /dev/urandom fallback)`);
+
+		// Verify /dev/urandom exists
+		if (!existsSync('/dev/urandom')) {
+			console.error('[Crypto] FATAL: /dev/urandom not found, cannot provide entropy');
+			throw new Error('/dev/urandom not available');
+		}
+
+		// Test that we can read from it
+		try {
+			const testBytes = readFromUrandom(8);
+			if (testBytes.length !== 8) {
+				throw new Error('Failed to read expected bytes');
+			}
+			console.log('[Crypto] /dev/urandom fallback initialized successfully');
+		} catch (err) {
+			console.error('[Crypto] FATAL: Failed to read from /dev/urandom:', err);
+			throw err;
+		}
+	} else {
+		console.log(`[Crypto] Kernel: ${platform === 'linux' ? release : platform} (using native crypto)`);
+	}
+
+	fallbackInitialized = true;
+	return useFallback;
+}
+
+/**
+ * Generate cryptographically secure random bytes
+ * Uses /dev/urandom on old kernels, native crypto otherwise
+ */
+export function secureRandomBytes(size: number): Buffer {
+	if (checkNeedsFallback()) {
+		return readFromUrandom(size);
+	}
+
+	// Use native crypto on modern kernels
+	const { randomBytes } = require('node:crypto');
+	return randomBytes(size);
+}
+
+/**
+ * Fill a Uint8Array with cryptographically secure random values
+ * Compatible with crypto.getRandomValues() API
+ */
+export function secureGetRandomValues<T extends ArrayBufferView>(array: T): T {
+	if (checkNeedsFallback()) {
+		const bytes = readFromUrandom(array.byteLength);
+		const target = new Uint8Array(array.buffer, array.byteOffset, array.byteLength);
+		target.set(bytes);
+		return array;
+	}
+
+	// Use native crypto on modern kernels
+	return crypto.getRandomValues(array);
+}
+
+/**
+ * Generate a random UUID (v4)
+ * Compatible with crypto.randomUUID() API
+ */
+export function secureRandomUUID(): string {
+	if (checkNeedsFallback()) {
+		// Generate 16 random bytes
+		const bytes = readFromUrandom(16);
+
+		// Set version (4) and variant (RFC 4122)
+		bytes[6] = (bytes[6] & 0x0f) | 0x40; // Version 4
+		bytes[8] = (bytes[8] & 0x3f) | 0x80; // Variant 10
+
+		// Convert to UUID string
+		const hex = bytes.toString('hex');
+		return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20, 32)}`;
+	}
+
+	// Use native crypto on modern kernels
+	return crypto.randomUUID();
+}
+
+/**
+ * Check if running on an old kernel that needs the fallback
+ */
+export function usingFallback(): boolean {
+	return checkNeedsFallback();
+}
+
+/**
+ * Get kernel version info (useful for diagnostics)
+ */
+export function getKernelInfo(): { release: string; needsFallback: boolean } {
+	return {
+		release: os.release(),
+		needsFallback: checkNeedsFallback()
+	};
+}
diff --git a/lib/server/db.ts b/src/lib/server/db.ts
similarity index 95%
rename from lib/server/db.ts
rename to src/lib/server/db.ts
index fd2225c..cc2971b 100644
--- a/lib/server/db.ts
+++ b/src/lib/server/db.ts
@@ -125,6 +125,11 @@ export async function getEnvironment(id: number): Promise<Environment | undefine
 	return results[0];
 }
 
+export async function getEnvironmentByName(name: string): Promise<Environment | undefined> {
+	const results = await db.select().from(environments).where(eq(environments.name, name));
+	return results[0];
+}
+
 export async function createEnvironment(env: Omit<Environment, 'id' | 'createdAt' | 'updatedAt'>): Promise<Environment> {
 	const result = await db.insert(environments).values({
 		name: env.name,
@@ -156,6 +161,7 @@ export async function updateEnvironment(id: number, env: Partial<Environment>):
 	if (env.tlsCa !== undefined) updateData.tlsCa = env.tlsCa;
 	if (env.tlsCert !== undefined) updateData.tlsCert = env.tlsCert;
 	if (env.tlsKey !== undefined) updateData.tlsKey = env.tlsKey;
+	if (env.tlsSkipVerify !== undefined) updateData.tlsSkipVerify = env.tlsSkipVerify;
 	if (env.icon !== undefined) updateData.icon = env.icon;
 	if (env.socketPath !== undefined) updateData.socketPath = env.socketPath;
 	if (env.collectActivity !== undefined) updateData.collectActivity = env.collectActivity;
@@ -808,6 +814,7 @@ export interface SmtpConfig {
 	from_email: string;
 	from_name?: string;
 	to_emails: string[];
+	skipTlsVerify?: boolean; // Skip TLS certificate verification (useful for self-signed certs)
 }
 
 export interface AppriseConfig {
@@ -2485,6 +2492,8 @@ export interface StackSourceData {
 	sourceType: StackSourceType;
 	gitRepositoryId: number | null;
 	gitStackId: number | null;
+	composePath: string | null;
+	envPath: string | null;
 	createdAt: string;
 	updatedAt: string;
 }
@@ -2525,9 +2534,10 @@ export async function getStackSource(stackName: string, environmentId?: number |
 
 export async function getStackSources(environmentId?: number | null): Promise<StackSourceWithRepo[]> {
 	let results;
-	if (environmentId !== undefined) {
+	if (environmentId !== undefined && environmentId !== null) {
+		// Only get stacks for the specific environment
 		results = await db.select().from(stackSources)
-			.where(or(eq(stackSources.environmentId, environmentId), isNull(stackSources.environmentId)))
+			.where(eq(stackSources.environmentId, environmentId))
 			.orderBy(asc(stackSources.stackName));
 	} else {
 		results = await db.select().from(stackSources).orderBy(asc(stackSources.stackName));
@@ -2561,6 +2571,8 @@ export async function upsertStackSource(data: {
 	sourceType: StackSourceType;
 	gitRepositoryId?: number | null;
 	gitStackId?: number | null;
+	composePath?: string | null;
+	envPath?: string | null;
 }): Promise<StackSourceData> {
 	const existing = await getStackSource(data.stackName, data.environmentId);
 
@@ -2570,6 +2582,8 @@ export async function upsertStackSource(data: {
 				sourceType: data.sourceType,
 				gitRepositoryId: data.gitRepositoryId || null,
 				gitStackId: data.gitStackId || null,
+				composePath: data.composePath ?? null,
+				envPath: data.envPath ?? null,
 				updatedAt: new Date().toISOString()
 			})
 			.where(eq(stackSources.id, existing.id));
@@ -2580,12 +2594,33 @@ export async function upsertStackSource(data: {
 			environmentId: data.environmentId ?? null,
 			sourceType: data.sourceType,
 			gitRepositoryId: data.gitRepositoryId || null,
-			gitStackId: data.gitStackId || null
+			gitStackId: data.gitStackId || null,
+			composePath: data.composePath ?? null,
+			envPath: data.envPath ?? null
 		});
 		return getStackSource(data.stackName, data.environmentId) as Promise<StackSourceData>;
 	}
 }
 
+export async function updateStackSource(
+	stackName: string,
+	environmentId: number | null,
+	updates: { composePath?: string | null; envPath?: string | null }
+): Promise<boolean> {
+	const existing = await getStackSource(stackName, environmentId);
+	if (!existing) return false;
+
+	await db.update(stackSources)
+		.set({
+			composePath: updates.composePath !== undefined ? updates.composePath : existing.composePath,
+			envPath: updates.envPath !== undefined ? updates.envPath : existing.envPath,
+			updatedAt: new Date().toISOString()
+		})
+		.where(eq(stackSources.id, existing.id));
+
+	return true;
+}
+
 export async function deleteStackSource(stackName: string, environmentId?: number | null): Promise<boolean> {
 	// Delete matching record (either with specific envId or NULL)
 	await db.delete(stackSources)
@@ -3081,10 +3116,8 @@ export interface ContainerEventResult {
 }
 
 export async function logContainerEvent(data: ContainerEventCreateData): Promise<ContainerEventData> {
-	// Timestamp is always a string with nanosecond precision (stored as text in both SQLite and PostgreSQL)
-	// For PostgreSQL, we convert to Date since the schema uses native timestamp type
-	const timestamp = isPostgres ? new Date(data.timestamp) : data.timestamp;
-
+	// Timestamp is already an ISO-8601 string from event-subprocess
+	// Both SQLite and PostgreSQL schemas use mode: 'string' so we pass it directly
 	const result = await db.insert(containerEvents).values({
 		environmentId: data.environmentId ?? null,
 		containerId: data.containerId,
@@ -3092,7 +3125,7 @@ export async function logContainerEvent(data: ContainerEventCreateData): Promise
 		image: data.image ?? null,
 		action: data.action,
 		actorAttributes: data.actorAttributes ? JSON.stringify(data.actorAttributes) : null,
-		timestamp
+		timestamp: data.timestamp
 	}).returning();
 
 	return getContainerEvent(result[0].id) as Promise<ContainerEventData>;
@@ -3894,6 +3927,73 @@ export async function setEventCleanupEnabled(enabled: boolean): Promise<void> {
 	}
 }
 
+// =============================================================================
+// EXTERNAL STACK PATHS
+// =============================================================================
+
+const EXTERNAL_STACK_PATHS_KEY = 'external_stack_paths';
+
+export async function getExternalStackPaths(): Promise<string[]> {
+	const result = await db.select().from(settings).where(eq(settings.key, EXTERNAL_STACK_PATHS_KEY));
+	if (result[0]) {
+		try {
+			const parsed = JSON.parse(result[0].value);
+			return Array.isArray(parsed) ? parsed : [];
+		} catch {
+			return [];
+		}
+	}
+	return [];
+}
+
+export async function setExternalStackPaths(paths: string[]): Promise<void> {
+	const jsonValue = JSON.stringify(paths);
+	const existing = await db.select().from(settings).where(eq(settings.key, EXTERNAL_STACK_PATHS_KEY));
+	if (existing.length > 0) {
+		await db.update(settings)
+			.set({ value: jsonValue, updatedAt: new Date().toISOString() })
+			.where(eq(settings.key, EXTERNAL_STACK_PATHS_KEY));
+	} else {
+		await db.insert(settings).values({
+			key: EXTERNAL_STACK_PATHS_KEY,
+			value: jsonValue
+		});
+	}
+}
+
+// =============================================================================
+// PRIMARY STACK LOCATION
+// =============================================================================
+
+const PRIMARY_STACK_LOCATION_KEY = 'primary_stack_location';
+
+export async function getPrimaryStackLocation(): Promise<string | null> {
+	const result = await db.select().from(settings).where(eq(settings.key, PRIMARY_STACK_LOCATION_KEY));
+	if (result[0]?.value) {
+		return result[0].value;
+	}
+	return null;
+}
+
+export async function setPrimaryStackLocation(path: string | null): Promise<void> {
+	const existing = await db.select().from(settings).where(eq(settings.key, PRIMARY_STACK_LOCATION_KEY));
+	if (path === null) {
+		// Delete the setting if path is null
+		if (existing.length > 0) {
+			await db.delete(settings).where(eq(settings.key, PRIMARY_STACK_LOCATION_KEY));
+		}
+	} else if (existing.length > 0) {
+		await db.update(settings)
+			.set({ value: path, updatedAt: new Date().toISOString() })
+			.where(eq(settings.key, PRIMARY_STACK_LOCATION_KEY));
+	} else {
+		await db.insert(settings).values({
+			key: PRIMARY_STACK_LOCATION_KEY,
+			value: path
+		});
+	}
+}
+
 // =============================================================================
 // ENVIRONMENT UPDATE CHECK SETTINGS
 // =============================================================================
@@ -3986,6 +4086,66 @@ export async function setDefaultTimezone(timezone: string): Promise<void> {
 	await setSetting('default_timezone', timezone);
 }
 
+// =============================================================================
+// BACKGROUND MONITORING SETTINGS
+// =============================================================================
+
+/**
+ * Get event collection mode ('stream' or 'poll').
+ * Defaults to 'stream' for real-time event streaming.
+ */
+export async function getEventCollectionMode(): Promise<'stream' | 'poll'> {
+	const value = await getSetting('event_collection_mode');
+	return value || 'stream';
+}
+
+/**
+ * Set event collection mode.
+ */
+export async function setEventCollectionMode(mode: 'stream' | 'poll'): Promise<void> {
+	await setSetting('event_collection_mode', mode);
+}
+
+/**
+ * Get event poll interval in milliseconds.
+ * Defaults to 60000ms (60 seconds).
+ */
+export async function getEventPollInterval(): Promise<number> {
+	const value = await getSetting('event_poll_interval');
+	return value || 60000;
+}
+
+/**
+ * Set event poll interval in milliseconds.
+ * Valid range: 30000ms (30s) to 300000ms (5min).
+ */
+export async function setEventPollInterval(interval: number): Promise<void> {
+	if (interval < 30000 || interval > 300000) {
+		throw new Error('Event poll interval must be between 30s and 300s');
+	}
+	await setSetting('event_poll_interval', interval);
+}
+
+/**
+ * Get metrics collection interval in milliseconds.
+ * Defaults to 30000ms (30 seconds) - changed from hardcoded 10s.
+ */
+export async function getMetricsCollectionInterval(): Promise<number> {
+	const value = await getSetting('metrics_collection_interval');
+	return value || 30000;
+}
+
+/**
+ * Set metrics collection interval in milliseconds.
+ * Valid range: 10000ms (10s) to 300000ms (5min).
+ */
+export async function setMetricsCollectionInterval(interval: number): Promise<void> {
+	if (interval < 10000 || interval > 300000) {
+		throw new Error('Metrics collection interval must be between 10s and 300s');
+	}
+	await setSetting('metrics_collection_interval', interval);
+}
+
 // =============================================================================
 // STACK ENVIRONMENT VARIABLES OPERATIONS
 // =============================================================================
@@ -4062,6 +4222,39 @@ export async function getStackEnvVarsAsRecord(
 	return Object.fromEntries(vars.map(v => [v.key, v.value]));
 }
 
+/**
+ * Get only SECRET environment variables as a key-value record (for shell injection).
+ * Returns unmasked real values - used to inject secrets via shell environment at runtime.
+ * These secrets are NEVER written to .env files on disk.
+ * @param stackName - Name of the stack
+ * @param environmentId - Optional environment ID
+ */
+export async function getSecretEnvVarsAsRecord(
+	stackName: string,
+	environmentId?: number | null
+): Promise<Record<string, string>> {
+	const vars = await getStackEnvVars(stackName, environmentId, false);
+	return Object.fromEntries(
+		vars.filter(v => v.isSecret).map(v => [v.key, v.value])
+	);
+}
+
+/**
+ * Get only NON-SECRET environment variables as a key-value record.
+ * Used for .env file operations where secrets should be excluded.
+ * @param stackName - Name of the stack
+ * @param environmentId - Optional environment ID
+ */
+export async function getNonSecretEnvVarsAsRecord(
+	stackName: string,
+	environmentId?: number | null
+): Promise<Record<string, string>> {
+	const vars = await getStackEnvVars(stackName, environmentId, false);
+	return Object.fromEntries(
+		vars.filter(v => !v.isSecret).map(v => [v.key, v.value])
+	);
+}
+
 /**
  * Set/replace all environment variables for a stack.
  * Deletes existing vars and inserts new ones in a transaction-like manner.
diff --git a/lib/server/db/connection.ts b/src/lib/server/db/connection.ts
similarity index 100%
rename from lib/server/db/connection.ts
rename to src/lib/server/db/connection.ts
diff --git a/lib/server/db/drizzle.ts b/src/lib/server/db/drizzle.ts
similarity index 99%
rename from lib/server/db/drizzle.ts
rename to src/lib/server/db/drizzle.ts
index a1e08d3..8eb7eeb 100644
--- a/lib/server/db/drizzle.ts
+++ b/src/lib/server/db/drizzle.ts
@@ -604,21 +604,21 @@ async function initializeDatabase() {
 	logHeader('DATABASE INITIALIZATION');
 
 	if (isPostgres) {
-		// PostgreSQL via Bun.sql
+		// PostgreSQL via postgres-js (more stable than bun:sql for concurrent queries)
 		validatePostgresUrl(config.databaseUrl!);
 
 		logInfo(`Database: PostgreSQL`);
 		logInfo(`Connection: ${maskPassword(config.databaseUrl!)}`);
 
-		const { drizzle } = await import('drizzle-orm/bun-sql');
-		const { SQL } = await import('bun');
+		const { drizzle } = await import('drizzle-orm/postgres-js');
+		const postgres = (await import('postgres')).default;
 
 		// Import PostgreSQL schema
 		schema = await import('./schema/pg-schema.js');
 
 		if (verbose) logStep('Connecting to PostgreSQL...');
 		try {
-			rawClient = new SQL(config.databaseUrl!);
+			rawClient = postgres(config.databaseUrl!);
 			db = drizzle({ client: rawClient, schema });
 			logSuccess('PostgreSQL connection established');
 		} catch (error) {
diff --git a/lib/server/db/schema/index.ts b/src/lib/server/db/schema/index.ts
similarity index 98%
rename from lib/server/db/schema/index.ts
rename to src/lib/server/db/schema/index.ts
index 8f78d85..274531e 100644
--- a/lib/server/db/schema/index.ts
+++ b/src/lib/server/db/schema/index.ts
@@ -181,7 +181,7 @@ export const users = sqliteTable('users', {
 	avatar: text('avatar'),
 	authProvider: text('auth_provider').default('local'), // e.g., 'local', 'oidc:Keycloak', 'ldap:AD'
 	mfaEnabled: integer('mfa_enabled', { mode: 'boolean' }).default(false),
-	mfaSecret: text('mfa_secret'),
+	mfaSecret: text('mfa_secret'), // JSON: { secret: string, backupCodes: string[] }
 	isActive: integer('is_active', { mode: 'boolean' }).default(true),
 	lastLogin: text('last_login'),
 	createdAt: text('created_at').default(sql`CURRENT_TIMESTAMP`),
@@ -332,6 +332,8 @@ export const stackSources = sqliteTable('stack_sources', {
 	sourceType: text('source_type').notNull().default('internal'),
 	gitRepositoryId: integer('git_repository_id').references(() => gitRepositories.id, { onDelete: 'set null' }),
 	gitStackId: integer('git_stack_id').references(() => gitStacks.id, { onDelete: 'set null' }),
+	composePath: text('compose_path'), // Custom path to compose file (for stacks with non-default location)
+	envPath: text('env_path'), // Custom path to .env file (for stacks with non-default location)
 	createdAt: text('created_at').default(sql`CURRENT_TIMESTAMP`),
 	updatedAt: text('updated_at').default(sql`CURRENT_TIMESTAMP`)
 }, (table) => ({
diff --git a/lib/server/db/schema/pg-schema.ts b/src/lib/server/db/schema/pg-schema.ts
similarity index 98%
rename from lib/server/db/schema/pg-schema.ts
rename to src/lib/server/db/schema/pg-schema.ts
index 8533357..2aad1ca 100644
--- a/lib/server/db/schema/pg-schema.ts
+++ b/src/lib/server/db/schema/pg-schema.ts
@@ -184,7 +184,7 @@ export const users = pgTable('users', {
 	avatar: text('avatar'),
 	authProvider: text('auth_provider').default('local'), // e.g., 'local', 'oidc:Keycloak', 'ldap:AD'
 	mfaEnabled: boolean('mfa_enabled').default(false),
-	mfaSecret: text('mfa_secret'),
+	mfaSecret: text('mfa_secret'), // JSON: { secret: string, backupCodes: string[] }
 	isActive: boolean('is_active').default(true),
 	lastLogin: timestamp('last_login', { mode: 'string' }),
 	createdAt: timestamp('created_at', { mode: 'string' }).defaultNow(),
@@ -335,6 +335,8 @@ export const stackSources = pgTable('stack_sources', {
 	sourceType: text('source_type').notNull().default('internal'),
 	gitRepositoryId: integer('git_repository_id').references(() => gitRepositories.id, { onDelete: 'set null' }),
 	gitStackId: integer('git_stack_id').references(() => gitStacks.id, { onDelete: 'set null' }),
+	composePath: text('compose_path'), // Custom path to compose file (for stacks with non-default location)
+	envPath: text('env_path'), // Custom path to .env file (for stacks with non-default location)
 	createdAt: timestamp('created_at', { mode: 'string' }).defaultNow(),
 	updatedAt: timestamp('updated_at', { mode: 'string' }).defaultNow()
 }, (table) => ({
diff --git a/lib/server/docker.ts b/src/lib/server/docker.ts
similarity index 94%
rename from lib/server/docker.ts
rename to src/lib/server/docker.ts
index f16d1d5..fbe94e0 100644
--- a/lib/server/docker.ts
+++ b/src/lib/server/docker.ts
@@ -103,6 +103,7 @@ export interface ContainerInspectResult {
 		Hostname: string;
 		User: string;
 		Tty: boolean;
+		OpenStdin: boolean;
 		Env: string[];
 		Cmd: string[];
 		Image: string;
@@ -469,13 +470,16 @@ export async function dockerFetch(
 				streaming ? 300000 : 30000 // 5 min for streaming, 30s for normal requests
 			);
 			const elapsed = Date.now() - startTime;
-			if (elapsed > 5000) {
+			// Only warn for slow requests, but skip /stats which is expected to be slow (5-10s)
+			if (elapsed > 5000 && !path.includes('/stats')) {
 				console.warn(`[Docker] Edge env ${config.environmentId}: ${method} ${path} took ${elapsed}ms`);
 			}
 			return edgeResponseToResponse(edgeResponse);
-		} catch (error) {
+		} catch (error: any) {
 			const elapsed = Date.now() - startTime;
-			console.error(`[Docker] Edge env ${config.environmentId}: ${method} ${path} failed after ${elapsed}ms:`, error);
+			// Log error message only, not full stack trace
+			const msg = error?.message || String(error);
+			console.error(`[Docker] Edge env ${config.environmentId}: ${method} ${path} failed after ${elapsed}ms: ${msg}`);
 			throw DockerConnectionError.fromError(error);
 		}
 	}
@@ -491,13 +495,16 @@ export async function dockerFetch(
 				...bunOptions
 			});
 			const elapsed = Date.now() - startTime;
-			if (elapsed > 5000) {
+			// Only warn for slow requests, but skip /stats which is expected to be slow (5-10s)
+			if (elapsed > 5000 && !path.includes('/stats')) {
 				console.warn(`[Docker] Socket: ${method} ${path} took ${elapsed}ms`);
 			}
 			return response;
-		} catch (error) {
+		} catch (error: any) {
 			const elapsed = Date.now() - startTime;
-			console.error(`[Docker] Socket: ${method} ${path} failed after ${elapsed}ms:`, error);
+			// Log error message only, not full stack trace
+			const msg = error?.message || String(error);
+			console.error(`[Docker] Socket: ${method} ${path} failed after ${elapsed}ms: ${msg}`);
 			throw DockerConnectionError.fromError(error);
 		}
 	} else {
@@ -516,21 +523,30 @@ export async function dockerFetch(
 		}
 
 		// For HTTPS with TLS certificates, we need to configure TLS
-		// IMPORTANT: Bun requires certificates as Buffer objects, not strings
+		// Pass certificate strings directly to Bun's fetch - no temp files needed
 		if (config.type === 'https') {
 			const tlsOptions: Record<string, unknown> = {};
 
-			// CA certificate - must be array of Buffers for Bun
+			// DISABLE TLS SESSION CACHING: Bun reuses TLS sessions across different hosts,
+			// which causes client certificate mismatches in mTLS scenarios. By setting
+			// sessionTimeout to 0, we force a fresh TLS handshake for every connection.
+			tlsOptions.sessionTimeout = 0;
+
+			// Set explicit servername for SNI - helps isolate TLS contexts per host
+			tlsOptions.servername = config.host;
+
+			// Load CA certificate (just this environment's CA, not composite)
+			// The sessionTimeout=0 should prevent session reuse across hosts
 			if (config.ca) {
-				tlsOptions.ca = [Buffer.from(config.ca)];
+				tlsOptions.ca = [config.ca];
 			}
 
-			// Client certificate and key for mTLS - must be Buffers
+			// Client cert and key for mTLS authentication
 			if (config.cert) {
-				tlsOptions.cert = Buffer.from(config.cert);
+				tlsOptions.cert = [config.cert];
 			}
 			if (config.key) {
-				tlsOptions.key = Buffer.from(config.key);
+				tlsOptions.key = config.key;
 			}
 
 			// Skip verification (self-signed without CA)
@@ -541,8 +557,27 @@ export async function dockerFetch(
 			}
 
 			if (Object.keys(tlsOptions).length > 0) {
-				// @ts-ignore - Bun supports tls options with Buffer certs
+				// @ts-ignore - Bun supports tls options with string certs
 				finalOptions.tls = tlsOptions;
+				// Force new connection for each request to prevent Bun from reusing
+				// a TLS session with wrong client certificates (pool key doesn't include certs)
+				// @ts-ignore - Bun supports keepalive option
+				finalOptions.keepalive = false;
+			}
+
+			// Explicitly close connection to prevent TLS session reuse issues
+			// But only for non-streaming requests (logs, events, exec need keep-alive)
+			if (!streaming) {
+				finalOptions.headers = {
+					...finalOptions.headers,
+					'Connection': 'close'
+				};
+			}
+
+			// Optional verbose TLS debugging
+			if (process.env.DEBUG_TLS) {
+				// @ts-ignore - Bun-specific verbose option
+				finalOptions.verbose = true;
 			}
 		}
 
@@ -550,13 +585,16 @@ export async function dockerFetch(
 		try {
 			const response = await fetch(url, { ...finalOptions, ...bunOptions });
 			const elapsed = Date.now() - startTime;
-			if (elapsed > 5000) {
+			// Only warn for slow requests, but skip /stats which is expected to be slow (5-10s)
+			if (elapsed > 5000 && !path.includes('/stats')) {
 				console.warn(`[Docker] ${config.connectionType || 'direct'} ${config.host}: ${method} ${path} took ${elapsed}ms`);
 			}
 			return response;
-		} catch (error) {
+		} catch (error: any) {
 			const elapsed = Date.now() - startTime;
-			console.error(`[Docker] ${config.connectionType || 'direct'} ${config.host}: ${method} ${path} failed after ${elapsed}ms:`, error);
+			// Log error message only, not full stack trace
+			const msg = error?.message || String(error);
+			console.error(`[Docker] ${config.connectionType || 'direct'} ${config.host}: ${method} ${path} failed after ${elapsed}ms: ${msg}`);
 			throw DockerConnectionError.fromError(error);
 		}
 	}
@@ -624,6 +662,7 @@ export interface ContainerInfo {
 	mounts: Array<{ type: string; source: string; destination: string; mode: string; rw: boolean }>;
 	labels: { [key: string]: string };
 	command: string;
+	attachable?: boolean
 }
 
 export interface ImageInfo {
@@ -645,6 +684,9 @@ export async function listContainers(all = true, envId?: number | null): Promise
 	const restartCounts = new Map<string, number>();
 	const restartingContainers = containers.filter(c => c.State === 'restarting');
 
+	const attachableMap = new Map<string, boolean>();
+	const runningContainers = containers.filter(c => c.State === 'running');
+
 	await Promise.all(
 		restartingContainers.map(async (container) => {
 			try {
@@ -656,6 +698,20 @@ export async function listContainers(all = true, envId?: number | null): Promise
 		})
 	);
 
+	await Promise.all(
+		runningContainers.map(async (container) => {
+			try {
+				const inspect = await inspectContainer(container.Id, envId);
+
+				const attachable = (inspect.Config.Tty && inspect.Config.OpenStdin) || false;
+
+				attachableMap.set(container.Id, attachable);
+			} catch (error) {
+				attachableMap.set(container.Id, false);
+			}
+		})
+	)
+
 	return containers.map((container) => {
 		// Extract network info with IP addresses
 		const networks: { [networkName: string]: { ipAddress: string } } = {};
@@ -677,10 +733,13 @@ export async function listContainers(all = true, envId?: number | null): Promise
 		}));
 
 		// Extract health status from Status string
+		// Docker formats: "(healthy)", "(unhealthy)", "(health: starting)"
 		let health: string | undefined;
-		const healthMatch = container.Status?.match(/\((healthy|unhealthy|starting)\)/i);
+		const healthMatch = container.Status?.match(/\((healthy|unhealthy|health:\s*starting)\)/i);
 		if (healthMatch) {
-			health = healthMatch[1].toLowerCase();
+			const matched = healthMatch[1].toLowerCase();
+			// Normalize "health: starting" to just "starting"
+			health = matched.includes('starting') ? 'starting' : matched;
 		}
 
 		return {
@@ -696,7 +755,8 @@ export async function listContainers(all = true, envId?: number | null): Promise
 			restartCount: restartCounts.get(container.Id) || 0,
 			mounts,
 			labels: container.Labels || {},
-			command: container.Command || ''
+			command: container.Command || '',
+			attachable: attachableMap.get(container.Id) || false
 		};
 	});
 }
@@ -803,6 +863,7 @@ export interface CreateContainerOptions {
 	labels?: { [key: string]: string };
 	cmd?: string[];
 	restartPolicy?: string;
+	restartMaxRetries?: number;
 	networkMode?: string;
 	networks?: string[];
 	user?: string;
@@ -831,7 +892,10 @@ export async function createContainer(options: CreateContainerOptions, envId?: n
 		Labels: options.labels || {},
 		HostConfig: {
 			RestartPolicy: {
-				Name: options.restartPolicy || 'no'
+				Name: options.restartPolicy || 'no',
+				...(options.restartPolicy === 'on-failure' && options.restartMaxRetries !== undefined
+					? { MaximumRetryCount: options.restartMaxRetries }
+					: {})
 			}
 		}
 	};
@@ -888,9 +952,9 @@ export async function createContainer(options: CreateContainerOptions, envId?: n
 	if (options.networks && options.networks.length > 0) {
 		containerConfig.HostConfig.NetworkMode = options.networks[0];
 		containerConfig.NetworkingConfig = {
-			EndpointsConfig: {
-				[options.networks[0]]: {}
-			}
+			EndpointsConfig: Object.fromEntries(
+				options.networks.map(network => [network, {}])
+			)
 		};
 	}
 
@@ -963,21 +1027,6 @@ export async function createContainer(options: CreateContainerOptions, envId?: n
 		envId
 	);
 
-	// Connect to additional networks after container creation
-	if (options.networks && options.networks.length > 1) {
-		for (let i = 1; i < options.networks.length; i++) {
-			await dockerFetch(
-				`/networks/${options.networks[i]}/connect`,
-				{
-					method: 'POST',
-					headers: { 'Content-Type': 'application/json' },
-					body: JSON.stringify({ Container: result.Id })
-				},
-				envId
-			);
-		}
-	}
-
 	return { id: result.Id, start: () => startContainer(result.Id, envId) };
 }
 
@@ -1002,12 +1051,31 @@ export async function updateContainer(id: string, options: CreateContainerOption
 
 // Image operations
 export async function listImages(envId?: number | null): Promise<ImageInfo[]> {
-	const images = await dockerJsonRequest<any[]>('/images/json', {}, envId);
+	// Fetch images and containers in parallel
+	const [images, containers] = await Promise.all([
+		dockerJsonRequest<any[]>('/images/json', {}, envId),
+		dockerJsonRequest<any[]>('/containers/json?all=true', {}, envId).catch(() => [] as any[])
+	]);
+
+	// Build a map of imageId -> container count
+	// Docker may return -1 for Containers field on some hosts, so we compute it ourselves
+	const imageContainerCount = new Map<string, number>();
+	for (const container of containers) {
+		const imageId = container.ImageID || container.Image;
+		if (imageId) {
+			imageContainerCount.set(imageId, (imageContainerCount.get(imageId) || 0) + 1);
+		}
+	}
+
 	return images.map((image) => ({
 		id: image.Id,
+		repoTags: image.RepoTags || [],
 		tags: image.RepoTags || [],
 		size: image.Size,
-		created: image.Created
+		virtualSize: image.VirtualSize || image.Size,
+		created: image.Created,
+		labels: image.Labels || {},
+		containers: imageContainerCount.get(image.Id) || 0
 	}));
 }
 
@@ -1951,7 +2019,10 @@ export async function pruneContainers(envId?: number | null) {
 }
 
 export async function pruneImages(dangling = true, envId?: number | null) {
-	const filters = dangling ? '{"dangling":["true"]}' : '{}';
+	// dangling=true: only remove untagged images (default Docker behavior)
+	// dangling=false: remove ALL unused images including tagged ones
+	// Docker API quirk: to remove all unused, we pass dangling=false filter
+	const filters = dangling ? '{"dangling":["true"]}' : '{"dangling":["false"]}';
 	return dockerJsonRequest(`/images/prune?filters=${encodeURIComponent(filters)}`, { method: 'POST' }, envId);
 }
 
@@ -2050,18 +2121,30 @@ export async function execInContainer(
 }
 
 // Get Docker events as a stream (for SSE)
+// For streaming mode: call with just filters
+// For polling mode: call with since and until to get a finite window of events
 export async function getDockerEvents(
 	filters: Record<string, string[]>,
-	envId?: number | null
+	envId?: number | null,
+	options?: { since?: string; until?: string }
 ): Promise<ReadableStream<Uint8Array> | null> {
 	const filterJson = JSON.stringify(filters);
 
+	// Build query string with optional since/until for polling mode
+	let queryString = `filters=${encodeURIComponent(filterJson)}`;
+	if (options?.since) {
+		queryString += `&since=${encodeURIComponent(options.since)}`;
+	}
+	if (options?.until) {
+		queryString += `&until=${encodeURIComponent(options.until)}`;
+	}
+
 	try {
 		// Note: We use streaming: true to disable Bun's idle timeout for this long-lived connection.
 		// The Docker events API keeps the connection open indefinitely, sending events as they occur.
 		// Without streaming: true, Bun would terminate the connection after ~5 seconds of inactivity.
 		const response = await dockerFetch(
-			`/events?filters=${encodeURIComponent(filterJson)}`,
+			`/events?${queryString}`,
 			{ streaming: true },
 			envId
 		);
@@ -3122,8 +3205,12 @@ async function cleanupStaleVolumeHelpersForEnv(envId?: number | null): Promise<n
 		}
 
 		return removed;
-	} catch (err) {
-		console.warn('Failed to query stale volume helpers:', err);
+	} catch (err: any) {
+		// Don't spam logs for expected failures (e.g., edge agent offline)
+		const msg = err?.message || String(err);
+		if (!msg.includes('not connected') && !msg.includes('offline')) {
+			console.warn('Failed to query stale volume helpers:', msg);
+		}
 		return 0;
 	}
 }
diff --git a/lib/server/event-collector.ts b/src/lib/server/event-collector.ts
similarity index 100%
rename from lib/server/event-collector.ts
rename to src/lib/server/event-collector.ts
diff --git a/lib/server/git.ts b/src/lib/server/git.ts
similarity index 96%
rename from lib/server/git.ts
rename to src/lib/server/git.ts
index 00d8d55..2bb1c64 100644
--- a/lib/server/git.ts
+++ b/src/lib/server/git.ts
@@ -1,5 +1,5 @@
 import { existsSync, mkdirSync, rmSync, chmodSync } from 'node:fs';
-import { join, resolve } from 'node:path';
+import { join, resolve, dirname } from 'node:path';
 import {
 	getGitRepository,
 	getGitCredential,
@@ -58,7 +58,14 @@ async function buildGitEnv(credential: GitCredential | null): Promise<GitEnv> {
 	if (credential?.authType === 'ssh' && credential.sshPrivateKey) {
 		// Create a temporary SSH key file (use absolute path so SSH can find it)
 		const sshKeyPath = resolve(join(GIT_REPOS_DIR, `.ssh-key-${credential.id}`));
-		await Bun.write(sshKeyPath, credential.sshPrivateKey);
+
+		// Ensure SSH key ends with a newline (newer SSH versions are strict about this)
+		let keyContent = credential.sshPrivateKey;
+		if (!keyContent.endsWith('\n')) {
+			keyContent += '\n';
+		}
+
+		await Bun.write(sshKeyPath, keyContent);
 		// Ensure SSH key has correct permissions (0600 = owner read/write only)
 		// Bun.write's mode option doesn't always work reliably, so use chmodSync
 		chmodSync(sshKeyPath, 0o600);
@@ -134,7 +141,9 @@ export interface SyncResult {
 	success: boolean;
 	commit?: string;
 	composeContent?: string;
+	composeDir?: string; // Directory containing the compose file (for copying all files)
 	envFileVars?: Record<string, string>; // Variables from .env file in repo
+	envFileContent?: string; // Raw .env file content (for Hawser deployments)
 	error?: string;
 	updated?: boolean;
 }
@@ -609,16 +618,21 @@ export async function syncGitStack(stackId: number): Promise<SyncResult> {
 		console.log(`${logPrefix} Compose content:`);
 		console.log(composeContent);
 
+		// Determine the compose directory (for copying all files)
+		const composeDir = dirname(composePath);
+		console.log(`${logPrefix} Compose directory:`, composeDir);
+
 		// Read env file if configured (optional - don't fail if missing)
 		let envFileVars: Record<string, string> | undefined;
+		let envFileContent: string | undefined;
 		if (gitStack.envFilePath) {
 			const envFilePath = join(repoPath, gitStack.envFilePath);
 			console.log(`${logPrefix} Looking for env file at:`, envFilePath);
 			if (existsSync(envFilePath)) {
 				try {
 					console.log(`${logPrefix} Reading env file...`);
-					const envContent = await Bun.file(envFilePath).text();
-					envFileVars = parseEnvFileContent(envContent, gitStack.stackName);
+					envFileContent = await Bun.file(envFilePath).text();
+					envFileVars = parseEnvFileContent(envFileContent, gitStack.stackName);
 					console.log(`${logPrefix} Env file parsed, vars count:`, Object.keys(envFileVars).length);
 				} catch (err) {
 					// Log but don't fail - env file is optional
@@ -653,6 +667,7 @@ export async function syncGitStack(stackId: number): Promise<SyncResult> {
 			success: true,
 			commit: currentCommit,
 			composeContent,
+			composeDir,
 			envFileVars,
 			updated
 		};
@@ -719,11 +734,13 @@ export async function deployGitStack(stackId: number, options?: { force?: boolea
 	// This ensures containers pick up new env var values even if compose file didn't change
 	// Note: Without this, docker compose only detects compose file changes, not env var changes
 	console.log(`${logPrefix} Calling deployStack...`);
+	console.log(`${logPrefix} Source directory (composeDir):`, syncResult.composeDir);
 	const result = await deployStack({
 		name: gitStack.stackName,
 		compose: syncResult.composeContent!,
 		envId: gitStack.environmentId,
 		envFileVars: syncResult.envFileVars,
+		sourceDir: syncResult.composeDir, // Copy entire directory from git repo
 		forceRecreate
 	});
 
@@ -917,6 +934,9 @@ export async function deployGitStackWithProgress(
 
 		const composeContent = await Bun.file(composePath).text();
 
+		// Determine the compose directory (for copying all files)
+		const composeDir = dirname(composePath);
+
 		// Read env file if configured (optional - don't fail if missing)
 		let envFileVars: Record<string, string> | undefined;
 		if (gitStack.envFilePath) {
@@ -951,7 +971,8 @@ export async function deployGitStackWithProgress(
 			name: gitStack.stackName,
 			compose: composeContent,
 			envId: gitStack.environmentId,
-			envFileVars
+			envFileVars,
+			sourceDir: composeDir // Copy entire directory from git repo
 		});
 
 		if (result.success) {
diff --git a/lib/server/hawser.ts b/src/lib/server/hawser.ts
similarity index 98%
rename from lib/server/hawser.ts
rename to src/lib/server/hawser.ts
index c3a361a..d113cf8 100644
--- a/lib/server/hawser.ts
+++ b/src/lib/server/hawser.ts
@@ -9,6 +9,8 @@ import { db, hawserTokens, environments, eq } from './db/drizzle.js';
 import { logContainerEvent, saveHostMetric, type ContainerEventAction } from './db.js';
 import { containerEventEmitter } from './event-collector.js';
 import { sendEnvironmentNotification } from './notifications.js';
+import { secureGetRandomValues, secureRandomUUID } from './crypto-fallback.js';
+import { hashPassword, verifyPassword } from './auth.js';
 
 // Protocol constants
 export const HAWSER_PROTOCOL_VERSION = '1.0';
@@ -243,7 +245,7 @@ export async function validateHawserToken(
 	// Check each token (tokens are hashed)
 	for (const t of tokens) {
 		try {
-			const isValid = await Bun.password.verify(token, t.token);
+			const isValid = await verifyPassword(token, t.token);
 			if (isValid) {
 				// Update last used timestamp
 				await db
@@ -292,16 +294,12 @@ export async function generateHawserToken(
 	} else {
 		// Generate a secure random token (32 bytes = 256 bits)
 		const tokenBytes = new Uint8Array(32);
-		crypto.getRandomValues(tokenBytes);
+		secureGetRandomValues(tokenBytes);
 		token = Buffer.from(tokenBytes).toString('base64url');
 	}
 
-	// Hash the token for storage (using Bun's built-in Argon2id)
-	const hashedToken = await Bun.password.hash(token, {
-		algorithm: 'argon2id',
-		memoryCost: 19456,
-		timeCost: 2
-	});
+	// Hash the token for storage (using Argon2id)
+	const hashedToken = await hashPassword(token);
 
 	// Get prefix for identification
 	const tokenPrefix = token.substring(0, 8);
@@ -477,7 +475,7 @@ export async function sendEdgeRequest(
 		throw new Error('Edge agent not connected');
 	}
 
-	const requestId = crypto.randomUUID();
+	const requestId = secureRandomUUID();
 
 	return new Promise((resolve, reject) => {
 		const timeoutHandle = setTimeout(() => {
@@ -614,7 +612,7 @@ export function sendEdgeStreamRequest(
 		return { requestId: '', cancel: () => {} };
 	}
 
-	const requestId = crypto.randomUUID();
+	const requestId = secureRandomUUID();
 
 	// Initialize pendingStreamRequests if not present (can happen in dev mode due to HMR)
 	if (!connection.pendingStreamRequests) {
diff --git a/lib/server/license.ts b/src/lib/server/license.ts
similarity index 100%
rename from lib/server/license.ts
rename to src/lib/server/license.ts
diff --git a/lib/server/notifications.ts b/src/lib/server/notifications.ts
similarity index 99%
rename from lib/server/notifications.ts
rename to src/lib/server/notifications.ts
index 555e239..c83c545 100644
--- a/lib/server/notifications.ts
+++ b/src/lib/server/notifications.ts
@@ -27,6 +27,9 @@ async function sendSmtpNotification(config: SmtpConfig, payload: NotificationPay
 			auth: config.username ? {
 				user: config.username,
 				pass: config.password
+			} : undefined,
+			tls: config.skipTlsVerify ? {
+				rejectUnauthorized: false
 			} : undefined
 		});
 
diff --git a/lib/server/scanner.ts b/src/lib/server/scanner.ts
similarity index 100%
rename from lib/server/scanner.ts
rename to src/lib/server/scanner.ts
diff --git a/lib/server/scheduler/index.ts b/src/lib/server/scheduler/index.ts
similarity index 100%
rename from lib/server/scheduler/index.ts
rename to src/lib/server/scheduler/index.ts
diff --git a/lib/server/scheduler/tasks/container-update.ts b/src/lib/server/scheduler/tasks/container-update.ts
similarity index 100%
rename from lib/server/scheduler/tasks/container-update.ts
rename to src/lib/server/scheduler/tasks/container-update.ts
diff --git a/lib/server/scheduler/tasks/env-update-check.ts b/src/lib/server/scheduler/tasks/env-update-check.ts
similarity index 100%
rename from lib/server/scheduler/tasks/env-update-check.ts
rename to src/lib/server/scheduler/tasks/env-update-check.ts
diff --git a/lib/server/scheduler/tasks/git-stack-sync.ts b/src/lib/server/scheduler/tasks/git-stack-sync.ts
similarity index 100%
rename from lib/server/scheduler/tasks/git-stack-sync.ts
rename to src/lib/server/scheduler/tasks/git-stack-sync.ts
diff --git a/lib/server/scheduler/tasks/system-cleanup.ts b/src/lib/server/scheduler/tasks/system-cleanup.ts
similarity index 100%
rename from lib/server/scheduler/tasks/system-cleanup.ts
rename to src/lib/server/scheduler/tasks/system-cleanup.ts
diff --git a/lib/server/scheduler/tasks/update-utils.ts b/src/lib/server/scheduler/tasks/update-utils.ts
similarity index 100%
rename from lib/server/scheduler/tasks/update-utils.ts
rename to src/lib/server/scheduler/tasks/update-utils.ts
diff --git a/src/lib/server/stack-scanner.ts b/src/lib/server/stack-scanner.ts
new file mode 100644
index 0000000..c185524
--- /dev/null
+++ b/src/lib/server/stack-scanner.ts
@@ -0,0 +1,508 @@
+/**
+ * Stack Scanner Service
+ *
+ * Scans external filesystem paths for Docker Compose files and adopts them as stacks.
+ * Discovered stacks are editable - compose and .env files are modified in their original location.
+ */
+
+import { readdirSync, existsSync, statSync } from 'node:fs';
+import { join, basename, dirname, resolve } from 'node:path';
+import { getExternalStackPaths, getStackSources, upsertStackSource, type StackSourceType } from './db';
+
+// Compose file patterns to detect (in order of priority)
+const COMPOSE_PATTERNS = ['docker-compose.yml', 'docker-compose.yaml', 'compose.yml', 'compose.yaml'];
+
+// Directories to skip during scanning
+const SKIP_DIRECTORIES = ['.git', 'node_modules', '.docker', '__pycache__', '.venv', 'venv'];
+
+// Maximum recursion depth to prevent runaway scanning
+const MAX_DEPTH = 5;
+
+export interface RunningStackInfo {
+	envId: number;
+	envName: string;
+	containerCount: number;
+}
+
+export interface DiscoveredStack {
+	name: string;
+	composePath: string;
+	envPath: string | null;
+	sourceDir: string;
+	serviceCount?: number; // Number of services defined in compose file
+	runningOn?: RunningStackInfo[];
+}
+
+export interface ScanResult {
+	discovered: DiscoveredStack[];
+	adopted: string[];
+	skipped: DiscoveredStack[];
+	errors: { path: string; error: string }[];
+}
+
+/**
+ * Normalize a stack name to be valid (lowercase alphanumeric with hyphens/underscores)
+ */
+function normalizeStackName(name: string): string {
+	return name
+		.toLowerCase()
+		.replace(/[^a-z0-9_-]/g, '-')
+		.replace(/-+/g, '-')
+		.replace(/^-|-$/g, '');
+}
+
+/**
+ * Check if a file looks like a compose file (contains 'services:' key)
+ */
+async function isComposeFile(filePath: string): Promise<boolean> {
+	try {
+		const file = Bun.file(filePath);
+		const content = await file.text();
+		// Basic check for services key - could be more sophisticated
+		return /^services:/m.test(content) || /\nservices:/m.test(content);
+	} catch {
+		return false;
+	}
+}
+
+/**
+ * Count the number of services defined in a compose file
+ * Uses simple regex to count top-level keys under 'services:' section
+ */
+async function countServices(filePath: string): Promise<number> {
+	try {
+		const file = Bun.file(filePath);
+		const content = await file.text();
+
+		// Find the services section and count top-level keys
+		const servicesMatch = content.match(/^services:\s*\n((?:[ \t]+\S[^\n]*\n?)*)/m) ||
+		                      content.match(/\nservices:\s*\n((?:[ \t]+\S[^\n]*\n?)*)/m);
+
+		if (!servicesMatch) return 0;
+
+		const servicesBlock = servicesMatch[1];
+		// Count lines that start with exactly 2 spaces followed by a non-space (service names)
+		const serviceLines = servicesBlock.match(/^  [a-zA-Z0-9_-]+:/gm);
+		return serviceLines?.length || 0;
+	} catch {
+		return 0;
+	}
+}
+
+/**
+ * Scan a single directory path for compose files
+ */
+async function scanPath(basePath: string): Promise<{ stacks: DiscoveredStack[]; errors: { path: string; error: string }[] }> {
+	const discovered: DiscoveredStack[] = [];
+	const errors: { path: string; error: string }[] = [];
+
+	// Resolve to absolute path
+	const absolutePath = resolve(basePath);
+
+	// Verify path exists and is a directory
+	if (!existsSync(absolutePath)) {
+		errors.push({ path: basePath, error: 'Path does not exist' });
+		return { stacks: discovered, errors };
+	}
+
+	try {
+		const stat = statSync(absolutePath);
+		if (!stat.isDirectory()) {
+			errors.push({ path: basePath, error: 'Path is not a directory' });
+			return { stacks: discovered, errors };
+		}
+	} catch (err) {
+		errors.push({ path: basePath, error: 'Cannot access path' });
+		return { stacks: discovered, errors };
+	}
+
+	// Track which directories we've found compose files in (to avoid duplicate scanning)
+	const foundStackDirs = new Set<string>();
+
+	async function scan(currentPath: string, depth: number = 0): Promise<void> {
+		// Limit depth to prevent runaway scanning
+		if (depth > MAX_DEPTH) return;
+
+		let entries;
+		try {
+			entries = readdirSync(currentPath, { withFileTypes: true });
+		} catch (err) {
+			// Skip inaccessible directories
+			return;
+		}
+
+		// First pass: check for compose files in this directory
+		for (const pattern of COMPOSE_PATTERNS) {
+			const composePath = join(currentPath, pattern);
+			if (existsSync(composePath)) {
+				// Found a stack! Stack name = directory name
+				const stackName = normalizeStackName(basename(currentPath));
+				if (stackName) {
+					// Check for .env file
+					const envPath = join(currentPath, '.env');
+					// Count services in compose file
+					const serviceCount = await countServices(composePath);
+					discovered.push({
+						name: stackName,
+						composePath,
+						envPath: existsSync(envPath) ? envPath : null,
+						sourceDir: currentPath,
+						serviceCount
+					});
+					foundStackDirs.add(currentPath);
+				}
+				// Don't continue scanning in this directory - it's a stack
+				return;
+			}
+		}
+
+		// Second pass: check for standalone compose files (*.yml, *.yaml) and recurse into subdirectories
+		for (const entry of entries) {
+			const entryPath = join(currentPath, entry.name);
+
+			if (entry.isDirectory()) {
+				// Skip excluded directories
+				if (SKIP_DIRECTORIES.includes(entry.name)) continue;
+
+				// Skip if we already found a compose file here
+				if (foundStackDirs.has(entryPath)) continue;
+
+				// Recurse into subdirectory
+				await scan(entryPath, depth + 1);
+			} else if (entry.isFile()) {
+				const lowerName = entry.name.toLowerCase();
+
+				// Skip standard compose patterns (already handled above)
+				if (COMPOSE_PATTERNS.includes(entry.name)) continue;
+
+				// Check for standalone compose files (e.g., myapp.yml, myapp.yaml)
+				if (lowerName.endsWith('.yml') || lowerName.endsWith('.yaml')) {
+					// Validate it's actually a compose file
+					if (await isComposeFile(entryPath)) {
+						const stackName = normalizeStackName(
+							entry.name.replace(/\.(yml|yaml)$/i, '')
+						);
+						if (stackName) {
+							// Check for .env file in same directory
+							const envPath = join(currentPath, '.env');
+							// Count services in compose file
+							const serviceCount = await countServices(entryPath);
+							discovered.push({
+								name: stackName,
+								composePath: entryPath,
+								envPath: existsSync(envPath) ? envPath : null,
+								sourceDir: currentPath,
+								serviceCount
+							});
+						}
+					}
+				}
+			}
+		}
+	}
+
+	await scan(absolutePath);
+	return { stacks: discovered, errors };
+}
+
+/**
+ * Adopt a single stack into the database
+ * - Checks if stack already exists (by composePath)
+ * - Creates stackSource record with sourceType: 'internal'
+ * - Does NOT deploy - just registers the stack
+ */
+export async function adoptStack(
+	stack: DiscoveredStack,
+	environmentId: number
+): Promise<{ success: boolean; adoptedName?: string; error?: string }> {
+	// Get all existing stack sources to check for duplicates
+	const existingSources = await getStackSources();
+
+	// Check if already adopted (by composePath)
+	const alreadyAdopted = existingSources.some(
+		(s) => s.composePath === stack.composePath
+	);
+
+	if (alreadyAdopted) {
+		return { success: false, error: 'Already adopted' };
+	}
+
+	// Check for name conflict within the same environment
+	let finalName = stack.name;
+	const existingNames = new Set(
+		existingSources
+			.filter((s) => s.environmentId === environmentId)
+			.map((s) => s.stackName)
+	);
+
+	if (existingNames.has(finalName)) {
+		// Append suffix to make unique
+		let suffix = 1;
+		while (existingNames.has(`${stack.name}-${suffix}`)) {
+			suffix++;
+		}
+		finalName = `${stack.name}-${suffix}`;
+	}
+
+	// Create stack source record - use 'internal' since we know the file paths
+	try {
+		await upsertStackSource({
+			stackName: finalName,
+			environmentId,
+			sourceType: 'internal' as StackSourceType,
+			composePath: stack.composePath,
+			envPath: stack.envPath
+		});
+
+		return { success: true, adoptedName: finalName };
+	} catch (err) {
+		console.error(`[Stack Scanner] Failed to adopt ${stack.name}:`, err);
+		return { success: false, error: err instanceof Error ? err.message : 'Unknown error' };
+	}
+}
+
+/**
+ * Adopt multiple selected stacks into the database
+ */
+export async function adoptSelectedStacks(
+	stacks: DiscoveredStack[],
+	environmentId: number
+): Promise<{ adopted: string[]; failed: { name: string; error: string }[] }> {
+	const adopted: string[] = [];
+	const failed: { name: string; error: string }[] = [];
+
+	for (const stack of stacks) {
+		const result = await adoptStack(stack, environmentId);
+		if (result.success && result.adoptedName) {
+			adopted.push(result.adoptedName);
+		} else {
+			failed.push({ name: stack.name, error: result.error || 'Unknown error' });
+		}
+	}
+
+	return { adopted, failed };
+}
+
+/**
+ * Scan specific paths and return discovered stacks (without adopting)
+ */
+export async function scanPaths(paths: string[]): Promise<ScanResult> {
+	if (paths.length === 0) {
+		return { discovered: [], adopted: [], skipped: [], errors: [] };
+	}
+
+	console.log(`[Stack Scanner] Scanning ${paths.length} path(s)...`);
+
+	const allDiscovered: DiscoveredStack[] = [];
+	const allErrors: { path: string; error: string }[] = [];
+
+	// Scan all paths
+	for (const path of paths) {
+		const { stacks, errors } = await scanPath(path);
+		allDiscovered.push(...stacks);
+		allErrors.push(...errors);
+	}
+
+	console.log(`[Stack Scanner] Found ${allDiscovered.length} compose file(s)`);
+
+	// Check which stacks are already adopted
+	const existingSources = await getStackSources();
+	const alreadyAdopted: DiscoveredStack[] = [];
+	const newStacks: DiscoveredStack[] = [];
+
+	for (const stack of allDiscovered) {
+		const isAdopted = existingSources.some(s => s.composePath === stack.composePath);
+		if (isAdopted) {
+			alreadyAdopted.push(stack);
+		} else {
+			newStacks.push(stack);
+		}
+	}
+
+	return {
+		discovered: newStacks,
+		adopted: [],
+		skipped: alreadyAdopted,
+		errors: allErrors
+	};
+}
+
+/**
+ * Scan all configured external paths and return discovered stacks (without adopting)
+ */
+export async function scanExternalPaths(): Promise<ScanResult> {
+	const paths = await getExternalStackPaths();
+
+	if (paths.length === 0) {
+		return { discovered: [], adopted: [], skipped: [], errors: [] };
+	}
+
+	console.log(`[Stack Scanner] Scanning ${paths.length} external path(s)...`);
+
+	const allDiscovered: DiscoveredStack[] = [];
+	const allErrors: { path: string; error: string }[] = [];
+
+	// Scan all paths
+	for (const path of paths) {
+		const { stacks, errors } = await scanPath(path);
+		allDiscovered.push(...stacks);
+		allErrors.push(...errors);
+	}
+
+	console.log(`[Stack Scanner] Found ${allDiscovered.length} compose file(s)`);
+
+	// Check which stacks are already adopted
+	const existingSources = await getStackSources();
+	const alreadyAdopted: DiscoveredStack[] = [];
+	const newStacks: DiscoveredStack[] = [];
+
+	for (const stack of allDiscovered) {
+		const isAdopted = existingSources.some(s => s.composePath === stack.composePath);
+		if (isAdopted) {
+			alreadyAdopted.push(stack);
+		} else {
+			newStacks.push(stack);
+		}
+	}
+
+	if (alreadyAdopted.length > 0) {
+		console.log(`[Stack Scanner] ${alreadyAdopted.length} stack(s) already adopted`);
+	}
+	if (newStacks.length > 0) {
+		console.log(`[Stack Scanner] ${newStacks.length} new stack(s) available for adoption`);
+	}
+	if (allErrors.length > 0) {
+		console.warn(`[Stack Scanner] ${allErrors.length} error(s) during scanning`);
+	}
+
+	return {
+		discovered: newStacks, // Only return stacks not yet adopted
+		adopted: [], // No auto-adopt anymore
+		skipped: alreadyAdopted,
+		errors: allErrors
+	};
+}
+
+/**
+ * Check if two paths overlap (one is parent/child of the other)
+ */
+function pathsOverlap(path1: string, path2: string): 'parent' | 'child' | 'same' | null {
+	const resolved1 = resolve(path1);
+	const resolved2 = resolve(path2);
+
+	if (resolved1 === resolved2) {
+		return 'same';
+	}
+
+	// Normalize paths with trailing slash for proper prefix matching
+	const normalized1 = resolved1.endsWith('/') ? resolved1 : resolved1 + '/';
+	const normalized2 = resolved2.endsWith('/') ? resolved2 : resolved2 + '/';
+
+	if (normalized2.startsWith(normalized1)) {
+		// path1 is parent of path2
+		return 'parent';
+	}
+
+	if (normalized1.startsWith(normalized2)) {
+		// path1 is child of path2
+		return 'child';
+	}
+
+	return null;
+}
+
+/**
+ * Validate that a path exists, is a directory, and doesn't overlap with existing paths
+ */
+export function validatePath(
+	path: string,
+	existingPaths: string[] = []
+): { valid: boolean; error?: string; resolvedPath?: string } {
+	if (!path || typeof path !== 'string') {
+		return { valid: false, error: 'Path is required' };
+	}
+
+	const resolvedPath = resolve(path.trim());
+
+	if (!existsSync(resolvedPath)) {
+		return { valid: false, error: 'Path does not exist' };
+	}
+
+	try {
+		const stat = statSync(resolvedPath);
+		if (!stat.isDirectory()) {
+			return { valid: false, error: 'Path is not a directory' };
+		}
+	} catch {
+		return { valid: false, error: 'Cannot access path' };
+	}
+
+	// Check for overlapping paths
+	for (const existingPath of existingPaths) {
+		const overlap = pathsOverlap(resolvedPath, existingPath);
+		if (overlap === 'same') {
+			return { valid: false, error: 'This location is already added' };
+		}
+		if (overlap === 'parent') {
+			return { valid: false, error: `This path contains an existing location: ${existingPath}` };
+		}
+		if (overlap === 'child') {
+			return { valid: false, error: `This path is inside an existing location: ${existingPath}` };
+		}
+	}
+
+	return { valid: true, resolvedPath };
+}
+
+/**
+ * Detect which discovered stacks are already running on any environment.
+ * Matches by stack name (com.docker.compose.project label) since paths may differ.
+ */
+export async function detectRunningStacks(
+	discovered: DiscoveredStack[]
+): Promise<DiscoveredStack[]> {
+	if (discovered.length === 0) {
+		return discovered;
+	}
+
+	// Dynamic imports to avoid circular dependencies
+	const { listComposeStacks } = await import('./stacks.js');
+	const { getEnvironments } = await import('./db.js');
+
+	// Get all environments
+	const environments = await getEnvironments();
+
+	if (environments.length === 0) {
+		return discovered;
+	}
+
+	// Build map of stack name -> running info across all environments
+	const runningStacksMap = new Map<string, RunningStackInfo[]>();
+
+	// Query each environment in parallel for running stacks
+	await Promise.all(
+		environments.map(async (env) => {
+			try {
+				const stacks = await listComposeStacks(env.id);
+				for (const stack of stacks) {
+					const existing = runningStacksMap.get(stack.name) || [];
+					existing.push({
+						envId: env.id,
+						envName: env.name,
+						containerCount: stack.containers?.length || 0
+					});
+					runningStacksMap.set(stack.name, existing);
+				}
+			} catch (error) {
+				// Environment might be offline - skip silently
+				console.warn(`[Stack Scanner] Failed to query environment ${env.name}:`, error);
+			}
+		})
+	);
+
+	// Attach running info to discovered stacks by matching name
+	return discovered.map((stack) => ({
+		...stack,
+		runningOn: runningStacksMap.get(stack.name)
+	}));
+}
diff --git a/src/lib/server/stacks.ts b/src/lib/server/stacks.ts
new file mode 100644
index 0000000..ad4dddb
--- /dev/null
+++ b/src/lib/server/stacks.ts
@@ -0,0 +1,1820 @@
+/**
+ * Stack Management Module
+ *
+ * Provides compose-first stack operations for internal, git, and external stacks.
+ * All lifecycle operations use docker compose commands.
+ */
+
+import { existsSync, mkdirSync, rmSync, readdirSync, cpSync, statSync, unlinkSync, renameSync, readFileSync, writeFileSync } from 'node:fs';
+import { join, resolve, dirname } from 'node:path';
+import {
+	getEnvironment,
+	getStackEnvVarsAsRecord,
+	getSecretEnvVarsAsRecord,
+	getNonSecretEnvVarsAsRecord,
+	getStackEnvVars,
+	setStackEnvVars,
+	getStackSource,
+	upsertStackSource,
+	deleteStackSource,
+	getGitStackByName,
+	deleteGitStack,
+	getStackSources,
+	deleteStackEnvVars
+} from './db';
+import { deleteGitStackFiles } from './git';
+
+// =============================================================================
+// TYPES
+// =============================================================================
+
+/**
+ * Stack source types
+ */
+export type StackSourceType = 'internal' | 'git' | 'external';
+
+/**
+ * Stack operation result
+ */
+export interface StackOperationResult {
+	success: boolean;
+	output?: string;
+	error?: string;
+}
+
+/**
+ * Container detail within a stack
+ */
+export interface ContainerDetail {
+	id: string;
+	name: string;
+	service: string;
+	state: string;
+	status: string;
+	health?: string;
+	image: string;
+	ports: Array<{ publicPort: number; privatePort: number; type: string; display: string }>;
+	networks: Array<{ name: string; ipAddress: string }>;
+	volumeCount: number;
+	restartCount: number;
+	created: number;
+}
+
+/**
+ * Compose stack information
+ */
+export interface ComposeStackInfo {
+	name: string;
+	containers: string[];
+	containerDetails: ContainerDetail[];
+	status: 'running' | 'stopped' | 'partial' | 'created';
+	sourceType?: StackSourceType;
+	hasComposeFile?: boolean;
+}
+
+/**
+ * Stack deployment options
+ */
+export interface DeployStackOptions {
+	name: string;
+	compose: string;
+	envId?: number | null;
+	envFileVars?: Record<string, string>;
+	sourceDir?: string; // Directory to copy all files from (for git stacks)
+	forceRecreate?: boolean;
+}
+
+// =============================================================================
+// ERRORS
+// =============================================================================
+
+/**
+ * Error when compose file is missing for a managed stack
+ */
+export class ComposeFileNotFoundError extends Error {
+	public readonly stackName: string;
+
+	constructor(stackName: string) {
+		super(
+			`Compose file not found for stack "${stackName}". ` +
+				`The stack may have been deleted or was created outside of Dockhand.`
+		);
+		this.name = 'ComposeFileNotFoundError';
+		this.stackName = stackName;
+	}
+}
+
+// =============================================================================
+// INTERNAL STATE
+// =============================================================================
+
+// Cache stacks directory
+let _stacksDir: string | null = null;
+
+// Per-stack locking mechanism to prevent race conditions during concurrent operations
+const stackLocks = new Map<string, Promise<void>>();
+
+/**
+ * Execute a function with exclusive lock on a stack.
+ * Prevents race conditions when multiple operations target the same stack.
+ */
+async function withStackLock<T>(stackName: string, fn: () => Promise<T>): Promise<T> {
+	const lockKey = stackName;
+
+	// Wait for any existing lock to release
+	while (stackLocks.has(lockKey)) {
+		await stackLocks.get(lockKey);
+	}
+
+	// Create new lock
+	let releaseLock: () => void;
+	const lockPromise = new Promise<void>((resolve) => {
+		releaseLock = resolve;
+	});
+	stackLocks.set(lockKey, lockPromise);
+
+	try {
+		return await fn();
+	} finally {
+		stackLocks.delete(lockKey);
+		releaseLock!();
+	}
+}
+
+// Timeout configuration for compose operations
+const COMPOSE_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes
+const COMPOSE_KILL_GRACE_MS = 5000; // 5 seconds grace period before SIGKILL
+
+/**
+ * Read all files from a directory as a map of relative path -> content.
+ * Used to send files to Hawser for remote deployments.
+ */
+async function readDirFilesAsMap(dirPath: string): Promise<Record<string, string>> {
+	const files: Record<string, string> = {};
+
+	async function scanDir(currentPath: string, relativePath: string = ''): Promise<void> {
+		const entries = readdirSync(currentPath, { withFileTypes: true });
+		for (const entry of entries) {
+			const fullPath = join(currentPath, entry.name);
+			const relPath = relativePath ? `${relativePath}/${entry.name}` : entry.name;
+
+			if (entry.isDirectory()) {
+				// Skip .git directory
+				if (entry.name === '.git') continue;
+				await scanDir(fullPath, relPath);
+			} else if (entry.isFile()) {
+				// Read file content
+				const content = await Bun.file(fullPath).text();
+				files[relPath] = content;
+			}
+		}
+	}
+
+	await scanDir(dirPath);
+	return files;
+}
+
+// =============================================================================
+// DEBUG UTILITIES
+// =============================================================================
+
+/**
+ * Mask sensitive values in environment variables for safe logging.
+ * Masks values for keys containing common secret patterns and truncates long values.
+ */
+function maskSecrets(vars: Record<string, string>): Record<string, string> {
+	const masked: Record<string, string> = {};
+	const secretPatterns = /password|secret|token|key|api_key|apikey|auth|credential|private/i;
+	for (const [key, value] of Object.entries(vars)) {
+		if (secretPatterns.test(key)) {
+			masked[key] = '***';
+		} else if (value.length > 50) {
+			// Truncate long values that might be secrets
+			masked[key] = value.substring(0, 10) + '...(truncated)';
+		} else {
+			masked[key] = value;
+		}
+	}
+	return masked;
+}
+
+// =============================================================================
+// UTILITIES
+// =============================================================================
+
+/**
+ * Get the compose stacks directory (always returns absolute path)
+ */
+export function getStacksDir(): string {
+	if (_stacksDir) return _stacksDir;
+	const dataDir = process.env.DATA_DIR || './data';
+	// Resolve to absolute path to avoid issues with relative paths in docker compose
+	_stacksDir = resolve(join(dataDir, 'stacks'));
+	if (!existsSync(_stacksDir)) {
+		mkdirSync(_stacksDir, { recursive: true });
+	}
+	return _stacksDir;
+}
+
+/**
+ * Get stack directory path for a specific environment.
+ * New stacks use: $DATA_DIR/stacks/<envName>/<stackName>/
+ * Legacy stacks (no env): $DATA_DIR/stacks/<stackName>/
+ *
+ * Automatically looks up environment name from database.
+ */
+export async function getStackDir(stackName: string, envId?: number | null): Promise<string> {
+	const stacksDir = getStacksDir();
+	if (envId) {
+		const env = await getEnvironment(envId);
+		if (env) {
+			return join(stacksDir, env.name, stackName);
+		}
+	}
+	// Legacy path for stacks without environment
+	return join(stacksDir, stackName);
+}
+
+/**
+ * Find stack directory, checking paths in order:
+ * 1. New path (envName): $DATA_DIR/stacks/<envName>/<stackName>/
+ * 2. ID-based path (envId): $DATA_DIR/stacks/<envId>/<stackName>/
+ * 3. Legacy path: $DATA_DIR/stacks/<stackName>/
+ *
+ * Automatically looks up environment name from database.
+ * Always checks legacy path for backwards compatibility with pre-env stacks.
+ */
+export async function findStackDir(stackName: string, envId?: number | null): Promise<string | null> {
+	const stacksDir = getStacksDir();
+
+	// Look up environment name if we have an ID
+	if (envId) {
+		const env = await getEnvironment(envId);
+
+		// 1. Check new path (with envName)
+		if (env) {
+			const namePath = join(stacksDir, env.name, stackName);
+			if (existsSync(namePath)) {
+				return namePath;
+			}
+		}
+
+		// 2. Check ID-based path
+		const idPath = join(stacksDir, String(envId), stackName);
+		if (existsSync(idPath)) {
+			return idPath;
+		}
+	}
+
+	// 3. Always check legacy path (stacks created before env-scoping was added)
+	const legacyPath = join(stacksDir, stackName);
+	if (existsSync(legacyPath)) {
+		return legacyPath;
+	}
+
+	return null;
+}
+
+/**
+ * List stacks that have compose files stored locally
+ */
+export function listManagedStacks(): string[] {
+	const stacksDir = getStacksDir();
+	if (!existsSync(stacksDir)) {
+		return [];
+	}
+
+	return readdirSync(stacksDir, { withFileTypes: true })
+		.filter((dirent) => dirent.isDirectory())
+		.filter((dirent) => {
+			const composeYml = join(stacksDir, dirent.name, 'docker-compose.yml');
+			const composeYaml = join(stacksDir, dirent.name, 'docker-compose.yaml');
+			return existsSync(composeYml) || existsSync(composeYaml);
+		})
+		.map((dirent) => dirent.name);
+}
+
+// =============================================================================
+// COMPOSE FILE MANAGEMENT
+// =============================================================================
+
+/**
+ * Result type for getStackComposeFile
+ */
+export interface GetComposeFileResult {
+	success: boolean;
+	content?: string;
+	stackDir?: string;
+	error?: string;
+	needsFileLocation?: boolean;
+	composePath?: string | null;
+	envPath?: string | null;
+	suggestedEnvPath?: string;
+}
+
+/**
+ * Get compose file content for a stack.
+ *
+ * Unified logic for all stacks:
+ * - If composePath is set in DB → use custom path
+ * - If composePath is NULL → use default location (data/stacks/{env}/{name}/)
+ * - If no source record and no files found → return needsFileLocation: true
+ */
+export async function getStackComposeFile(
+	stackName: string,
+	envId?: number | null
+): Promise<GetComposeFileResult> {
+	const source = await getStackSource(stackName, envId);
+
+	// Case 1: Stack not in database = untracked (discovered from Docker but not imported)
+	// User must select the compose file location - don't guess from default location
+	if (!source) {
+		return {
+			success: false,
+			needsFileLocation: true,
+			error: `Select the compose file location for stack "${stackName}"`
+		};
+	}
+
+	// Case 2: Stack has custom composePath set - use it
+	if (source.composePath) {
+		try {
+			if (!existsSync(source.composePath)) {
+				return {
+					success: false,
+					error: `Compose file no longer accessible at ${source.composePath}. The file may have been moved or deleted.`,
+					composePath: source.composePath,
+					envPath: source.envPath
+				};
+			}
+
+			const content = await Bun.file(source.composePath).text();
+			const stackDir = dirname(source.composePath);
+
+			// For custom paths, suggest .env next to compose if envPath not set
+			let suggestedEnvPath: string | undefined;
+			if (source.envPath === null) {
+				suggestedEnvPath = source.composePath.replace(/\/[^/]+$/, '/.env');
+			}
+
+			return {
+				success: true,
+				content,
+				stackDir,
+				composePath: source.composePath,
+				envPath: source.envPath,
+				suggestedEnvPath
+			};
+		} catch (error) {
+			const message = error instanceof Error ? error.message : 'Unknown error';
+			return {
+				success: false,
+				error: `Failed to read compose file: ${message}`,
+				composePath: source.composePath,
+				envPath: source.envPath
+			};
+		}
+	}
+
+	// Case 3: Stack is in DB but no custom path - check default location
+	// This is for stacks created in Dockhand using the default data directory
+	const stackDir = await findStackDir(stackName, envId);
+
+	if (stackDir) {
+		// Check all common compose file names
+		const composeFileNames = ['docker-compose.yml', 'docker-compose.yaml', 'compose.yml', 'compose.yaml'];
+
+		for (const fileName of composeFileNames) {
+			const actualComposePath = join(stackDir, fileName);
+			const file = Bun.file(actualComposePath);
+			if (await file.exists()) {
+				// Check for .env file in the same directory
+				const envFilePath = join(stackDir, '.env');
+				const envExists = existsSync(envFilePath);
+
+				return {
+					success: true,
+					content: await file.text(),
+					stackDir,
+					// Always return the actual resolved paths for display
+					composePath: actualComposePath,
+					envPath: envExists ? envFilePath : null
+				};
+			}
+		}
+	}
+
+	// Case 4: Stack is in DB but compose file not found - need user to specify location
+	return {
+		success: false,
+		needsFileLocation: true,
+		error: `Select the compose file location for stack "${stackName}"`
+	};
+}
+
+/**
+ * Save or create a stack compose file without deploying.
+ * @param name - Stack name
+ * @param content - Compose file content
+ * @param create - If true, creates a new stack (fails if exists). If false, updates existing (fails if not exists).
+ * @param envId - Environment ID for path scoping
+ */
+export async function saveStackComposeFile(
+	name: string,
+	content: string,
+	create = false,
+	envId?: number | null,
+	options?: {
+		composePath?: string;  // Custom compose file path
+		envPath?: string | null;  // Custom env path (null = default, '' = none)
+		moveFromDir?: string;  // Old directory to move all files from when path changes
+		oldComposePath?: string;  // Old compose file path for renaming
+		oldEnvPath?: string;  // Old env file path for renaming
+	}
+): Promise<{ success: boolean; error?: string }> {
+	// Validate stack name - Docker Compose requires lowercase alphanumeric, hyphens, underscores
+	// Must also start with a letter or number
+	if (!/^[a-z0-9][a-z0-9_-]*$/.test(name)) {
+		return {
+			success: false,
+			error: 'Stack name must be lowercase, start with a letter or number, and contain only letters, numbers, hyphens, and underscores'
+		};
+	}
+
+	// Check if this stack has a custom compose path configured, or if one was provided
+	const source = await getStackSource(name, envId);
+	const composePath = options?.composePath || source?.composePath;
+
+	// Handle compose file move/rename when path changes
+	if (options?.oldComposePath && options?.composePath &&
+		options.oldComposePath !== options.composePath &&
+		existsSync(options.oldComposePath)) {
+		const newDir = dirname(options.composePath);
+
+		// Ensure target directory exists
+		if (!existsSync(newDir)) {
+			try {
+				mkdirSync(newDir, { recursive: true });
+			} catch (err: any) {
+				console.warn(`[Stack] Failed to create directory ${newDir}: ${err.message}`);
+			}
+		}
+
+		// Move/rename the compose file to new location
+		try {
+			renameSync(options.oldComposePath, options.composePath);
+			console.log(`[Stack] Moved compose file: ${options.oldComposePath} -> ${options.composePath}`);
+		} catch (renameErr: any) {
+			// If rename fails (e.g., cross-filesystem), try copy+delete
+			if (renameErr.code === 'EXDEV') {
+				try {
+					const data = readFileSync(options.oldComposePath);
+					writeFileSync(options.composePath, data);
+					unlinkSync(options.oldComposePath);
+					console.log(`[Stack] Copied compose file (cross-fs): ${options.oldComposePath} -> ${options.composePath}`);
+				} catch (err: any) {
+					console.warn(`[Stack] Failed to copy compose file: ${err.message}`);
+				}
+			} else {
+				console.warn(`[Stack] Failed to move compose file: ${renameErr.message}`);
+			}
+		}
+	}
+
+	// Handle env file move/rename when path changes
+	if (options?.oldEnvPath && options?.envPath &&
+		options.oldEnvPath !== options.envPath &&
+		existsSync(options.oldEnvPath)) {
+		const newDir = dirname(options.envPath);
+
+		// Ensure target directory exists
+		if (!existsSync(newDir)) {
+			try {
+				mkdirSync(newDir, { recursive: true });
+			} catch (err: any) {
+				console.warn(`[Stack] Failed to create directory ${newDir}: ${err.message}`);
+			}
+		}
+
+		// Move/rename the env file to new location
+		try {
+			renameSync(options.oldEnvPath, options.envPath);
+			console.log(`[Stack] Moved env file: ${options.oldEnvPath} -> ${options.envPath}`);
+		} catch (renameErr: any) {
+			// If rename fails (e.g., cross-filesystem), try copy+delete
+			if (renameErr.code === 'EXDEV') {
+				try {
+					const data = readFileSync(options.oldEnvPath);
+					writeFileSync(options.envPath, data);
+					unlinkSync(options.oldEnvPath);
+					console.log(`[Stack] Copied env file (cross-fs): ${options.oldEnvPath} -> ${options.envPath}`);
+				} catch (err: any) {
+					console.warn(`[Stack] Failed to copy env file: ${err.message}`);
+				}
+			} else {
+				console.warn(`[Stack] Failed to move env file: ${renameErr.message}`);
+			}
+		}
+	}
+
+	// Move all files from old directory to new directory when path changes
+	// Get the new directory from composePath
+	const newDir = options?.composePath ? dirname(options.composePath) : null;
+
+	if (options?.moveFromDir && newDir && options.moveFromDir !== newDir && existsSync(options.moveFromDir)) {
+		try {
+			// Ensure new directory exists
+			if (!existsSync(newDir)) {
+				mkdirSync(newDir, { recursive: true });
+			}
+
+			// Move all files from old directory to new directory
+			const files = readdirSync(options.moveFromDir);
+			for (const file of files) {
+				const oldFilePath = join(options.moveFromDir, file);
+				const newFilePath = join(newDir, file);
+
+				try {
+					// Use rename for atomic move (same filesystem) or copy+delete for cross-filesystem
+					renameSync(oldFilePath, newFilePath);
+					console.log(`[Stack] Moved file: ${oldFilePath} -> ${newFilePath}`);
+				} catch (renameErr: any) {
+					// If rename fails (e.g., cross-filesystem), try copy+delete
+					if (renameErr.code === 'EXDEV') {
+						const stat = statSync(oldFilePath);
+						if (stat.isDirectory()) {
+							// For directories, use recursive copy
+							cpSync(oldFilePath, newFilePath, { recursive: true });
+							rmSync(oldFilePath, { recursive: true, force: true });
+						} else {
+							// For files, read and write
+							const data = readFileSync(oldFilePath);
+							writeFileSync(newFilePath, data);
+							unlinkSync(oldFilePath);
+						}
+						console.log(`[Stack] Copied file (cross-fs): ${oldFilePath} -> ${newFilePath}`);
+					} else {
+						throw renameErr;
+					}
+				}
+			}
+
+			// Remove old directory if it's now empty
+			try {
+				const remaining = readdirSync(options.moveFromDir);
+				if (remaining.length === 0) {
+					rmSync(options.moveFromDir, { recursive: true, force: true });
+					console.log(`[Stack] Removed empty old directory: ${options.moveFromDir}`);
+				}
+			} catch {
+				// Ignore errors when checking/removing old directory
+			}
+		} catch (err: any) {
+			console.warn(`[Stack] Failed to move files from ${options.moveFromDir} to ${newDir}: ${err.message}`);
+			// Continue with save even if move fails - new files will be written anyway
+		}
+	}
+
+	// If a custom composePath is being set (new or update), save it to the database
+	if (options?.composePath || options?.envPath !== undefined) {
+		await upsertStackSource({
+			stackName: name,
+			environmentId: envId ?? null,
+			sourceType: 'internal',
+			composePath: options?.composePath || source?.composePath || null,
+			envPath: options?.envPath !== undefined ? options.envPath : (source?.envPath ?? null)
+		});
+	}
+
+	if (composePath) {
+		// Write directly to the custom compose file path
+		// Ensure parent directory exists for custom paths
+		const parentDir = dirname(composePath);
+		if (!existsSync(parentDir)) {
+			try {
+				mkdirSync(parentDir, { recursive: true });
+			} catch (err: any) {
+				return { success: false, error: `Failed to create directory for compose file: ${err.message}` };
+			}
+		}
+		try {
+			await Bun.write(composePath, content);
+			return { success: true };
+		} catch (err: any) {
+			return { success: false, error: `Failed to save compose file: ${err.message}` };
+		}
+	}
+
+	// For creates, use new path; for updates, find existing path first
+	let stackDir: string;
+	if (create) {
+		stackDir = await getStackDir(name, envId);
+	} else {
+		const existingDir = await findStackDir(name, envId);
+		if (!existingDir) {
+			return { success: false, error: `Stack "${name}" not found` };
+		}
+		stackDir = existingDir;
+	}
+
+	const composeFile = join(stackDir, 'docker-compose.yml');
+	const exists = existsSync(stackDir);
+
+	if (create) {
+		// Creating new stack - if directory exists, it's orphaned (clean it up)
+		if (exists) {
+			try {
+				console.log(`Cleaning up orphaned stack directory: ${stackDir}`);
+				rmSync(stackDir, { recursive: true, force: true });
+			} catch (err: any) {
+				return { success: false, error: `Stack directory exists and cleanup failed: ${err.message}` };
+			}
+		}
+		try {
+			mkdirSync(stackDir, { recursive: true });
+		} catch (err: any) {
+			return { success: false, error: `Failed to create stack directory: ${err.message}` };
+		}
+	}
+
+	try {
+		await Bun.write(composeFile, content);
+		return { success: true };
+	} catch (err: any) {
+		return { success: false, error: `Failed to ${create ? 'create' : 'save'} compose file: ${err.message}` };
+	}
+}
+
+// =============================================================================
+// REGISTRY AUTHENTICATION
+// =============================================================================
+
+/**
+ * Login to all configured Docker registries before running compose commands.
+ * This ensures that `docker compose up` can pull images from private registries.
+ */
+async function loginToRegistries(dockerHost?: string, logPrefix = '[Stack]'): Promise<void> {
+	const { getRegistries } = await import('./db.js');
+	const registries = await getRegistries();
+
+	if (registries.length === 0) {
+		return;
+	}
+
+	const spawnEnv: Record<string, string> = { ...(process.env as Record<string, string>) };
+	if (dockerHost) {
+		spawnEnv.DOCKER_HOST = dockerHost;
+	}
+
+	for (const reg of registries) {
+		if (!reg.username || !reg.password) {
+			continue; // Skip registries without credentials
+		}
+
+		try {
+			// Extract registry host from URL
+			const url = new URL(reg.url);
+			const registryHost = url.host;
+
+			console.log(`${logPrefix} Logging into registry: ${registryHost}`);
+
+			const proc = Bun.spawn(
+				['docker', 'login', '-u', reg.username, '--password-stdin', registryHost],
+				{
+					env: spawnEnv,
+					stdin: 'pipe',
+					stdout: 'pipe',
+					stderr: 'pipe'
+				}
+			);
+
+			// Write password to stdin
+			const writer = proc.stdin.getWriter();
+			await writer.write(new TextEncoder().encode(reg.password));
+			await writer.close();
+
+			const exitCode = await proc.exited;
+
+			if (exitCode === 0) {
+				console.log(`${logPrefix} Successfully logged into ${registryHost}`);
+			} else {
+				const stderr = await new Response(proc.stderr).text();
+				console.error(`${logPrefix} Failed to login to ${registryHost}: ${stderr}`);
+			}
+		} catch (e) {
+			console.error(`${logPrefix} Error logging into registry ${reg.name}:`, e);
+		}
+	}
+}
+
+// =============================================================================
+// COMPOSE COMMAND EXECUTION
+// =============================================================================
+
+interface ComposeCommandOptions {
+	stackName: string;
+	envId?: number | null;
+	forceRecreate?: boolean;
+	removeVolumes?: boolean;
+	stackFiles?: Record<string, string>; // All files to send to Hawser
+}
+
+/**
+ * Execute a docker compose command locally via Bun.spawn.
+ *
+ * @param envVars - Non-secret environment variables (from .env file, passed for backward compat)
+ * @param secretVars - Secret environment variables (injected via shell env, NEVER written to disk)
+ */
+async function executeLocalCompose(
+	operation: 'up' | 'down' | 'stop' | 'start' | 'restart' | 'pull',
+	stackName: string,
+	composeContent: string,
+	dockerHost?: string,
+	envVars?: Record<string, string>,
+	secretVars?: Record<string, string>,
+	forceRecreate?: boolean,
+	removeVolumes?: boolean,
+	envId?: number | null
+): Promise<StackOperationResult> {
+	const logPrefix = `[Stack:${stackName}]`;
+	// For operations that write (up), use getStackDir; for others, try to find existing first
+	const stackDir = operation === 'up'
+		? await getStackDir(stackName, envId)
+		: (await findStackDir(stackName, envId) || await getStackDir(stackName, envId));
+	mkdirSync(stackDir, { recursive: true });
+
+	const composeFile = join(stackDir, 'docker-compose.yml');
+	await Bun.write(composeFile, composeContent);
+
+	// Build spawn environment:
+	// 1. Start with process.env
+	// 2. Add DOCKER_HOST if specified
+	// 3. Add non-secret envVars (for backward compat when .env file doesn't exist)
+	// 4. Add secret envVars (CRITICAL: these are NEVER written to disk, only passed via shell env)
+	const spawnEnv: Record<string, string> = { ...(process.env as Record<string, string>) };
+	if (dockerHost) {
+		spawnEnv.DOCKER_HOST = dockerHost;
+	}
+	// Non-secret vars (backup for when .env file doesn't exist yet)
+	if (envVars) {
+		Object.assign(spawnEnv, envVars);
+	}
+	// SECRET vars: injected via shell environment at runtime (NEVER written to .env file)
+	if (secretVars) {
+		Object.assign(spawnEnv, secretVars);
+	}
+
+	// Build command based on operation
+	const args = ['docker', 'compose', '-p', stackName, '-f', composeFile];
+
+	switch (operation) {
+		case 'up':
+			args.push('up', '-d', '--remove-orphans');
+			if (forceRecreate) args.push('--force-recreate');
+			break;
+		case 'down':
+			args.push('down');
+			if (removeVolumes) args.push('--volumes');
+			break;
+		case 'stop':
+			args.push('stop');
+			break;
+		case 'start':
+			args.push('start');
+			break;
+		case 'restart':
+			args.push('restart');
+			break;
+		case 'pull':
+			args.push('pull');
+			break;
+	}
+
+	console.log(`${logPrefix} ----------------------------------------`);
+	console.log(`${logPrefix} EXECUTE LOCAL COMPOSE`);
+	console.log(`${logPrefix} ----------------------------------------`);
+	console.log(`${logPrefix} Operation:`, operation);
+	console.log(`${logPrefix} Command:`, args.join(' '));
+	console.log(`${logPrefix} Working directory:`, stackDir);
+	console.log(`${logPrefix} Compose file:`, composeFile);
+	console.log(`${logPrefix} DOCKER_HOST:`, dockerHost || '(local socket)');
+	console.log(`${logPrefix} Force recreate:`, forceRecreate ?? false);
+	console.log(`${logPrefix} Remove volumes:`, removeVolumes ?? false);
+	console.log(`${logPrefix} Env vars count:`, envVars ? Object.keys(envVars).length : 0);
+	if (envVars && Object.keys(envVars).length > 0) {
+		console.log(`${logPrefix} Env vars being injected (masked):`, JSON.stringify(maskSecrets(envVars), null, 2));
+	}
+
+	// Login to registries before pulling images
+	if (operation === 'up' || operation === 'pull') {
+		await loginToRegistries(dockerHost, logPrefix);
+	}
+
+	try {
+		console.log(`${logPrefix} Spawning docker compose process...`);
+		const proc = Bun.spawn(args, {
+			cwd: stackDir,
+			env: spawnEnv,
+			stdout: 'pipe',
+			stderr: 'pipe'
+		});
+
+		// Set up timeout with SIGTERM -> SIGKILL escalation
+		let timedOut = false;
+		const timeoutId = setTimeout(() => {
+			timedOut = true;
+			console.log(`${logPrefix} TIMEOUT: Process exceeded ${COMPOSE_TIMEOUT_MS / 1000} seconds, sending SIGTERM`);
+			proc.kill('SIGTERM');
+			// Give process grace period to terminate cleanly before SIGKILL
+			setTimeout(() => {
+				try {
+					proc.kill('SIGKILL');
+					console.log(`${logPrefix} TIMEOUT: Sent SIGKILL after grace period`);
+				} catch {
+					// Process may already be dead
+				}
+			}, COMPOSE_KILL_GRACE_MS);
+		}, COMPOSE_TIMEOUT_MS);
+
+		try {
+			const [stdout, stderr] = await Promise.all([
+				new Response(proc.stdout).text(),
+				new Response(proc.stderr).text()
+			]);
+
+			const code = await proc.exited;
+
+			console.log(`${logPrefix} ----------------------------------------`);
+			console.log(`${logPrefix} COMPOSE PROCESS COMPLETE`);
+			console.log(`${logPrefix} ----------------------------------------`);
+			console.log(`${logPrefix} Exit code:`, code);
+			console.log(`${logPrefix} Timed out:`, timedOut);
+			if (stdout) {
+				console.log(`${logPrefix} STDOUT:`);
+				console.log(stdout);
+			}
+			if (stderr) {
+				console.log(`${logPrefix} STDERR:`);
+				console.log(stderr);
+			}
+
+			if (timedOut) {
+				return {
+					success: false,
+					output: stdout,
+					error: `docker compose ${operation} timed out after ${COMPOSE_TIMEOUT_MS / 1000} seconds`
+				};
+			}
+
+			if (code === 0) {
+				return {
+					success: true,
+					output: stdout || stderr || `Stack "${stackName}" ${operation} completed successfully`
+				};
+			} else {
+				return {
+					success: false,
+					output: stdout,
+					error: stderr || `docker compose ${operation} exited with code ${code}`
+				};
+			}
+		} finally {
+			clearTimeout(timeoutId);
+		}
+	} catch (err: any) {
+		console.log(`${logPrefix} EXCEPTION in executeLocalCompose:`, err.message);
+		return {
+			success: false,
+			output: '',
+			error: `Failed to run docker compose ${operation}: ${err.message}`
+		};
+	}
+}
+
+/**
+ * Execute a docker compose command via Hawser agent.
+ *
+ * @param envVars - Non-secret environment variables (from .env file)
+ * @param secretVars - Secret environment variables (injected via shell env on Hawser, NEVER in .env)
+ */
+async function executeComposeViaHawser(
+	operation: 'up' | 'down' | 'stop' | 'start' | 'restart' | 'pull',
+	stackName: string,
+	composeContent: string,
+	envId: number,
+	envVars?: Record<string, string>,
+	secretVars?: Record<string, string>,
+	forceRecreate?: boolean,
+	removeVolumes?: boolean,
+	stackFiles?: Record<string, string>
+): Promise<StackOperationResult> {
+	const logPrefix = `[Stack:${stackName}]`;
+	// Import dockerFetch dynamically to avoid circular dependency
+	const { dockerFetch } = await import('./docker.js');
+
+	// Merge envVars and secretVars for passing to Hawser
+	// Hawser will inject ALL these as shell environment variables (secrets are NOT written to .env)
+	const allEnvVars = { ...(envVars || {}), ...(secretVars || {}) };
+	const secretCount = secretVars ? Object.keys(secretVars).length : 0;
+
+	console.log(`${logPrefix} ----------------------------------------`);
+	console.log(`${logPrefix} EXECUTE COMPOSE VIA HAWSER`);
+	console.log(`${logPrefix} ----------------------------------------`);
+	console.log(`${logPrefix} Operation:`, operation);
+	console.log(`${logPrefix} Environment ID:`, envId);
+	console.log(`${logPrefix} Force recreate:`, forceRecreate ?? false);
+	console.log(`${logPrefix} Remove volumes:`, removeVolumes ?? false);
+	console.log(`${logPrefix} Non-secret env vars count:`, envVars ? Object.keys(envVars).length : 0);
+	console.log(`${logPrefix} Secret env vars count:`, secretCount);
+	if (allEnvVars && Object.keys(allEnvVars).length > 0) {
+		console.log(`${logPrefix} All env vars being sent (masked):`, JSON.stringify(maskSecrets(allEnvVars), null, 2));
+	}
+	console.log(`${logPrefix} Compose content length:`, composeContent.length, 'chars');
+	console.log(`${logPrefix} Stack files count:`, stackFiles ? Object.keys(stackFiles).length : 0);
+	if (stackFiles && Object.keys(stackFiles).length > 0) {
+		console.log(`${logPrefix} Stack files:`, Object.keys(stackFiles).join(', '));
+	}
+
+	try {
+		// Build files map - include .env file ONLY for non-secret envVars
+		// Secrets are passed separately via allEnvVars and injected via shell env
+		const files: Record<string, string> = { ...(stackFiles || {}) };
+		if (envVars && Object.keys(envVars).length > 0) {
+			if (files['.env']) {
+				// stackFiles already has .env (e.g., from git repo with comments)
+				// Don't overwrite - the envVars are already passed separately for variable substitution
+				console.log(`${logPrefix} Preserving existing .env from stackFiles (${files['.env'].length} chars), envVars passed separately for substitution`);
+			} else {
+				// No .env in stackFiles - generate one from NON-SECRET envVars only
+				const envContent = Object.entries(envVars)
+					.map(([key, value]) => `${key}=${value}`)
+					.join('\n');
+				files['.env'] = envContent;
+				console.log(`${logPrefix} Generated .env file with ${Object.keys(envVars).length} non-secret variables`);
+			}
+		}
+
+		// Fetch registry credentials for Hawser to use for docker login
+		const { getRegistries } = await import('./db.js');
+		const allRegistries = await getRegistries();
+		const registries = allRegistries
+			.filter(r => r.username && r.password)
+			.map(r => ({
+				url: r.url,
+				username: r.username!,
+				password: r.password!
+			}));
+		if (registries.length > 0) {
+			console.log(`${logPrefix} Sending ${registries.length} registry credentials to Hawser`);
+		}
+
+		const body = JSON.stringify({
+			operation,
+			projectName: stackName,
+			composeFile: composeContent,
+			envVars: allEnvVars, // All vars (including secrets) - Hawser injects via shell env
+			files, // Files including .env (secrets NOT in .env file)
+			forceRecreate: forceRecreate || false,
+			removeVolumes: removeVolumes || false,
+			registries // Registry credentials for docker login
+		});
+
+		console.log(`${logPrefix} Sending request to Hawser agent...`);
+		const response = await dockerFetch(
+			'/_hawser/compose',
+			{
+				method: 'POST',
+				headers: { 'Content-Type': 'application/json' },
+				body
+			},
+			envId
+		);
+
+		const result = (await response.json()) as {
+			success: boolean;
+			output?: string;
+			error?: string;
+		};
+
+		console.log(`${logPrefix} ----------------------------------------`);
+		console.log(`${logPrefix} HAWSER RESPONSE`);
+		console.log(`${logPrefix} ----------------------------------------`);
+		console.log(`${logPrefix} Success:`, result.success);
+		if (result.output) {
+			console.log(`${logPrefix} Output:`, result.output);
+		}
+		if (result.error) {
+			console.log(`${logPrefix} Error:`, result.error);
+		}
+
+		if (result.success) {
+			return {
+				success: true,
+				output: result.output || `Stack "${stackName}" ${operation} completed via Hawser`
+			};
+		} else {
+			return {
+				success: false,
+				output: result.output || '',
+				error: result.error || `Compose ${operation} failed`
+			};
+		}
+	} catch (err: any) {
+		console.log(`${logPrefix} EXCEPTION in executeComposeViaHawser:`, err.message);
+		return {
+			success: false,
+			output: '',
+			error: `Failed to ${operation} via Hawser: ${err.message}`
+		};
+	}
+}
+
+/**
+ * Route compose command to appropriate executor based on connection type.
+ *
+ * @param envVars - Non-secret environment variables (from .env file)
+ * @param secretVars - Secret environment variables (from DB, injected via shell env)
+ */
+async function executeComposeCommand(
+	operation: 'up' | 'down' | 'stop' | 'start' | 'restart' | 'pull',
+	options: ComposeCommandOptions,
+	composeContent: string,
+	envVars?: Record<string, string>,
+	secretVars?: Record<string, string>
+): Promise<StackOperationResult> {
+	const { stackName, envId, forceRecreate, removeVolumes, stackFiles } = options;
+
+	// Get environment configuration
+	const env = envId ? await getEnvironment(envId) : null;
+
+	if (!env) {
+		// Local socket connection (no environment specified)
+		return executeLocalCompose(
+			operation,
+			stackName,
+			composeContent,
+			undefined,
+			envVars,
+			secretVars,
+			forceRecreate,
+			removeVolumes,
+			envId
+		);
+	}
+
+	switch (env.connectionType) {
+		case 'hawser-standard':
+		case 'hawser-edge':
+			return executeComposeViaHawser(
+				operation,
+				stackName,
+				composeContent,
+				envId!,
+				envVars,
+				secretVars,
+				forceRecreate,
+				removeVolumes,
+				stackFiles
+			);
+
+		case 'direct': {
+			const port = env.port || 2375;
+			const dockerHost = `tcp://${env.host}:${port}`;
+			return executeLocalCompose(
+				operation,
+				stackName,
+				composeContent,
+				dockerHost,
+				envVars,
+				secretVars,
+				forceRecreate,
+				removeVolumes,
+				envId
+			);
+		}
+
+		case 'socket':
+		default:
+			return executeLocalCompose(
+				operation,
+				stackName,
+				composeContent,
+				undefined,
+				envVars,
+				secretVars,
+				forceRecreate,
+				removeVolumes,
+				envId
+			);
+	}
+}
+
+// =============================================================================
+// STACK DISCOVERY
+// =============================================================================
+
+/**
+ * List all compose stacks from Docker containers
+ */
+export async function listComposeStacks(envId?: number | null): Promise<ComposeStackInfo[]> {
+	// Import dynamically to avoid circular dependency
+	const { listContainers } = await import('./docker.js');
+
+	const containers = await listContainers(true, envId);
+	const stacks = new Map<string, Set<string>>();
+
+	containers.forEach((container) => {
+		const projectLabel = container.labels['com.docker.compose.project'];
+		if (projectLabel) {
+			if (!stacks.has(projectLabel)) {
+				stacks.set(projectLabel, new Set());
+			}
+			stacks.get(projectLabel)?.add(container.id);
+		}
+	});
+
+	const result: ComposeStackInfo[] = Array.from(stacks.entries()).map(([name, containerIds]) => {
+		const stackContainers = containers.filter((c) => containerIds.has(c.id));
+		const runningCount = stackContainers.filter((c) => c.state === 'running').length;
+
+		const containerDetails: ContainerDetail[] = stackContainers
+			.map((c) => {
+				const service = c.labels['com.docker.compose.service'] || c.name;
+
+				// Build ports with structured data for clickable links
+				const ports = (c.ports || [])
+					.filter((p) => p.PublicPort)
+					.map((p) => ({
+						publicPort: p.PublicPort!,
+						privatePort: p.PrivatePort,
+						type: p.Type,
+						display: `${p.PublicPort}:${p.PrivatePort}/${p.Type}`
+					}));
+
+				// Build networks with IP addresses
+				const networks = Object.entries(c.networks || {}).map(([name, data]) => ({
+					name,
+					ipAddress: data?.ipAddress || ''
+				}));
+
+				const volumeCount = c.mounts?.length || 0;
+
+				return {
+					id: c.id,
+					name: c.name,
+					service,
+					state: c.state,
+					status: c.status,
+					health: c.health,
+					image: c.image,
+					ports,
+					networks,
+					volumeCount,
+					restartCount: c.restartCount || 0,
+					created: c.created
+				};
+			})
+			.sort((a, b) => a.service.localeCompare(b.service));
+
+		return {
+			name,
+			containers: Array.from(containerIds),
+			containerDetails,
+			status:
+				runningCount === stackContainers.length
+					? 'running'
+					: runningCount === 0
+						? 'stopped'
+						: 'partial'
+		};
+	});
+
+	return result;
+}
+
+/**
+ * Get containers for a specific stack by label
+ */
+async function getStackContainers(stackName: string, envId?: number | null): Promise<any[]> {
+	const { listContainers } = await import('./docker.js');
+	const containers = await listContainers(true, envId);
+	return containers.filter((c) => c.labels['com.docker.compose.project'] === stackName);
+}
+
+/**
+ * Extract path hints from Docker container labels for a stack.
+ * Docker Compose adds labels like:
+ * - com.docker.compose.project.working_dir: /path/to/stack
+ * - com.docker.compose.project.config_files: /path/to/docker-compose.yml[,...]
+ */
+export async function getStackPathHints(
+	stackName: string,
+	envId?: number | null
+): Promise<{
+	workingDir: string | null;
+	configFiles: string[] | null;
+}> {
+	const containers = await getStackContainers(stackName, envId);
+
+	if (containers.length === 0) {
+		return { workingDir: null, configFiles: null };
+	}
+
+	// Get labels from first container (all containers in stack have same project labels)
+	const labels = containers[0].labels || {};
+
+	const workingDir = labels['com.docker.compose.project.working_dir'] || null;
+	const configFilesRaw = labels['com.docker.compose.project.config_files'] || null;
+
+	// Config files can be comma-separated if multiple compose files were used
+	const configFiles = configFilesRaw ? configFilesRaw.split(',').map((f: string) => f.trim()) : null;
+
+	return { workingDir, configFiles };
+}
+
+/**
+ * Helper to perform container-based operations for external stacks
+ * Used as fallback when no compose file exists.
+ * Uses Promise.allSettled for parallel execution.
+ */
+async function withContainerFallback(
+	stackName: string,
+	envId: number | null | undefined,
+	operation: 'start' | 'stop' | 'restart' | 'remove'
+): Promise<StackOperationResult> {
+	const { startContainer, stopContainer, restartContainer, removeContainer } = await import('./docker.js');
+
+	const containers = await getStackContainers(stackName, envId);
+	if (containers.length === 0) {
+		return { success: false, error: `No containers found for stack "${stackName}"` };
+	}
+
+	// Execute all container operations in parallel
+	// Note: listContainers returns containers with lowercase property names: id, name, labels
+	const operationResults = await Promise.allSettled(
+		containers.map(async (container) => {
+			const containerName = container.name || container.id;
+			switch (operation) {
+				case 'start':
+					await startContainer(container.id, envId);
+					break;
+				case 'stop':
+					await stopContainer(container.id, envId);
+					break;
+				case 'restart':
+					await restartContainer(container.id, envId);
+					break;
+				case 'remove':
+					await removeContainer(container.id, true, envId);
+					break;
+			}
+			return containerName;
+		})
+	);
+
+	// Collect successes and failures
+	const successes: string[] = [];
+	const errors: string[] = [];
+
+	operationResults.forEach((result, index) => {
+		const containerName = containers[index].name || containers[index].id;
+		if (result.status === 'fulfilled') {
+			successes.push(result.value);
+		} else {
+			errors.push(`${containerName}: ${result.reason?.message || 'Unknown error'}`);
+		}
+	});
+
+	if (errors.length > 0) {
+		return {
+			success: successes.length > 0,
+			error: errors.join('; '),
+			output: successes.length > 0 ? `Partial success: ${successes.join(', ')}` : undefined
+		};
+	}
+
+	return {
+		success: true,
+		output: `${operation} completed for ${successes.length} container(s): ${successes.join(', ')}`
+	};
+}
+
+// =============================================================================
+// STACK LIFECYCLE OPERATIONS
+// =============================================================================
+
+/**
+ * Result type for requireComposeFile - can indicate stack needs file location
+ */
+export interface RequireComposeResult {
+	success: boolean;
+	content?: string;
+	envVars?: Record<string, string>;
+	secretVars?: Record<string, string>;
+	needsFileLocation?: boolean;
+	error?: string;
+}
+
+/**
+ * Get compose file and env vars for stack operations.
+ *
+ * Returns:
+ * - content: The compose file content
+ * - envVars: Non-secret variables (from .env file, with DB fallback)
+ * - secretVars: Secret variables (from DB only, for shell injection)
+ * - needsFileLocation: true if stack needs user to specify file paths
+ *
+ * SECURITY: Secrets are NEVER written to .env files. They are stored in the database
+ * and injected via shell environment variables at runtime.
+ */
+async function requireComposeFile(
+	stackName: string,
+	envId?: number | null
+): Promise<RequireComposeResult> {
+	const composeResult = await getStackComposeFile(stackName, envId);
+
+	// If compose file not found, return info about what's needed
+	if (!composeResult.success) {
+		if (composeResult.needsFileLocation) {
+			return {
+				success: false,
+				needsFileLocation: true,
+				error: composeResult.error
+			};
+		}
+		return {
+			success: false,
+			error: composeResult.error || `Compose file not found for stack "${stackName}"`
+		};
+	}
+
+	// Get SECRET variables from database (for shell injection at runtime)
+	// These are NEVER written to disk
+	const secretVars = await getSecretEnvVarsAsRecord(stackName, envId);
+
+	// Get non-secret variables from database (for backward compatibility)
+	const dbNonSecretVars = await getNonSecretEnvVarsAsRecord(stackName, envId);
+
+	// Read non-secret vars from .env file
+	// For stacks with custom path, use the env path if set (and not empty string which means "no env file")
+	// Otherwise, use the .env file in the stack directory
+	let envFilePath: string | null = null;
+
+	if (composeResult.composePath && composeResult.envPath) {
+		// Custom compose path with explicit env path
+		envFilePath = composeResult.envPath;
+	} else if (composeResult.composePath && composeResult.envPath === '') {
+		// Custom compose path with explicit "no env file" - don't read any file
+		envFilePath = null;
+	} else {
+		// Default location - look for .env in stack directory
+		const stackDir = composeResult.stackDir || await findStackDir(stackName, envId) || await getStackDir(stackName, envId);
+		envFilePath = join(stackDir, '.env');
+	}
+
+	let fileEnvVars: Record<string, string> = {};
+
+	if (envFilePath && existsSync(envFilePath)) {
+		try {
+			const content = await Bun.file(envFilePath).text();
+			for (const line of content.split('\n')) {
+				const trimmed = line.trim();
+				if (!trimmed || trimmed.startsWith('#')) continue;
+				const eqIndex = trimmed.indexOf('=');
+				if (eqIndex > 0) {
+					const key = trimmed.substring(0, eqIndex).trim();
+					let value = trimmed.substring(eqIndex + 1);
+					if ((value.startsWith('"') && value.endsWith('"')) ||
+					    (value.startsWith("'") && value.endsWith("'"))) {
+						value = value.slice(1, -1);
+					}
+					fileEnvVars[key] = value;
+				}
+			}
+		} catch {
+			// Ignore file read errors
+		}
+	}
+
+	// Merge non-secret vars: DB as fallback, file values override
+	// This ensures external edits to .env are respected during deployment
+	const envVars = { ...dbNonSecretVars, ...fileEnvVars };
+
+	return { success: true, content: composeResult.content!, envVars, secretVars };
+}
+
+/**
+ * Start a stack using docker compose up
+ * Falls back to individual container start for stacks without compose files
+ */
+export async function startStack(
+	stackName: string,
+	envId?: number | null
+): Promise<StackOperationResult> {
+	const result = await requireComposeFile(stackName, envId);
+
+	if (!result.success) {
+		// No compose file - fall back to container-based operations
+		return withContainerFallback(stackName, envId, 'start');
+	}
+
+	return executeComposeCommand('up', { stackName, envId }, result.content!, result.envVars, result.secretVars);
+}
+
+/**
+ * Stop a stack using docker compose stop
+ * Falls back to individual container stop for stacks without compose files
+ */
+export async function stopStack(
+	stackName: string,
+	envId?: number | null
+): Promise<StackOperationResult> {
+	const result = await requireComposeFile(stackName, envId);
+
+	if (!result.success) {
+		// No compose file - fall back to container-based operations
+		return withContainerFallback(stackName, envId, 'stop');
+	}
+
+	return executeComposeCommand('stop', { stackName, envId }, result.content!, result.envVars, result.secretVars);
+}
+
+/**
+ * Restart a stack using docker compose restart
+ * Falls back to individual container restart for stacks without compose files
+ */
+export async function restartStack(
+	stackName: string,
+	envId?: number | null
+): Promise<StackOperationResult> {
+	const result = await requireComposeFile(stackName, envId);
+
+	if (!result.success) {
+		// No compose file - fall back to container-based operations
+		return withContainerFallback(stackName, envId, 'restart');
+	}
+
+	return executeComposeCommand('restart', { stackName, envId }, result.content!, result.envVars, result.secretVars);
+}
+
+/**
+ * Down a stack using docker compose down (removes containers, keeps files)
+ * For stacks without compose files, this is equivalent to stop
+ */
+export async function downStack(
+	stackName: string,
+	envId?: number | null,
+	removeVolumes = false
+): Promise<StackOperationResult> {
+	const result = await requireComposeFile(stackName, envId);
+
+	if (!result.success) {
+		// No compose file - down is the same as stop
+		return withContainerFallback(stackName, envId, 'stop');
+	}
+
+	return executeComposeCommand('down', { stackName, envId, removeVolumes }, result.content!, result.envVars, result.secretVars);
+}
+
+/**
+ * Remove a stack completely (compose down + delete files + cleanup database)
+ * Uses stack locking to prevent concurrent operations.
+ */
+export async function removeStack(
+	stackName: string,
+	envId?: number | null,
+	force = false
+): Promise<StackOperationResult> {
+	return withStackLock(stackName, async () => {
+		// Get compose file (may not exist for external stacks)
+		const composeResult = await getStackComposeFile(stackName);
+
+		// If compose file exists, run docker compose down first
+		if (composeResult.success) {
+			const envVars = await getNonSecretEnvVarsAsRecord(stackName, envId);
+			const secretVars = await getSecretEnvVarsAsRecord(stackName, envId);
+			const downResult = await executeComposeCommand(
+				'down',
+				{ stackName, envId },
+				composeResult.content!,
+				envVars,
+				secretVars
+			);
+			if (!downResult.success && !force) {
+				return downResult;
+			}
+		} else {
+			// External stack - remove containers directly in parallel
+			const { removeContainer } = await import('./docker.js');
+			const stackContainers = await getStackContainers(stackName, envId);
+
+			const removalResults = await Promise.allSettled(
+				stackContainers.map((container) =>
+					removeContainer(container.id, force, envId).then(() => container.name)
+				)
+			);
+
+			const errors: string[] = [];
+			removalResults.forEach((result, index) => {
+				if (result.status === 'rejected') {
+					const containerName = stackContainers[index].name || stackContainers[index].id;
+					errors.push(`Failed to remove ${containerName}: ${result.reason?.message || 'Unknown error'}`);
+				}
+			});
+
+			if (errors.length > 0 && !force) {
+				return {
+					success: false,
+					error: errors.join('; ')
+				};
+			}
+		}
+
+		// Clean up database records - collect errors but don't stop
+		const cleanupErrors: string[] = [];
+
+		// Delete compose file and directory
+		const stackDir = await findStackDir(stackName, envId) || await getStackDir(stackName, envId);
+		if (existsSync(stackDir)) {
+			try {
+				rmSync(stackDir, { recursive: true, force: true });
+			} catch (err: any) {
+				console.error(`Failed to delete stack directory: ${err.message}`);
+				cleanupErrors.push(`directory: ${err.message}`);
+			}
+			// Verify deletion succeeded (rmSync with force:true may not throw on some failures)
+			if (existsSync(stackDir)) {
+				const verifyErr = 'Directory still exists after deletion attempt';
+				console.error(`Failed to delete stack directory: ${verifyErr}`);
+				cleanupErrors.push(`directory: ${verifyErr}`);
+			}
+		}
+
+		try {
+			await deleteStackSource(stackName, envId);
+		} catch (err: any) {
+			cleanupErrors.push(`stack source: ${err.message}`);
+		}
+
+		try {
+			await deleteStackEnvVars(stackName, envId);
+		} catch (err: any) {
+			cleanupErrors.push(`env vars: ${err.message}`);
+		}
+
+		// If git stack, clean up git stack record
+		try {
+			const gitStack = await getGitStackByName(stackName, envId);
+			if (gitStack) {
+				await deleteGitStack(gitStack.id);
+				deleteGitStackFiles(gitStack.id);
+			}
+			// Also cleanup any orphaned git stacks with NULL environment_id for this stack name
+			if (envId !== undefined && envId !== null) {
+				const orphanedGitStack = await getGitStackByName(stackName, null);
+				if (orphanedGitStack) {
+					await deleteGitStack(orphanedGitStack.id);
+					deleteGitStackFiles(orphanedGitStack.id);
+				}
+			}
+		} catch (err: any) {
+			cleanupErrors.push(`git stack: ${err.message}`);
+		}
+
+		// Check if directory deletion failed - this blocks stack recreation
+		const directoryError = cleanupErrors.find(e => e.startsWith('directory:'));
+		if (directoryError) {
+			return {
+				success: false,
+				error: `Stack containers stopped but directory cleanup failed (${directoryError}). Cannot recreate stack with same name until directory is manually removed.`
+			};
+		}
+
+		// Return success with optional cleanup warnings for non-critical errors
+		const output = cleanupErrors.length > 0
+			? `Stack "${stackName}" removed with cleanup warnings: ${cleanupErrors.join('; ')}`
+			: `Stack "${stackName}" removed successfully`;
+
+		return { success: true, output };
+	});
+}
+
+/**
+ * Deploy a stack (create or update)
+ * Uses stack locking to prevent concurrent deployments.
+ */
+export async function deployStack(options: DeployStackOptions): Promise<StackOperationResult> {
+	const { name, compose, envId, envFileVars, sourceDir, forceRecreate } = options;
+	const logPrefix = `[Stack:${name}]`;
+
+	console.log(`${logPrefix} ========================================`);
+	console.log(`${logPrefix} DEPLOY STACK START`);
+	console.log(`${logPrefix} ========================================`);
+	console.log(`${logPrefix} Environment ID:`, envId ?? '(none - local)');
+	console.log(`${logPrefix} Force recreate:`, forceRecreate ?? false);
+	console.log(`${logPrefix} Source directory:`, sourceDir ?? '(none)');
+	console.log(`${logPrefix} Env file vars provided:`, envFileVars ? Object.keys(envFileVars).length : 0);
+	if (envFileVars && Object.keys(envFileVars).length > 0) {
+		console.log(`${logPrefix} Env file var keys:`, Object.keys(envFileVars).join(', '));
+		console.log(`${logPrefix} Env file vars (masked):`, JSON.stringify(maskSecrets(envFileVars), null, 2));
+	}
+
+	// Validate stack name - Docker Compose requires lowercase alphanumeric, hyphens, underscores
+	// Must also start with a letter or number
+	if (!/^[a-z0-9][a-z0-9_-]*$/.test(name)) {
+		console.log(`${logPrefix} ERROR: Invalid stack name format`);
+		return {
+			success: false,
+			output: '',
+			error: 'Stack name must be lowercase, start with a letter or number, and contain only letters, numbers, hyphens, and underscores'
+		};
+	}
+
+	return withStackLock(name, async () => {
+		const stackDir = await getStackDir(name, envId);
+
+		// Read all files from source directory if provided (for Hawser deployments)
+		let stackFiles: Record<string, string> | undefined;
+		if (sourceDir && existsSync(sourceDir)) {
+			stackFiles = await readDirFilesAsMap(sourceDir);
+			console.log(`${logPrefix} Read ${Object.keys(stackFiles).length} files from source directory`);
+			console.log(`${logPrefix} Files:`, Object.keys(stackFiles).join(', '));
+		}
+
+		// Handle stack directory setup
+		if (sourceDir && existsSync(sourceDir)) {
+			// Copy entire source directory to stack directory (for git stacks)
+			console.log(`${logPrefix} Copying source directory to stack directory...`);
+			if (existsSync(stackDir)) {
+				rmSync(stackDir, { recursive: true, force: true });
+			}
+			cpSync(sourceDir, stackDir, { recursive: true });
+			console.log(`${logPrefix} Copied ${sourceDir} -> ${stackDir}`);
+		} else {
+			// Traditional behavior: create directory and write compose file only
+			mkdirSync(stackDir, { recursive: true });
+			const composeFile = join(stackDir, 'docker-compose.yml');
+			await Bun.write(composeFile, compose);
+			console.log(`${logPrefix} Compose file written to:`, composeFile);
+		}
+
+		console.log(`${logPrefix} Compose content length:`, compose.length, 'chars');
+		console.log(`${logPrefix} Compose content (full):`);
+		console.log(compose);
+
+		// Fetch stack environment variables from database (these are user overrides)
+		const dbEnvVars = await getStackEnvVarsAsRecord(name, envId);
+		console.log(`${logPrefix} DB env vars count:`, Object.keys(dbEnvVars).length);
+		if (Object.keys(dbEnvVars).length > 0) {
+			console.log(`${logPrefix} DB env var keys:`, Object.keys(dbEnvVars).join(', '));
+			console.log(`${logPrefix} DB env vars (masked):`, JSON.stringify(maskSecrets(dbEnvVars), null, 2));
+		}
+
+		// Merge: env file vars as base, database overrides take precedence
+		const envVars = { ...envFileVars, ...dbEnvVars };
+		console.log(`${logPrefix} Merged env vars count:`, Object.keys(envVars).length);
+		if (Object.keys(envVars).length > 0) {
+			console.log(`${logPrefix} Merged env var keys:`, Object.keys(envVars).join(', '));
+			console.log(`${logPrefix} Merged env vars (masked):`, JSON.stringify(maskSecrets(envVars), null, 2));
+		}
+
+		console.log(`${logPrefix} Calling executeComposeCommand...`);
+		const result = await executeComposeCommand('up', { stackName: name, envId, forceRecreate, stackFiles }, compose, envVars);
+		console.log(`${logPrefix} ========================================`);
+		console.log(`${logPrefix} DEPLOY STACK RESULT`);
+		console.log(`${logPrefix} ========================================`);
+		console.log(`${logPrefix} Success:`, result.success);
+		if (result.output) {
+			console.log(`${logPrefix} Output:`, result.output);
+		}
+		if (result.error) {
+			console.log(`${logPrefix} Error:`, result.error);
+		}
+		return result;
+	});
+}
+
+/**
+ * Pull images for a stack
+ */
+export async function pullStackImages(
+	stackName: string,
+	envId?: number | null
+): Promise<{ success: boolean; output?: string; error?: string }> {
+	const result = await requireComposeFile(stackName, envId);
+
+	if (!result.success) {
+		return {
+			success: false,
+			error: result.error || 'Compose file not found'
+		};
+	}
+
+	return executeComposeCommand('pull', { stackName, envId }, result.content!, result.envVars, result.secretVars);
+}
+
+// =============================================================================
+// ENVIRONMENT VARIABLE HELPERS
+// =============================================================================
+
+/**
+ * Save environment variables for a stack to the database (for secret tracking)
+ */
+export async function saveStackEnvVarsToDb(
+	stackName: string,
+	variables: { key: string; value: string; isSecret?: boolean }[],
+	envId?: number | null
+): Promise<void> {
+	await setStackEnvVars(stackName, envId ?? null, variables);
+}
+
+/**
+ * Write environment variables to the .env file on disk (simple key=value format)
+ *
+ * WARNING: This generates a simple key=value file WITHOUT comments or formatting.
+ * ONLY use during initial stack CREATION when no .env file exists.
+ *
+ * For EDITS, use PUT /api/stacks/[name]/env/raw which preserves the raw content
+ * including all comments, formatting, and structure.
+ */
+export async function writeStackEnvFile(
+	stackName: string,
+	variables: { key: string; value: string; isSecret?: boolean }[],
+	envId?: number | null,
+	customEnvPath?: string
+): Promise<void> {
+	const envFilePath = customEnvPath
+		? customEnvPath
+		: join(await findStackDir(stackName, envId) || await getStackDir(stackName, envId), '.env');
+
+	// Ensure parent directory exists
+	const dir = dirname(envFilePath);
+	if (!existsSync(dir)) {
+		mkdirSync(dir, { recursive: true });
+	}
+
+	// SECURITY: Only write non-secret variables to .env file
+	// Secrets are stored in DB and injected via shell environment at runtime
+	const rawContent = variables
+		.filter(v => v.key?.trim() && !v.isSecret)
+		.map(v => `${v.key.trim()}=${v.value}`)
+		.join('\n') + '\n';
+
+	await Bun.write(envFilePath, rawContent);
+}
+
+/**
+ * Write raw environment content directly to the .env file (preserves comments/formatting)
+ *
+ * NOTE: Raw content should NOT contain secrets. Secrets are managed via the form view,
+ * stored in DB, and injected via shell environment at runtime.
+ */
+export async function writeRawStackEnvFile(
+	stackName: string,
+	rawContent: string,
+	envId?: number | null,
+	customEnvPath?: string
+): Promise<void> {
+	const envFilePath = customEnvPath
+		? customEnvPath
+		: join(await findStackDir(stackName, envId) || await getStackDir(stackName, envId), '.env');
+
+	// Ensure parent directory exists
+	const dir = dirname(envFilePath);
+	if (!existsSync(dir)) {
+		mkdirSync(dir, { recursive: true });
+	}
+
+	await Bun.write(envFilePath, rawContent);
+}
+
+/**
+ * Save environment variables for a stack (both to database and .env file)
+ *
+ * WARNING: Only use during initial stack CREATION - this generates a simple
+ * key=value file that does NOT preserve comments or formatting.
+ *
+ * For EDITS, the StackModal saves to:
+ * - PUT /api/stacks/[name]/env/raw (preserves raw content with comments)
+ * - PUT /api/stacks/[name]/env (updates secret flags in DB only)
+ */
+export async function saveStackEnvVars(
+	stackName: string,
+	variables: { key: string; value: string; isSecret?: boolean }[],
+	envId?: number | null,
+	customEnvPath?: string
+): Promise<void> {
+	// Save to database for secret tracking
+	await saveStackEnvVarsToDb(stackName, variables, envId);
+	// Write .env file to disk for Docker Compose
+	await writeStackEnvFile(stackName, variables, envId, customEnvPath);
+}
+
+// =============================================================================
+// RE-EXPORTS FOR BACKWARDS COMPATIBILITY
+// =============================================================================
+
+// These exports maintain API compatibility with code that imports from docker.ts
+// They can be removed once all imports are updated
+
+export type { StackOperationResult as CreateStackResult };
diff --git a/lib/server/subprocess-manager.ts b/src/lib/server/subprocess-manager.ts
similarity index 94%
rename from lib/server/subprocess-manager.ts
rename to src/lib/server/subprocess-manager.ts
index 6db4ec5..1b30440 100644
--- a/lib/server/subprocess-manager.ts
+++ b/src/lib/server/subprocess-manager.ts
@@ -26,6 +26,13 @@ function getSubprocessPath(name: string): string {
 	if (existsSync(prodPath)) {
 		return prodPath;
 	}
+
+	// Local build path - when running built version locally
+	const localBuildPath = path.join(process.cwd(), 'build', 'subprocesses', `${name}.js`);
+	
+	if(existsSync(localBuildPath)) {
+		return localBuildPath;
+	}
 	// Development path (relative to this file) - raw TS files
 	return path.join(__dirname, 'subprocesses', `${name}.ts`);
 }
@@ -102,7 +109,12 @@ export interface ShutdownCommand {
 	type: 'shutdown';
 }
 
-export type MainProcessCommand = RefreshEnvironmentsCommand | ShutdownCommand;
+export interface UpdateIntervalCommand {
+	type: 'update_interval';
+	intervalMs: number;
+}
+
+export type MainProcessCommand = RefreshEnvironmentsCommand | ShutdownCommand | UpdateIntervalCommand;
 
 // Subprocess configuration
 interface SubprocessConfig {
@@ -198,6 +210,20 @@ class SubprocessManager {
 		this.sendToEvents({ type: 'refresh_environments' });
 	}
 
+	/**
+	 * Send message to metrics subprocess
+	 */
+	sendToMetricsSubprocess(message: MainProcessCommand): void {
+		this.sendToMetrics(message);
+	}
+
+	/**
+	 * Send message to events subprocess
+	 */
+	sendToEventsSubprocess(message: MainProcessCommand): void {
+		this.sendToEvents(message);
+	}
+
 	/**
 	 * Start the metrics collection subprocess
 	 */
@@ -591,3 +617,21 @@ export function refreshSubprocessEnvironments(): void {
 		manager.refreshEnvironments();
 	}
 }
+
+/**
+ * Send message to event subprocess
+ */
+export function sendToEventSubprocess(message: MainProcessCommand): void {
+	if (manager) {
+		manager.sendToEventsSubprocess(message);
+	}
+}
+
+/**
+ * Send message to metrics subprocess
+ */
+export function sendToMetricsSubprocess(message: MainProcessCommand): void {
+	if (manager) {
+		manager.sendToMetricsSubprocess(message);
+	}
+}
diff --git a/lib/server/subprocesses/event-subprocess.ts b/src/lib/server/subprocesses/event-subprocess.ts
similarity index 59%
rename from lib/server/subprocesses/event-subprocess.ts
rename to src/lib/server/subprocesses/event-subprocess.ts
index 5b6a6c4..5abfc68 100644
--- a/lib/server/subprocesses/event-subprocess.ts
+++ b/src/lib/server/subprocesses/event-subprocess.ts
@@ -7,7 +7,7 @@
  * Communication with main process via IPC (process.send).
  */
 
-import { getEnvironments, type ContainerEventAction } from '../db';
+import { getEnvironments, getEventCollectionMode, getEventPollInterval, type ContainerEventAction } from '../db';
 import { getDockerEvents } from '../docker';
 import type { MainProcessCommand } from '../subprocess-manager';
 
@@ -19,9 +19,15 @@ const MAX_RECONNECT_DELAY = 60000; // 1 minute max
 // Only send notifications on status CHANGES, not on every reconnect attempt
 const environmentOnlineStatus: Map<number, boolean> = new Map();
 
-// Active collectors per environment
+// Active collectors per environment (for streaming mode)
 const collectors: Map<number, AbortController> = new Map();
 
+// Poll intervals per environment (for polling mode)
+const pollIntervals: Map<number, ReturnType<typeof setInterval>> = new Map();
+
+// Last poll timestamp per environment (for polling mode)
+const lastPollTime: Map<number, number> = new Map();
+
 // Recent event cache for deduplication (key: timeNano-containerId-action)
 const recentEvents: Map<string, number> = new Map();
 const DEDUP_WINDOW_MS = 5000; // 5 second window for deduplication
@@ -30,6 +36,10 @@ const CACHE_CLEANUP_INTERVAL_MS = 30000; // Clean up cache every 30 seconds
 let cacheCleanupInterval: ReturnType<typeof setInterval> | null = null;
 let isShuttingDown = false;
 
+// Track current settings to detect changes
+let currentPollInterval: number = 60000;
+let currentMode: 'stream' | 'poll' = 'stream';
+
 // Actions we care about for container activity
 const CONTAINER_ACTIONS: ContainerEventAction[] = [
 	'create',
@@ -134,10 +144,16 @@ function processEvent(event: DockerEvent, envId: number) {
 	if (event.Type !== 'container') return;
 
 	// Map Docker action to our action type
-	const action = event.Action.split(':')[0] as ContainerEventAction;
+	// For health_status events, Docker sends "health_status: unhealthy" or "health_status: healthy"
+	// We need to preserve the full string for notifications to distinguish healthy vs unhealthy
+	const rawAction = event.Action;
+	const baseAction = rawAction.split(':')[0] as ContainerEventAction;
 
 	// Skip actions we don't care about
-	if (!CONTAINER_ACTIONS.includes(action)) return;
+	if (!CONTAINER_ACTIONS.includes(baseAction)) return;
+
+	// For notifications, preserve full action for health_status to enable proper mapping
+	const action = rawAction.startsWith('health_status') ? rawAction : baseAction;
 
 	const containerId = event.Actor?.ID;
 	const containerName = event.Actor?.Attributes?.name;
@@ -169,14 +185,17 @@ function processEvent(event: DockerEvent, envId: number) {
 	const timestamp = new Date(Math.floor(event.timeNano / 1000000)).toISOString();
 
 	// Prepare notification data
-	const actionLabel = action.charAt(0).toUpperCase() + action.slice(1);
+	// For health_status events, create a cleaner label
+	const actionLabel = action.startsWith('health_status')
+		? action.includes('unhealthy') ? 'Unhealthy' : 'Healthy'
+		: action.charAt(0).toUpperCase() + action.slice(1);
 	const containerLabel = containerName || containerId.substring(0, 12);
 	const notificationType =
-		action === 'die' || action === 'kill' || action === 'oom'
+		action === 'die' || action === 'kill' || action === 'oom' || action.includes('unhealthy')
 			? 'error'
 			: action === 'stop'
 				? 'warning'
-				: action === 'start'
+				: action === 'start' || (action.includes('healthy') && !action.includes('unhealthy'))
 					? 'success'
 					: 'info';
 
@@ -202,6 +221,76 @@ function processEvent(event: DockerEvent, envId: number) {
 	});
 }
 
+/**
+ * Poll events for a specific environment (polling mode)
+ */
+async function pollEnvironmentEvents(envId: number, envName: string) {
+	try {
+		// Calculate 'since' timestamp (use last poll time, or start from 30s ago if first poll)
+		const now = Math.floor(Date.now() / 1000); // Unix timestamp in seconds
+		const since = lastPollTime.get(envId) || (now - 30); // Default to 30s ago on first poll
+
+		// Fetch events since last check until now
+		// IMPORTANT: 'until' is required for polling mode, otherwise Docker keeps the connection open
+		const eventStream = await getDockerEvents(
+			{ type: ['container'] },
+			envId,
+			{ since: since.toString(), until: now.toString() }
+		);
+
+		if (!eventStream) {
+			console.error(`[EventSubprocess] Failed to fetch events for ${envName}`);
+			updateEnvironmentStatus(envId, envName, false, 'Failed to fetch Docker events');
+			return;
+		}
+
+		// Mark environment as online
+		updateEnvironmentStatus(envId, envName, true);
+
+		// Read and process all events
+		const reader = eventStream.getReader();
+		const decoder = new TextDecoder();
+		let buffer = '';
+
+		try {
+			while (true) {
+				const { done, value } = await reader.read();
+				if (done) break;
+
+				buffer += decoder.decode(value, { stream: true });
+				const lines = buffer.split('\n');
+				buffer = lines.pop() || '';
+
+				for (const line of lines) {
+					if (line.trim()) {
+						try {
+							const event = JSON.parse(line) as DockerEvent;
+							processEvent(event, envId);
+						} catch {
+							// Ignore parse errors
+						}
+					}
+				}
+			}
+		} finally {
+			try {
+				reader.releaseLock();
+			} catch {
+				// Reader already released
+			}
+		}
+
+		// Update last poll time
+		lastPollTime.set(envId, now);
+
+	} catch (error: any) {
+		if (!isShuttingDown) {
+			console.error(`[EventSubprocess] Poll error for ${envName}:`, error.message);
+			updateEnvironmentStatus(envId, envName, false, error.message);
+		}
+	}
+}
+
 /**
  * Start collecting events for a specific environment
  */
@@ -323,7 +412,42 @@ async function startEnvironmentCollector(envId: number, envName: string) {
 }
 
 /**
- * Stop collecting events for a specific environment
+ * Start polling mode for a specific environment
+ */
+async function startEnvironmentPoller(envId: number, envName: string, interval: number) {
+	// Stop existing poller if any
+	stopEnvironmentPoller(envId);
+
+	console.log(`[EventSubprocess] Starting poller for ${envName} (every ${interval / 1000}s)`);
+
+	// Initial poll immediately
+	await pollEnvironmentEvents(envId, envName);
+
+	// Set up interval for subsequent polls
+	const intervalId = setInterval(async () => {
+		if (!isShuttingDown) {
+			await pollEnvironmentEvents(envId, envName);
+		}
+	}, interval);
+
+	pollIntervals.set(envId, intervalId);
+}
+
+/**
+ * Stop polling for a specific environment
+ */
+function stopEnvironmentPoller(envId: number) {
+	const intervalId = pollIntervals.get(envId);
+	if (intervalId) {
+		clearInterval(intervalId);
+		pollIntervals.delete(envId);
+		lastPollTime.delete(envId);
+		environmentOnlineStatus.delete(envId);
+	}
+}
+
+/**
+ * Stop collecting events for a specific environment (streaming mode)
  */
 function stopEnvironmentCollector(envId: number) {
 	const controller = collectors.get(envId);
@@ -342,6 +466,21 @@ async function refreshEventCollectors() {
 
 	try {
 		const environments = await getEnvironments();
+		const mode = await getEventCollectionMode();
+		const pollInterval = await getEventPollInterval();
+
+		// Detect if settings changed
+		const modeChanged = mode !== currentMode;
+		const intervalChanged = pollInterval !== currentPollInterval;
+
+		if (modeChanged) {
+			console.log(`[EventSubprocess] Mode changed from ${currentMode} to ${mode}`);
+			currentMode = mode;
+		}
+		if (intervalChanged) {
+			console.log(`[EventSubprocess] Poll interval changed from ${currentPollInterval}ms to ${pollInterval}ms`);
+			currentPollInterval = pollInterval;
+		}
 
 		// Filter: only collect for environments with activity enabled AND not Hawser Edge
 		const activeEnvIds = new Set(
@@ -353,18 +492,55 @@ async function refreshEventCollectors() {
 		// Stop collectors for removed environments or those with collection disabled
 		for (const envId of collectors.keys()) {
 			if (!activeEnvIds.has(envId)) {
-				console.log(`[EventSubprocess] Stopping collector for environment ${envId}`);
+				console.log(`[EventSubprocess] Stopping stream collector for environment ${envId}`);
 				stopEnvironmentCollector(envId);
 			}
 		}
 
-		// Start collectors for environments with collection enabled
+		// Stop pollers for removed environments or those with collection disabled
+		// Also restart all pollers if interval changed
+		for (const envId of pollIntervals.keys()) {
+			if (!activeEnvIds.has(envId)) {
+				console.log(`[EventSubprocess] Stopping poller for environment ${envId}`);
+				stopEnvironmentPoller(envId);
+			} else if (intervalChanged && mode === 'poll') {
+				// Restart poller with new interval
+				console.log(`[EventSubprocess] Restarting poller for environment ${envId} with new interval`);
+				stopEnvironmentPoller(envId);
+			}
+		}
+
+		// Start collectors based on mode
 		for (const env of environments) {
 			// Skip Hawser Edge (handled by main process)
 			if (env.connectionType === 'hawser-edge') continue;
 
-			if (env.collectActivity && !collectors.has(env.id)) {
-				startEnvironmentCollector(env.id, env.name);
+			// Skip if activity collection is disabled
+			if (!env.collectActivity) continue;
+
+			const hasStreamCollector = collectors.has(env.id);
+			const hasPoller = pollIntervals.has(env.id);
+
+			if (mode === 'stream') {
+				// Switch from polling to streaming if needed
+				if (hasPoller) {
+					console.log(`[EventSubprocess] Switching ${env.name} from poll to stream`);
+					stopEnvironmentPoller(env.id);
+				}
+				// Start stream if not already running
+				if (!hasStreamCollector) {
+					startEnvironmentCollector(env.id, env.name);
+				}
+			} else if (mode === 'poll') {
+				// Switch from streaming to polling if needed
+				if (hasStreamCollector) {
+					console.log(`[EventSubprocess] Switching ${env.name} from stream to poll`);
+					stopEnvironmentCollector(env.id);
+				}
+				// Start poller if not already running (will also restart after interval change above)
+				if (!hasPoller) {
+					startEnvironmentPoller(env.id, env.name, pollInterval);
+				}
 			}
 		}
 	} catch (error) {
@@ -383,6 +559,13 @@ function handleCommand(command: MainProcessCommand): void {
 			refreshEventCollectors();
 			break;
 
+		case 'update_interval':
+			// This is used by metrics subprocess, but we handle it here too for consistency
+			// Event subprocess re-reads interval from DB on refresh
+			console.log('[EventSubprocess] Interval update - refreshing collectors...');
+			refreshEventCollectors();
+			break;
+
 		case 'shutdown':
 			console.log('[EventSubprocess] Shutdown requested');
 			shutdown();
@@ -402,11 +585,16 @@ function shutdown(): void {
 		cacheCleanupInterval = null;
 	}
 
-	// Stop all environment collectors
+	// Stop all environment stream collectors
 	for (const envId of collectors.keys()) {
 		stopEnvironmentCollector(envId);
 	}
 
+	// Stop all environment pollers
+	for (const envId of pollIntervals.keys()) {
+		stopEnvironmentPoller(envId);
+	}
+
 	// Clear the deduplication cache
 	recentEvents.clear();
 
@@ -420,6 +608,15 @@ function shutdown(): void {
 async function start(): Promise<void> {
 	console.log('[EventSubprocess] Starting container event collection...');
 
+	// Initialize current settings from database
+	try {
+		currentMode = await getEventCollectionMode();
+		currentPollInterval = await getEventPollInterval();
+		console.log(`[EventSubprocess] Initial mode: ${currentMode}, poll interval: ${currentPollInterval}ms`);
+	} catch (error) {
+		console.error('[EventSubprocess] Failed to load settings, using defaults:', error);
+	}
+
 	// Start collectors for all environments
 	await refreshEventCollectors();
 
diff --git a/lib/server/subprocesses/metrics-subprocess.ts b/src/lib/server/subprocesses/metrics-subprocess.ts
similarity index 89%
rename from lib/server/subprocesses/metrics-subprocess.ts
rename to src/lib/server/subprocesses/metrics-subprocess.ts
index 139e6fa..74669c0 100644
--- a/lib/server/subprocesses/metrics-subprocess.ts
+++ b/src/lib/server/subprocesses/metrics-subprocess.ts
@@ -7,12 +7,12 @@
  * Communication with main process via IPC (process.send).
  */
 
-import { getEnvironments, getEnvSetting } from '../db';
+import { getEnvironments, getEnvSetting, getMetricsCollectionInterval } from '../db';
 import { listContainers, getContainerStats, getDockerInfo, getDiskUsage } from '../docker';
 import os from 'node:os';
 import type { MainProcessCommand } from '../subprocess-manager';
 
-const COLLECT_INTERVAL = 10000; // 10 seconds
+let COLLECT_INTERVAL = 30000; // 30 seconds (default, will be loaded from settings)
 const DISK_CHECK_INTERVAL = 300000; // 5 minutes
 const DEFAULT_DISK_THRESHOLD = 80; // 80% threshold for disk warnings
 const ENV_METRICS_TIMEOUT = 15000; // 15 seconds timeout per environment for metrics
@@ -82,12 +82,16 @@ async function collectEnvMetrics(env: { id: number; name: string; host?: string;
 					cpuPercent = (cpuDelta / systemDelta) * cpuCount * 100;
 				}
 
-				// Get container memory usage (subtract cache for actual usage)
+				// Get container memory usage using the same formula as Docker CLI
+				// Docker subtracts cache (inactive_file) from total usage
+				// - cgroup v2: uses 'inactive_file'
+				// - cgroup v1: uses 'total_inactive_file'
 				const memUsage = stats.memory_stats?.usage || 0;
-				const memCache = stats.memory_stats?.stats?.cache || 0;
-				const actualMemUsed = memUsage - memCache;
+				const memStats = stats.memory_stats?.stats || {};
+				const memCache = memStats.inactive_file ?? memStats.total_inactive_file ?? 0;
+				const actualMemUsed = memCache > 0 && memCache < memUsage ? memUsage - memCache : memUsage;
 
-				return { cpuPercent, memUsage: actualMemUsed > 0 ? actualMemUsed : memUsage };
+				return { cpuPercent, memUsage: actualMemUsed };
 			} catch {
 				return { cpuPercent: 0, memUsage: 0 };
 			}
@@ -356,6 +360,16 @@ function handleCommand(command: MainProcessCommand): void {
 			// The next collection cycle will pick up the new environments
 			break;
 
+		case 'update_interval':
+			console.log(`[MetricsSubprocess] Updating collection interval to ${command.intervalMs}ms`);
+			COLLECT_INTERVAL = command.intervalMs;
+			// Clear existing interval and restart with new timing
+			if (collectInterval) {
+				clearInterval(collectInterval);
+				collectInterval = setInterval(collectMetrics, COLLECT_INTERVAL);
+			}
+			break;
+
 		case 'shutdown':
 			console.log('[MetricsSubprocess] Shutdown requested');
 			shutdown();
@@ -386,8 +400,15 @@ function shutdown(): void {
 /**
  * Start the metrics collector
  */
-function start(): void {
-	console.log('[MetricsSubprocess] Starting metrics collection (every 10s)...');
+async function start(): Promise<void> {
+	// Load interval from settings
+	try {
+		COLLECT_INTERVAL = await getMetricsCollectionInterval();
+		console.log(`[MetricsSubprocess] Starting metrics collection (every ${COLLECT_INTERVAL / 1000}s)...`);
+	} catch (error) {
+		console.error('[MetricsSubprocess] Failed to load interval from settings, using default 30s');
+		COLLECT_INTERVAL = 30000;
+	}
 
 	// Initial collection
 	collectMetrics();
diff --git a/lib/server/uptime.ts b/src/lib/server/uptime.ts
similarity index 100%
rename from lib/server/uptime.ts
rename to src/lib/server/uptime.ts
diff --git a/lib/stores/audit-events.ts b/src/lib/stores/audit-events.ts
similarity index 100%
rename from lib/stores/audit-events.ts
rename to src/lib/stores/audit-events.ts
diff --git a/lib/stores/auth.ts b/src/lib/stores/auth.ts
similarity index 100%
rename from lib/stores/auth.ts
rename to src/lib/stores/auth.ts
diff --git a/lib/stores/dashboard.ts b/src/lib/stores/dashboard.ts
similarity index 100%
rename from lib/stores/dashboard.ts
rename to src/lib/stores/dashboard.ts
diff --git a/lib/stores/environment.ts b/src/lib/stores/environment.ts
similarity index 100%
rename from lib/stores/environment.ts
rename to src/lib/stores/environment.ts
diff --git a/lib/stores/events.ts b/src/lib/stores/events.ts
similarity index 100%
rename from lib/stores/events.ts
rename to src/lib/stores/events.ts
diff --git a/lib/stores/grid-preferences.ts b/src/lib/stores/grid-preferences.ts
similarity index 92%
rename from lib/stores/grid-preferences.ts
rename to src/lib/stores/grid-preferences.ts
index 3c174af..cdcb276 100644
--- a/lib/stores/grid-preferences.ts
+++ b/src/lib/stores/grid-preferences.ts
@@ -70,8 +70,21 @@ function createGridPreferencesStore() {
 				return getDefaultColumnPreferences(gridId);
 			}
 
-			// Return columns in saved order, filtering to visible ones
-			return gridPrefs.columns.filter((col) => col.visible);
+			// Merge with defaults to ensure new columns are included
+			const defaults = getDefaultColumnPreferences(gridId);
+			const savedIds = new Set(gridPrefs.columns.map((c) => c.id));
+
+			// Start with saved visible columns
+			const result = gridPrefs.columns.filter((col) => col.visible);
+
+			// Add any new default columns that aren't in saved preferences
+			for (const def of defaults) {
+				if (!savedIds.has(def.id) && def.visible) {
+					result.push(def);
+				}
+			}
+
+			return result;
 		},
 
 		// Get all columns for a grid (visible and hidden, in order)
diff --git a/lib/stores/license.ts b/src/lib/stores/license.ts
similarity index 100%
rename from lib/stores/license.ts
rename to src/lib/stores/license.ts
diff --git a/lib/stores/settings.ts b/src/lib/stores/settings.ts
similarity index 82%
rename from lib/stores/settings.ts
rename to src/lib/stores/settings.ts
index d067e7f..d88e1ce 100644
--- a/lib/stores/settings.ts
+++ b/src/lib/stores/settings.ts
@@ -4,6 +4,7 @@ import { browser } from '$app/environment';
 export type TimeFormat = '12h' | '24h';
 export type DateFormat = 'MM/DD/YYYY' | 'DD/MM/YYYY' | 'YYYY-MM-DD' | 'DD.MM.YYYY';
 export type DownloadFormat = 'tar' | 'tar.gz';
+export type EventCollectionMode = 'stream' | 'poll';
 
 export interface AppSettings {
 	confirmDestructive: boolean;
@@ -22,6 +23,11 @@ export interface AppSettings {
 	eventCleanupEnabled: boolean;
 	logBufferSizeKb: number;
 	defaultTimezone: string;
+	eventCollectionMode: EventCollectionMode;
+	eventPollInterval: number;
+	metricsCollectionInterval: number;
+	externalStackPaths: string[];
+	primaryStackLocation: string | null;
 }
 
 const DEFAULT_SETTINGS: AppSettings = {
@@ -40,7 +46,12 @@ const DEFAULT_SETTINGS: AppSettings = {
 	scheduleCleanupEnabled: true,
 	eventCleanupEnabled: true,
 	logBufferSizeKb: 500,
-	defaultTimezone: 'UTC'
+	defaultTimezone: 'UTC',
+	eventCollectionMode: 'stream',
+	eventPollInterval: 60000,
+	metricsCollectionInterval: 30000,
+	externalStackPaths: [],
+	primaryStackLocation: null
 };
 
 // Create a writable store for app settings
@@ -73,7 +84,12 @@ function createSettingsStore() {
 					scheduleCleanupEnabled: settings.scheduleCleanupEnabled ?? DEFAULT_SETTINGS.scheduleCleanupEnabled,
 					eventCleanupEnabled: settings.eventCleanupEnabled ?? DEFAULT_SETTINGS.eventCleanupEnabled,
 					logBufferSizeKb: settings.logBufferSizeKb ?? DEFAULT_SETTINGS.logBufferSizeKb,
-					defaultTimezone: settings.defaultTimezone ?? DEFAULT_SETTINGS.defaultTimezone
+					defaultTimezone: settings.defaultTimezone ?? DEFAULT_SETTINGS.defaultTimezone,
+					eventCollectionMode: settings.eventCollectionMode ?? DEFAULT_SETTINGS.eventCollectionMode,
+					eventPollInterval: settings.eventPollInterval ?? DEFAULT_SETTINGS.eventPollInterval,
+					metricsCollectionInterval: settings.metricsCollectionInterval ?? DEFAULT_SETTINGS.metricsCollectionInterval,
+					externalStackPaths: settings.externalStackPaths ?? DEFAULT_SETTINGS.externalStackPaths,
+					primaryStackLocation: settings.primaryStackLocation ?? DEFAULT_SETTINGS.primaryStackLocation
 				});
 			}
 		} catch {
@@ -109,7 +125,12 @@ function createSettingsStore() {
 					scheduleCleanupEnabled: updatedSettings.scheduleCleanupEnabled ?? DEFAULT_SETTINGS.scheduleCleanupEnabled,
 					eventCleanupEnabled: updatedSettings.eventCleanupEnabled ?? DEFAULT_SETTINGS.eventCleanupEnabled,
 					logBufferSizeKb: updatedSettings.logBufferSizeKb ?? DEFAULT_SETTINGS.logBufferSizeKb,
-					defaultTimezone: updatedSettings.defaultTimezone ?? DEFAULT_SETTINGS.defaultTimezone
+					defaultTimezone: updatedSettings.defaultTimezone ?? DEFAULT_SETTINGS.defaultTimezone,
+					eventCollectionMode: updatedSettings.eventCollectionMode ?? DEFAULT_SETTINGS.eventCollectionMode,
+					eventPollInterval: updatedSettings.eventPollInterval ?? DEFAULT_SETTINGS.eventPollInterval,
+					metricsCollectionInterval: updatedSettings.metricsCollectionInterval ?? DEFAULT_SETTINGS.metricsCollectionInterval,
+					externalStackPaths: updatedSettings.externalStackPaths ?? DEFAULT_SETTINGS.externalStackPaths,
+					primaryStackLocation: updatedSettings.primaryStackLocation ?? DEFAULT_SETTINGS.primaryStackLocation
 				});
 			}
 		} catch (error) {
@@ -248,6 +269,41 @@ function createSettingsStore() {
 				return newSettings;
 			});
 		},
+		setEventCollectionMode: (value: EventCollectionMode) => {
+			update((current) => {
+				const newSettings = { ...current, eventCollectionMode: value };
+				saveSettings({ eventCollectionMode: value });
+				return newSettings;
+			});
+		},
+		setEventPollInterval: (value: number) => {
+			update((current) => {
+				const newSettings = { ...current, eventPollInterval: value };
+				saveSettings({ eventPollInterval: value });
+				return newSettings;
+			});
+		},
+		setMetricsCollectionInterval: (value: number) => {
+			update((current) => {
+				const newSettings = { ...current, metricsCollectionInterval: value };
+				saveSettings({ metricsCollectionInterval: value });
+				return newSettings;
+			});
+		},
+		setExternalStackPaths: (value: string[]) => {
+			update((current) => {
+				const newSettings = { ...current, externalStackPaths: value };
+				saveSettings({ externalStackPaths: value });
+				return newSettings;
+			});
+		},
+		setPrimaryStackLocation: (value: string | null) => {
+			update((current) => {
+				const newSettings = { ...current, primaryStackLocation: value };
+				saveSettings({ primaryStackLocation: value });
+				return newSettings;
+			});
+		},
 		// Manual refresh from database
 		refresh: loadSettings
 	};
diff --git a/lib/stores/stats.ts b/src/lib/stores/stats.ts
similarity index 100%
rename from lib/stores/stats.ts
rename to src/lib/stores/stats.ts
diff --git a/lib/stores/theme.ts b/src/lib/stores/theme.ts
similarity index 100%
rename from lib/stores/theme.ts
rename to src/lib/stores/theme.ts
diff --git a/lib/themes.ts b/src/lib/themes.ts
similarity index 100%
rename from lib/themes.ts
rename to src/lib/themes.ts
diff --git a/lib/types.ts b/src/lib/types.ts
similarity index 93%
rename from lib/types.ts
rename to src/lib/types.ts
index 17bf013..a9309d2 100644
--- a/lib/types.ts
+++ b/src/lib/types.ts
@@ -34,6 +34,7 @@ export interface ImageInfo {
 	size: number;
 	virtualSize: number;
 	labels: Record<string, string>;
+	containers: number; // Number of containers using this image
 }
 
 export interface VolumeUsage {
@@ -90,7 +91,9 @@ export interface ContainerStats {
 	id: string;
 	name: string;
 	cpuPercent: number;
-	memoryUsage: number;
+	memoryUsage: number;      // Actual usage (total - cache), same as docker stats
+	memoryRaw: number;        // Raw total usage before cache subtraction
+	memoryCache: number;      // File cache (inactive_file)
 	memoryLimit: number;
 	memoryPercent: number;
 	networkRx: number;
diff --git a/lib/utils.ts b/src/lib/utils.ts
similarity index 100%
rename from lib/utils.ts
rename to src/lib/utils.ts
diff --git a/lib/utils/icons.ts b/src/lib/utils/icons.ts
similarity index 100%
rename from lib/utils/icons.ts
rename to src/lib/utils/icons.ts
diff --git a/lib/utils/ip.ts b/src/lib/utils/ip.ts
similarity index 100%
rename from lib/utils/ip.ts
rename to src/lib/utils/ip.ts
diff --git a/lib/utils/label-colors.ts b/src/lib/utils/label-colors.ts
similarity index 100%
rename from lib/utils/label-colors.ts
rename to src/lib/utils/label-colors.ts
diff --git a/src/lib/utils/pem.ts b/src/lib/utils/pem.ts
new file mode 100644
index 0000000..3a82b01
--- /dev/null
+++ b/src/lib/utils/pem.ts
@@ -0,0 +1,19 @@
+/**
+ * Clean PEM content by removing whitespace artifacts from copy/paste.
+ * Bun's TLS is strict about PEM format - it fails when certificates have
+ * leading/trailing spaces on lines or extra blank lines.
+ *
+ * @param pem - The PEM content to clean
+ * @returns Cleaned PEM content with trimmed lines and no empty lines, or null if empty
+ */
+export function cleanPem(pem: string | null | undefined): string | null {
+	if (!pem) return null;
+
+	const cleaned = pem
+		.split('\n')
+		.map((line) => line.trim())
+		.filter((line) => line.length > 0)
+		.join('\n');
+
+	return cleaned.length > 0 ? cleaned : null;
+}
diff --git a/lib/utils/update-steps.ts b/src/lib/utils/update-steps.ts
similarity index 100%
rename from lib/utils/update-steps.ts
rename to src/lib/utils/update-steps.ts
diff --git a/lib/utils/version.ts b/src/lib/utils/version.ts
similarity index 100%
rename from lib/utils/version.ts
rename to src/lib/utils/version.ts
diff --git a/routes/+layout.server.ts b/src/routes/+layout.server.ts
similarity index 100%
rename from routes/+layout.server.ts
rename to src/routes/+layout.server.ts
diff --git a/routes/+layout.svelte b/src/routes/+layout.svelte
similarity index 100%
rename from routes/+layout.svelte
rename to src/routes/+layout.svelte
diff --git a/routes/+layout.ts b/src/routes/+layout.ts
similarity index 100%
rename from routes/+layout.ts
rename to src/routes/+layout.ts
diff --git a/routes/+page.svelte b/src/routes/+page.svelte
similarity index 93%
rename from routes/+page.svelte
rename to src/routes/+page.svelte
index a589049..ff79a1a 100644
--- a/routes/+page.svelte
+++ b/src/routes/+page.svelte
@@ -12,6 +12,7 @@
 	import DraggableGrid, { type GridItemLayout } from './dashboard/DraggableGrid.svelte';
 	import { dashboardPreferences, dashboardData, GRID_COLS, GRID_ROW_HEIGHT, type TileItem } from '$lib/stores/dashboard';
 	import { currentEnvironment } from '$lib/stores/environment';
+	import { IsMobile } from '$lib/hooks/is-mobile.svelte.js';
 	import type { EnvironmentStats } from './api/dashboard/stats/+server';
 	import { getLabelColor, getLabelBgColor } from '$lib/utils/label-colors';
 
@@ -43,6 +44,8 @@
 	let initialLoading = $state(true);
 	let refreshing = $state(false);
 	let prefsLoaded = $state(false);
+	const mobileWatcher = new IsMobile();
+	const isMobile = $derived.by(() => mobileWatcher.current);
 
 	// Label filtering - load from localStorage
 	let filterLabels = $state<string[]>([]);
@@ -113,6 +116,9 @@
 			return tileLabels.some(label => filterLabels.includes(label));
 		});
 	});
+	const orderedGridItems = $derived.by(() => {
+		return [...filteredGridItems].sort((a, b) => (a.y - b.y) || (a.x - b.x));
+	});
 
 	// AbortController for SSE stream cleanup
 	let abortController: AbortController | null = null;
@@ -335,7 +341,7 @@
 												connectionType: env.connectionType || 'socket',
 												labels: env.labels || [],
 												scannerEnabled: false,
-												online: false,
+												online: undefined, // undefined = connecting, false = offline, true = online
 												containers: { total: 0, running: 0, stopped: 0, paused: 0, restarting: 0, unhealthy: 0 },
 												images: { total: 0, totalSize: 0 },
 												volumes: { total: 0, totalSize: 0 },
@@ -965,36 +971,68 @@
 			</Button>
 		</div>
 	{:else}
-		<!-- Custom Draggable Grid -->
-		<DraggableGrid
-			items={filteredGridItems}
-			cols={GRID_COLS}
-			rowHeight={GRID_ROW_HEIGHT}
-			gap={10}
-			minW={1}
-			maxW={2}
-			minH={1}
-			maxH={4}
-			onchange={handleGridChange}
-			onitemclick={handleTileClick}
-		>
-			{#snippet children({ item })}
-				{@const tile = getTileById(item.id)}
-				{#if tile}
-					{#if tile.loading && !tile.stats}
-						<!-- Show skeleton while loading -->
-						<EnvironmentTileSkeleton
-							name={tile.info?.name}
-							host={tile.info?.host}
-							width={item.w}
-							height={item.h}
-						/>
-					{:else if tile.stats}
-						<!-- Show actual tile with data -->
-						<EnvironmentTile stats={tile.stats} width={item.w} height={item.h} oneventsclick={() => handleEventsClick(tile.stats!.id)} />
+		{#if isMobile}
+			<div class="flex flex-col gap-3">
+				{#each orderedGridItems as item (item.id)}
+					{@const tile = getTileById(item.id)}
+					{#if tile}
+						{#if tile.loading && !tile.stats}
+							<!-- Show skeleton while loading -->
+							<div class="w-full">
+								<EnvironmentTileSkeleton
+									name={tile.info?.name}
+									host={tile.info?.host}
+									width={2}
+									height={Math.max(item.h, 2)}
+								/>
+							</div>
+						{:else if tile.stats}
+							<!-- Show actual tile with data -->
+							<div class="w-full cursor-pointer" onclick={() => handleTileClick(tile.stats!.id)}>
+								<EnvironmentTile
+									stats={tile.stats}
+									width={2}
+									height={Math.max(item.h, 2)}
+									oneventsclick={() => handleEventsClick(tile.stats!.id)}
+									showStacksBreakdown={false}
+								/>
+							</div>
+						{/if}
+					{/if}
+				{/each}
+			</div>
+		{:else}
+			<!-- Custom Draggable Grid -->
+			<DraggableGrid
+				items={filteredGridItems}
+				cols={GRID_COLS}
+				rowHeight={GRID_ROW_HEIGHT}
+				gap={10}
+				minW={1}
+				maxW={2}
+				minH={1}
+				maxH={4}
+				onchange={handleGridChange}
+				onitemclick={handleTileClick}
+			>
+				{#snippet children({ item })}
+					{@const tile = getTileById(item.id)}
+					{#if tile}
+						{#if tile.loading && !tile.stats}
+							<!-- Show skeleton while loading -->
+							<EnvironmentTileSkeleton
+								name={tile.info?.name}
+								host={tile.info?.host}
+								width={item.w}
+								height={item.h}
+							/>
+						{:else if tile.stats}
+							<!-- Show actual tile with data -->
+							<EnvironmentTile stats={tile.stats} width={item.w} height={item.h} oneventsclick={() => handleEventsClick(tile.stats!.id)} />
+						{/if}
 					{/if}
-				{/if}
-			{/snippet}
-		</DraggableGrid>
+				{/snippet}
+			</DraggableGrid>
+		{/if}
 	{/if}
 </div>
diff --git a/routes/activity/+page.svelte b/src/routes/activity/+page.svelte
similarity index 91%
rename from routes/activity/+page.svelte
rename to src/routes/activity/+page.svelte
index 132d58f..172f39d 100644
--- a/routes/activity/+page.svelte
+++ b/src/routes/activity/+page.svelte
@@ -30,7 +30,9 @@
 		Loader2,
 		FileX,
 		Heart,
-		Search
+		Search,
+		Wifi,
+		Radio
 	} from 'lucide-svelte';
 	import PageHeader from '$lib/components/PageHeader.svelte';
 	import { currentEnvironment, environments as environmentsStore } from '$lib/stores/environment';
@@ -38,7 +40,7 @@
 	import { canAccess } from '$lib/stores/auth';
 	import ConfirmPopover from '$lib/components/ConfirmPopover.svelte';
 	import { toast } from 'svelte-sonner';
-	import { formatDateTime } from '$lib/stores/settings';
+	import { formatDateTime, appSettings } from '$lib/stores/settings';
 	import { NoEnvironment } from '$lib/components/ui/empty-state';
 	import { DataGrid } from '$lib/components/data-grid';
 
@@ -68,6 +70,7 @@
 
 	// State
 	let events = $state<ContainerEvent[]>([]);
+	let eventIds = $state<Set<number>>(new Set()); // Fast duplicate check
 	let total = $state(0);
 	let loading = $state(false);
 	let loadingMore = $state(false);
@@ -246,6 +249,7 @@
 			toast.success('Activity log cleared');
 			// Reset and reload
 			events = [];
+			eventIds = new Set();
 			total = 0;
 			hasMore = true;
 			fetchEvents(false);
@@ -301,13 +305,24 @@
 			}
 			const data = await response.json();
 
+			// Update total first so hasMore calculation is correct
+			total = data.total;
+
 			if (append) {
-				events = [...events, ...data.events];
+				// Use push() for O(k) append instead of spread for O(n) copy
+				events.push(...data.events);
+				events = events; // Trigger Svelte reactivity
+				hasMore = events.length < total;
+				// Update eventIds Set with new events
+				for (const evt of data.events) {
+					eventIds.add(evt.id);
+				}
 			} else {
 				events = data.events;
+				hasMore = events.length < total;
+				// Reset eventIds Set
+				eventIds = new Set(data.events.map((evt: ContainerEvent) => evt.id));
 			}
-			total = data.total;
-			hasMore = events.length < total;
 			dataFetched = true;
 
 			loading = false;
@@ -503,14 +518,19 @@
 					if (eventDate > filterToDate) return;
 				}
 
-				// Add to beginning of events (prepend new events)
-				if (!events.some(event => event.id === newEvent.id)) {
-					events = [newEvent, ...events];
+				// Add to beginning of events (prepend new events) - use Set for fast duplicate check
+				if (!eventIds.has(newEvent.id)) {
+					eventIds.add(newEvent.id);
+					// Use unshift() for in-place mutation instead of spread for O(n) copy
+					events.unshift(newEvent);
+					events = events; // Trigger Svelte reactivity
 					total = total + 1;
 
 					// Add container to list if not already there
 					if (newEvent.containerName && !containers.includes(newEvent.containerName)) {
-						containers = [...containers, newEvent.containerName].sort();
+						containers.push(newEvent.containerName);
+						containers.sort();
+						containers = containers; // Trigger Svelte reactivity
 					}
 				}
 			} catch {
@@ -625,7 +645,20 @@
 <div class="flex-1 min-h-0 flex flex-col gap-3 overflow-hidden">
 	<!-- Header with inline filters -->
 	<div class="shrink-0 flex flex-wrap justify-between items-center gap-3">
-		<PageHeader icon={Activity} title="Activity" count={visibleEnd > 0 ? `${visibleStart}-${visibleEnd}` : undefined} total={total > 0 ? total : undefined} countClass="min-w-32" />
+		<div class="flex items-center gap-3">
+			<PageHeader icon={Activity} title="Activity" count={visibleEnd > 0 ? `${visibleStart}-${visibleEnd}` : undefined} total={total > 0 ? total : undefined} countClass="min-w-32" />
+			<Badge variant="outline" class="gap-1.5 {($appSettings.eventCollectionMode || 'stream') === 'stream' ? 'text-green-500 border-green-500/50' : 'text-amber-500 border-amber-500/50'}">
+				{#if ($appSettings.eventCollectionMode || 'stream') === 'stream'}
+					<Wifi class="w-3 h-3" />
+					<span>Stream</span>
+				{:else if ($appSettings.eventCollectionMode || 'stream') === 'poll'}
+					<Radio class="w-3 h-3" />
+					<span>Poll</span><span class="text-[10px] opacity-70">({($appSettings.eventPollInterval || 60000) / 1000}s)</span>
+				{:else}
+					<span class="text-muted-foreground">Off</span>
+				{/if}
+			</Badge>
+		</div>
 		<div class="flex flex-wrap items-center gap-2">
 			<!-- Container name search -->
 			<div class="relative">
@@ -839,22 +872,19 @@
 					Loading...
 				</div>
 			{/snippet}
+			{#snippet footer()}
+				{#if loadingMore}
+					<div class="flex items-center justify-center py-2 text-muted-foreground">
+						<Loader2 class="w-4 h-4 animate-spin mr-2" />
+						Loading more...
+					</div>
+				{:else if !hasMore && events.length > 0}
+					<div class="text-center py-2 text-sm text-muted-foreground">
+						End of results ({total.toLocaleString()} events)
+					</div>
+				{/if}
+			{/snippet}
 		</DataGrid>
-
-		<!-- Loading more indicator -->
-		{#if loadingMore}
-			<div class="flex items-center justify-center py-2 text-muted-foreground border-t">
-				<Loader2 class="w-4 h-4 animate-spin mr-2" />
-				Loading more...
-			</div>
-		{/if}
-
-		<!-- End of results -->
-		{#if !hasMore && events.length > 0}
-			<div class="text-center py-2 text-sm text-muted-foreground border-t">
-				End of results ({total.toLocaleString()} events)
-			</div>
-		{/if}
 	{/if}
 </div>
 
diff --git a/routes/alerts/+page.svelte b/src/routes/alerts/+page.svelte
similarity index 100%
rename from routes/alerts/+page.svelte
rename to src/routes/alerts/+page.svelte
diff --git a/routes/api/activity/+server.ts b/src/routes/api/activity/+server.ts
similarity index 100%
rename from routes/api/activity/+server.ts
rename to src/routes/api/activity/+server.ts
diff --git a/routes/api/activity/containers/+server.ts b/src/routes/api/activity/containers/+server.ts
similarity index 100%
rename from routes/api/activity/containers/+server.ts
rename to src/routes/api/activity/containers/+server.ts
diff --git a/routes/api/activity/events/+server.ts b/src/routes/api/activity/events/+server.ts
similarity index 100%
rename from routes/api/activity/events/+server.ts
rename to src/routes/api/activity/events/+server.ts
diff --git a/routes/api/activity/stats/+server.ts b/src/routes/api/activity/stats/+server.ts
similarity index 100%
rename from routes/api/activity/stats/+server.ts
rename to src/routes/api/activity/stats/+server.ts
diff --git a/routes/api/audit/+server.ts b/src/routes/api/audit/+server.ts
similarity index 100%
rename from routes/api/audit/+server.ts
rename to src/routes/api/audit/+server.ts
diff --git a/routes/api/audit/events/+server.ts b/src/routes/api/audit/events/+server.ts
similarity index 100%
rename from routes/api/audit/events/+server.ts
rename to src/routes/api/audit/events/+server.ts
diff --git a/routes/api/audit/export/+server.ts b/src/routes/api/audit/export/+server.ts
similarity index 100%
rename from routes/api/audit/export/+server.ts
rename to src/routes/api/audit/export/+server.ts
diff --git a/routes/api/audit/users/+server.ts b/src/routes/api/audit/users/+server.ts
similarity index 100%
rename from routes/api/audit/users/+server.ts
rename to src/routes/api/audit/users/+server.ts
diff --git a/routes/api/auth/ldap/+server.ts b/src/routes/api/auth/ldap/+server.ts
similarity index 100%
rename from routes/api/auth/ldap/+server.ts
rename to src/routes/api/auth/ldap/+server.ts
diff --git a/routes/api/auth/ldap/[id]/+server.ts b/src/routes/api/auth/ldap/[id]/+server.ts
similarity index 100%
rename from routes/api/auth/ldap/[id]/+server.ts
rename to src/routes/api/auth/ldap/[id]/+server.ts
diff --git a/routes/api/auth/ldap/[id]/test/+server.ts b/src/routes/api/auth/ldap/[id]/test/+server.ts
similarity index 100%
rename from routes/api/auth/ldap/[id]/test/+server.ts
rename to src/routes/api/auth/ldap/[id]/test/+server.ts
diff --git a/routes/api/auth/login/+server.ts b/src/routes/api/auth/login/+server.ts
similarity index 100%
rename from routes/api/auth/login/+server.ts
rename to src/routes/api/auth/login/+server.ts
diff --git a/routes/api/auth/logout/+server.ts b/src/routes/api/auth/logout/+server.ts
similarity index 100%
rename from routes/api/auth/logout/+server.ts
rename to src/routes/api/auth/logout/+server.ts
diff --git a/routes/api/auth/oidc/+server.ts b/src/routes/api/auth/oidc/+server.ts
similarity index 100%
rename from routes/api/auth/oidc/+server.ts
rename to src/routes/api/auth/oidc/+server.ts
diff --git a/routes/api/auth/oidc/[id]/+server.ts b/src/routes/api/auth/oidc/[id]/+server.ts
similarity index 100%
rename from routes/api/auth/oidc/[id]/+server.ts
rename to src/routes/api/auth/oidc/[id]/+server.ts
diff --git a/routes/api/auth/oidc/[id]/initiate/+server.ts b/src/routes/api/auth/oidc/[id]/initiate/+server.ts
similarity index 100%
rename from routes/api/auth/oidc/[id]/initiate/+server.ts
rename to src/routes/api/auth/oidc/[id]/initiate/+server.ts
diff --git a/routes/api/auth/oidc/[id]/test/+server.ts b/src/routes/api/auth/oidc/[id]/test/+server.ts
similarity index 100%
rename from routes/api/auth/oidc/[id]/test/+server.ts
rename to src/routes/api/auth/oidc/[id]/test/+server.ts
diff --git a/routes/api/auth/oidc/callback/+server.ts b/src/routes/api/auth/oidc/callback/+server.ts
similarity index 100%
rename from routes/api/auth/oidc/callback/+server.ts
rename to src/routes/api/auth/oidc/callback/+server.ts
diff --git a/routes/api/auth/providers/+server.ts b/src/routes/api/auth/providers/+server.ts
similarity index 100%
rename from routes/api/auth/providers/+server.ts
rename to src/routes/api/auth/providers/+server.ts
diff --git a/routes/api/auth/session/+server.ts b/src/routes/api/auth/session/+server.ts
similarity index 100%
rename from routes/api/auth/session/+server.ts
rename to src/routes/api/auth/session/+server.ts
diff --git a/routes/api/auth/settings/+server.ts b/src/routes/api/auth/settings/+server.ts
similarity index 100%
rename from routes/api/auth/settings/+server.ts
rename to src/routes/api/auth/settings/+server.ts
diff --git a/routes/api/auto-update/+server.ts b/src/routes/api/auto-update/+server.ts
similarity index 100%
rename from routes/api/auto-update/+server.ts
rename to src/routes/api/auto-update/+server.ts
diff --git a/routes/api/auto-update/[containerName]/+server.ts b/src/routes/api/auto-update/[containerName]/+server.ts
similarity index 100%
rename from routes/api/auto-update/[containerName]/+server.ts
rename to src/routes/api/auto-update/[containerName]/+server.ts
diff --git a/routes/api/batch/+server.ts b/src/routes/api/batch/+server.ts
similarity index 100%
rename from routes/api/batch/+server.ts
rename to src/routes/api/batch/+server.ts
diff --git a/routes/api/changelog/+server.ts b/src/routes/api/changelog/+server.ts
similarity index 100%
rename from routes/api/changelog/+server.ts
rename to src/routes/api/changelog/+server.ts
diff --git a/routes/api/config-sets/+server.ts b/src/routes/api/config-sets/+server.ts
similarity index 100%
rename from routes/api/config-sets/+server.ts
rename to src/routes/api/config-sets/+server.ts
diff --git a/routes/api/config-sets/[id]/+server.ts b/src/routes/api/config-sets/[id]/+server.ts
similarity index 100%
rename from routes/api/config-sets/[id]/+server.ts
rename to src/routes/api/config-sets/[id]/+server.ts
diff --git a/routes/api/containers/+server.ts b/src/routes/api/containers/+server.ts
similarity index 100%
rename from routes/api/containers/+server.ts
rename to src/routes/api/containers/+server.ts
diff --git a/routes/api/containers/[id]/+server.ts b/src/routes/api/containers/[id]/+server.ts
similarity index 100%
rename from routes/api/containers/[id]/+server.ts
rename to src/routes/api/containers/[id]/+server.ts
diff --git a/src/routes/api/containers/[id]/attach/+server.ts b/src/routes/api/containers/[id]/attach/+server.ts
new file mode 100644
index 0000000..fd03312
--- /dev/null
+++ b/src/routes/api/containers/[id]/attach/+server.ts
@@ -0,0 +1,38 @@
+import { authorize } from '$lib/server/authorize';
+import { getDockerConnectionInfo } from "$lib/server/docker";
+import { json } from "@sveltejs/kit";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ params, cookies, url }) => {
+    const auth = await authorize(cookies);
+
+    if (auth.authEnabled && !auth.isAuthenticated) {
+        return json({ error: "Unauthorized" }, { status: 401 });
+    }
+
+    const containerId = params.id;
+    const envIdParam = url.searchParams.get("envId");
+    const envId = envIdParam ? parseInt(envIdParam, 10) : undefined;
+
+    // Permission check with environment context
+    if (!(await auth.can("containers", "attach", envId))) {
+        return json({ error: "Permission denied" }, { status: 403 });
+    }
+
+    try {
+        const connectionInfo = await getDockerConnectionInfo(envId);
+
+        return json({
+            containerId,
+            connectionInfo: {
+                type: connectionInfo.type,
+                host: connectionInfo.host,
+                port: connectionInfo.port,
+            },
+        });
+    } catch (error) {
+        console.error("Error attaching to container:", error);
+
+        return json({ error: "Failed to attach to container" }, { status: 500 });
+    }
+};
diff --git a/routes/api/containers/[id]/exec/+server.ts b/src/routes/api/containers/[id]/exec/+server.ts
similarity index 100%
rename from routes/api/containers/[id]/exec/+server.ts
rename to src/routes/api/containers/[id]/exec/+server.ts
diff --git a/routes/api/containers/[id]/files/+server.ts b/src/routes/api/containers/[id]/files/+server.ts
similarity index 100%
rename from routes/api/containers/[id]/files/+server.ts
rename to src/routes/api/containers/[id]/files/+server.ts
diff --git a/routes/api/containers/[id]/files/chmod/+server.ts b/src/routes/api/containers/[id]/files/chmod/+server.ts
similarity index 100%
rename from routes/api/containers/[id]/files/chmod/+server.ts
rename to src/routes/api/containers/[id]/files/chmod/+server.ts
diff --git a/routes/api/containers/[id]/files/content/+server.ts b/src/routes/api/containers/[id]/files/content/+server.ts
similarity index 100%
rename from routes/api/containers/[id]/files/content/+server.ts
rename to src/routes/api/containers/[id]/files/content/+server.ts
diff --git a/routes/api/containers/[id]/files/create/+server.ts b/src/routes/api/containers/[id]/files/create/+server.ts
similarity index 100%
rename from routes/api/containers/[id]/files/create/+server.ts
rename to src/routes/api/containers/[id]/files/create/+server.ts
diff --git a/routes/api/containers/[id]/files/delete/+server.ts b/src/routes/api/containers/[id]/files/delete/+server.ts
similarity index 100%
rename from routes/api/containers/[id]/files/delete/+server.ts
rename to src/routes/api/containers/[id]/files/delete/+server.ts
diff --git a/routes/api/containers/[id]/files/download/+server.ts b/src/routes/api/containers/[id]/files/download/+server.ts
similarity index 100%
rename from routes/api/containers/[id]/files/download/+server.ts
rename to src/routes/api/containers/[id]/files/download/+server.ts
diff --git a/routes/api/containers/[id]/files/rename/+server.ts b/src/routes/api/containers/[id]/files/rename/+server.ts
similarity index 100%
rename from routes/api/containers/[id]/files/rename/+server.ts
rename to src/routes/api/containers/[id]/files/rename/+server.ts
diff --git a/routes/api/containers/[id]/files/upload/+server.ts b/src/routes/api/containers/[id]/files/upload/+server.ts
similarity index 100%
rename from routes/api/containers/[id]/files/upload/+server.ts
rename to src/routes/api/containers/[id]/files/upload/+server.ts
diff --git a/routes/api/containers/[id]/inspect/+server.ts b/src/routes/api/containers/[id]/inspect/+server.ts
similarity index 100%
rename from routes/api/containers/[id]/inspect/+server.ts
rename to src/routes/api/containers/[id]/inspect/+server.ts
diff --git a/routes/api/containers/[id]/logs/+server.ts b/src/routes/api/containers/[id]/logs/+server.ts
similarity index 100%
rename from routes/api/containers/[id]/logs/+server.ts
rename to src/routes/api/containers/[id]/logs/+server.ts
diff --git a/routes/api/containers/[id]/logs/stream/+server.ts b/src/routes/api/containers/[id]/logs/stream/+server.ts
similarity index 92%
rename from routes/api/containers/[id]/logs/stream/+server.ts
rename to src/routes/api/containers/[id]/logs/stream/+server.ts
index 9e2b77d..fd0d83a 100644
--- a/routes/api/containers/[id]/logs/stream/+server.ts
+++ b/src/routes/api/containers/[id]/logs/stream/+server.ts
@@ -285,11 +285,19 @@ export const GET: RequestHandler = async ({ params, url, cookies }) => {
 			const inspectUrl = `${config.type}://${config.host}:${config.port}${inspectPath}`;
 			const inspectHeaders: Record<string, string> = {};
 			if (config.hawserToken) inspectHeaders['X-Hawser-Token'] = config.hawserToken;
-			inspectResponse = await fetch(inspectUrl, {
-				headers: inspectHeaders,
-				// @ts-ignore
-				tls: config.type === 'https' ? { ca: config.ca, cert: config.cert, key: config.key } : undefined
-			});
+			const fetchOpts: any = { headers: inspectHeaders };
+			if (config.type === 'https') {
+				fetchOpts.tls = {
+					sessionTimeout: 0, // Disable TLS session caching for mTLS
+					servername: config.host,
+					rejectUnauthorized: true
+				};
+				if (config.ca) fetchOpts.tls.ca = [config.ca];
+				if (config.cert) fetchOpts.tls.cert = [config.cert];
+				if (config.key) fetchOpts.tls.key = config.key;
+				fetchOpts.keepalive = false;
+			}
+			inspectResponse = await fetch(inspectUrl, fetchOpts);
 		}
 
 		if (inspectResponse.ok) {
@@ -341,12 +349,22 @@ export const GET: RequestHandler = async ({ params, url, cookies }) => {
 					const logsUrl = `${config.type}://${config.host}:${config.port}${logsPath}`;
 					const logsHeaders: Record<string, string> = {};
 					if (config.hawserToken) logsHeaders['X-Hawser-Token'] = config.hawserToken;
-					response = await fetch(logsUrl, {
+					const fetchOpts: any = {
 						headers: logsHeaders,
-						signal: abortController?.signal,
-						// @ts-ignore
-						tls: config.type === 'https' ? { ca: config.ca, cert: config.cert, key: config.key } : undefined
-					});
+						signal: abortController?.signal
+					};
+					if (config.type === 'https') {
+						fetchOpts.tls = {
+							sessionTimeout: 0, // Disable TLS session caching for mTLS
+							servername: config.host,
+							rejectUnauthorized: true
+						};
+						if (config.ca) fetchOpts.tls.ca = [config.ca];
+						if (config.cert) fetchOpts.tls.cert = [config.cert];
+						if (config.key) fetchOpts.tls.key = config.key;
+						fetchOpts.keepalive = false;
+					}
+					response = await fetch(logsUrl, fetchOpts);
 				}
 
 				if (!response.ok) {
diff --git a/routes/api/containers/[id]/pause/+server.ts b/src/routes/api/containers/[id]/pause/+server.ts
similarity index 100%
rename from routes/api/containers/[id]/pause/+server.ts
rename to src/routes/api/containers/[id]/pause/+server.ts
diff --git a/routes/api/containers/[id]/rename/+server.ts b/src/routes/api/containers/[id]/rename/+server.ts
similarity index 100%
rename from routes/api/containers/[id]/rename/+server.ts
rename to src/routes/api/containers/[id]/rename/+server.ts
diff --git a/routes/api/containers/[id]/restart/+server.ts b/src/routes/api/containers/[id]/restart/+server.ts
similarity index 100%
rename from routes/api/containers/[id]/restart/+server.ts
rename to src/routes/api/containers/[id]/restart/+server.ts
diff --git a/routes/api/containers/[id]/start/+server.ts b/src/routes/api/containers/[id]/start/+server.ts
similarity index 100%
rename from routes/api/containers/[id]/start/+server.ts
rename to src/routes/api/containers/[id]/start/+server.ts
diff --git a/routes/api/containers/[id]/stats/+server.ts b/src/routes/api/containers/[id]/stats/+server.ts
similarity index 66%
rename from routes/api/containers/[id]/stats/+server.ts
rename to src/routes/api/containers/[id]/stats/+server.ts
index 5690d85..c06e99c 100644
--- a/routes/api/containers/[id]/stats/+server.ts
+++ b/src/routes/api/containers/[id]/stats/+server.ts
@@ -1,6 +1,6 @@
 import { json } from '@sveltejs/kit';
 import type { RequestHandler } from './$types';
-import { getContainerStats } from '$lib/server/docker';
+import { getContainerStats, EnvironmentNotFoundError } from '$lib/server/docker';
 import { authorize } from '$lib/server/authorize';
 import { hasEnvironments } from '$lib/server/db';
 
@@ -47,6 +47,28 @@ function calculateBlockIO(stats: any): { read: number; write: number } {
 	return { read, write };
 }
 
+/**
+ * Calculate memory usage the same way Docker CLI does.
+ * Docker subtracts cache (inactive_file) from total usage to show actual memory consumption.
+ * - cgroup v2: subtract inactive_file from stats
+ * - cgroup v1: subtract total_inactive_file from stats
+ * See: https://docs.docker.com/engine/containers/runmetrics/
+ *
+ * Returns: { usage: actual memory (minus cache), raw: total usage, cache: file cache }
+ */
+function calculateMemoryUsage(memoryStats: any): { usage: number; raw: number; cache: number } {
+	const raw = memoryStats?.usage || 0;
+	const stats = memoryStats?.stats || {};
+
+	// cgroup v2 uses 'inactive_file', cgroup v1 uses 'total_inactive_file'
+	const cache = stats.inactive_file ?? stats.total_inactive_file ?? 0;
+
+	// Only subtract cache if it's less than raw usage (sanity check)
+	const usage = (cache > 0 && cache < raw) ? raw - cache : raw;
+
+	return { usage, raw, cache };
+}
+
 export const GET: RequestHandler = async ({ params, url, cookies }) => {
 	const auth = await authorize(cookies);
 
@@ -67,15 +89,17 @@ export const GET: RequestHandler = async ({ params, url, cookies }) => {
 		const stats = await getContainerStats(params.id, envIdNum) as any;
 
 		const cpuPercent = calculateCpuPercent(stats);
-		const memoryUsage = stats.memory_stats?.usage || 0;
+		const memory = calculateMemoryUsage(stats.memory_stats);
 		const memoryLimit = stats.memory_stats?.limit || 1;
-		const memoryPercent = (memoryUsage / memoryLimit) * 100;
+		const memoryPercent = (memory.usage / memoryLimit) * 100;
 		const networkIO = calculateNetworkIO(stats);
 		const blockIO = calculateBlockIO(stats);
 
 		return json({
 			cpuPercent: Math.round(cpuPercent * 100) / 100,
-			memoryUsage,
+			memoryUsage: memory.usage,
+			memoryRaw: memory.raw,
+			memoryCache: memory.cache,
 			memoryLimit,
 			memoryPercent: Math.round(memoryPercent * 100) / 100,
 			networkRx: networkIO.rx,
@@ -85,6 +109,10 @@ export const GET: RequestHandler = async ({ params, url, cookies }) => {
 			timestamp: Date.now()
 		});
 	} catch (error: any) {
+		// Return 404 for deleted environments so client can clear stale cache
+		if (error instanceof EnvironmentNotFoundError) {
+			return json({ error: 'Environment not found' }, { status: 404 });
+		}
 		console.error('Failed to get container stats:', error);
 		return json({ error: error.message || 'Failed to get stats' }, { status: 500 });
 	}
diff --git a/routes/api/containers/[id]/stop/+server.ts b/src/routes/api/containers/[id]/stop/+server.ts
similarity index 100%
rename from routes/api/containers/[id]/stop/+server.ts
rename to src/routes/api/containers/[id]/stop/+server.ts
diff --git a/routes/api/containers/[id]/top/+server.ts b/src/routes/api/containers/[id]/top/+server.ts
similarity index 100%
rename from routes/api/containers/[id]/top/+server.ts
rename to src/routes/api/containers/[id]/top/+server.ts
diff --git a/routes/api/containers/[id]/unpause/+server.ts b/src/routes/api/containers/[id]/unpause/+server.ts
similarity index 100%
rename from routes/api/containers/[id]/unpause/+server.ts
rename to src/routes/api/containers/[id]/unpause/+server.ts
diff --git a/routes/api/containers/[id]/update/+server.ts b/src/routes/api/containers/[id]/update/+server.ts
similarity index 100%
rename from routes/api/containers/[id]/update/+server.ts
rename to src/routes/api/containers/[id]/update/+server.ts
diff --git a/routes/api/containers/batch-update-stream/+server.ts b/src/routes/api/containers/batch-update-stream/+server.ts
similarity index 100%
rename from routes/api/containers/batch-update-stream/+server.ts
rename to src/routes/api/containers/batch-update-stream/+server.ts
diff --git a/routes/api/containers/batch-update/+server.ts b/src/routes/api/containers/batch-update/+server.ts
similarity index 100%
rename from routes/api/containers/batch-update/+server.ts
rename to src/routes/api/containers/batch-update/+server.ts
diff --git a/routes/api/containers/check-updates/+server.ts b/src/routes/api/containers/check-updates/+server.ts
similarity index 100%
rename from routes/api/containers/check-updates/+server.ts
rename to src/routes/api/containers/check-updates/+server.ts
diff --git a/routes/api/containers/pending-updates/+server.ts b/src/routes/api/containers/pending-updates/+server.ts
similarity index 100%
rename from routes/api/containers/pending-updates/+server.ts
rename to src/routes/api/containers/pending-updates/+server.ts
diff --git a/routes/api/containers/sizes/+server.ts b/src/routes/api/containers/sizes/+server.ts
similarity index 100%
rename from routes/api/containers/sizes/+server.ts
rename to src/routes/api/containers/sizes/+server.ts
diff --git a/routes/api/containers/stats/+server.ts b/src/routes/api/containers/stats/+server.ts
similarity index 74%
rename from routes/api/containers/stats/+server.ts
rename to src/routes/api/containers/stats/+server.ts
index 60b78a5..ed1bf6e 100644
--- a/routes/api/containers/stats/+server.ts
+++ b/src/routes/api/containers/stats/+server.ts
@@ -1,6 +1,6 @@
 import { json } from '@sveltejs/kit';
 import type { RequestHandler } from './$types';
-import { listContainers, getContainerStats } from '$lib/server/docker';
+import { listContainers, getContainerStats, EnvironmentNotFoundError } from '$lib/server/docker';
 import { authorize } from '$lib/server/authorize';
 import { hasEnvironments } from '$lib/server/db';
 import type { ContainerStats } from '$lib/types';
@@ -48,6 +48,28 @@ function calculateBlockIO(stats: any): { read: number; write: number } {
 	return { read, write };
 }
 
+/**
+ * Calculate memory usage the same way Docker CLI does.
+ * Docker subtracts cache (inactive_file) from total usage to show actual memory consumption.
+ * - cgroup v2: subtract inactive_file from stats
+ * - cgroup v1: subtract total_inactive_file from stats
+ * See: https://docs.docker.com/engine/containers/runmetrics/
+ *
+ * Returns: { usage: actual memory (minus cache), raw: total usage, cache: file cache }
+ */
+function calculateMemoryUsage(memoryStats: any): { usage: number; raw: number; cache: number } {
+	const raw = memoryStats?.usage || 0;
+	const stats = memoryStats?.stats || {};
+
+	// cgroup v2 uses 'inactive_file', cgroup v1 uses 'total_inactive_file'
+	const cache = stats.inactive_file ?? stats.total_inactive_file ?? 0;
+
+	// Only subtract cache if it's less than raw usage (sanity check)
+	const usage = (cache > 0 && cache < raw) ? raw - cache : raw;
+
+	return { usage, raw, cache };
+}
+
 // Helper to add timeout to promises
 function withTimeout<T>(promise: Promise<T>, ms: number, fallback: T): Promise<T> {
 	return Promise.race([
@@ -112,10 +134,10 @@ export const GET: RequestHandler = async ({ url, cookies }) => {
 				if (!stats) return null;
 
 				const cpuPercent = calculateCpuPercent(stats);
-				// Use raw memory usage (total memory attributed to container)
-				const memoryUsage = stats.memory_stats?.usage || 0;
+				// Calculate memory usage the same way Docker CLI does (excludes cache)
+				const memory = calculateMemoryUsage(stats.memory_stats);
 				const memoryLimit = stats.memory_stats?.limit || 1;
-				const memoryPercent = (memoryUsage / memoryLimit) * 100;
+				const memoryPercent = (memory.usage / memoryLimit) * 100;
 				const networkIO = calculateNetworkIO(stats);
 				const blockIO = calculateBlockIO(stats);
 
@@ -123,7 +145,9 @@ export const GET: RequestHandler = async ({ url, cookies }) => {
 					id: container.id,
 					name: container.name,
 					cpuPercent: Math.round(cpuPercent * 100) / 100,
-					memoryUsage,
+					memoryUsage: memory.usage,
+					memoryRaw: memory.raw,
+					memoryCache: memory.cache,
 					memoryLimit,
 					memoryPercent: Math.round(memoryPercent * 100) / 100,
 					networkRx: networkIO.rx,
@@ -142,6 +166,10 @@ export const GET: RequestHandler = async ({ url, cookies }) => {
 
 		return json(validStats);
 	} catch (error: any) {
+		// Return 404 for deleted environments so client can clear stale cache
+		if (error instanceof EnvironmentNotFoundError) {
+			return json({ error: 'Environment not found' }, { status: 404 });
+		}
 		console.error('Failed to get container stats:', error);
 		return json([], { status: 200 }); // Return empty array instead of error
 	}
diff --git a/routes/api/dashboard/preferences/+server.ts b/src/routes/api/dashboard/preferences/+server.ts
similarity index 100%
rename from routes/api/dashboard/preferences/+server.ts
rename to src/routes/api/dashboard/preferences/+server.ts
diff --git a/routes/api/dashboard/stats/+server.ts b/src/routes/api/dashboard/stats/+server.ts
similarity index 99%
rename from routes/api/dashboard/stats/+server.ts
rename to src/routes/api/dashboard/stats/+server.ts
index 02bfe99..50ec6e3 100644
--- a/routes/api/dashboard/stats/+server.ts
+++ b/src/routes/api/dashboard/stats/+server.ts
@@ -52,7 +52,7 @@ export interface EnvironmentStats {
 	updateCheckAutoUpdate: boolean;
 	labels?: string[];
 	connectionType: 'socket' | 'direct' | 'hawser-standard' | 'hawser-edge';
-	online: boolean;
+	online?: boolean; // undefined = connecting, false = offline, true = online
 	error?: string;
 	containers: {
 		total: number;
diff --git a/routes/api/dashboard/stats/stream/+server.ts b/src/routes/api/dashboard/stats/stream/+server.ts
similarity index 86%
rename from routes/api/dashboard/stats/stream/+server.ts
rename to src/routes/api/dashboard/stats/stream/+server.ts
index 4fc1f8b..e8b35b4 100644
--- a/routes/api/dashboard/stats/stream/+server.ts
+++ b/src/routes/api/dashboard/stats/stream/+server.ts
@@ -12,7 +12,6 @@ import {
 	listContainers,
 	listImages,
 	listNetworks,
-	getDockerInfo,
 	getContainerStats,
 	getDiskUsage
 } from '$lib/server/docker';
@@ -95,6 +94,28 @@ function calculateCpuPercent(stats: any): number {
 	return 0;
 }
 
+/**
+ * Calculate memory usage the same way Docker CLI does.
+ * Docker subtracts cache (inactive_file) from total usage to show actual memory consumption.
+ * - cgroup v2: subtract inactive_file from stats
+ * - cgroup v1: subtract total_inactive_file from stats
+ * See: https://docs.docker.com/engine/containers/runmetrics/
+ */
+function calculateMemoryUsage(memoryStats: any): number {
+	const usage = memoryStats?.usage || 0;
+	const stats = memoryStats?.stats || {};
+
+	// cgroup v2 uses 'inactive_file', cgroup v1 uses 'total_inactive_file'
+	const cache = stats.inactive_file ?? stats.total_inactive_file ?? 0;
+
+	// Only subtract cache if it's less than usage (sanity check)
+	if (cache > 0 && cache < usage) {
+		return usage - cache;
+	}
+
+	return usage;
+}
+
 // Progressive stats loading - returns stats object and emits partial updates via callback
 async function getEnvironmentStatsProgressive(
 	env: any,
@@ -150,23 +171,9 @@ async function getEnvironmentStatsProgressive(
 			envStats.updateCheckAutoUpdate = updateCheckSettings.autoUpdate;
 		}
 
-		// Check if Docker is accessible (with 5 second timeout)
-		const dockerInfo = await withTimeout(getDockerInfo(env.id), 5000, null);
-		if (!dockerInfo) {
-			envStats.error = 'Connection timeout or Docker not accessible';
-			envStats.loading = undefined; // Clear loading states on error
-			// Send offline status to client
-			onPartialUpdate({
-				id: env.id,
-				online: false,
-				error: envStats.error,
-				loading: undefined
-			});
-			return envStats;
-		}
-		envStats.online = true;
-
 		// Get all database stats in parallel for better performance
+		// NOTE: We do NOT block on getDockerInfo() here - slow environments would block all others
+		// Instead, we determine online status from whether listContainers succeeds
 		const [latestMetrics, eventStats, recentEventsResult, metricsHistory] = await Promise.all([
 			getLatestHostMetrics(env.id),
 			getContainerEventStats(env.id),
@@ -204,10 +211,9 @@ async function getEnvironmentStatsProgressive(
 			}));
 		}
 
-		// Send initial update with DB data and online status
+		// Send initial update with DB data (online status determined later by Docker API success)
 		onPartialUpdate({
 			id: env.id,
-			online: true,
 			metrics: envStats.metrics,
 			events: envStats.events,
 			recentEvents: envStats.recentEvents,
@@ -223,9 +229,22 @@ async function getEnvironmentStatsProgressive(
 			return size && size > 0 ? size : 0;
 		};
 
-		// PHASE 1: Containers (usually fast)
-		const containersPromise = withTimeout(listContainers(true, env.id).catch(() => []), 10000, [])
+		// Track if Docker API is accessible - determined by listContainers success
+		let dockerApiAccessible = false;
+		let dockerApiError: string | null = null;
+
+		// PHASE 1: Containers (usually fast) - this determines online status
+		// Use 10s timeout - this is the critical path that determines if env is online
+		const containersPromise = withTimeout(listContainers(true, env.id), 10000, null)
 			.then(async (containers) => {
+				// Timeout returns null
+				if (containers === null) {
+					throw new Error('Connection timeout');
+				}
+				// If we got here, Docker API is accessible
+				dockerApiAccessible = true;
+				envStats.online = true;
+
 				envStats.containers.total = containers.length;
 				envStats.containers.running = containers.filter((c: any) => c.state === 'running').length;
 				envStats.containers.stopped = containers.filter((c: any) => c.state === 'exited').length;
@@ -236,11 +255,39 @@ async function getEnvironmentStatsProgressive(
 
 				onPartialUpdate({
 					id: env.id,
+					online: true,
 					containers: { ...envStats.containers },
 					loading: { ...envStats.loading! }
 				});
 
 				return containers;
+			})
+			.catch((error) => {
+				// Docker API failed - mark as offline
+				dockerApiAccessible = false;
+				const errorStr = String(error);
+				if (errorStr.includes('not connected') || errorStr.includes('Edge agent')) {
+					dockerApiError = 'Agent not connected';
+				} else if (errorStr.includes('FailedToOpenSocket') || errorStr.includes('ECONNREFUSED')) {
+					dockerApiError = 'Docker socket not accessible';
+				} else if (errorStr.includes('ECONNRESET') || errorStr.includes('connection was closed')) {
+					dockerApiError = 'Connection lost';
+				} else if (errorStr.includes('timeout') || errorStr.includes('Timeout')) {
+					dockerApiError = 'Connection timeout';
+				} else {
+					dockerApiError = 'Connection error';
+				}
+				envStats.error = dockerApiError;
+				envStats.loading!.containers = false;
+
+				onPartialUpdate({
+					id: env.id,
+					online: false,
+					error: dockerApiError,
+					loading: { ...envStats.loading! }
+				});
+
+				return [] as any[];
 			});
 
 		// PHASE 2: Images, Networks, Stacks (medium speed) - run in parallel
@@ -339,7 +386,7 @@ async function getEnvironmentStatsProgressive(
 					if (!stats) return null;
 
 					const cpuPercent = calculateCpuPercent(stats);
-					const memoryUsage = stats.memory_stats?.usage || 0;
+					const memoryUsage = calculateMemoryUsage(stats.memory_stats);
 					const memoryLimit = stats.memory_stats?.limit || 1;
 					const memoryPercent = (memoryUsage / memoryLimit) * 100;
 
diff --git a/routes/api/dependencies/+server.ts b/src/routes/api/dependencies/+server.ts
similarity index 100%
rename from routes/api/dependencies/+server.ts
rename to src/routes/api/dependencies/+server.ts
diff --git a/routes/api/environments/+server.ts b/src/routes/api/environments/+server.ts
similarity index 85%
rename from routes/api/environments/+server.ts
rename to src/routes/api/environments/+server.ts
index 790d946..46b8d71 100644
--- a/routes/api/environments/+server.ts
+++ b/src/routes/api/environments/+server.ts
@@ -1,9 +1,10 @@
 import { json } from '@sveltejs/kit';
 import type { RequestHandler } from './$types';
-import { getEnvironments, createEnvironment, assignUserRole, getRoleByName, getEnvironmentPublicIps, setEnvironmentPublicIp, getEnvUpdateCheckSettings, getEnvironmentTimezone, type Environment } from '$lib/server/db';
+import { getEnvironments, getEnvironmentByName, createEnvironment, assignUserRole, getRoleByName, getEnvironmentPublicIps, setEnvironmentPublicIp, getEnvUpdateCheckSettings, getEnvironmentTimezone, type Environment } from '$lib/server/db';
 import { authorize } from '$lib/server/authorize';
 import { refreshSubprocessEnvironments } from '$lib/server/subprocess-manager';
 import { serializeLabels, parseLabels, MAX_LABELS } from '$lib/utils/label-colors';
+import { cleanPem } from '$lib/utils/pem';
 
 export const GET: RequestHandler = async ({ cookies }) => {
 	const auth = await authorize(cookies);
@@ -69,6 +70,12 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
 			return json({ error: 'Name is required' }, { status: 400 });
 		}
 
+		// Check if environment with this name already exists
+		const existing = await getEnvironmentByName(data.name);
+		if (existing) {
+			return json({ error: 'An environment with this name already exists' }, { status: 409 });
+		}
+
 		// Host is required for direct and hawser-standard connections
 		const connectionType = data.connectionType || 'socket';
 		if ((connectionType === 'direct' || connectionType === 'hawser-standard') && !data.host) {
@@ -83,9 +90,10 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
 			host: data.host,
 			port: data.port || 2375,
 			protocol: data.protocol || 'http',
-			tlsCa: data.tlsCa,
-			tlsCert: data.tlsCert,
-			tlsKey: data.tlsKey,
+			tlsCa: cleanPem(data.tlsCa),
+			tlsCert: cleanPem(data.tlsCert),
+			tlsKey: cleanPem(data.tlsKey),
+			tlsSkipVerify: data.tlsSkipVerify || false,
 			icon: data.icon || 'globe',
 			socketPath: data.socketPath || '/var/run/docker.sock',
 			collectActivity: data.collectActivity !== false,
@@ -123,7 +131,6 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
 		return json(env);
 	} catch (error) {
 		console.error('Failed to create environment:', error);
-		const message = error instanceof Error ? error.message : 'Failed to create environment';
-		return json({ error: message }, { status: 500 });
+		return json({ error: 'Failed to create environment' }, { status: 500 });
 	}
 };
diff --git a/routes/api/environments/[id]/+server.ts b/src/routes/api/environments/[id]/+server.ts
similarity index 96%
rename from routes/api/environments/[id]/+server.ts
rename to src/routes/api/environments/[id]/+server.ts
index e290ac2..1f34bd9 100644
--- a/routes/api/environments/[id]/+server.ts
+++ b/src/routes/api/environments/[id]/+server.ts
@@ -6,6 +6,7 @@ import { deleteGitStackFiles } from '$lib/server/git';
 import { authorize } from '$lib/server/authorize';
 import { refreshSubprocessEnvironments } from '$lib/server/subprocess-manager';
 import { serializeLabels, parseLabels, MAX_LABELS } from '$lib/utils/label-colors';
+import { cleanPem } from '$lib/utils/pem';
 import { unregisterSchedule } from '$lib/server/scheduler';
 import { closeEdgeConnection } from '$lib/server/hawser';
 
@@ -62,9 +63,10 @@ export const PUT: RequestHandler = async ({ params, request, cookies }) => {
 			host: data.host,
 			port: data.port,
 			protocol: data.protocol,
-			tlsCa: data.tlsCa,
-			tlsCert: data.tlsCert,
-			tlsKey: data.tlsKey,
+			tlsCa: cleanPem(data.tlsCa),
+			tlsCert: cleanPem(data.tlsCert),
+			tlsKey: cleanPem(data.tlsKey),
+			tlsSkipVerify: data.tlsSkipVerify,
 			icon: data.icon,
 			socketPath: data.socketPath,
 			collectActivity: data.collectActivity,
diff --git a/routes/api/environments/[id]/notifications/+server.ts b/src/routes/api/environments/[id]/notifications/+server.ts
similarity index 100%
rename from routes/api/environments/[id]/notifications/+server.ts
rename to src/routes/api/environments/[id]/notifications/+server.ts
diff --git a/routes/api/environments/[id]/notifications/[notificationId]/+server.ts b/src/routes/api/environments/[id]/notifications/[notificationId]/+server.ts
similarity index 100%
rename from routes/api/environments/[id]/notifications/[notificationId]/+server.ts
rename to src/routes/api/environments/[id]/notifications/[notificationId]/+server.ts
diff --git a/routes/api/environments/[id]/test/+server.ts b/src/routes/api/environments/[id]/test/+server.ts
similarity index 100%
rename from routes/api/environments/[id]/test/+server.ts
rename to src/routes/api/environments/[id]/test/+server.ts
diff --git a/routes/api/environments/[id]/timezone/+server.ts b/src/routes/api/environments/[id]/timezone/+server.ts
similarity index 100%
rename from routes/api/environments/[id]/timezone/+server.ts
rename to src/routes/api/environments/[id]/timezone/+server.ts
diff --git a/routes/api/environments/[id]/update-check/+server.ts b/src/routes/api/environments/[id]/update-check/+server.ts
similarity index 100%
rename from routes/api/environments/[id]/update-check/+server.ts
rename to src/routes/api/environments/[id]/update-check/+server.ts
diff --git a/routes/api/environments/detect-socket/+server.ts b/src/routes/api/environments/detect-socket/+server.ts
similarity index 100%
rename from routes/api/environments/detect-socket/+server.ts
rename to src/routes/api/environments/detect-socket/+server.ts
diff --git a/routes/api/environments/test/+server.ts b/src/routes/api/environments/test/+server.ts
similarity index 76%
rename from routes/api/environments/test/+server.ts
rename to src/routes/api/environments/test/+server.ts
index f7221ff..7222c8b 100644
--- a/routes/api/environments/test/+server.ts
+++ b/src/routes/api/environments/test/+server.ts
@@ -60,50 +60,54 @@ export const POST: RequestHandler = async ({ request }) => {
 				headers['X-Hawser-Token'] = config.hawserToken;
 			}
 
-			// For HTTPS with custom CA or skip verification, use subprocess to avoid Vite dev server TLS issues
-			if (protocol === 'https' && (config.tlsCa || config.tlsSkipVerify)) {
-				const fs = await import('node:fs');
-				let tempCaPath = '';
-
-				// Clean the certificate - remove leading/trailing whitespace from each line
-				let cleanedCa = '';
-				if (config.tlsCa && !config.tlsSkipVerify) {
-					cleanedCa = config.tlsCa
-						.split('\n')
-						.map((line) => line.trim())
-						.filter((line) => line.length > 0)
-						.join('\n');
-
-					tempCaPath = `/tmp/dockhand-ca-${Date.now()}.pem`;
-					fs.writeFileSync(tempCaPath, cleanedCa);
-				}
-
-				// Build Bun script that runs outside Vite's process (Vite interferes with TLS)
-				const tlsConfig = config.tlsSkipVerify
-					? `tls: { rejectUnauthorized: false }`
-					: `tls: { ca: await Bun.file('${tempCaPath}').text() }`;
-
+			// For HTTPS with custom CA, client certs, or skip verification, use subprocess to avoid Vite dev server TLS issues
+			if (protocol === 'https' && (config.tlsCa || config.tlsCert || config.tlsSkipVerify)) {
+				// Clean PEM content (remove extra whitespace)
+				const cleanPem = (pem: string) => pem
+					.split('\n')
+					.map((line) => line.trim())
+					.filter((line) => line.length > 0)
+					.join('\n');
+
+				// Pass config as base64-encoded JSON to avoid escaping issues
+				const tlsConfig = {
+					url: `https://${host}:${port}/info`,
+					headers,
+					tlsSkipVerify: config.tlsSkipVerify || false,
+					ca: config.tlsCa && !config.tlsSkipVerify ? cleanPem(config.tlsCa) : null,
+					cert: config.tlsCert ? cleanPem(config.tlsCert) : null,
+					key: config.tlsKey ? cleanPem(config.tlsKey) : null,
+					host
+				};
+				const configBase64 = Buffer.from(JSON.stringify(tlsConfig)).toString('base64');
+
+				// Inline script with config embedded (bun -e doesn't pass argv correctly)
 				const scriptContent = `
-const response = await fetch('https://${host}:${port}/info', {
-  headers: ${JSON.stringify(headers)},
-  ${tlsConfig}
-});
-const body = await response.text();
-console.log(JSON.stringify({ status: response.status, body }));
+const config = JSON.parse(Buffer.from('${configBase64}', 'base64').toString());
+try {
+  const tls = {
+    sessionTimeout: 0,
+    servername: config.host,
+    rejectUnauthorized: !config.tlsSkipVerify
+  };
+  if (config.ca) tls.ca = [config.ca];
+  if (config.cert) tls.cert = [config.cert];
+  if (config.key) tls.key = config.key;
+  const response = await fetch(config.url, {
+    headers: config.headers,
+    tls,
+    keepalive: false
+  });
+  const body = await response.text();
+  console.log(JSON.stringify({ status: response.status, body }));
+} catch (e) {
+  console.log(JSON.stringify({ error: e.message }));
+}
 `;
-				const scriptPath = `/tmp/dockhand-test-${Date.now()}.ts`;
-				fs.writeFileSync(scriptPath, scriptContent);
-
-				const proc = Bun.spawn(['bun', scriptPath], { stdout: 'pipe', stderr: 'pipe' });
+				const proc = Bun.spawn(['bun', '-e', scriptContent], { stdout: 'pipe', stderr: 'pipe' });
 				const output = await new Response(proc.stdout).text();
 				const stderr = await new Response(proc.stderr).text();
 
-				// Cleanup temp files
-				if (tempCaPath) {
-					try { fs.unlinkSync(tempCaPath); } catch {}
-				}
-				try { fs.unlinkSync(scriptPath); } catch {}
-
 				if (!output.trim()) {
 					throw new Error(stderr || 'Empty response from TLS test subprocess');
 				}
diff --git a/routes/api/events/+server.ts b/src/routes/api/events/+server.ts
similarity index 89%
rename from routes/api/events/+server.ts
rename to src/routes/api/events/+server.ts
index caeb8c0..2ade909 100644
--- a/routes/api/events/+server.ts
+++ b/src/routes/api/events/+server.ts
@@ -1,5 +1,5 @@
 import type { RequestHandler } from './$types';
-import { getDockerEvents } from '$lib/server/docker';
+import { getDockerEvents, EnvironmentNotFoundError } from '$lib/server/docker';
 import { getEnvironment } from '$lib/server/db';
 
 export const GET: RequestHandler = async ({ url }) => {
@@ -118,8 +118,13 @@ export const GET: RequestHandler = async ({ url }) => {
 
 				processEvents();
 			} catch (error: any) {
-				console.error('Failed to connect to Docker events:', error);
-				sendEvent('error', { message: error.message || 'Failed to connect to Docker' });
+				if (error instanceof EnvironmentNotFoundError) {
+					// Expected error when environment doesn't exist - don't spam logs
+					sendEvent('error', { message: 'Environment not found' });
+				} else {
+					console.error('Failed to connect to Docker events:', error);
+					sendEvent('error', { message: error.message || 'Failed to connect to Docker' });
+				}
 				clearInterval(heartbeatInterval);
 				controller.close();
 			}
diff --git a/routes/api/git/credentials/+server.ts b/src/routes/api/git/credentials/+server.ts
similarity index 100%
rename from routes/api/git/credentials/+server.ts
rename to src/routes/api/git/credentials/+server.ts
diff --git a/routes/api/git/credentials/[id]/+server.ts b/src/routes/api/git/credentials/[id]/+server.ts
similarity index 100%
rename from routes/api/git/credentials/[id]/+server.ts
rename to src/routes/api/git/credentials/[id]/+server.ts
diff --git a/routes/api/git/repositories/+server.ts b/src/routes/api/git/repositories/+server.ts
similarity index 100%
rename from routes/api/git/repositories/+server.ts
rename to src/routes/api/git/repositories/+server.ts
diff --git a/routes/api/git/repositories/[id]/+server.ts b/src/routes/api/git/repositories/[id]/+server.ts
similarity index 100%
rename from routes/api/git/repositories/[id]/+server.ts
rename to src/routes/api/git/repositories/[id]/+server.ts
diff --git a/routes/api/git/repositories/[id]/deploy/+server.ts b/src/routes/api/git/repositories/[id]/deploy/+server.ts
similarity index 100%
rename from routes/api/git/repositories/[id]/deploy/+server.ts
rename to src/routes/api/git/repositories/[id]/deploy/+server.ts
diff --git a/routes/api/git/repositories/[id]/sync/+server.ts b/src/routes/api/git/repositories/[id]/sync/+server.ts
similarity index 100%
rename from routes/api/git/repositories/[id]/sync/+server.ts
rename to src/routes/api/git/repositories/[id]/sync/+server.ts
diff --git a/routes/api/git/repositories/[id]/test/+server.ts b/src/routes/api/git/repositories/[id]/test/+server.ts
similarity index 100%
rename from routes/api/git/repositories/[id]/test/+server.ts
rename to src/routes/api/git/repositories/[id]/test/+server.ts
diff --git a/routes/api/git/repositories/test/+server.ts b/src/routes/api/git/repositories/test/+server.ts
similarity index 100%
rename from routes/api/git/repositories/test/+server.ts
rename to src/routes/api/git/repositories/test/+server.ts
diff --git a/routes/api/git/stacks/+server.ts b/src/routes/api/git/stacks/+server.ts
similarity index 97%
rename from routes/api/git/stacks/+server.ts
rename to src/routes/api/git/stacks/+server.ts
index 22e5f28..f769413 100644
--- a/routes/api/git/stacks/+server.ts
+++ b/src/routes/api/git/stacks/+server.ts
@@ -11,7 +11,7 @@ import {
 import { deployGitStack } from '$lib/server/git';
 import { authorize } from '$lib/server/authorize';
 import { registerSchedule } from '$lib/server/scheduler';
-import crypto from 'node:crypto';
+import { secureRandomBytes } from '$lib/server/crypto-fallback';
 
 export const GET: RequestHandler = async ({ url, cookies }) => {
 	const auth = await authorize(cookies);
@@ -94,7 +94,7 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
 		// Generate webhook secret if webhook is enabled
 		let webhookSecret = data.webhookSecret;
 		if (data.webhookEnabled && !webhookSecret) {
-			webhookSecret = crypto.randomBytes(32).toString('hex');
+			webhookSecret = secureRandomBytes(32).toString('hex');
 		}
 
 		const gitStack = await createGitStack({
diff --git a/routes/api/git/stacks/[id]/+server.ts b/src/routes/api/git/stacks/[id]/+server.ts
similarity index 100%
rename from routes/api/git/stacks/[id]/+server.ts
rename to src/routes/api/git/stacks/[id]/+server.ts
diff --git a/routes/api/git/stacks/[id]/deploy-stream/+server.ts b/src/routes/api/git/stacks/[id]/deploy-stream/+server.ts
similarity index 100%
rename from routes/api/git/stacks/[id]/deploy-stream/+server.ts
rename to src/routes/api/git/stacks/[id]/deploy-stream/+server.ts
diff --git a/routes/api/git/stacks/[id]/deploy/+server.ts b/src/routes/api/git/stacks/[id]/deploy/+server.ts
similarity index 100%
rename from routes/api/git/stacks/[id]/deploy/+server.ts
rename to src/routes/api/git/stacks/[id]/deploy/+server.ts
diff --git a/routes/api/git/stacks/[id]/env-files/+server.ts b/src/routes/api/git/stacks/[id]/env-files/+server.ts
similarity index 100%
rename from routes/api/git/stacks/[id]/env-files/+server.ts
rename to src/routes/api/git/stacks/[id]/env-files/+server.ts
diff --git a/routes/api/git/stacks/[id]/sync/+server.ts b/src/routes/api/git/stacks/[id]/sync/+server.ts
similarity index 100%
rename from routes/api/git/stacks/[id]/sync/+server.ts
rename to src/routes/api/git/stacks/[id]/sync/+server.ts
diff --git a/routes/api/git/stacks/[id]/test/+server.ts b/src/routes/api/git/stacks/[id]/test/+server.ts
similarity index 100%
rename from routes/api/git/stacks/[id]/test/+server.ts
rename to src/routes/api/git/stacks/[id]/test/+server.ts
diff --git a/routes/api/git/stacks/[id]/webhook/+server.ts b/src/routes/api/git/stacks/[id]/webhook/+server.ts
similarity index 100%
rename from routes/api/git/stacks/[id]/webhook/+server.ts
rename to src/routes/api/git/stacks/[id]/webhook/+server.ts
diff --git a/routes/api/git/webhook/[id]/+server.ts b/src/routes/api/git/webhook/[id]/+server.ts
similarity index 100%
rename from routes/api/git/webhook/[id]/+server.ts
rename to src/routes/api/git/webhook/[id]/+server.ts
diff --git a/routes/api/hawser/connect/+server.ts b/src/routes/api/hawser/connect/+server.ts
similarity index 100%
rename from routes/api/hawser/connect/+server.ts
rename to src/routes/api/hawser/connect/+server.ts
diff --git a/routes/api/hawser/tokens/+server.ts b/src/routes/api/hawser/tokens/+server.ts
similarity index 100%
rename from routes/api/hawser/tokens/+server.ts
rename to src/routes/api/hawser/tokens/+server.ts
diff --git a/routes/api/health/+server.ts b/src/routes/api/health/+server.ts
similarity index 100%
rename from routes/api/health/+server.ts
rename to src/routes/api/health/+server.ts
diff --git a/routes/api/health/database/+server.ts b/src/routes/api/health/database/+server.ts
similarity index 100%
rename from routes/api/health/database/+server.ts
rename to src/routes/api/health/database/+server.ts
diff --git a/routes/api/host/+server.ts b/src/routes/api/host/+server.ts
similarity index 100%
rename from routes/api/host/+server.ts
rename to src/routes/api/host/+server.ts
diff --git a/routes/api/images/+server.ts b/src/routes/api/images/+server.ts
similarity index 100%
rename from routes/api/images/+server.ts
rename to src/routes/api/images/+server.ts
diff --git a/routes/api/images/[id]/+server.ts b/src/routes/api/images/[id]/+server.ts
similarity index 100%
rename from routes/api/images/[id]/+server.ts
rename to src/routes/api/images/[id]/+server.ts
diff --git a/routes/api/images/[id]/export/+server.ts b/src/routes/api/images/[id]/export/+server.ts
similarity index 100%
rename from routes/api/images/[id]/export/+server.ts
rename to src/routes/api/images/[id]/export/+server.ts
diff --git a/routes/api/images/[id]/history/+server.ts b/src/routes/api/images/[id]/history/+server.ts
similarity index 100%
rename from routes/api/images/[id]/history/+server.ts
rename to src/routes/api/images/[id]/history/+server.ts
diff --git a/routes/api/images/[id]/tag/+server.ts b/src/routes/api/images/[id]/tag/+server.ts
similarity index 100%
rename from routes/api/images/[id]/tag/+server.ts
rename to src/routes/api/images/[id]/tag/+server.ts
diff --git a/routes/api/images/pull/+server.ts b/src/routes/api/images/pull/+server.ts
similarity index 100%
rename from routes/api/images/pull/+server.ts
rename to src/routes/api/images/pull/+server.ts
diff --git a/routes/api/images/push/+server.ts b/src/routes/api/images/push/+server.ts
similarity index 100%
rename from routes/api/images/push/+server.ts
rename to src/routes/api/images/push/+server.ts
diff --git a/routes/api/images/scan/+server.ts b/src/routes/api/images/scan/+server.ts
similarity index 100%
rename from routes/api/images/scan/+server.ts
rename to src/routes/api/images/scan/+server.ts
diff --git a/routes/api/legal/license/+server.ts b/src/routes/api/legal/license/+server.ts
similarity index 100%
rename from routes/api/legal/license/+server.ts
rename to src/routes/api/legal/license/+server.ts
diff --git a/routes/api/legal/privacy/+server.ts b/src/routes/api/legal/privacy/+server.ts
similarity index 100%
rename from routes/api/legal/privacy/+server.ts
rename to src/routes/api/legal/privacy/+server.ts
diff --git a/routes/api/license/+server.ts b/src/routes/api/license/+server.ts
similarity index 100%
rename from routes/api/license/+server.ts
rename to src/routes/api/license/+server.ts
diff --git a/routes/api/logs/merged/+server.ts b/src/routes/api/logs/merged/+server.ts
similarity index 100%
rename from routes/api/logs/merged/+server.ts
rename to src/routes/api/logs/merged/+server.ts
diff --git a/routes/api/metrics/+server.ts b/src/routes/api/metrics/+server.ts
similarity index 100%
rename from routes/api/metrics/+server.ts
rename to src/routes/api/metrics/+server.ts
diff --git a/routes/api/networks/+server.ts b/src/routes/api/networks/+server.ts
similarity index 100%
rename from routes/api/networks/+server.ts
rename to src/routes/api/networks/+server.ts
diff --git a/routes/api/networks/[id]/+server.ts b/src/routes/api/networks/[id]/+server.ts
similarity index 100%
rename from routes/api/networks/[id]/+server.ts
rename to src/routes/api/networks/[id]/+server.ts
diff --git a/routes/api/networks/[id]/connect/+server.ts b/src/routes/api/networks/[id]/connect/+server.ts
similarity index 100%
rename from routes/api/networks/[id]/connect/+server.ts
rename to src/routes/api/networks/[id]/connect/+server.ts
diff --git a/routes/api/networks/[id]/disconnect/+server.ts b/src/routes/api/networks/[id]/disconnect/+server.ts
similarity index 100%
rename from routes/api/networks/[id]/disconnect/+server.ts
rename to src/routes/api/networks/[id]/disconnect/+server.ts
diff --git a/routes/api/networks/[id]/inspect/+server.ts b/src/routes/api/networks/[id]/inspect/+server.ts
similarity index 100%
rename from routes/api/networks/[id]/inspect/+server.ts
rename to src/routes/api/networks/[id]/inspect/+server.ts
diff --git a/routes/api/notifications/+server.ts b/src/routes/api/notifications/+server.ts
similarity index 100%
rename from routes/api/notifications/+server.ts
rename to src/routes/api/notifications/+server.ts
diff --git a/routes/api/notifications/[id]/+server.ts b/src/routes/api/notifications/[id]/+server.ts
similarity index 100%
rename from routes/api/notifications/[id]/+server.ts
rename to src/routes/api/notifications/[id]/+server.ts
diff --git a/routes/api/notifications/[id]/test/+server.ts b/src/routes/api/notifications/[id]/test/+server.ts
similarity index 100%
rename from routes/api/notifications/[id]/test/+server.ts
rename to src/routes/api/notifications/[id]/test/+server.ts
diff --git a/routes/api/notifications/test/+server.ts b/src/routes/api/notifications/test/+server.ts
similarity index 100%
rename from routes/api/notifications/test/+server.ts
rename to src/routes/api/notifications/test/+server.ts
diff --git a/routes/api/notifications/trigger-test/+server.ts b/src/routes/api/notifications/trigger-test/+server.ts
similarity index 100%
rename from routes/api/notifications/trigger-test/+server.ts
rename to src/routes/api/notifications/trigger-test/+server.ts
diff --git a/routes/api/preferences/favorite-groups/+server.ts b/src/routes/api/preferences/favorite-groups/+server.ts
similarity index 100%
rename from routes/api/preferences/favorite-groups/+server.ts
rename to src/routes/api/preferences/favorite-groups/+server.ts
diff --git a/routes/api/preferences/favorites/+server.ts b/src/routes/api/preferences/favorites/+server.ts
similarity index 100%
rename from routes/api/preferences/favorites/+server.ts
rename to src/routes/api/preferences/favorites/+server.ts
diff --git a/routes/api/preferences/grid/+server.ts b/src/routes/api/preferences/grid/+server.ts
similarity index 100%
rename from routes/api/preferences/grid/+server.ts
rename to src/routes/api/preferences/grid/+server.ts
diff --git a/routes/api/profile/+server.ts b/src/routes/api/profile/+server.ts
similarity index 100%
rename from routes/api/profile/+server.ts
rename to src/routes/api/profile/+server.ts
diff --git a/routes/api/profile/avatar/+server.ts b/src/routes/api/profile/avatar/+server.ts
similarity index 100%
rename from routes/api/profile/avatar/+server.ts
rename to src/routes/api/profile/avatar/+server.ts
diff --git a/routes/api/profile/preferences/+server.ts b/src/routes/api/profile/preferences/+server.ts
similarity index 100%
rename from routes/api/profile/preferences/+server.ts
rename to src/routes/api/profile/preferences/+server.ts
diff --git a/routes/api/prune/all/+server.ts b/src/routes/api/prune/all/+server.ts
similarity index 100%
rename from routes/api/prune/all/+server.ts
rename to src/routes/api/prune/all/+server.ts
diff --git a/routes/api/prune/containers/+server.ts b/src/routes/api/prune/containers/+server.ts
similarity index 100%
rename from routes/api/prune/containers/+server.ts
rename to src/routes/api/prune/containers/+server.ts
diff --git a/routes/api/prune/images/+server.ts b/src/routes/api/prune/images/+server.ts
similarity index 100%
rename from routes/api/prune/images/+server.ts
rename to src/routes/api/prune/images/+server.ts
diff --git a/routes/api/prune/networks/+server.ts b/src/routes/api/prune/networks/+server.ts
similarity index 100%
rename from routes/api/prune/networks/+server.ts
rename to src/routes/api/prune/networks/+server.ts
diff --git a/routes/api/prune/volumes/+server.ts b/src/routes/api/prune/volumes/+server.ts
similarity index 100%
rename from routes/api/prune/volumes/+server.ts
rename to src/routes/api/prune/volumes/+server.ts
diff --git a/routes/api/registries/+server.ts b/src/routes/api/registries/+server.ts
similarity index 100%
rename from routes/api/registries/+server.ts
rename to src/routes/api/registries/+server.ts
diff --git a/routes/api/registries/[id]/+server.ts b/src/routes/api/registries/[id]/+server.ts
similarity index 100%
rename from routes/api/registries/[id]/+server.ts
rename to src/routes/api/registries/[id]/+server.ts
diff --git a/routes/api/registries/[id]/default/+server.ts b/src/routes/api/registries/[id]/default/+server.ts
similarity index 100%
rename from routes/api/registries/[id]/default/+server.ts
rename to src/routes/api/registries/[id]/default/+server.ts
diff --git a/routes/api/registry/catalog/+server.ts b/src/routes/api/registry/catalog/+server.ts
similarity index 100%
rename from routes/api/registry/catalog/+server.ts
rename to src/routes/api/registry/catalog/+server.ts
diff --git a/routes/api/registry/image/+server.ts b/src/routes/api/registry/image/+server.ts
similarity index 100%
rename from routes/api/registry/image/+server.ts
rename to src/routes/api/registry/image/+server.ts
diff --git a/routes/api/registry/search/+server.ts b/src/routes/api/registry/search/+server.ts
similarity index 100%
rename from routes/api/registry/search/+server.ts
rename to src/routes/api/registry/search/+server.ts
diff --git a/routes/api/registry/tags/+server.ts b/src/routes/api/registry/tags/+server.ts
similarity index 76%
rename from routes/api/registry/tags/+server.ts
rename to src/routes/api/registry/tags/+server.ts
index cba2360..b19312a 100644
--- a/routes/api/registry/tags/+server.ts
+++ b/src/routes/api/registry/tags/+server.ts
@@ -16,7 +16,16 @@ function isDockerHub(url: string): boolean {
 		   lower.includes('registry.hub.docker.com');
 }
 
-async function fetchDockerHubTags(imageName: string): Promise<TagInfo[]> {
+interface PaginatedTags {
+	tags: TagInfo[];
+	total: number;
+	page: number;
+	pageSize: number;
+	hasNext: boolean;
+	hasPrev: boolean;
+}
+
+async function fetchDockerHubTags(imageName: string, page: number = 1, pageSize: number = 20): Promise<PaginatedTags> {
 	// Docker Hub uses a different API
 	// For official images: https://hub.docker.com/v2/repositories/library/<image>/tags
 	// For user images: https://hub.docker.com/v2/repositories/<user>/<image>/tags
@@ -27,7 +36,7 @@ async function fetchDockerHubTags(imageName: string): Promise<TagInfo[]> {
 		repoPath = `library/${imageName}`;
 	}
 
-	const url = `https://hub.docker.com/v2/repositories/${repoPath}/tags?page_size=100&ordering=last_updated`;
+	const url = `https://hub.docker.com/v2/repositories/${repoPath}/tags?page_size=${pageSize}&page=${page}&ordering=last_updated`;
 
 	const response = await fetch(url, {
 		headers: {
@@ -45,12 +54,21 @@ async function fetchDockerHubTags(imageName: string): Promise<TagInfo[]> {
 	const data = await response.json();
 	const results = data.results || [];
 
-	return results.map((tag: any) => ({
+	const tags = results.map((tag: any) => ({
 		name: tag.name,
 		size: tag.full_size || tag.images?.[0]?.size,
 		lastUpdated: tag.last_updated || tag.tag_last_pushed,
 		digest: tag.images?.[0]?.digest
 	}));
+
+	return {
+		tags,
+		total: data.count || 0,
+		page,
+		pageSize,
+		hasNext: !!data.next,
+		hasPrev: !!data.previous
+	};
 }
 
 async function fetchRegistryTags(registry: any, imageName: string): Promise<TagInfo[]> {
@@ -104,16 +122,18 @@ export const GET: RequestHandler = async ({ url }) => {
 	try {
 		const registryId = url.searchParams.get('registry');
 		const imageName = url.searchParams.get('image');
+		const page = parseInt(url.searchParams.get('page') || '1');
+		const pageSize = parseInt(url.searchParams.get('pageSize') || '20');
 
 		if (!imageName) {
 			return json({ error: 'Image name is required' }, { status: 400 });
 		}
 
-		let tags: TagInfo[];
+		let result: PaginatedTags;
 
 		if (!registryId) {
 			// No registry specified, assume Docker Hub
-			tags = await fetchDockerHubTags(imageName);
+			result = await fetchDockerHubTags(imageName, page, pageSize);
 		} else {
 			const registry = await getRegistry(parseInt(registryId));
 			if (!registry) {
@@ -121,13 +141,22 @@ export const GET: RequestHandler = async ({ url }) => {
 			}
 
 			if (isDockerHub(registry.url)) {
-				tags = await fetchDockerHubTags(imageName);
+				result = await fetchDockerHubTags(imageName, page, pageSize);
 			} else {
-				tags = await fetchRegistryTags(registry, imageName);
+				// V2 registries don't support pagination well, return all tags
+				const tags = await fetchRegistryTags(registry, imageName);
+				result = {
+					tags,
+					total: tags.length,
+					page: 1,
+					pageSize: tags.length,
+					hasNext: false,
+					hasPrev: false
+				};
 			}
 		}
 
-		return json(tags);
+		return json(result);
 	} catch (error: any) {
 		console.error('Error fetching tags:', error);
 
diff --git a/routes/api/roles/+server.ts b/src/routes/api/roles/+server.ts
similarity index 100%
rename from routes/api/roles/+server.ts
rename to src/routes/api/roles/+server.ts
diff --git a/routes/api/roles/[id]/+server.ts b/src/routes/api/roles/[id]/+server.ts
similarity index 100%
rename from routes/api/roles/[id]/+server.ts
rename to src/routes/api/roles/[id]/+server.ts
diff --git a/routes/api/schedules/+server.ts b/src/routes/api/schedules/+server.ts
similarity index 100%
rename from routes/api/schedules/+server.ts
rename to src/routes/api/schedules/+server.ts
diff --git a/routes/api/schedules/[type]/[id]/+server.ts b/src/routes/api/schedules/[type]/[id]/+server.ts
similarity index 100%
rename from routes/api/schedules/[type]/[id]/+server.ts
rename to src/routes/api/schedules/[type]/[id]/+server.ts
diff --git a/routes/api/schedules/[type]/[id]/run/+server.ts b/src/routes/api/schedules/[type]/[id]/run/+server.ts
similarity index 100%
rename from routes/api/schedules/[type]/[id]/run/+server.ts
rename to src/routes/api/schedules/[type]/[id]/run/+server.ts
diff --git a/routes/api/schedules/[type]/[id]/toggle/+server.ts b/src/routes/api/schedules/[type]/[id]/toggle/+server.ts
similarity index 100%
rename from routes/api/schedules/[type]/[id]/toggle/+server.ts
rename to src/routes/api/schedules/[type]/[id]/toggle/+server.ts
diff --git a/routes/api/schedules/executions/+server.ts b/src/routes/api/schedules/executions/+server.ts
similarity index 100%
rename from routes/api/schedules/executions/+server.ts
rename to src/routes/api/schedules/executions/+server.ts
diff --git a/routes/api/schedules/executions/[id]/+server.ts b/src/routes/api/schedules/executions/[id]/+server.ts
similarity index 100%
rename from routes/api/schedules/executions/[id]/+server.ts
rename to src/routes/api/schedules/executions/[id]/+server.ts
diff --git a/routes/api/schedules/settings/+server.ts b/src/routes/api/schedules/settings/+server.ts
similarity index 100%
rename from routes/api/schedules/settings/+server.ts
rename to src/routes/api/schedules/settings/+server.ts
diff --git a/routes/api/schedules/stream/+server.ts b/src/routes/api/schedules/stream/+server.ts
similarity index 100%
rename from routes/api/schedules/stream/+server.ts
rename to src/routes/api/schedules/stream/+server.ts
diff --git a/routes/api/schedules/system/[id]/toggle/+server.ts b/src/routes/api/schedules/system/[id]/toggle/+server.ts
similarity index 100%
rename from routes/api/schedules/system/[id]/toggle/+server.ts
rename to src/routes/api/schedules/system/[id]/toggle/+server.ts
diff --git a/routes/api/settings/general/+server.ts b/src/routes/api/settings/general/+server.ts
similarity index 74%
rename from routes/api/settings/general/+server.ts
rename to src/routes/api/settings/general/+server.ts
index 6cd65ba..012429d 100644
--- a/routes/api/settings/general/+server.ts
+++ b/src/routes/api/settings/general/+server.ts
@@ -15,14 +15,26 @@ import {
 	getEventCleanupEnabled,
 	setEventCleanupEnabled,
 	getDefaultTimezone,
-	setDefaultTimezone
+	setDefaultTimezone,
+	getEventCollectionMode,
+	setEventCollectionMode,
+	getEventPollInterval,
+	setEventPollInterval,
+	getMetricsCollectionInterval,
+	setMetricsCollectionInterval,
+	getExternalStackPaths,
+	setExternalStackPaths,
+	getPrimaryStackLocation,
+	setPrimaryStackLocation
 } from '$lib/server/db';
 import { authorize } from '$lib/server/authorize';
 import { refreshSystemJobs } from '$lib/server/scheduler';
+import { sendToEventSubprocess, sendToMetricsSubprocess, type UpdateIntervalCommand } from '$lib/server/subprocess-manager';
 
 export type TimeFormat = '12h' | '24h';
 export type DateFormat = 'MM/DD/YYYY' | 'DD/MM/YYYY' | 'YYYY-MM-DD' | 'DD.MM.YYYY';
 export type DownloadFormat = 'tar' | 'tar.gz';
+export type EventCollectionMode = 'stream' | 'poll';
 
 export interface GeneralSettings {
 	confirmDestructive: boolean;
@@ -41,6 +53,10 @@ export interface GeneralSettings {
 	eventCleanupEnabled: boolean;
 	logBufferSizeKb: number;
 	defaultTimezone: string;
+	// Background monitoring settings
+	eventCollectionMode: EventCollectionMode;
+	eventPollInterval: number;
+	metricsCollectionInterval: number;
 	// Theme settings (for when auth is disabled)
 	lightTheme: string;
 	darkTheme: string;
@@ -48,6 +64,10 @@ export interface GeneralSettings {
 	fontSize: string;
 	gridFontSize: string;
 	terminalFont: string;
+	// External stack paths
+	externalStackPaths: string[];
+	// Primary stack location
+	primaryStackLocation: string | null;
 }
 
 const DEFAULT_SETTINGS: Omit<GeneralSettings, 'scheduleRetentionDays' | 'eventRetentionDays' | 'scheduleCleanupCron' | 'eventCleanupCron' | 'scheduleCleanupEnabled' | 'eventCleanupEnabled'> = {
@@ -61,6 +81,9 @@ const DEFAULT_SETTINGS: Omit<GeneralSettings, 'scheduleRetentionDays' | 'eventRe
 	defaultTrivyArgs: 'image --format json {image}',
 	logBufferSizeKb: 500,
 	defaultTimezone: 'UTC',
+	eventCollectionMode: 'stream',
+	eventPollInterval: 60000,
+	metricsCollectionInterval: 30000,
 	lightTheme: 'default',
 	darkTheme: 'default',
 	font: 'system',
@@ -104,12 +127,17 @@ export const GET: RequestHandler = async ({ cookies }) => {
 			eventCleanupEnabled,
 			logBufferSizeKb,
 			defaultTimezone,
+			eventCollectionMode,
+			eventPollInterval,
+			metricsCollectionInterval,
 			lightTheme,
 			darkTheme,
 			font,
 			fontSize,
 			gridFontSize,
-			terminalFont
+			terminalFont,
+			externalStackPaths,
+			primaryStackLocation
 		] = await Promise.all([
 			getSetting('confirm_destructive'),
 			getSetting('show_stopped_containers'),
@@ -127,12 +155,17 @@ export const GET: RequestHandler = async ({ cookies }) => {
 			getEventCleanupEnabled(),
 			getSetting('log_buffer_size_kb'),
 			getDefaultTimezone(),
+			getEventCollectionMode(),
+			getEventPollInterval(),
+			getMetricsCollectionInterval(),
 			getSetting('theme_light'),
 			getSetting('theme_dark'),
 			getSetting('theme_font'),
 			getSetting('theme_font_size'),
 			getSetting('theme_grid_font_size'),
-			getSetting('theme_terminal_font')
+			getSetting('theme_terminal_font'),
+			getExternalStackPaths(),
+			getPrimaryStackLocation()
 		]);
 
 		const settings: GeneralSettings = {
@@ -152,12 +185,17 @@ export const GET: RequestHandler = async ({ cookies }) => {
 			eventCleanupEnabled,
 			logBufferSizeKb: logBufferSizeKb ?? DEFAULT_SETTINGS.logBufferSizeKb,
 			defaultTimezone: defaultTimezone ?? DEFAULT_SETTINGS.defaultTimezone,
+			eventCollectionMode: (eventCollectionMode ?? DEFAULT_SETTINGS.eventCollectionMode) as EventCollectionMode,
+			eventPollInterval: eventPollInterval ?? DEFAULT_SETTINGS.eventPollInterval,
+			metricsCollectionInterval: metricsCollectionInterval ?? DEFAULT_SETTINGS.metricsCollectionInterval,
 			lightTheme: lightTheme ?? DEFAULT_SETTINGS.lightTheme,
 			darkTheme: darkTheme ?? DEFAULT_SETTINGS.darkTheme,
 			font: font ?? DEFAULT_SETTINGS.font,
 			fontSize: fontSize ?? DEFAULT_SETTINGS.fontSize,
 			gridFontSize: gridFontSize ?? DEFAULT_SETTINGS.gridFontSize,
-			terminalFont: terminalFont ?? DEFAULT_SETTINGS.terminalFont
+			terminalFont: terminalFont ?? DEFAULT_SETTINGS.terminalFont,
+			externalStackPaths,
+			primaryStackLocation
 		};
 
 		return json(settings);
@@ -175,7 +213,7 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
 
 	try {
 		const body = await request.json();
-		const { confirmDestructive, showStoppedContainers, highlightUpdates, timeFormat, dateFormat, downloadFormat, defaultGrypeArgs, defaultTrivyArgs, scheduleRetentionDays, eventRetentionDays, scheduleCleanupCron, eventCleanupCron, scheduleCleanupEnabled, eventCleanupEnabled, logBufferSizeKb, defaultTimezone, lightTheme, darkTheme, font, fontSize, gridFontSize, terminalFont } = body;
+		const { confirmDestructive, showStoppedContainers, highlightUpdates, timeFormat, dateFormat, downloadFormat, defaultGrypeArgs, defaultTrivyArgs, scheduleRetentionDays, eventRetentionDays, scheduleCleanupCron, eventCleanupCron, scheduleCleanupEnabled, eventCleanupEnabled, logBufferSizeKb, defaultTimezone, eventCollectionMode, eventPollInterval, metricsCollectionInterval, lightTheme, darkTheme, font, fontSize, gridFontSize, terminalFont, externalStackPaths, primaryStackLocation } = body;
 
 		if (confirmDestructive !== undefined) {
 			await setSetting('confirm_destructive', confirmDestructive);
@@ -228,6 +266,25 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
 			// Refresh system jobs to use the new timezone
 			await refreshSystemJobs();
 		}
+		if (eventCollectionMode !== undefined && (eventCollectionMode === 'stream' || eventCollectionMode === 'poll')) {
+			await setEventCollectionMode(eventCollectionMode);
+			// Notify event subprocess to refresh collectors with new mode
+			sendToEventSubprocess({ type: 'refresh_environments' });
+		}
+		if (eventPollInterval !== undefined && typeof eventPollInterval === 'number') {
+			// Validate: 30s - 300s (30 seconds to 5 minutes)
+			const validatedInterval = Math.max(30000, Math.min(300000, eventPollInterval));
+			await setEventPollInterval(validatedInterval);
+			// Notify event subprocess to refresh collectors with new interval
+			sendToEventSubprocess({ type: 'refresh_environments' });
+		}
+		if (metricsCollectionInterval !== undefined && typeof metricsCollectionInterval === 'number') {
+			// Validate: 10s - 300s (10 seconds to 5 minutes)
+			const validatedInterval = Math.max(10000, Math.min(300000, metricsCollectionInterval));
+			await setMetricsCollectionInterval(validatedInterval);
+			// Notify metrics subprocess to update its collection interval
+			sendToMetricsSubprocess({ type: 'update_interval', intervalMs: validatedInterval });
+		}
 		if (lightTheme !== undefined && VALID_LIGHT_THEMES.includes(lightTheme)) {
 			await setSetting('theme_light', lightTheme);
 		}
@@ -246,6 +303,20 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
 		if (terminalFont !== undefined && VALID_TERMINAL_FONTS.includes(terminalFont)) {
 			await setSetting('theme_terminal_font', terminalFont);
 		}
+		if (externalStackPaths !== undefined && Array.isArray(externalStackPaths)) {
+			// Filter to valid non-empty strings
+			const validPaths = externalStackPaths.filter((p: unknown) => typeof p === 'string' && p.trim());
+			await setExternalStackPaths(validPaths);
+		}
+		if (primaryStackLocation !== undefined) {
+			// Accept string or null
+			if (primaryStackLocation === null || (typeof primaryStackLocation === 'string' && primaryStackLocation.trim())) {
+				await setPrimaryStackLocation(primaryStackLocation);
+			} else if (primaryStackLocation === '') {
+				// Empty string means clear the setting
+				await setPrimaryStackLocation(null);
+			}
+		}
 
 		// Fetch all settings in parallel for the response
 		const [
@@ -265,12 +336,17 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
 			eventCleanupEnabledVal,
 			logBufferSizeKbVal,
 			defaultTimezoneVal,
+			eventCollectionModeVal,
+			eventPollIntervalVal,
+			metricsCollectionIntervalVal,
 			lightThemeVal,
 			darkThemeVal,
 			fontVal,
 			fontSizeVal,
 			gridFontSizeVal,
-			terminalFontVal
+			terminalFontVal,
+			externalStackPathsVal,
+			primaryStackLocationVal
 		] = await Promise.all([
 			getSetting('confirm_destructive'),
 			getSetting('show_stopped_containers'),
@@ -288,12 +364,17 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
 			getEventCleanupEnabled(),
 			getSetting('log_buffer_size_kb'),
 			getDefaultTimezone(),
+			getEventCollectionMode(),
+			getEventPollInterval(),
+			getMetricsCollectionInterval(),
 			getSetting('theme_light'),
 			getSetting('theme_dark'),
 			getSetting('theme_font'),
 			getSetting('theme_font_size'),
 			getSetting('theme_grid_font_size'),
-			getSetting('theme_terminal_font')
+			getSetting('theme_terminal_font'),
+			getExternalStackPaths(),
+			getPrimaryStackLocation()
 		]);
 
 		const settings: GeneralSettings = {
@@ -313,12 +394,17 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
 			eventCleanupEnabled: eventCleanupEnabledVal,
 			logBufferSizeKb: logBufferSizeKbVal ?? DEFAULT_SETTINGS.logBufferSizeKb,
 			defaultTimezone: defaultTimezoneVal ?? DEFAULT_SETTINGS.defaultTimezone,
+			eventCollectionMode: (eventCollectionModeVal ?? DEFAULT_SETTINGS.eventCollectionMode) as EventCollectionMode,
+			eventPollInterval: eventPollIntervalVal ?? DEFAULT_SETTINGS.eventPollInterval,
+			metricsCollectionInterval: metricsCollectionIntervalVal ?? DEFAULT_SETTINGS.metricsCollectionInterval,
 			lightTheme: lightThemeVal ?? DEFAULT_SETTINGS.lightTheme,
 			darkTheme: darkThemeVal ?? DEFAULT_SETTINGS.darkTheme,
 			font: fontVal ?? DEFAULT_SETTINGS.font,
 			fontSize: fontSizeVal ?? DEFAULT_SETTINGS.fontSize,
 			gridFontSize: gridFontSizeVal ?? DEFAULT_SETTINGS.gridFontSize,
-			terminalFont: terminalFontVal ?? DEFAULT_SETTINGS.terminalFont
+			terminalFont: terminalFontVal ?? DEFAULT_SETTINGS.terminalFont,
+			externalStackPaths: externalStackPathsVal,
+			primaryStackLocation: primaryStackLocationVal
 		};
 
 		return json(settings);
diff --git a/routes/api/settings/scanner/+server.ts b/src/routes/api/settings/scanner/+server.ts
similarity index 100%
rename from routes/api/settings/scanner/+server.ts
rename to src/routes/api/settings/scanner/+server.ts
diff --git a/routes/api/stacks/+server.ts b/src/routes/api/stacks/+server.ts
similarity index 55%
rename from routes/api/stacks/+server.ts
rename to src/routes/api/stacks/+server.ts
index 50b5a16..14c245d 100644
--- a/routes/api/stacks/+server.ts
+++ b/src/routes/api/stacks/+server.ts
@@ -1,5 +1,5 @@
 import { json } from '@sveltejs/kit';
-import { listComposeStacks, deployStack, saveStackComposeFile } from '$lib/server/stacks';
+import { listComposeStacks, deployStack, saveStackComposeFile, saveStackEnvVars, writeRawStackEnvFile, saveStackEnvVarsToDb } from '$lib/server/stacks';
 import { EnvironmentNotFoundError } from '$lib/server/docker';
 import { upsertStackSource, getStackSources } from '$lib/server/db';
 import { authorize } from '$lib/server/authorize';
@@ -35,11 +35,9 @@ export const GET: RequestHandler = async ({ url, cookies }) => {
 		const existingNames = new Set(stacks.map((s) => s.name));
 
 		for (const source of stackSources) {
-			// Only add internal/git stacks that aren't already in the list
-			if (
-				!existingNames.has(source.stackName) &&
-				(source.sourceType === 'internal' || source.sourceType === 'git')
-			) {
+			// Add stacks from database that aren't already in the Docker list
+			// This includes internal, git, and external (adopted) stacks that are currently down
+			if (!existingNames.has(source.stackName)) {
 				stacks.push({
 					name: source.stackName,
 					containers: [],
@@ -78,7 +76,7 @@ export const POST: RequestHandler = async ({ request, url, cookies }) => {
 
 	try {
 		const body = await request.json();
-		const { name, compose, start } = body;
+		const { name, compose, start, envVars, rawEnvContent, composePath, envPath } = body;
 
 		if (!name || typeof name !== 'string') {
 			return json({ error: 'Stack name is required' }, { status: 400 });
@@ -90,37 +88,86 @@ export const POST: RequestHandler = async ({ request, url, cookies }) => {
 
 		// If start is false, only create the compose file without deploying
 		if (start === false) {
-			const result = await saveStackComposeFile(name, compose, true);
+			const result = await saveStackComposeFile(name, compose, true, envIdNum, {
+				composePath: composePath || undefined,
+				envPath: envPath || undefined
+			});
 			if (!result.success) {
 				return json({ error: result.error }, { status: 400 });
 			}
 
-			// Record the stack as internally created
+			// Save environment variables
+			// - rawEnvContent: non-secret vars with comments → .env file
+			// - envVars: ALL vars → DB (secrets stored for shell injection, non-secrets for metadata)
+			if (rawEnvContent) {
+				// Write raw content to .env file (should NOT contain secrets)
+				await writeRawStackEnvFile(name, rawEnvContent, envIdNum, envPath || undefined);
+			}
+			// Save ALL vars to DB (secrets for shell injection at runtime)
+			if (envVars && Array.isArray(envVars) && envVars.length > 0) {
+				await saveStackEnvVarsToDb(name, envVars, envIdNum);
+			}
+			// Fallback: if no rawEnvContent, generate .env from non-secret vars
+			if (!rawEnvContent && envVars && Array.isArray(envVars) && envVars.length > 0) {
+				await saveStackEnvVars(name, envVars, envIdNum, envPath || undefined);
+			}
+
+			// Record the stack as internally created with custom paths if provided
 			await upsertStackSource({
 				stackName: name,
 				environmentId: envIdNum,
-				sourceType: 'internal'
+				sourceType: 'internal',
+				composePath: composePath || undefined,
+				envPath: envPath || undefined
 			});
 
 			return json({ success: true, started: false });
 		}
 
+		// Save environment variables BEFORE deploying so they're available during start
+		if (rawEnvContent || (envVars && Array.isArray(envVars) && envVars.length > 0)) {
+			// First ensure the stack directory exists by saving compose file
+			await saveStackComposeFile(name, compose, true, envIdNum, {
+				composePath: composePath || undefined,
+				envPath: envPath || undefined
+			});
+
+			// - rawEnvContent: non-secret vars with comments → .env file
+			// - envVars: ALL vars → DB (secrets stored for shell injection, non-secrets for metadata)
+			if (rawEnvContent) {
+				// Write raw content to .env file (should NOT contain secrets)
+				await writeRawStackEnvFile(name, rawEnvContent, envIdNum, envPath || undefined);
+			}
+			// Save ALL vars to DB (secrets for shell injection at runtime)
+			if (envVars && Array.isArray(envVars) && envVars.length > 0) {
+				await saveStackEnvVarsToDb(name, envVars, envIdNum);
+			}
+			// Fallback: if no rawEnvContent, generate .env from non-secret vars
+			if (!rawEnvContent && envVars && Array.isArray(envVars) && envVars.length > 0) {
+				await saveStackEnvVars(name, envVars, envIdNum, envPath || undefined);
+			}
+		}
+
 		// Deploy and start the stack
 		const result = await deployStack({
 			name,
 			compose,
-			envId: envIdNum
+			envId: envIdNum,
+			composePath: composePath || undefined,
+			envPath: envPath || undefined
 		});
 
 		if (!result.success) {
 			return json({ error: result.error, output: result.output }, { status: 400 });
 		}
 
-		// Record the stack as internally created
+		// Record the stack as internally created with custom paths if provided
 		await upsertStackSource({
 			stackName: name,
 			environmentId: envIdNum,
-			sourceType: 'internal'
+			sourceType: 'internal',
+			composePath: composePath || undefined,
+			envPath: envPath || undefined
 		});
 
 		return json({ success: true, started: true, output: result.output });
diff --git a/routes/api/stacks/[name]/+server.ts b/src/routes/api/stacks/[name]/+server.ts
similarity index 88%
rename from routes/api/stacks/[name]/+server.ts
rename to src/routes/api/stacks/[name]/+server.ts
index 38098b5..9ed0945 100644
--- a/routes/api/stacks/[name]/+server.ts
+++ b/src/routes/api/stacks/[name]/+server.ts
@@ -1,5 +1,5 @@
 import { json } from '@sveltejs/kit';
-import { removeStack, ExternalStackError, ComposeFileNotFoundError } from '$lib/server/stacks';
+import { removeStack, ComposeFileNotFoundError } from '$lib/server/stacks';
 import { authorize } from '$lib/server/authorize';
 import { auditStack } from '$lib/server/audit';
 import type { RequestHandler } from './$types';
@@ -34,9 +34,6 @@ export const DELETE: RequestHandler = async (event) => {
 		}
 		return json({ success: true });
 	} catch (error) {
-		if (error instanceof ExternalStackError) {
-			return json({ error: error.message }, { status: 400 });
-		}
 		if (error instanceof ComposeFileNotFoundError) {
 			return json({ error: error.message }, { status: 404 });
 		}
diff --git a/src/routes/api/stacks/[name]/check-path-change/+server.ts b/src/routes/api/stacks/[name]/check-path-change/+server.ts
new file mode 100644
index 0000000..22e733b
--- /dev/null
+++ b/src/routes/api/stacks/[name]/check-path-change/+server.ts
@@ -0,0 +1,79 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { authorize } from '$lib/server/authorize';
+import { getStackSource } from '$lib/server/db';
+import { findStackDir } from '$lib/server/stacks';
+import { existsSync, readdirSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+
+/**
+ * POST /api/stacks/[name]/check-path-change
+ *
+ * Check if the proposed compose path differs from current and if old directory has files.
+ * Returns information about what would need to be moved if location changes.
+ */
+export const POST: RequestHandler = async ({ params, request, url, cookies }) => {
+	const auth = await authorize(cookies);
+	if (auth.authEnabled && !(await auth.can('stacks', 'edit'))) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	const { name } = params;
+	const envId = url.searchParams.get('env');
+	const envIdNum = envId ? parseInt(envId) : undefined;
+
+	try {
+		const body = await request.json();
+		const { newComposePath } = body;
+
+		// Get current source info
+		const source = await getStackSource(name, envIdNum);
+
+		// Determine current compose path and directory
+		let currentComposePath: string | null = null;
+		let currentDir: string | null = null;
+
+		if (source?.composePath) {
+			currentComposePath = source.composePath;
+			currentDir = dirname(source.composePath);
+		} else {
+			// Stack uses default directory structure
+			const stackDir = await findStackDir(name, envIdNum);
+			if (stackDir) {
+				const defaultComposePath = join(stackDir, 'docker-compose.yml');
+				if (existsSync(defaultComposePath)) {
+					currentComposePath = defaultComposePath;
+					currentDir = stackDir;
+				}
+			}
+		}
+
+		// Determine new directory
+		const newDir = newComposePath ? dirname(newComposePath) : null;
+
+		// Check if directories are different and old directory exists with files
+		let hasChanges = false;
+		let fileCount = 0;
+
+		if (currentDir && newDir && currentDir !== newDir && existsSync(currentDir)) {
+			try {
+				const files = readdirSync(currentDir);
+				fileCount = files.length;
+				hasChanges = fileCount > 0;
+			} catch {
+				// Ignore read errors
+			}
+		}
+
+		return json({
+			hasChanges,
+			oldDir: currentDir,
+			newDir,
+			fileCount,
+			currentComposePath
+		});
+	} catch (error: any) {
+		console.error(`Error checking path change for stack ${name}:`, error);
+		return json({ error: error.message || 'Failed to check path changes' }, { status: 500 });
+	}
+};
diff --git a/routes/api/stacks/[name]/compose/+server.ts b/src/routes/api/stacks/[name]/compose/+server.ts
similarity index 51%
rename from routes/api/stacks/[name]/compose/+server.ts
rename to src/routes/api/stacks/[name]/compose/+server.ts
index 08b5c11..750838f 100644
--- a/routes/api/stacks/[name]/compose/+server.ts
+++ b/src/routes/api/stacks/[name]/compose/+server.ts
@@ -4,22 +4,36 @@ import { getStackComposeFile, deployStack, saveStackComposeFile } from '$lib/ser
 import { authorize } from '$lib/server/authorize';
 
 // GET /api/stacks/[name]/compose - Get compose file content
-export const GET: RequestHandler = async ({ params, cookies }) => {
+export const GET: RequestHandler = async ({ params, url, cookies }) => {
 	const auth = await authorize(cookies);
 	if (auth.authEnabled && !(await auth.can('stacks', 'view'))) {
 		return json({ error: 'Permission denied' }, { status: 403 });
 	}
 
 	const { name } = params;
+	const envId = url.searchParams.get('env');
+	const envIdNum = envId ? parseInt(envId) : undefined;
 
 	try {
-		const result = await getStackComposeFile(name);
+		const result = await getStackComposeFile(name, envIdNum);
 
 		if (!result.success) {
-			return json({ error: result.error }, { status: 404 });
+			// Return info about what's needed - unified response for all missing compose files
+			return json({
+				error: result.error,
+				needsFileLocation: result.needsFileLocation || false,
+				composePath: result.composePath,
+				envPath: result.envPath
+			}, { status: 404 });
 		}
 
-		return json({ content: result.content });
+		return json({
+			content: result.content,
+			stackDir: result.stackDir,
+			composePath: result.composePath,
+			envPath: result.envPath,
+			suggestedEnvPath: result.suggestedEnvPath
+		});
 	} catch (error: any) {
 		console.error(`Error getting compose file for stack ${name}:`, error);
 		return json({ error: error.message || 'Failed to get compose file' }, { status: 500 });
@@ -41,23 +55,38 @@ export const PUT: RequestHandler = async ({ params, request, url, cookies }) =>
 
 	try {
 		const body = await request.json();
-		const { content, restart = false } = body;
+		const { content, restart = false, composePath, envPath, moveFromDir, oldComposePath, oldEnvPath } = body;
 
 		if (!content || typeof content !== 'string') {
 			return json({ error: 'Compose file content is required' }, { status: 400 });
 		}
 
+		// Build options object for custom paths, move operation, and file renames
+		const pathOptions = (composePath || envPath !== undefined || moveFromDir || oldComposePath || oldEnvPath)
+			? { composePath, envPath, moveFromDir, oldComposePath, oldEnvPath }
+			: undefined;
+
 		let result;
 		if (restart) {
-			// Deploy with docker compose up -d (only recreates changed services)
+			// Deploy with docker compose up -d --force-recreate
+			// Force recreate ensures env var changes are applied
+			// Note: deployStack uses requireComposeFile which will use saved paths
+			// Save paths first if provided
+			if (pathOptions) {
+				const saveResult = await saveStackComposeFile(name, content, false, envIdNum, pathOptions);
+				if (!saveResult.success) {
+					return json({ error: saveResult.error }, { status: 500 });
+				}
+			}
 			result = await deployStack({
 				name,
 				compose: content,
-				envId: envIdNum
+				envId: envIdNum,
+				forceRecreate: true
 			});
 		} else {
-			// Just save the file without restarting
-			result = await saveStackComposeFile(name, content);
+			// Just save the file without restarting (update operation, not create)
+			result = await saveStackComposeFile(name, content, false, envIdNum, pathOptions);
 		}
 
 		if (!result.success) {
diff --git a/routes/api/stacks/[name]/down/+server.ts b/src/routes/api/stacks/[name]/down/+server.ts
similarity index 89%
rename from routes/api/stacks/[name]/down/+server.ts
rename to src/routes/api/stacks/[name]/down/+server.ts
index 1995f71..19f6aa0 100644
--- a/routes/api/stacks/[name]/down/+server.ts
+++ b/src/routes/api/stacks/[name]/down/+server.ts
@@ -1,5 +1,5 @@
 import { json } from '@sveltejs/kit';
-import { downStack, ExternalStackError, ComposeFileNotFoundError } from '$lib/server/stacks';
+import { downStack, ComposeFileNotFoundError } from '$lib/server/stacks';
 import { authorize } from '$lib/server/authorize';
 import { auditStack } from '$lib/server/audit';
 import type { RequestHandler } from './$types';
@@ -42,9 +42,6 @@ export const POST: RequestHandler = async (event) => {
 		}
 		return json({ success: true, output: result.output });
 	} catch (error) {
-		if (error instanceof ExternalStackError) {
-			return json({ error: error.message }, { status: 400 });
-		}
 		if (error instanceof ComposeFileNotFoundError) {
 			return json({ error: error.message }, { status: 404 });
 		}
diff --git a/src/routes/api/stacks/[name]/env/+server.ts b/src/routes/api/stacks/[name]/env/+server.ts
new file mode 100644
index 0000000..0265db6
--- /dev/null
+++ b/src/routes/api/stacks/[name]/env/+server.ts
@@ -0,0 +1,222 @@
+import { json } from '@sveltejs/kit';
+import { getStackEnvVars, setStackEnvVars, getStackSource } from '$lib/server/db';
+import { findStackDir } from '$lib/server/stacks';
+import { authorize } from '$lib/server/authorize';
+import { existsSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import type { RequestHandler } from './$types';
+
+/**
+ * Parse a .env file content into key-value pairs
+ */
+function parseEnvFile(content: string): Record<string, string> {
+	const result: Record<string, string> = {};
+	for (const line of content.split('\n')) {
+		const trimmed = line.trim();
+		// Skip empty lines and comments
+		if (!trimmed || trimmed.startsWith('#')) continue;
+		const eqIndex = trimmed.indexOf('=');
+		if (eqIndex > 0) {
+			const key = trimmed.substring(0, eqIndex).trim();
+			let value = trimmed.substring(eqIndex + 1);
+			// Remove surrounding quotes if present
+			if ((value.startsWith('"') && value.endsWith('"')) ||
+			    (value.startsWith("'") && value.endsWith("'"))) {
+				value = value.slice(1, -1);
+			}
+			result[key] = value;
+		}
+	}
+	return result;
+}
+
+/**
+ * GET /api/stacks/[name]/env?env=X
+ * Get all environment variables for a stack.
+ * Merges variables from database with .env file (file values override for non-secrets).
+ *
+ * SECURITY: Secrets are returned as '***' (masked) - they are NEVER sent in plain text.
+ * Secrets are stored only in the database and injected via shell environment at runtime.
+ * The .env file only contains non-secret variables.
+ */
+export const GET: RequestHandler = async ({ params, url, cookies }) => {
+	const auth = await authorize(cookies);
+	const envId = url.searchParams.get('env');
+	const envIdNum = envId ? parseInt(envId) : null;
+
+	// Permission check with environment context
+	if (auth.authEnabled && !await auth.can('stacks', 'view', envIdNum ?? undefined)) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	// Environment access check (enterprise only)
+	if (envIdNum && auth.isEnterprise && !await auth.canAccessEnvironment(envIdNum)) {
+		return json({ error: 'Access denied to this environment' }, { status: 403 });
+	}
+
+	try {
+		const stackName = decodeURIComponent(params.name);
+
+		// Get variables from database (masked - secrets show as '***')
+		const dbVariables = await getStackEnvVars(stackName, envIdNum, true);
+		const dbByKey = new Map(dbVariables.map(v => [v.key, v]));
+
+		// Check if this stack has a custom compose path configured
+		const source = await getStackSource(stackName, envIdNum);
+
+		// Determine the env file path based on path resolution rules:
+		// - envPath = '' (empty string) → explicitly no env file
+		// - envPath = '/path/.env' → use custom path
+		// - envPath = null with composePath → suggest .env next to compose (but don't auto-load)
+		// - envPath = null without composePath → use default location
+		let envFilePath: string | null = null;
+
+		if (source?.envPath === '') {
+			// Empty string = explicitly no env file
+			envFilePath = null;
+		} else if (source?.envPath) {
+			// Custom env path specified
+			envFilePath = source.envPath;
+		} else if (source?.composePath) {
+			// Custom compose path but no env path - suggest .env next to compose
+			// For loading, check if it exists (but don't fail if it doesn't)
+			envFilePath = join(dirname(source.composePath), '.env');
+		} else {
+			// Default location - .env in stack directory
+			const stackDir = await findStackDir(stackName, envIdNum);
+			if (stackDir) {
+				envFilePath = join(stackDir, '.env');
+			}
+		}
+
+		let fileVars: Record<string, string> = {};
+
+		if (envFilePath && existsSync(envFilePath)) {
+			try {
+				const content = await Bun.file(envFilePath).text();
+				fileVars = parseEnvFile(content);
+			} catch (e) {
+				// Ignore file read errors
+			}
+		}
+
+		// Merge: DB variables (with secrets masked) + file variables (non-secrets only)
+		// For non-secrets: file value overrides DB value (user may have edited file)
+		// For secrets: only DB value exists (masked as '***')
+		const mergedKeys = new Set([...dbByKey.keys(), ...Object.keys(fileVars)]);
+		const variables: { key: string; value: string; isSecret: boolean }[] = [];
+
+		for (const key of mergedKeys) {
+			const dbVar = dbByKey.get(key);
+			const fileValue = fileVars[key];
+
+			if (dbVar) {
+				if (dbVar.isSecret) {
+					// Secret: use masked value from DB, ignore any file value
+					variables.push({ key, value: dbVar.value, isSecret: true });
+				} else if (fileValue !== undefined) {
+					// Non-secret with file value: file overrides (user may have edited)
+					variables.push({ key, value: fileValue, isSecret: false });
+				} else {
+					// Non-secret only in DB: use DB value
+					variables.push({ key, value: dbVar.value, isSecret: false });
+				}
+			} else if (fileValue !== undefined) {
+				// Variable only in file - add it as non-secret
+				variables.push({ key, value: fileValue, isSecret: false });
+			}
+		}
+
+		return json({ variables });
+	} catch (error) {
+		console.error('Error getting stack env vars:', error);
+		return json({ error: 'Failed to get environment variables' }, { status: 500 });
+	}
+};
+
+/**
+ * PUT /api/stacks/[name]/env?env=X
+ * Set/replace all environment variables for a stack.
+ * Body: { variables: [{ key, value, isSecret? }] }
+ *
+ * SECURITY: Secrets are stored ONLY in the database, NEVER written to .env file.
+ * For secrets, if the value is '***' (the masked placeholder), the original
+ * secret value from the database is preserved instead of overwriting with '***'.
+ *
+ * The .env file only contains non-secret variables (can be edited manually).
+ * Secrets are injected via shell environment variables at runtime.
+ */
+export const PUT: RequestHandler = async ({ params, url, cookies, request }) => {
+	const auth = await authorize(cookies);
+	const envId = url.searchParams.get('env');
+	const envIdNum = envId ? parseInt(envId) : null;
+
+	// Permission check with environment context
+	if (auth.authEnabled && !await auth.can('stacks', 'edit', envIdNum ?? undefined)) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	// Environment access check (enterprise only)
+	if (envIdNum && auth.isEnterprise && !await auth.canAccessEnvironment(envIdNum)) {
+		return json({ error: 'Access denied to this environment' }, { status: 403 });
+	}
+
+	try {
+		const stackName = decodeURIComponent(params.name);
+		const body = await request.json();
+
+		if (!body.variables || !Array.isArray(body.variables)) {
+			return json({ error: 'Invalid request body: variables array required' }, { status: 400 });
+		}
+
+		// Validate variables
+		for (const v of body.variables) {
+			if (!v.key || typeof v.key !== 'string') {
+				return json({ error: 'Invalid variable: key is required and must be a string' }, { status: 400 });
+			}
+			if (typeof v.value !== 'string') {
+				return json({ error: `Invalid variable "${v.key}": value must be a string` }, { status: 400 });
+			}
+			// Validate key format (env var naming convention)
+			if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(v.key)) {
+				return json({ error: `Invalid variable name "${v.key}": must start with a letter or underscore and contain only alphanumeric characters and underscores` }, { status: 400 });
+			}
+		}
+
+		// Check if any secrets have the masked placeholder '***'
+		// If so, we need to preserve their original values from the database
+		const secretsWithMaskedValue = body.variables.filter(
+			(v: { key: string; value: string; isSecret?: boolean }) =>
+				v.isSecret && v.value === '***'
+		);
+
+		let variablesToSave = body.variables;
+
+		if (secretsWithMaskedValue.length > 0) {
+			// Get existing variables (unmasked) to preserve secret values
+			const existingVars = await getStackEnvVars(stackName, envIdNum, false);
+			const existingByKey = new Map(existingVars.map(v => [v.key, v]));
+
+			// Replace masked secrets with their original values
+			variablesToSave = body.variables.map((v: { key: string; value: string; isSecret?: boolean }) => {
+				if (v.isSecret && v.value === '***') {
+					const existing = existingByKey.get(v.key);
+					if (existing && existing.isSecret) {
+						// Preserve the original secret value
+						return { ...v, value: existing.value };
+					}
+				}
+				return v;
+			});
+		}
+
+		// Save ALL variables (including secrets) to database
+		// Note: The .env file is written by PUT /env/raw endpoint, which preserves comments
+		await setStackEnvVars(stackName, envIdNum, variablesToSave);
+
+		return json({ success: true, count: variablesToSave.length });
+	} catch (error) {
+		console.error('Error setting stack env vars:', error);
+		return json({ error: 'Failed to set environment variables' }, { status: 500 });
+	}
+};
diff --git a/src/routes/api/stacks/[name]/env/raw/+server.ts b/src/routes/api/stacks/[name]/env/raw/+server.ts
new file mode 100644
index 0000000..6fbc3c5
--- /dev/null
+++ b/src/routes/api/stacks/[name]/env/raw/+server.ts
@@ -0,0 +1,164 @@
+import { json } from '@sveltejs/kit';
+import { findStackDir, getStackDir } from '$lib/server/stacks';
+import { getStackSource } from '$lib/server/db';
+import { authorize } from '$lib/server/authorize';
+import { existsSync, rmSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import type { RequestHandler } from './$types';
+
+/**
+ * GET /api/stacks/[name]/env/raw?env=X
+ * Get the raw .env file content as-is (with comments, formatting, etc.)
+ */
+export const GET: RequestHandler = async ({ params, url, cookies }) => {
+	const auth = await authorize(cookies);
+	const envId = url.searchParams.get('env');
+	const envIdNum = envId ? parseInt(envId) : null;
+
+	// Permission check with environment context
+	if (auth.authEnabled && !await auth.can('stacks', 'view', envIdNum ?? undefined)) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	// Environment access check (enterprise only)
+	if (envIdNum && auth.isEnterprise && !await auth.canAccessEnvironment(envIdNum)) {
+		return json({ error: 'Access denied to this environment' }, { status: 403 });
+	}
+
+	try {
+		const stackName = decodeURIComponent(params.name);
+
+		// Check if this stack has custom paths configured
+		const source = await getStackSource(stackName, envIdNum);
+
+		// Determine the env file path based on path resolution rules:
+		// - envPath = '' (empty string) → explicitly no env file
+		// - envPath = '/path/.env' → use custom path
+		// - envPath = null with composePath → suggest .env next to compose
+		// - envPath = null without composePath → use default location
+		let envFilePath: string | null = null;
+
+		if (source?.envPath === '') {
+			// Empty string = explicitly no env file
+			return json({ content: '', noEnvFile: true });
+		} else if (source?.envPath) {
+			// Custom env path specified
+			envFilePath = source.envPath;
+		} else if (source?.composePath) {
+			// Custom compose path but no env path - suggest .env next to compose
+			envFilePath = join(dirname(source.composePath), '.env');
+		} else {
+			// Default location - .env in stack directory
+			const stackDir = await findStackDir(stackName, envIdNum);
+			if (stackDir) {
+				envFilePath = join(stackDir, '.env');
+			}
+		}
+
+		let content = '';
+		if (envFilePath && existsSync(envFilePath)) {
+			try {
+				content = await Bun.file(envFilePath).text();
+			} catch {
+				// File read failed
+			}
+		}
+
+		return json({ content });
+	} catch (error) {
+		console.error('Error getting raw env file:', error);
+		return json({ error: 'Failed to get environment file' }, { status: 500 });
+	}
+};
+
+/**
+ * PUT /api/stacks/[name]/env/raw?env=X
+ * Save raw .env file content directly to disk.
+ * Body: { content: string }
+ */
+export const PUT: RequestHandler = async ({ params, url, cookies, request }) => {
+	const auth = await authorize(cookies);
+	const envId = url.searchParams.get('env');
+	const envIdNum = envId ? parseInt(envId) : null;
+
+	// Permission check with environment context
+	if (auth.authEnabled && !await auth.can('stacks', 'edit', envIdNum ?? undefined)) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	// Environment access check (enterprise only)
+	if (envIdNum && auth.isEnterprise && !await auth.canAccessEnvironment(envIdNum)) {
+		return json({ error: 'Access denied to this environment' }, { status: 403 });
+	}
+
+	try {
+		const stackName = decodeURIComponent(params.name);
+		const body = await request.json();
+
+		if (typeof body.content !== 'string') {
+			return json({ error: 'Invalid request body: content string required' }, { status: 400 });
+		}
+
+		// Check if this stack has custom paths configured
+		const source = await getStackSource(stackName, envIdNum);
+
+		// Determine the env file path based on path resolution rules:
+		// - envPath = '' (empty string) → explicitly no env file, don't write
+		// - envPath = '/path/.env' → use custom path
+		// - envPath = null with composePath → suggest .env next to compose
+		// - envPath = null without composePath → use default location
+		let envFilePath: string | null = null;
+
+		if (source?.envPath === '') {
+			// Empty string = explicitly no env file - don't allow writes
+			return json({ success: true, noEnvFile: true });
+		} else if (source?.envPath) {
+			// Custom env path specified
+			envFilePath = source.envPath;
+		} else if (source?.composePath) {
+			// Custom compose path but no env path - suggest .env next to compose
+			envFilePath = join(dirname(source.composePath), '.env');
+		} else {
+			// Default location - .env in stack directory
+			const stackDir = await findStackDir(stackName, envIdNum);
+			if (stackDir) {
+				envFilePath = join(stackDir, '.env');
+			}
+		}
+
+		// Only write if we have a valid path
+		if (!envFilePath) {
+			return json({ error: 'Stack directory not found' }, { status: 404 });
+		}
+
+		let content = body.content;
+
+		// If content is empty, delete the .env file instead of writing empty file
+		if (!content || !content.trim()) {
+			if (existsSync(envFilePath)) {
+				rmSync(envFilePath);
+				return json({ success: true, deleted: true });
+			}
+			return json({ success: true });
+		}
+
+		// Guard against writing masked secret placeholders (would corrupt the file)
+		if (content.match(/^[A-Za-z_][A-Za-z0-9_]*=\*\*\*$/m)) {
+			return json({
+				error: 'Cannot write masked placeholder "***" to .env file - this would corrupt secret values'
+			}, { status: 400 });
+		}
+
+		// Ensure content ends with newline
+		if (!content.endsWith('\n')) {
+			content += '\n';
+		}
+
+		await Bun.write(envFilePath, content);
+
+		return json({ success: true });
+	} catch (error) {
+		console.error('Error saving raw env file:', error);
+		return json({ error: 'Failed to save environment file' }, { status: 500 });
+	}
+};
diff --git a/routes/api/stacks/[name]/env/validate/+server.ts b/src/routes/api/stacks/[name]/env/validate/+server.ts
similarity index 100%
rename from routes/api/stacks/[name]/env/validate/+server.ts
rename to src/routes/api/stacks/[name]/env/validate/+server.ts
diff --git a/src/routes/api/stacks/[name]/relocate/+server.ts b/src/routes/api/stacks/[name]/relocate/+server.ts
new file mode 100644
index 0000000..e3f47d1
--- /dev/null
+++ b/src/routes/api/stacks/[name]/relocate/+server.ts
@@ -0,0 +1,131 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { authorize } from '$lib/server/authorize';
+import { getStackSource, updateStackSource } from '$lib/server/db';
+import { existsSync, readdirSync, renameSync, readFileSync, writeFileSync, unlinkSync, mkdirSync, rmSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+
+/**
+ * POST /api/stacks/[name]/relocate
+ *
+ * Move all stack files from old directory to new location.
+ * Updates the database with new paths and returns refreshed content.
+ */
+export const POST: RequestHandler = async ({ params, request, url, cookies }) => {
+	const auth = await authorize(cookies);
+	if (auth.authEnabled && !(await auth.can('stacks', 'edit'))) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	const { name } = params;
+	const envId = url.searchParams.get('env');
+	const envIdNum = envId ? parseInt(envId) : undefined;
+
+	try {
+		const body = await request.json();
+		const { oldDir, newComposePath, newEnvPath } = body;
+
+		if (!oldDir || !newComposePath) {
+			return json({ error: 'oldDir and newComposePath are required' }, { status: 400 });
+		}
+
+		const newDir = dirname(newComposePath);
+
+		// Verify old directory exists
+		if (!existsSync(oldDir)) {
+			return json({ error: 'Source directory does not exist' }, { status: 400 });
+		}
+
+		// Create new directory if it doesn't exist
+		if (!existsSync(newDir)) {
+			mkdirSync(newDir, { recursive: true });
+		}
+
+		// Move all files from old directory to new directory
+		const files = readdirSync(oldDir);
+		const movedFiles: string[] = [];
+		const errors: string[] = [];
+
+		for (const file of files) {
+			const oldFilePath = join(oldDir, file);
+			const newFilePath = join(newDir, file);
+
+			try {
+				// Use rename for atomic move (same filesystem) or copy+delete for cross-filesystem
+				renameSync(oldFilePath, newFilePath);
+				movedFiles.push(file);
+			} catch (renameErr: any) {
+				if (renameErr.code === 'EXDEV') {
+					// Cross-filesystem move - copy then delete
+					try {
+						const data = readFileSync(oldFilePath);
+						writeFileSync(newFilePath, data);
+						unlinkSync(oldFilePath);
+						movedFiles.push(file);
+					} catch (copyErr: any) {
+						errors.push(`Failed to copy ${file}: ${copyErr.message}`);
+					}
+				} else {
+					errors.push(`Failed to move ${file}: ${renameErr.message}`);
+				}
+			}
+		}
+
+		// Remove old directory if it's now empty
+		try {
+			const remaining = readdirSync(oldDir);
+			if (remaining.length === 0) {
+				rmSync(oldDir, { recursive: true, force: true });
+			}
+		} catch {
+			// Ignore errors when checking/removing old directory
+		}
+
+		// Update database with new paths
+		await updateStackSource(name, envIdNum ?? null, {
+			composePath: newComposePath,
+			envPath: newEnvPath || null
+		});
+
+		// Read content from new location
+		let composeContent = '';
+		let rawEnvContent = '';
+		const envVars: { key: string; value: string; isSecret: boolean }[] = [];
+
+		// Read compose file
+		if (existsSync(newComposePath)) {
+			composeContent = readFileSync(newComposePath, 'utf-8');
+		}
+
+		// Read env file if it exists
+		const envFilePath = newEnvPath || join(newDir, '.env');
+		if (existsSync(envFilePath)) {
+			rawEnvContent = readFileSync(envFilePath, 'utf-8');
+
+			// Parse env vars from raw content
+			const lines = rawEnvContent.split('\n');
+			for (const line of lines) {
+				const trimmed = line.trim();
+				if (!trimmed || trimmed.startsWith('#')) continue;
+				const eqIndex = trimmed.indexOf('=');
+				if (eqIndex > 0) {
+					const key = trimmed.substring(0, eqIndex);
+					const value = trimmed.substring(eqIndex + 1);
+					envVars.push({ key, value, isSecret: false });
+				}
+			}
+		}
+
+		return json({
+			success: true,
+			movedFiles,
+			errors: errors.length > 0 ? errors : undefined,
+			composeContent,
+			rawEnvContent,
+			envVars
+		});
+	} catch (error: any) {
+		console.error(`Error relocating stack ${name}:`, error);
+		return json({ error: error.message || 'Failed to relocate stack' }, { status: 500 });
+	}
+};
diff --git a/routes/api/stacks/[name]/restart/+server.ts b/src/routes/api/stacks/[name]/restart/+server.ts
similarity index 87%
rename from routes/api/stacks/[name]/restart/+server.ts
rename to src/routes/api/stacks/[name]/restart/+server.ts
index 29ecbf5..b4d9ce3 100644
--- a/routes/api/stacks/[name]/restart/+server.ts
+++ b/src/routes/api/stacks/[name]/restart/+server.ts
@@ -1,5 +1,5 @@
 import { json } from '@sveltejs/kit';
-import { restartStack, ExternalStackError, ComposeFileNotFoundError } from '$lib/server/stacks';
+import { restartStack, ComposeFileNotFoundError } from '$lib/server/stacks';
 import { authorize } from '$lib/server/authorize';
 import { auditStack } from '$lib/server/audit';
 import type { RequestHandler } from './$types';
@@ -33,9 +33,6 @@ export const POST: RequestHandler = async (event) => {
 		}
 		return json({ success: true, output: result.output });
 	} catch (error) {
-		if (error instanceof ExternalStackError) {
-			return json({ error: error.message }, { status: 400 });
-		}
 		if (error instanceof ComposeFileNotFoundError) {
 			return json({ error: error.message }, { status: 404 });
 		}
diff --git a/routes/api/stacks/[name]/start/+server.ts b/src/routes/api/stacks/[name]/start/+server.ts
similarity index 87%
rename from routes/api/stacks/[name]/start/+server.ts
rename to src/routes/api/stacks/[name]/start/+server.ts
index 7e5fc5f..928841e 100644
--- a/routes/api/stacks/[name]/start/+server.ts
+++ b/src/routes/api/stacks/[name]/start/+server.ts
@@ -1,5 +1,5 @@
 import { json } from '@sveltejs/kit';
-import { startStack, ExternalStackError, ComposeFileNotFoundError } from '$lib/server/stacks';
+import { startStack, ComposeFileNotFoundError } from '$lib/server/stacks';
 import { authorize } from '$lib/server/authorize';
 import { auditStack } from '$lib/server/audit';
 import type { RequestHandler } from './$types';
@@ -33,9 +33,6 @@ export const POST: RequestHandler = async (event) => {
 		}
 		return json({ success: true, output: result.output });
 	} catch (error) {
-		if (error instanceof ExternalStackError) {
-			return json({ error: error.message }, { status: 400 });
-		}
 		if (error instanceof ComposeFileNotFoundError) {
 			return json({ error: error.message }, { status: 404 });
 		}
diff --git a/routes/api/stacks/[name]/stop/+server.ts b/src/routes/api/stacks/[name]/stop/+server.ts
similarity index 87%
rename from routes/api/stacks/[name]/stop/+server.ts
rename to src/routes/api/stacks/[name]/stop/+server.ts
index d57fa7b..2c2a0fe 100644
--- a/routes/api/stacks/[name]/stop/+server.ts
+++ b/src/routes/api/stacks/[name]/stop/+server.ts
@@ -1,5 +1,5 @@
 import { json } from '@sveltejs/kit';
-import { stopStack, ExternalStackError, ComposeFileNotFoundError } from '$lib/server/stacks';
+import { stopStack, ComposeFileNotFoundError } from '$lib/server/stacks';
 import { authorize } from '$lib/server/authorize';
 import { auditStack } from '$lib/server/audit';
 import type { RequestHandler } from './$types';
@@ -33,9 +33,6 @@ export const POST: RequestHandler = async (event) => {
 		}
 		return json({ success: true, output: result.output });
 	} catch (error) {
-		if (error instanceof ExternalStackError) {
-			return json({ error: error.message }, { status: 400 });
-		}
 		if (error instanceof ComposeFileNotFoundError) {
 			return json({ error: error.message }, { status: 404 });
 		}
diff --git a/src/routes/api/stacks/adopt/+server.ts b/src/routes/api/stacks/adopt/+server.ts
new file mode 100644
index 0000000..543d132
--- /dev/null
+++ b/src/routes/api/stacks/adopt/+server.ts
@@ -0,0 +1,41 @@
+import { json, type RequestHandler } from '@sveltejs/kit';
+import { authorize } from '$lib/server/authorize';
+import { adoptSelectedStacks, type DiscoveredStack } from '$lib/server/stack-scanner';
+
+export const POST: RequestHandler = async ({ request, cookies }) => {
+	const auth = await authorize(cookies);
+	if (auth.authEnabled && !await auth.can('stacks', 'create')) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	try {
+		const body = await request.json();
+		const stacks = body.stacks as DiscoveredStack[];
+		const environmentId = body.environmentId as number | undefined;
+
+		if (!stacks || !Array.isArray(stacks) || stacks.length === 0) {
+			return json({ error: 'No stacks provided' }, { status: 400 });
+		}
+
+		if (!environmentId || typeof environmentId !== 'number') {
+			return json({ error: 'Environment ID is required' }, { status: 400 });
+		}
+
+		// Validate each stack has required fields
+		for (const stack of stacks) {
+			if (!stack.name || !stack.composePath) {
+				return json({ error: 'Invalid stack data: missing name or composePath' }, { status: 400 });
+			}
+		}
+
+		const result = await adoptSelectedStacks(stacks, environmentId);
+
+		return json({
+			adopted: result.adopted,
+			failed: result.failed
+		});
+	} catch (error) {
+		const message = error instanceof Error ? error.message : 'Unknown error';
+		return json({ error: message }, { status: 500 });
+	}
+};
diff --git a/src/routes/api/stacks/base-path/+server.ts b/src/routes/api/stacks/base-path/+server.ts
new file mode 100644
index 0000000..9573760
--- /dev/null
+++ b/src/routes/api/stacks/base-path/+server.ts
@@ -0,0 +1,14 @@
+import { json } from '@sveltejs/kit';
+import { getStacksDir } from '$lib/server/stacks';
+import type { RequestHandler } from './$types';
+
+/**
+ * GET /api/stacks/base-path
+ *
+ * Returns the default Dockhand stacks directory path.
+ * This is where stacks are stored by default ($DATA_DIR/stacks/).
+ */
+export const GET: RequestHandler = async () => {
+	const basePath = getStacksDir();
+	return json({ basePath });
+};
diff --git a/src/routes/api/stacks/default-path/+server.ts b/src/routes/api/stacks/default-path/+server.ts
new file mode 100644
index 0000000..efbbc9d
--- /dev/null
+++ b/src/routes/api/stacks/default-path/+server.ts
@@ -0,0 +1,54 @@
+import { json } from '@sveltejs/kit';
+import { join } from 'path';
+import { getStackDir } from '$lib/server/stacks';
+import { getEnvironment } from '$lib/server/db';
+import type { RequestHandler } from './$types';
+
+/**
+ * Get the default path for a new stack
+ * Used by the UI to show where files will be created
+ *
+ * Query params:
+ * - name: Stack name (required)
+ * - env: Environment ID (optional)
+ * - location: Custom base location path (optional)
+ *
+ * If location is provided, path will be: {location}/{envName}/{stackName}/
+ * Otherwise uses Dockhand's default: $DATA_DIR/stacks/{envName}/{stackName}/
+ */
+export const GET: RequestHandler = async ({ url }) => {
+	const stackName = url.searchParams.get('name');
+	const envId = url.searchParams.get('env');
+	const location = url.searchParams.get('location');
+	const envIdNum = envId ? parseInt(envId) : undefined;
+
+	if (!stackName) {
+		return json({ error: 'Stack name is required' }, { status: 400 });
+	}
+
+	let stackDir: string;
+
+	if (location) {
+		// Custom location: {location}/{envName}/{stackName}/
+		if (envIdNum) {
+			const env = await getEnvironment(envIdNum);
+			if (env) {
+				stackDir = join(location, env.name, stackName);
+			} else {
+				stackDir = join(location, stackName);
+			}
+		} else {
+			stackDir = join(location, stackName);
+		}
+	} else {
+		// Dockhand default location
+		stackDir = await getStackDir(stackName, envIdNum);
+	}
+
+	return json({
+		stackDir,
+		composePath: `${stackDir}/docker-compose.yml`,
+		envPath: `${stackDir}/.env`,
+		source: location ? 'custom' : 'default'
+	});
+};
diff --git a/src/routes/api/stacks/path-hints/+server.ts b/src/routes/api/stacks/path-hints/+server.ts
new file mode 100644
index 0000000..92b7715
--- /dev/null
+++ b/src/routes/api/stacks/path-hints/+server.ts
@@ -0,0 +1,37 @@
+import { json, type RequestHandler } from '@sveltejs/kit';
+import { getStackPathHints } from '$lib/server/stacks';
+import { authorize } from '$lib/server/authorize';
+
+/**
+ * GET /api/stacks/path-hints?name=stackName&env=envId
+ * Returns path hints extracted from Docker container labels for a stack.
+ */
+export const GET: RequestHandler = async ({ url, cookies }) => {
+	const auth = await authorize(cookies);
+	if (auth.authEnabled && !auth.isAuthenticated) {
+		return json({ error: 'Unauthorized' }, { status: 401 });
+	}
+
+	const stackName = url.searchParams.get('name');
+	const envId = url.searchParams.get('env');
+
+	if (!stackName) {
+		return json({ error: 'Stack name is required' }, { status: 400 });
+	}
+
+	try {
+		const hints = await getStackPathHints(stackName, envId ? parseInt(envId) : undefined);
+
+		return json({
+			stackName,
+			workingDir: hints.workingDir,
+			configFiles: hints.configFiles
+		});
+	} catch (error) {
+		console.error('Failed to get stack path hints:', error);
+		return json(
+			{ error: error instanceof Error ? error.message : 'Failed to get path hints' },
+			{ status: 500 }
+		);
+	}
+};
diff --git a/src/routes/api/stacks/scan/+server.ts b/src/routes/api/stacks/scan/+server.ts
new file mode 100644
index 0000000..4314c5f
--- /dev/null
+++ b/src/routes/api/stacks/scan/+server.ts
@@ -0,0 +1,35 @@
+import { json, type RequestHandler } from '@sveltejs/kit';
+import { authorize } from '$lib/server/authorize';
+import { scanExternalPaths, scanPaths, detectRunningStacks } from '$lib/server/stack-scanner';
+
+export const POST: RequestHandler = async ({ request, cookies }) => {
+	const auth = await authorize(cookies);
+	if (auth.authEnabled && !await auth.can('stacks', 'create')) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	try {
+		const body = await request.json().catch(() => ({}));
+		const { path } = body;
+
+		let result;
+		if (path) {
+			// Scan a specific path provided by the user
+			result = await scanPaths([path]);
+		} else {
+			// Scan all configured external paths (legacy behavior)
+			result = await scanExternalPaths();
+		}
+
+		// Detect which stacks are already running on any environment
+		const discoveredWithRunning = await detectRunningStacks(result.discovered);
+
+		return json({
+			...result,
+			discovered: discoveredWithRunning
+		});
+	} catch (error) {
+		const message = error instanceof Error ? error.message : 'Unknown error';
+		return json({ error: message }, { status: 500 });
+	}
+};
diff --git a/routes/api/stacks/sources/+server.ts b/src/routes/api/stacks/sources/+server.ts
similarity index 87%
rename from routes/api/stacks/sources/+server.ts
rename to src/routes/api/stacks/sources/+server.ts
index d0688d9..a2f1a17 100644
--- a/routes/api/stacks/sources/+server.ts
+++ b/src/routes/api/stacks/sources/+server.ts
@@ -18,10 +18,11 @@ export const GET: RequestHandler = async ({ url, cookies }) => {
 		const sources = await getStackSources(envIdNum);
 
 		// Convert to a map for easier lookup in the frontend
-		const sourceMap: Record<string, { sourceType: string; repository?: any }> = {};
+		const sourceMap: Record<string, { sourceType: string; composePath?: string | null; repository?: any }> = {};
 		for (const source of sources) {
 			sourceMap[source.stackName] = {
 				sourceType: source.sourceType,
+				composePath: source.composePath,
 				repository: source.repository
 			};
 		}
diff --git a/src/routes/api/stacks/validate-path/+server.ts b/src/routes/api/stacks/validate-path/+server.ts
new file mode 100644
index 0000000..1958902
--- /dev/null
+++ b/src/routes/api/stacks/validate-path/+server.ts
@@ -0,0 +1,28 @@
+import { json, type RequestHandler } from '@sveltejs/kit';
+import { authorize } from '$lib/server/authorize';
+import { validatePath } from '$lib/server/stack-scanner';
+import { getExternalStackPaths } from '$lib/server/db';
+
+export const POST: RequestHandler = async ({ request, cookies }) => {
+	const auth = await authorize(cookies);
+	if (auth.authEnabled && !await auth.can('settings', 'edit')) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	try {
+		const { path } = await request.json();
+
+		if (!path || typeof path !== 'string') {
+			return json({ valid: false, error: 'Path is required' });
+		}
+
+		// Get existing paths to check for overlaps
+		const existingPaths = await getExternalStackPaths();
+
+		const result = validatePath(path, existingPaths);
+		return json(result);
+	} catch (error) {
+		const message = error instanceof Error ? error.message : 'Unknown error';
+		return json({ valid: false, error: message });
+	}
+};
diff --git a/routes/api/system/+server.ts b/src/routes/api/system/+server.ts
similarity index 99%
rename from routes/api/system/+server.ts
rename to src/routes/api/system/+server.ts
index 04c369a..118fb4f 100644
--- a/routes/api/system/+server.ts
+++ b/src/routes/api/system/+server.ts
@@ -186,6 +186,7 @@ export const GET: RequestHandler = async ({ url, cookies }) => {
 				nodeVersion: process.version,
 				platform: os.platform(),
 				arch: os.arch(),
+				kernel: os.release(),
 				memory: bunInfo.memory,
 				container: containerRuntime,
 				ownContainer
diff --git a/routes/api/system/disk/+server.ts b/src/routes/api/system/disk/+server.ts
similarity index 100%
rename from routes/api/system/disk/+server.ts
rename to src/routes/api/system/disk/+server.ts
diff --git a/src/routes/api/system/files/+server.ts b/src/routes/api/system/files/+server.ts
new file mode 100644
index 0000000..7e036f5
--- /dev/null
+++ b/src/routes/api/system/files/+server.ts
@@ -0,0 +1,80 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { readdirSync, statSync, existsSync } from 'node:fs';
+import { join, basename } from 'node:path';
+import { authorize } from '$lib/server/authorize';
+
+export interface FileEntry {
+	name: string;
+	path: string;
+	type: 'file' | 'directory' | 'symlink';
+	size: number;
+	mtime: string;
+	mode: string;
+}
+
+/**
+ * GET /api/system/files
+ * Browse Dockhand's local filesystem (for mount browsing)
+ *
+ * Query params:
+ * - path: Directory path to list
+ */
+export const GET: RequestHandler = async ({ url, cookies }) => {
+	const auth = await authorize(cookies);
+
+	if (auth.authEnabled && !await auth.can('stacks', 'edit')) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	const path = url.searchParams.get('path') || '/';
+
+	try {
+		if (!existsSync(path)) {
+			return json({ error: `Path not found: ${path}` }, { status: 404 });
+		}
+
+		const stat = statSync(path);
+		if (!stat.isDirectory()) {
+			return json({ error: `Not a directory: ${path}` }, { status: 400 });
+		}
+
+		const entries: FileEntry[] = [];
+		const dirEntries = readdirSync(path, { withFileTypes: true });
+
+		for (const entry of dirEntries) {
+			try {
+				const fullPath = join(path, entry.name);
+				const entryStat = statSync(fullPath);
+
+				entries.push({
+					name: entry.name,
+					path: fullPath,
+					type: entry.isDirectory() ? 'directory' : entry.isSymbolicLink() ? 'symlink' : 'file',
+					size: entryStat.size,
+					mtime: entryStat.mtime.toISOString(),
+					mode: (entryStat.mode & 0o777).toString(8).padStart(3, '0')
+				});
+			} catch {
+				// Skip entries we can't stat (permission issues, etc.)
+			}
+		}
+
+		// Sort: directories first, then alphabetically
+		entries.sort((a, b) => {
+			if (a.type === 'directory' && b.type !== 'directory') return -1;
+			if (a.type !== 'directory' && b.type === 'directory') return 1;
+			return a.name.localeCompare(b.name);
+		});
+
+		return json({
+			path,
+			parent: path === '/' ? null : join(path, '..'),
+			entries
+		});
+	} catch (error) {
+		console.error('Error listing directory:', error);
+		const message = error instanceof Error ? error.message : 'Unknown error';
+		return json({ error: `Failed to list directory: ${message}` }, { status: 500 });
+	}
+};
diff --git a/src/routes/api/system/files/content/+server.ts b/src/routes/api/system/files/content/+server.ts
new file mode 100644
index 0000000..13294ef
--- /dev/null
+++ b/src/routes/api/system/files/content/+server.ts
@@ -0,0 +1,55 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { readFileSync, existsSync, statSync } from 'node:fs';
+import { authorize } from '$lib/server/authorize';
+
+/**
+ * GET /api/system/files/content
+ * Read file content from Dockhand's local filesystem
+ *
+ * Query params:
+ * - path: File path to read
+ */
+export const GET: RequestHandler = async ({ url, cookies }) => {
+	const auth = await authorize(cookies);
+
+	if (auth.authEnabled && !await auth.can('stacks', 'edit')) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	const path = url.searchParams.get('path');
+
+	if (!path) {
+		return json({ error: 'Path is required' }, { status: 400 });
+	}
+
+	try {
+		if (!existsSync(path)) {
+			return json({ error: `File not found: ${path}` }, { status: 404 });
+		}
+
+		const stat = statSync(path);
+		if (stat.isDirectory()) {
+			return json({ error: `Cannot read directory as file: ${path}` }, { status: 400 });
+		}
+
+		// Limit file size to 10MB
+		const maxSize = 10 * 1024 * 1024;
+		if (stat.size > maxSize) {
+			return json({ error: `File too large (max ${maxSize / 1024 / 1024}MB)` }, { status: 400 });
+		}
+
+		const content = readFileSync(path, 'utf-8');
+
+		return json({
+			path,
+			content,
+			size: stat.size,
+			mtime: stat.mtime.toISOString()
+		});
+	} catch (error) {
+		console.error('Error reading file:', error);
+		const message = error instanceof Error ? error.message : 'Unknown error';
+		return json({ error: `Failed to read file: ${message}` }, { status: 500 });
+	}
+};
diff --git a/routes/api/users/+server.ts b/src/routes/api/users/+server.ts
similarity index 92%
rename from routes/api/users/+server.ts
rename to src/routes/api/users/+server.ts
index ea0f4ab..4d3616d 100644
--- a/routes/api/users/+server.ts
+++ b/src/routes/api/users/+server.ts
@@ -128,9 +128,15 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
 		}, { status: 201 });
 	} catch (error: any) {
 		console.error('Failed to create user:', error);
-		if (error.message?.includes('UNIQUE constraint failed')) {
+		console.error('Error details:', {
+			message: error.message,
+			code: error.code,
+			name: error.name,
+			stack: error.stack
+		});
+		if (error.message?.includes('UNIQUE constraint failed') || error.code === '23505') {
 			return json({ error: 'Username already exists' }, { status: 409 });
 		}
-		return json({ error: 'Failed to create user' }, { status: 500 });
+		return json({ error: 'Failed to create user', details: error.message }, { status: 500 });
 	}
 };
diff --git a/routes/api/users/[id]/+server.ts b/src/routes/api/users/[id]/+server.ts
similarity index 100%
rename from routes/api/users/[id]/+server.ts
rename to src/routes/api/users/[id]/+server.ts
diff --git a/routes/api/users/[id]/mfa/+server.ts b/src/routes/api/users/[id]/mfa/+server.ts
similarity index 81%
rename from routes/api/users/[id]/mfa/+server.ts
rename to src/routes/api/users/[id]/mfa/+server.ts
index 4fac9c4..d767452 100644
--- a/routes/api/users/[id]/mfa/+server.ts
+++ b/src/routes/api/users/[id]/mfa/+server.ts
@@ -1,9 +1,7 @@
 import { json } from '@sveltejs/kit';
 import type { RequestHandler } from '@sveltejs/kit';
-import { isEnterprise } from '$lib/server/license';
 import {
 	validateSession,
-	checkPermission,
 	generateMfaSetup,
 	verifyAndEnableMfa,
 	disableMfa
@@ -11,11 +9,6 @@ import {
 
 // POST /api/users/[id]/mfa - Setup MFA (generate QR code)
 export const POST: RequestHandler = async ({ params, request, cookies }) => {
-	// Check enterprise license
-	if (!(await isEnterprise())) {
-		return json({ error: 'Enterprise license required' }, { status: 403 });
-	}
-
 	const currentUser = await validateSession(cookies);
 
 	if (!params.id) {
@@ -38,12 +31,16 @@ export const POST: RequestHandler = async ({ params, request, cookies }) => {
 				return json({ error: 'MFA token is required' }, { status: 400 });
 			}
 
-			const success = await verifyAndEnableMfa(userId, body.token);
-			if (!success) {
+			const result = await verifyAndEnableMfa(userId, body.token);
+			if (!result.success) {
 				return json({ error: 'Invalid MFA code' }, { status: 400 });
 			}
 
-			return json({ success: true, message: 'MFA enabled successfully' });
+			return json({
+				success: true,
+				message: 'MFA enabled successfully',
+				backupCodes: result.backupCodes
+			});
 		}
 
 		// Generate new MFA setup
@@ -64,11 +61,6 @@ export const POST: RequestHandler = async ({ params, request, cookies }) => {
 
 // DELETE /api/users/[id]/mfa - Disable MFA
 export const DELETE: RequestHandler = async ({ params, cookies }) => {
-	// Check enterprise license
-	if (!(await isEnterprise())) {
-		return json({ error: 'Enterprise license required' }, { status: 403 });
-	}
-
 	const currentUser = await validateSession(cookies);
 
 	if (!params.id) {
diff --git a/routes/api/users/[id]/roles/+server.ts b/src/routes/api/users/[id]/roles/+server.ts
similarity index 100%
rename from routes/api/users/[id]/roles/+server.ts
rename to src/routes/api/users/[id]/roles/+server.ts
diff --git a/routes/api/volumes/+server.ts b/src/routes/api/volumes/+server.ts
similarity index 100%
rename from routes/api/volumes/+server.ts
rename to src/routes/api/volumes/+server.ts
diff --git a/routes/api/volumes/[name]/+server.ts b/src/routes/api/volumes/[name]/+server.ts
similarity index 100%
rename from routes/api/volumes/[name]/+server.ts
rename to src/routes/api/volumes/[name]/+server.ts
diff --git a/routes/api/volumes/[name]/browse/+server.ts b/src/routes/api/volumes/[name]/browse/+server.ts
similarity index 100%
rename from routes/api/volumes/[name]/browse/+server.ts
rename to src/routes/api/volumes/[name]/browse/+server.ts
diff --git a/routes/api/volumes/[name]/browse/content/+server.ts b/src/routes/api/volumes/[name]/browse/content/+server.ts
similarity index 100%
rename from routes/api/volumes/[name]/browse/content/+server.ts
rename to src/routes/api/volumes/[name]/browse/content/+server.ts
diff --git a/routes/api/volumes/[name]/browse/release/+server.ts b/src/routes/api/volumes/[name]/browse/release/+server.ts
similarity index 100%
rename from routes/api/volumes/[name]/browse/release/+server.ts
rename to src/routes/api/volumes/[name]/browse/release/+server.ts
diff --git a/routes/api/volumes/[name]/clone/+server.ts b/src/routes/api/volumes/[name]/clone/+server.ts
similarity index 100%
rename from routes/api/volumes/[name]/clone/+server.ts
rename to src/routes/api/volumes/[name]/clone/+server.ts
diff --git a/routes/api/volumes/[name]/export/+server.ts b/src/routes/api/volumes/[name]/export/+server.ts
similarity index 100%
rename from routes/api/volumes/[name]/export/+server.ts
rename to src/routes/api/volumes/[name]/export/+server.ts
diff --git a/routes/api/volumes/[name]/inspect/+server.ts b/src/routes/api/volumes/[name]/inspect/+server.ts
similarity index 100%
rename from routes/api/volumes/[name]/inspect/+server.ts
rename to src/routes/api/volumes/[name]/inspect/+server.ts
diff --git a/src/routes/attach/AttachPanel.svelte b/src/routes/attach/AttachPanel.svelte
new file mode 100644
index 0000000..0609d01
--- /dev/null
+++ b/src/routes/attach/AttachPanel.svelte
@@ -0,0 +1,188 @@
+<script lang="ts">
+	import { Copy, RefreshCw, Trash2, X } from 'lucide-svelte';
+	import { onDestroy, onMount } from 'svelte';
+	import AttachTerminal from './AttachTerminal.svelte';
+
+	interface Props {
+		containerId: string;
+		containerName: string;
+		visible: boolean;
+		envId: number | null;
+		fillHeight?: boolean;
+		onClose: () => void;
+	}
+
+	let { containerId, containerName, visible, envId, fillHeight = false, onClose }: Props = $props();
+
+	let attachComponent: ReturnType<typeof AttachTerminal>;
+	let panelRef: HTMLDivElement;
+	let connected = $state(false);
+
+	// Font size options
+	let fontSize = $state(13);
+	const fontSizeOptions = [10, 12, 13, 14, 16];
+
+	// Panel height with localStorage persistence
+	const STORAGE_KEY = 'dockhand-attach-panel-height';
+	const SETTINGS_STORAGE_KEY = 'dockhand-attach-settings';
+	const DEFAULT_HEIGHT = 300;
+	const MIN_HEIGHT = 150;
+	const MAX_HEIGHT = 600;
+
+	let panelHeight = $state(DEFAULT_HEIGHT);
+	let isDragging = $state(false);
+
+	// Load saved settings from localStorage
+	function loadSettings() {
+		if (typeof window !== 'undefined') {
+			// Load height
+			const savedHeight = localStorage.getItem(STORAGE_KEY);
+			if (savedHeight) {
+				const h = parseInt(savedHeight);
+				if (!isNaN(h) && h >= MIN_HEIGHT && h <= MAX_HEIGHT) {
+					panelHeight = h;
+				}
+			}
+			// Load other settings
+			const savedSettings = localStorage.getItem(SETTINGS_STORAGE_KEY);
+			if (savedSettings) {
+				try {
+					const settings = JSON.parse(savedSettings);
+					if (settings.fontSize !== undefined && fontSizeOptions.includes(settings.fontSize)) {
+						fontSize = settings.fontSize;
+					}
+				} catch {
+					// ignore parsing errors
+				}
+			}
+		}
+	}
+
+	// Save height to localStorage
+	function saveHeight() {
+		if (typeof window !== 'undefined') {
+			localStorage.setItem(STORAGE_KEY, String(panelHeight));
+		}
+	}
+
+	// Save settings to localStorage
+	function saveSettings() {
+		if (typeof window !== 'undefined') {
+			localStorage.setItem(
+				SETTINGS_STORAGE_KEY,
+				JSON.stringify({
+					fontSize
+				})
+			);
+		}
+	}
+
+	// Drag handle functionality
+	function startDrag(e: MouseEvent) {
+		e.preventDefault();
+		isDragging = true;
+		document.addEventListener('mousemove', handleDrag);
+		document.addEventListener('mouseup', stopDrag);
+	}
+
+	function handleDrag(e: MouseEvent) {
+		if (!isDragging || !panelRef) return;
+		const newHeight = window.innerHeight - e.clientY;
+		panelHeight = Math.max(MIN_HEIGHT, Math.min(MAX_HEIGHT, newHeight));
+	}
+
+	function stopDrag() {
+		isDragging = false;
+		document.removeEventListener('mousemove', handleDrag);
+		document.removeEventListener('mouseup', stopDrag);
+		saveHeight();
+		// Fit terminal after resize
+		setTimeout(() => attachComponent?.fit(), 50);
+	}
+
+	// Poll connected state
+	function pollConnected() {
+		if (attachComponent) {
+			connected = attachComponent.getConnected();
+		}
+	}
+
+	onMount(() => {
+		loadSettings();
+		const pollInterval = setInterval(pollConnected, 500);
+		return () => clearInterval(pollInterval);
+	});
+
+	onDestroy(() => {
+		document.removeEventListener('mousemove', handleDrag);
+		document.removeEventListener('mouseup', stopDrag);
+	});
+</script>
+
+<div
+	bind:this={panelRef}
+	class="border-t {isDragging ? 'cursor-row-resize' : ''}"
+	style={fillHeight ? 'height: 100%;' : `height: ${panelHeight}px;`}
+>
+	<div class="flex items-center justify-between h-9 px-3 py-1.5 border-b bg-muted/50 shrink-0">
+		<div class="flex items-center gap-2 min-w-0 flex-1">
+			<span class="text-xs font-medium truncate text-muted-foreground">Attach: {containerName}</span
+			>
+			{#if connected}
+				<span class="inline-flex items-center gap-1 text-xs text-green-500 whitespace-nowrap">
+					<span class="w-1.5 h-1.5 rounded-full bg-green-500 animate-pulse"></span>
+					Attached
+				</span>
+			{:else}
+				<span class="text-xs text-zinc-500 whitespace-nowrap">Detached</span>
+			{/if}
+		</div>
+		<div class="flex items-center gap-2 shrink-0">
+			<button
+				onclick={() => attachComponent?.copyOutput()}
+				title="Copy output"
+				class="p-1 rounded hover:bg-background transition-colors"
+			>
+				<Copy class="w-3.5 h-3.5 text-muted-foreground hover:text-foreground" />
+			</button>
+			<button
+				onclick={() => attachComponent?.clear()}
+				title="Clear"
+				class="p-1 rounded hover:bg-background transition-colors"
+			>
+				<Trash2 class="w-3.5 h-3.5 text-muted-foreground hover:text-foreground" />
+			</button>
+			<button
+				onclick={() => attachComponent?.reconnect()}
+				title="Reconnect"
+				class="p-1 rounded hover:bg-background transition-colors"
+			>
+				<RefreshCw class="w-3.5 h-3.5 text-muted-foreground hover:text-foreground" />
+			</button>
+			<button
+				onclick={onClose}
+				title="Close"
+				class="p-1 rounded hover:bg-background transition-colors"
+			>
+				<X class="w-3.5 h-3.5 text-muted-foreground hover:text-foreground" />
+			</button>
+		</div>
+	</div>
+
+	{#if !fillHeight}
+		<div
+			class="h-1 bg-border hover:bg-primary/30 cursor-row-resize transition-colors"
+			onmousedown={startDrag}
+		></div>
+	{/if}
+
+	<div class="flex-1 min-h-0 overflow-hidden">
+		<AttachTerminal bind:this={attachComponent} {containerId} {containerName} {envId} {fontSize} />
+	</div>
+</div>
+
+<style>
+	:global(.attach-terminal-container) {
+		height: 100%;
+	}
+</style>
diff --git a/src/routes/attach/AttachTerminal.svelte b/src/routes/attach/AttachTerminal.svelte
new file mode 100644
index 0000000..03519da
--- /dev/null
+++ b/src/routes/attach/AttachTerminal.svelte
@@ -0,0 +1,287 @@
+<script lang="ts">
+	import { themeStore } from '$lib/stores/theme';
+	import { getMonospaceFont } from '$lib/themes';
+	import { onDestroy, onMount } from 'svelte';
+
+	// Dynamic imports for browser-only xterm
+	let TerminalClass: any;
+	let FitAddon: any;
+	let WebLinksAddon: any;
+	let xtermLoaded = $state(false);
+
+	interface Props {
+		containerId: string;
+		containerName: string;
+		envId: number | null;
+		fontSize?: number;
+		autoConnect?: boolean;
+	}
+
+	let { containerId, containerName, envId, fontSize = 13, autoConnect = true }: Props = $props();
+
+	let terminal: any = null;
+	let fitAddon: any = null;
+	let ws: WebSocket | null = null;
+	let terminalRef: HTMLDivElement;
+
+	let connected = $state(false);
+	let error = $state<string | null>(null);
+
+	// Expose these via bindable props
+	export function getConnected() {
+		return connected;
+	}
+	export function getError() {
+		return error;
+	}
+
+	export function clear() {
+		terminal?.clear();
+		terminal?.focus();
+	}
+
+	export function focus() {
+		terminal?.focus();
+	}
+
+	export function fit() {
+		fitAddon?.fit();
+	}
+
+	export async function copyOutput(): Promise<string> {
+		if (!terminal) return '';
+		const buffer = terminal.buffer.active;
+		let text = '';
+		for (let i = 0; i < buffer.length; i++) {
+			const line = buffer.getLine(i);
+			if (line) {
+				text += line.translateToString(true) + '\n';
+			}
+		}
+		try {
+			await navigator.clipboard.writeText(text.trim());
+		} catch {
+			// Ignore clipboard errors
+		}
+		terminal.focus();
+		return text.trim();
+	}
+
+	export function setFontSize(size: number) {
+		if (terminal) {
+			terminal.options.fontSize = size;
+			fitAddon?.fit();
+		}
+	}
+
+	export function reconnect() {
+		if (ws) {
+			ws.close();
+			ws = null;
+		}
+		connected = false;
+		terminal?.writeln('\x1b[90m\r\nReconnecting...\x1b[0m');
+		connect();
+	}
+
+	export function disconnect() {
+		if (ws) {
+			ws.close();
+			ws = null;
+		}
+		connected = false;
+	}
+
+	export function dispose() {
+		if (ws) ws.close();
+		if (terminal) terminal.dispose();
+		ws = null;
+		terminal = null;
+		fitAddon = null;
+	}
+
+	function getTerminalFontFamily(): string {
+		const fontMeta = getMonospaceFont($themeStore.terminalFont);
+		return fontMeta?.family || 'ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace';
+	}
+
+	function initTerminal() {
+		if (!terminalRef || !xtermLoaded || terminal) return;
+
+		terminal = new TerminalClass({
+			cursorBlink: true,
+			fontFamily: getTerminalFontFamily(),
+			fontSize,
+			theme: {
+				background: '#0c0c0c',
+				foreground: '#cccccc',
+				cursor: '#ffffff',
+				cursorAccent: '#000000',
+				selectionBackground: '#264f78',
+				black: '#0c0c0c',
+				red: '#c50f1f',
+				green: '#13a10e',
+				yellow: '#c19c00',
+				blue: '#0037da',
+				magenta: '#881798',
+				cyan: '#3a96dd',
+				white: '#cccccc',
+				brightBlack: '#767676',
+				brightRed: '#e74856',
+				brightGreen: '#16c60c',
+				brightYellow: '#f9f1a5',
+				brightBlue: '#3b78ff',
+				brightMagenta: '#b4009e',
+				brightCyan: '#61d6d6',
+				brightWhite: '#f2f2f2'
+			}
+		});
+
+		fitAddon = new FitAddon();
+		terminal.loadAddon(fitAddon);
+		terminal.loadAddon(new WebLinksAddon());
+
+		terminal.open(terminalRef);
+		fitAddon.fit();
+
+		// Handle Ctrl+L to clear terminal
+		terminal.attachCustomKeyEventHandler((e: KeyboardEvent) => {
+			if ((e.ctrlKey || e.metaKey) && e.key === 'l') {
+				e.preventDefault();
+				clear();
+				return false;
+			}
+			return true;
+		});
+
+		// Handle terminal input
+		terminal.onData((data: string) => {
+			if (ws && ws.readyState === WebSocket.OPEN) {
+				ws.send(JSON.stringify({ type: 'input', data: data }));
+			}
+		});
+
+		// Handle resize
+		terminal.onResize(({ cols, rows }: { cols: number; rows: number }) => {
+			if (ws && ws.readyState === WebSocket.OPEN) {
+				ws.send(JSON.stringify({ type: 'resize', cols, rows }));
+			}
+		});
+
+		if (autoConnect) {
+			connect();
+		}
+	}
+
+	function connect() {
+		if (!terminal) return;
+
+		error = null;
+		const protocol = window.location.protocol === 'https:' ? 'wss:' : 'ws:';
+		const wsHost = window.location.hostname;
+		// In dev mode (vite), connect directly to the WS server on port 5174
+		// In production, connect to the same port as the app
+		const isDev = import.meta.env.DEV;
+		const portPart = isDev ? ':5174' : window.location.port ? `:${window.location.port}` : '';
+		let wsUrl = `${protocol}//${wsHost}${portPart}/api/containers/${containerId}/attach`;
+
+		if (envId) {
+			wsUrl += `?envId=${envId}`;
+		}
+
+		terminal.writeln(`\x1b[90mAttaching to ${containerName}...\x1b[0m`);
+		terminal.writeln('');
+
+		ws = new WebSocket(wsUrl);
+
+		ws.onopen = () => {
+			connected = true;
+			terminal?.focus();
+			if (fitAddon && terminal) {
+				const dims = fitAddon.proposeDimensions();
+				if (dims) {
+					ws?.send(JSON.stringify({ type: 'resize', cols: dims.cols, rows: dims.rows }));
+				}
+			}
+		};
+
+		ws.onmessage = (event) => {
+			try {
+				const msg = JSON.parse(event.data);
+				if (msg.type === 'output') {
+					terminal?.write(msg.data);
+				} else if (msg.type === 'error') {
+					error = msg.message;
+					terminal?.writeln(`\x1b[31mError: ${msg.message}\x1b[0m`);
+				} else if (msg.type === 'exit') {
+					terminal?.writeln('\x1b[90m\r\nAttachment ended.\x1b[0m');
+					connected = false;
+				}
+			} catch {
+				terminal?.write(event.data);
+			}
+		};
+
+		ws.onerror = () => {
+			error = 'Connection error';
+			terminal?.writeln('\x1b[31mConnection error\x1b[0m');
+		};
+
+		ws.onclose = () => {
+			connected = false;
+			terminal?.writeln('\x1b[90mDetached.\x1b[0m');
+		};
+	}
+
+	function handleResize() {
+		fitAddon?.fit();
+	}
+
+	$effect(() => {
+		if (xtermLoaded && terminalRef && !terminal) {
+			setTimeout(initTerminal, 50);
+		}
+	});
+
+	// Update font when terminal font preference changes
+	$effect(() => {
+		if (terminal && $themeStore.terminalFont) {
+			const fontFamily = getTerminalFontFamily();
+			terminal.options.fontFamily = fontFamily;
+			fitAddon?.fit();
+		}
+	});
+
+	onMount(async () => {
+		window.addEventListener('resize', handleResize);
+
+		const xtermModule = await import('@xterm/xterm');
+		const fitModule = await import('@xterm/addon-fit');
+		const webLinksModule = await import('@xterm/addon-web-links');
+
+		TerminalClass = xtermModule.Terminal || xtermModule.default?.Terminal;
+		FitAddon = fitModule.FitAddon || fitModule.default?.FitAddon;
+		WebLinksAddon = webLinksModule.WebLinksAddon || webLinksModule.default?.WebLinksAddon;
+
+		await import('@xterm/xterm/css/xterm.css');
+		xtermLoaded = true;
+	});
+
+	onDestroy(() => {
+		window.removeEventListener('resize', handleResize);
+		dispose();
+	});
+</script>
+
+<div bind:this={terminalRef} class="h-full w-full terminal-container"></div>
+
+<style>
+	.terminal-container :global(.xterm) {
+		height: 100%;
+		padding: 4px;
+	}
+
+	.terminal-container :global(.xterm-viewport) {
+		overflow-y: auto !important;
+	}
+</style>
diff --git a/src/routes/attach/[id]/+page.svelte b/src/routes/attach/[id]/+page.svelte
new file mode 100644
index 0000000..b10badb
--- /dev/null
+++ b/src/routes/attach/[id]/+page.svelte
@@ -0,0 +1,340 @@
+<script lang="ts">
+	import { page } from '$app/stores';
+	import { appendEnvParam, currentEnvironment } from '$lib/stores/environment';
+	import type { ContainerInfo } from '$lib/types';
+	import { Terminal as TerminalIcon } from 'lucide-svelte';
+	import { onDestroy, onMount } from 'svelte';
+
+	// Dynamic imports for browser-only xterm
+	let Terminal: any;
+	let FitAddon: any;
+	let WebLinksAddon: any;
+	let xtermLoaded = $state(false);
+
+	let terminalRef = $state<HTMLDivElement | undefined>();
+	let terminal = $state<any>(null);
+	let fitAddon = $state<any>(null);
+	let ws = $state<WebSocket | null>(null);
+	let connected = $state(false);
+	let error = $state<string | null>(null);
+	let containerName = $state('');
+	let containerValid = $state(false);
+	let validationError = $state<string | null>(null);
+	let envId = $state<number | null>(null);
+	let containerInfo = $state<ContainerInfo | null>(null);
+
+	// Get params from URL
+	let containerId = $derived($page.params.id);
+	let name = $derived($page.url.searchParams.get('name') || 'Container');
+
+	// Subscribe to environment changes
+	currentEnvironment.subscribe((env) => {
+		envId = env?.id ?? null;
+		if (env) {
+			validateContainer();
+		}
+	});
+
+	// Check if container can be attached to
+	function canAttachToContainer(container: ContainerInfo): boolean {
+		// Container must be running
+		if (container.state !== 'running') {
+			return false;
+		}
+		return true;
+	}
+
+	// Get validation error message for a container
+	function getAttachValidationError(container: ContainerInfo): string | null {
+		if (container.state !== 'running') {
+			return `Container is ${container.state} (must be running)`;
+		}
+		return null;
+	}
+
+	async function validateContainer() {
+		try {
+			const response = await fetch(appendEnvParam(`/api/containers/${containerId}`, envId));
+			if (!response.ok) {
+				validationError = 'Container not found';
+				containerValid = false;
+				return;
+			}
+
+			const container = await response.json();
+			containerInfo = container;
+
+			if (!canAttachToContainer(container)) {
+				validationError = getAttachValidationError(container);
+				containerValid = false;
+			} else {
+				validationError = null;
+				containerValid = true;
+			}
+		} catch (err) {
+			console.error('Failed to validate container:', err);
+			validationError = 'Failed to validate container';
+			containerValid = false;
+		}
+	}
+
+	function initTerminal() {
+		if (!terminalRef || terminal || !xtermLoaded) return;
+
+		// Validate container before initializing terminal
+		if (!containerValid || !containerInfo) {
+			return;
+		}
+
+		containerName = containerInfo.name || name;
+
+		terminal = new Terminal({
+			cursorBlink: true,
+			fontFamily: 'Menlo, Monaco, "Courier New", monospace',
+			fontSize: 14,
+			theme: {
+				background: '#0c0c0c',
+				foreground: '#cccccc',
+				cursor: '#ffffff',
+				cursorAccent: '#000000',
+				selectionBackground: '#264f78',
+				black: '#0c0c0c',
+				red: '#c50f1f',
+				green: '#13a10e',
+				yellow: '#c19c00',
+				blue: '#0037da',
+				magenta: '#881798',
+				cyan: '#3a96dd',
+				white: '#cccccc',
+				brightBlack: '#767676',
+				brightRed: '#e74856',
+				brightGreen: '#16c60c',
+				brightYellow: '#f9f1a5',
+				brightBlue: '#3b78ff',
+				brightMagenta: '#b4009e',
+				brightCyan: '#61d6d6',
+				brightWhite: '#f2f2f2'
+			}
+		});
+
+		fitAddon = new FitAddon();
+		terminal.loadAddon(fitAddon);
+		terminal.loadAddon(new WebLinksAddon());
+
+		terminal.open(terminalRef);
+		fitAddon.fit();
+
+		// Handle Ctrl+L to clear terminal
+		terminal.attachCustomKeyEventHandler((e: KeyboardEvent) => {
+			if ((e.ctrlKey || e.metaKey) && e.key === 'l') {
+				e.preventDefault();
+				terminal?.clear();
+				return false;
+			}
+			return true;
+		});
+
+		// Handle terminal input
+		terminal.onData((data: string) => {
+			if (ws && ws.readyState === WebSocket.OPEN) {
+				ws.send(JSON.stringify({ type: 'input', data }));
+			}
+		});
+
+		// Handle resize
+		terminal.onResize(({ cols, rows }: { cols: number; rows: number }) => {
+			if (ws && ws.readyState === WebSocket.OPEN) {
+				ws.send(JSON.stringify({ type: 'resize', cols, rows }));
+			}
+		});
+
+		// Connect to container
+		connect();
+	}
+
+	function connect() {
+		if (!terminal || !containerValid) return;
+
+		error = null;
+		const protocol = window.location.protocol === 'https:' ? 'wss:' : 'ws:';
+		const isDev = import.meta.env.DEV;
+		const wsHost = window.location.hostname;
+		const portPart = isDev ? ':5174' : window.location.port ? `:${window.location.port}` : '';
+		let wsUrl = `${protocol}//${wsHost}${portPart}/api/containers/${containerId}/attach`;
+		if (envId) {
+			wsUrl += `?envId=${envId}`;
+		}
+
+		terminal.writeln(`\x1b[90mAttaching to ${containerName}...\x1b[0m`);
+		terminal.writeln(`\x1b[90mContainer: ${containerInfo?.image || 'unknown'}\x1b[0m`);
+		terminal.writeln('');
+
+		ws = new WebSocket(wsUrl);
+
+		ws.onopen = () => {
+			connected = true;
+			document.title = `Attach - ${containerName}`;
+			terminal?.focus();
+			// Send initial resize
+			if (fitAddon && terminal) {
+				const dims = fitAddon.proposeDimensions();
+				if (dims) {
+					ws?.send(JSON.stringify({ type: 'resize', cols: dims.cols, rows: dims.rows }));
+				}
+			}
+		};
+
+		ws.onmessage = (event) => {
+			try {
+				const msg = JSON.parse(event.data);
+				if (msg.type === 'output') {
+					terminal?.write(msg.data);
+				} else if (msg.type === 'error') {
+					error = msg.message;
+					terminal?.writeln(`\x1b[31mError: ${msg.message}\x1b[0m`);
+				} else if (msg.type === 'exit') {
+					terminal?.writeln('\x1b[90m\r\nAttachment ended.\x1b[0m');
+					connected = false;
+				}
+			} catch (e) {
+				terminal?.write(event.data);
+			}
+		};
+
+		ws.onerror = (e) => {
+			console.error('WebSocket error:', e);
+			error = 'Connection error';
+			terminal?.writeln('\x1b[31mConnection error\x1b[0m');
+		};
+
+		ws.onclose = () => {
+			connected = false;
+			terminal?.writeln('\x1b[90mDetached.\x1b[0m');
+		};
+	}
+
+	function disconnect() {
+		if (ws) {
+			ws.close();
+			ws = null;
+		}
+	}
+
+	function cleanup() {
+		disconnect();
+		if (terminal) {
+			terminal.dispose();
+			terminal = null;
+		}
+		fitAddon = null;
+	}
+
+	// Handle window resize
+	function handleResize() {
+		if (fitAddon && terminal) {
+			fitAddon.fit();
+		}
+	}
+
+	onMount(async () => {
+		window.addEventListener('resize', handleResize);
+
+		// Validate container immediately
+		await validateContainer();
+
+		// Dynamically load xterm modules (browser only)
+		const xtermModule = await import('@xterm/xterm');
+		const fitModule = await import('@xterm/addon-fit');
+		const webLinksModule = await import('@xterm/addon-web-links');
+
+		// Handle both ESM and CommonJS exports
+		Terminal = xtermModule.Terminal || xtermModule.default?.Terminal;
+		FitAddon = fitModule.FitAddon || fitModule.default?.FitAddon;
+		WebLinksAddon = webLinksModule.WebLinksAddon || webLinksModule.default?.WebLinksAddon;
+
+		// Load CSS
+		await import('@xterm/xterm/css/xterm.css');
+		xtermLoaded = true;
+
+		// Initialize terminal after xterm is loaded
+		setTimeout(() => {
+			initTerminal();
+		}, 100);
+	});
+
+	onDestroy(() => {
+		window.removeEventListener('resize', handleResize);
+		cleanup();
+	});
+</script>
+
+<svelte:head>
+	<title>Attach - {containerName || 'Loading...'}</title>
+</svelte:head>
+
+<div class="h-screen w-screen flex flex-col bg-[#0c0c0c]">
+	<!-- Header -->
+	<div
+		class="flex items-center justify-between px-4 py-2 bg-zinc-900 border-b border-zinc-800 shrink-0"
+	>
+		<div class="flex items-center gap-2">
+			<TerminalIcon class="w-4 h-4 text-zinc-400" />
+			<span class="text-sm text-zinc-200 font-medium">{containerName || containerId}</span>
+			{#if containerValid}
+				{#if connected}
+					<span class="inline-flex items-center gap-1 text-xs text-green-500">
+						<span class="w-2 h-2 rounded-full bg-green-500 animate-pulse"></span>
+						Attached
+					</span>
+				{:else}
+					<span class="text-xs text-zinc-500">Connecting...</span>
+				{/if}
+			{:else if validationError}
+				<span class="text-xs text-red-500">{validationError}</span>
+			{:else}
+				<span class="text-xs text-zinc-500">Validating...</span>
+			{/if}
+		</div>
+		<div class="flex items-center gap-2 text-xs text-zinc-500">
+			<span>Attach Mode</span>
+		</div>
+	</div>
+
+	<!-- Terminal or Error message -->
+	<div class="flex-1 p-2 overflow-hidden flex flex-col">
+		{#if validationError}
+			<div class="flex items-center justify-center h-full">
+				<div class="text-center">
+					<TerminalIcon class="w-12 h-12 mx-auto mb-3 opacity-50 text-red-500" />
+					<p class="text-zinc-400 mb-2">{validationError}</p>
+					<p class="text-zinc-600 text-sm">
+						Go back to <a href="/attach" class="text-blue-500 hover:text-blue-400">attach</a> page
+					</p>
+				</div>
+			</div>
+		{:else if xtermLoaded && containerValid}
+			<div bind:this={terminalRef} class="h-full w-full"></div>
+		{:else}
+			<div class="h-full w-full flex items-center justify-center">
+				<span class="text-zinc-500">Loading...</span>
+			</div>
+		{/if}
+	</div>
+</div>
+
+<style>
+	:global(body) {
+		margin: 0;
+		padding: 0;
+		overflow: hidden;
+	}
+
+	:global(.xterm) {
+		height: 100%;
+		padding: 8px;
+	}
+
+	:global(.xterm-viewport) {
+		overflow-y: auto !important;
+	}
+</style>
diff --git a/routes/audit/+page.svelte b/src/routes/audit/+page.svelte
similarity index 100%
rename from routes/audit/+page.svelte
rename to src/routes/audit/+page.svelte
diff --git a/routes/audit/+server.ts b/src/routes/audit/+server.ts
similarity index 100%
rename from routes/audit/+server.ts
rename to src/routes/audit/+server.ts
diff --git a/routes/audit/users/+server.ts b/src/routes/audit/users/+server.ts
similarity index 100%
rename from routes/audit/users/+server.ts
rename to src/routes/audit/users/+server.ts
diff --git a/routes/containers/+page.svelte b/src/routes/containers/+page.svelte
similarity index 86%
rename from routes/containers/+page.svelte
rename to src/routes/containers/+page.svelte
index 8fa394a..8018400 100644
--- a/routes/containers/+page.svelte
+++ b/src/routes/containers/+page.svelte
@@ -1,5 +1,7 @@
 <script lang="ts">
 	import { onMount, onDestroy } from 'svelte';
+	import { goto } from '$app/navigation';
+	import { page } from '$app/stores';
 	import { toast } from 'svelte-sonner';
 	import * as Dialog from '$lib/components/ui/dialog';
 	import * as Popover from '$lib/components/ui/popover';
@@ -49,9 +51,11 @@
 		ShieldX,
 		Shield,
 		ShieldCheck,
-		Box
+		Box,
+		Zap
 	} from 'lucide-svelte';
 	import { broom } from '@lucide/lab';
+	import AttachPanel from '../attach/AttachPanel.svelte';
 	import CreateContainerModal from './CreateContainerModal.svelte';
 	import EditContainerModal from './EditContainerModal.svelte';
 	import TerminalPanel from '../terminal/TerminalPanel.svelte';
@@ -204,11 +208,27 @@
 		user: string;
 	}
 	let activeTerminals = $state<ActiveTerminal[]>([]);
-	let currentTerminalContainerId = $state<string | null>(null);
 	let terminalPopoverStates = $state<Record<string, boolean>>({});
 	let terminalShell = $state('/bin/bash');
 	let terminalUser = $state('root');
 
+	// Attach state - track active attach sessions per container
+	interface ActiveAttach {
+		containerId: string;
+		containerName: string;
+	}
+	let activeAttach = $state<ActiveAttach[]>([]);
+
+	// Helper to check if container has active terminal
+	function hasActiveAttach(containerId: string): boolean {
+		return activeAttach.some(t => t.containerId === containerId);
+	}
+
+	// Helper to get active terminal
+	function getActiveAttach(containerId: string): ActiveAttach | undefined {
+		return activeAttach.find(t => t.containerId === containerId);
+	}
+
 	// Confirmation popover state
 	let confirmStopId = $state<string | null>(null);
 	let confirmRestartId = $state<string | null>(null);
@@ -522,7 +542,6 @@
 		containerName: string;
 	}
 	let activeLogs = $state<ActiveLogs[]>([]);
-	let currentLogsContainerId = $state<string | null>(null);
 
 	// Helper to check if container has active logs
 	function hasActiveLogs(containerId: string): boolean {
@@ -1015,8 +1034,7 @@
 		const existingTerminal = getActiveTerminal(container.id);
 		if (existingTerminal) {
 			// Just show the existing terminal
-			currentTerminalContainerId = container.id;
-			terminalPopoverStates[container.id] = false;
+			return;
 		} else {
 			// Show popover to configure new terminal
 			terminalPopoverStates[container.id] = true;
@@ -1024,6 +1042,11 @@
 	}
 
 	function startTerminal(container: ContainerInfo) {
+		// Check if we already have 2 active sessions
+		if (activeTerminals.length + activeAttach.length >= 2) {
+			toast.error('Maximum 2 terminal sessions allowed');
+			return;
+		}
 		// Create new terminal session
 		const terminal: ActiveTerminal = {
 			containerId: container.id,
@@ -1032,22 +1055,35 @@
 			user: terminalUser
 		};
 		activeTerminals = [...activeTerminals, terminal];
-		currentTerminalContainerId = container.id;
-		terminalPopoverStates[container.id] = false;
 	}
 
 	function closeTerminal(containerId: string) {
 		activeTerminals = activeTerminals.filter(t => t.containerId !== containerId);
-		if (currentTerminalContainerId === containerId) {
-			currentTerminalContainerId = null;
+	}
+
+	function startAttach(container: ContainerInfo) {
+		// Check if we already have 2 active sessions
+		if (activeTerminals.length + activeAttach.length >= 2) {
+			toast.error('Maximum 2 terminal sessions allowed');
+			return;
 		}
+		// Create new attach session - automatically open it
+		const attach: ActiveAttach = {
+			containerId: container.id,
+			containerName: container.name
+		};
+		activeAttach = [...activeAttach, attach];
+	}
+
+	function closeAttach(containerId: string) {
+		activeAttach = activeAttach.filter((a) => a.containerId !== containerId);
 	}
 
 	function showLogs(container: ContainerInfo) {
 		// Check if there's already active logs for this container
 		if (hasActiveLogs(container.id)) {
 			// Just show the existing logs
-			currentLogsContainerId = container.id;
+			return;
 		} else {
 			// Create new logs session
 			const logs: ActiveLogs = {
@@ -1055,33 +1091,15 @@
 				containerName: container.name
 			};
 			activeLogs = [...activeLogs, logs];
-			currentLogsContainerId = container.id;
 		}
 	}
 
 	function closeLogs(containerId: string) {
 		activeLogs = activeLogs.filter(l => l.containerId !== containerId);
-		if (currentLogsContainerId === containerId) {
-			currentLogsContainerId = null;
-		}
 	}
 
 	function selectContainer(container: ContainerInfo) {
-		// Handle logs - show if container has active logs, hide otherwise
-		if (hasActiveLogs(container.id)) {
-			currentLogsContainerId = container.id;
-		} else if (currentLogsContainerId) {
-			// Hide current logs but keep the session active
-			currentLogsContainerId = null;
-		}
-
-		// Handle terminal - show if container has active terminal, hide otherwise
-		if (hasActiveTerminal(container.id)) {
-			currentTerminalContainerId = container.id;
-		} else if (currentTerminalContainerId) {
-			// Hide current terminal but keep the session active
-			currentTerminalContainerId = null;
-		}
+		// No longer needed since all panels are shown
 	}
 
 	function editContainer(id: string) {
@@ -1299,6 +1317,12 @@
 		loadLayoutMode();
 		loadStatusFilter();
 
+		// Check for image filter from URL params (from images page link)
+		const imageParam = $page.url.searchParams.get('image');
+		if (imageParam) {
+			searchQuery = imageParam;
+		}
+
 		// Load persisted pending updates from database
 		loadPendingUpdates();
 
@@ -1362,42 +1386,32 @@
 				defaultIcon={Box}
 			/>
 			<div class="flex gap-2">
-				{#if $canAccess('containers', 'create')}
-				<Button size="sm" variant="secondary" onclick={() => (showCreateModal = true)}>
-					<Plus class="w-3.5 h-3.5 mr-1" />
-					Create
-				</Button>
-				{/if}
-				<Button
-					size="sm"
-					variant="outline"
-					onclick={checkForUpdates}
-					disabled={updateCheckStatus === 'checking'}
-					title="Check for available updates"
-				>
-					{#if updateCheckStatus === 'checking'}
-						<CircleArrowUp class="w-3.5 h-3.5 mr-1 animate-spin" />
-					{:else if updateCheckStatus === 'none' || updateCheckStatus === 'found'}
-						<Check class="w-3.5 h-3.5 mr-1 text-green-600" />
-					{:else if updateCheckStatus === 'error'}
-						<XCircle class="w-3.5 h-3.5 mr-1 text-destructive" />
-					{:else}
-						<CircleArrowUp class="w-3.5 h-3.5 mr-1" />
+					{#if $canAccess('containers', 'create')}
+					<Button size="sm" variant="secondary" onclick={() => (showCreateModal = true)}>
+						<Plus class="w-3.5 h-3.5 mr-1" />
+						Create
+					</Button>
 					{/if}
-					Check for updates
-				</Button>
-				{#if batchUpdateContainerIds.length > 0}
-				<Button
-					size="sm"
-					variant="outline"
-					onclick={updateAllContainers}
-					class="border-amber-500/40 text-amber-600 hover:bg-amber-500/10 hover:border-amber-500"
-					title="Update all containers with available updates"
-				>
-					<CircleArrowUp class="w-3.5 h-3.5 mr-1" />
-					Update all ({batchUpdateContainerIds.length})
-				</Button>
-				{/if}
+
+					<!-- Check for updates -->
+					<Button size="sm" variant="outline" onclick={checkForUpdates} title="Check for container updates">
+						{#if updateCheckStatus === 'checking'}
+							<CircleArrowUp class="w-3.5 h-3.5 mr-1 animate-spin" />
+						{:else if updateCheckStatus === 'none' || updateCheckStatus === 'found'}
+							<Check class="w-3.5 h-3.5 mr-1 text-green-600" />
+						{:else if updateCheckStatus === 'error'}
+							<XCircle class="w-3.5 h-3.5 mr-1 text-destructive" />
+						{:else}
+							<CircleArrowUp class="w-3.5 h-3.5 mr-1" />
+						{/if}
+						Check for updates
+					</Button>
+
+					<!-- Update all (open batch modal) -->
+					<Button size="sm" variant="outline" onclick={updateAllContainers} disabled={batchUpdateContainerIds.length === 0} title="Update all containers with available updates">
+						<CircleArrowUp class="w-3.5 h-3.5 mr-1" />
+						Update all ({batchUpdateContainerIds.length})
+					</Button>
 				{#if $canAccess('containers', 'remove')}
 				<ConfirmPopover
 					open={confirmPrune}
@@ -1610,15 +1624,12 @@
 				highlightedKey={highlightedRowId}
 				rowClass={(container) => {
 					let classes = '';
-					if (currentLogsContainerId === container.id) classes += 'bg-blue-500/10 hover:bg-blue-500/15 ';
-					if (currentTerminalContainerId === container.id) classes += 'bg-green-500/10 hover:bg-green-500/15 ';
+					if (hasActiveLogs(container.id)) classes += 'bg-blue-500/10 hover:bg-blue-500/15 ';
+					if (hasActiveTerminal(container.id)) classes += 'bg-green-500/10 hover:bg-green-500/15 ';
 					if ($appSettings.highlightUpdates && containersWithUpdatesSet.has(container.id)) classes += 'has-update ';
 					return classes;
 				}}
 				onRowClick={(container, e) => {
-					if (activeLogs.length > 0 || activeTerminals.length > 0) {
-						selectContainer(container);
-					}
 					highlightedRowId = highlightedRowId === container.id ? null : container.id;
 				}}
 			>
@@ -1626,7 +1637,12 @@
 					{@const ports = formatPorts(container.ports)}
 					{@const stack = getComposeProject(container.labels)}
 					{#if column.id === 'name'}
-						<span class="text-xs font-medium truncate block" title={container.name}>{container.name}</span>
+						<button
+							type="button"
+							class="text-xs font-medium truncate block text-left hover:text-primary hover:underline cursor-pointer"
+							title={container.name}
+							onclick={(e) => { e.stopPropagation(); inspectContainer(container); }}
+						>{container.name}</button>
 					{:else if column.id === 'image'}
 						<div class="flex items-center gap-1.5 {$appSettings.highlightUpdates && containersWithUpdatesSet.has(container.id) ? 'update-border' : ''}">
 							{#if containersWithUpdatesSet.has(container.id)}
@@ -1681,7 +1697,10 @@
 						<div class="{isFieldHighlighted(container.id, 'memory') ? 'stat-highlight' : ''} text-right">
 							{#if containerStats.get(container.id)}
 								{@const stats = containerStats.get(container.id)}
-								<span class="text-xs font-mono {stats.memoryPercent > 80 ? 'text-red-500' : stats.memoryPercent > 50 ? 'text-yellow-500' : 'text-muted-foreground'}" title="{formatBytes(stats.memoryUsage)} / {formatBytes(stats.memoryLimit)}">{formatBytes(stats.memoryUsage)}</span>
+								{@const memoryTooltip = stats.memoryCache > 0
+									? `${formatBytes(stats.memoryUsage)} / ${formatBytes(stats.memoryLimit)} (Total: ${formatBytes(stats.memoryRaw)} | Cache: ${formatBytes(stats.memoryCache)})`
+									: `${formatBytes(stats.memoryUsage)} / ${formatBytes(stats.memoryLimit)}`}
+								<span class="text-xs font-mono {stats.memoryPercent > 80 ? 'text-red-500' : stats.memoryPercent > 50 ? 'text-yellow-500' : 'text-muted-foreground'}" title={memoryTooltip}>{formatBytes(stats.memoryUsage)}</span>
 							{:else if container.state === 'running'}
 								<span class="text-xs text-muted-foreground/50">...</span>
 							{:else}
@@ -1765,7 +1784,13 @@
 						{/if}
 					{:else if column.id === 'stack'}
 						{#if stack}
-							<Badge variant="outline" class="text-xs py-0 px-1.5">{stack}</Badge>
+							<button
+								type="button"
+								onclick={(e) => { e.stopPropagation(); goto(appendEnvParam(`/stacks?search=${encodeURIComponent(stack)}`, envId)); }}
+								class="cursor-pointer"
+							>
+								<Badge variant="outline" class="text-xs py-0 px-1.5 hover:bg-primary/10 hover:border-primary/50 transition-colors">{stack}</Badge>
+							</button>
 						{:else}
 							<span class="text-gray-400 dark:text-gray-600 text-xs">-</span>
 						{/if}
@@ -1878,8 +1903,8 @@
 							{#if hasActiveLogs(container.id)}
 								<button
 									type="button"
-									onclick={(e) => { e.stopPropagation(); currentLogsContainerId = container.id; }}
-									title="Show logs"
+									onclick={(e) => { e.stopPropagation(); closeLogs(container.id); }}
+									title="Close logs"
 									class="p-0.5 rounded hover:bg-muted transition-colors opacity-70 hover:opacity-100 cursor-pointer"
 								>
 									<FileText class="w-4 h-4 text-blue-400" style="filter: drop-shadow(0 0 4px rgba(96,165,250,0.9)) drop-shadow(0 0 8px rgba(96,165,250,0.6));" strokeWidth={2.5} />
@@ -1895,74 +1920,112 @@
 								</button>
 							{/if}
 							{/if}
-							{#if container.state === 'running' && $canAccess('containers', 'exec')}
-							{#if hasActiveTerminal(container.id)}
-								<button
-									type="button"
-									onclick={(e) => { e.stopPropagation(); currentTerminalContainerId = container.id; }}
-									title="Show terminal"
-									class="p-0.5 rounded hover:bg-muted transition-colors opacity-70 hover:opacity-100 cursor-pointer"
-								>
-									<Terminal class="w-4 h-4 text-green-400" style="filter: drop-shadow(0 0 4px rgba(74,222,128,0.9)) drop-shadow(0 0 8px rgba(74,222,128,0.6));" strokeWidth={2.5} />
-								</button>
-							{:else}
-								<Popover.Root open={terminalPopoverStates[container.id] ?? false} onOpenChange={(open) => { terminalPopoverStates[container.id] = open; }}>
-									<Popover.Trigger
-										onclick={(e: MouseEvent) => e.stopPropagation()}
-										class="p-0.5 rounded hover:bg-muted transition-colors opacity-70 hover:opacity-100 cursor-pointer"
+							   {#if container.state === 'running' && $canAccess('containers', 'exec')}
+							   {#if hasActiveTerminal(container.id) || hasActiveAttach(container.id)}
+								   <button
+									   type="button"
+									   onclick={(e) => {
+										   e.stopPropagation();
+										   if (hasActiveTerminal(container.id)) {
+											   closeTerminal(container.id);
+										   } else if (hasActiveAttach(container.id)) {
+											   closeAttach(container.id);
+										   }
+									   }}
+									   title={hasActiveTerminal(container.id) || hasActiveAttach(container.id) ? "Close terminal" : "Open terminal"}
+									   class="p-0.5 rounded hover:bg-muted transition-colors opacity-70 hover:opacity-100 cursor-pointer"
+								   >
+									   {#if hasActiveAttach(container.id) && hasActiveTerminal(container.id)}
+										   <Terminal
+											   class="w-4 h-4 text-cyan-400"
+											   style="filter: drop-shadow(0 0 4px #06b6d4) drop-shadow(0 0 8px #06b6d4);"
+											   strokeWidth={2.5}
+										   />
+									   {:else if hasActiveAttach(container.id)}
+										   <Terminal
+											   class="w-4 h-4 text-yellow-400"
+											   style="filter: drop-shadow(0 0 4px #facc15) drop-shadow(0 0 8px #facc15);"
+											   strokeWidth={2.5}
+										   />
+									   {:else}
+										   <Terminal
+											   class="w-4 h-4 text-green-400"
+											   style="filter: drop-shadow(0 0 4px #4ade80) drop-shadow(0 0 8px #4ade80);"
+											   strokeWidth={2.5}
+										   />
+									   {/if}
+								   </button>
+							   {:else}
+									<Popover.Root
+										open={terminalPopoverStates[container.id] ?? false}
+										onOpenChange={(open) => {
+											terminalPopoverStates[container.id] = open;
+										}}
 									>
-										<Terminal class="w-3 h-3 text-muted-foreground hover:text-foreground" />
-									</Popover.Trigger>
-									<Popover.Content class="w-56 p-0" align="end" sideOffset={5}>
-										<div class="px-3 py-2 border-b bg-muted/50">
-											<div class="flex items-center gap-2">
+										<Popover.Trigger
+											onclick={(e: MouseEvent) => e.stopPropagation()}
+											class="p-0.5 rounded hover:bg-muted transition-colors opacity-70 hover:opacity-100 cursor-pointer"
+										>
+											<Terminal class="w-3 h-3 text-muted-foreground hover:text-foreground" />
+										</Popover.Trigger>
+										<Popover.Content class="w-60 p-0" align="end" sideOffset={5}>
+											<div class="px-3 py-2 border-b bg-muted/50 flex items-center gap-2">
 												<Terminal class="w-3.5 h-3.5 text-muted-foreground" />
 												<span class="text-xs font-medium truncate" title={container.name}>{container.name}</span>
 											</div>
-										</div>
-										<div class="p-3 space-y-3">
-											<div class="space-y-1.5">
-												<Label class="text-xs">Shell</Label>
-												<Select.Root type="single" bind:value={terminalShell}>
-													<Select.Trigger class="w-full h-8 text-xs">
-														<Shell class="w-3 h-3 mr-1.5 text-muted-foreground" />
-														<span>{shellOptions.find(o => o.value === terminalShell)?.label || 'Select'}</span>
+
+											<div class="p-3 space-y-4">
+												<!-- Exec -->
+												{#if $canAccess('containers', 'exec')}
+												<div class="space-y-2">
+													<Label class="text-xs">Exec</Label>
+													<Select.Root type="single" bind:value={terminalShell}>
+													<Select.Trigger class="w-full h-7 text-xs">
+														<Shell class="w-3 h-3 mr-1 text-muted-foreground" />
+														<span>{shellOptions.find((o) => o.value === terminalShell)?.label || 'Shell'}</span>
 													</Select.Trigger>
 													<Select.Content>
 														{#each shellOptions as option}
-															<Select.Item value={option.value} label={option.label}>
-																<Shell class="w-3 h-3 mr-1.5 text-muted-foreground" />
-																{option.label}
-															</Select.Item>
+														<Select.Item value={option.value} label={option.label}>
+															<Shell class="w-3 h-3 mr-1 text-muted-foreground" /> {option.label}
+														</Select.Item>
 														{/each}
 													</Select.Content>
-												</Select.Root>
-											</div>
-											<div class="space-y-1.5">
-												<Label class="text-xs">User</Label>
-												<Select.Root type="single" bind:value={terminalUser}>
-													<Select.Trigger class="w-full h-8 text-xs">
-														<User class="w-3 h-3 mr-1.5 text-muted-foreground" />
-														<span>{userOptions.find(o => o.value === terminalUser)?.label || 'Select'}</span>
+													</Select.Root>
+
+													<Select.Root type="single" bind:value={terminalUser}>
+													<Select.Trigger class="w-full h-7 text-xs">
+														<User class="w-3 h-3 mr-1 text-muted-foreground" />
+														<span>{userOptions.find((o) => o.value === terminalUser)?.label || 'User'}</span>
 													</Select.Trigger>
 													<Select.Content>
 														{#each userOptions as option}
-															<Select.Item value={option.value} label={option.label}>
-																<User class="w-3 h-3 mr-1.5 text-muted-foreground" />
-																{option.label}
-															</Select.Item>
+														<Select.Item value={option.value} label={option.label}>
+															<User class="w-3 h-3 mr-1 text-muted-foreground" /> {option.label}
+														</Select.Item>
 														{/each}
 													</Select.Content>
-												</Select.Root>
+													</Select.Root>
+
+													<Button size="sm" class="w-full h-7 text-xs" onclick={() => startTerminal(container)}>
+													<Terminal class="w-3 h-3 mr-1" /> Connect
+													</Button>
+												</div>
+												{/if}
+
+												<!-- Attach -->
+												{#if container.attachable && $canAccess('containers', 'attach')}
+												<div class="space-y-2">
+													<Label class="text-xs">Attach</Label>
+													<Button size="sm" class="w-full h-7 text-xs" onclick={() => startAttach(container)}>
+													<Zap class="w-3 h-3 mr-1" /> Connect
+													</Button>
+												</div>
+												{/if}
 											</div>
-											<Button size="sm" class="w-full h-7 text-xs" onclick={() => startTerminal(container)}>
-												<Terminal class="w-3 h-3 mr-1" />
-												Connect
-											</Button>
-										</div>
-									</Popover.Content>
-								</Popover.Root>
-							{/if}
+										</Popover.Content>
+									</Popover.Root>
+								{/if}
 							{/if}
 							{#if $canAccess('containers', 'remove')}
 							<ConfirmPopover
@@ -1981,9 +2044,9 @@
 							{/if}
 							{#if operationError?.id === container.id}
 								<div class="absolute bottom-full right-0 mb-1 z-50 bg-destructive text-destructive-foreground rounded-md shadow-lg p-2 text-xs whitespace-nowrap flex items-center gap-2 max-w-xs">
-									<AlertTriangle class="w-3 h-3 flex-shrink-0" />
+									   <AlertTriangle class="w-3 h-3 shrink-0" />
 									<span class="truncate">{operationError.message}</span>
-									<button onclick={() => operationError = null} class="flex-shrink-0 hover:bg-white/20 rounded p-0.5">
+									   <button onclick={() => operationError = null} class="shrink-0 hover:bg-white/20 rounded p-0.5">
 										<X class="w-3 h-3" />
 									</button>
 								</div>
@@ -1994,7 +2057,7 @@
 			</DataGrid>
 
 			<!-- Panels section - in vertical mode this is a column on the right with resize handle -->
-			{#if layoutMode === 'vertical' && (currentLogsContainerId || currentTerminalContainerId)}
+			{#if layoutMode === 'vertical' && (activeLogs.length > 0 || activeTerminals.length > 0 || activeAttach.length > 0)}
 				<!-- Vertical resize handle -->
 				<div
 					role="separator"
@@ -2006,76 +2069,89 @@
 				</div>
 
 				<div class="flex flex-col gap-3 h-full overflow-hidden" style="width: {panelWidth}px; flex-shrink: 0;">
-					<!-- Current Logs Panel -->
-					{#if currentLogsContainerId}
-						{@const activeLog = activeLogs.find(l => l.containerId === currentLogsContainerId)}
-						{#if activeLog}
-							<div class="flex-1 min-h-0">
-								<LogsPanel
-									containerId={activeLog.containerId}
-									containerName={activeLog.containerName}
-									visible={true}
-									envId={envId}
-									fillHeight={true}
-									onClose={() => closeLogs(activeLog.containerId)}
-								/>
-							</div>
-						{/if}
-					{/if}
-
-					<!-- Current Terminal Panel -->
-					{#if currentTerminalContainerId}
-						{@const activeTerminal = activeTerminals.find(t => t.containerId === currentTerminalContainerId)}
-						{#if activeTerminal}
-							<div class="flex-1 min-h-0">
-								<TerminalPanel
-									containerId={activeTerminal.containerId}
-									containerName={activeTerminal.containerName}
-									shell={activeTerminal.shell}
-									user={activeTerminal.user}
-									visible={true}
-									envId={envId}
-									fillHeight={true}
-									onClose={() => closeTerminal(activeTerminal.containerId)}
-								/>
-							</div>
-						{/if}
-					{/if}
+					<!-- All Logs Panels -->
+					{#each activeLogs as activeLog (activeLog.containerId)}
+						<div class="flex-1 min-h-0">
+							<LogsPanel
+								containerId={activeLog.containerId}
+								containerName={activeLog.containerName}
+								visible={true}
+								envId={envId}
+								fillHeight={true}
+								onClose={() => closeLogs(activeLog.containerId)}
+							/>
+						</div>
+					{/each}
+
+					<!-- All Terminal Panels -->
+					{#each activeTerminals as activeTerminal (activeTerminal.containerId)}
+						<div class="flex-1 min-h-0">
+							<TerminalPanel
+								containerId={activeTerminal.containerId}
+								containerName={activeTerminal.containerName}
+								shell={activeTerminal.shell}
+								user={activeTerminal.user}
+								visible={true}
+								envId={envId}
+								fillHeight={true}
+								onClose={() => closeTerminal(activeTerminal.containerId)}
+							/>
+						</div>
+					{/each}
+
+					<!-- All Attach Panels -->
+					{#each activeAttach as activeAtt (activeAtt.containerId)}
+						<div class="flex-1 min-h-0">
+							<AttachPanel
+								containerId={activeAtt.containerId}
+								containerName={activeAtt.containerName}
+								visible={true}
+								{envId}
+								fillHeight={true}
+								onClose={() => closeAttach(activeAtt.containerId)}
+							/>
+						</div>
+					{/each}
 				</div>
 			{/if}
 		</div>
 
 		<!-- Panels for horizontal mode - below the table, full width -->
-		{#if layoutMode === 'horizontal'}
-			<!-- Show current logs panel -->
-			{#if currentLogsContainerId}
-				{@const activeLog = activeLogs.find(l => l.containerId === currentLogsContainerId)}
-				{#if activeLog}
-					<LogsPanel
-						containerId={activeLog.containerId}
-						containerName={activeLog.containerName}
-						visible={true}
-						envId={envId}
-						onClose={() => closeLogs(activeLog.containerId)}
-					/>
-				{/if}
-			{/if}
-
-			<!-- Show current terminal panel -->
-			{#if currentTerminalContainerId}
-				{@const activeTerminal = activeTerminals.find(t => t.containerId === currentTerminalContainerId)}
-				{#if activeTerminal}
-					<TerminalPanel
-						containerId={activeTerminal.containerId}
-						containerName={activeTerminal.containerName}
-						shell={activeTerminal.shell}
-						user={activeTerminal.user}
-						visible={true}
-						envId={envId}
-						onClose={() => closeTerminal(activeTerminal.containerId)}
-					/>
-				{/if}
-			{/if}
+		{#if layoutMode === 'horizontal' && (activeLogs.length > 0 || activeTerminals.length > 0 || activeAttach.length > 0)}
+			<!-- All Logs Panels -->
+			{#each activeLogs as activeLog (activeLog.containerId)}
+				<LogsPanel
+					containerId={activeLog.containerId}
+					containerName={activeLog.containerName}
+					visible={true}
+					envId={envId}
+					onClose={() => closeLogs(activeLog.containerId)}
+				/>
+			{/each}
+
+			<!-- All Terminal Panels -->
+			{#each activeTerminals as activeTerminal (activeTerminal.containerId)}
+				<TerminalPanel
+					containerId={activeTerminal.containerId}
+					containerName={activeTerminal.containerName}
+					shell={activeTerminal.shell}
+					user={activeTerminal.user}
+					visible={true}
+					envId={envId}
+					onClose={() => closeTerminal(activeTerminal.containerId)}
+				/>
+			{/each}
+
+			<!-- All Attach Panels -->
+			{#each activeAttach as activeAtt (activeAtt.containerId)}
+				<AttachPanel
+					containerId={activeAtt.containerId}
+					containerName={activeAtt.containerName}
+					visible={true}
+					{envId}
+					onClose={() => closeAttach(activeAtt.containerId)}
+				/>
+			{/each}
 		{/if}
 	{/if}
 </div>
diff --git a/routes/containers/AutoUpdateSettings.svelte b/src/routes/containers/AutoUpdateSettings.svelte
similarity index 100%
rename from routes/containers/AutoUpdateSettings.svelte
rename to src/routes/containers/AutoUpdateSettings.svelte
diff --git a/routes/containers/BatchUpdateModal.svelte b/src/routes/containers/BatchUpdateModal.svelte
similarity index 99%
rename from routes/containers/BatchUpdateModal.svelte
rename to src/routes/containers/BatchUpdateModal.svelte
index d192303..e72fe78 100644
--- a/routes/containers/BatchUpdateModal.svelte
+++ b/src/routes/containers/BatchUpdateModal.svelte
@@ -543,7 +543,7 @@
 							<!-- Pull and Scan logs (collapsible) -->
 							{#if item.showLogs && hasLogs}
 								<div
-									class="bg-muted/50 px-3 py-2 font-mono text-xs max-h-40 overflow-auto border-t overflow-x-hidden"
+									class="bg-muted/50 px-3 py-2 font-mono text-xs border-t overflow-x-hidden"
 								>
 									{#each item.pullLogs as log}
 										<div class="text-muted-foreground break-all">
diff --git a/routes/containers/ContainerInspectModal.svelte b/src/routes/containers/ContainerInspectModal.svelte
similarity index 91%
rename from routes/containers/ContainerInspectModal.svelte
rename to src/routes/containers/ContainerInspectModal.svelte
index 8d97585..e30c461 100644
--- a/routes/containers/ContainerInspectModal.svelte
+++ b/src/routes/containers/ContainerInspectModal.svelte
@@ -4,10 +4,10 @@
 	import * as Tabs from '$lib/components/ui/tabs';
 	import { Button } from '$lib/components/ui/button';
 	import { Badge } from '$lib/components/ui/badge';
-	import { Loader2, Box, Info, Layers, Cpu, MemoryStick, HardDrive, Network, Shield, Settings2, Code, Copy, Check, Activity, Wifi, Pencil, RefreshCw, X, FolderOpen, Moon } from 'lucide-svelte';
+	import { Loader2, Box, Info, Layers, Cpu, MemoryStick, HardDrive, Network, Shield, Settings2, Code, Copy, Check, Activity, Wifi, Pencil, RefreshCw, X, FolderOpen, Moon, Tags, ExternalLink } from 'lucide-svelte';
 	import { Input } from '$lib/components/ui/input';
 	import { Label } from '$lib/components/ui/label';
-	import { currentEnvironment, appendEnvParam } from '$lib/stores/environment';
+	import { currentEnvironment, appendEnvParam, environments } from '$lib/stores/environment';
 	import ImageLayersView from '../images/ImageLayersView.svelte';
 	import LogsPanel from '../logs/LogsPanel.svelte';
 	import FileBrowserPanel from './FileBrowserPanel.svelte';
@@ -42,6 +42,19 @@
 	let showRawJson = $state(false);
 	let jsonCopied = $state(false);
 
+	// Label copy state
+	let copiedLabel = $state<string | null>(null);
+
+	async function copyLabel(key: string, value: string) {
+		try {
+			await navigator.clipboard.writeText(`${key}=${value}`);
+			copiedLabel = key;
+			setTimeout(() => copiedLabel = null, 2000);
+		} catch (err) {
+			console.error('Failed to copy:', err);
+		}
+	}
+
 	// Processes state
 	interface ProcessesData {
 		Titles: string[];
@@ -75,6 +88,44 @@
 
 	let editInputRef: HTMLInputElement | null = null;
 
+	// Current environment details for port URL generation
+	const currentEnvDetails = $derived($environments.find(e => e.id === $currentEnvironment?.id) ?? null);
+
+	function extractHostFromUrl(urlString: string): string | null {
+		if (!urlString) return null;
+		// Handle tcp:// URLs (Docker remote)
+		const tcpMatch = urlString.match(/^tcp:\/\/([^:\/]+)/);
+		if (tcpMatch) return tcpMatch[1];
+		// Handle http:// or https:// URLs
+		const httpMatch = urlString.match(/^https?:\/\/([^:\/]+)/);
+		if (httpMatch) return httpMatch[1];
+		// Handle host:port format
+		const hostPortMatch = urlString.match(/^([^:\/]+):\d+/);
+		if (hostPortMatch) return hostPortMatch[1];
+		// Just a hostname
+		return urlString;
+	}
+
+	function getPortUrl(publicPort: number): string | null {
+		const env = currentEnvDetails;
+		if (!env) return null;
+		// Priority 1: Use publicIp if configured
+		if (env.publicIp) {
+			return `http://${env.publicIp}:${publicPort}`;
+		}
+		// Priority 2: Extract from host for direct/hawser-standard
+		const connectionType = env.connectionType || 'socket';
+		if (connectionType === 'direct' && env.host) {
+			const host = extractHostFromUrl(env.host);
+			if (host) return `http://${host}:${publicPort}`;
+		} else if (connectionType === 'hawser-standard' && env.host) {
+			const host = extractHostFromUrl(env.host);
+			if (host) return `http://${host}:${publicPort}`;
+		}
+		// No public IP available for socket or hawser-edge
+		return null;
+	}
+
 	function startEditing() {
 		editName = displayName;
 		isEditing = true;
@@ -379,7 +430,7 @@
 </script>
 
 <Dialog.Root bind:open>
-	<Dialog.Content class="max-w-6xl h-[90vh] flex flex-col">
+	<Dialog.Content class="max-w-6xl w-full h-[calc(100vh-2rem)] flex flex-col">
 		<Dialog.Header class="shrink-0">
 			<Dialog.Title class="flex items-center gap-2">
 				<Box class="w-5 h-5" />
@@ -450,7 +501,7 @@
 			</Dialog.Title>
 		</Dialog.Header>
 
-		<div class="flex-1 flex flex-col min-h-0">
+		<div class="flex-1 flex flex-col min-h-[400px]">
 			{#if loading}
 				<div class="flex items-center justify-center py-8">
 					<Loader2 class="w-6 h-6 animate-spin text-muted-foreground" />
@@ -461,7 +512,7 @@
 				</div>
 			{:else if containerData}
 				<Tabs.Root bind:value={activeTab} class="w-full h-full flex flex-col">
-					<Tabs.List class="w-full justify-start shrink-0 flex-wrap">
+					<Tabs.List class="w-full justify-start shrink-0 flex-wrap h-auto min-h-10 bg-muted rounded-lg">
 						<Tabs.Trigger value="overview" onclick={() => showLogs = false}>Overview</Tabs.Trigger>
 						<Tabs.Trigger value="logs" onclick={() => showLogs = true}>Logs</Tabs.Trigger>
 						<Tabs.Trigger value="layers" onclick={() => showLogs = false}>Layers</Tabs.Trigger>
@@ -470,6 +521,7 @@
 						<Tabs.Trigger value="mounts" onclick={() => showLogs = false}>Mounts</Tabs.Trigger>
 						<Tabs.Trigger value="files" onclick={() => showLogs = false}>Files</Tabs.Trigger>
 						<Tabs.Trigger value="env" onclick={() => showLogs = false}>Environment</Tabs.Trigger>
+						<Tabs.Trigger value="labels" onclick={() => showLogs = false}>Labels</Tabs.Trigger>
 						<Tabs.Trigger value="security" onclick={() => showLogs = false}>Security</Tabs.Trigger>
 						<Tabs.Trigger value="resources" onclick={() => showLogs = false}>Resources</Tabs.Trigger>
 						<Tabs.Trigger value="health" onclick={() => showLogs = false}>Health</Tabs.Trigger>
@@ -642,23 +694,6 @@
 							</div>
 						{/if}
 
-						<!-- Labels (collapsible) -->
-						{#if containerData.Config?.Labels && Object.keys(containerData.Config.Labels).length > 0}
-							<details class="group">
-								<summary class="text-sm font-semibold cursor-pointer hover:text-primary">
-									Labels ({Object.keys(containerData.Config.Labels).length})
-								</summary>
-								<div class="space-y-1 mt-2 max-h-32 overflow-y-auto">
-									{#each Object.entries(containerData.Config.Labels) as [key, value]}
-										<div class="text-xs p-2 bg-muted rounded">
-											<code class="text-muted-foreground">{key}</code>
-											<code class="text-muted-foreground">=</code>
-											<code class="break-all">{value}</code>
-										</div>
-									{/each}
-								</div>
-							</details>
-						{/if}
 					</Tabs.Content>
 
 					<!-- Processes Tab -->
@@ -845,8 +880,22 @@
 									{#each Object.entries(containerData.NetworkSettings.Ports) as [containerPort, hostBindings]}
 										{#if hostBindings && hostBindings.length > 0}
 											{#each hostBindings as binding}
+												{@const url = getPortUrl(parseInt(binding.HostPort))}
 												<div class="flex items-center gap-2 text-xs p-2 bg-muted rounded">
-													<code>{binding.HostIp || '0.0.0.0'}:{binding.HostPort}</code>
+													{#if url}
+														<a
+															href={url}
+															target="_blank"
+															rel="noopener noreferrer"
+															class="inline-flex items-center gap-1 text-primary hover:underline"
+															title="Open {url}"
+														>
+															<code>{binding.HostIp || '0.0.0.0'}:{binding.HostPort}</code>
+															<ExternalLink class="w-3 h-3" />
+														</a>
+													{:else}
+														<code>{binding.HostIp || '0.0.0.0'}:{binding.HostPort}</code>
+													{/if}
 													<span class="text-muted-foreground">→</span>
 													<code>{containerPort}</code>
 												</div>
@@ -944,6 +993,37 @@
 						{/if}
 					</Tabs.Content>
 
+					<!-- Labels Tab -->
+					<Tabs.Content value="labels" class="space-y-4 overflow-auto">
+						{#if containerData.Config?.Labels && Object.keys(containerData.Config.Labels).length > 0}
+							<div class="space-y-1">
+								{#each Object.entries(containerData.Config.Labels).sort((a, b) => a[0].localeCompare(b[0])) as [key, value]}
+									<div class="text-xs p-2 bg-muted rounded flex items-start gap-2 group">
+										<div class="flex-1 min-w-0">
+											<code class="text-muted-foreground font-medium">{key}</code>
+											<code class="text-muted-foreground">=</code>
+											<code class="break-all">{value}</code>
+										</div>
+										<button
+											type="button"
+											onclick={() => copyLabel(key, value)}
+											class="shrink-0 p-1 rounded hover:bg-background/50 transition-colors opacity-0 group-hover:opacity-100 {copiedLabel === key ? '!opacity-100' : ''}"
+											title={copiedLabel === key ? 'Copied!' : 'Copy label'}
+										>
+											{#if copiedLabel === key}
+												<Check class="w-3 h-3 text-green-500" />
+											{:else}
+												<Copy class="w-3 h-3 text-muted-foreground" />
+											{/if}
+										</button>
+									</div>
+								{/each}
+							</div>
+						{:else}
+							<p class="text-sm text-muted-foreground">No labels</p>
+						{/if}
+					</Tabs.Content>
+
 					<!-- Security Tab -->
 					<Tabs.Content value="security" class="space-y-4 overflow-auto">
 						<!-- Privileged & User -->
@@ -1187,7 +1267,7 @@
 
 <!-- Raw JSON Modal -->
 <Dialog.Root bind:open={showRawJson}>
-	<Dialog.Content class="max-w-4xl h-[80vh] flex flex-col">
+	<Dialog.Content class="max-w-4xl max-h-[90vh] sm:max-h-[80vh] flex flex-col">
 		<Dialog.Header class="shrink-0">
 			<Dialog.Title class="flex items-center gap-2">
 				<Code class="w-5 h-5" />
diff --git a/src/routes/containers/ContainerSettingsTab.svelte b/src/routes/containers/ContainerSettingsTab.svelte
new file mode 100644
index 0000000..90ba559
--- /dev/null
+++ b/src/routes/containers/ContainerSettingsTab.svelte
@@ -0,0 +1,1268 @@
+<script lang="ts">
+	import * as Select from '$lib/components/ui/select';
+	import { Label } from '$lib/components/ui/label';
+	import { Input } from '$lib/components/ui/input';
+	import { Button } from '$lib/components/ui/button';
+	import { Checkbox } from '$lib/components/ui/checkbox';
+	import { TogglePill, ToggleGroup } from '$lib/components/ui/toggle-pill';
+	import { Plus, Trash2, Settings2, RefreshCw, Network, X, Ban, RotateCw, AlertTriangle, PauseCircle, Share2, Server, CircleOff, ChevronDown, ChevronRight, Cpu, Shield, HeartPulse, Wifi, HardDrive, Lock, Loader2, CheckCircle2, Package } from 'lucide-svelte';
+	import { Badge } from '$lib/components/ui/badge';
+	import AutoUpdateSettings from './AutoUpdateSettings.svelte';
+	import type { VulnerabilityCriteria } from '$lib/components/VulnerabilityCriteriaSelector.svelte';
+
+	// Protocol options for ports
+	const protocolOptions = [
+		{ value: 'tcp', label: 'TCP' },
+		{ value: 'udp', label: 'UDP' }
+	];
+
+	// Mode options for volumes
+	const volumeModeOptions = [
+		{ value: 'rw', label: 'RW' },
+		{ value: 'ro', label: 'RO' }
+	];
+
+	const commonCapabilities = [
+		'SYS_ADMIN', 'SYS_PTRACE', 'NET_ADMIN', 'NET_RAW', 'IPC_LOCK',
+		'SYS_TIME', 'SYS_RESOURCE', 'MKNOD', 'AUDIT_WRITE', 'SETFCAP',
+		'CHOWN', 'DAC_OVERRIDE', 'FOWNER', 'FSETID', 'KILL', 'SETGID',
+		'SETUID', 'SETPCAP', 'NET_BIND_SERVICE', 'SYS_CHROOT', 'AUDIT_CONTROL'
+	];
+
+	const commonUlimits = ['nofile', 'nproc', 'core', 'memlock', 'stack', 'cpu', 'fsize', 'locks'];
+
+	interface ConfigSet {
+		id: number;
+		name: string;
+		description?: string;
+		envVars?: { key: string; value: string }[];
+		labels?: { key: string; value: string }[];
+		ports?: { hostPort: string; containerPort: string; protocol: string }[];
+		volumes?: { hostPath: string; containerPath: string; mode: string }[];
+		networkMode: string;
+		restartPolicy: string;
+	}
+
+	interface DockerNetwork {
+		id: string;
+		name: string;
+		driver: string;
+	}
+
+	interface Props {
+		mode: 'create' | 'edit';
+		// Basic settings
+		name: string;
+		image: string;
+		command: string;
+		restartPolicy: string;
+		restartMaxRetries: number | '';
+		networkMode: string;
+		startAfterCreate?: boolean;
+		// Port mappings
+		portMappings: { hostPort: string; containerPort: string; protocol: string }[];
+		// Volume mappings
+		volumeMappings: { hostPath: string; containerPath: string; mode: string }[];
+		// Environment variables
+		envVars: { key: string; value: string }[];
+		// Labels
+		labels: { key: string; value: string }[];
+		// Networks
+		availableNetworks: DockerNetwork[];
+		selectedNetworks: string[];
+		// User/Group
+		containerUser: string;
+		// Privileged mode
+		privilegedMode: boolean;
+		// Healthcheck settings
+		healthcheckEnabled: boolean;
+		healthcheckCommand: string;
+		healthcheckInterval: number;
+		healthcheckTimeout: number;
+		healthcheckRetries: number;
+		healthcheckStartPeriod: number;
+		// Resource limits
+		memoryLimit: string;
+		memoryReservation: string;
+		cpuShares: string;
+		nanoCpus: string;
+		cpuQuota: string;
+		cpuPeriod: string;
+		// Capabilities
+		capAdd: string[];
+		capDrop: string[];
+		// Security options
+		securityOptions: string[];
+		// Devices
+		deviceMappings: { hostPath: string; containerPath: string; permissions: string }[];
+		// DNS settings
+		dnsServers: string[];
+		dnsSearch: string[];
+		dnsOptions: string[];
+		// Ulimits
+		ulimits: { name: string; soft: string; hard: string }[];
+		// Auto-update
+		autoUpdateEnabled: boolean;
+		autoUpdateCronExpression: string;
+		vulnerabilityCriteria: VulnerabilityCriteria;
+		// Config sets
+		configSets: ConfigSet[];
+		selectedConfigSetId: string;
+		// Errors
+		errors: { name?: string; image?: string };
+		// Create mode specific
+		imageSummary?: {
+			isPulling: boolean;
+			isScanning: boolean;
+			imageReady: boolean;
+			scanResults?: { summary: { critical: number; high: number } }[];
+			totalVulnerabilities?: number;
+			hasCriticalOrHigh?: boolean;
+		};
+	}
+
+	let {
+		mode,
+		name = $bindable(),
+		image = $bindable(),
+		command = $bindable(),
+		restartPolicy = $bindable(),
+		restartMaxRetries = $bindable(),
+		networkMode = $bindable(),
+		startAfterCreate = $bindable(true),
+		portMappings = $bindable(),
+		volumeMappings = $bindable(),
+		envVars = $bindable(),
+		labels = $bindable(),
+		availableNetworks,
+		selectedNetworks = $bindable(),
+		containerUser = $bindable(),
+		privilegedMode = $bindable(),
+		healthcheckEnabled = $bindable(),
+		healthcheckCommand = $bindable(),
+		healthcheckInterval = $bindable(),
+		healthcheckTimeout = $bindable(),
+		healthcheckRetries = $bindable(),
+		healthcheckStartPeriod = $bindable(),
+		memoryLimit = $bindable(),
+		memoryReservation = $bindable(),
+		cpuShares = $bindable(),
+		nanoCpus = $bindable(),
+		cpuQuota = $bindable(),
+		cpuPeriod = $bindable(),
+		capAdd = $bindable(),
+		capDrop = $bindable(),
+		securityOptions = $bindable(),
+		deviceMappings = $bindable(),
+		dnsServers = $bindable(),
+		dnsSearch = $bindable(),
+		dnsOptions = $bindable(),
+		ulimits = $bindable(),
+		autoUpdateEnabled = $bindable(),
+		autoUpdateCronExpression = $bindable(),
+		vulnerabilityCriteria = $bindable(),
+		configSets,
+		selectedConfigSetId = $bindable(),
+		errors = $bindable(),
+		imageSummary
+	}: Props = $props();
+
+	// Collapsible sections state
+	let showResources = $state(false);
+	let showSecurity = $state(false);
+	let showHealth = $state(false);
+	let showDns = $state(false);
+	let showDevices = $state(false);
+	let showUlimits = $state(false);
+
+	// DNS input fields
+	let dnsInput = $state('');
+	let dnsSearchInput = $state('');
+	let dnsOptionInput = $state('');
+
+	// Security options input
+	let securityOptionInput = $state('');
+
+	// Helper functions for form
+	function addPortMapping() {
+		portMappings = [...portMappings, { hostPort: '', containerPort: '', protocol: 'tcp' }];
+	}
+
+	function removePortMapping(index: number) {
+		portMappings = portMappings.filter((_, i) => i !== index);
+	}
+
+	function addVolumeMapping() {
+		volumeMappings = [...volumeMappings, { hostPath: '', containerPath: '', mode: 'rw' }];
+	}
+
+	function removeVolumeMapping(index: number) {
+		volumeMappings = volumeMappings.filter((_, i) => i !== index);
+	}
+
+	function addEnvVar() {
+		envVars = [...envVars, { key: '', value: '' }];
+	}
+
+	function removeEnvVar(index: number) {
+		envVars = envVars.filter((_, i) => i !== index);
+	}
+
+	function addLabel() {
+		labels = [...labels, { key: '', value: '' }];
+	}
+
+	function removeLabel(index: number) {
+		labels = labels.filter((_, i) => i !== index);
+	}
+
+	function addNetwork(networkId: string) {
+		if (networkId && !selectedNetworks.includes(networkId)) {
+			selectedNetworks = [...selectedNetworks, networkId];
+		}
+	}
+
+	function removeNetwork(networkId: string) {
+		selectedNetworks = selectedNetworks.filter((n) => n !== networkId);
+	}
+
+	function addDeviceMapping() {
+		deviceMappings = [...deviceMappings, { hostPath: '', containerPath: '', permissions: 'rwm' }];
+	}
+
+	function removeDeviceMapping(index: number) {
+		deviceMappings = deviceMappings.filter((_, i) => i !== index);
+	}
+
+	function addUlimit() {
+		ulimits = [...ulimits, { name: 'nofile', soft: '', hard: '' }];
+	}
+
+	function removeUlimit(index: number) {
+		ulimits = ulimits.filter((_, i) => i !== index);
+	}
+
+	function addCapability(type: 'add' | 'drop', cap: string) {
+		if (!cap) return;
+		const capUpper = cap.toUpperCase();
+		if (type === 'add') {
+			if (!capAdd.includes(capUpper)) {
+				capAdd = [...capAdd, capUpper];
+			}
+		} else {
+			if (!capDrop.includes(capUpper)) {
+				capDrop = [...capDrop, capUpper];
+			}
+		}
+	}
+
+	function removeCapability(type: 'add' | 'drop', cap: string) {
+		if (type === 'add') {
+			capAdd = capAdd.filter(c => c !== cap);
+		} else {
+			capDrop = capDrop.filter(c => c !== cap);
+		}
+	}
+
+	function addSecurityOption() {
+		if (securityOptionInput.trim() && !securityOptions.includes(securityOptionInput.trim())) {
+			securityOptions = [...securityOptions, securityOptionInput.trim()];
+			securityOptionInput = '';
+		}
+	}
+
+	function removeSecurityOption(option: string) {
+		securityOptions = securityOptions.filter(o => o !== option);
+	}
+
+	function addDnsServer() {
+		if (dnsInput.trim() && !dnsServers.includes(dnsInput.trim())) {
+			dnsServers = [...dnsServers, dnsInput.trim()];
+			dnsInput = '';
+		}
+	}
+
+	function removeDnsServer(server: string) {
+		dnsServers = dnsServers.filter(s => s !== server);
+	}
+
+	function addDnsSearch() {
+		if (dnsSearchInput.trim() && !dnsSearch.includes(dnsSearchInput.trim())) {
+			dnsSearch = [...dnsSearch, dnsSearchInput.trim()];
+			dnsSearchInput = '';
+		}
+	}
+
+	function removeDnsSearch(domain: string) {
+		dnsSearch = dnsSearch.filter(d => d !== domain);
+	}
+
+	function addDnsOption() {
+		if (dnsOptionInput.trim() && !dnsOptions.includes(dnsOptionInput.trim())) {
+			dnsOptions = [...dnsOptions, dnsOptionInput.trim()];
+			dnsOptionInput = '';
+		}
+	}
+
+	function removeDnsOption(option: string) {
+		dnsOptions = dnsOptions.filter(o => o !== option);
+	}
+
+	function applyConfigSet(configSetId: string) {
+		selectedConfigSetId = configSetId;
+		if (!configSetId) return;
+
+		const configSet = configSets.find((c) => c.id === parseInt(configSetId));
+		if (!configSet) return;
+
+		if (configSet.envVars && configSet.envVars.length > 0) {
+			if (mode === 'edit') {
+				// Merge mode for edit
+				const existingKeys = new Set(envVars.map(e => e.key).filter(k => k));
+				const newEnvVars = configSet.envVars.filter(e => !existingKeys.has(e.key));
+				envVars = [...envVars.filter(e => e.key), ...newEnvVars.map(e => ({ ...e }))];
+				if (envVars.length === 0) envVars = [{ key: '', value: '' }];
+			} else {
+				envVars = configSet.envVars.map((e) => ({ ...e }));
+			}
+		}
+		if (configSet.labels && configSet.labels.length > 0) {
+			if (mode === 'edit') {
+				const existingKeys = new Set(labels.map(l => l.key).filter(k => k));
+				const newLabels = configSet.labels.filter(l => !existingKeys.has(l.key));
+				labels = [...labels.filter(l => l.key), ...newLabels.map(l => ({ ...l }))];
+				if (labels.length === 0) labels = [{ key: '', value: '' }];
+			} else {
+				labels = configSet.labels.map((l) => ({ ...l }));
+			}
+		}
+		if (configSet.ports && configSet.ports.length > 0) {
+			if (mode === 'edit') {
+				const existingPorts = new Set(portMappings.map(p => `${p.hostPort}:${p.containerPort}`).filter(p => p !== ':'));
+				const newPorts = configSet.ports.filter(p => !existingPorts.has(`${p.hostPort}:${p.containerPort}`));
+				portMappings = [...portMappings.filter(p => p.hostPort || p.containerPort), ...newPorts.map(p => ({ ...p }))];
+				if (portMappings.length === 0) portMappings = [{ hostPort: '', containerPort: '', protocol: 'tcp' }];
+			} else {
+				portMappings = configSet.ports.map((p) => ({ ...p }));
+			}
+		}
+		if (configSet.volumes && configSet.volumes.length > 0) {
+			if (mode === 'edit') {
+				const existingPaths = new Set(volumeMappings.map(v => v.containerPath).filter(p => p));
+				const newVolumes = configSet.volumes.filter(v => !existingPaths.has(v.containerPath));
+				volumeMappings = [...volumeMappings.filter(v => v.hostPath || v.containerPath), ...newVolumes.map(v => ({ ...v }))];
+				if (volumeMappings.length === 0) volumeMappings = [{ hostPath: '', containerPath: '', mode: 'rw' }];
+			} else {
+				volumeMappings = configSet.volumes.map((v) => ({ ...v }));
+			}
+		}
+		if (configSet.networkMode) {
+			networkMode = configSet.networkMode;
+		}
+		if (configSet.restartPolicy) {
+			restartPolicy = configSet.restartPolicy;
+		}
+	}
+
+	function getDriverBadgeClasses(driver: string): string {
+		const base = 'text-2xs px-1.5 py-0.5 rounded font-medium';
+		switch (driver.toLowerCase()) {
+			case 'bridge': return `${base} bg-emerald-100 text-emerald-700 dark:bg-emerald-900/50 dark:text-emerald-300`;
+			case 'host': return `${base} bg-sky-100 text-sky-700 dark:bg-sky-900/50 dark:text-sky-300`;
+			case 'null': case 'none': return `${base} bg-slate-100 text-slate-600 dark:bg-slate-800 dark:text-slate-400`;
+			case 'overlay': return `${base} bg-violet-100 text-violet-700 dark:bg-violet-900/50 dark:text-violet-300`;
+			case 'macvlan': return `${base} bg-amber-100 text-amber-700 dark:bg-amber-900/50 dark:text-amber-300`;
+			default: return `${base} bg-slate-100 text-slate-600 dark:bg-slate-800 dark:text-slate-400`;
+		}
+	}
+</script>
+
+<div class="space-y-5">
+	<!-- Image Summary (create mode only) -->
+	{#if mode === 'create' && imageSummary}
+		<div class="p-3 rounded-lg bg-muted/50 border">
+			<div class="flex items-center gap-3">
+				<Package class="w-5 h-5 text-muted-foreground" />
+				<div>
+					<p class="text-sm font-medium">Image: <code class="bg-muted px-1.5 py-0.5 rounded">{image || 'Not set'}</code></p>
+					{#if imageSummary.isPulling || imageSummary.isScanning}
+						<p class="text-xs text-blue-600 flex items-center gap-1 mt-0.5">
+							<Loader2 class="w-3 h-3 animate-spin" />
+							{imageSummary.isScanning ? 'Scanning...' : 'Pulling...'}
+						</p>
+					{:else if imageSummary.imageReady}
+						<p class="text-xs text-muted-foreground flex items-center gap-1 mt-0.5">
+							<CheckCircle2 class="w-3 h-3" />
+							Image pulled and ready
+							{#if imageSummary.scanResults && imageSummary.scanResults.length > 0}
+								• <span class="{imageSummary.hasCriticalOrHigh ? 'text-red-600' : (imageSummary.totalVulnerabilities ?? 0) > 0 ? 'text-amber-600' : 'text-green-600'}">{imageSummary.totalVulnerabilities ?? 0} vulnerabilities</span>
+							{/if}
+						</p>
+					{:else if !image}
+						<p class="text-xs text-amber-600 flex items-center gap-1 mt-0.5">
+							<AlertTriangle class="w-3 h-3" />
+							Go to "Pull" tab to set the image
+						</p>
+					{/if}
+				</div>
+			</div>
+		</div>
+	{/if}
+
+	<!-- Config Set Selector -->
+	{#if configSets.length > 0}
+		<div class="space-y-2">
+			<div class="flex items-center gap-2 pb-2 border-b">
+				<Settings2 class="w-4 h-4 text-muted-foreground" />
+				<h3 class="text-sm font-semibold text-foreground">{mode === 'edit' ? 'Apply config set' : 'Config set'}</h3>
+			</div>
+			<div class="flex gap-2 items-end">
+				<div class="flex-1">
+					<Select.Root type="single" value={selectedConfigSetId} onValueChange={applyConfigSet}>
+						<Select.Trigger class="w-full h-9">
+							<span>{selectedConfigSetId ? configSets.find(c => c.id === parseInt(selectedConfigSetId))?.name : (mode === 'edit' ? 'Select a config set to merge values...' : 'Select a config set to pre-fill values...')}</span>
+						</Select.Trigger>
+						<Select.Content>
+							{#each configSets as configSet}
+								<Select.Item value={String(configSet.id)} label={configSet.name}>
+									<div class="flex flex-col">
+										<span>{configSet.name}</span>
+										{#if configSet.description}
+											<span class="text-xs text-muted-foreground">{configSet.description}</span>
+										{/if}
+									</div>
+								</Select.Item>
+							{/each}
+						</Select.Content>
+					</Select.Root>
+				</div>
+			</div>
+			{#if mode === 'edit'}
+				<p class="text-xs text-muted-foreground">Note: Values from the config set will be merged with existing settings. Existing keys won't be overwritten.</p>
+			{/if}
+		</div>
+	{/if}
+
+	<!-- Basic Settings -->
+	<div class="space-y-3">
+		<div class="flex items-center gap-2 pb-2 border-b">
+			<h3 class="text-sm font-semibold text-foreground">Basic settings</h3>
+		</div>
+
+		<div class="grid grid-cols-2 gap-3">
+			<div class="space-y-1.5">
+				<Label for="name" class="text-xs font-medium">Container name *</Label>
+				<Input
+					id="name"
+					bind:value={name}
+					placeholder="my-container"
+					required
+					class="h-9 {errors.name ? 'border-destructive focus-visible:ring-destructive' : ''}"
+					oninput={() => errors.name = undefined}
+				/>
+				{#if errors.name}
+					<p class="text-xs text-destructive">{errors.name}</p>
+				{/if}
+			</div>
+			{#if mode === 'edit'}
+				<div class="space-y-1.5">
+					<Label for="image" class="text-xs font-medium">Image *</Label>
+					<Input
+						id="image"
+						bind:value={image}
+						placeholder="nginx:latest"
+						required
+						class="h-9 {errors.image ? 'border-destructive focus-visible:ring-destructive' : ''}"
+						oninput={() => errors.image = undefined}
+					/>
+					{#if errors.image}
+						<p class="text-xs text-destructive">{errors.image}</p>
+					{/if}
+				</div>
+			{/if}
+		</div>
+
+		<div class="space-y-1.5">
+			<Label for="command" class="text-xs font-medium">Command (optional)</Label>
+			<Input id="command" bind:value={command} placeholder="/bin/sh -c 'echo hello'" class="h-9" />
+		</div>
+
+		<div class="grid grid-cols-2 gap-3">
+			<div class="space-y-1.5">
+				<Label class="text-xs font-medium">Restart policy</Label>
+				<Select.Root type="single" bind:value={restartPolicy}>
+					<Select.Trigger id="restartPolicy" tabindex={0} class="w-full h-9">
+						<span class="flex items-center">
+							{#if restartPolicy === 'no'}
+								<Ban class="w-3.5 h-3.5 mr-2 text-muted-foreground" />
+							{:else if restartPolicy === 'always'}
+								<RotateCw class="w-3.5 h-3.5 mr-2 text-green-500" />
+							{:else if restartPolicy === 'on-failure'}
+								<AlertTriangle class="w-3.5 h-3.5 mr-2 text-amber-500" />
+							{:else}
+								<PauseCircle class="w-3.5 h-3.5 mr-2 text-blue-500" />
+							{/if}
+							{restartPolicy === 'no' ? 'No' : restartPolicy === 'always' ? 'Always' : restartPolicy === 'on-failure' ? 'On failure' : 'Unless stopped'}
+						</span>
+					</Select.Trigger>
+					<Select.Content>
+						<Select.Item value="no">
+							{#snippet children()}
+								<Ban class="w-3.5 h-3.5 mr-2 text-muted-foreground" />
+								No
+							{/snippet}
+						</Select.Item>
+						<Select.Item value="always">
+							{#snippet children()}
+								<RotateCw class="w-3.5 h-3.5 mr-2 text-green-500" />
+								Always
+							{/snippet}
+						</Select.Item>
+						<Select.Item value="on-failure">
+							{#snippet children()}
+								<AlertTriangle class="w-3.5 h-3.5 mr-2 text-amber-500" />
+								On failure
+							{/snippet}
+						</Select.Item>
+						<Select.Item value="unless-stopped">
+							{#snippet children()}
+								<PauseCircle class="w-3.5 h-3.5 mr-2 text-blue-500" />
+								Unless stopped
+							{/snippet}
+						</Select.Item>
+					</Select.Content>
+				</Select.Root>
+				{#if restartPolicy === 'on-failure'}
+					<div class="space-y-1.5 mt-2">
+						<Label class="text-xs font-medium">Max retry count</Label>
+						<Input
+							type="number"
+							bind:value={restartMaxRetries}
+							placeholder="Unlimited"
+							min="0"
+							class="h-9"
+						/>
+						<p class="text-xs text-muted-foreground">Leave empty for unlimited retries</p>
+					</div>
+				{/if}
+			</div>
+
+			<div class="space-y-1.5">
+				<Label class="text-xs font-medium">Network mode</Label>
+				<Select.Root type="single" bind:value={networkMode}>
+					<Select.Trigger id="networkMode" tabindex={0} class="w-full h-9">
+						<span class="flex items-center">
+							{#if networkMode === 'bridge'}
+								<Share2 class="w-3.5 h-3.5 mr-2 text-emerald-500" />
+							{:else if networkMode === 'host'}
+								<Server class="w-3.5 h-3.5 mr-2 text-sky-500" />
+							{:else}
+								<CircleOff class="w-3.5 h-3.5 mr-2 text-muted-foreground" />
+							{/if}
+							{networkMode === 'bridge' ? 'Bridge' : networkMode === 'host' ? 'Host' : 'None'}
+						</span>
+					</Select.Trigger>
+					<Select.Content>
+						<Select.Item value="bridge">
+							{#snippet children()}
+								<Share2 class="w-3.5 h-3.5 mr-2 text-emerald-500" />
+								Bridge
+							{/snippet}
+						</Select.Item>
+						<Select.Item value="host">
+							{#snippet children()}
+								<Server class="w-3.5 h-3.5 mr-2 text-sky-500" />
+								Host
+							{/snippet}
+						</Select.Item>
+						<Select.Item value="none">
+							{#snippet children()}
+								<CircleOff class="w-3.5 h-3.5 mr-2 text-muted-foreground" />
+								None
+							{/snippet}
+						</Select.Item>
+					</Select.Content>
+				</Select.Root>
+			</div>
+		</div>
+
+		<div class="flex items-center gap-3 pt-1">
+			<Label class="text-xs font-normal">Start container after {mode === 'create' ? 'creation' : 'update'}</Label>
+			<TogglePill bind:checked={startAfterCreate} />
+		</div>
+	</div>
+
+	<!-- Networks -->
+	{#if availableNetworks.length > 0}
+		<div class="space-y-2">
+			<div class="flex justify-between items-center pb-2 border-b">
+				<div class="flex items-center gap-2">
+					<Network class="w-4 h-4 text-muted-foreground" />
+					<h3 class="text-sm font-semibold text-foreground">Networks</h3>
+				</div>
+			</div>
+
+			<div class="space-y-2">
+				<Select.Root type="single" value="" onValueChange={addNetwork}>
+					<Select.Trigger tabindex={0} class="w-full h-9">
+						<span class="text-muted-foreground">Select network to add...</span>
+					</Select.Trigger>
+					<Select.Content>
+						{#each availableNetworks.filter(n => !selectedNetworks.includes(n.name) && !['bridge', 'host', 'none'].includes(n.name)) as network}
+							<Select.Item value={network.name}>
+								{#snippet children()}
+									<div class="flex items-center justify-between w-full">
+										<span>{network.name}</span>
+										<span class={getDriverBadgeClasses(network.driver)}>{network.driver}</span>
+									</div>
+								{/snippet}
+							</Select.Item>
+						{/each}
+					</Select.Content>
+				</Select.Root>
+
+				{#if selectedNetworks.length > 0}
+					<div class="flex flex-wrap gap-2 pt-1">
+						{#each selectedNetworks as networkName}
+							{@const network = availableNetworks.find(n => n.name === networkName)}
+							<Badge variant="secondary" class="flex items-center gap-1.5 pr-1">
+								{networkName}
+								{#if network}
+									<span class={getDriverBadgeClasses(network.driver)}>{network.driver}</span>
+								{/if}
+								<button
+									type="button"
+									onclick={() => removeNetwork(networkName)}
+									class="ml-0.5 hover:bg-destructive/20 rounded p-0.5"
+								>
+									<X class="w-3 h-3" />
+								</button>
+							</Badge>
+						{/each}
+					</div>
+				{/if}
+				{#if mode === 'edit'}
+					<p class="text-xs text-muted-foreground">Container will be connected to selected networks in addition to the network mode above</p>
+				{/if}
+			</div>
+		</div>
+	{/if}
+
+	<!-- Port Mappings -->
+	<div class="space-y-2">
+		<div class="flex justify-between items-center pb-2 border-b">
+			<h3 class="text-sm font-semibold text-foreground">Port mappings</h3>
+			<Button type="button" size="sm" variant="ghost" onclick={addPortMapping} class="h-7 text-xs">
+				<Plus class="w-3.5 h-3.5 mr-1" />
+				Add
+			</Button>
+		</div>
+
+		<div class="space-y-2">
+			{#each portMappings as mapping, index}
+				<div class="flex gap-2 items-center">
+					<div class="flex-1 relative">
+						<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1">Host</span>
+						<Input bind:value={mapping.hostPort} type="number" class="h-9" />
+					</div>
+					<div class="flex-1 relative">
+						<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1">Container</span>
+						<Input bind:value={mapping.containerPort} type="number" class="h-9" />
+					</div>
+					<ToggleGroup
+						value={mapping.protocol}
+						options={protocolOptions}
+						onchange={(v) => { portMappings[index].protocol = v; }}
+					/>
+					<Button
+						type="button"
+						size="icon"
+						variant="ghost"
+						onclick={() => removePortMapping(index)}
+						disabled={portMappings.length === 1}
+						class="h-9 w-9 text-muted-foreground hover:text-destructive"
+					>
+						<Trash2 class="w-4 h-4" />
+					</Button>
+				</div>
+			{/each}
+		</div>
+	</div>
+
+	<!-- Volume Mappings -->
+	<div class="space-y-2">
+		<div class="flex justify-between items-center pb-2 border-b">
+			<h3 class="text-sm font-semibold text-foreground">Volume mappings</h3>
+			<Button type="button" size="sm" variant="ghost" onclick={addVolumeMapping} class="h-7 text-xs">
+				<Plus class="w-3.5 h-3.5 mr-1" />
+				Add
+			</Button>
+		</div>
+
+		<div class="space-y-2">
+			{#each volumeMappings as mapping, index}
+				<div class="flex gap-2 items-center">
+					<div class="flex-1 relative">
+						<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1">Host path</span>
+						<Input bind:value={mapping.hostPath} class="h-9" />
+					</div>
+					<div class="flex-1 relative">
+						<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1">Container path</span>
+						<Input bind:value={mapping.containerPath} class="h-9" />
+					</div>
+					<ToggleGroup
+						value={mapping.mode}
+						options={volumeModeOptions}
+						onchange={(v) => { volumeMappings[index].mode = v; }}
+					/>
+					<Button
+						type="button"
+						size="icon"
+						variant="ghost"
+						onclick={() => removeVolumeMapping(index)}
+						disabled={volumeMappings.length === 1}
+						class="h-9 w-9 text-muted-foreground hover:text-destructive"
+					>
+						<Trash2 class="w-4 h-4" />
+					</Button>
+				</div>
+			{/each}
+		</div>
+	</div>
+
+	<!-- Environment Variables -->
+	<div class="space-y-2">
+		<div class="flex justify-between items-center pb-2 border-b">
+			<h3 class="text-sm font-semibold text-foreground">Environment variables</h3>
+			<Button type="button" size="sm" variant="ghost" onclick={addEnvVar} class="h-7 text-xs">
+				<Plus class="w-3.5 h-3.5 mr-1" />
+				Add
+			</Button>
+		</div>
+
+		<div class="space-y-2">
+			{#each envVars as envVar, index}
+				<div class="flex gap-2 items-center">
+					<div class="flex-1 relative">
+						<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1">Key</span>
+						<Input bind:value={envVar.key} class="h-9" />
+					</div>
+					<div class="flex-1 relative">
+						<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1">Value</span>
+						<Input bind:value={envVar.value} class="h-9" />
+					</div>
+					<Button
+						type="button"
+						size="icon"
+						variant="ghost"
+						onclick={() => removeEnvVar(index)}
+						disabled={envVars.length === 1}
+						class="h-9 w-9 text-muted-foreground hover:text-destructive"
+					>
+						<Trash2 class="w-4 h-4" />
+					</Button>
+				</div>
+			{/each}
+		</div>
+	</div>
+
+	<!-- Labels -->
+	<div class="space-y-2">
+		<div class="flex justify-between items-center pb-2 border-b">
+			<h3 class="text-sm font-semibold text-foreground">Labels</h3>
+			<Button type="button" size="sm" variant="ghost" onclick={addLabel} class="h-7 text-xs">
+				<Plus class="w-3.5 h-3.5 mr-1" />
+				Add
+			</Button>
+		</div>
+
+		<div class="space-y-2">
+			{#each labels as label, index}
+				<div class="flex gap-2 items-center">
+					<div class="flex-1 relative">
+						<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1">Key</span>
+						<Input bind:value={label.key} class="h-9" />
+					</div>
+					<div class="flex-1 relative">
+						<span class="absolute -top-2 left-2 text-2xs text-muted-foreground bg-background px-1">Value</span>
+						<Input bind:value={label.value} class="h-9" />
+					</div>
+					<Button
+						type="button"
+						size="icon"
+						variant="ghost"
+						onclick={() => removeLabel(index)}
+						disabled={labels.length === 1}
+						class="h-9 w-9 text-muted-foreground hover:text-destructive"
+					>
+						<Trash2 class="w-4 h-4" />
+					</Button>
+				</div>
+			{/each}
+		</div>
+	</div>
+
+	<!-- Advanced Options Header -->
+	<div class="pt-2">
+		<p class="text-xs text-muted-foreground mb-3">Advanced container options (click to expand)</p>
+	</div>
+
+	<!-- Resources Section (Collapsible) -->
+	<div class="border rounded-lg">
+		<button
+			type="button"
+			onclick={() => showResources = !showResources}
+			class="w-full flex items-center justify-between p-3 hover:bg-muted/50 transition-colors"
+		>
+			<div class="flex items-center gap-2">
+				<Cpu class="w-4 h-4 text-muted-foreground" />
+				<span class="text-sm font-medium">Resources</span>
+				{#if memoryLimit || nanoCpus || cpuShares}
+					<Badge variant="secondary" class="text-2xs">configured</Badge>
+				{/if}
+			</div>
+			{#if showResources}
+				<ChevronDown class="w-4 h-4 text-muted-foreground" />
+			{:else}
+				<ChevronRight class="w-4 h-4 text-muted-foreground" />
+			{/if}
+		</button>
+		{#if showResources}
+			<div class="px-3 pb-3 space-y-3 border-t">
+				<p class="text-xs text-muted-foreground pt-2">Configure memory and CPU limits for this container</p>
+				<div class="grid grid-cols-2 gap-3">
+					<div class="space-y-1.5">
+						<Label for="memoryLimit" class="text-xs font-medium">Memory limit</Label>
+						<Input id="memoryLimit" bind:value={memoryLimit} placeholder="e.g., 512m, 1g" class="h-9" />
+					</div>
+					<div class="space-y-1.5">
+						<Label for="memoryReservation" class="text-xs font-medium">Memory reservation</Label>
+						<Input id="memoryReservation" bind:value={memoryReservation} placeholder="e.g., 256m" class="h-9" />
+					</div>
+				</div>
+				<div class="grid grid-cols-2 gap-3">
+					<div class="space-y-1.5">
+						<Label for="nanoCpus" class="text-xs font-medium">CPU limit</Label>
+						<Input id="nanoCpus" bind:value={nanoCpus} placeholder="e.g., 0.5, 1.5, 2" class="h-9" />
+					</div>
+					<div class="space-y-1.5">
+						<Label for="cpuShares" class="text-xs font-medium">CPU shares</Label>
+						<Input id="cpuShares" bind:value={cpuShares} type="number" placeholder="1024" class="h-9" />
+					</div>
+				</div>
+				<div class="grid grid-cols-2 gap-3">
+					<div class="space-y-1.5">
+						<Label for="cpuQuota" class="text-xs font-medium">CPU quota</Label>
+						<Input id="cpuQuota" bind:value={cpuQuota} type="number" placeholder="e.g., 50000" class="h-9" />
+						<p class="text-xs text-muted-foreground">Microseconds per period</p>
+					</div>
+					<div class="space-y-1.5">
+						<Label for="cpuPeriod" class="text-xs font-medium">CPU period</Label>
+						<Input id="cpuPeriod" bind:value={cpuPeriod} type="number" placeholder="Default: 100000" class="h-9" />
+						<p class="text-xs text-muted-foreground">Period in microseconds</p>
+					</div>
+				</div>
+			</div>
+		{/if}
+	</div>
+
+	<!-- Security Section (Collapsible) -->
+	<div class="border rounded-lg">
+		<button
+			type="button"
+			onclick={() => showSecurity = !showSecurity}
+			class="w-full flex items-center justify-between p-3 hover:bg-muted/50 transition-colors"
+		>
+			<div class="flex items-center gap-2">
+				<Shield class="w-4 h-4 text-muted-foreground" />
+				<span class="text-sm font-medium">Security</span>
+				{#if privilegedMode || containerUser || capAdd.length > 0 || capDrop.length > 0 || securityOptions.length > 0}
+					<Badge variant="secondary" class="text-2xs">configured</Badge>
+				{/if}
+			</div>
+			{#if showSecurity}
+				<ChevronDown class="w-4 h-4 text-muted-foreground" />
+			{:else}
+				<ChevronRight class="w-4 h-4 text-muted-foreground" />
+			{/if}
+		</button>
+		{#if showSecurity}
+			<div class="px-3 pb-3 space-y-3 border-t">
+				<div class="grid grid-cols-2 gap-3 pt-2">
+					<div class="space-y-1.5">
+						<Label for="containerUser" class="text-xs font-medium">User</Label>
+						<Input id="containerUser" bind:value={containerUser} placeholder="user:group or UID:GID" class="h-9" />
+					</div>
+					<div class="space-y-1.5 flex flex-col justify-center pt-4">
+						<div class="flex items-center space-x-2">
+							<Checkbox id="privilegedMode" bind:checked={privilegedMode} />
+							<Label for="privilegedMode" class="text-xs font-normal flex items-center gap-1">
+								<Lock class="w-3 h-3 text-amber-500" />
+								Privileged mode
+							</Label>
+						</div>
+					</div>
+				</div>
+
+				<div class="space-y-2">
+					<Label class="text-xs font-medium">Add capabilities</Label>
+					<Select.Root type="single" value="" onValueChange={(v) => { addCapability('add', v); }}>
+						<Select.Trigger class="h-9">
+							<span class="text-muted-foreground">Select capability to add...</span>
+						</Select.Trigger>
+						<Select.Content>
+							{#each commonCapabilities.filter(c => !capAdd.includes(c)) as cap}
+								<Select.Item value={cap} label={cap} />
+							{/each}
+						</Select.Content>
+					</Select.Root>
+					{#if capAdd.length > 0}
+						<div class="flex flex-wrap gap-1.5">
+							{#each capAdd as cap}
+								<Badge variant="outline" class="text-2xs bg-green-50 text-green-700 dark:bg-green-900/30 dark:text-green-400">
+									+{cap}
+									<button type="button" onclick={() => removeCapability('add', cap)} class="ml-1 hover:text-destructive">
+										<X class="w-3 h-3" />
+									</button>
+								</Badge>
+							{/each}
+						</div>
+					{/if}
+				</div>
+
+				<div class="space-y-2">
+					<Label class="text-xs font-medium">Drop capabilities</Label>
+					<Select.Root type="single" value="" onValueChange={(v) => { addCapability('drop', v); }}>
+						<Select.Trigger class="h-9">
+							<span class="text-muted-foreground">Select capability to drop...</span>
+						</Select.Trigger>
+						<Select.Content>
+							{#each commonCapabilities.filter(c => !capDrop.includes(c)) as cap}
+								<Select.Item value={cap} label={cap} />
+							{/each}
+						</Select.Content>
+					</Select.Root>
+					{#if capDrop.length > 0}
+						<div class="flex flex-wrap gap-1.5">
+							{#each capDrop as cap}
+								<Badge variant="outline" class="text-2xs bg-red-50 text-red-700 dark:bg-red-900/30 dark:text-red-400">
+									-{cap}
+									<button type="button" onclick={() => removeCapability('drop', cap)} class="ml-1 hover:text-destructive">
+										<X class="w-3 h-3" />
+									</button>
+								</Badge>
+							{/each}
+						</div>
+					{/if}
+				</div>
+
+				<div class="space-y-2 pt-2 border-t">
+					<Label class="text-xs font-medium">Security options</Label>
+					<div class="flex gap-2">
+						<Input
+							bind:value={securityOptionInput}
+							placeholder="e.g., no-new-privileges, seccomp=unconfined"
+							class="h-9 flex-1"
+							onkeydown={(e) => { if (e.key === 'Enter') { e.preventDefault(); addSecurityOption(); } }}
+						/>
+						<Button type="button" size="sm" variant="outline" onclick={addSecurityOption} class="h-9">
+							<Plus class="w-4 h-4" />
+						</Button>
+					</div>
+					{#if securityOptions.length > 0}
+						<div class="flex flex-wrap gap-1.5">
+							{#each securityOptions as option}
+								<Badge variant="secondary" class="text-2xs">
+									{option}
+									<button type="button" onclick={() => removeSecurityOption(option)} class="ml-1 hover:text-destructive">
+										<X class="w-3 h-3" />
+									</button>
+								</Badge>
+							{/each}
+						</div>
+					{/if}
+					<p class="text-xs text-muted-foreground">Common options: no-new-privileges, seccomp=unconfined, apparmor=unconfined</p>
+				</div>
+			</div>
+		{/if}
+	</div>
+
+	<!-- Health Section (Collapsible) -->
+	<div class="border rounded-lg">
+		<button
+			type="button"
+			onclick={() => showHealth = !showHealth}
+			class="w-full flex items-center justify-between p-3 hover:bg-muted/50 transition-colors"
+		>
+			<div class="flex items-center gap-2">
+				<HeartPulse class="w-4 h-4 text-muted-foreground" />
+				<span class="text-sm font-medium">Healthcheck</span>
+				{#if healthcheckEnabled}
+					<Badge variant="secondary" class="text-2xs">enabled</Badge>
+				{/if}
+			</div>
+			{#if showHealth}
+				<ChevronDown class="w-4 h-4 text-muted-foreground" />
+			{:else}
+				<ChevronRight class="w-4 h-4 text-muted-foreground" />
+			{/if}
+		</button>
+		{#if showHealth}
+			<div class="px-3 pb-3 space-y-3 border-t">
+				<div class="flex items-center space-x-2 pt-2">
+					<Checkbox id="healthcheckEnabled" bind:checked={healthcheckEnabled} />
+					<Label for="healthcheckEnabled" class="text-xs font-normal">Enable healthcheck</Label>
+				</div>
+				{#if healthcheckEnabled}
+					<div class="space-y-1.5">
+						<Label for="healthcheckCommand" class="text-xs font-medium">Command</Label>
+						<Input id="healthcheckCommand" bind:value={healthcheckCommand} placeholder="e.g., curl -f http://localhost/ || exit 1" class="h-9" />
+					</div>
+					<div class="grid grid-cols-4 gap-3">
+						<div class="space-y-1.5">
+							<Label for="healthcheckInterval" class="text-xs font-medium">Interval (s)</Label>
+							<Input id="healthcheckInterval" type="number" bind:value={healthcheckInterval} min="1" class="h-9" />
+						</div>
+						<div class="space-y-1.5">
+							<Label for="healthcheckTimeout" class="text-xs font-medium">Timeout (s)</Label>
+							<Input id="healthcheckTimeout" type="number" bind:value={healthcheckTimeout} min="1" class="h-9" />
+						</div>
+						<div class="space-y-1.5">
+							<Label for="healthcheckRetries" class="text-xs font-medium">Retries</Label>
+							<Input id="healthcheckRetries" type="number" bind:value={healthcheckRetries} min="1" class="h-9" />
+						</div>
+						<div class="space-y-1.5">
+							<Label for="healthcheckStartPeriod" class="text-xs font-medium">Start (s)</Label>
+							<Input id="healthcheckStartPeriod" type="number" bind:value={healthcheckStartPeriod} min="0" class="h-9" />
+						</div>
+					</div>
+				{/if}
+			</div>
+		{/if}
+	</div>
+
+	<!-- DNS Section (Collapsible) -->
+	<div class="border rounded-lg">
+		<button
+			type="button"
+			onclick={() => showDns = !showDns}
+			class="w-full flex items-center justify-between p-3 hover:bg-muted/50 transition-colors"
+		>
+			<div class="flex items-center gap-2">
+				<Wifi class="w-4 h-4 text-muted-foreground" />
+				<span class="text-sm font-medium">DNS settings</span>
+				{#if dnsServers.length > 0 || dnsSearch.length > 0}
+					<Badge variant="secondary" class="text-2xs">configured</Badge>
+				{/if}
+			</div>
+			{#if showDns}
+				<ChevronDown class="w-4 h-4 text-muted-foreground" />
+			{:else}
+				<ChevronRight class="w-4 h-4 text-muted-foreground" />
+			{/if}
+		</button>
+		{#if showDns}
+			<div class="px-3 pb-3 space-y-3 border-t">
+				<div class="space-y-2 pt-2">
+					<Label class="text-xs font-medium">DNS servers</Label>
+					<div class="flex gap-2">
+						<Input
+							bind:value={dnsInput}
+							placeholder="e.g., 8.8.8.8"
+							class="h-9 flex-1"
+							onkeydown={(e) => { if (e.key === 'Enter') { e.preventDefault(); addDnsServer(); } }}
+						/>
+						<Button type="button" size="sm" variant="outline" onclick={addDnsServer} class="h-9">
+							<Plus class="w-4 h-4" />
+						</Button>
+					</div>
+					{#if dnsServers.length > 0}
+						<div class="flex flex-wrap gap-1.5">
+							{#each dnsServers as server}
+								<Badge variant="secondary" class="text-2xs">
+									{server}
+									<button type="button" onclick={() => removeDnsServer(server)} class="ml-1 hover:text-destructive">
+										<X class="w-3 h-3" />
+									</button>
+								</Badge>
+							{/each}
+						</div>
+					{/if}
+				</div>
+
+				<!-- DNS Search domains -->
+				<div class="space-y-2">
+					<Label class="text-xs font-medium">DNS search domains</Label>
+					<div class="flex gap-2">
+						<Input
+							bind:value={dnsSearchInput}
+							placeholder="e.g., example.com"
+							class="h-9 flex-1"
+							onkeydown={(e) => { if (e.key === 'Enter') { e.preventDefault(); addDnsSearch(); } }}
+						/>
+						<Button type="button" size="sm" variant="outline" onclick={addDnsSearch} class="h-9">
+							<Plus class="w-4 h-4" />
+						</Button>
+					</div>
+					{#if dnsSearch.length > 0}
+						<div class="flex flex-wrap gap-1.5">
+							{#each dnsSearch as domain}
+								<Badge variant="secondary" class="text-2xs">
+									{domain}
+									<button type="button" onclick={() => removeDnsSearch(domain)} class="ml-1 hover:text-destructive">
+										<X class="w-3 h-3" />
+									</button>
+								</Badge>
+							{/each}
+						</div>
+					{/if}
+				</div>
+
+				<!-- DNS Options -->
+				<div class="space-y-2">
+					<Label class="text-xs font-medium">DNS options</Label>
+					<div class="flex gap-2">
+						<Input
+							bind:value={dnsOptionInput}
+							placeholder="e.g., ndots:5"
+							class="h-9 flex-1"
+							onkeydown={(e) => { if (e.key === 'Enter') { e.preventDefault(); addDnsOption(); } }}
+						/>
+						<Button type="button" size="sm" variant="outline" onclick={addDnsOption} class="h-9">
+							<Plus class="w-4 h-4" />
+						</Button>
+					</div>
+					{#if dnsOptions.length > 0}
+						<div class="flex flex-wrap gap-1.5">
+							{#each dnsOptions as option}
+								<Badge variant="secondary" class="text-2xs">
+									{option}
+									<button type="button" onclick={() => removeDnsOption(option)} class="ml-1 hover:text-destructive">
+										<X class="w-3 h-3" />
+									</button>
+								</Badge>
+							{/each}
+						</div>
+					{/if}
+				</div>
+			</div>
+		{/if}
+	</div>
+
+	<!-- Devices Section (Collapsible) -->
+	<div class="border rounded-lg">
+		<button
+			type="button"
+			onclick={() => showDevices = !showDevices}
+			class="w-full flex items-center justify-between p-3 hover:bg-muted/50 transition-colors"
+		>
+			<div class="flex items-center gap-2">
+				<HardDrive class="w-4 h-4 text-muted-foreground" />
+				<span class="text-sm font-medium">Devices</span>
+				{#if deviceMappings.length > 0}
+					<Badge variant="secondary" class="text-2xs">{deviceMappings.length}</Badge>
+				{/if}
+			</div>
+			{#if showDevices}
+				<ChevronDown class="w-4 h-4 text-muted-foreground" />
+			{:else}
+				<ChevronRight class="w-4 h-4 text-muted-foreground" />
+			{/if}
+		</button>
+		{#if showDevices}
+			<div class="px-3 pb-3 space-y-3 border-t">
+				<div class="flex justify-end pt-2">
+					<Button type="button" size="sm" variant="ghost" onclick={addDeviceMapping} class="h-7 text-xs">
+						<Plus class="w-3.5 h-3.5 mr-1" />
+						Add device
+					</Button>
+				</div>
+				{#each deviceMappings as mapping, index}
+					<div class="flex gap-2 items-center">
+						<Input bind:value={mapping.hostPath} placeholder="/dev/sda" class="h-9 flex-1" />
+						<Input bind:value={mapping.containerPath} placeholder="/dev/sda" class="h-9 flex-1" />
+						<Button
+							type="button"
+							size="icon"
+							variant="ghost"
+							onclick={() => removeDeviceMapping(index)}
+							class="h-9 w-9 text-muted-foreground hover:text-destructive"
+						>
+							<Trash2 class="w-4 h-4" />
+						</Button>
+					</div>
+				{/each}
+			</div>
+		{/if}
+	</div>
+
+	<!-- Ulimits Section (Collapsible) -->
+	<div class="border rounded-lg">
+		<button
+			type="button"
+			onclick={() => showUlimits = !showUlimits}
+			class="w-full flex items-center justify-between p-3 hover:bg-muted/50 transition-colors"
+		>
+			<div class="flex items-center gap-2">
+				<Settings2 class="w-4 h-4 text-muted-foreground" />
+				<span class="text-sm font-medium">Ulimits</span>
+				{#if ulimits.length > 0}
+					<Badge variant="secondary" class="text-2xs">{ulimits.length}</Badge>
+				{/if}
+			</div>
+			{#if showUlimits}
+				<ChevronDown class="w-4 h-4 text-muted-foreground" />
+			{:else}
+				<ChevronRight class="w-4 h-4 text-muted-foreground" />
+			{/if}
+		</button>
+		{#if showUlimits}
+			<div class="px-3 pb-3 space-y-3 border-t">
+				<div class="flex justify-end pt-2">
+					<Button type="button" size="sm" variant="ghost" onclick={addUlimit} class="h-7 text-xs">
+						<Plus class="w-3.5 h-3.5 mr-1" />
+						Add ulimit
+					</Button>
+				</div>
+				{#each ulimits as ulimit, index}
+					<div class="flex gap-2 items-center">
+						<Select.Root type="single" bind:value={ulimit.name}>
+							<Select.Trigger class="w-32 h-9">
+								<span>{ulimit.name}</span>
+							</Select.Trigger>
+							<Select.Content>
+								{#each commonUlimits as name}
+									<Select.Item value={name} label={name} />
+								{/each}
+							</Select.Content>
+						</Select.Root>
+						<Input bind:value={ulimit.soft} type="number" placeholder="Soft" class="h-9 flex-1" />
+						<Input bind:value={ulimit.hard} type="number" placeholder="Hard" class="h-9 flex-1" />
+						<Button
+							type="button"
+							size="icon"
+							variant="ghost"
+							onclick={() => removeUlimit(index)}
+							class="h-9 w-9 text-muted-foreground hover:text-destructive"
+						>
+							<Trash2 class="w-4 h-4" />
+						</Button>
+					</div>
+				{/each}
+			</div>
+		{/if}
+	</div>
+
+	<!-- Auto-update Settings -->
+	<div class="space-y-3">
+		<div class="flex items-center gap-2 pb-2 border-b">
+			<RefreshCw class="w-4 h-4 text-muted-foreground" />
+			<h3 class="text-sm font-semibold text-foreground">Auto-update</h3>
+		</div>
+		<AutoUpdateSettings
+			bind:enabled={autoUpdateEnabled}
+			bind:cronExpression={autoUpdateCronExpression}
+			bind:vulnerabilityCriteria={vulnerabilityCriteria}
+		/>
+	</div>
+</div>
diff --git a/routes/containers/ContainerTerminal.svelte b/src/routes/containers/ContainerTerminal.svelte
similarity index 100%
rename from routes/containers/ContainerTerminal.svelte
rename to src/routes/containers/ContainerTerminal.svelte
diff --git a/routes/containers/ContainerTile.svelte b/src/routes/containers/ContainerTile.svelte
similarity index 100%
rename from routes/containers/ContainerTile.svelte
rename to src/routes/containers/ContainerTile.svelte
diff --git a/src/routes/containers/CreateContainerModal.svelte b/src/routes/containers/CreateContainerModal.svelte
new file mode 100644
index 0000000..71893e8
--- /dev/null
+++ b/src/routes/containers/CreateContainerModal.svelte
@@ -0,0 +1,755 @@
+<script lang="ts">
+	import { tick } from 'svelte';
+	import * as Dialog from '$lib/components/ui/dialog';
+	import { Button } from '$lib/components/ui/button';
+	import { ArrowBigRight, Settings2, Shield, Loader2, Download, CheckCircle2, XCircle, ShieldCheck, ShieldAlert, ShieldX, AlertTriangle, X, Play } from 'lucide-svelte';
+	import { toast } from 'svelte-sonner';
+	import { currentEnvironment } from '$lib/stores/environment';
+	import { focusFirstInput } from '$lib/utils';
+	import PullTab from '$lib/components/PullTab.svelte';
+	import ScanTab from '$lib/components/ScanTab.svelte';
+	import type { ScanResult } from '$lib/components/ScanTab.svelte';
+	import ContainerSettingsTab from './ContainerSettingsTab.svelte';
+	import type { VulnerabilityCriteria } from '$lib/components/VulnerabilityCriteriaSelector.svelte';
+
+	// Parse shell command respecting quotes
+	function parseShellCommand(cmd: string): string[] {
+		const args: string[] = [];
+		let current = '';
+		let inQuotes = false;
+		let quoteChar = '';
+
+		for (let i = 0; i < cmd.length; i++) {
+			const char = cmd[i];
+
+			if ((char === '"' || char === "'") && !inQuotes) {
+				inQuotes = true;
+				quoteChar = char;
+			} else if (char === quoteChar && inQuotes) {
+				inQuotes = false;
+				quoteChar = '';
+			} else if (char === ' ' && !inQuotes) {
+				if (current) {
+					args.push(current);
+					current = '';
+				}
+			} else {
+				current += char;
+			}
+		}
+
+		if (current) {
+			args.push(current);
+		}
+
+		return args;
+	}
+
+	interface ConfigSet {
+		id: number;
+		name: string;
+		description?: string;
+		envVars?: { key: string; value: string }[];
+		labels?: { key: string; value: string }[];
+		ports?: { hostPort: string; containerPort: string; protocol: string }[];
+		volumes?: { hostPath: string; containerPath: string; mode: string }[];
+		networkMode: string;
+		restartPolicy: string;
+	}
+
+
+	interface Props {
+		open: boolean;
+		onClose?: () => void;
+		onSuccess?: () => void;
+		prefilledImage?: string;
+		skipPullTab?: boolean;
+		autoPull?: boolean;
+	}
+
+	let { open = $bindable(), onClose, onSuccess, prefilledImage, skipPullTab = false, autoPull = false }: Props = $props();
+
+	// Track if we've already auto-pulled for this modal session
+	let hasAutoPulled = $state(false);
+
+	// Tab state - start on settings if skipping pull tab
+	let activeTab = $state<'pull' | 'scan' | 'container'>(skipPullTab ? 'container' : 'pull');
+
+	// Config sets
+	let configSets = $state<ConfigSet[]>([]);
+	let selectedConfigSetId = $state<string>('');
+
+	// Form state
+	let name = $state('');
+	let image = $state('');
+	let command = $state('');
+	let restartPolicy = $state('no');
+	let restartMaxRetries = $state<number | ''>('');
+	let networkMode = $state('bridge');
+	let startAfterCreate = $state(true);
+
+	// Port mappings
+	let portMappings = $state<{ hostPort: string; containerPort: string; protocol: string }[]>([
+		{ hostPort: '', containerPort: '', protocol: 'tcp' }
+	]);
+
+	// Volume mappings
+	let volumeMappings = $state<{ hostPath: string; containerPath: string; mode: string }[]>([
+		{ hostPath: '', containerPath: '', mode: 'rw' }
+	]);
+
+	// Environment variables
+	let envVars = $state<{ key: string; value: string }[]>([{ key: '', value: '' }]);
+
+	// Labels
+	let labels = $state<{ key: string; value: string }[]>([{ key: '', value: '' }]);
+
+	// Networks
+	interface DockerNetwork {
+		id: string;
+		name: string;
+		driver: string;
+	}
+	let availableNetworks = $state<DockerNetwork[]>([]);
+	let selectedNetworks = $state<string[]>([]);
+
+	// Auto-update settings
+	let autoUpdateEnabled = $state(false);
+	let autoUpdateCronExpression = $state('0 3 * * *');
+	let vulnerabilityCriteria = $state<VulnerabilityCriteria>('never');
+
+
+	// User/Group
+	let containerUser = $state('');
+
+	// Privileged mode
+	let privilegedMode = $state(false);
+
+	// Healthcheck settings
+	let healthcheckEnabled = $state(false);
+	let healthcheckCommand = $state('');
+	let healthcheckInterval = $state(30);
+	let healthcheckTimeout = $state(30);
+	let healthcheckRetries = $state(3);
+	let healthcheckStartPeriod = $state(0);
+
+	// Resource limits
+	let memoryLimit = $state('');
+	let memoryReservation = $state('');
+	let cpuShares = $state('');
+	let nanoCpus = $state('');
+	let cpuQuota = $state('');
+	let cpuPeriod = $state('');
+
+	// Capabilities
+	let capAdd = $state<string[]>([]);
+	let capDrop = $state<string[]>([]);
+
+	// Devices
+	let deviceMappings = $state<{ hostPath: string; containerPath: string; permissions: string }[]>([]);
+
+	// DNS settings
+	let dnsServers = $state<string[]>([]);
+	let dnsSearch = $state<string[]>([]);
+	let dnsOptions = $state<string[]>([]);
+
+	// Security options
+	let securityOptions = $state<string[]>([]);
+
+	// Ulimits
+	let ulimits = $state<{ name: string; soft: string; hard: string }[]>([]);
+
+	let loading = $state(false);
+	let errors = $state<{ name?: string; image?: string }>({});
+
+	// Component refs
+	let pullTabRef: PullTab | undefined;
+	let scanTabRef: ScanTab | undefined;
+
+	// Pull & Scan status (tracked via component callbacks)
+	let pullStatus = $state<'idle' | 'pulling' | 'complete' | 'error'>('idle');
+	let pullStarted = $state(false);
+	let scanStatus = $state<'idle' | 'scanning' | 'complete' | 'error'>('idle');
+	let scanStarted = $state(false);
+	let scanResults = $state<ScanResult[]>([]);
+
+	// Scanner settings - scanning is enabled if a scanner is configured
+	let envHasScanning = $state(false);
+
+	// Fetch config sets and networks when modal opens
+	$effect(() => {
+		if (open) {
+			fetchConfigSets();
+			fetchNetworks();
+			fetchScannerSettings();
+		}
+	});
+
+	// Track previous open state to detect when modal opens
+	let wasOpen = $state(false);
+
+	$effect(() => {
+		if (open && !wasOpen) {
+			// Modal just opened - reset state
+			pullStatus = 'idle';
+			pullStarted = !skipPullTab;
+			scanStatus = 'idle';
+			scanStarted = false;
+			scanResults = [];
+			hasAutoPulled = false;
+			autoSwitchedToScan = false;
+			autoSwitchedToContainer = false;
+			activeTab = skipPullTab ? 'container' : 'pull';
+
+			// Reset components
+			pullTabRef?.reset();
+			scanTabRef?.reset();
+
+			// Set image from prefilledImage if provided
+			if (prefilledImage) {
+				image = prefilledImage;
+			}
+		}
+		wasOpen = open;
+	});
+
+	// Auto-pull when autoPull is true and modal opens with an image
+	$effect(() => {
+		if (autoPull && open && prefilledImage && !hasAutoPulled && pullStatus === 'idle') {
+			hasAutoPulled = true;
+			// Small delay to ensure component is mounted
+			setTimeout(() => pullTabRef?.startPull(), 100);
+		}
+	});
+
+	// Track auto-switch state to prevent re-triggering when user manually clicks tabs
+	let autoSwitchedToScan = $state(false);
+	let autoSwitchedToContainer = $state(false);
+
+	// Handle pull completion
+	function handlePullComplete() {
+		pullStatus = 'complete';
+		// Auto-start scan if enabled
+		if (envHasScanning && !autoSwitchedToScan) {
+			autoSwitchedToScan = true;
+			scanStarted = true;
+			activeTab = 'scan';
+			// Start scan with small delay for tab switch
+			setTimeout(() => scanTabRef?.startScan(), 100);
+		} else if (!envHasScanning && !autoSwitchedToContainer) {
+			// Go to container tab if no scan
+			autoSwitchedToContainer = true;
+			activeTab = 'container';
+		}
+	}
+
+	function handlePullError(error: string) {
+		pullStatus = 'error';
+	}
+
+	function handlePullStatusChange(status: 'idle' | 'pulling' | 'complete' | 'error') {
+		pullStatus = status;
+	}
+
+	function handleScanComplete(results: ScanResult[]) {
+		scanStatus = 'complete';
+		scanResults = results;
+		// Auto-switch to container tab
+		if (!autoSwitchedToContainer) {
+			autoSwitchedToContainer = true;
+			activeTab = 'container';
+		}
+	}
+
+	function handleScanError(error: string) {
+		scanStatus = 'error';
+	}
+
+	function handleScanStatusChange(status: 'idle' | 'scanning' | 'complete' | 'error') {
+		scanStatus = status;
+	}
+
+	async function fetchNetworks() {
+		try {
+			const envParam = $currentEnvironment ? `?env=${$currentEnvironment.id}` : '';
+			const response = await fetch(`/api/networks${envParam}`);
+			if (response.ok) {
+				availableNetworks = await response.json();
+			}
+		} catch (err) {
+			console.error('Failed to fetch networks:', err);
+		}
+	}
+
+	async function fetchConfigSets() {
+		try {
+			const response = await fetch('/api/config-sets');
+			if (response.ok) {
+				configSets = await response.json();
+			}
+		} catch (err) {
+			console.error('Failed to fetch config sets:', err);
+		}
+	}
+
+	async function fetchScannerSettings() {
+		try {
+			const envId = $currentEnvironment?.id;
+			const url = envId ? `/api/settings/scanner?env=${envId}&settingsOnly=true` : '/api/settings/scanner?settingsOnly=true';
+			const response = await fetch(url);
+			if (response.ok) {
+				const data = await response.json();
+				const scanner = data.settings?.scanner ?? 'none';
+				// Scanning is enabled if a scanner is configured
+				envHasScanning = scanner !== 'none';
+			}
+		} catch (err) {
+			console.error('Failed to fetch scanner settings:', err);
+		}
+	}
+
+
+	function parseMemory(value: string): number | undefined {
+		if (!value) return undefined;
+		const match = value.trim().toLowerCase().match(/^(\d+(?:\.\d+)?)\s*([kmgt]?b?)?$/);
+		if (!match) return undefined;
+		const num = parseFloat(match[1]);
+		const unit = match[2] || '';
+		switch (unit) {
+			case 'k': case 'kb': return Math.floor(num * 1024);
+			case 'm': case 'mb': return Math.floor(num * 1024 * 1024);
+			case 'g': case 'gb': return Math.floor(num * 1024 * 1024 * 1024);
+			case 't': case 'tb': return Math.floor(num * 1024 * 1024 * 1024 * 1024);
+			default: return Math.floor(num);
+		}
+	}
+
+	function parseNanoCpus(value: string): number | undefined {
+		if (!value) return undefined;
+		const num = parseFloat(value);
+		if (isNaN(num)) return undefined;
+		return Math.floor(num * 1e9);
+	}
+
+	async function handleSubmit(e: Event) {
+		e.preventDefault();
+		errors = {};
+
+		let hasErrors = false;
+		if (!name.trim()) {
+			errors.name = 'Container name is required';
+			hasErrors = true;
+		}
+
+		if (!image.trim()) {
+			errors.image = 'Image name is required';
+			hasErrors = true;
+		}
+
+		if (hasErrors) {
+			return;
+		}
+
+		loading = true;
+
+		try {
+			const ports: any = {};
+			portMappings
+				.filter((p) => p.containerPort && p.hostPort)
+				.forEach((p) => {
+					const key = `${p.containerPort}/${p.protocol}`;
+					ports[key] = { HostPort: String(p.hostPort) };
+				});
+
+			const volumeBinds = volumeMappings
+				.filter((v) => v.hostPath && v.containerPath)
+				.map((v) => `${v.hostPath}:${v.containerPath}:${v.mode}`);
+
+			const env = envVars
+				.filter((e) => e.key && e.value)
+				.map((e) => `${e.key}=${e.value}`);
+
+			const labelsObj: any = {};
+			labels
+				.filter((l) => l.key && l.value)
+				.forEach((l) => {
+					labelsObj[l.key] = l.value;
+				});
+
+			const cmd = command.trim() ? parseShellCommand(command.trim()) : undefined;
+
+			let healthcheck: any = undefined;
+			if (healthcheckEnabled && healthcheckCommand.trim()) {
+				healthcheck = {
+					test: ['CMD-SHELL', healthcheckCommand.trim()],
+					interval: healthcheckInterval * 1e9,
+					timeout: healthcheckTimeout * 1e9,
+					retries: healthcheckRetries,
+					startPeriod: healthcheckStartPeriod * 1e9
+				};
+			}
+
+			const devices = deviceMappings
+				.filter(d => d.hostPath && d.containerPath)
+				.map(d => ({
+					hostPath: d.hostPath,
+					containerPath: d.containerPath,
+					permissions: d.permissions || 'rwm'
+				}));
+
+			const ulimitsArray = ulimits
+				.filter(u => u.name && u.soft && u.hard)
+				.map(u => ({
+					name: u.name,
+					soft: parseInt(u.soft) || 0,
+					hard: parseInt(u.hard) || 0
+				}));
+
+			const payload = {
+				name: name.trim(),
+				image: image.trim(),
+				ports: Object.keys(ports).length > 0 ? ports : undefined,
+				volumeBinds: volumeBinds.length > 0 ? volumeBinds : undefined,
+				env: env.length > 0 ? env : undefined,
+				labels: Object.keys(labelsObj).length > 0 ? labelsObj : undefined,
+				cmd,
+				restartPolicy,
+				restartMaxRetries: restartPolicy === 'on-failure' && restartMaxRetries !== '' ? Number(restartMaxRetries) : undefined,
+				networkMode,
+				networks: selectedNetworks.length > 0 ? selectedNetworks : undefined,
+				startAfterCreate,
+				user: containerUser.trim() || undefined,
+				privileged: privilegedMode || undefined,
+				healthcheck,
+				memory: parseMemory(memoryLimit),
+				memoryReservation: parseMemory(memoryReservation),
+				cpuShares: cpuShares ? parseInt(cpuShares) : undefined,
+				nanoCpus: parseNanoCpus(nanoCpus),
+				cpuQuota: cpuQuota ? parseInt(cpuQuota) : undefined,
+				cpuPeriod: cpuPeriod ? parseInt(cpuPeriod) : undefined,
+				capAdd: capAdd.length > 0 ? capAdd : undefined,
+				capDrop: capDrop.length > 0 ? capDrop : undefined,
+				devices: devices.length > 0 ? devices : undefined,
+				dns: dnsServers.length > 0 ? dnsServers : undefined,
+				dnsSearch: dnsSearch.length > 0 ? dnsSearch : undefined,
+				dnsOptions: dnsOptions.length > 0 ? dnsOptions : undefined,
+				securityOpt: securityOptions.length > 0 ? securityOptions : undefined,
+				ulimits: ulimitsArray.length > 0 ? ulimitsArray : undefined
+			};
+
+			const envParam = $currentEnvironment ? `?env=${$currentEnvironment.id}` : '';
+			const response = await fetch(`/api/containers${envParam}`, {
+				method: 'POST',
+				headers: { 'Content-Type': 'application/json' },
+				body: JSON.stringify(payload)
+			});
+
+			const result = await response.json();
+
+			if (!response.ok) {
+				let errorMsg = result.error || 'Failed to create container';
+				if (result.details) {
+					errorMsg += ': ' + result.details;
+				}
+				toast.error(errorMsg);
+				return;
+			}
+
+			if (autoUpdateEnabled) {
+				try {
+					const envParam = $currentEnvironment ? `?env=${$currentEnvironment.id}` : '';
+					await fetch(`/api/auto-update/${encodeURIComponent(name.trim())}${envParam}`, {
+						method: 'POST',
+						headers: { 'Content-Type': 'application/json' },
+						body: JSON.stringify({
+							enabled: autoUpdateEnabled,
+							cronExpression: autoUpdateCronExpression,
+							vulnerabilityCriteria: vulnerabilityCriteria
+						})
+					});
+				} catch (err) {
+					console.error('Failed to save auto-update settings:', err);
+				}
+			}
+
+			if (result.imagePulled) {
+				toast.success(`Container created (image ${image.trim()} was pulled automatically)`);
+			} else {
+				toast.success('Container created successfully');
+			}
+
+			open = false;
+			resetForm();
+			onSuccess?.();
+			onClose?.();
+		} catch (err) {
+			toast.error('Failed to create container: ' + String(err));
+		} finally {
+			loading = false;
+		}
+	}
+
+	function resetForm() {
+		name = '';
+		image = '';
+		command = '';
+		restartPolicy = 'no';
+		restartMaxRetries = '';
+		networkMode = 'bridge';
+		startAfterCreate = true;
+		portMappings = [{ hostPort: '', containerPort: '', protocol: 'tcp' }];
+		volumeMappings = [{ hostPath: '', containerPath: '', mode: 'rw' }];
+		envVars = [{ key: '', value: '' }];
+		labels = [{ key: '', value: '' }];
+		selectedNetworks = [];
+		autoUpdateEnabled = false;
+		autoUpdateCronExpression = '0 3 * * *';
+		vulnerabilityCriteria = 'never';
+		errors = {};
+		selectedConfigSetId = '';
+		containerUser = '';
+		privilegedMode = false;
+		healthcheckEnabled = false;
+		healthcheckCommand = '';
+		healthcheckInterval = 30;
+		healthcheckTimeout = 30;
+		healthcheckRetries = 3;
+		healthcheckStartPeriod = 0;
+		memoryLimit = '';
+		memoryReservation = '';
+		cpuShares = '';
+		nanoCpus = '';
+		cpuQuota = '';
+		cpuPeriod = '';
+		capAdd = [];
+		capDrop = [];
+		deviceMappings = [];
+		dnsServers = [];
+		dnsSearch = [];
+		dnsOptions = [];
+		securityOptions = [];
+		ulimits = [];
+		// Reset pull/scan state
+		activeTab = skipPullTab ? 'container' : 'pull';
+		pullStatus = 'idle';
+		pullStarted = false;
+		scanStatus = 'idle';
+		scanStarted = false;
+		scanResults = [];
+		hasAutoPulled = false;
+		autoSwitchedToScan = false;
+		autoSwitchedToContainer = false;
+		// Reset components
+		pullTabRef?.reset();
+		scanTabRef?.reset();
+	}
+
+	function handleClose() {
+		open = false;
+		resetForm();
+		onClose?.();
+	}
+
+	const totalVulnerabilities = $derived(
+		scanResults.reduce((total, r) => total + r.vulnerabilities.length, 0)
+	);
+
+	const hasCriticalOrHigh = $derived(
+		scanResults.some(r => r.summary.critical > 0 || r.summary.high > 0)
+	);
+
+	const isPulling = $derived(pullStatus === 'pulling');
+	const isScanning = $derived(scanStatus === 'scanning');
+	const imageReady = $derived(pullStatus === 'complete');
+</script>
+
+<Dialog.Root bind:open onOpenChange={(isOpen) => isOpen && focusFirstInput()}>
+	<Dialog.Content class="max-w-4xl w-full max-h-[90vh] sm:max-h-[85vh] p-0 flex flex-col overflow-hidden !zoom-in-0 !zoom-out-0" showCloseButton={false}>
+		<Dialog.Header class="px-5 py-4 border-b bg-muted/30 shrink-0 sticky top-0 z-10">
+			<Dialog.Title class="text-base font-semibold">Create new container</Dialog.Title>
+			<button
+				type="button"
+				onclick={handleClose}
+				disabled={loading || isPulling || isScanning}
+				class="absolute right-4 top-4 rounded-sm opacity-70 ring-offset-background transition-opacity hover:opacity-100 focus:outline-none focus:ring-2 focus:ring-ring focus:ring-offset-2 disabled:pointer-events-none disabled:opacity-30"
+			>
+				<X class="h-4 w-4" />
+				<span class="sr-only">Close</span>
+			</button>
+		</Dialog.Header>
+
+		<!-- Tabs (hidden when skipPullTab) -->
+		{#if !skipPullTab}
+		<div class="flex items-center border-b shrink-0 px-5 bg-muted/10">
+			<!-- Pull Tab -->
+			<button
+				class="px-4 py-2.5 text-sm font-medium border-b-2 transition-colors cursor-pointer flex items-center gap-2 {activeTab === 'pull' ? 'border-primary text-foreground' : 'border-transparent text-muted-foreground hover:text-foreground'}"
+				onclick={() => activeTab = 'pull'}
+			>
+				<Download class="w-4 h-4" />
+				Pull
+				{#if pullStatus === 'complete'}
+					<CheckCircle2 class="w-3.5 h-3.5 text-green-500" />
+				{:else if pullStatus === 'pulling'}
+					<Loader2 class="w-3.5 h-3.5 animate-spin" />
+				{:else if pullStatus === 'error'}
+					<XCircle class="w-3.5 h-3.5 text-red-500" />
+				{/if}
+			</button>
+			{#if envHasScanning}
+				<ArrowBigRight class="w-3.5 h-3.5 text-muted-foreground/50 shrink-0" />
+				<!-- Scan Tab -->
+				<button
+					class="px-4 py-2.5 text-sm font-medium border-b-2 transition-colors cursor-pointer flex items-center gap-2 {activeTab === 'scan' ? 'border-primary text-foreground' : 'border-transparent text-muted-foreground hover:text-foreground'}"
+					onclick={() => activeTab = 'scan'}
+					disabled={pullStatus === 'idle' || pullStatus === 'pulling'}
+				>
+					<Shield class="w-4 h-4" />
+					Scan
+					{#if scanStatus === 'complete' && scanResults.length > 0}
+						{#if hasCriticalOrHigh}
+							<ShieldX class="w-3.5 h-3.5 text-red-500" />
+						{:else if totalVulnerabilities > 0}
+							<ShieldAlert class="w-3.5 h-3.5 text-yellow-500" />
+						{:else}
+							<ShieldCheck class="w-3.5 h-3.5 text-green-500" />
+						{/if}
+					{:else if scanStatus === 'scanning'}
+						<Loader2 class="w-3.5 h-3.5 animate-spin" />
+					{/if}
+				</button>
+			{/if}
+			<ArrowBigRight class="w-3.5 h-3.5 text-muted-foreground/50 shrink-0" />
+			<!-- Container Tab -->
+			<button
+				class="px-4 py-2.5 text-sm font-medium border-b-2 transition-colors cursor-pointer flex items-center gap-2 {activeTab === 'container' ? 'border-primary text-foreground' : 'border-transparent text-muted-foreground hover:text-foreground'}"
+				onclick={() => activeTab = 'container'}
+			>
+				<Settings2 class="w-4 h-4" />
+				Container
+			</button>
+		</div>
+		{/if}
+
+		<!-- Tab Content -->
+		<!-- Pull Tab - using PullTab component -->
+		<div class="px-5 py-4 flex-1 min-h-0 flex flex-col" class:hidden={activeTab !== 'pull'}>
+			<PullTab
+				bind:this={pullTabRef}
+				imageName={image}
+				envId={$currentEnvironment?.id}
+				showImageInput={!autoPull}
+				autoStart={pullStarted && pullStatus === 'idle' && !!prefilledImage}
+				onComplete={handlePullComplete}
+				onError={handlePullError}
+				onStatusChange={handlePullStatusChange}
+				onImageChange={(newImage) => image = newImage}
+			/>
+		</div>
+
+		<!-- Scan Tab - using ScanTab component -->
+		<div class="px-5 py-4 flex-1 min-h-0 flex flex-col" class:hidden={activeTab !== 'scan'}>
+			{#if envHasScanning}
+				<ScanTab
+					bind:this={scanTabRef}
+					imageName={image}
+					envId={$currentEnvironment?.id}
+					autoStart={scanStarted && scanStatus === 'idle'}
+					onComplete={handleScanComplete}
+					onError={handleScanError}
+					onStatusChange={handleScanStatusChange}
+				/>
+			{:else}
+				<!-- Scanning disabled -->
+				<div class="flex-1 flex items-center justify-center">
+					<div class="text-center">
+						<Shield class="w-12 h-12 text-muted-foreground/50 mx-auto mb-2" />
+						<p class="text-sm text-muted-foreground">Vulnerability scanning is disabled for this environment.</p>
+						<p class="text-xs text-muted-foreground mt-1">Enable it in Settings -> Environments to scan images.</p>
+					</div>
+				</div>
+			{/if}
+		</div>
+
+		<!-- Container Settings Tab -->
+		<div class="px-5 py-4 flex-1 overflow-y-auto" class:hidden={activeTab !== 'container'}>
+			<ContainerSettingsTab
+				mode="create"
+				bind:name
+				bind:image
+				bind:command
+				bind:restartPolicy
+				bind:restartMaxRetries
+				bind:networkMode
+				bind:startAfterCreate
+				bind:portMappings
+				bind:volumeMappings
+				bind:envVars
+				bind:labels
+				{availableNetworks}
+				bind:selectedNetworks
+				bind:containerUser
+				bind:privilegedMode
+				bind:healthcheckEnabled
+				bind:healthcheckCommand
+				bind:healthcheckInterval
+				bind:healthcheckTimeout
+				bind:healthcheckRetries
+				bind:healthcheckStartPeriod
+				bind:memoryLimit
+				bind:memoryReservation
+				bind:cpuShares
+				bind:nanoCpus
+				bind:cpuQuota
+				bind:cpuPeriod
+				bind:capAdd
+				bind:capDrop
+				bind:securityOptions
+				bind:deviceMappings
+				bind:dnsServers
+				bind:dnsSearch
+				bind:dnsOptions
+				bind:ulimits
+				bind:autoUpdateEnabled
+				bind:autoUpdateCronExpression
+				bind:vulnerabilityCriteria
+				{configSets}
+				bind:selectedConfigSetId
+				bind:errors
+				imageSummary={{
+					isPulling,
+					isScanning,
+					imageReady,
+					scanResults,
+					totalVulnerabilities,
+					hasCriticalOrHigh
+				}}
+			/>
+		</div>
+
+		<div class="flex justify-between gap-2 px-5 py-3 border-t bg-muted/30 shrink-0">
+			<div>
+				{#if activeTab === 'container' && hasCriticalOrHigh}
+					<div class="flex items-center gap-2 text-amber-600 text-xs">
+						<AlertTriangle class="w-4 h-4" />
+						<span>Critical/high vulnerabilities found in image</span>
+					</div>
+				{/if}
+			</div>
+			<div class="flex gap-2">
+				<Button type="button" variant="outline" onclick={handleClose} disabled={loading || isPulling || isScanning}>
+					Cancel
+				</Button>
+				<Button type="button" disabled={loading || isPulling || isScanning || activeTab !== 'container'} onclick={handleSubmit}>
+					{#if loading}
+						<Loader2 class="w-4 h-4 mr-2 animate-spin" />
+						Creating...
+					{:else}
+						<Play class="w-4 h-4 mr-2" />
+						Create container
+					{/if}
+				</Button>
+			</div>
+		</div>
+	</Dialog.Content>
+</Dialog.Root>
diff --git a/src/routes/containers/EditContainerModal.svelte b/src/routes/containers/EditContainerModal.svelte
new file mode 100644
index 0000000..d5a28fa
--- /dev/null
+++ b/src/routes/containers/EditContainerModal.svelte
@@ -0,0 +1,1040 @@
+<script lang="ts">
+	import * as Dialog from '$lib/components/ui/dialog';
+	import { Button } from '$lib/components/ui/button';
+	import { Pencil, Check, Loader2, X, Layers } from 'lucide-svelte';
+	import { currentEnvironment, appendEnvParam } from '$lib/stores/environment';
+	import { focusFirstInput } from '$lib/utils';
+	import ContainerSettingsTab from './ContainerSettingsTab.svelte';
+	import type { VulnerabilityCriteria } from '$lib/components/VulnerabilityCriteriaSelector.svelte';
+
+	// Parse shell command respecting quotes
+	function parseShellCommand(cmd: string): string[] {
+		const args: string[] = [];
+		let current = '';
+		let inQuotes = false;
+		let quoteChar = '';
+
+		for (let i = 0; i < cmd.length; i++) {
+			const char = cmd[i];
+
+			if ((char === '"' || char === "'") && !inQuotes) {
+				inQuotes = true;
+				quoteChar = char;
+			} else if (char === quoteChar && inQuotes) {
+				inQuotes = false;
+				quoteChar = '';
+			} else if (char === ' ' && !inQuotes) {
+				if (current) {
+					args.push(current);
+					current = '';
+				}
+			} else {
+				current += char;
+			}
+		}
+
+		if (current) {
+			args.push(current);
+		}
+
+		return args;
+	}
+
+	interface ConfigSet {
+		id: number;
+		name: string;
+		description?: string;
+		envVars?: { key: string; value: string }[];
+		labels?: { key: string; value: string }[];
+		ports?: { hostPort: string; containerPort: string; protocol: string }[];
+		volumes?: { hostPath: string; containerPath: string; mode: string }[];
+		networkMode: string;
+		restartPolicy: string;
+	}
+
+	interface Props {
+		open: boolean;
+		containerId: string;
+		onClose: () => void;
+		onSuccess: () => void;
+	}
+
+	let { open = $bindable(), containerId, onClose, onSuccess }: Props = $props();
+
+	// Config sets
+	let configSets = $state<ConfigSet[]>([]);
+	let selectedConfigSetId = $state<string>('');
+
+	// Guard to prevent reloading data while user is editing
+	let hasLoadedData = $state(false);
+
+	async function fetchConfigSets() {
+		try {
+			const response = await fetch('/api/config-sets');
+			if (response.ok) {
+				configSets = await response.json();
+			}
+		} catch (err) {
+			console.error('Failed to fetch config sets:', err);
+		}
+	}
+
+	// Form state - Basic
+	let name = $state('');
+	let image = $state('');
+	let command = $state('');
+	let restartPolicy = $state('no');
+	let restartMaxRetries = $state<number | ''>('');
+	let networkMode = $state('bridge');
+	let startAfterUpdate = $state(true);
+
+	// Port mappings
+	let portMappings = $state<{ hostPort: string; containerPort: string; protocol: string }[]>([
+		{ hostPort: '', containerPort: '', protocol: 'tcp' }
+	]);
+
+	// Volume mappings
+	let volumeMappings = $state<{ hostPath: string; containerPath: string; mode: string }[]>([
+		{ hostPath: '', containerPath: '', mode: 'rw' }
+	]);
+
+	// Environment variables
+	let envVars = $state<{ key: string; value: string }[]>([{ key: '', value: '' }]);
+
+	// Labels
+	let labels = $state<{ key: string; value: string }[]>([{ key: '', value: '' }]);
+
+	// Networks
+	interface DockerNetwork {
+		id: string;
+		name: string;
+		driver: string;
+	}
+	let availableNetworks = $state<DockerNetwork[]>([]);
+	let selectedNetworks = $state<string[]>([]);
+
+	// User/Group
+	let containerUser = $state('');
+
+	// Privileged mode
+	let privilegedMode = $state(false);
+
+	// Healthcheck settings
+	let healthcheckEnabled = $state(false);
+	let healthcheckCommand = $state('');
+	let healthcheckInterval = $state(30);
+	let healthcheckTimeout = $state(30);
+	let healthcheckRetries = $state(3);
+	let healthcheckStartPeriod = $state(0);
+
+	// Resource limits
+	let memoryLimit = $state('');
+	let memoryReservation = $state('');
+	let cpuShares = $state('');
+	let nanoCpus = $state('');
+	let cpuQuota = $state('');
+	let cpuPeriod = $state('');
+
+	// Capabilities
+	let capAdd = $state<string[]>([]);
+	let capDrop = $state<string[]>([]);
+
+	// Devices
+	let deviceMappings = $state<{ hostPath: string; containerPath: string; permissions: string }[]>([]);
+
+	// DNS settings
+	let dnsServers = $state<string[]>([]);
+	let dnsSearch = $state<string[]>([]);
+	let dnsOptions = $state<string[]>([]);
+
+	// Security options
+	let securityOptions = $state<string[]>([]);
+
+	// Ulimits
+	let ulimits = $state<{ name: string; soft: string; hard: string }[]>([]);
+
+	// Auto-update settings
+	let autoUpdateEnabled = $state(false);
+	let autoUpdateCronExpression = $state('0 3 * * *');
+	let vulnerabilityCriteria = $state<VulnerabilityCriteria>('never');
+	let currentEnvId = $state<number | null>(null);
+	currentEnvironment.subscribe(env => currentEnvId = env?.id || null);
+
+	// Track original values to detect changes
+	let originalConfig = $state<{
+		name: string;
+		image: string;
+		command: string;
+		restartPolicy: string;
+		networkMode: string;
+		portMappings: typeof portMappings;
+		volumeMappings: typeof volumeMappings;
+		envVars: typeof envVars;
+		labels: typeof labels;
+		selectedNetworks: string[];
+		// Advanced options
+		containerUser: string;
+		privilegedMode: boolean;
+		healthcheckEnabled: boolean;
+		healthcheckCommand: string;
+		healthcheckInterval: number;
+		healthcheckTimeout: number;
+		healthcheckRetries: number;
+		healthcheckStartPeriod: number;
+		memoryLimit: string;
+		memoryReservation: string;
+		cpuShares: string;
+		nanoCpus: string;
+		cpuQuota: string;
+		cpuPeriod: string;
+		capAdd: string[];
+		capDrop: string[];
+		securityOptions: string[];
+		deviceMappings: typeof deviceMappings;
+		dnsServers: string[];
+		dnsSearch: string[];
+		dnsOptions: string[];
+		ulimits: typeof ulimits;
+	} | null>(null);
+
+	// Compose container detection
+	let isComposeContainer = $state(false);
+	let composeStackName = $state('');
+
+	let originalAutoUpdate = $state<{
+		enabled: boolean;
+		cronExpression: string;
+		vulnerabilityCriteria: string;
+	} | null>(null);
+
+	let loading = $state(false);
+	let loadingData = $state(true);
+	let error = $state('');
+	let statusMessage = $state('');
+	let visible = $state(false);
+
+	// Field-specific errors for inline validation
+	let errors = $state<{ name?: string; image?: string }>({});
+
+	// Inline rename state (for title bar)
+	let isEditingTitle = $state(false);
+	let editTitleName = $state('');
+	let renamingTitle = $state(false);
+
+	async function fetchNetworks() {
+		try {
+			const envParam = currentEnvId ? `?env=${currentEnvId}` : '';
+			const response = await fetch(`/api/networks${envParam}`);
+			if (response.ok) {
+				availableNetworks = await response.json();
+			}
+		} catch (err) {
+			console.error('Failed to fetch networks:', err);
+		}
+	}
+
+	// Inline title rename functions
+	let titleInputRef: HTMLInputElement | null = null;
+
+	function startEditingTitle() {
+		editTitleName = name;
+		isEditingTitle = true;
+		setTimeout(() => {
+			titleInputRef?.focus();
+			titleInputRef?.select();
+		}, 0);
+	}
+
+	function cancelEditingTitle() {
+		isEditingTitle = false;
+		editTitleName = '';
+	}
+
+	function saveEditingTitle() {
+		if (!editTitleName.trim() || editTitleName === name) {
+			cancelEditingTitle();
+			return;
+		}
+		name = editTitleName.trim();
+		isEditingTitle = false;
+	}
+
+	async function checkScannerSettings() {
+		if (!currentEnvId) {
+			return;
+		}
+		try {
+			const response = await fetch(`/api/settings/scanner?env=${currentEnvId}&settingsOnly=true`);
+			if (response.ok) {
+				const data = await response.json();
+				const settings = data.settings || data;
+			}
+		} catch (err) {
+			console.error('Failed to check scanner settings:', err);
+		}
+	}
+
+	async function fetchAutoUpdateSettings(containerName: string) {
+		try {
+			const envParam = currentEnvId ? `?env=${currentEnvId}` : '';
+			const [autoUpdateResponse] = await Promise.all([
+				fetch(`/api/auto-update/${encodeURIComponent(containerName)}${envParam}`),
+				checkScannerSettings()
+			]);
+			if (autoUpdateResponse.ok) {
+				const data = await autoUpdateResponse.json();
+				autoUpdateEnabled = data.enabled || false;
+				autoUpdateCronExpression = data.cronExpression || '0 3 * * *';
+				vulnerabilityCriteria = data.vulnerabilityCriteria || 'never';
+				originalAutoUpdate = {
+					enabled: autoUpdateEnabled,
+					cronExpression: autoUpdateCronExpression,
+					vulnerabilityCriteria: vulnerabilityCriteria
+				};
+			}
+		} catch (err) {
+			console.error('Failed to fetch auto-update settings:', err);
+		}
+	}
+
+	async function saveAutoUpdateSettings(containerName: string) {
+		try {
+			const envParam = currentEnvId ? `?env=${currentEnvId}` : '';
+			await fetch(`/api/auto-update/${encodeURIComponent(containerName)}${envParam}`, {
+				method: 'POST',
+				headers: { 'Content-Type': 'application/json' },
+				body: JSON.stringify({
+					enabled: autoUpdateEnabled,
+					cronExpression: autoUpdateCronExpression,
+					vulnerabilityCriteria: vulnerabilityCriteria
+				})
+			});
+		} catch (err) {
+			console.error('Failed to save auto-update settings:', err);
+		}
+	}
+
+	function formatBytes(bytes: number): string {
+		if (bytes === 0) return '';
+		const k = 1024;
+		const sizes = ['B', 'KB', 'MB', 'GB', 'TB'];
+		const i = Math.floor(Math.log(bytes) / Math.log(k));
+		return parseFloat((bytes / Math.pow(k, i)).toFixed(2)) + sizes[i];
+	}
+
+	async function loadContainerData() {
+		loadingData = true;
+		try {
+			const response = await fetch(appendEnvParam(`/api/containers/${containerId}`, $currentEnvironment?.id));
+			const data = await response.json();
+
+			if (!response.ok || data.error) {
+				throw new Error(data.error || `Failed to fetch container: ${response.status}`);
+			}
+
+			// Parse basic container data
+			name = data.Name.replace(/^\//, '');
+			image = data.Config.Image;
+			command = data.Config.Cmd ? data.Config.Cmd.map((arg: string) =>
+				arg.includes(' ') ? `"${arg}"` : arg
+			).join(' ') : '';
+			restartPolicy = data.HostConfig.RestartPolicy?.Name || 'no';
+			restartMaxRetries = data.HostConfig.RestartPolicy?.MaximumRetryCount ?? '';
+
+			// Normalize network mode
+			const rawNetworkMode = data.HostConfig.NetworkMode || 'bridge';
+			if (['bridge', 'host', 'none', 'default'].includes(rawNetworkMode)) {
+				networkMode = rawNetworkMode === 'default' ? 'bridge' : rawNetworkMode;
+			} else {
+				networkMode = 'bridge';
+			}
+
+			// Parse port mappings
+			const ports = data.HostConfig.PortBindings || {};
+			portMappings = Object.keys(ports).length > 0
+				? Object.entries(ports).map(([containerPort, bindings]: [string, any]) => {
+						const [port, protocol] = containerPort.split('/');
+						return {
+							containerPort: port,
+							hostPort: bindings[0]?.HostPort || '',
+							protocol: protocol || 'tcp'
+						};
+				  })
+				: [{ hostPort: '', containerPort: '', protocol: 'tcp' }];
+
+			// Parse volume mappings
+			const binds = data.HostConfig.Binds || [];
+			volumeMappings = binds.length > 0
+				? binds.map((bind: string) => {
+						const [hostPath, containerPath, mode] = bind.split(':');
+						return {
+							hostPath,
+							containerPath,
+							mode: mode || 'rw'
+						};
+				  })
+				: [{ hostPath: '', containerPath: '', mode: 'rw' }];
+
+			// Parse environment variables
+			const env = data.Config.Env || [];
+			envVars = env.length > 0
+				? env
+						.filter((e: string) => !e.startsWith('PATH='))
+						.map((e: string) => {
+							const [key, ...valueParts] = e.split('=');
+							return { key, value: valueParts.join('=') };
+						})
+				: [{ key: '', value: '' }];
+
+			// Parse labels
+			const containerLabels = data.Config.Labels || {};
+			const labelEntries = Object.entries(containerLabels).filter(
+				([key]) => !key.startsWith('com.docker.')
+			);
+			labels = labelEntries.length > 0
+				? labelEntries.map(([key, value]) => ({ key, value: String(value) }))
+				: [{ key: '', value: '' }];
+
+			// Detect if container belongs to a compose stack
+			const composeProject = containerLabels['com.docker.compose.project'];
+			if (composeProject) {
+				isComposeContainer = true;
+				composeStackName = composeProject;
+			} else {
+				isComposeContainer = false;
+				composeStackName = '';
+			}
+
+			// Parse connected networks
+			const networks = data.NetworkSettings?.Networks || {};
+			selectedNetworks = Object.keys(networks);
+
+			// Parse advanced options - User
+			containerUser = data.Config.User || '';
+
+			// Parse advanced options - Privileged
+			privilegedMode = data.HostConfig.Privileged || false;
+
+			// Parse advanced options - Healthcheck
+			const healthcheck = data.Config.Healthcheck;
+			if (healthcheck && healthcheck.Test && healthcheck.Test.length > 0) {
+				healthcheckEnabled = true;
+				// Extract command from Test array (first element is usually CMD-SHELL or CMD)
+				if (healthcheck.Test[0] === 'CMD-SHELL') {
+					healthcheckCommand = healthcheck.Test.slice(1).join(' ');
+				} else if (healthcheck.Test[0] === 'CMD') {
+					healthcheckCommand = healthcheck.Test.slice(1).join(' ');
+				} else if (healthcheck.Test[0] === 'NONE') {
+					healthcheckEnabled = false;
+				} else {
+					healthcheckCommand = healthcheck.Test.join(' ');
+				}
+				healthcheckInterval = Math.floor((healthcheck.Interval || 30e9) / 1e9);
+				healthcheckTimeout = Math.floor((healthcheck.Timeout || 30e9) / 1e9);
+				healthcheckRetries = healthcheck.Retries || 3;
+				healthcheckStartPeriod = Math.floor((healthcheck.StartPeriod || 0) / 1e9);
+			}
+
+			// Parse advanced options - Resources
+			if (data.HostConfig.Memory) {
+				memoryLimit = formatBytes(data.HostConfig.Memory);
+			}
+			if (data.HostConfig.MemoryReservation) {
+				memoryReservation = formatBytes(data.HostConfig.MemoryReservation);
+			}
+			if (data.HostConfig.CpuShares && data.HostConfig.CpuShares !== 0) {
+				cpuShares = String(data.HostConfig.CpuShares);
+			}
+			if (data.HostConfig.NanoCpus) {
+				nanoCpus = String(data.HostConfig.NanoCpus / 1e9);
+			}
+			if (data.HostConfig.CpuQuota) {
+				cpuQuota = String(data.HostConfig.CpuQuota);
+			}
+			if (data.HostConfig.CpuPeriod) {
+				cpuPeriod = String(data.HostConfig.CpuPeriod);
+			}
+
+			// Parse advanced options - Capabilities
+			capAdd = data.HostConfig.CapAdd || [];
+			capDrop = data.HostConfig.CapDrop || [];
+
+			// Parse advanced options - Devices
+			const devices = data.HostConfig.Devices || [];
+			deviceMappings = devices.map((d: any) => ({
+				hostPath: d.PathOnHost || '',
+				containerPath: d.PathInContainer || '',
+				permissions: d.CgroupPermissions || 'rwm'
+			}));
+
+			// Parse advanced options - DNS
+			dnsServers = data.HostConfig.Dns || [];
+			dnsSearch = data.HostConfig.DnsSearch || [];
+			dnsOptions = data.HostConfig.DnsOptions || [];
+
+			// Parse advanced options - Security options
+			securityOptions = data.HostConfig.SecurityOpt || [];
+
+			// Parse advanced options - Ulimits
+			const ulimitsList = data.HostConfig.Ulimits || [];
+			ulimits = ulimitsList.map((u: any) => ({
+				name: u.Name || '',
+				soft: String(u.Soft || 0),
+				hard: String(u.Hard || 0)
+			}));
+
+			// Fetch available networks and auto-update settings
+			await fetchNetworks();
+			await fetchAutoUpdateSettings(name);
+
+			// Store original config for change detection
+			originalConfig = {
+				name,
+				image,
+				command,
+				restartPolicy,
+				networkMode,
+				portMappings: JSON.parse(JSON.stringify(portMappings)),
+				volumeMappings: JSON.parse(JSON.stringify(volumeMappings)),
+				envVars: JSON.parse(JSON.stringify(envVars)),
+				labels: JSON.parse(JSON.stringify(labels)),
+				selectedNetworks: [...selectedNetworks],
+				// Advanced options
+				containerUser,
+				privilegedMode,
+				healthcheckEnabled,
+				healthcheckCommand,
+				healthcheckInterval,
+				healthcheckTimeout,
+				healthcheckRetries,
+				healthcheckStartPeriod,
+				memoryLimit,
+				memoryReservation,
+				cpuShares,
+				nanoCpus,
+				cpuQuota,
+				cpuPeriod,
+				capAdd: [...capAdd],
+				capDrop: [...capDrop],
+				securityOptions: [...securityOptions],
+				deviceMappings: JSON.parse(JSON.stringify(deviceMappings)),
+				dnsServers: [...dnsServers],
+				dnsSearch: [...dnsSearch],
+				dnsOptions: [...dnsOptions],
+				ulimits: JSON.parse(JSON.stringify(ulimits))
+			};
+		} catch (err) {
+			error = 'Failed to load container data: ' + String(err);
+		} finally {
+			loadingData = false;
+			requestAnimationFrame(() => {
+				visible = true;
+				focusFirstInput();
+			});
+		}
+	}
+
+	// Check if container configuration has changed
+	function hasContainerConfigChanged(): boolean {
+		if (!originalConfig) return true;
+
+		// Basic options
+		if (name.trim() !== originalConfig.name) return true;
+		if (image.trim() !== originalConfig.image) return true;
+		if (command.trim() !== originalConfig.command) return true;
+		if (restartPolicy !== originalConfig.restartPolicy) return true;
+		if (networkMode !== originalConfig.networkMode) return true;
+
+		const currentPorts = portMappings.filter(p => p.containerPort && p.hostPort);
+		const originalPorts = originalConfig.portMappings.filter(p => p.containerPort && p.hostPort);
+		if (JSON.stringify(currentPorts) !== JSON.stringify(originalPorts)) return true;
+
+		const currentVolumes = volumeMappings.filter(v => v.hostPath && v.containerPath);
+		const originalVolumes = originalConfig.volumeMappings.filter(v => v.hostPath && v.containerPath);
+		if (JSON.stringify(currentVolumes) !== JSON.stringify(originalVolumes)) return true;
+
+		const currentEnvs = envVars.filter(e => e.key);
+		const originalEnvs = originalConfig.envVars.filter(e => e.key);
+		if (JSON.stringify(currentEnvs) !== JSON.stringify(originalEnvs)) return true;
+
+		const currentLabels = labels.filter(l => l.key);
+		const originalLabels = originalConfig.labels.filter(l => l.key);
+		if (JSON.stringify(currentLabels) !== JSON.stringify(originalLabels)) return true;
+
+		if (JSON.stringify([...selectedNetworks].sort()) !== JSON.stringify([...originalConfig.selectedNetworks].sort())) return true;
+
+		// Advanced options - User & Security
+		if (containerUser !== originalConfig.containerUser) return true;
+		if (privilegedMode !== originalConfig.privilegedMode) return true;
+		if (JSON.stringify([...capAdd].sort()) !== JSON.stringify([...originalConfig.capAdd].sort())) return true;
+		if (JSON.stringify([...capDrop].sort()) !== JSON.stringify([...originalConfig.capDrop].sort())) return true;
+		if (JSON.stringify([...securityOptions].sort()) !== JSON.stringify([...originalConfig.securityOptions].sort())) return true;
+
+		// Advanced options - Healthcheck
+		if (healthcheckEnabled !== originalConfig.healthcheckEnabled) return true;
+		if (healthcheckCommand !== originalConfig.healthcheckCommand) return true;
+		if (healthcheckInterval !== originalConfig.healthcheckInterval) return true;
+		if (healthcheckTimeout !== originalConfig.healthcheckTimeout) return true;
+		if (healthcheckRetries !== originalConfig.healthcheckRetries) return true;
+		if (healthcheckStartPeriod !== originalConfig.healthcheckStartPeriod) return true;
+
+		// Advanced options - Resources
+		if (memoryLimit !== originalConfig.memoryLimit) return true;
+		if (memoryReservation !== originalConfig.memoryReservation) return true;
+		if (cpuShares !== originalConfig.cpuShares) return true;
+		if (nanoCpus !== originalConfig.nanoCpus) return true;
+		if (cpuQuota !== originalConfig.cpuQuota) return true;
+		if (cpuPeriod !== originalConfig.cpuPeriod) return true;
+
+		// Advanced options - Devices
+		const currentDevices = deviceMappings.filter(d => d.hostPath && d.containerPath);
+		const originalDevices = originalConfig.deviceMappings.filter(d => d.hostPath && d.containerPath);
+		if (JSON.stringify(currentDevices) !== JSON.stringify(originalDevices)) return true;
+
+		// Advanced options - DNS
+		if (JSON.stringify([...dnsServers]) !== JSON.stringify([...originalConfig.dnsServers])) return true;
+		if (JSON.stringify([...dnsSearch]) !== JSON.stringify([...originalConfig.dnsSearch])) return true;
+		if (JSON.stringify([...dnsOptions]) !== JSON.stringify([...originalConfig.dnsOptions])) return true;
+
+		// Advanced options - Ulimits
+		const currentUlimits = ulimits.filter(u => u.name && u.soft && u.hard);
+		const originalUlimits = originalConfig.ulimits.filter(u => u.name && u.soft && u.hard);
+		if (JSON.stringify(currentUlimits) !== JSON.stringify(originalUlimits)) return true;
+
+		return false;
+	}
+
+	function hasAutoUpdateChanged(): boolean {
+		if (!originalAutoUpdate) return true;
+		return (
+			autoUpdateEnabled !== originalAutoUpdate.enabled ||
+			autoUpdateCronExpression !== originalAutoUpdate.cronExpression ||
+			vulnerabilityCriteria !== originalAutoUpdate.vulnerabilityCriteria
+		);
+	}
+
+	function serializeConfigWithoutName() {
+		return JSON.stringify({
+			image: image.trim(),
+			command: command.trim(),
+			restartPolicy,
+			networkMode,
+			portMappings: portMappings.filter(p => p.containerPort && p.hostPort),
+			volumeMappings: volumeMappings.filter(v => v.hostPath && v.containerPath),
+			envVars: envVars.filter(e => e.key),
+			labels: labels.filter(l => l.key),
+			selectedNetworks: [...selectedNetworks].sort()
+		});
+	}
+
+	function serializeOriginalConfigWithoutName() {
+		if (!originalConfig) return null;
+		return JSON.stringify({
+			image: originalConfig.image,
+			command: originalConfig.command,
+			restartPolicy: originalConfig.restartPolicy,
+			networkMode: originalConfig.networkMode,
+			portMappings: originalConfig.portMappings.filter(p => p.containerPort && p.hostPort),
+			volumeMappings: originalConfig.volumeMappings.filter(v => v.hostPath && v.containerPath),
+			envVars: originalConfig.envVars.filter(e => e.key),
+			labels: originalConfig.labels.filter(l => l.key),
+			selectedNetworks: [...originalConfig.selectedNetworks].sort()
+		});
+	}
+
+	function hasOnlyNameChanged(): boolean {
+		if (!originalConfig) return false;
+		if (name.trim() === originalConfig.name) return false;
+		return serializeConfigWithoutName() === serializeOriginalConfigWithoutName();
+	}
+
+	function hasConfigChangedBesidesName(): boolean {
+		if (!originalConfig) return false;
+		return serializeConfigWithoutName() !== serializeOriginalConfigWithoutName();
+	}
+
+	let showComposeRenameWarning = $derived(isComposeContainer && hasOnlyNameChanged());
+	let showComposeConfigWarning = $derived(isComposeContainer && hasConfigChangedBesidesName());
+
+	function parseMemory(value: string): number | undefined {
+		if (!value) return undefined;
+		const match = value.trim().toLowerCase().match(/^(\d+(?:\.\d+)?)\s*([kmgt]?b?)?$/);
+		if (!match) return undefined;
+		const num = parseFloat(match[1]);
+		const unit = match[2] || '';
+		switch (unit) {
+			case 'k': case 'kb': return Math.floor(num * 1024);
+			case 'm': case 'mb': return Math.floor(num * 1024 * 1024);
+			case 'g': case 'gb': return Math.floor(num * 1024 * 1024 * 1024);
+			case 't': case 'tb': return Math.floor(num * 1024 * 1024 * 1024 * 1024);
+			default: return Math.floor(num);
+		}
+	}
+
+	function parseNanoCpus(value: string): number | undefined {
+		if (!value) return undefined;
+		const num = parseFloat(value);
+		if (isNaN(num)) return undefined;
+		return Math.floor(num * 1e9);
+	}
+
+	async function handleSubmit(e: Event) {
+		e.preventDefault();
+		error = '';
+		errors = {};
+		statusMessage = '';
+
+		let hasErrors = false;
+		if (!name.trim()) {
+			errors.name = 'Container name is required';
+			hasErrors = true;
+		}
+
+		if (!image.trim()) {
+			errors.image = 'Image name is required';
+			hasErrors = true;
+		}
+
+		if (hasErrors) {
+			return;
+		}
+
+		loading = true;
+
+		const containerConfigChanged = hasContainerConfigChanged();
+		const autoUpdateChanged = hasAutoUpdateChanged();
+
+		if (!containerConfigChanged && !autoUpdateChanged) {
+			onClose();
+			loading = false;
+			return;
+		}
+
+		try {
+			// If only name changed, use the rename endpoint
+			if (hasOnlyNameChanged()) {
+				statusMessage = 'Renaming container...';
+
+				const response = await fetch(appendEnvParam(
+					`/api/containers/${containerId}/rename`,
+					$currentEnvironment?.id
+				), {
+					method: 'POST',
+					headers: { 'Content-Type': 'application/json' },
+					body: JSON.stringify({ name: name.trim() })
+				});
+
+				const result = await response.json();
+
+				if (!response.ok) {
+					error = result.error || 'Failed to rename container';
+					loading = false;
+					return;
+				}
+
+				statusMessage = 'Container renamed successfully!';
+
+				if (autoUpdateChanged) {
+					await saveAutoUpdateSettings(name.trim());
+				}
+
+				await new Promise(resolve => setTimeout(resolve, 500));
+				onSuccess();
+				onClose();
+				loading = false;
+				return;
+			}
+
+			// Full update required - recreate container
+			if (containerConfigChanged) {
+				statusMessage = 'Updating container...';
+
+				const ports: any = {};
+				portMappings
+					.filter((p) => p.containerPort && p.hostPort)
+					.forEach((p) => {
+						const key = `${p.containerPort}/${p.protocol}`;
+						ports[key] = { HostPort: String(p.hostPort) };
+					});
+
+				const volumeBinds = volumeMappings
+					.filter((v) => v.hostPath && v.containerPath)
+					.map((v) => `${v.hostPath}:${v.containerPath}:${v.mode}`);
+
+				const env = envVars
+					.filter((e) => e.key && e.value)
+					.map((e) => `${e.key}=${e.value}`);
+
+				const labelsObj: any = {};
+				labels
+					.filter((l) => l.key && l.value)
+					.forEach((l) => {
+						labelsObj[l.key] = l.value;
+					});
+
+				const cmd = command.trim() ? parseShellCommand(command.trim()) : undefined;
+
+				let healthcheck: any = undefined;
+				if (healthcheckEnabled && healthcheckCommand.trim()) {
+					healthcheck = {
+						test: ['CMD-SHELL', healthcheckCommand.trim()],
+						interval: healthcheckInterval * 1e9,
+						timeout: healthcheckTimeout * 1e9,
+						retries: healthcheckRetries,
+						startPeriod: healthcheckStartPeriod * 1e9
+					};
+				}
+
+				const devices = deviceMappings
+					.filter(d => d.hostPath && d.containerPath)
+					.map(d => ({
+						hostPath: d.hostPath,
+						containerPath: d.containerPath,
+						permissions: d.permissions || 'rwm'
+					}));
+
+				const ulimitsArray = ulimits
+					.filter(u => u.name && u.soft && u.hard)
+					.map(u => ({
+						name: u.name,
+						soft: parseInt(u.soft) || 0,
+						hard: parseInt(u.hard) || 0
+					}));
+
+				const payload = {
+					name: name.trim(),
+					image: image.trim(),
+					ports: Object.keys(ports).length > 0 ? ports : undefined,
+					volumeBinds: volumeBinds.length > 0 ? volumeBinds : undefined,
+					env: env.length > 0 ? env : undefined,
+					labels: Object.keys(labelsObj).length > 0 ? labelsObj : undefined,
+					cmd,
+					restartPolicy,
+					restartMaxRetries: restartPolicy === 'on-failure' && restartMaxRetries !== '' ? Number(restartMaxRetries) : undefined,
+					networkMode,
+					networks: selectedNetworks.length > 0 ? selectedNetworks : undefined,
+					startAfterUpdate,
+					user: containerUser.trim() || undefined,
+					privileged: privilegedMode || undefined,
+					healthcheck,
+					memory: parseMemory(memoryLimit),
+					memoryReservation: parseMemory(memoryReservation),
+					cpuShares: cpuShares ? parseInt(cpuShares) : undefined,
+					nanoCpus: parseNanoCpus(nanoCpus),
+					cpuQuota: cpuQuota ? parseInt(cpuQuota) : undefined,
+					cpuPeriod: cpuPeriod ? parseInt(cpuPeriod) : undefined,
+					capAdd: capAdd.length > 0 ? capAdd : undefined,
+					capDrop: capDrop.length > 0 ? capDrop : undefined,
+					devices: devices.length > 0 ? devices : undefined,
+					dns: dnsServers.length > 0 ? dnsServers : undefined,
+					dnsSearch: dnsSearch.length > 0 ? dnsSearch : undefined,
+					dnsOptions: dnsOptions.length > 0 ? dnsOptions : undefined,
+					securityOpt: securityOptions.length > 0 ? securityOptions : undefined,
+					ulimits: ulimitsArray.length > 0 ? ulimitsArray : undefined
+				};
+
+				const response = await fetch(appendEnvParam(`/api/containers/${containerId}/update`, $currentEnvironment?.id), {
+					method: 'POST',
+					headers: { 'Content-Type': 'application/json' },
+					body: JSON.stringify(payload)
+				});
+
+				const result = await response.json();
+
+				if (!response.ok) {
+					error = result.error || 'Failed to update container';
+					if (result.details) {
+						error += ': ' + result.details;
+					}
+					return;
+				}
+
+				statusMessage = 'Container updated successfully!';
+			}
+
+			if (autoUpdateChanged) {
+				if (!containerConfigChanged) {
+					statusMessage = 'Saving auto-update settings...';
+				}
+				await saveAutoUpdateSettings(name.trim());
+				if (!containerConfigChanged) {
+					statusMessage = 'Auto-update settings saved!';
+				}
+			}
+
+			await new Promise(resolve => setTimeout(resolve, 500));
+
+			onSuccess();
+			onClose();
+		} catch (err) {
+			error = 'Failed to update container: ' + String(err);
+		} finally {
+			loading = false;
+		}
+	}
+
+	function handleClose() {
+		onClose();
+	}
+
+	$effect(() => {
+		if (open && containerId && !hasLoadedData) {
+			visible = false;
+			loadingData = true;
+			name = ''; // Reset to prevent showing stale name in header
+			statusMessage = '';
+			error = '';
+			hasLoadedData = true;
+			loadContainerData();
+			fetchConfigSets();
+			selectedConfigSetId = '';
+		} else if (!open) {
+			loadingData = true;
+			visible = false;
+			hasLoadedData = false;
+		}
+	});
+</script>
+
+<Dialog.Root bind:open onOpenChange={(isOpen) => isOpen && focusFirstInput()}>
+	<Dialog.Content class="max-w-4xl w-full max-h-[90vh] p-0 flex flex-col overflow-hidden sm:max-h-[85vh]">
+		<Dialog.Header class="px-5 py-4 border-b bg-muted/30 shrink-0 sticky top-0 z-10">
+			<Dialog.Title class="text-base font-semibold flex items-center gap-1">
+				Edit container
+				{#if isEditingTitle}
+					<span class="ml-1">-</span>
+					<input
+						type="text"
+						bind:value={editTitleName}
+						bind:this={titleInputRef}
+						class="text-muted-foreground font-normal bg-muted border border-input rounded px-2 py-0.5 text-sm outline-none focus:ring-1 focus:ring-ring"
+						onkeydown={(e) => {
+							if (e.key === 'Enter') saveEditingTitle();
+							if (e.key === 'Escape') cancelEditingTitle();
+						}}
+					/>
+					<button
+						type="button"
+						onclick={saveEditingTitle}
+						title="Save"
+						class="p-0.5 rounded hover:bg-muted transition-colors"
+					>
+						<Check class="w-3 h-3 text-green-500 hover:text-green-600" />
+					</button>
+					<button
+						type="button"
+						onclick={cancelEditingTitle}
+						title="Cancel"
+						class="p-0.5 rounded hover:bg-muted transition-colors"
+					>
+						<X class="w-3 h-3 text-muted-foreground hover:text-foreground" />
+					</button>
+				{:else if name}
+					<span class="font-normal text-muted-foreground ml-1">- {name}</span>
+					<button
+						type="button"
+						onclick={startEditingTitle}
+						title="Rename container"
+						class="p-0.5 rounded hover:bg-muted transition-colors ml-0.5"
+					>
+						<Pencil class="w-3 h-3 text-muted-foreground hover:text-foreground" />
+					</button>
+				{/if}
+			</Dialog.Title>
+		</Dialog.Header>
+
+		{#if loadingData}
+			<div class="flex-1 flex items-center justify-center text-muted-foreground text-sm min-h-[200px]">
+				<Loader2 class="w-5 h-5 animate-spin mr-2" />
+				Loading container data...
+			</div>
+		{:else}
+			<div class="px-5 py-4 flex-1 overflow-y-auto">
+				<!-- Compose warning banners -->
+				{#if showComposeRenameWarning}
+					<div class="mb-4 px-3 py-2 text-xs text-amber-700 dark:text-amber-300 bg-amber-100/50 dark:bg-amber-900/30 rounded-md flex items-start gap-2">
+						<Layers class="w-4 h-4 shrink-0 mt-0.5" />
+						<span>This container is part of the <strong>{composeStackName}</strong> compose stack. Renaming it may cause issues with stack management.</span>
+					</div>
+				{/if}
+				{#if showComposeConfigWarning}
+					<div class="mb-4 px-3 py-2 text-xs text-amber-700 dark:text-amber-300 bg-amber-100/50 dark:bg-amber-900/30 rounded-md flex items-start gap-2">
+						<Layers class="w-4 h-4 shrink-0 mt-0.5" />
+						<span>This container is part of the <strong>{composeStackName}</strong> compose stack. Changes may be overwritten when the stack is redeployed.</span>
+					</div>
+				{/if}
+
+				<ContainerSettingsTab
+					mode="edit"
+					bind:name
+					bind:image
+					bind:command
+					bind:restartPolicy
+					bind:restartMaxRetries
+					bind:networkMode
+					startAfterCreate={startAfterUpdate}
+					bind:portMappings
+					bind:volumeMappings
+					bind:envVars
+					bind:labels
+					{availableNetworks}
+					bind:selectedNetworks
+					bind:containerUser
+					bind:privilegedMode
+					bind:healthcheckEnabled
+					bind:healthcheckCommand
+					bind:healthcheckInterval
+					bind:healthcheckTimeout
+					bind:healthcheckRetries
+					bind:healthcheckStartPeriod
+					bind:memoryLimit
+					bind:memoryReservation
+					bind:cpuShares
+					bind:nanoCpus
+					bind:cpuQuota
+					bind:cpuPeriod
+					bind:capAdd
+					bind:capDrop
+					bind:securityOptions
+					bind:deviceMappings
+					bind:dnsServers
+					bind:dnsSearch
+					bind:dnsOptions
+					bind:ulimits
+					bind:autoUpdateEnabled
+					bind:autoUpdateCronExpression
+					bind:vulnerabilityCriteria
+					{configSets}
+					bind:selectedConfigSetId
+					bind:errors
+				/>
+
+				{#if statusMessage}
+					<div class="mt-4 px-3 py-2 text-xs text-primary bg-primary/10 rounded-md">
+						{statusMessage}
+					</div>
+				{/if}
+
+				{#if error}
+					<div class="mt-4 px-3 py-2 text-xs text-destructive bg-destructive/10 rounded-md">
+						{error}
+					</div>
+				{/if}
+			</div>
+
+			<div class="flex justify-end gap-2 px-5 py-3 border-t bg-muted/30 shrink-0">
+				<Button type="button" variant="outline" onclick={handleClose} disabled={loading} size="sm">
+					Cancel
+				</Button>
+				<Button type="button" variant="secondary" disabled={loading} size="sm" onclick={handleSubmit}>
+					{#if loading}
+						<Loader2 class="w-4 h-4 mr-1 animate-spin" />
+						Updating...
+					{:else}
+						Update container
+					{/if}
+				</Button>
+			</div>
+		{/if}
+	</Dialog.Content>
+</Dialog.Root>
diff --git a/routes/containers/FileBrowserModal.svelte b/src/routes/containers/FileBrowserModal.svelte
similarity index 93%
rename from routes/containers/FileBrowserModal.svelte
rename to src/routes/containers/FileBrowserModal.svelte
index bb0253d..872d9a9 100644
--- a/routes/containers/FileBrowserModal.svelte
+++ b/src/routes/containers/FileBrowserModal.svelte
@@ -22,7 +22,7 @@
 </script>
 
 <Dialog.Root bind:open onOpenChange={handleOpenChange}>
-	<Dialog.Content class="max-w-4xl h-[80vh] flex flex-col">
+	<Dialog.Content class="max-w-4xl h-[90vh] sm:h-[80vh] flex flex-col">
 		<Dialog.Header>
 			<Dialog.Title class="flex items-center gap-2">
 				<FolderOpen class="w-5 h-5" />
diff --git a/routes/containers/FileBrowserPanel.svelte b/src/routes/containers/FileBrowserPanel.svelte
similarity index 96%
rename from routes/containers/FileBrowserPanel.svelte
rename to src/routes/containers/FileBrowserPanel.svelte
index 935deba..d6e87a6 100644
--- a/routes/containers/FileBrowserPanel.svelte
+++ b/src/routes/containers/FileBrowserPanel.svelte
@@ -69,9 +69,25 @@
 		initialPath?: string;
 		canEdit?: boolean;
 		onUsageChange?: (usage: VolumeUsageInfo[], isInUse: boolean) => void;
+		// File selection mode - when true, clicking a file selects it instead of opening viewer
+		selectMode?: boolean;
+		// Regex to filter which files can be selected (used with selectMode)
+		selectFilter?: RegExp;
+		// Callback when a file is selected (in selectMode)
+		onFileSelect?: (path: string, name: string) => void;
 	}
 
-	let { containerId, volumeName, envId, initialPath = '/', canEdit = true, onUsageChange }: Props = $props();
+	let {
+		containerId,
+		volumeName,
+		envId,
+		initialPath = '/',
+		canEdit = true,
+		onUsageChange,
+		selectMode = false,
+		selectFilter,
+		onFileSelect
+	}: Props = $props();
 
 	// For volume mode, track whether volume is in use (controls editing ability)
 	let volumeIsInUse = $state(false);
@@ -110,6 +126,15 @@
 	// Track if this container uses busybox (doesn't support --time-style=iso)
 	let useSimpleLs = $state(false);
 
+	// Selection mode state
+	let selectedFilePath = $state<string | null>(null);
+
+	// Check if a file matches the select filter (for highlighting)
+	function matchesSelectFilter(name: string): boolean {
+		if (!selectMode || !selectFilter) return false;
+		return selectFilter.test(name);
+	}
+
 	// Sort state
 	let sortField = $state<SortField>('name');
 	let sortDirection = $state<SortDirection>('asc');
@@ -696,6 +721,11 @@
 		if (entry.type === 'directory') {
 			const newPath = currentPath === '/' ? `/${entry.name}` : `${currentPath}/${entry.name}`;
 			navigateTo(newPath);
+		} else if (selectMode && entry.type === 'file') {
+			// In select mode, clicking a file selects it
+			const filePath = currentPath === '/' ? `/${entry.name}` : `${currentPath}/${entry.name}`;
+			selectedFilePath = filePath;
+			onFileSelect?.(filePath, entry.name);
 		}
 		// Symlinks are not navigable - target path is displayed for reference
 	}
@@ -924,8 +954,11 @@
 				<Table.Body>
 					{#each displayEntries() as entry (entry.name)}
 						{@const Icon = getIcon(entry)}
-						{@const isClickable = entry.type === 'directory'}
-						<Table.Row class="{isClickable ? 'cursor-pointer' : ''} hover:bg-muted/50 group">
+						{@const isClickable = entry.type === 'directory' || (selectMode && entry.type === 'file')}
+						{@const isSelectable = selectMode && entry.type === 'file' && matchesSelectFilter(entry.name)}
+						{@const filePath = currentPath === '/' ? `/${entry.name}` : `${currentPath}/${entry.name}`}
+						{@const isSelected = selectMode && selectedFilePath === filePath}
+						<Table.Row class="{isClickable ? 'cursor-pointer' : ''} hover:bg-muted/50 group {isSelected ? 'bg-primary/10 hover:bg-primary/15' : ''} {isSelectable ? 'border-l-2 border-l-primary' : ''}">
 							<Table.Cell class="py-1">
 								<button
 									type="button"
diff --git a/routes/dashboard/DraggableGrid.svelte b/src/routes/dashboard/DraggableGrid.svelte
similarity index 100%
rename from routes/dashboard/DraggableGrid.svelte
rename to src/routes/dashboard/DraggableGrid.svelte
diff --git a/routes/dashboard/EnvironmentTile.svelte b/src/routes/dashboard/EnvironmentTile.svelte
similarity index 92%
rename from routes/dashboard/EnvironmentTile.svelte
rename to src/routes/dashboard/EnvironmentTile.svelte
index bcaf811..1f170f3 100644
--- a/routes/dashboard/EnvironmentTile.svelte
+++ b/src/routes/dashboard/EnvironmentTile.svelte
@@ -1,6 +1,6 @@
 <script lang="ts">
 	import * as Card from '$lib/components/ui/card';
-	import { Wifi, WifiOff, ShieldCheck, Activity, Cpu, Settings, Unplug, Icon, Route, UndoDot, CircleArrowUp, CircleFadingArrowUp } from 'lucide-svelte';
+	import { Wifi, WifiOff, ShieldCheck, Activity, Cpu, Settings, Unplug, Icon, Route, UndoDot, CircleArrowUp, CircleFadingArrowUp, Loader2 } from 'lucide-svelte';
 	import { whale } from '@lucide/lab';
 	import { getIconComponent } from '$lib/utils/icons';
 	import { goto } from '$app/navigation';
@@ -26,9 +26,10 @@
 		width?: number;
 		height?: number;
 		oneventsclick?: () => void;
+		showStacksBreakdown?: boolean;
 	}
 
-	let { stats, width = 1, height = 1, oneventsclick }: Props = $props();
+	let { stats, width = 1, height = 1, oneventsclick, showStacksBreakdown = true }: Props = $props();
 
 	const EnvIcon = $derived(getIconComponent(stats.icon));
 
@@ -45,10 +46,11 @@
 	// Helper flags
 	const isMini = $derived(is1x1 || is2x1);
 	const isWide = $derived(width >= 2);
-	// Show offline when online is explicitly false
-	// Only delay showing offline if online is undefined (truly unknown state during initial load)
+	// Show offline only when online is explicitly false (confirmed offline)
+	// Show connecting when online is undefined (initial load, not yet determined)
 	const isStillLoading = $derived(stats.loading && Object.values(stats.loading).some(v => v === true));
-	const showOffline = $derived(stats.online === false || (!stats.online && !isStillLoading));
+	const showOffline = $derived(stats.online === false);
+	const showConnecting = $derived(stats.online === undefined);
 </script>
 
 <Card.Root
@@ -84,10 +86,12 @@
 					<div class="min-w-0 overflow-hidden">
 						<div class="flex items-center gap-1.5">
 							<span class="font-medium text-sm truncate">{stats.name}</span>
-							{#if !showOffline}
-								<Wifi class="w-3 h-3 text-green-500 shrink-0" />
-							{:else}
+							{#if showConnecting}
+								<Loader2 class="w-3 h-3 text-muted-foreground animate-spin shrink-0" />
+							{:else if showOffline}
 								<WifiOff class="w-3 h-3 text-red-500 shrink-0" />
+							{:else}
+								<Wifi class="w-3 h-3 text-green-500 shrink-0" />
 							{/if}
 						</div>
 						<span class="text-xs text-muted-foreground truncate block" title={stats.connectionType === 'socket' ? (stats.socketPath || '/var/run/docker.sock') : stats.connectionType === 'hawser-edge' ? 'Edge connection' : (stats.port ? `${stats.host}:${stats.port}` : stats.host || 'Unknown host')}>
@@ -138,13 +142,13 @@
 		</Card.Header>
 		<DashboardLabels labels={stats.labels} />
 		<Card.Content class="overflow-hidden">
-			{#if !showOffline}
+			{#if showOffline}
+				<DashboardOfflineState error={stats.error} compact={isMini} />
+			{:else}
 				<div class="space-y-2">
-					<DashboardContainerStats containers={stats.containers} loading={stats.loading?.containers} />
+					<DashboardContainerStats containers={stats.containers} loading={stats.loading?.containers || showConnecting} />
 					<DashboardHealthBanner unhealthy={stats.containers.unhealthy} restarting={stats.containers.restarting} />
 				</div>
-			{:else}
-				<DashboardOfflineState error={stats.error} compact={isMini} />
 			{/if}
 		</Card.Content>
 
@@ -178,10 +182,12 @@
 					<div class="min-w-0 overflow-hidden">
 						<div class="flex items-center gap-1.5">
 							<span class="font-medium text-sm truncate">{stats.name}</span>
-							{#if !showOffline}
-								<Wifi class="w-3 h-3 text-green-500 shrink-0" />
-							{:else}
+							{#if showConnecting}
+								<Loader2 class="w-3 h-3 text-muted-foreground animate-spin shrink-0" />
+							{:else if showOffline}
 								<WifiOff class="w-3 h-3 text-red-500 shrink-0" />
+							{:else}
+								<Wifi class="w-3 h-3 text-green-500 shrink-0" />
 							{/if}
 						</div>
 						<span class="text-xs text-muted-foreground truncate block" title={stats.connectionType === 'socket' ? (stats.socketPath || '/var/run/docker.sock') : stats.connectionType === 'hawser-edge' ? 'Edge connection' : (stats.port ? `${stats.host}:${stats.port}` : stats.host || 'Unknown host')}>
@@ -232,10 +238,12 @@
 		</Card.Header>
 		<DashboardLabels labels={stats.labels} />
 		<Card.Content class="overflow-hidden">
-			{#if !showOffline}
+			{#if showOffline}
+				<DashboardOfflineState error={stats.error} compact={isMini} />
+			{:else}
 				<div class="flex gap-4">
 					<div class="space-y-2">
-						<DashboardContainerStats containers={stats.containers} loading={stats.loading?.containers} />
+						<DashboardContainerStats containers={stats.containers} loading={stats.loading?.containers || showConnecting} />
 						<DashboardHealthBanner unhealthy={stats.containers.unhealthy} restarting={stats.containers.restarting} />
 					</div>
 					{#if stats.recentEvents}
@@ -244,8 +252,6 @@
 						</div>
 					{/if}
 				</div>
-			{:else}
-				<DashboardOfflineState error={stats.error} compact={isMini} />
 			{/if}
 		</Card.Content>
 
@@ -279,10 +285,12 @@
 				<div class="min-w-0 overflow-hidden">
 					<div class="flex items-center gap-1.5">
 						<span class="font-medium text-sm truncate">{stats.name}</span>
-						{#if !showOffline}
-							<Wifi class="w-3 h-3 text-green-500 shrink-0" />
-						{:else}
+						{#if showConnecting}
+							<Loader2 class="w-3 h-3 text-muted-foreground animate-spin shrink-0" />
+						{:else if showOffline}
 							<WifiOff class="w-3 h-3 text-red-500 shrink-0" />
+						{:else}
+							<Wifi class="w-3 h-3 text-green-500 shrink-0" />
 						{/if}
 					</div>
 					<span class="text-xs text-muted-foreground truncate block" title={stats.connectionType === 'socket' ? (stats.socketPath || '/var/run/docker.sock') : stats.connectionType === 'hawser-edge' ? 'Edge connection' : (stats.port ? `${stats.host}:${stats.port}` : stats.host || 'Unknown host')}>
@@ -333,18 +341,18 @@
 		</Card.Header>
 		<DashboardLabels labels={stats.labels} />
 		<Card.Content class="overflow-auto" style="max-height: calc(100% - 60px);">
-			{#if !showOffline}
+			{#if showOffline}
+				<DashboardOfflineState error={stats.error} compact={isMini} />
+			{:else}
 				<div class="space-y-3">
-					<DashboardContainerStats containers={stats.containers} loading={stats.loading?.containers} />
+					<DashboardContainerStats containers={stats.containers} loading={stats.loading?.containers || showConnecting} />
 					<DashboardHealthBanner unhealthy={stats.containers.unhealthy} restarting={stats.containers.restarting} />
 					{#if stats.collectMetrics && stats.metrics}
 						<DashboardCpuMemoryBars metrics={stats.metrics} collectMetrics={stats.collectMetrics} />
 					{/if}
-					<DashboardResourceStats images={stats.images} volumes={stats.volumes} networks={stats.networks} stacks={stats.stacks} loading={stats.loading} />
+					<DashboardResourceStats images={stats.images} volumes={stats.volumes} networks={stats.networks} stacks={stats.stacks} loading={stats.loading} showStacksBreakdown={showStacksBreakdown} />
 					<DashboardEventsSummary today={stats.events.today} total={stats.events.total} />
 				</div>
-			{:else}
-				<DashboardOfflineState error={stats.error} compact={isMini} />
 			{/if}
 		</Card.Content>
 
@@ -378,10 +386,12 @@
 				<div class="min-w-0 overflow-hidden">
 					<div class="flex items-center gap-1.5">
 						<span class="font-medium text-sm truncate">{stats.name}</span>
-						{#if !showOffline}
-							<Wifi class="w-3 h-3 text-green-500 shrink-0" />
-						{:else}
+						{#if showConnecting}
+							<Loader2 class="w-3 h-3 text-muted-foreground animate-spin shrink-0" />
+						{:else if showOffline}
 							<WifiOff class="w-3 h-3 text-red-500 shrink-0" />
+						{:else}
+							<Wifi class="w-3 h-3 text-green-500 shrink-0" />
 						{/if}
 					</div>
 					<span class="text-xs text-muted-foreground truncate block" title={stats.connectionType === 'socket' ? (stats.socketPath || '/var/run/docker.sock') : stats.connectionType === 'hawser-edge' ? 'Edge connection' : (stats.port ? `${stats.host}:${stats.port}` : stats.host || 'Unknown host')}>
@@ -432,21 +442,21 @@
 		</Card.Header>
 		<DashboardLabels labels={stats.labels} />
 		<Card.Content class="overflow-auto" style="max-height: calc(100% - 60px);">
-			{#if !showOffline}
+			{#if showOffline}
+				<DashboardOfflineState error={stats.error} compact={isMini} />
+			{:else}
 				<div class="space-y-3">
-					<DashboardContainerStats containers={stats.containers} loading={stats.loading?.containers} />
+					<DashboardContainerStats containers={stats.containers} loading={stats.loading?.containers || showConnecting} />
 					<DashboardHealthBanner unhealthy={stats.containers.unhealthy} restarting={stats.containers.restarting} />
 					{#if stats.collectMetrics && stats.metrics}
 						<DashboardCpuMemoryBars metrics={stats.metrics} collectMetrics={stats.collectMetrics} />
 					{/if}
-					<DashboardResourceStats images={stats.images} volumes={stats.volumes} networks={stats.networks} stacks={stats.stacks} loading={stats.loading} />
+					<DashboardResourceStats images={stats.images} volumes={stats.volumes} networks={stats.networks} stacks={stats.stacks} loading={stats.loading} showStacksBreakdown={showStacksBreakdown} />
 					<DashboardEventsSummary today={stats.events.today} total={stats.events.total} />
 					{#if stats.recentEvents}
 						<DashboardRecentEvents events={stats.recentEvents} limit={8} onclick={oneventsclick} />
 					{/if}
 				</div>
-			{:else}
-				<DashboardOfflineState error={stats.error} compact={isMini} />
 			{/if}
 		</Card.Content>
 
@@ -480,10 +490,12 @@
 				<div class="min-w-0 overflow-hidden">
 					<div class="flex items-center gap-1.5">
 						<span class="font-medium text-sm truncate">{stats.name}</span>
-						{#if !showOffline}
-							<Wifi class="w-3 h-3 text-green-500 shrink-0" />
-						{:else}
+						{#if showConnecting}
+							<Loader2 class="w-3 h-3 text-muted-foreground animate-spin shrink-0" />
+						{:else if showOffline}
 							<WifiOff class="w-3 h-3 text-red-500 shrink-0" />
+						{:else}
+							<Wifi class="w-3 h-3 text-green-500 shrink-0" />
 						{/if}
 					</div>
 					<span class="text-xs text-muted-foreground truncate block" title={stats.connectionType === 'socket' ? (stats.socketPath || '/var/run/docker.sock') : stats.connectionType === 'hawser-edge' ? 'Edge connection' : (stats.port ? `${stats.host}:${stats.port}` : stats.host || 'Unknown host')}>
@@ -534,22 +546,22 @@
 		</Card.Header>
 		<DashboardLabels labels={stats.labels} />
 		<Card.Content class="overflow-auto" style="max-height: calc(100% - 60px);">
-			{#if !showOffline}
+			{#if showOffline}
+				<DashboardOfflineState error={stats.error} compact={isMini} />
+			{:else}
 				<div class="space-y-3">
-					<DashboardContainerStats containers={stats.containers} loading={stats.loading?.containers} />
+					<DashboardContainerStats containers={stats.containers} loading={stats.loading?.containers || showConnecting} />
 					<DashboardHealthBanner unhealthy={stats.containers.unhealthy} restarting={stats.containers.restarting} />
 					{#if stats.collectMetrics && stats.metrics}
 						<DashboardCpuMemoryBars metrics={stats.metrics} collectMetrics={stats.collectMetrics} />
 					{/if}
-					<DashboardResourceStats images={stats.images} volumes={stats.volumes} networks={stats.networks} stacks={stats.stacks} loading={stats.loading} />
+					<DashboardResourceStats images={stats.images} volumes={stats.volumes} networks={stats.networks} stacks={stats.stacks} loading={stats.loading} showStacksBreakdown={showStacksBreakdown} />
 					<DashboardEventsSummary today={stats.events.today} total={stats.events.total} />
 					{#if stats.recentEvents}
 						<DashboardRecentEvents events={stats.recentEvents} limit={8} onclick={oneventsclick} />
 					{/if}
-					<DashboardTopContainers containers={stats.topContainers} limit={8} loading={stats.loading?.topContainers} />
+					<DashboardTopContainers containers={stats.topContainers} limit={8} loading={stats.loading?.topContainers || showConnecting} />
 				</div>
-			{:else}
-				<DashboardOfflineState error={stats.error} compact={isMini} />
 			{/if}
 		</Card.Content>
 
@@ -577,25 +589,25 @@
 		</Card.Header>
 		<DashboardLabels labels={stats.labels} />
 		<Card.Content class="overflow-auto" style="max-height: calc(100% - 60px);">
-			{#if !showOffline}
+			{#if showOffline}
+				<DashboardOfflineState error={stats.error} compact={isMini} />
+			{:else}
 				<div class="grid grid-cols-2 gap-4">
 					<!-- Left column -->
 					<div class="space-y-3">
-						<DashboardContainerStats containers={stats.containers} loading={stats.loading?.containers} />
+						<DashboardContainerStats containers={stats.containers} loading={stats.loading?.containers || showConnecting} />
 						<DashboardHealthBanner unhealthy={stats.containers.unhealthy} restarting={stats.containers.restarting} />
 						{#if stats.metrics}
 							<DashboardCpuMemoryBars metrics={stats.metrics} collectMetrics={stats.collectMetrics} />
 						{/if}
-						<DashboardResourceStats images={stats.images} volumes={stats.volumes} networks={stats.networks} stacks={stats.stacks} loading={stats.loading} />
+						<DashboardResourceStats images={stats.images} volumes={stats.volumes} networks={stats.networks} stacks={stats.stacks} loading={stats.loading} showStacksBreakdown={showStacksBreakdown} />
 						<DashboardEventsSummary today={stats.events.today} total={stats.events.total} />
 					</div>
 					<!-- Right column -->
 					<div class="space-y-3 border-l border-border/50 pl-4">
-						<DashboardTopContainers containers={stats.topContainers} limit={8} loading={stats.loading?.topContainers} />
+						<DashboardTopContainers containers={stats.topContainers} limit={8} loading={stats.loading?.topContainers || showConnecting} />
 					</div>
 				</div>
-			{:else}
-				<DashboardOfflineState error={stats.error} compact={isMini} />
 			{/if}
 		</Card.Content>
 
@@ -623,16 +635,18 @@
 		</Card.Header>
 		<DashboardLabels labels={stats.labels} />
 		<Card.Content class="overflow-auto" style="max-height: calc(100% - 60px);">
-			{#if !showOffline}
+			{#if showOffline}
+				<DashboardOfflineState error={stats.error} compact={isMini} />
+			{:else}
 				<div class="grid grid-cols-2 gap-4">
 					<!-- Left column -->
 					<div class="space-y-3">
-						<DashboardContainerStats containers={stats.containers} loading={stats.loading?.containers} />
+						<DashboardContainerStats containers={stats.containers} loading={stats.loading?.containers || showConnecting} />
 						<DashboardHealthBanner unhealthy={stats.containers.unhealthy} restarting={stats.containers.restarting} />
 						{#if stats.metrics}
 							<DashboardCpuMemoryBars metrics={stats.metrics} collectMetrics={stats.collectMetrics} />
 						{/if}
-						<DashboardResourceStats images={stats.images} volumes={stats.volumes} networks={stats.networks} stacks={stats.stacks} loading={stats.loading} />
+						<DashboardResourceStats images={stats.images} volumes={stats.volumes} networks={stats.networks} stacks={stats.stacks} loading={stats.loading} showStacksBreakdown={showStacksBreakdown} />
 						<DashboardEventsSummary today={stats.events.today} total={stats.events.total} />
 						{#if stats.recentEvents}
 							<DashboardRecentEvents events={stats.recentEvents} limit={5} onclick={oneventsclick} />
@@ -640,14 +654,12 @@
 					</div>
 					<!-- Right column -->
 					<div class="space-y-3 border-l border-border/50 pl-4">
-						<DashboardTopContainers containers={stats.topContainers} limit={10} loading={stats.loading?.topContainers} />
+						<DashboardTopContainers containers={stats.topContainers} limit={10} loading={stats.loading?.topContainers || showConnecting} />
 						{#if stats.collectMetrics && stats.metrics && stats.metricsHistory}
 							<DashboardCpuMemoryCharts metricsHistory={stats.metricsHistory} metrics={stats.metrics} />
 						{/if}
 					</div>
 				</div>
-			{:else}
-				<DashboardOfflineState error={stats.error} compact={isMini} />
 			{/if}
 		</Card.Content>
 
@@ -675,32 +687,32 @@
 		</Card.Header>
 		<DashboardLabels labels={stats.labels} />
 		<Card.Content class="overflow-auto" style="max-height: calc(100% - 60px);">
-			{#if !showOffline}
+			{#if showOffline}
+				<DashboardOfflineState error={stats.error} compact={isMini} />
+			{:else}
 				<div class="grid grid-cols-2 gap-4">
 					<!-- Left column -->
 					<div class="space-y-3">
-						<DashboardContainerStats containers={stats.containers} loading={stats.loading?.containers} />
+						<DashboardContainerStats containers={stats.containers} loading={stats.loading?.containers || showConnecting} />
 						<DashboardHealthBanner unhealthy={stats.containers.unhealthy} restarting={stats.containers.restarting} />
 						{#if stats.metrics}
 							<DashboardCpuMemoryBars metrics={stats.metrics} collectMetrics={stats.collectMetrics} />
 						{/if}
-						<DashboardResourceStats images={stats.images} volumes={stats.volumes} networks={stats.networks} stacks={stats.stacks} loading={stats.loading} />
+						<DashboardResourceStats images={stats.images} volumes={stats.volumes} networks={stats.networks} stacks={stats.stacks} loading={stats.loading} showStacksBreakdown={showStacksBreakdown} />
 						<DashboardEventsSummary today={stats.events.today} total={stats.events.total} />
 						{#if stats.recentEvents}
 							<DashboardRecentEvents events={stats.recentEvents} limit={10} onclick={oneventsclick} />
 						{/if}
-						<DashboardTopContainers containers={stats.topContainers} limit={10} loading={stats.loading?.topContainers} />
+						<DashboardTopContainers containers={stats.topContainers} limit={10} loading={stats.loading?.topContainers || showConnecting} />
 					</div>
 					<!-- Right column -->
 					<div class="space-y-3 border-l border-border/50 pl-4">
 						{#if stats.collectMetrics && stats.metrics && stats.metricsHistory}
 							<DashboardCpuMemoryCharts metricsHistory={stats.metricsHistory} metrics={stats.metrics} />
 						{/if}
-						<DashboardDiskUsage imagesSize={stats.images.totalSize} volumesSize={stats.volumes.totalSize} containersSize={stats.containersSize} buildCacheSize={stats.buildCacheSize} showPieChart={true} loading={stats.loading?.diskUsage} />
+						<DashboardDiskUsage imagesSize={stats.images.totalSize} volumesSize={stats.volumes.totalSize} containersSize={stats.containersSize} buildCacheSize={stats.buildCacheSize} showPieChart={true} loading={stats.loading?.diskUsage || showConnecting} />
 					</div>
 				</div>
-			{:else}
-				<DashboardOfflineState error={stats.error} compact={isMini} />
 			{/if}
 		</Card.Content>
 	{/if}
diff --git a/routes/dashboard/EnvironmentTileSkeleton.svelte b/src/routes/dashboard/EnvironmentTileSkeleton.svelte
similarity index 100%
rename from routes/dashboard/EnvironmentTileSkeleton.svelte
rename to src/routes/dashboard/EnvironmentTileSkeleton.svelte
diff --git a/src/routes/dashboard/dashboard-connecting-state.svelte b/src/routes/dashboard/dashboard-connecting-state.svelte
new file mode 100644
index 0000000..c933e0a
--- /dev/null
+++ b/src/routes/dashboard/dashboard-connecting-state.svelte
@@ -0,0 +1,21 @@
+<script lang="ts">
+	import { Loader2 } from 'lucide-svelte';
+
+	interface Props {
+		compact?: boolean;
+	}
+
+	let { compact = false }: Props = $props();
+</script>
+
+{#if compact}
+	<div class="flex items-center gap-2 text-muted-foreground py-1">
+		<Loader2 class="w-4 h-4 animate-spin opacity-50" />
+		<span class="text-xs">Connecting...</span>
+	</div>
+{:else}
+	<div class="flex flex-col items-center justify-center py-8 text-muted-foreground">
+		<Loader2 class="w-8 h-8 mb-2 animate-spin opacity-50" />
+		<span class="text-sm">Connecting to environment...</span>
+	</div>
+{/if}
diff --git a/routes/dashboard/dashboard-container-stats.svelte b/src/routes/dashboard/dashboard-container-stats.svelte
similarity index 100%
rename from routes/dashboard/dashboard-container-stats.svelte
rename to src/routes/dashboard/dashboard-container-stats.svelte
diff --git a/routes/dashboard/dashboard-cpu-memory-bars.svelte b/src/routes/dashboard/dashboard-cpu-memory-bars.svelte
similarity index 100%
rename from routes/dashboard/dashboard-cpu-memory-bars.svelte
rename to src/routes/dashboard/dashboard-cpu-memory-bars.svelte
diff --git a/routes/dashboard/dashboard-cpu-memory-charts.svelte b/src/routes/dashboard/dashboard-cpu-memory-charts.svelte
similarity index 100%
rename from routes/dashboard/dashboard-cpu-memory-charts.svelte
rename to src/routes/dashboard/dashboard-cpu-memory-charts.svelte
diff --git a/routes/dashboard/dashboard-disk-usage.svelte b/src/routes/dashboard/dashboard-disk-usage.svelte
similarity index 100%
rename from routes/dashboard/dashboard-disk-usage.svelte
rename to src/routes/dashboard/dashboard-disk-usage.svelte
diff --git a/routes/dashboard/dashboard-events-summary.svelte b/src/routes/dashboard/dashboard-events-summary.svelte
similarity index 100%
rename from routes/dashboard/dashboard-events-summary.svelte
rename to src/routes/dashboard/dashboard-events-summary.svelte
diff --git a/routes/dashboard/dashboard-header.svelte b/src/routes/dashboard/dashboard-header.svelte
similarity index 90%
rename from routes/dashboard/dashboard-header.svelte
rename to src/routes/dashboard/dashboard-header.svelte
index c0ef83a..2bc35eb 100644
--- a/routes/dashboard/dashboard-header.svelte
+++ b/src/routes/dashboard/dashboard-header.svelte
@@ -11,7 +11,8 @@
 		Unplug,
 		Icon,
 		CircleArrowUp,
-		CircleFadingArrowUp
+		CircleFadingArrowUp,
+		Loader2
 	} from 'lucide-svelte';
 	import { whale } from '@lucide/lab';
 	import { getIconComponent } from '$lib/utils/icons';
@@ -27,7 +28,7 @@
 		port?: number | null;
 		icon: string;
 		socketPath?: string;
-		online: boolean;
+		online?: boolean; // undefined = connecting, false = offline, true = online
 		scannerEnabled: boolean;
 		collectActivity: boolean;
 		collectMetrics: boolean;
@@ -40,6 +41,10 @@
 		compact?: boolean;
 	}
 
+	// Derived states for connecting/offline
+	const showConnecting = $derived(online === undefined);
+	const showOffline = $derived(online === false);
+
 	let {
 		name,
 		host,
@@ -88,10 +93,12 @@
 		<div class="min-w-0 flex-1">
 			<div class="flex items-center gap-1.5">
 				<span class="font-medium text-sm truncate">{name}</span>
-				{#if online}
-					<Wifi class="w-3 h-3 text-green-500 shrink-0" />
-				{:else}
+				{#if showConnecting}
+					<Loader2 class="w-3 h-3 text-muted-foreground animate-spin shrink-0" />
+				{:else if showOffline}
 					<WifiOff class="w-3 h-3 text-red-500 shrink-0" />
+				{:else}
+					<Wifi class="w-3 h-3 text-green-500 shrink-0" />
 				{/if}
 			</div>
 			<span class="text-xs text-muted-foreground truncate block">{hostDisplay}</span>
@@ -124,10 +131,12 @@
 			<div class="min-w-0 flex-1">
 				<div class="flex items-center gap-1.5">
 					<span class="font-medium text-sm truncate">{name}</span>
-					{#if online}
-						<Wifi class="w-3 h-3 text-green-500 shrink-0" />
-					{:else}
+					{#if showConnecting}
+						<Loader2 class="w-3 h-3 text-muted-foreground animate-spin shrink-0" />
+					{:else if showOffline}
 						<WifiOff class="w-3 h-3 text-red-500 shrink-0" />
+					{:else}
+						<Wifi class="w-3 h-3 text-green-500 shrink-0" />
 					{/if}
 				</div>
 				<span class="text-xs text-muted-foreground truncate block">{hostDisplay}</span>
diff --git a/routes/dashboard/dashboard-health-banner.svelte b/src/routes/dashboard/dashboard-health-banner.svelte
similarity index 100%
rename from routes/dashboard/dashboard-health-banner.svelte
rename to src/routes/dashboard/dashboard-health-banner.svelte
diff --git a/routes/dashboard/dashboard-labels.svelte b/src/routes/dashboard/dashboard-labels.svelte
similarity index 100%
rename from routes/dashboard/dashboard-labels.svelte
rename to src/routes/dashboard/dashboard-labels.svelte
diff --git a/routes/dashboard/dashboard-offline-state.svelte b/src/routes/dashboard/dashboard-offline-state.svelte
similarity index 100%
rename from routes/dashboard/dashboard-offline-state.svelte
rename to src/routes/dashboard/dashboard-offline-state.svelte
diff --git a/routes/dashboard/dashboard-recent-events.svelte b/src/routes/dashboard/dashboard-recent-events.svelte
similarity index 100%
rename from routes/dashboard/dashboard-recent-events.svelte
rename to src/routes/dashboard/dashboard-recent-events.svelte
diff --git a/routes/dashboard/dashboard-resource-stats.svelte b/src/routes/dashboard/dashboard-resource-stats.svelte
similarity index 93%
rename from routes/dashboard/dashboard-resource-stats.svelte
rename to src/routes/dashboard/dashboard-resource-stats.svelte
index 5dd3457..321c15f 100644
--- a/routes/dashboard/dashboard-resource-stats.svelte
+++ b/src/routes/dashboard/dashboard-resource-stats.svelte
@@ -14,9 +14,10 @@
 		networks: { total: number };
 		stacks: { total: number; running: number; partial: number; stopped: number };
 		loading?: LoadingStates;
+		showStacksBreakdown?: boolean;
 	}
 
-	let { images, volumes, networks, stacks, loading }: Props = $props();
+	let { images, volumes, networks, stacks, loading, showStacksBreakdown = true }: Props = $props();
 
 	// Only show skeleton if loading AND we don't have data yet
 	// This prevents blinking when refreshing with existing data
@@ -46,7 +47,7 @@
 		{:else}
 			<span class="font-medium">
 				{stacks.total}
-				{#if stacks.total > 0}
+				{#if showStacksBreakdown && stacks.total > 0}
 					<span class="text-emerald-500">{stacks.running}</span>/<span class="text-amber-500">{stacks.partial}</span>/<span class="text-red-500">{stacks.stopped}</span>
 				{/if}
 			</span>
diff --git a/routes/dashboard/dashboard-status-icons.svelte b/src/routes/dashboard/dashboard-status-icons.svelte
similarity index 100%
rename from routes/dashboard/dashboard-status-icons.svelte
rename to src/routes/dashboard/dashboard-status-icons.svelte
diff --git a/routes/dashboard/dashboard-top-containers.svelte b/src/routes/dashboard/dashboard-top-containers.svelte
similarity index 100%
rename from routes/dashboard/dashboard-top-containers.svelte
rename to src/routes/dashboard/dashboard-top-containers.svelte
diff --git a/routes/dashboard/index.ts b/src/routes/dashboard/index.ts
similarity index 92%
rename from routes/dashboard/index.ts
rename to src/routes/dashboard/index.ts
index f49ca3d..6cd54f9 100644
--- a/routes/dashboard/index.ts
+++ b/src/routes/dashboard/index.ts
@@ -11,4 +11,5 @@ export { default as DashboardTopContainers } from './dashboard-top-containers.sv
 export { default as DashboardDiskUsage } from './dashboard-disk-usage.svelte';
 export { default as DashboardCpuMemoryCharts } from './dashboard-cpu-memory-charts.svelte';
 export { default as DashboardOfflineState } from './dashboard-offline-state.svelte';
+export { default as DashboardConnectingState } from './dashboard-connecting-state.svelte';
 export { default as DashboardStatusIcons } from './dashboard-status-icons.svelte';
diff --git a/routes/environments/+page.svelte b/src/routes/environments/+page.svelte
similarity index 100%
rename from routes/environments/+page.svelte
rename to src/routes/environments/+page.svelte
diff --git a/routes/images/+page.server.ts b/src/routes/images/+page.server.ts
similarity index 100%
rename from routes/images/+page.server.ts
rename to src/routes/images/+page.server.ts
diff --git a/routes/images/+page.svelte b/src/routes/images/+page.svelte
similarity index 87%
rename from routes/images/+page.svelte
rename to src/routes/images/+page.svelte
index fd428c6..ed9db55 100644
--- a/routes/images/+page.svelte
+++ b/src/routes/images/+page.svelte
@@ -7,7 +7,7 @@
 	import { Label } from '$lib/components/ui/label';
 	import * as Dialog from '$lib/components/ui/dialog';
 	import * as Select from '$lib/components/ui/select';
-	import { Trash2, Upload, RefreshCw, Play, Search, Layers, Server, ShieldCheck, CheckSquare, Square, Tag, Check, XCircle, Icon, AlertTriangle, X, Images, Copy, Download, ChevronRight, ChevronDown, Loader2 } from 'lucide-svelte';
+	import { Trash2, Upload, RefreshCw, Play, Search, Layers, Server, ShieldCheck, CheckSquare, Square, Tag, Check, XCircle, Icon, AlertTriangle, X, Images, Copy, Download, ChevronRight, ChevronDown, Loader2, ArrowUp, ArrowDown, ArrowUpDown, CircleDashed } from 'lucide-svelte';
 	import { broom, whale } from '@lucide/lab';
 	import ConfirmPopover from '$lib/components/ConfirmPopover.svelte';
 	import BatchOperationModal from '$lib/components/BatchOperationModal.svelte';
@@ -46,10 +46,12 @@
 			imageId: string;
 			size: number;
 			created: number;
+			containers: number;
 		}>;
 		totalSize: number;
 		latestCreated: number;
 		imageIds: Set<string>;
+		containers: number;
 	}
 
 	// Check if a registry is Docker Hub
@@ -115,6 +117,8 @@
 	// Prune state
 	let confirmPrune = $state(false);
 	let pruneStatus = $state<'idle' | 'pruning' | 'success' | 'error'>('idle');
+	let confirmPruneUnused = $state(false);
+	let pruneUnusedStatus = $state<'idle' | 'pruning' | 'success' | 'error'>('idle');
 
 	// Multi-select state
 	let selectedImages = $state<Set<string>>(new Set());
@@ -179,7 +183,8 @@
 						tags: [],
 						totalSize: 0,
 						latestCreated: 0,
-						imageIds: new Set()
+						imageIds: new Set(),
+						containers: 0
 					});
 				}
 				const group = groups.get(key)!;
@@ -188,11 +193,13 @@
 					fullRef: image.id,
 					imageId: image.id,
 					size: image.size,
-					created: image.created
+					created: image.created,
+					containers: image.containers
 				});
 				group.totalSize = Math.max(group.totalSize, image.size);
 				group.latestCreated = Math.max(group.latestCreated, image.created);
 				group.imageIds.add(image.id);
+				group.containers += image.containers;
 			} else {
 				for (const fullTag of image.tags) {
 					const colonIndex = fullTag.lastIndexOf(':');
@@ -205,7 +212,8 @@
 							tags: [],
 							totalSize: 0,
 							latestCreated: 0,
-							imageIds: new Set()
+							imageIds: new Set(),
+							containers: 0
 						});
 					}
 
@@ -217,11 +225,16 @@
 							fullRef: fullTag,
 							imageId: image.id,
 							size: image.size,
-							created: image.created
+							created: image.created,
+							containers: image.containers
 						});
 					}
 					group.totalSize = Math.max(group.totalSize, image.size);
 					group.latestCreated = Math.max(group.latestCreated, image.created);
+					// Only add containers count once per unique image ID
+					if (!group.imageIds.has(image.id)) {
+						group.containers += image.containers;
+					}
 					group.imageIds.add(image.id);
 				}
 			}
@@ -432,7 +445,7 @@
 			const response = await fetch(appendEnvParam('/api/prune/images', envId), { method: 'POST' });
 			if (response.ok) {
 				pruneStatus = 'success';
-				toast.success('Unused images pruned');
+				toast.success('Dangling images pruned');
 				await fetchImages();
 			} else {
 				pruneStatus = 'error';
@@ -445,6 +458,26 @@
 		pendingTimeouts.push(setTimeout(() => { pruneStatus = 'idle'; }, 3000));
 	}
 
+	async function pruneUnusedImages() {
+		pruneUnusedStatus = 'pruning';
+		confirmPruneUnused = false;
+		try {
+			const response = await fetch(appendEnvParam('/api/prune/images?dangling=false', envId), { method: 'POST' });
+			if (response.ok) {
+				pruneUnusedStatus = 'success';
+				toast.success('Unused images pruned');
+				await fetchImages();
+			} else {
+				pruneUnusedStatus = 'error';
+				toast.error('Failed to prune unused images');
+			}
+		} catch (error) {
+			pruneUnusedStatus = 'error';
+			toast.error('Failed to prune unused images');
+		}
+		pendingTimeouts.push(setTimeout(() => { pruneUnusedStatus = 'idle'; }, 3000));
+	}
+
 	async function removeImage(id: string, tagName: string) {
 		deleteError = null;
 		try {
@@ -618,13 +651,16 @@
 				open={confirmPrune}
 				action="Prune"
 				itemType="dangling images"
-				title="Prune images"
+				title="Prune dangling images"
 				position="left"
 				onConfirm={pruneImages}
 				onOpenChange={(open) => confirmPrune = open}
 			>
 				{#snippet children({ open })}
-					<span class="inline-flex items-center gap-1.5 h-8 px-3 rounded-md text-sm bg-background shadow-xs border hover:bg-accent hover:text-accent-foreground dark:bg-input/30 dark:border-input dark:hover:bg-input/50 {pruneStatus === 'pruning' ? 'opacity-50 pointer-events-none' : ''}">
+					<span
+						class="inline-flex items-center gap-1.5 h-8 px-3 rounded-md text-sm bg-background shadow-xs border hover:bg-accent hover:text-accent-foreground dark:bg-input/30 dark:border-input dark:hover:bg-input/50 {pruneStatus === 'pruning' ? 'opacity-50 pointer-events-none' : ''}"
+						title="Remove untagged intermediate layers (dangling images)"
+					>
 						{#if pruneStatus === 'pruning'}
 							<RefreshCw class="w-3.5 h-3.5 animate-spin" />
 						{:else if pruneStatus === 'success'}
@@ -638,6 +674,33 @@
 					</span>
 				{/snippet}
 			</ConfirmPopover>
+			<ConfirmPopover
+				open={confirmPruneUnused}
+				action="Prune"
+				itemType="all unused images"
+				title="Prune unused images"
+				position="left"
+				onConfirm={pruneUnusedImages}
+				onOpenChange={(open) => confirmPruneUnused = open}
+			>
+				{#snippet children({ open })}
+					<span
+						class="inline-flex items-center gap-1.5 h-8 px-3 rounded-md text-sm bg-background shadow-xs border hover:bg-accent hover:text-accent-foreground dark:bg-input/30 dark:border-input dark:hover:bg-input/50 {pruneUnusedStatus === 'pruning' ? 'opacity-50 pointer-events-none' : ''}"
+						title="Remove ALL images not used by any container (including tagged images)"
+					>
+						{#if pruneUnusedStatus === 'pruning'}
+							<RefreshCw class="w-3.5 h-3.5 animate-spin" />
+						{:else if pruneUnusedStatus === 'success'}
+							<Check class="w-3.5 h-3.5 text-green-600" />
+						{:else if pruneUnusedStatus === 'error'}
+							<XCircle class="w-3.5 h-3.5 text-destructive" />
+						{:else}
+							<Icon iconNode={broom} class="w-3.5 h-3.5 text-amber-600" />
+						{/if}
+						Prune unused
+					</span>
+				{/snippet}
+			</ConfirmPopover>
 			{/if}
 			<Button size="sm" variant="outline" onclick={fetchImages}>Refresh</Button>
 		</div>
@@ -720,6 +783,25 @@
 							<Square class="w-3.5 h-3.5 text-muted-foreground" />
 						{/if}
 					</button>
+				{:else if column.sortable}
+					<button
+						type="button"
+						onclick={() => toggleSort(column.sortField ?? column.id)}
+						class="flex items-center gap-1 hover:text-foreground transition-colors w-full"
+					>
+						{column.label}
+						{#if sortState?.field === (column.sortField ?? column.id)}
+							{#if sortState.direction === 'asc'}
+								<ArrowUp class="w-3 h-3" />
+							{:else}
+								<ArrowDown class="w-3 h-3" />
+							{/if}
+						{:else}
+							<ArrowUpDown class="w-3 h-3 opacity-30" />
+						{/if}
+					</button>
+				{:else if column.id !== 'expand' && column.id !== 'actions'}
+					{column.label}
 				{/if}
 			{/snippet}
 			{#snippet cell(column, group, rowState)}
@@ -766,6 +848,16 @@
 								{group.tags[0].tag}
 							</span>
 						{/if}
+						{#if group.containers === 0}
+							<Badge variant="outline" class="text-2xs px-1.5 py-0 border-amber-500/50 text-amber-600 dark:text-amber-400 shadow-[0_0_4px_rgba(245,158,11,0.4)]">
+								Unused
+							</Badge>
+						{:else if group.tags.length > 1 && group.tags.some(t => t.containers === 0)}
+							<Badge variant="outline" class="text-2xs px-1.5 py-0 border-amber-500/30 text-amber-600/70 dark:text-amber-400/70 shadow-[0_0_3px_rgba(245,158,11,0.25)]" title="Some tags are unused">
+								<CircleDashed class="w-2.5 h-2.5 mr-0.5" />
+								Some unused
+							</Badge>
+						{/if}
 					</div>
 				{:else if column.id === 'tags'}
 					<Badge variant="secondary" class="text-xs">
@@ -848,6 +940,22 @@
 								<span class="text-muted-foreground">{formatSize(tagInfo.size)}</span>
 							{:else if column.id === 'created'}
 								<span class="text-muted-foreground">{formatImageDate(tagInfo.created)}</span>
+							{:else if column.id === 'used'}
+								{#if tagInfo.containers > 0}
+									<a
+										href="/containers?image={encodeURIComponent(tagInfo.fullRef)}"
+										class="text-muted-foreground hover:text-foreground hover:underline"
+										title="View containers using this image"
+									>
+										{tagInfo.containers} container{tagInfo.containers === 1 ? '' : 's'}
+									</a>
+								{:else if tagInfo.containers === 0}
+									<Badge variant="outline" class="text-2xs px-1.5 py-0 border-amber-500/50 text-amber-600 dark:text-amber-400 shadow-[0_0_4px_rgba(245,158,11,0.4)]">
+										Unused
+									</Badge>
+								{:else}
+									<span class="text-muted-foreground/50">—</span>
+								{/if}
 							{:else if column.id === 'actions'}
 								<div class="flex items-center gap-1">
 									{#if $canAccess('images', 'inspect')}
@@ -911,7 +1019,7 @@
 										<Tag class="w-3 h-3 text-muted-foreground hover:text-foreground" />
 									</button>
 									{/if}
-									{#if $canAccess('images', 'remove')}
+									{#if $canAccess('images', 'remove') && tagInfo.containers === 0}
 									<div class="relative">
 										<ConfirmPopover
 											open={confirmDeleteId === tagInfo.fullRef}
diff --git a/routes/images/ImageHistoryModal.svelte b/src/routes/images/ImageHistoryModal.svelte
similarity index 100%
rename from routes/images/ImageHistoryModal.svelte
rename to src/routes/images/ImageHistoryModal.svelte
diff --git a/routes/images/ImageLayersView.svelte b/src/routes/images/ImageLayersView.svelte
similarity index 100%
rename from routes/images/ImageLayersView.svelte
rename to src/routes/images/ImageLayersView.svelte
diff --git a/routes/images/ImagePullProgressPopover.svelte b/src/routes/images/ImagePullProgressPopover.svelte
similarity index 99%
rename from routes/images/ImagePullProgressPopover.svelte
rename to src/routes/images/ImagePullProgressPopover.svelte
index c3cb4aa..25cfb77 100644
--- a/routes/images/ImagePullProgressPopover.svelte
+++ b/src/routes/images/ImagePullProgressPopover.svelte
@@ -259,7 +259,7 @@
 	<Popover.Trigger asChild>
 		{@render children()}
 	</Popover.Trigger>
-	<Popover.Content class="w-[28rem] p-0 overflow-hidden flex flex-col max-h-96 z-[150]" align="end" sideOffset={8}>
+	<Popover.Content class="w-[28rem] p-0 overflow-hidden flex flex-col max-h-96 z-[200]" align="end" sideOffset={8}>
 		<!-- Sticky Header -->
 		<div class="p-3 border-b shrink-0 space-y-2">
 			<div class="flex items-center gap-2 text-sm font-medium min-w-0">
diff --git a/routes/images/ImageScanModal.svelte b/src/routes/images/ImageScanModal.svelte
similarity index 100%
rename from routes/images/ImageScanModal.svelte
rename to src/routes/images/ImageScanModal.svelte
diff --git a/routes/images/PushToRegistryModal.svelte b/src/routes/images/PushToRegistryModal.svelte
similarity index 100%
rename from routes/images/PushToRegistryModal.svelte
rename to src/routes/images/PushToRegistryModal.svelte
diff --git a/routes/images/ScanResultsView.svelte b/src/routes/images/ScanResultsView.svelte
similarity index 100%
rename from routes/images/ScanResultsView.svelte
rename to src/routes/images/ScanResultsView.svelte
diff --git a/routes/images/VulnerabilityScanModal.svelte b/src/routes/images/VulnerabilityScanModal.svelte
similarity index 100%
rename from routes/images/VulnerabilityScanModal.svelte
rename to src/routes/images/VulnerabilityScanModal.svelte
diff --git a/routes/login/+page.svelte b/src/routes/login/+page.svelte
similarity index 98%
rename from routes/login/+page.svelte
rename to src/routes/login/+page.svelte
index 039aafb..7a84821 100644
--- a/routes/login/+page.svelte
+++ b/src/routes/login/+page.svelte
@@ -270,17 +270,14 @@
 							<Input
 								id="mfaToken"
 								type="text"
-								placeholder="Enter 6-digit code"
+								placeholder="Enter code"
 								bind:value={mfaToken}
 								required
 								disabled={loading}
 								autocomplete="one-time-code"
-								inputmode="numeric"
-								pattern="[0-9]*"
-								maxlength={6}
 							/>
 							<p class="text-xs text-muted-foreground">
-								Enter the code from your authenticator app
+								Enter the 6-digit code from your authenticator app, or use a backup code
 							</p>
 						</div>
 					{/if}
diff --git a/routes/logs/+page.svelte b/src/routes/logs/+page.svelte
similarity index 99%
rename from routes/logs/+page.svelte
rename to src/routes/logs/+page.svelte
index bdfe0c6..f32fad9 100644
--- a/routes/logs/+page.svelte
+++ b/src/routes/logs/+page.svelte
@@ -294,7 +294,8 @@ import type { FavoriteGroup } from '../api/preferences/favorite-groups/+server';
 		}
 
 		if (urlContainerId) {
-			// Single container from URL
+			// Single container from URL - always switch to single mode
+			layoutMode = 'single';
 			const container = fetchedContainers.find(c => c.id === urlContainerId || c.id.startsWith(urlContainerId));
 			if (container) {
 				selectContainer(container);
diff --git a/routes/logs/LogViewer.svelte b/src/routes/logs/LogViewer.svelte
similarity index 100%
rename from routes/logs/LogViewer.svelte
rename to src/routes/logs/LogViewer.svelte
diff --git a/routes/logs/LogsPanel.svelte b/src/routes/logs/LogsPanel.svelte
similarity index 100%
rename from routes/logs/LogsPanel.svelte
rename to src/routes/logs/LogsPanel.svelte
diff --git a/routes/networks/+page.svelte b/src/routes/networks/+page.svelte
similarity index 100%
rename from routes/networks/+page.svelte
rename to src/routes/networks/+page.svelte
diff --git a/routes/networks/ConnectContainerModal.svelte b/src/routes/networks/ConnectContainerModal.svelte
similarity index 100%
rename from routes/networks/ConnectContainerModal.svelte
rename to src/routes/networks/ConnectContainerModal.svelte
diff --git a/routes/networks/CreateNetworkModal.svelte b/src/routes/networks/CreateNetworkModal.svelte
similarity index 99%
rename from routes/networks/CreateNetworkModal.svelte
rename to src/routes/networks/CreateNetworkModal.svelte
index 5a108b5..fa28bb8 100644
--- a/routes/networks/CreateNetworkModal.svelte
+++ b/src/routes/networks/CreateNetworkModal.svelte
@@ -277,7 +277,7 @@
 				</Tabs.Trigger>
 			</Tabs.List>
 
-			<div class="min-h-[400px] mt-4">
+			<div class="min-h-[200px] sm:min-h-[300px] mt-4">
 				<!-- Basic Tab -->
 				<Tabs.Content value="basic" class="space-y-4 h-full overflow-y-auto">
 				<div class="space-y-2">
diff --git a/routes/networks/NetworkInspectModal.svelte b/src/routes/networks/NetworkInspectModal.svelte
similarity index 99%
rename from routes/networks/NetworkInspectModal.svelte
rename to src/routes/networks/NetworkInspectModal.svelte
index 5c9eb9c..983599d 100644
--- a/routes/networks/NetworkInspectModal.svelte
+++ b/src/routes/networks/NetworkInspectModal.svelte
@@ -61,7 +61,7 @@
 </script>
 
 <Dialog.Root bind:open>
-	<Dialog.Content class="max-w-4xl h-[90vh] flex flex-col">
+	<Dialog.Content class="max-w-4xl max-h-[90vh] flex flex-col">
 		<Dialog.Header class="shrink-0">
 			<Dialog.Title class="flex items-center gap-2">
 				<Network class="w-5 h-5" />
diff --git a/routes/profile/+page.svelte b/src/routes/profile/+page.svelte
similarity index 96%
rename from routes/profile/+page.svelte
rename to src/routes/profile/+page.svelte
index 1ab3b21..50b22aa 100644
--- a/routes/profile/+page.svelte
+++ b/src/routes/profile/+page.svelte
@@ -26,7 +26,6 @@
 	} from 'lucide-svelte';
 	import { authStore } from '$lib/stores/auth';
 	import * as Alert from '$lib/components/ui/alert';
-	import { licenseStore } from '$lib/stores/license';
 	import AvatarCropper from '$lib/components/AvatarCropper.svelte';
 	import * as Avatar from '$lib/components/ui/avatar';
 	import ChangePasswordModal from './ChangePasswordModal.svelte';
@@ -542,26 +541,19 @@
 									</p>
 								</div>
 							</div>
-							{#if $licenseStore.isEnterprise}
-								{#if profile.mfaEnabled}
-									<Button variant="outline" onclick={() => showDisableMfaModal = true}>
-										Disable MFA
-									</Button>
-								{:else}
-									<Button onclick={setupMfa} disabled={mfaLoading}>
-										{#if mfaLoading}
-											<RefreshCw class="w-4 h-4 mr-1 animate-spin" />
-										{:else}
-											<QrCode class="w-4 h-4 mr-1" />
-										{/if}
-										Setup MFA
-									</Button>
-								{/if}
+							{#if profile.mfaEnabled}
+								<Button variant="outline" onclick={() => showDisableMfaModal = true}>
+									Disable MFA
+								</Button>
 							{:else}
-								<Badge variant="outline" class="gap-1 rounded-sm">
-									<Crown class="w-3 h-3" />
-									Enterprise
-								</Badge>
+								<Button onclick={setupMfa} disabled={mfaLoading}>
+									{#if mfaLoading}
+										<RefreshCw class="w-4 h-4 mr-1 animate-spin" />
+									{:else}
+										<QrCode class="w-4 h-4 mr-1" />
+									{/if}
+									Setup MFA
+								</Button>
 							{/if}
 						</div>
 					{:else}
diff --git a/routes/profile/ChangePasswordModal.svelte b/src/routes/profile/ChangePasswordModal.svelte
similarity index 100%
rename from routes/profile/ChangePasswordModal.svelte
rename to src/routes/profile/ChangePasswordModal.svelte
diff --git a/routes/profile/DisableMfaModal.svelte b/src/routes/profile/DisableMfaModal.svelte
similarity index 100%
rename from routes/profile/DisableMfaModal.svelte
rename to src/routes/profile/DisableMfaModal.svelte
diff --git a/src/routes/profile/MfaSetupModal.svelte b/src/routes/profile/MfaSetupModal.svelte
new file mode 100644
index 0000000..2241188
--- /dev/null
+++ b/src/routes/profile/MfaSetupModal.svelte
@@ -0,0 +1,206 @@
+<script lang="ts">
+	import { Button } from '$lib/components/ui/button';
+	import * as Dialog from '$lib/components/ui/dialog';
+	import { Label } from '$lib/components/ui/label';
+	import { Input } from '$lib/components/ui/input';
+	import { QrCode, RefreshCw, ShieldCheck, TriangleAlert, Copy, Download, Check } from 'lucide-svelte';
+	import * as Alert from '$lib/components/ui/alert';
+	import { focusFirstInput } from '$lib/utils';
+
+	interface Props {
+		open: boolean;
+		qrCode: string;
+		secret: string;
+		userId: number;
+		onClose: () => void;
+		onSuccess: () => void;
+	}
+
+	let { open = $bindable(), qrCode, secret, userId, onClose, onSuccess }: Props = $props();
+
+	let token = $state('');
+	let loading = $state(false);
+	let error = $state('');
+	let backupCodes = $state<string[]>([]);
+	let showBackupCodes = $state(false);
+	let copied = $state(false);
+
+	function resetForm() {
+		token = '';
+		error = '';
+		backupCodes = [];
+		showBackupCodes = false;
+		copied = false;
+	}
+
+	async function verifyAndEnableMfa() {
+		if (!token) {
+			error = 'Please enter the verification code';
+			return;
+		}
+
+		loading = true;
+		error = '';
+
+		try {
+			const response = await fetch(`/api/users/${userId}/mfa`, {
+				method: 'POST',
+				headers: { 'Content-Type': 'application/json' },
+				body: JSON.stringify({ action: 'verify', token })
+			});
+
+			const data = await response.json();
+
+			if (response.ok) {
+				backupCodes = data.backupCodes || [];
+				showBackupCodes = true;
+			} else {
+				error = data.error || 'Invalid verification code';
+			}
+		} catch (e) {
+			error = 'Failed to verify MFA';
+		} finally {
+			loading = false;
+		}
+	}
+
+	function formatBackupCodes(): string {
+		return backupCodes.map((code, i) => `${i + 1}. ${code}`).join('\n');
+	}
+
+	async function copyBackupCodes() {
+		try {
+			await navigator.clipboard.writeText(formatBackupCodes());
+			copied = true;
+			setTimeout(() => copied = false, 2000);
+		} catch {
+			error = 'Failed to copy to clipboard';
+		}
+	}
+
+	function downloadBackupCodes() {
+		const content = `Dockhand MFA Backup Codes\n${'='.repeat(30)}\n\nThese codes can be used to sign in if you lose access to your authenticator app.\nEach code can only be used once.\n\n${formatBackupCodes()}\n\nGenerated: ${new Date().toISOString()}`;
+		const blob = new Blob([content], { type: 'text/plain' });
+		const url = URL.createObjectURL(blob);
+		const a = document.createElement('a');
+		a.href = url;
+		a.download = 'dockhand-backup-codes.txt';
+		document.body.appendChild(a);
+		a.click();
+		document.body.removeChild(a);
+		URL.revokeObjectURL(url);
+	}
+
+	function handleDone() {
+		onSuccess();
+		onClose();
+	}
+
+</script>
+
+<Dialog.Root bind:open onOpenChange={(o) => { if (o) { resetForm(); focusFirstInput(); } else if (!showBackupCodes) onClose(); }}>
+	<Dialog.Content class="max-w-md">
+		<Dialog.Header>
+			<Dialog.Title class="flex items-center gap-2">
+				{#if showBackupCodes}
+					<ShieldCheck class="w-5 h-5 text-green-500" />
+					MFA enabled successfully
+				{:else}
+					<QrCode class="w-5 h-5" />
+					Setup two-factor authentication
+				{/if}
+			</Dialog.Title>
+		</Dialog.Header>
+
+		{#if showBackupCodes}
+			<!-- Backup codes view -->
+			<div class="space-y-4">
+				<Alert.Root>
+					<TriangleAlert class="h-4 w-4" />
+					<Alert.Description>
+						Save these backup codes in a safe place. Each code can only be used once to sign in if you lose access to your authenticator app.
+					</Alert.Description>
+				</Alert.Root>
+
+				<div class="grid grid-cols-2 gap-2 p-3 bg-muted rounded-lg font-mono text-sm">
+					{#each backupCodes as code, i}
+						<div class="flex items-center gap-2">
+							<span class="text-muted-foreground w-4">{i + 1}.</span>
+							<span>{code}</span>
+						</div>
+					{/each}
+				</div>
+
+				<div class="flex gap-2">
+					<Button variant="outline" class="flex-1" onclick={copyBackupCodes}>
+						{#if copied}
+							<Check class="w-4 h-4 mr-1" />
+							Copied!
+						{:else}
+							<Copy class="w-4 h-4 mr-1" />
+							Copy codes
+						{/if}
+					</Button>
+					<Button variant="outline" class="flex-1" onclick={downloadBackupCodes}>
+						<Download class="w-4 h-4 mr-1" />
+						Download
+					</Button>
+				</div>
+			</div>
+			<Dialog.Footer>
+				<Button onclick={handleDone}>
+					<ShieldCheck class="w-4 h-4 mr-1" />
+					Done
+				</Button>
+			</Dialog.Footer>
+		{:else}
+			<!-- Setup view -->
+			<div class="space-y-4">
+				{#if error}
+					<Alert.Root variant="destructive">
+						<TriangleAlert class="h-4 w-4" />
+						<Alert.Description>{error}</Alert.Description>
+					</Alert.Root>
+				{/if}
+
+				<p class="text-sm text-muted-foreground">
+					Scan this QR code with your authenticator app (Google Authenticator, Authy, etc.)
+				</p>
+
+				{#if qrCode}
+					<div class="flex justify-center p-4 bg-white rounded-lg">
+						<img src={qrCode} alt="MFA QR Code" class="w-48 h-48" />
+					</div>
+				{/if}
+
+				<div class="space-y-2">
+					<Label class="text-xs text-muted-foreground">Or enter this code manually:</Label>
+					<code class="block p-2 bg-muted rounded text-sm font-mono break-all">{secret}</code>
+				</div>
+
+				<div class="space-y-2">
+					<Label>Verification code</Label>
+					<Input
+						bind:value={token}
+						placeholder="Enter 6-digit code"
+						maxlength={6}
+					/>
+					<p class="text-xs text-muted-foreground">
+						Enter the code from your authenticator app to verify setup
+					</p>
+				</div>
+			</div>
+			<Dialog.Footer>
+				<Button variant="outline" onclick={onClose}>Cancel</Button>
+				<Button onclick={verifyAndEnableMfa} disabled={loading || !token}>
+					{#if loading}
+						<RefreshCw class="w-4 h-4 mr-1 animate-spin" />
+					{:else}
+						<ShieldCheck class="w-4 h-4 mr-1" />
+					{/if}
+					Enable MFA
+				</Button>
+			</Dialog.Footer>
+		{/if}
+	</Dialog.Content>
+</Dialog.Root>
diff --git a/routes/registry/+page.svelte b/src/routes/registry/+page.svelte
similarity index 85%
rename from routes/registry/+page.svelte
rename to src/routes/registry/+page.svelte
index 65b7add..a7b5404 100644
--- a/routes/registry/+page.svelte
+++ b/src/routes/registry/+page.svelte
@@ -43,8 +43,13 @@
 
 	interface ExpandedImageState {
 		loading: boolean;
+		loadingMore: boolean;
 		error: string;
 		tags: TagInfo[];
+		total: number;
+		page: number;
+		pageSize: number;
+		hasNext: boolean;
 	}
 
 	let registries = $state<Registry[]>([]);
@@ -226,38 +231,100 @@
 			const { [imageName]: _, ...rest } = expandedImages;
 			expandedImages = rest;
 		} else {
-			// Expand and fetch tags
-			expandedImages = {
-				...expandedImages,
-				[imageName]: { loading: true, error: '', tags: [] }
-			};
+			// Expand and fetch first page
+			await fetchTagsPage(imageName, 1, true);
+		}
+	}
 
-			try {
-				let url = `/api/registry/tags?image=${encodeURIComponent(imageName)}`;
-				if (selectedRegistryId) {
-					url += `&registry=${selectedRegistryId}`;
-				}
+	async function loadMoreTags(imageName: string) {
+		const state = expandedImages[imageName];
+		if (!state || state.loading || state.loadingMore || !state.hasNext) return;
+		await fetchTagsPage(imageName, state.page + 1, false);
+	}
 
-				const response = await fetch(url);
-				if (response.ok) {
-					const tags = await response.json();
-					expandedImages = {
-						...expandedImages,
-						[imageName]: { loading: false, error: '', tags }
-					};
-				} else {
-					const data = await response.json();
-					expandedImages = {
-						...expandedImages,
-						[imageName]: { loading: false, error: data.error || 'Failed to fetch tags', tags: [] }
-					};
-				}
-			} catch (error: any) {
+	async function fetchTagsPage(imageName: string, page: number, isFirstLoad: boolean) {
+		const currentState = expandedImages[imageName];
+
+		expandedImages = {
+			...expandedImages,
+			[imageName]: {
+				loading: isFirstLoad,
+				loadingMore: !isFirstLoad,
+				error: '',
+				tags: currentState?.tags || [],
+				total: currentState?.total || 0,
+				page: currentState?.page || 0,
+				pageSize: 20,
+				hasNext: currentState?.hasNext || false
+			}
+		};
+
+		try {
+			let url = `/api/registry/tags?image=${encodeURIComponent(imageName)}&page=${page}&pageSize=20`;
+			if (selectedRegistryId) {
+				url += `&registry=${selectedRegistryId}`;
+			}
+
+			const response = await fetch(url);
+			if (response.ok) {
+				const data = await response.json();
+				const prevState = expandedImages[imageName];
+				const existingTags = isFirstLoad ? [] : (prevState?.tags || []);
 				expandedImages = {
 					...expandedImages,
-					[imageName]: { loading: false, error: error.message || 'Failed to fetch tags', tags: [] }
+					[imageName]: {
+						loading: false,
+						loadingMore: false,
+						error: '',
+						tags: [...existingTags, ...data.tags],
+						total: data.total,
+						page: data.page,
+						pageSize: data.pageSize,
+						hasNext: data.hasNext
+					}
+				};
+			} else {
+				const data = await response.json();
+				expandedImages = {
+					...expandedImages,
+					[imageName]: {
+						...expandedImages[imageName],
+						loading: false,
+						loadingMore: false,
+						error: data.error || 'Failed to fetch tags'
+					}
 				};
 			}
+		} catch (error: any) {
+			expandedImages = {
+				...expandedImages,
+				[imageName]: {
+					...expandedImages[imageName],
+					loading: false,
+					loadingMore: false,
+					error: error.message || 'Failed to fetch tags'
+				}
+			};
+		}
+	}
+
+	function handleTagsWheel(event: WheelEvent, imageName: string) {
+		const target = event.currentTarget as HTMLElement;
+
+		// Prevent page scroll when at top/bottom of tags list
+		const atTop = target.scrollTop === 0;
+		const atBottom = target.scrollHeight - target.scrollTop - target.clientHeight < 1;
+
+		if ((atTop && event.deltaY < 0) || (atBottom && event.deltaY > 0)) {
+			event.preventDefault();
+		}
+
+		// Load more when near bottom
+		const state = expandedImages[imageName];
+		if (!state || !state.hasNext || state.loading || state.loadingMore) return;
+
+		if (target.scrollHeight - target.scrollTop - target.clientHeight < 50) {
+			loadMoreTags(imageName);
 		}
 	}
 
@@ -328,7 +395,8 @@
 						...expandedImages,
 						[imageName]: {
 							...state,
-							tags: state.tags.filter(t => t.name !== tag)
+							tags: state.tags.filter(t => t.name !== tag),
+							total: Math.max(0, state.total - 1)
 						}
 					};
 				}
@@ -514,9 +582,9 @@
 											{expandState.error}
 										</div>
 									{:else if expandState?.tags && expandState.tags.length > 0}
-										<div class="max-h-64 overflow-y-auto">
+										<div class="max-h-64 overflow-y-auto overscroll-contain" onwheel={(e) => handleTagsWheel(e, result.name)}>
 											<table class="text-xs">
-												<thead class="text-muted-foreground sticky top-0 bg-muted/50">
+												<thead class="text-muted-foreground sticky top-0 bg-background z-10">
 													<tr>
 														<th class="text-left py-1 px-2 pr-4 font-medium">Tag</th>
 														<th class="text-left py-1 px-2 pr-4 font-medium">Size</th>
@@ -590,7 +658,20 @@
 													{/each}
 												</tbody>
 											</table>
+											<!-- Loading more indicator -->
+											{#if expandState.loadingMore}
+												<div class="flex items-center justify-center py-2 text-xs text-muted-foreground">
+													<Loader2 class="w-3 h-3 animate-spin mr-2" />
+													Loading more...
+												</div>
+											{/if}
 										</div>
+										<!-- Tags count -->
+										{#if expandState.total > 0}
+											<div class="text-xs text-muted-foreground pt-1">
+												{expandState.tags.length} of {expandState.total} tags loaded
+											</div>
+										{/if}
 									{:else}
 										<div class="text-xs text-muted-foreground py-2">
 											No tags found
diff --git a/routes/registry/CopyToRegistryModal.svelte b/src/routes/registry/CopyToRegistryModal.svelte
similarity index 100%
rename from routes/registry/CopyToRegistryModal.svelte
rename to src/routes/registry/CopyToRegistryModal.svelte
diff --git a/routes/registry/ImagePullModal.svelte b/src/routes/registry/ImagePullModal.svelte
similarity index 100%
rename from routes/registry/ImagePullModal.svelte
rename to src/routes/registry/ImagePullModal.svelte
diff --git a/routes/schedules/+page.svelte b/src/routes/schedules/+page.svelte
similarity index 100%
rename from routes/schedules/+page.svelte
rename to src/routes/schedules/+page.svelte
diff --git a/routes/settings/+page.svelte b/src/routes/settings/+page.svelte
similarity index 100%
rename from routes/settings/+page.svelte
rename to src/routes/settings/+page.svelte
diff --git a/routes/settings/about/AboutTab.svelte b/src/routes/settings/about/AboutTab.svelte
similarity index 98%
rename from routes/settings/about/AboutTab.svelte
rename to src/routes/settings/about/AboutTab.svelte
index 802e389..c2547b5 100644
--- a/routes/settings/about/AboutTab.svelte
+++ b/src/routes/settings/about/AboutTab.svelte
@@ -3,7 +3,7 @@
 	import * as Card from '$lib/components/ui/card';
 	import { Badge } from '$lib/components/ui/badge';
 	import { Input } from '$lib/components/ui/input';
-	import { Box, Images, HardDrive, Network, Cpu, Server, Crown, Building2, Layers, Clock, Code, Package, ExternalLink, Search, FileText, Tag, Sparkles, Bug, ChevronDown, ChevronRight, Plug, ScrollText, Shield, MessageSquarePlus, GitBranch, Coffee } from 'lucide-svelte';
+	import { Box, Images, HardDrive, Network, Cpu, Server, Crown, Building2, Layers, Clock, Code, Package, ExternalLink, Search, FileText, Tag, Sparkles, Bug, ChevronDown, ChevronRight, Plug, ScrollText, Shield, MessageSquarePlus, GitBranch, Coffee, Monitor, Cog, MemoryStick, Database } from 'lucide-svelte';
 	import * as Tabs from '$lib/components/ui/tabs';
 	import { onMount, onDestroy } from 'svelte';
 	import { licenseStore } from '$lib/stores/license';
@@ -198,6 +198,7 @@
 			nodeVersion: string;
 			platform: string;
 			arch: string;
+			kernel: string;
 			memory: {
 				heapUsed: number;
 				heapTotal: number;
@@ -438,7 +439,7 @@
 							</div>
 						{/if}
 						{#if serverUptime !== null}
-							<div class="flex items-center gap-1">
+							<div class="flex items-center gap-1 min-w-[8.5rem]">
 								<Clock class="w-3 h-3 shrink-0" />
 								<span class="tabular-nums">Uptime {formatUptime(serverUptime)}</span>
 							</div>
@@ -558,10 +559,13 @@
 										</span>
 									{/if}
 									<span class="text-muted-foreground/50">|</span>
-									<span class="text-muted-foreground">Platform</span>
+									<Server class="w-3 h-3 text-muted-foreground" />
 									<span>{systemInfo.runtime.platform}/{systemInfo.runtime.arch}</span>
 									<span class="text-muted-foreground/50">|</span>
-									<span class="text-muted-foreground">Memory</span>
+									<Cpu class="w-3 h-3 text-muted-foreground" />
+									<span>{systemInfo.runtime.kernel}</span>
+									<span class="text-muted-foreground/50">|</span>
+									<MemoryStick class="w-3 h-3 text-muted-foreground" />
 									<span>{formatBytes(systemInfo.runtime.memory.rss)}</span>
 								</div>
 								{#if systemInfo.runtime.container.inContainer}
@@ -585,7 +589,7 @@
 						<!-- Database Info -->
 						<div class="space-y-1.5">
 							<div class="flex items-center gap-2 text-xs font-medium text-muted-foreground">
-								<HardDrive class="w-3.5 h-3.5" />
+								<Database class="w-3.5 h-3.5" />
 								Database
 							</div>
 							<div class="text-sm pl-5 space-y-1">
diff --git a/routes/settings/about/LicenseModal.svelte b/src/routes/settings/about/LicenseModal.svelte
similarity index 100%
rename from routes/settings/about/LicenseModal.svelte
rename to src/routes/settings/about/LicenseModal.svelte
diff --git a/routes/settings/about/PrivacyModal.svelte b/src/routes/settings/about/PrivacyModal.svelte
similarity index 100%
rename from routes/settings/about/PrivacyModal.svelte
rename to src/routes/settings/about/PrivacyModal.svelte
diff --git a/routes/settings/auth/AuthTab.svelte b/src/routes/settings/auth/AuthTab.svelte
similarity index 100%
rename from routes/settings/auth/AuthTab.svelte
rename to src/routes/settings/auth/AuthTab.svelte
diff --git a/routes/settings/auth/ldap/LdapModal.svelte b/src/routes/settings/auth/ldap/LdapModal.svelte
similarity index 100%
rename from routes/settings/auth/ldap/LdapModal.svelte
rename to src/routes/settings/auth/ldap/LdapModal.svelte
diff --git a/routes/settings/auth/ldap/LdapSubTab.svelte b/src/routes/settings/auth/ldap/LdapSubTab.svelte
similarity index 100%
rename from routes/settings/auth/ldap/LdapSubTab.svelte
rename to src/routes/settings/auth/ldap/LdapSubTab.svelte
diff --git a/routes/settings/auth/oidc/OidcModal.svelte b/src/routes/settings/auth/oidc/OidcModal.svelte
similarity index 100%
rename from routes/settings/auth/oidc/OidcModal.svelte
rename to src/routes/settings/auth/oidc/OidcModal.svelte
diff --git a/routes/settings/auth/oidc/SsoSubTab.svelte b/src/routes/settings/auth/oidc/SsoSubTab.svelte
similarity index 100%
rename from routes/settings/auth/oidc/SsoSubTab.svelte
rename to src/routes/settings/auth/oidc/SsoSubTab.svelte
diff --git a/routes/settings/auth/roles/RoleModal.svelte b/src/routes/settings/auth/roles/RoleModal.svelte
similarity index 100%
rename from routes/settings/auth/roles/RoleModal.svelte
rename to src/routes/settings/auth/roles/RoleModal.svelte
diff --git a/routes/settings/auth/roles/RolesSubTab.svelte b/src/routes/settings/auth/roles/RolesSubTab.svelte
similarity index 100%
rename from routes/settings/auth/roles/RolesSubTab.svelte
rename to src/routes/settings/auth/roles/RolesSubTab.svelte
diff --git a/routes/settings/auth/users/UserModal.svelte b/src/routes/settings/auth/users/UserModal.svelte
similarity index 99%
rename from routes/settings/auth/users/UserModal.svelte
rename to src/routes/settings/auth/users/UserModal.svelte
index 3868419..f8d96a4 100644
--- a/routes/settings/auth/users/UserModal.svelte
+++ b/src/routes/settings/auth/users/UserModal.svelte
@@ -235,7 +235,7 @@
 				toast.success('User created');
 			} else {
 				const data = await response.json();
-				formError = data.error || 'Failed to create user';
+				formError = data.details ? `${data.error}: ${data.details}` : (data.error || 'Failed to create user');
 				toast.error(formError);
 			}
 		} catch {
diff --git a/routes/settings/auth/users/UsersSubTab.svelte b/src/routes/settings/auth/users/UsersSubTab.svelte
similarity index 100%
rename from routes/settings/auth/users/UsersSubTab.svelte
rename to src/routes/settings/auth/users/UsersSubTab.svelte
diff --git a/routes/settings/config-sets/ConfigSetModal.svelte b/src/routes/settings/config-sets/ConfigSetModal.svelte
similarity index 100%
rename from routes/settings/config-sets/ConfigSetModal.svelte
rename to src/routes/settings/config-sets/ConfigSetModal.svelte
diff --git a/routes/settings/config-sets/ConfigSetsTab.svelte b/src/routes/settings/config-sets/ConfigSetsTab.svelte
similarity index 100%
rename from routes/settings/config-sets/ConfigSetsTab.svelte
rename to src/routes/settings/config-sets/ConfigSetsTab.svelte
diff --git a/routes/settings/environments/EnvironmentModal.svelte b/src/routes/settings/environments/EnvironmentModal.svelte
similarity index 98%
rename from routes/settings/environments/EnvironmentModal.svelte
rename to src/routes/settings/environments/EnvironmentModal.svelte
index b04f2f7..c0ccfd7 100644
--- a/routes/settings/environments/EnvironmentModal.svelte
+++ b/src/routes/settings/environments/EnvironmentModal.svelte
@@ -415,6 +415,10 @@
 			newLabelInput = '';
 			formPublicIp = environment.publicIp || '';
 			modalTab = 'general';
+			// Reset token state for this environment (important when switching between envs)
+			hawserToken = null;
+			generatedToken = null;
+			pendingToken = null;
 			// Load scanner settings, notifications, update check settings, and timezone
 			loadScannerSettings(environment.id);
 			loadEnvNotifications(environment.id);
@@ -825,6 +829,11 @@
 		}
 	}
 
+	// Reload only availability/versions without overwriting user's unsaved settings changes
+	async function reloadScannerAvailability(envId?: number) {
+		await loadScannerVersionsAsync(envId);
+	}
+
 	async function saveScannerSettings(envId?: number) {
 		try {
 			const response = await fetch('/api/settings/scanner', {
@@ -930,7 +939,8 @@
 		checkingGrypeUpdate = true;
 		grypeUpdateStatus = 'idle';
 		try {
-			const response = await fetch('/api/settings/scanner?checkUpdates=true');
+			const envParam = environment?.id ? `&env=${environment.id}` : '';
+			const response = await fetch(`/api/settings/scanner?checkUpdates=true${envParam}`);
 			const data = await response.json();
 			if (data.updates) {
 				grypeUpdateStatus = data.updates.grype?.hasUpdate ? 'update-available' : 'up-to-date';
@@ -947,7 +957,8 @@
 		checkingTrivyUpdate = true;
 		trivyUpdateStatus = 'idle';
 		try {
-			const response = await fetch('/api/settings/scanner?checkUpdates=true');
+			const envParam = environment?.id ? `&env=${environment.id}` : '';
+			const response = await fetch(`/api/settings/scanner?checkUpdates=true${envParam}`);
 			const data = await response.json();
 			if (data.updates) {
 				trivyUpdateStatus = data.updates.trivy?.hasUpdate ? 'update-available' : 'up-to-date';
@@ -1198,7 +1209,7 @@
 </script>
 
 <Dialog.Root bind:open onOpenChange={(o) => { if (o) focusFirstInput(); else onClose(); }}>
-	<Dialog.Content class="max-w-2xl min-h-[800px] max-h-[90vh] flex flex-col overflow-hidden">
+	<Dialog.Content class="max-w-2xl max-h-[90vh] flex flex-col overflow-hidden">
 		<Dialog.Header class="flex-shrink-0 border-b pb-4">
 			<Dialog.Title class="flex items-center gap-2">
 				{#if !isEditing}
@@ -1362,7 +1373,7 @@
 											<HelpCircle class="w-3.5 h-3.5" />
 										</button>
 									</Popover.Trigger>
-									<Popover.Content class="w-80 text-sm" side="right">
+									<Popover.Content class="w-80 text-sm z-[200]" side="right">
 										<div class="space-y-3">
 											<div class="flex items-start gap-2">
 												<Unplug class="w-4 h-4 mt-0.5 text-cyan-500 shrink-0" />
@@ -2112,7 +2123,7 @@
 											{/if}
 											{#if !loadingScannerVersions}
 												{#if !scannerAvailability.grype}
-													<ImagePullProgressPopover imageName="anchore/grype:latest" envId={environment?.id} onComplete={() => loadScannerSettings(environment?.id)}>
+													<ImagePullProgressPopover imageName="anchore/grype:latest" envId={environment?.id} onComplete={() => reloadScannerAvailability(environment?.id)}>
 														<button class="inline-flex items-center text-2xs px-1.5 py-0 h-4 rounded-full border bg-muted/50 hover:bg-muted text-muted-foreground hover:text-foreground transition-colors">
 															<Download class="w-2.5 h-2.5 mr-0.5" />
 															Pull
@@ -2189,7 +2200,7 @@
 											{/if}
 											{#if !loadingScannerVersions}
 												{#if !scannerAvailability.trivy}
-													<ImagePullProgressPopover imageName="aquasec/trivy:latest" envId={environment?.id} onComplete={() => loadScannerSettings(environment?.id)}>
+													<ImagePullProgressPopover imageName="aquasec/trivy:latest" envId={environment?.id} onComplete={() => reloadScannerAvailability(environment?.id)}>
 														<button class="inline-flex items-center text-2xs px-1.5 py-0 h-4 rounded-full border bg-muted/50 hover:bg-muted text-muted-foreground hover:text-foreground transition-colors">
 															<Download class="w-2.5 h-2.5 mr-0.5" />
 															Pull
diff --git a/routes/settings/environments/EnvironmentsTab.svelte b/src/routes/settings/environments/EnvironmentsTab.svelte
similarity index 100%
rename from routes/settings/environments/EnvironmentsTab.svelte
rename to src/routes/settings/environments/EnvironmentsTab.svelte
diff --git a/routes/settings/environments/EventTypesEditor.svelte b/src/routes/settings/environments/EventTypesEditor.svelte
similarity index 100%
rename from routes/settings/environments/EventTypesEditor.svelte
rename to src/routes/settings/environments/EventTypesEditor.svelte
diff --git a/routes/settings/general/GeneralTab.svelte b/src/routes/settings/general/GeneralTab.svelte
similarity index 75%
rename from routes/settings/general/GeneralTab.svelte
rename to src/routes/settings/general/GeneralTab.svelte
index 8a794e8..e1d8758 100644
--- a/routes/settings/general/GeneralTab.svelte
+++ b/src/routes/settings/general/GeneralTab.svelte
@@ -8,8 +8,8 @@
 	import { TogglePill, ToggleSwitch } from '$lib/components/ui/toggle-pill';
 	import CronEditor from '$lib/components/cron-editor.svelte';
 	import TimezoneSelector from '$lib/components/TimezoneSelector.svelte';
-	import { Eye, Bell, Database, Calendar, ShieldCheck, FileText, AlertTriangle, HelpCircle, Globe } from 'lucide-svelte';
-	import { appSettings, type DateFormat, type DownloadFormat } from '$lib/stores/settings';
+	import { Eye, Bell, Database, Calendar, ShieldCheck, FileText, AlertTriangle, HelpCircle, Globe, Activity, Clock } from 'lucide-svelte';
+	import { appSettings, type DateFormat, type DownloadFormat, type EventCollectionMode } from '$lib/stores/settings';
 	import { canAccess, authStore } from '$lib/stores/auth';
 	import { toast } from 'svelte-sonner';
 	import ThemeSelector from '$lib/components/ThemeSelector.svelte';
@@ -32,6 +32,9 @@
 	let eventCleanupEnabled = $derived($appSettings.eventCleanupEnabled);
 	let logBufferSizeKb = $derived($appSettings.logBufferSizeKb);
 	let defaultTimezone = $derived($appSettings.defaultTimezone);
+	let eventCollectionMode = $derived($appSettings.eventCollectionMode);
+	let eventPollInterval = $derived($appSettings.eventPollInterval);
+	let metricsCollectionInterval = $derived($appSettings.metricsCollectionInterval);
 
 	const dateFormatOptions: { value: DateFormat; label: string; example: string }[] = [
 		{ value: 'DD.MM.YYYY', label: 'DD.MM.YYYY', example: '31.12.2024' },
@@ -93,6 +96,27 @@
 		appSettings.setLogBufferSizeKb(value);
 		toast.success('Log buffer size updated');
 	}
+
+	function handleEventCollectionModeChange(value: string | undefined) {
+		if (value === 'stream' || value === 'poll') {
+			appSettings.setEventCollectionMode(value);
+			toast.success(`Event collection mode: ${value}`);
+		}
+	}
+
+	function handleEventPollIntervalChange(selected: { value: number } | undefined) {
+		if (selected?.value) {
+			appSettings.setEventPollInterval(selected.value);
+			toast.success(`Event poll interval: ${selected.value / 1000}s`);
+		}
+	}
+
+	function handleMetricsIntervalChange(selected: { value: number } | undefined) {
+		if (selected?.value) {
+			appSettings.setMetricsCollectionInterval(selected.value);
+			toast.success(`Metrics interval: ${selected.value / 1000}s`);
+		}
+	}
 </script>
 
 <div class="flex-1 min-h-0 overflow-y-auto">
@@ -362,7 +386,107 @@
 					</Card.Title>
 				</Card.Header>
 				<Card.Content class="space-y-4">
-					<div class="space-y-1">
+					<div class="space-y-3">
+						<div>
+							<div class="flex items-center gap-2">
+								<Label>Activity event collection mode</Label>
+								<Tooltip.Root>
+									<Tooltip.Trigger>
+										<HelpCircle class="w-3.5 h-3.5 text-muted-foreground" />
+									</Tooltip.Trigger>
+									<Tooltip.Content class="w-80">
+										<p class="text-xs">
+											<strong>Stream:</strong> Continuous event stream from Docker, instant notifications, higher CPU usage<br />
+											<strong>Poll:</strong> Periodic checks for new events, slight notification delay, lower CPU usage
+										</p>
+									</Tooltip.Content>
+								</Tooltip.Root>
+							</div>
+							<div class="flex items-center gap-4 mt-2">
+								<label class="flex items-center gap-2 cursor-pointer">
+									<input
+										type="radio"
+										name="eventCollectionMode"
+										value="stream"
+										checked={(eventCollectionMode || 'stream') === 'stream'}
+										onchange={() => handleEventCollectionModeChange('stream')}
+										disabled={!$canAccess('settings', 'edit')}
+										class="accent-primary w-4 h-4"
+									/>
+									<Activity class="w-3.5 h-3.5" />
+									<span class="text-sm">Stream</span>
+								</label>
+								<label class="flex items-center gap-2 cursor-pointer">
+									<input
+										type="radio"
+										name="eventCollectionMode"
+										value="poll"
+										checked={(eventCollectionMode || 'stream') === 'poll'}
+										onchange={() => handleEventCollectionModeChange('poll')}
+										disabled={!$canAccess('settings', 'edit')}
+										class="accent-primary w-4 h-4"
+									/>
+									<Clock class="w-3.5 h-3.5" />
+									<span class="text-sm">Poll</span>
+								</label>
+
+								<span class="text-xs text-muted-foreground {(eventCollectionMode || 'stream') === 'poll' ? '' : 'invisible'}">every</span>
+								<Select.Root
+									type="single"
+									value={String(eventPollInterval || 60000)}
+									onValueChange={(v) => v && handleEventPollIntervalChange({ value: parseInt(v) })}
+									disabled={!$canAccess('settings', 'edit') || (eventCollectionMode || 'stream') !== 'poll'}
+								>
+									<Select.Trigger class="w-24 h-8 {(eventCollectionMode || 'stream') === 'poll' ? '' : 'invisible'}">
+										{(eventPollInterval || 60000) === 30000 ? '30s' : (eventPollInterval || 60000) === 60000 ? '60s' : (eventPollInterval || 60000) === 120000 ? '120s' : '300s'}
+									</Select.Trigger>
+									<Select.Content>
+										<Select.Item value="30000">30s</Select.Item>
+										<Select.Item value="60000">60s</Select.Item>
+										<Select.Item value="120000">120s</Select.Item>
+										<Select.Item value="300000">300s</Select.Item>
+									</Select.Content>
+								</Select.Root>
+							</div>
+						</div>
+					</div>
+
+					<div class="space-y-1 pt-2 border-t">
+						<div class="flex items-center gap-2">
+							<Label for="metrics-interval">Metrics collection interval</Label>
+							<Tooltip.Root>
+								<Tooltip.Trigger>
+									<HelpCircle class="w-3.5 h-3.5 text-muted-foreground" />
+								</Tooltip.Trigger>
+								<Tooltip.Content class="w-80">
+									<p class="text-xs">
+										How often to collect CPU/memory metrics from running containers. Lower intervals
+										provide more frequent updates but increase CPU usage.
+									</p>
+								</Tooltip.Content>
+							</Tooltip.Root>
+						</div>
+						<div class="flex items-center gap-2 mt-2">
+							<Select.Root
+								type="single"
+								value={String(metricsCollectionInterval || 30000)}
+								onValueChange={(v) => v && handleMetricsIntervalChange({ value: parseInt(v) })}
+								disabled={!$canAccess('settings', 'edit')}
+							>
+								<Select.Trigger class="w-24 h-8">
+									{(metricsCollectionInterval || 30000) === 10000 ? '10s' : (metricsCollectionInterval || 30000) === 30000 ? '30s' : (metricsCollectionInterval || 30000) === 60000 ? '60s' : '120s'}
+								</Select.Trigger>
+								<Select.Content>
+									<Select.Item value="10000">10s</Select.Item>
+									<Select.Item value="30000">30s</Select.Item>
+									<Select.Item value="60000">60s</Select.Item>
+									<Select.Item value="120000">120s</Select.Item>
+								</Select.Content>
+							</Select.Root>
+						</div>
+					</div>
+
+					<div class="space-y-1 pt-2 border-t">
 						<div class="flex items-center gap-3">
 							<Label for="schedule-retention">Schedule execution cleanup</Label>
 							<TogglePill
diff --git a/src/routes/settings/general/ScanResultsModal.svelte b/src/routes/settings/general/ScanResultsModal.svelte
new file mode 100644
index 0000000..52bcad0
--- /dev/null
+++ b/src/routes/settings/general/ScanResultsModal.svelte
@@ -0,0 +1,601 @@
+<script lang="ts">
+	import * as Dialog from '$lib/components/ui/dialog';
+	import * as Select from '$lib/components/ui/select';
+	import { Button } from '$lib/components/ui/button';
+	import { Badge } from '$lib/components/ui/badge';
+	import { Checkbox } from '$lib/components/ui/checkbox';
+	import { Label } from '$lib/components/ui/label';
+	import { Search, FolderOpen, CheckCircle2, SkipForward, AlertCircle, FileText, Import, Loader2, Play, HelpCircle } from 'lucide-svelte';
+	import * as Tooltip from '$lib/components/ui/tooltip';
+	import { toast } from 'svelte-sonner';
+	import { onMount } from 'svelte';
+	import { getIconComponent } from '$lib/utils/icons';
+
+	interface RunningStackInfo {
+		envId: number;
+		envName: string;
+		containerCount: number;
+	}
+
+	interface DiscoveredStack {
+		name: string;
+		composePath: string;
+		envPath: string | null;
+		sourceDir?: string;
+		runningOn?: RunningStackInfo[];
+	}
+
+	interface AdoptedStack {
+		name: string;
+		envId: number;
+	}
+
+	interface ScanResult {
+		adopted: string[];
+		skipped: DiscoveredStack[];
+		errors: { path: string; error: string }[];
+		discovered: DiscoveredStack[];
+	}
+
+	interface Environment {
+		id: number;
+		name: string;
+		icon: string;
+	}
+
+	interface Props {
+		open: boolean;
+		result: ScanResult | null;
+		scannedPaths: string[];
+		onclose: () => void;
+		onAdopted?: () => void; // Callback when stacks are adopted
+	}
+
+	let { open = $bindable(), result, scannedPaths, onclose, onAdopted }: Props = $props();
+
+	// Selection state - maps composePath to environmentId
+	let stackSelections = $state<Map<string, number>>(new Map());
+	let adopting = $state(false);
+
+	// Track adopted stacks with their environment (for display)
+	let adoptedStacks = $state<AdoptedStack[]>([]);
+
+	// Environment state
+	let environments = $state<Environment[]>([]);
+	let defaultEnvId = $state<number | null>(null);
+	let loadingEnvs = $state(true);
+
+	// Load environments on mount
+	onMount(async () => {
+		try {
+			const response = await fetch('/api/environments');
+			if (response.ok) {
+				environments = await response.json();
+				// Default to first environment
+				if (environments.length > 0) {
+					defaultEnvId = environments[0].id;
+				}
+			}
+		} catch (err) {
+			console.error('Failed to load environments:', err);
+		} finally {
+			loadingEnvs = false;
+		}
+	});
+
+	// Track if we've initialized selections for this modal session
+	let hasInitialized = $state(false);
+
+	// Reset selection when modal opens with new results (only on initial open)
+	$effect(() => {
+		if (open && result && defaultEnvId !== null && !hasInitialized) {
+			// Pre-select all discovered stacks
+			// Auto-select the environment where stack is already running, otherwise use default
+			const newSelections = new Map<string, number>();
+			for (const stack of result.discovered) {
+				const runningEnvId = stack.runningOn?.[0]?.envId;
+				newSelections.set(stack.composePath, runningEnvId ?? defaultEnvId);
+			}
+			stackSelections = newSelections;
+			hasInitialized = true;
+		}
+		// Reset tracker when modal closes
+		if (!open) {
+			hasInitialized = false;
+			adoptedStacks = [];
+		}
+	});
+
+	const selectedCount = $derived(stackSelections.size);
+
+	const allSelected = $derived(
+		result?.discovered.length > 0 &&
+		stackSelections.size === result.discovered.length
+	);
+
+	const someSelected = $derived(
+		stackSelections.size > 0 &&
+		result?.discovered.length > 0 &&
+		stackSelections.size < result.discovered.length
+	);
+
+	const defaultEnv = $derived(environments.find(e => e.id === defaultEnvId));
+	const defaultEnvName = $derived(defaultEnv?.name || 'Select environment');
+	const DefaultEnvIcon = $derived(defaultEnv ? getIconComponent(defaultEnv.icon || 'globe') : null);
+
+	function isSelected(composePath: string): boolean {
+		return stackSelections.has(composePath);
+	}
+
+	function getStackEnvId(composePath: string): number | null {
+		return stackSelections.get(composePath) ?? null;
+	}
+
+	function getStackEnv(composePath: string): Environment | null {
+		const envId = stackSelections.get(composePath);
+		return envId ? environments.find(e => e.id === envId) ?? null : null;
+	}
+
+	function toggleStack(composePath: string) {
+		const newMap = new Map(stackSelections);
+		if (newMap.has(composePath)) {
+			newMap.delete(composePath);
+		} else if (defaultEnvId !== null) {
+			newMap.set(composePath, defaultEnvId);
+		}
+		stackSelections = newMap;
+	}
+
+	function setStackEnv(composePath: string, envId: number) {
+		const newMap = new Map(stackSelections);
+		newMap.set(composePath, envId);
+		stackSelections = newMap;
+	}
+
+	function toggleAll() {
+		if (!result || defaultEnvId === null) return;
+
+		if (allSelected) {
+			stackSelections = new Map();
+		} else {
+			const newSelections = new Map<string, number>();
+			for (const stack of result.discovered) {
+				// Preserve existing env selection or use default
+				const existingEnv = stackSelections.get(stack.composePath);
+				newSelections.set(stack.composePath, existingEnv ?? defaultEnvId);
+			}
+			stackSelections = newSelections;
+		}
+	}
+
+	function applyDefaultEnvToAll() {
+		if (!result || defaultEnvId === null) return;
+		const newMap = new Map<string, number>();
+		for (const [path] of stackSelections) {
+			newMap.set(path, defaultEnvId);
+		}
+		stackSelections = newMap;
+	}
+
+	async function handleAdopt() {
+		if (!result || stackSelections.size === 0) return;
+
+		// Group stacks by environment
+		const stacksByEnv = new Map<number, DiscoveredStack[]>();
+		for (const [composePath, envId] of stackSelections) {
+			const stack = result.discovered.find(d => d.composePath === composePath);
+			if (stack) {
+				if (!stacksByEnv.has(envId)) {
+					stacksByEnv.set(envId, []);
+				}
+				stacksByEnv.get(envId)!.push(stack);
+			}
+		}
+
+		adopting = true;
+		let totalAdopted: AdoptedStack[] = [];
+		let totalFailed: { name: string; error: string }[] = [];
+
+		try {
+			// Adopt each group to its environment
+			for (const [envId, stacks] of stacksByEnv) {
+				const response = await fetch('/api/stacks/adopt', {
+					method: 'POST',
+					headers: { 'Content-Type': 'application/json' },
+					body: JSON.stringify({
+						stacks,
+						environmentId: envId
+					})
+				});
+
+				const data = await response.json();
+
+				if (!response.ok) {
+					// Add all stacks in this batch as failed
+					for (const stack of stacks) {
+						totalFailed.push({ name: stack.name, error: data.error || 'Failed to adopt' });
+					}
+				} else {
+					// Track adopted stacks with their environment
+					for (const name of (data.adopted || [])) {
+						totalAdopted.push({ name, envId });
+					}
+					totalFailed.push(...(data.failed || []));
+				}
+			}
+
+			if (totalAdopted.length > 0) {
+				toast.success(`Adopted ${totalAdopted.length} stack(s)`);
+			}
+			if (totalFailed.length > 0) {
+				toast.error(`Failed to adopt ${totalFailed.length} stack(s)`);
+			}
+
+			// Update the result to reflect adopted stacks
+			const adoptedNames = new Set(totalAdopted.map(s => s.name));
+			const adoptedPaths = new Set(
+				result.discovered
+					.filter(d => stackSelections.has(d.composePath) && adoptedNames.has(d.name))
+					.map(d => d.composePath)
+			);
+
+			// Add to local adopted stacks list (with env info)
+			adoptedStacks = [...adoptedStacks, ...totalAdopted];
+
+			result = {
+				...result,
+				adopted: [...result.adopted, ...totalAdopted.map(s => s.name)],
+				discovered: result.discovered.filter(d => !adoptedPaths.has(d.composePath))
+			};
+
+			// Clear selections for adopted stacks
+			const newSelections = new Map(stackSelections);
+			for (const path of adoptedPaths) {
+				newSelections.delete(path);
+			}
+			stackSelections = newSelections;
+
+			// Notify parent of adoption
+			onAdopted?.();
+
+		} catch (err) {
+			toast.error('Failed to adopt stacks');
+		} finally {
+			adopting = false;
+		}
+	}
+</script>
+
+<Dialog.Root bind:open onOpenChange={(isOpen) => !isOpen && onclose()}>
+	<Dialog.Content class="max-w-4xl max-h-[80vh] overflow-hidden flex flex-col">
+		<Dialog.Header>
+			<Dialog.Title class="flex items-center gap-2">
+				<Search class="w-5 h-5" />
+				External stack scan results
+			</Dialog.Title>
+			<Dialog.Description>
+				Scanned {scannedPaths.length} configured path{scannedPaths.length !== 1 ? 's' : ''} for Docker Compose files
+			</Dialog.Description>
+		</Dialog.Header>
+
+		{#if result}
+			<!-- Sticky header with summary and environment selector -->
+			<div class="space-y-3 py-2 border-b bg-background">
+				<!-- Summary -->
+				<div class="flex items-center gap-4 p-3 rounded-lg bg-muted/50">
+					<div class="flex items-center gap-2">
+						<FolderOpen class="w-4 h-4 text-muted-foreground" />
+						<span class="text-sm font-medium">{result.discovered.length + result.skipped.length + adoptedStacks.length} found</span>
+					</div>
+					{#if result.discovered.length > 0}
+						<div class="flex items-center gap-1.5 text-blue-600 dark:text-blue-500">
+							<Import class="w-4 h-4" />
+							<span class="text-sm">{result.discovered.length} new</span>
+						</div>
+					{/if}
+					{#if adoptedStacks.length > 0}
+						<div class="flex items-center gap-1.5 text-green-600 dark:text-green-500">
+							<CheckCircle2 class="w-4 h-4" />
+							<span class="text-sm">{adoptedStacks.length} adopted</span>
+						</div>
+					{/if}
+					{#if result.skipped.length > 0}
+						<div class="flex items-center gap-1.5 text-muted-foreground">
+							<SkipForward class="w-4 h-4" />
+							<span class="text-sm">{result.skipped.length} already adopted</span>
+						</div>
+					{/if}
+					{#if result.errors.length > 0}
+						<div class="flex items-center gap-1.5 text-destructive">
+							<AlertCircle class="w-4 h-4" />
+							<span class="text-sm">{result.errors.length} errors</span>
+						</div>
+					{/if}
+				</div>
+
+				<!-- Default environment selector (apply to all) - only show when multiple environments -->
+				{#if result.discovered.length > 0}
+					{#if loadingEnvs}
+						<div class="flex items-center gap-3 p-3 rounded-lg border bg-muted/30">
+							<Label class="text-sm font-medium shrink-0">Adopt to:</Label>
+							<div class="flex items-center gap-2 text-muted-foreground">
+								<Loader2 class="w-4 h-4 animate-spin" />
+								<span class="text-sm">Loading...</span>
+							</div>
+						</div>
+					{:else if environments.length === 0}
+						<div class="flex items-center gap-3 p-3 rounded-lg border bg-muted/30">
+							<p class="text-sm text-destructive">No environments configured</p>
+						</div>
+					{:else if environments.length > 1}
+						<div class="flex items-center gap-3 p-3 rounded-lg border bg-muted/30">
+							<Label class="text-sm font-medium shrink-0">Adopt to:</Label>
+							<Select.Root
+								type="single"
+								value={defaultEnvId?.toString()}
+								onValueChange={(v) => {
+									defaultEnvId = v ? parseInt(v) : null;
+								}}
+							>
+								<Select.Trigger class="w-[220px]">
+									{#if DefaultEnvIcon}
+										<DefaultEnvIcon class="w-4 h-4 mr-2 shrink-0" />
+									{/if}
+									<span class="truncate">{defaultEnvName}</span>
+								</Select.Trigger>
+								<Select.Content>
+									{#each environments as env}
+										{@const EnvIcon = getIconComponent(env.icon || 'globe')}
+										<Select.Item value={env.id.toString()}>
+											<div class="flex items-center gap-2">
+												<EnvIcon class="w-4 h-4 shrink-0" />
+												<span>{env.name}</span>
+											</div>
+										</Select.Item>
+									{/each}
+								</Select.Content>
+							</Select.Root>
+							<Button variant="outline" size="sm" onclick={applyDefaultEnvToAll} disabled={stackSelections.size === 0}>
+								Apply to all
+							</Button>
+						</div>
+					{/if}
+				{/if}
+			</div>
+
+			<!-- Scrollable content -->
+			<div class="flex-1 overflow-y-auto space-y-4 py-2">
+				<!-- Discovered stacks (available for import) -->
+				{#if result.discovered.length > 0}
+					<div class="space-y-2">
+						<div class="flex items-center justify-between">
+							<h4 class="text-sm font-medium flex items-center gap-2 text-blue-600 dark:text-blue-500">
+								<Import class="w-4 h-4" />
+								Available for adoption
+							</h4>
+							<button
+								type="button"
+								class="flex items-center gap-2 text-xs text-muted-foreground hover:text-foreground transition-colors"
+								onclick={toggleAll}
+							>
+								<Checkbox checked={allSelected} indeterminate={someSelected} />
+								<span>{allSelected ? 'Deselect all' : 'Select all'}</span>
+							</button>
+						</div>
+						<div class="space-y-1.5">
+							{#each result.discovered as stack}
+								{@const stackEnvId = getStackEnvId(stack.composePath)}
+								{@const stackEnv = stackEnvId ? environments.find(e => e.id === stackEnvId) : null}
+								<div
+									class="flex items-start gap-3 p-2 rounded-md border transition-colors
+										{isSelected(stack.composePath)
+											? 'bg-blue-500/10 border-blue-500/30'
+											: 'bg-muted/30 border-transparent hover:bg-muted/50'}"
+								>
+									<button
+										type="button"
+										class="pt-0.5 shrink-0"
+										onclick={() => toggleStack(stack.composePath)}
+									>
+										<Checkbox checked={isSelected(stack.composePath)} />
+									</button>
+									<button
+										type="button"
+										class="flex-1 min-w-0 text-left"
+										onclick={() => toggleStack(stack.composePath)}
+									>
+										<div class="flex items-center gap-2 flex-wrap">
+											<p class="text-sm font-medium">{stack.name}</p>
+											{#if stack.runningOn && stack.runningOn.length > 0}
+												<Badge variant="outline" class="text-xs text-green-600 dark:text-green-500 border-green-300 dark:border-green-600 gap-1">
+													<Play class="w-3 h-3" />
+													Running on {stack.runningOn.map(r => r.envName).join(', ')}
+													<Tooltip.Root>
+														<Tooltip.Trigger>
+															<HelpCircle class="w-3 h-3 opacity-60" />
+														</Tooltip.Trigger>
+														<Tooltip.Content class="max-w-sm">
+															<p class="text-xs">This stack is already running (detected via Docker's <code class="bg-muted px-1 rounded">com.docker.compose.project</code> label). Adopting will allow you to manage it through Dockhand.</p>
+														</Tooltip.Content>
+													</Tooltip.Root>
+												</Badge>
+											{/if}
+										</div>
+										<code class="text-xs text-muted-foreground block truncate" title={stack.composePath}>{stack.composePath}</code>
+										{#if stack.envPath}
+											<p class="text-xs text-muted-foreground flex items-center gap-1 mt-0.5">
+												<FileText class="w-3 h-3" />
+												.env file detected
+											</p>
+										{/if}
+									</button>
+									<!-- Per-stack environment selector - only show when multiple environments -->
+									{#if isSelected(stack.composePath) && environments.length > 1}
+										<div class="shrink-0 flex items-center gap-2" onclick={(e) => e.stopPropagation()}>
+											<!-- Note if importing to different environment than running -->
+											{#if stack.runningOn && stack.runningOn.length > 0 && !stack.runningOn.some(r => r.envId === stackEnvId)}
+												<Badge variant="outline" class="text-xs text-amber-600 dark:text-amber-500 border-amber-300 dark:border-amber-600 gap-1">
+													Running elsewhere
+													<Tooltip.Root>
+														<Tooltip.Trigger>
+															<HelpCircle class="w-3 h-3 opacity-60" />
+														</Tooltip.Trigger>
+														<Tooltip.Content class="max-w-sm">
+															<p class="text-xs">This stack is running on a different environment ({stack.runningOn?.map(r => r.envName).join(', ')}). You can still adopt it here, but it won't affect the running containers.</p>
+														</Tooltip.Content>
+													</Tooltip.Root>
+												</Badge>
+											{/if}
+											<Select.Root
+												type="single"
+												value={stackEnvId?.toString() || ''}
+												onValueChange={(v) => {
+													if (v) setStackEnv(stack.composePath, parseInt(v));
+												}}
+											>
+												<Select.Trigger class="h-8 w-[220px] text-xs">
+													{#if getStackEnv(stack.composePath)}
+														{@const StackIcon = getIconComponent(getStackEnv(stack.composePath)?.icon || 'globe')}
+														<StackIcon class="w-3.5 h-3.5 mr-1.5 shrink-0" />
+													{/if}
+													<span class="truncate">{getStackEnv(stack.composePath)?.name || 'Select'}</span>
+												</Select.Trigger>
+												<Select.Content>
+													{#each environments as env}
+														{@const EnvIcon = getIconComponent(env.icon || 'globe')}
+														<Select.Item value={env.id.toString()}>
+															<div class="flex items-center gap-2">
+																<EnvIcon class="w-3.5 h-3.5 shrink-0" />
+																<span>{env.name}</span>
+															</div>
+														</Select.Item>
+													{/each}
+												</Select.Content>
+											</Select.Root>
+										</div>
+									{/if}
+								</div>
+							{/each}
+						</div>
+					</div>
+				{/if}
+
+				<!-- Adopted stacks (just adopted in this session) -->
+				{#if adoptedStacks.length > 0}
+					<div class="space-y-2">
+						<h4 class="text-sm font-medium flex items-center gap-2 text-green-600 dark:text-green-500">
+							<CheckCircle2 class="w-4 h-4" />
+							Adopted stacks
+						</h4>
+						<div class="space-y-1.5">
+							{#each adoptedStacks as adopted}
+								{@const env = environments.find(e => e.id === adopted.envId)}
+								{@const EnvIcon = env ? getIconComponent(env.icon || 'globe') : null}
+								<div class="flex items-center gap-2 p-2 rounded-md bg-green-500/10 border border-green-500/20">
+									<CheckCircle2 class="w-4 h-4 text-green-600 dark:text-green-500 shrink-0" />
+									<p class="text-sm font-medium flex-1">{adopted.name}</p>
+									{#if env}
+										<div class="flex items-center gap-1.5 text-xs text-muted-foreground shrink-0">
+											{#if EnvIcon}
+												<EnvIcon class="w-3.5 h-3.5" />
+											{/if}
+											<span>{env.name}</span>
+										</div>
+									{/if}
+								</div>
+							{/each}
+						</div>
+					</div>
+				{/if}
+
+				<!-- Skipped stacks (already adopted) -->
+				{#if result.skipped.length > 0}
+					<div class="space-y-2">
+						<h4 class="text-sm font-medium flex items-center gap-2 text-muted-foreground">
+							<SkipForward class="w-4 h-4" />
+							Already adopted
+						</h4>
+						<div class="space-y-1.5">
+							{#each result.skipped as stack}
+								<div class="flex items-start gap-2 p-2 rounded-md bg-muted/50">
+									<SkipForward class="w-4 h-4 text-muted-foreground shrink-0 mt-0.5" />
+									<div class="flex-1 min-w-0">
+										<p class="text-sm font-medium">{stack.name}</p>
+										<code class="text-xs text-muted-foreground block truncate" title={stack.composePath}>{stack.composePath}</code>
+									</div>
+								</div>
+							{/each}
+						</div>
+					</div>
+				{/if}
+
+				<!-- Errors -->
+				{#if result.errors.length > 0}
+					<div class="space-y-2">
+						<h4 class="text-sm font-medium flex items-center gap-2 text-destructive">
+							<AlertCircle class="w-4 h-4" />
+							Errors
+						</h4>
+						<div class="space-y-1.5">
+							{#each result.errors as error}
+								<div class="flex items-start gap-2 p-2 rounded-md bg-destructive/10 border border-destructive/20">
+									<AlertCircle class="w-4 h-4 text-destructive shrink-0 mt-0.5" />
+									<div class="flex-1 min-w-0">
+										<code class="text-xs block truncate" title={error.path}>{error.path}</code>
+										<p class="text-xs text-destructive">{error.error}</p>
+									</div>
+								</div>
+							{/each}
+						</div>
+					</div>
+				{/if}
+
+				<!-- No results message -->
+				{#if result.discovered.length === 0 && result.skipped.length === 0 && result.adopted.length === 0 && result.errors.length === 0}
+					<div class="text-center py-8 text-muted-foreground">
+						<FolderOpen class="w-12 h-12 mx-auto mb-3 opacity-50" />
+						<p class="text-sm">No Docker Compose files found in the configured paths.</p>
+						<p class="text-xs mt-1">Make sure your paths contain docker-compose.yml, compose.yml, or similar files.</p>
+					</div>
+				{/if}
+
+				<!-- Scanned paths -->
+				<div class="space-y-2 pt-2 border-t">
+					<h4 class="text-xs font-medium text-muted-foreground uppercase tracking-wide">Scanned paths</h4>
+					<div class="space-y-1">
+						{#each scannedPaths as path}
+							<code class="text-xs text-muted-foreground block">{path}</code>
+						{/each}
+					</div>
+				</div>
+			</div>
+		{/if}
+
+		<Dialog.Footer class="flex items-center justify-between">
+			<div class="text-xs text-muted-foreground">
+				{#if selectedCount > 0}
+					{selectedCount} stack{selectedCount !== 1 ? 's' : ''} selected
+				{/if}
+			</div>
+			<div class="flex items-center gap-2">
+				<Button variant="outline" onclick={() => { open = false; onclose(); }}>Close</Button>
+				{#if result && result.discovered.length > 0}
+					<Button
+						onclick={handleAdopt}
+						disabled={selectedCount === 0 || adopting}
+					>
+						{#if adopting}
+							<Loader2 class="w-4 h-4 mr-2 animate-spin" />
+							Adopting...
+						{:else}
+							<Import class="w-4 h-4 mr-2" />
+							Adopt selected
+						{/if}
+					</Button>
+				{:else if adoptedStacks.length > 0}
+					<Button href="/stacks">View stacks</Button>
+				{/if}
+			</div>
+		</Dialog.Footer>
+	</Dialog.Content>
+</Dialog.Root>
diff --git a/routes/settings/git/GitCredentialModal.svelte b/src/routes/settings/git/GitCredentialModal.svelte
similarity index 100%
rename from routes/settings/git/GitCredentialModal.svelte
rename to src/routes/settings/git/GitCredentialModal.svelte
diff --git a/routes/settings/git/GitCredentialsTab.svelte b/src/routes/settings/git/GitCredentialsTab.svelte
similarity index 100%
rename from routes/settings/git/GitCredentialsTab.svelte
rename to src/routes/settings/git/GitCredentialsTab.svelte
diff --git a/routes/settings/git/GitRepositoriesTab.svelte b/src/routes/settings/git/GitRepositoriesTab.svelte
similarity index 100%
rename from routes/settings/git/GitRepositoriesTab.svelte
rename to src/routes/settings/git/GitRepositoriesTab.svelte
diff --git a/routes/settings/git/GitRepositoryModal.svelte b/src/routes/settings/git/GitRepositoryModal.svelte
similarity index 100%
rename from routes/settings/git/GitRepositoryModal.svelte
rename to src/routes/settings/git/GitRepositoryModal.svelte
diff --git a/routes/settings/git/GitTab.svelte b/src/routes/settings/git/GitTab.svelte
similarity index 100%
rename from routes/settings/git/GitTab.svelte
rename to src/routes/settings/git/GitTab.svelte
diff --git a/routes/settings/license/LicenseTab.svelte b/src/routes/settings/license/LicenseTab.svelte
similarity index 100%
rename from routes/settings/license/LicenseTab.svelte
rename to src/routes/settings/license/LicenseTab.svelte
diff --git a/routes/settings/notifications/NotificationModal.svelte b/src/routes/settings/notifications/NotificationModal.svelte
similarity index 91%
rename from routes/settings/notifications/NotificationModal.svelte
rename to src/routes/settings/notifications/NotificationModal.svelte
index a619064..b6ece14 100644
--- a/routes/settings/notifications/NotificationModal.svelte
+++ b/src/routes/settings/notifications/NotificationModal.svelte
@@ -7,7 +7,8 @@
 	import { Badge } from '$lib/components/ui/badge';
 	import { TogglePill } from '$lib/components/ui/toggle-pill';
 	import { Checkbox } from '$lib/components/ui/checkbox';
-	import { Plus, Check, RefreshCw, Mail, Zap, Info, Send, CheckCircle2, XCircle, Key, ChevronDown } from 'lucide-svelte';
+	import { Plus, Check, RefreshCw, Mail, Zap, Info, Send, CheckCircle2, XCircle, Key, ChevronDown, HelpCircle } from 'lucide-svelte';
+	import * as Tooltip from '$lib/components/ui/tooltip';
 	import { toast } from 'svelte-sonner';
 	import { focusFirstInput } from '$lib/utils';
 
@@ -45,6 +46,7 @@
 	let formSmtpHost = $state('');
 	let formSmtpPort = $state(587);
 	let formSmtpSecure = $state(false);
+	let formSmtpSkipTlsVerify = $state(false);
 	let formSmtpUsername = $state('');
 	let formSmtpPassword = $state('');
 	let formSmtpFromEmail = $state('');
@@ -68,6 +70,7 @@
 		formSmtpHost = '';
 		formSmtpPort = 587;
 		formSmtpSecure = false;
+		formSmtpSkipTlsVerify = false;
 		formSmtpUsername = '';
 		formSmtpPassword = '';
 		formSmtpFromEmail = '';
@@ -98,6 +101,7 @@
 					formSmtpHost = notification.config.host || '';
 					formSmtpPort = notification.config.port || 587;
 					formSmtpSecure = notification.config.secure || false;
+					formSmtpSkipTlsVerify = notification.config.skipTlsVerify || false;
 					formSmtpUsername = notification.config.username || '';
 					formSmtpPassword = '';
 					formSmtpFromEmail = notification.config.from_email || '';
@@ -133,6 +137,7 @@
 				host: formSmtpHost.trim(),
 				port: formSmtpPort,
 				secure: formSmtpSecure,
+				skipTlsVerify: formSmtpSkipTlsVerify || undefined,
 				username: formSmtpUsername.trim() || undefined,
 				password: formSmtpPassword || undefined,
 				from_email: formSmtpFromEmail.trim(),
@@ -339,7 +344,20 @@
 
 			{#if formType === 'smtp'}
 				<div class="space-y-4 border-t pt-4 min-h-[380px]">
-					<p class="text-xs font-semibold uppercase tracking-wider text-muted-foreground">SMTP configuration</p>
+					<div class="flex items-center gap-2">
+						<p class="text-xs font-semibold uppercase tracking-wider text-muted-foreground">SMTP configuration</p>
+						<Tooltip.Root>
+							<Tooltip.Trigger>
+								<HelpCircle class="w-3.5 h-3.5 text-muted-foreground hover:text-foreground cursor-help" />
+							</Tooltip.Trigger>
+							<Tooltip.Portal>
+								<Tooltip.Content side="right" class="w-80">
+									<p class="text-xs"><span class="font-semibold">Gmail:</span> smtp.gmail.com, port 587, TLS/SSL off. Use an App Password.</p>
+									<p class="text-xs mt-1"><span class="font-semibold">Outlook:</span> smtp.office365.com, port 587, TLS/SSL off.</p>
+								</Tooltip.Content>
+							</Tooltip.Portal>
+						</Tooltip.Root>
+					</div>
 					<div class="grid grid-cols-3 gap-4">
 						<div class="space-y-2 col-span-2">
 							<Label for="notif-smtp-host">SMTP host *</Label>
@@ -350,9 +368,15 @@
 							<Input id="notif-smtp-port" type="number" bind:value={formSmtpPort} />
 						</div>
 					</div>
-					<div class="flex items-center gap-2">
-						<Label>TLS/SSL</Label>
-						<TogglePill bind:checked={formSmtpSecure} onLabel="Yes" offLabel="No" />
+					<div class="flex items-center gap-4">
+						<div class="flex items-center gap-2">
+							<Label>TLS/SSL</Label>
+							<TogglePill bind:checked={formSmtpSecure} onLabel="Yes" offLabel="No" />
+						</div>
+						<div class="flex items-center gap-2">
+							<Label class="text-muted-foreground">Skip TLS verify</Label>
+							<TogglePill bind:checked={formSmtpSkipTlsVerify} onLabel="Yes" offLabel="No" />
+						</div>
 					</div>
 					<div class="grid grid-cols-2 gap-4">
 						<div class="space-y-2">
diff --git a/routes/settings/notifications/NotificationsTab.svelte b/src/routes/settings/notifications/NotificationsTab.svelte
similarity index 100%
rename from routes/settings/notifications/NotificationsTab.svelte
rename to src/routes/settings/notifications/NotificationsTab.svelte
diff --git a/routes/settings/registries/RegistriesTab.svelte b/src/routes/settings/registries/RegistriesTab.svelte
similarity index 100%
rename from routes/settings/registries/RegistriesTab.svelte
rename to src/routes/settings/registries/RegistriesTab.svelte
diff --git a/routes/settings/registries/RegistryModal.svelte b/src/routes/settings/registries/RegistryModal.svelte
similarity index 100%
rename from routes/settings/registries/RegistryModal.svelte
rename to src/routes/settings/registries/RegistryModal.svelte
diff --git a/routes/stacks/+page.svelte b/src/routes/stacks/+page.svelte
similarity index 89%
rename from routes/stacks/+page.svelte
rename to src/routes/stacks/+page.svelte
index d2b939d..8afe99b 100644
--- a/routes/stacks/+page.svelte
+++ b/src/routes/stacks/+page.svelte
@@ -1,18 +1,20 @@
 <script lang="ts">
 	import { onMount, onDestroy } from 'svelte';
 	import { goto } from '$app/navigation';
+	import { page } from '$app/stores';
 	import { toast } from 'svelte-sonner';
 	import { Badge } from '$lib/components/ui/badge';
 	import { Button } from '$lib/components/ui/button';
 	import { Input } from '$lib/components/ui/input';
 	import * as Tooltip from '$lib/components/ui/tooltip';
 	import MultiSelectFilter from '$lib/components/MultiSelectFilter.svelte';
-	import { Play, Square, Trash2, Plus, ArrowBigDown, Search, Pencil, GitBranch, RefreshCw, Loader2, FileCode, Box, RotateCcw, ScrollText, Terminal, Eye, Network, HardDrive, Heart, HeartPulse, HeartOff, ChevronsUpDown, ChevronsDownUp, ExternalLink, Rocket, AlertTriangle, X, Layers, Pause, CircleDashed, Skull, FolderOpen, Variable, Clock, RotateCw } from 'lucide-svelte';
+	import { Play, Square, Trash2, Plus, ArrowBigDown, Search, Pencil, ExternalLink, GitBranch, RefreshCw, Loader2, FileCode, Box, RotateCcw, ScrollText, Terminal, Eye, Network, HardDrive, Heart, HeartPulse, HeartOff, ChevronsUpDown, ChevronsDownUp, Rocket, AlertTriangle, X, Layers, Pause, CircleDashed, Skull, FolderOpen, Variable, Clock, RotateCw, Import } from 'lucide-svelte';
 	import ConfirmPopover from '$lib/components/ConfirmPopover.svelte';
 	import BatchOperationModal from '$lib/components/BatchOperationModal.svelte';
 	import type { ComposeStackInfo, ContainerStats } from '$lib/types';
 	import StackModal from './StackModal.svelte';
 	import GitStackModal from './GitStackModal.svelte';
+	import ImportStackModal from './ImportStackModal.svelte';
 	import GitDeployProgressPopover from './GitDeployProgressPopover.svelte';
 	import ContainerInspectModal from '../containers/ContainerInspectModal.svelte';
 	import FileBrowserModal from '../containers/FileBrowserModal.svelte';
@@ -23,12 +25,13 @@
 	import PageHeader from '$lib/components/PageHeader.svelte';
 	import { DataGrid } from '$lib/components/data-grid';
 	import type { DataGridSortState } from '$lib/components/data-grid/types';
+	import { ErrorDialog } from '$lib/components/ui/error-dialog';
 
 	type SortField = 'name' | 'containers' | 'status' | 'cpu' | 'memory';
 	type SortDirection = 'asc' | 'desc';
 
 	let stacks = $state<ComposeStackInfo[]>([]);
-	let stackSources = $state<Record<string, { sourceType: string; repository?: any; gitStack?: any }>>({});
+	let stackSources = $state<Record<string, { sourceType: string; composePath?: string | null; repository?: any; gitStack?: any }>>({});
 	let stackEnvVarCounts = $state<Record<string, number>>({});
 	let gitStacks = $state<any[]>([]);
 	let gitRepositories = $state<any[]>([]);
@@ -41,6 +44,7 @@
 	let showCreateModal = $state(false);
 	let showEditModal = $state(false);
 	let showGitModal = $state(false);
+	let showImportModal = $state(false);
 	let editingStackName = $state('');
 	let editingGitStack = $state<any>(null);
 	let envId = $state<number | null>(null);
@@ -280,14 +284,13 @@
 	let confirmPauseContainerId = $state<string | null>(null);
 
 	// Operation error state (for stack and container operations)
-	let operationError = $state<{ id: string; message: string } | null>(null);
-	let errorTimeouts: ReturnType<typeof setTimeout>[] = [];
+	let operationError = $state<{ id: string; title: string; message: string } | null>(null);
 
-	function clearErrorAfterDelay(id: string) {
-		const timeoutId = setTimeout(() => {
-			if (operationError?.id === id) operationError = null;
-		}, 5000);
-		errorTimeouts.push(timeoutId);
+	// Error dialog state (for showing detailed errors)
+	let errorDialogData = $state<{ title: string; message: string } | null>(null);
+
+	function showErrorDialog(title: string, message: string) {
+		errorDialogData = { title, message };
 	}
 
 	// Container inspect modal state
@@ -552,9 +555,19 @@
 				return;
 			}
 
-			const dockerStacks = await stacksRes.json();
-			const sourcesData = await sourcesRes.json();
-			const gitStacksData = await gitStacksRes.json();
+			// Safe JSON parsing - handle potential non-JSON responses
+			const safeJson = async (res: Response, fallback: any) => {
+				try {
+					return await res.json();
+				} catch {
+					console.warn(`[Stacks] Failed to parse response from ${res.url}`);
+					return fallback;
+				}
+			};
+
+			const dockerStacks = await safeJson(stacksRes, []);
+			const sourcesData = await safeJson(sourcesRes, {});
+			const gitStacksData = await safeJson(gitStacksRes, []);
 
 			// Debug logging
 			if (gitStacksData?.error) {
@@ -565,37 +578,24 @@
 			stackSources = sourcesData && !sourcesData.error ? sourcesData : {};
 			gitStacks = Array.isArray(gitStacksData) ? gitStacksData : [];
 
-			// Create a set of docker stack names for quick lookup
-			const dockerStackNames = new Set(dockerStacks.map((s: ComposeStackInfo) => s.name));
-
-			// Add undeployed git stacks as placeholder entries
-			const undeployedGitStacks: ComposeStackInfo[] = gitStacks
-				.filter((gs: any) => !dockerStackNames.has(gs.stackName))
-				.map((gs: any) => ({
-					name: gs.stackName,
-					status: 'not deployed',
-					containers: [],
-					containerDetails: [],
-					configFile: gs.composePath,
-					workingDir: ''
-				}));
-
-			// Add gitStack to all git-based stacks (both deployed and undeployed)
+			// Add gitStack details to all git-based stacks
+			// Note: The API already includes undeployed stacks from the database,
+			// so we just need to attach the gitStack object for additional metadata
 			for (const gs of gitStacks) {
 				if (!stackSources[gs.stackName]) {
-					// Undeployed git stack - create new source entry
+					// Git stack not in sources yet - create source entry
 					stackSources[gs.stackName] = {
 						sourceType: 'git',
 						repository: gs.repository,
 						gitStack: gs
 					};
 				} else if (stackSources[gs.stackName].sourceType === 'git') {
-					// Deployed git stack - add gitStack to existing source
+					// Git stack already in sources - add gitStack object
 					stackSources[gs.stackName].gitStack = gs;
 				}
 			}
 
-			stacks = [...dockerStacks, ...undeployedGitStacks];
+			stacks = dockerStacks;
 
 			// Fetch env var counts for internal and git stacks (in background, don't block UI)
 			const allStackNames = stacks.map(s => s.name);
@@ -671,18 +671,16 @@
 			const response = await fetch(appendEnvParam(`/api/stacks/${encodeURIComponent(name)}/start`, envId), { method: 'POST' });
 			if (!response.ok) {
 				const data = await response.json();
-				operationError = { id: name, message: data.error || 'Failed to start stack' };
-				toast.error(`Failed to start ${name}`);
-				clearErrorAfterDelay(name);
+				const errorMsg = data.error || 'Failed to start stack';
+				showErrorDialog(`Failed to start ${name}`, errorMsg);
 				return;
 			}
 			toast.success(`Started ${name}`);
 			await fetchStacks();
 		} catch (error) {
 			console.error('Failed to start stack:', error);
-			operationError = { id: name, message: 'Failed to start stack' };
-			toast.error(`Failed to start ${name}`);
-			clearErrorAfterDelay(name);
+			const errorMsg = error instanceof Error ? error.message : 'Failed to start stack';
+			showErrorDialog(`Failed to start ${name}`, errorMsg);
 		} finally {
 			stackActionLoading = null;
 		}
@@ -695,18 +693,16 @@
 			const response = await fetch(appendEnvParam(`/api/stacks/${encodeURIComponent(name)}/stop`, envId), { method: 'POST' });
 			if (!response.ok) {
 				const data = await response.json();
-				operationError = { id: name, message: data.error || 'Failed to stop stack' };
-				toast.error(`Failed to stop ${name}`);
-				clearErrorAfterDelay(name);
+				const errorMsg = data.error || 'Failed to stop stack';
+				showErrorDialog(`Failed to stop ${name}`, errorMsg);
 				return;
 			}
 			toast.success(`Stopped ${name}`);
 			await fetchStacks();
 		} catch (error) {
 			console.error('Failed to stop stack:', error);
-			operationError = { id: name, message: 'Failed to stop stack' };
-			toast.error(`Failed to stop ${name}`);
-			clearErrorAfterDelay(name);
+			const errorMsg = error instanceof Error ? error.message : 'Failed to stop stack';
+			showErrorDialog(`Failed to stop ${name}`, errorMsg);
 		} finally {
 			stackActionLoading = null;
 		}
@@ -719,18 +715,16 @@
 			const response = await fetch(appendEnvParam(`/api/stacks/${encodeURIComponent(name)}/restart`, envId), { method: 'POST' });
 			if (!response.ok) {
 				const data = await response.json();
-				operationError = { id: name, message: data.error || 'Failed to restart stack' };
-				toast.error(`Failed to restart ${name}`);
-				clearErrorAfterDelay(name);
+				const errorMsg = data.error || 'Failed to restart stack';
+				showErrorDialog(`Failed to restart ${name}`, errorMsg);
 				return;
 			}
 			toast.success(`Restarted ${name}`);
 			await fetchStacks();
 		} catch (error) {
 			console.error('Failed to restart stack:', error);
-			operationError = { id: name, message: 'Failed to restart stack' };
-			toast.error(`Failed to restart ${name}`);
-			clearErrorAfterDelay(name);
+			const errorMsg = error instanceof Error ? error.message : 'Failed to restart stack';
+			showErrorDialog(`Failed to restart ${name}`, errorMsg);
 		} finally {
 			stackActionLoading = null;
 		}
@@ -741,20 +735,28 @@
 		stackActionLoading = name;
 		try {
 			const response = await fetch(appendEnvParam(`/api/stacks/${encodeURIComponent(name)}/down`, envId), { method: 'POST' });
+			// Log raw response for debugging
+			const rawText = await response.text();
+			console.log(`[downStack] Response status: ${response.status}, raw body:`, rawText);
+
 			if (!response.ok) {
-				const data = await response.json();
-				operationError = { id: name, message: data.error || 'Failed to bring down stack' };
-				toast.error(`Failed to bring down ${name}`);
-				clearErrorAfterDelay(name);
+				let errorMsg = 'Failed to bring down stack';
+				try {
+					const data = JSON.parse(rawText);
+					errorMsg = data.error || errorMsg;
+				} catch {
+					// Response may not be valid JSON
+					errorMsg = rawText || errorMsg;
+				}
+				showErrorDialog(`Failed to bring down ${name}`, errorMsg);
 				return;
 			}
 			toast.success(`Brought down ${name}`);
 			await fetchStacks();
 		} catch (error) {
 			console.error('Failed to bring down stack:', error);
-			operationError = { id: name, message: 'Failed to bring down stack' };
-			toast.error(`Failed to bring down ${name}`);
-			clearErrorAfterDelay(name);
+			const errorMsg = error instanceof Error ? error.message : 'Failed to bring down stack';
+			showErrorDialog(`Failed to bring down ${name}`, errorMsg);
 		} finally {
 			stackActionLoading = null;
 		}
@@ -779,18 +781,16 @@
 			const response = await fetch(appendEnvParam(`/api/stacks/${encodeURIComponent(name)}?force=true`, envId), { method: 'DELETE' });
 			if (!response.ok) {
 				const data = await response.json();
-				operationError = { id: name, message: data.error || 'Failed to remove stack' };
-				toast.error(`Failed to remove ${name}`);
-				clearErrorAfterDelay(name);
+				const errorMsg = data.error || 'Failed to remove stack';
+				showErrorDialog(`Failed to remove ${name}`, errorMsg);
 				return;
 			}
 			toast.success(`Removed ${name}`);
 			await fetchStacks();
 		} catch (error) {
 			console.error('Failed to remove stack:', error);
-			operationError = { id: name, message: 'Failed to remove stack' };
-			toast.error(`Failed to remove ${name}`);
-			clearErrorAfterDelay(name);
+			const errorMsg = error instanceof Error ? error.message : 'Failed to remove stack';
+			showErrorDialog(`Failed to remove ${name}`, errorMsg);
 		}
 	}
 
@@ -835,8 +835,9 @@
 			const response = await fetch(appendEnvParam(`/api/containers/${containerId}/start`, envId), { method: 'POST' });
 			if (!response.ok) {
 				const data = await response.json();
-				operationError = { id: containerId, message: data.error || 'Failed to start container' };
-				toast.error('Failed to start container');
+				const errorMsg = data.error || 'Failed to start container';
+				operationError = { id: containerId, message: errorMsg };
+				toast.error(errorMsg);
 				clearErrorAfterDelay(containerId);
 				return;
 			}
@@ -844,8 +845,9 @@
 			await fetchStacks();
 		} catch (error) {
 			console.error('Failed to start container:', error);
-			operationError = { id: containerId, message: 'Failed to start container' };
-			toast.error('Failed to start container');
+			const errorMsg = error instanceof Error ? error.message : 'Failed to start container';
+			operationError = { id: containerId, message: errorMsg };
+			toast.error(errorMsg);
 			clearErrorAfterDelay(containerId);
 		} finally {
 			containerActionLoading = null;
@@ -859,8 +861,9 @@
 			const response = await fetch(appendEnvParam(`/api/containers/${containerId}/stop`, envId), { method: 'POST' });
 			if (!response.ok) {
 				const data = await response.json();
-				operationError = { id: containerId, message: data.error || 'Failed to stop container' };
-				toast.error('Failed to stop container');
+				const errorMsg = data.error || 'Failed to stop container';
+				operationError = { id: containerId, message: errorMsg };
+				toast.error(errorMsg);
 				clearErrorAfterDelay(containerId);
 				return;
 			}
@@ -868,8 +871,9 @@
 			await fetchStacks();
 		} catch (error) {
 			console.error('Failed to stop container:', error);
-			operationError = { id: containerId, message: 'Failed to stop container' };
-			toast.error('Failed to stop container');
+			const errorMsg = error instanceof Error ? error.message : 'Failed to stop container';
+			operationError = { id: containerId, message: errorMsg };
+			toast.error(errorMsg);
 			clearErrorAfterDelay(containerId);
 		} finally {
 			containerActionLoading = null;
@@ -883,8 +887,9 @@
 			const response = await fetch(appendEnvParam(`/api/containers/${containerId}/restart`, envId), { method: 'POST' });
 			if (!response.ok) {
 				const data = await response.json();
-				operationError = { id: containerId, message: data.error || 'Failed to restart container' };
-				toast.error('Failed to restart container');
+				const errorMsg = data.error || 'Failed to restart container';
+				operationError = { id: containerId, message: errorMsg };
+				toast.error(errorMsg);
 				clearErrorAfterDelay(containerId);
 				return;
 			}
@@ -892,8 +897,9 @@
 			await fetchStacks();
 		} catch (error) {
 			console.error('Failed to restart container:', error);
-			operationError = { id: containerId, message: 'Failed to restart container' };
-			toast.error('Failed to restart container');
+			const errorMsg = error instanceof Error ? error.message : 'Failed to restart container';
+			operationError = { id: containerId, message: errorMsg };
+			toast.error(errorMsg);
 			clearErrorAfterDelay(containerId);
 		} finally {
 			containerActionLoading = null;
@@ -907,8 +913,9 @@
 			const response = await fetch(appendEnvParam(`/api/containers/${containerId}/pause`, envId), { method: 'POST' });
 			if (!response.ok) {
 				const data = await response.json();
-				operationError = { id: containerId, message: data.error || 'Failed to pause container' };
-				toast.error('Failed to pause container');
+				const errorMsg = data.error || 'Failed to pause container';
+				operationError = { id: containerId, message: errorMsg };
+				toast.error(errorMsg);
 				clearErrorAfterDelay(containerId);
 				return;
 			}
@@ -916,8 +923,9 @@
 			await fetchStacks();
 		} catch (error) {
 			console.error('Failed to pause container:', error);
-			operationError = { id: containerId, message: 'Failed to pause container' };
-			toast.error('Failed to pause container');
+			const errorMsg = error instanceof Error ? error.message : 'Failed to pause container';
+			operationError = { id: containerId, message: errorMsg };
+			toast.error(errorMsg);
 			clearErrorAfterDelay(containerId);
 		} finally {
 			containerActionLoading = null;
@@ -932,8 +940,9 @@
 			const response = await fetch(appendEnvParam(`/api/containers/${containerId}/unpause`, envId), { method: 'POST' });
 			if (!response.ok) {
 				const data = await response.json();
-				operationError = { id: containerId, message: data.error || 'Failed to unpause container' };
-				toast.error('Failed to unpause container');
+				const errorMsg = data.error || 'Failed to unpause container';
+				operationError = { id: containerId, message: errorMsg };
+				toast.error(errorMsg);
 				clearErrorAfterDelay(containerId);
 				return;
 			}
@@ -941,8 +950,9 @@
 			await fetchStacks();
 		} catch (error) {
 			console.error('Failed to unpause container:', error);
-			operationError = { id: containerId, message: 'Failed to unpause container' };
-			toast.error('Failed to unpause container');
+			const errorMsg = error instanceof Error ? error.message : 'Failed to unpause container';
+			operationError = { id: containerId, message: errorMsg };
+			toast.error(errorMsg);
 			clearErrorAfterDelay(containerId);
 		} finally {
 			containerActionLoading = null;
@@ -1013,6 +1023,13 @@
 		loadExpandedState();
 		loadStatusFilter();
 
+		// Check for search query param from URL (e.g., from container stack link)
+		const urlSearch = $page.url.searchParams.get('search');
+		if (urlSearch) {
+			searchInput = urlSearch;
+			searchQuery = urlSearch;
+		}
+
 		// Initial fetch is handled by $effect - no need to duplicate here
 
 		// Listen for tab visibility changes to refresh when user returns
@@ -1047,8 +1064,6 @@
 	onDestroy(() => {
 		document.removeEventListener('visibilitychange', handleVisibilityChange);
 		document.removeEventListener('resume', handleVisibilityChange);
-		errorTimeouts.forEach(id => clearTimeout(id));
-		errorTimeouts = [];
 	});
 </script>
 
@@ -1104,6 +1119,10 @@
 					<Plus class="w-3.5 h-3.5 mr-1" />
 					Create
 				</Button>
+				<Button size="sm" variant="outline" onclick={() => showImportModal = true}>
+					<Import class="w-3.5 h-3.5 mr-1" />
+					Adopt
+				</Button>
 			{/if}
 		</div>
 	</div>
@@ -1244,10 +1263,7 @@
 				sortDirection = state.direction;
 			}}
 			onRowClick={(stack, e) => {
-				const hasContainers = stack.containers && stack.containers.length > 0;
-				if (hasContainers) {
-					toggleExpand(stack.name);
-				}
+				toggleExpand(stack.name);
 			}}
 			rowClass={(stack) => {
 				const isExp = expandedStacks.has(stack.name);
@@ -1258,7 +1274,19 @@
 			{#snippet cell(column, stack, rowState)}
 				{@const source = getStackSource(stack.name)}
 				{#if column.id === 'name'}
-					<span class="font-medium text-xs">{stack.name}</span>
+					{#if source.sourceType !== 'git'}
+						<!-- Internal stacks (including those needing file location) are clickable -->
+						<button
+							type="button"
+							class="font-medium text-xs hover:text-primary hover:underline cursor-pointer text-left"
+							onclick={() => editStack(stack.name)}
+						>
+							{stack.name}
+						</button>
+					{:else}
+						<!-- Git stacks open in GitStackModal instead -->
+						<span class="font-medium text-xs">{stack.name}</span>
+					{/if}
 					{#if stackEnvVarCounts[stack.name]}
 						<Tooltip.Root>
 							<Tooltip.Trigger>
@@ -1274,41 +1302,45 @@
 					{/if}
 				{:else if column.id === 'source'}
 					{#if source.sourceType === 'git'}
-						<Tooltip.Root>
-							<Tooltip.Trigger>
-								<span class="inline-flex items-center gap-1 text-xs px-1.5 py-0.5 rounded-sm bg-purple-100 text-purple-800 dark:bg-purple-900 dark:text-purple-200 shadow-sm">
-									<GitBranch class="w-3 h-3" />
-									Git
-								</span>
-							</Tooltip.Trigger>
-							<Tooltip.Content>
-								{#if source.repository}
-									{source.repository.url} ({source.repository.branch})
-								{:else}
-									Deployed from Git repository
-								{/if}
-							</Tooltip.Content>
-						</Tooltip.Root>
+						<span
+							class="inline-flex items-center justify-center gap-1 text-xs px-1.5 py-0.5 rounded-sm bg-purple-100 text-purple-800 dark:bg-purple-900 dark:text-purple-200 shadow-sm min-w-[5.5rem]"
+							title={source.repository ? `${source.repository.url} (${source.repository.branch})` : 'Deployed from Git repository'}
+						>
+							<GitBranch class="w-3 h-3" />
+							Git
+						</span>
 					{:else if source.sourceType === 'internal'}
-						<Tooltip.Root>
-							<Tooltip.Trigger>
-								<span class="inline-flex items-center gap-1 text-xs px-1.5 py-0.5 rounded-sm bg-blue-100 text-blue-800 dark:bg-blue-900 dark:text-blue-200 shadow-sm">
-									<FileCode class="w-3 h-3" />
-									Internal
-								</span>
-							</Tooltip.Trigger>
-							<Tooltip.Content class="whitespace-nowrap">Created in Dockhand</Tooltip.Content>
-						</Tooltip.Root>
+						<span
+							class="inline-flex items-center justify-center gap-1 text-xs px-1.5 py-0.5 rounded-sm bg-blue-100 text-blue-800 dark:bg-blue-900 dark:text-blue-200 shadow-sm min-w-[5.5rem]"
+							title="Managed by Dockhand"
+						>
+							<FileCode class="w-3 h-3" />
+							Internal
+						</span>
 					{:else}
+						<span
+							class="inline-flex items-center justify-center gap-1 text-xs px-1.5 py-0.5 rounded-sm bg-gray-100 text-gray-800 dark:bg-gray-800 dark:text-gray-200 shadow-sm min-w-[5.5rem]"
+							title="File location unknown"
+						>
+							<ExternalLink class="w-3 h-3" />
+							Untracked
+						</span>
+					{/if}
+				{:else if column.id === 'location'}
+					{#if source.composePath}
+						{@const dirPath = source.composePath.replace(/\/[^/]+$/, '')}
 						<Tooltip.Root>
-							<Tooltip.Trigger>
-								<span class="inline-flex items-center gap-1 text-xs px-1.5 py-0.5 rounded-sm bg-gray-100 text-gray-800 dark:bg-gray-800 dark:text-gray-200 shadow-sm">
-									<ExternalLink class="w-3 h-3" />
-									External
+							<Tooltip.Trigger class="w-full text-left">
+								<span class="text-xs text-muted-foreground block truncate">
+									{dirPath}
 								</span>
 							</Tooltip.Trigger>
-							<Tooltip.Content class="whitespace-nowrap">Created outside Dockhand</Tooltip.Content>
+							<Tooltip.Content class="max-w-md">
+								<code class="text-xs">{source.composePath}</code>
+							</Tooltip.Content>
 						</Tooltip.Root>
+					{:else}
+						<span class="text-xs text-muted-foreground/50">—</span>
 					{/if}
 				{:else if column.id === 'containers'}
 					<div class="flex items-center gap-1">
@@ -1468,23 +1500,24 @@
 								</GitDeployProgressPopover>
 							{/if}
 							{#if $canAccess('stacks', 'edit')}
-								{#if source.sourceType === 'internal'}
+								{#if source.sourceType === 'git' && source.gitStack}
 									<button
 										type="button"
-										onclick={() => editStack(stack.name)}
-										title="Edit"
+										onclick={() => openGitModal(source.gitStack)}
+										title="Edit git stack"
 										class="p-1 rounded hover:bg-muted transition-colors opacity-70 hover:opacity-100 cursor-pointer"
 									>
-										<Pencil class="w-3 h-3 text-muted-foreground hover:text-blue-500" />
+										<Pencil class="w-3 h-3 text-muted-foreground hover:text-purple-500" />
 									</button>
-								{:else if source.sourceType === 'git' && source.gitStack}
+								{:else}
+									<!-- Internal stacks (including those needing file location) -->
 									<button
 										type="button"
-										onclick={() => openGitModal(source.gitStack)}
-										title="Edit git stack"
+										onclick={() => editStack(stack.name)}
+										title="Edit"
 										class="p-1 rounded hover:bg-muted transition-colors opacity-70 hover:opacity-100 cursor-pointer"
 									>
-										<Pencil class="w-3 h-3 text-muted-foreground hover:text-purple-500" />
+										<Pencil class="w-3 h-3 text-muted-foreground hover:text-blue-500" />
 									</button>
 								{/if}
 							{/if}
@@ -1868,6 +1901,13 @@
 							{/each}
 						</div>
 					</div>
+				{:else}
+					<div class="p-4 pl-12 shadow-inner bg-muted/30">
+						<div class="flex items-center justify-center gap-2 py-4 text-muted-foreground text-sm">
+							<Box class="w-4 h-4" />
+							<span>No containers</span>
+						</div>
+					</div>
 				{/if}
 			{/snippet}
 		</DataGrid>
@@ -1907,6 +1947,12 @@
 	onSaved={fetchStacks}
 />
 
+<ImportStackModal
+	bind:open={showImportModal}
+	onClose={() => showImportModal = false}
+	onAdopted={fetchStacks}
+/>
+
 <ContainerInspectModal
 	bind:open={showInspectModal}
 	containerId={inspectContainerId}
@@ -1932,3 +1978,12 @@
 	onClose={() => showBatchOpModal = false}
 	onComplete={handleBatchComplete}
 />
+
+{#if errorDialogData}
+	<ErrorDialog
+		open={true}
+		title={errorDialogData.title}
+		message={errorDialogData.message}
+		onClose={() => errorDialogData = null}
+	/>
+{/if}
diff --git a/routes/stacks/ComposeGraphViewer.svelte b/src/routes/stacks/ComposeGraphViewer.svelte
similarity index 100%
rename from routes/stacks/ComposeGraphViewer.svelte
rename to src/routes/stacks/ComposeGraphViewer.svelte
diff --git a/src/routes/stacks/FilesystemBrowser.svelte b/src/routes/stacks/FilesystemBrowser.svelte
new file mode 100644
index 0000000..22feab2
--- /dev/null
+++ b/src/routes/stacks/FilesystemBrowser.svelte
@@ -0,0 +1,394 @@
+<script lang="ts">
+	import * as Dialog from '$lib/components/ui/dialog';
+	import { Button } from '$lib/components/ui/button';
+	import { Badge } from '$lib/components/ui/badge';
+	import { Loader2, FolderOpen, File, FileText, ChevronRight, ArrowUp, AlertCircle, FolderPlus, Search, Import } from 'lucide-svelte';
+	import type { Component } from 'svelte';
+	import RecentLocationsPanel from './RecentLocationsPanel.svelte';
+
+	export interface FileEntry {
+		name: string;
+		path: string;
+		type: 'file' | 'directory' | 'symlink';
+		size: number;
+		mtime: string;
+		mode: string;
+	}
+
+	interface Props {
+		open: boolean;
+		title?: string;
+		/** Optional icon component to display before the title */
+		icon?: Component<{ class?: string }>;
+		description?: string;
+		initialPath?: string;
+		selectFilter?: RegExp;
+		selectMode?: 'file' | 'directory' | 'file_or_directory' | 'adopt';
+		/** For adopt mode: filter to highlight (e.g., /\.ya?ml$/i for compose files) */
+		highlightFilter?: RegExp;
+		/** For adopt mode: called when user clicks on a matching file */
+		onFilePreview?: (entry: FileEntry) => void;
+		/** For adopt mode: called when user clicks "Scan this folder" */
+		onScanDirectory?: (path: string) => void;
+		/** For adopt mode: show loading state on scan button */
+		scanning?: boolean;
+		onSelect: (path: string, name: string) => void;
+		onClose: () => void;
+	}
+
+	let {
+		open = $bindable(false),
+		title = 'Select file',
+		icon,
+		description,
+		initialPath = '/',
+		selectFilter,
+		selectMode = 'file',
+		highlightFilter,
+		onFilePreview,
+		onScanDirectory,
+		scanning = false,
+		onSelect,
+		onClose
+	}: Props = $props();
+
+	let currentPath = $state<string | null>(null);
+	let entries = $state<FileEntry[]>([]);
+	let loading = $state(false);
+	let error = $state<string | null>(null);
+
+	// Track selected file
+	let selectedPath = $state<string | null>(null);
+	let selectedName = $state<string | null>(null);
+
+	// Reference to recent locations panel
+	let recentLocationsPanel = $state<{ addLocation: (path: string) => Promise<void>; getFirstLocation: () => string | null } | null>(null);
+
+	// Expose methods for parent to call
+	export function getCurrentPath(): string | null {
+		return currentPath;
+	}
+
+	export function addRecentLocation(path: string): Promise<void> {
+		return recentLocationsPanel?.addLocation(path) ?? Promise.resolve();
+	}
+
+	// Load directory when dialog opens
+	$effect(() => {
+		if (open && !currentPath) {
+			// Wait a tick for the panel to load, then use first location or initialPath
+			setTimeout(() => {
+				const firstLocation = recentLocationsPanel?.getFirstLocation();
+				loadDirectory(firstLocation || initialPath);
+			}, 50);
+		}
+	});
+
+	function handleRecentSelect(path: string) {
+		loadDirectory(path);
+	}
+
+	async function loadDirectory(path: string) {
+		loading = true;
+		error = null;
+
+		try {
+			const res = await fetch(`/api/system/files?path=${encodeURIComponent(path)}`);
+			const data = await res.json();
+
+			if (!res.ok) {
+				error = data.error || 'Failed to load directory';
+				return;
+			}
+
+			currentPath = data.path;
+			entries = data.entries;
+		} catch (e) {
+			error = e instanceof Error ? e.message : 'Failed to load directory';
+		} finally {
+			loading = false;
+		}
+	}
+
+	function handleEntryClick(entry: FileEntry, doubleClick: boolean = false) {
+		if (selectMode === 'adopt') {
+			// Adopt mode: click on directory navigates, click on highlighted file triggers preview
+			if (entry.type === 'directory') {
+				loadDirectory(entry.path);
+			} else if (highlightFilter?.test(entry.name) && onFilePreview) {
+				onFilePreview(entry);
+			}
+			return;
+		}
+
+		if (entry.type === 'directory') {
+			if (selectMode === 'file_or_directory' && !doubleClick) {
+				// Single click on directory in file_or_directory mode - select it
+				selectedPath = entry.path;
+				selectedName = entry.name;
+			} else {
+				// Double click or other modes - navigate into directory
+				selectedPath = null;
+				selectedName = null;
+				loadDirectory(entry.path);
+			}
+		} else if (selectMode === 'file' || selectMode === 'file_or_directory') {
+			// Select file
+			selectedPath = entry.path;
+			selectedName = entry.name;
+		}
+	}
+
+	function handleGoUp() {
+		if (!currentPath || currentPath === '/') return;
+
+		const parent = currentPath.replace(/\/[^/]+$/, '') || '/';
+		selectedPath = null;
+		selectedName = null;
+		loadDirectory(parent);
+	}
+
+	function handleConfirm() {
+		if (selectMode === 'directory' && currentPath) {
+			// In directory mode, select the current directory
+			const name = currentPath === '/' ? '/' : currentPath.split('/').pop() || '';
+			onSelect(currentPath, name);
+			handleClose();
+		} else if (selectedPath && selectedName) {
+			// In file or file_or_directory mode, select the selected item
+			onSelect(selectedPath, selectedName);
+			handleClose();
+		} else if (selectMode === 'file_or_directory' && currentPath) {
+			// In file_or_directory mode with nothing selected, use current directory
+			const name = currentPath === '/' ? '/' : currentPath.split('/').pop() || '';
+			onSelect(currentPath, name);
+			handleClose();
+		}
+	}
+
+	function handleClose() {
+		currentPath = null;
+		entries = [];
+		selectedPath = null;
+		selectedName = null;
+		error = null;
+		open = false;
+		onClose();
+	}
+
+	function handleScan() {
+		if (currentPath && onScanDirectory) {
+			onScanDirectory(currentPath);
+		}
+	}
+
+	function isSelectable(entry: FileEntry): boolean {
+		if (selectMode === 'adopt') {
+			// In adopt mode, nothing is "selectable" in the traditional sense
+			return false;
+		}
+		if (selectMode === 'directory') {
+			return entry.type === 'directory';
+		}
+		if (selectMode === 'file_or_directory') {
+			// Directories are always selectable, files must match filter
+			if (entry.type === 'directory') return true;
+			if (!selectFilter) return true;
+			return selectFilter.test(entry.name);
+		}
+		// File mode
+		if (entry.type === 'directory') return false;
+		if (!selectFilter) return true;
+		return selectFilter.test(entry.name);
+	}
+
+	function isHighlighted(entry: FileEntry): boolean {
+		if (entry.type === 'directory') return false;
+		if (!highlightFilter) return false;
+		return highlightFilter.test(entry.name);
+	}
+
+	function formatSize(bytes: number): string {
+		if (bytes < 1024) return `${bytes} B`;
+		if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
+		return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+	}
+
+	const canGoUp = $derived(currentPath && currentPath !== '/');
+
+	// In directory mode, only show directories; otherwise show all
+	const filteredEntries = $derived(
+		selectMode === 'directory'
+			? entries.filter(e => e.type === 'directory')
+			: entries
+	);
+
+	const isAdoptMode = $derived(selectMode === 'adopt');
+</script>
+
+<Dialog.Root bind:open onOpenChange={(isOpen) => { if (!isOpen) handleClose(); }}>
+	<Dialog.Content class="max-w-4xl h-[80vh] flex flex-col {isAdoptMode ? 'p-0 gap-0' : ''}">
+		<Dialog.Header class={isAdoptMode ? 'px-6 py-4 border-b shrink-0' : ''}>
+			<Dialog.Title class="flex items-center gap-2">
+				{#if icon}
+					<svelte:component this={icon} class="w-5 h-5" />
+				{/if}
+				{title}
+			</Dialog.Title>
+			{#if description}
+				<Dialog.Description>{description}</Dialog.Description>
+			{/if}
+		</Dialog.Header>
+
+		<div class="flex-1 overflow-hidden flex {isAdoptMode ? 'min-h-0' : ''}">
+			<!-- Recent locations sidebar -->
+			<RecentLocationsPanel
+				bind:this={recentLocationsPanel}
+				{currentPath}
+				onSelect={handleRecentSelect}
+			/>
+
+			<!-- Main browser area -->
+			<div class="flex-1 flex flex-col min-h-0">
+				<!-- Path bar -->
+				<div class="flex items-center gap-2 px-4 py-2 border-b bg-muted/30">
+					<button
+						type="button"
+						class="p-1 rounded hover:bg-muted disabled:opacity-40 disabled:cursor-not-allowed"
+						disabled={!canGoUp}
+						onclick={handleGoUp}
+						title="Go up"
+					>
+						<ArrowUp class="w-4 h-4" />
+					</button>
+					<code class="text-xs bg-muted px-2 py-1 rounded truncate flex-1">{currentPath || '/'}</code>
+					{#if isAdoptMode}
+						<Button
+							variant="default"
+							size="sm"
+							onclick={handleScan}
+							disabled={scanning || !currentPath}
+						>
+							{#if scanning}
+								<Loader2 class="w-4 h-4 mr-2 animate-spin" />
+								Scanning...
+							{:else}
+								<Search class="w-4 h-4 mr-2" />
+								Scan this folder
+							{/if}
+						</Button>
+					{/if}
+				</div>
+
+				<!-- File list -->
+				<div class="flex-1 overflow-auto">
+				{#if loading}
+					<div class="flex items-center justify-center py-12">
+						<Loader2 class="w-6 h-6 animate-spin text-muted-foreground" />
+					</div>
+				{:else if error}
+					<div class="flex flex-col items-center justify-center py-12 px-4 text-center">
+						<div class="w-16 h-16 rounded-full bg-red-100 dark:bg-red-900/30 flex items-center justify-center mb-4">
+							<AlertCircle class="w-8 h-8 text-red-500" />
+						</div>
+						<p class="text-red-600 dark:text-red-400 font-medium">Unable to browse files</p>
+						<p class="text-sm text-muted-foreground mt-1">{error}</p>
+						<Button variant="outline" size="sm" class="mt-4" onclick={() => currentPath && loadDirectory(currentPath)}>
+							Retry
+						</Button>
+					</div>
+				{:else if filteredEntries.length === 0}
+					<div class="flex flex-col items-center justify-center py-12 text-muted-foreground">
+						<FolderOpen class="w-12 h-12 mb-3 opacity-50" />
+						<p>{selectMode === 'directory' ? 'No subdirectories' : 'Directory is empty'}</p>
+					</div>
+				{:else}
+					<div class="divide-y">
+						{#each filteredEntries as entry}
+							{@const selectable = isSelectable(entry)}
+							{@const highlighted = isHighlighted(entry)}
+							<button
+								type="button"
+								class="w-full flex items-center gap-3 px-4 {isAdoptMode ? 'py-1.5' : 'py-2'} hover:bg-muted/50 text-left transition-colors
+									{entry.type === 'directory' ? 'cursor-pointer' : (selectable || highlighted) ? 'cursor-pointer' : 'opacity-50 cursor-not-allowed'}
+									{selectedPath === entry.path ? 'bg-blue-50 dark:bg-blue-900/20' : ''}"
+								onclick={() => (entry.type === 'directory' || selectable || highlighted) && handleEntryClick(entry, false)}
+								ondblclick={() => entry.type === 'directory' && handleEntryClick(entry, true)}
+								disabled={entry.type !== 'directory' && !selectable && !highlighted}
+							>
+								{#if entry.type === 'directory'}
+									<FolderOpen class="w-4 h-4 text-blue-500 shrink-0" />
+								{:else if highlighted}
+									<FileText class="w-4 h-4 text-green-500 shrink-0" />
+								{:else}
+									<File class="w-4 h-4 text-zinc-400 shrink-0 {selectable ? 'text-green-500' : ''}" />
+								{/if}
+								<span class="flex-1 truncate {isAdoptMode ? 'text-xs' : 'text-sm'} {(selectable || highlighted) && entry.type !== 'directory' ? 'text-green-600 dark:text-green-400 font-medium' : ''}">
+									{entry.name}
+								</span>
+								{#if highlighted && isAdoptMode}
+									<Badge variant="secondary" class="text-xs">Compose file</Badge>
+								{:else if entry.type !== 'directory' && !isAdoptMode}
+									<span class="text-xs text-muted-foreground">{formatSize(entry.size)}</span>
+								{/if}
+								{#if entry.type === 'directory'}
+									<ChevronRight class="w-4 h-4 text-muted-foreground" />
+								{/if}
+							</button>
+						{/each}
+					</div>
+				{/if}
+				</div>
+			</div>
+		</div>
+
+		{#if !isAdoptMode}
+			<Dialog.Footer class="border-t pt-4">
+				{#if selectMode === 'directory'}
+					<div class="flex-1 flex items-center gap-2 min-w-0">
+						<span class="text-xs text-muted-foreground shrink-0">Selected:</span>
+						<code class="text-xs font-mono bg-muted px-2 py-1 rounded truncate" title={currentPath || '/'}>{currentPath || '/'}</code>
+					</div>
+				{:else if selectMode === 'file_or_directory'}
+					<div class="flex-1 flex items-center gap-2 min-w-0">
+						{#if selectedPath}
+							<span class="text-xs text-muted-foreground shrink-0">Selected:</span>
+							<code class="text-xs font-mono bg-muted px-2 py-1 rounded truncate" title={selectedPath}>{selectedPath}</code>
+						{:else}
+							<span class="text-xs text-muted-foreground">Click to select file or folder, double-click to enter folder</span>
+						{/if}
+					</div>
+				{:else if selectedPath}
+					<div class="flex-1 flex items-center gap-2 min-w-0">
+						<span class="text-xs text-muted-foreground shrink-0">Selected:</span>
+						<code class="text-xs font-mono bg-muted px-2 py-1 rounded truncate" title={selectedPath}>{selectedPath}</code>
+					</div>
+				{:else}
+					<div class="flex-1 text-xs text-muted-foreground">
+						Click a file to select it
+					</div>
+				{/if}
+				<Button variant="outline" onclick={handleClose}>
+					Cancel
+				</Button>
+				{#if selectMode === 'directory'}
+					<Button onclick={handleConfirm}>
+						<FolderPlus class="w-4 h-4 mr-2" />
+						Select
+					</Button>
+				{:else if selectMode === 'file_or_directory'}
+					<Button onclick={handleConfirm}>
+						Select
+					</Button>
+				{:else}
+					<Button
+						disabled={!selectedPath}
+						onclick={handleConfirm}
+					>
+						Select
+					</Button>
+				{/if}
+			</Dialog.Footer>
+		{/if}
+	</Dialog.Content>
+</Dialog.Root>
diff --git a/routes/stacks/GitDeployProgressPopover.svelte b/src/routes/stacks/GitDeployProgressPopover.svelte
similarity index 99%
rename from routes/stacks/GitDeployProgressPopover.svelte
rename to src/routes/stacks/GitDeployProgressPopover.svelte
index 83f4a0f..2740062 100644
--- a/routes/stacks/GitDeployProgressPopover.svelte
+++ b/src/routes/stacks/GitDeployProgressPopover.svelte
@@ -175,7 +175,7 @@
 		{@render children()}
 	</Popover.Trigger>
 	<Popover.Content
-		class="w-80 p-0 overflow-hidden flex flex-col"
+		class="w-80 p-0 overflow-hidden flex flex-col z-[200]"
 		align="end"
 		sideOffset={8}
 		interactOutsideBehavior={overallStatus !== 'idle' ? 'ignore' : 'close'}
diff --git a/routes/stacks/GitStackModal.svelte b/src/routes/stacks/GitStackModal.svelte
similarity index 82%
rename from routes/stacks/GitStackModal.svelte
rename to src/routes/stacks/GitStackModal.svelte
index 93baa84..3d53581 100644
--- a/routes/stacks/GitStackModal.svelte
+++ b/src/routes/stacks/GitStackModal.svelte
@@ -1,16 +1,25 @@
 <script lang="ts">
+	import { onMount, onDestroy } from 'svelte';
 	import { Button } from '$lib/components/ui/button';
 	import * as Dialog from '$lib/components/ui/dialog';
 	import * as Select from '$lib/components/ui/select';
 	import { Label } from '$lib/components/ui/label';
 	import { Input } from '$lib/components/ui/input';
 	import { TogglePill } from '$lib/components/ui/toggle-pill';
-	import { Loader2, GitBranch, RefreshCw, Webhook, Rocket, RefreshCcw, Copy, Check, FolderGit2, Github, Key, KeyRound, Lock, FileText } from 'lucide-svelte';
+	import { Loader2, GitBranch, RefreshCw, Webhook, Rocket, RefreshCcw, Copy, Check, FolderGit2, Github, Key, KeyRound, Lock, FileText, HelpCircle, GripVertical, X } from 'lucide-svelte';
+	import * as Tooltip from '$lib/components/ui/tooltip';
 	import CronEditor from '$lib/components/cron-editor.svelte';
 	import StackEnvVarsPanel from '$lib/components/StackEnvVarsPanel.svelte';
 	import { type EnvVar, type ValidationResult } from '$lib/components/StackEnvVarsEditor.svelte';
 	import { toast } from 'svelte-sonner';
 	import { focusFirstInput } from '$lib/utils';
+	import { useSidebar } from '$lib/components/ui/sidebar/context.svelte';
+
+	// Get sidebar state to adjust modal positioning
+	const sidebar = useSidebar();
+
+	// localStorage key for persisted split ratio
+	const STORAGE_KEY_SPLIT = 'dockhand-git-stack-modal-split';
 
 	interface GitCredential {
 		id: number;
@@ -91,6 +100,11 @@
 	let loadingFileVars = $state(false);
 	let existingSecretKeys = $state<Set<string>>(new Set());
 
+	// Resizable split panel state
+	let splitRatio = $state(60); // percentage for form panel
+	let isDraggingSplit = $state(false);
+	let containerRef: HTMLDivElement | null = $state(null);
+
 	// Derived state for merged variables and sources
 	const envVarSources = $derived<Record<string, 'file' | 'override'>>(() => {
 		const sources: Record<string, 'file' | 'override'> = {};
@@ -123,6 +137,48 @@
 	// Derived state for selected repository
 	let selectedRepo = $derived(formRepositoryId ? repositories.find(r => r.id === formRepositoryId) : null);
 
+	onMount(() => {
+		// Load saved split ratio
+		const savedSplit = localStorage.getItem(STORAGE_KEY_SPLIT);
+		if (savedSplit) {
+			const ratio = parseFloat(savedSplit);
+			if (!isNaN(ratio) && ratio >= 30 && ratio <= 80) {
+				splitRatio = ratio;
+			}
+		}
+
+		// Add global mouse event listeners for split dragging
+		window.addEventListener('mousemove', handleMouseMove);
+		window.addEventListener('mouseup', handleMouseUp);
+	});
+
+	onDestroy(() => {
+		window.removeEventListener('mousemove', handleMouseMove);
+		window.removeEventListener('mouseup', handleMouseUp);
+	});
+
+	// Split panel drag handlers
+	function startSplitDrag(e: MouseEvent) {
+		e.preventDefault();
+		isDraggingSplit = true;
+	}
+
+	function handleMouseMove(e: MouseEvent) {
+		if (isDraggingSplit && containerRef) {
+			const rect = containerRef.getBoundingClientRect();
+			const newRatio = ((e.clientX - rect.left) / rect.width) * 100;
+			splitRatio = Math.max(30, Math.min(80, newRatio));
+		}
+	}
+
+	function handleMouseUp() {
+		if (isDraggingSplit) {
+			isDraggingSplit = false;
+			// Save split ratio
+			localStorage.setItem(STORAGE_KEY_SPLIT, splitRatio.toString());
+		}
+	}
+
 	function generateWebhookSecret(): string {
 		const array = new Uint8Array(24);
 		crypto.getRandomValues(array);
@@ -387,20 +443,40 @@
 </script>
 
 <Dialog.Root bind:open onOpenChange={(isOpen) => { if (isOpen) focusFirstInput(); }}>
-	<Dialog.Content class="max-w-6xl max-h-[90vh] flex flex-col overflow-hidden p-0">
-		<Dialog.Header class="shrink-0 px-6 pt-6 pb-4 border-b">
-			<Dialog.Title class="flex items-center gap-2">
-				<GitBranch class="w-5 h-5" />
-				{gitStack ? 'Edit git stack' : 'Deploy from Git'}
-			</Dialog.Title>
-			<Dialog.Description>
-				{gitStack ? 'Update git stack settings' : 'Deploy a compose stack from a Git repository'}
-			</Dialog.Description>
+	<Dialog.Content
+		class="max-w-none h-[95vh] flex flex-col p-0 gap-0 shadow-xl border-zinc-200 dark:border-zinc-700 {sidebar.state === 'collapsed' ? 'w-[calc(100vw-6rem)] ml-[1.5rem]' : 'w-[calc(100vw-12rem)] ml-[4.5rem]'}"
+		showCloseButton={false}
+	>
+		<Dialog.Header class="px-5 py-3 border-b border-zinc-200 dark:border-zinc-700 flex-shrink-0">
+			<div class="flex items-center justify-between">
+				<div class="flex items-center gap-3">
+					<div class="p-1.5 rounded-md bg-zinc-200 dark:bg-zinc-700">
+						<GitBranch class="w-4 h-4 text-zinc-600 dark:text-zinc-300" />
+					</div>
+					<div>
+						<Dialog.Title class="text-sm font-semibold text-zinc-800 dark:text-zinc-100">
+							{gitStack ? 'Edit git stack' : 'Deploy from Git'}
+						</Dialog.Title>
+						<Dialog.Description class="text-xs text-zinc-500 dark:text-zinc-400">
+							{gitStack ? 'Update git stack settings' : 'Deploy a compose stack from a Git repository'}
+						</Dialog.Description>
+					</div>
+				</div>
+
+				<!-- Close button -->
+				<button
+					onclick={onClose}
+					class="p-1.5 rounded-md text-zinc-400 dark:text-zinc-500 hover:text-zinc-600 dark:hover:text-zinc-300 hover:bg-zinc-200 dark:hover:bg-zinc-700 transition-colors"
+				>
+					<X class="w-4 h-4" />
+				</button>
+			</div>
 		</Dialog.Header>
 
-		<div class="flex-1 flex overflow-hidden">
+		<div bind:this={containerRef} class="flex-1 min-h-0 flex {isDraggingSplit ? 'select-none' : ''}">
 			<!-- Left column: Form fields -->
-			<div class="flex-1 overflow-y-auto space-y-4 py-4 px-6 border-r border-zinc-200 dark:border-zinc-700">
+			<div class="flex-shrink-0 flex flex-col min-w-0 overflow-y-auto" style="width: {splitRatio}%">
+				<div class="space-y-4 py-4 px-6">
 			<!-- Repository selection -->
 			{#if !gitStack}
 				<div class="space-y-3">
@@ -582,9 +658,23 @@
 				<p class="text-xs text-muted-foreground">Path to the compose file within the repository</p>
 			</div>
 
-			<!-- .env file path -->
+			<!-- Additional env file for variable substitution -->
 			<div class="space-y-2">
-				<Label for="env-file-path">.env file path</Label>
+				<div class="flex items-center gap-1.5">
+					<Label for="env-file-path">Additional .env file (optional)</Label>
+					<Tooltip.Root>
+						<Tooltip.Trigger>
+							<HelpCircle class="w-3.5 h-3.5 text-muted-foreground cursor-help" />
+						</Tooltip.Trigger>
+						<Tooltip.Content>
+							<div class="w-80">
+								<p class="text-xs">All files in the git repository are cloned automatically, including any files referenced by <code class="bg-muted px-1 rounded">env_file:</code> directives.</p>
+								<p class="text-xs mt-2">Only use this field for additional environment variables to be passed to Docker Compose.</p>
+								<p class="text-xs mt-2">The contents will be parsed and passed as shell environment variables.</p>
+							</div>
+						</Tooltip.Content>
+					</Tooltip.Root>
+				</div>
 				{#if gitStack && envFiles.length > 0}
 					<!-- Dropdown selector for existing stacks with discovered .env files -->
 					<Select.Root
@@ -633,7 +723,9 @@
 						placeholder=".env"
 					/>
 				{/if}
-				<p class="text-xs text-muted-foreground">Path to the .env file within the repository (optional)</p>
+				<p class="text-xs text-muted-foreground">
+				For variable substitution from a file outside the compose directory.
+			</p>
 			</div>
 
 			<!-- Auto-update section -->
@@ -740,25 +832,41 @@
 
 			<!-- Deploy now option (only for new stacks) -->
 			{#if !gitStack}
-				<div class="flex items-center gap-3">
-					<div class="flex items-center gap-2 flex-1">
-						<Rocket class="w-4 h-4 text-muted-foreground" />
-						<div class="flex-1">
-							<Label class="text-sm font-normal">Deploy now</Label>
-							<p class="text-xs text-muted-foreground">Clone and deploy the stack immediately</p>
+				<div class="space-y-3 p-3 bg-muted/50 rounded-md">
+					<div class="flex items-center gap-3">
+						<div class="flex items-center gap-2 flex-1">
+							<Rocket class="w-4 h-4 text-muted-foreground" />
+							<div class="flex-1">
+								<Label class="text-sm font-normal">Deploy now</Label>
+								<p class="text-xs text-muted-foreground">Clone and deploy the stack immediately</p>
+							</div>
 						</div>
+						<TogglePill bind:checked={formDeployNow} />
 					</div>
-					<TogglePill bind:checked={formDeployNow} />
 				</div>
 			{/if}
 
 			{#if formError}
 				<p class="text-sm text-destructive">{formError}</p>
 			{/if}
+				</div>
+			</div>
+
+			<!-- Resizable divider -->
+			<div
+				class="w-1 flex-shrink-0 bg-zinc-200 dark:bg-zinc-700 hover:bg-blue-400 dark:hover:bg-blue-500 cursor-col-resize transition-colors flex items-center justify-center group {isDraggingSplit ? 'bg-blue-500 dark:bg-blue-400' : ''}"
+				onmousedown={startSplitDrag}
+				role="separator"
+				aria-orientation="vertical"
+				tabindex="0"
+			>
+				<div class="w-4 h-8 flex items-center justify-center opacity-0 group-hover:opacity-100 transition-opacity {isDraggingSplit ? 'opacity-100' : ''}">
+					<GripVertical class="w-3 h-3 text-white" />
+				</div>
 			</div>
 
 			<!-- Right column: Environment Variables -->
-			<div class="w-[380px] flex-shrink-0 flex flex-col bg-zinc-50 dark:bg-zinc-800/50">
+			<div class="flex-1 min-w-0 flex flex-col overflow-hidden bg-zinc-50 dark:bg-zinc-800/50">
 				<StackEnvVarsPanel
 					bind:variables={envVars}
 					showSource={!!formEnvFilePath && gitStack !== null}
@@ -770,7 +878,7 @@
 			</div>
 		</div>
 
-		<Dialog.Footer class="shrink-0 border-t px-6 py-4">
+		<Dialog.Footer class="px-5 py-2.5 border-t border-zinc-200 dark:border-zinc-700 flex-shrink-0">
 			<Button variant="outline" onclick={onClose}>Cancel</Button>
 			{#if gitStack}
 				<Button variant="outline" onclick={() => saveGitStack(true)} disabled={formSaving}>
diff --git a/src/routes/stacks/ImportStackModal.svelte b/src/routes/stacks/ImportStackModal.svelte
new file mode 100644
index 0000000..37f14db
--- /dev/null
+++ b/src/routes/stacks/ImportStackModal.svelte
@@ -0,0 +1,494 @@
+<script lang="ts">
+	import * as Dialog from '$lib/components/ui/dialog';
+	import { Button } from '$lib/components/ui/button';
+	import { Badge } from '$lib/components/ui/badge';
+	import { Checkbox } from '$lib/components/ui/checkbox';
+	import { Import, Loader2, Play, Info } from 'lucide-svelte';
+	import FilesystemBrowser, { type FileEntry } from './FilesystemBrowser.svelte';
+	import CodeEditor from '$lib/components/CodeEditor.svelte';
+	import { toast } from 'svelte-sonner';
+	import { currentEnvironment, environments } from '$lib/stores/environment';
+	import { getIconComponent } from '$lib/utils/icons';
+
+	interface DiscoveredStack {
+		name: string;
+		composePath: string;
+		envPath: string | null;
+		sourceDir?: string;
+		serviceCount?: number;
+		running?: boolean;
+		containerCount?: number;
+	}
+
+	interface Props {
+		open: boolean;
+		onClose: () => void;
+		onAdopted?: () => void;
+	}
+
+	let { open = $bindable(), onClose, onAdopted }: Props = $props();
+
+	// View state: 'browse' | 'results'
+	let view = $state<'browse' | 'results'>('browse');
+
+	// Reference to filesystem browser
+	let filesystemBrowser = $state<{ getCurrentPath: () => string | null; addRecentLocation: (path: string) => Promise<void> } | null>(null);
+
+	// Scan results state
+	let scanResults = $state<DiscoveredStack[]>([]);
+	let scanning = $state(false);
+
+	// Selection and adopt state
+	let stackSelections = $state<Map<string, boolean>>(new Map());
+	let adopting = $state(false);
+
+	// Preview dialog state (for single file click)
+	let showPreview = $state(false);
+	let previewFile = $state<FileEntry | null>(null);
+	let previewContent = $state<string | null>(null);
+	let previewServiceCount = $state<number>(0);
+	let loadingPreview = $state(false);
+
+	// Use current environment from store
+	const envId = $derived($currentEnvironment?.id ?? null);
+	const envName = $derived($currentEnvironment?.name ?? 'Unknown');
+	// Look up the icon from the environments list since currentEnvironment doesn't store it
+	const currentEnvData = $derived($environments.find(e => e.id === envId));
+	const envIcon = $derived(currentEnvData?.icon || 'globe');
+	const EnvIconComponent = $derived(getIconComponent(envIcon));
+
+	// Reset when modal closes
+	$effect(() => {
+		if (!open) {
+			view = 'browse';
+			scanResults = [];
+			stackSelections = new Map();
+			showPreview = false;
+			previewFile = null;
+			previewContent = null;
+			previewServiceCount = 0;
+		}
+	});
+
+	async function handleFilePreview(entry: FileEntry) {
+		previewFile = entry;
+		showPreview = true;
+		loadingPreview = true;
+		previewContent = null;
+		previewServiceCount = 0;
+
+		try {
+			const res = await fetch(`/api/system/files/content?path=${encodeURIComponent(entry.path)}`);
+			if (res.ok) {
+				const data = await res.json();
+				previewContent = data.content || '';
+				// Count services in the compose file
+				const serviceMatches = previewContent?.match(/^services:\s*\n((?:\s{2,}\w+:.*\n?)+)/m);
+				if (serviceMatches) {
+					const servicesBlock = serviceMatches[1];
+					const serviceNames = servicesBlock.match(/^\s{2}\w+:/gm);
+					previewServiceCount = serviceNames?.length || 0;
+				}
+			}
+		} catch (e) {
+			console.error('Failed to load preview:', e);
+		} finally {
+			loadingPreview = false;
+		}
+	}
+
+	function confirmAdoptFromPreview() {
+		if (previewFile) {
+			adoptSingleFile(previewFile);
+			showPreview = false;
+		}
+	}
+
+	async function handleScanDirectory(path: string) {
+		scanning = true;
+
+		try {
+			const res = await fetch('/api/stacks/scan', {
+				method: 'POST',
+				headers: { 'Content-Type': 'application/json' },
+				body: JSON.stringify({ path })
+			});
+
+			const data = await res.json();
+
+			if (!res.ok) {
+				toast.error(data.error || 'Failed to scan directory');
+				return;
+			}
+
+			const discovered: DiscoveredStack[] = data.discovered || [];
+
+			// Detect running stacks on current environment
+			if (envId && discovered.length > 0) {
+				try {
+					const runningRes = await fetch(`/api/stacks?env=${envId}`);
+					if (runningRes.ok) {
+						const runningStacks: Array<{ name: string; containers?: any[] }> = await runningRes.json();
+						const runningMap = new Map(
+							runningStacks.map((s) => [s.name.toLowerCase(), s])
+						);
+
+						for (const stack of discovered) {
+							const runningStack = runningMap.get(stack.name.toLowerCase());
+							if (runningStack) {
+								stack.running = true;
+								stack.containerCount = runningStack.containers?.length || 0;
+							}
+						}
+					}
+				} catch (e) {
+					console.error('Failed to detect running stacks:', e);
+				}
+			}
+
+			scanResults = discovered;
+
+			if (discovered.length === 0) {
+				toast.info('No compose stacks found in this directory');
+			} else {
+				const selections = new Map<string, boolean>();
+				for (const stack of discovered) {
+					// Don't pre-select stacks that are already running on this environment
+					selections.set(stack.composePath, !stack.running);
+				}
+				stackSelections = selections;
+				view = 'results';
+			}
+
+			await filesystemBrowser?.addRecentLocation(path);
+
+		} catch (e) {
+			toast.error(e instanceof Error ? e.message : 'Failed to scan directory');
+		} finally {
+			scanning = false;
+		}
+	}
+
+	async function adoptSingleFile(entry: FileEntry) {
+		if (!envId) {
+			toast.error('No environment selected');
+			return;
+		}
+
+		adopting = true;
+
+		try {
+			const parentDir = entry.path.replace(/\/[^/]+$/, '');
+			const stackName = parentDir.split('/').pop() || 'adopted-stack';
+			const envFilePath = `${parentDir}/.env`;
+
+			const stack: DiscoveredStack = {
+				name: stackName,
+				composePath: entry.path,
+				envPath: envFilePath,
+				sourceDir: parentDir
+			};
+
+			const res = await fetch('/api/stacks/adopt', {
+				method: 'POST',
+				headers: { 'Content-Type': 'application/json' },
+				body: JSON.stringify({
+					stacks: [stack],
+					environmentId: envId
+				})
+			});
+
+			const data = await res.json();
+
+			if (!res.ok) {
+				toast.error(data.error || 'Failed to adopt stack');
+				return;
+			}
+
+			if (data.adopted?.length > 0) {
+				toast.success(`Adopted stack "${data.adopted[0]}"`);
+				await filesystemBrowser?.addRecentLocation(parentDir);
+				onAdopted?.();
+				handleClose();
+			} else if (data.failed?.length > 0) {
+				toast.error(`Failed: ${data.failed[0].error}`);
+			}
+		} catch (e) {
+			toast.error(e instanceof Error ? e.message : 'Failed to adopt');
+		} finally {
+			adopting = false;
+		}
+	}
+
+	async function handleAdoptSelected() {
+		if (!envId || stackSelections.size === 0) return;
+
+		const selectedStacks = scanResults.filter(s => stackSelections.get(s.composePath));
+		if (selectedStacks.length === 0) return;
+
+		adopting = true;
+
+		try {
+			const res = await fetch('/api/stacks/adopt', {
+				method: 'POST',
+				headers: { 'Content-Type': 'application/json' },
+				body: JSON.stringify({
+					stacks: selectedStacks,
+					environmentId: envId
+				})
+			});
+
+			const data = await res.json();
+
+			if (!res.ok) {
+				toast.error(data.error || 'Failed to adopt stacks');
+				return;
+			}
+
+			if (data.adopted?.length > 0) {
+				toast.success(`Adopted ${data.adopted.length} stack(s)`);
+				onAdopted?.();
+				handleClose();
+			}
+			if (data.failed?.length > 0) {
+				toast.error(`Failed to adopt ${data.failed.length} stack(s)`);
+			}
+		} catch (e) {
+			toast.error(e instanceof Error ? e.message : 'Failed to adopt');
+		} finally {
+			adopting = false;
+		}
+	}
+
+	function toggleStack(composePath: string) {
+		const newMap = new Map(stackSelections);
+		newMap.set(composePath, !newMap.get(composePath));
+		stackSelections = newMap;
+	}
+
+	function toggleAll() {
+		const allSelected = scanResults.every(s => stackSelections.get(s.composePath));
+		const newMap = new Map<string, boolean>();
+		for (const stack of scanResults) {
+			newMap.set(stack.composePath, !allSelected);
+		}
+		stackSelections = newMap;
+	}
+
+	function handleClose() {
+		open = false;
+		onClose();
+	}
+
+	function goBackToBrowse() {
+		view = 'browse';
+		scanResults = [];
+		stackSelections = new Map();
+	}
+
+	const selectedCount = $derived([...stackSelections.values()].filter(v => v).length);
+	const allSelected = $derived(scanResults.length > 0 && scanResults.every(s => stackSelections.get(s.composePath)));
+
+	// Browser title with environment info
+	const browserTitle = $derived.by(() => {
+		const envPart = envName ? ` · ${envName}` : '';
+		return `Adopt stacks${envPart}`;
+	});
+</script>
+
+{#if view === 'browse'}
+	<!-- File Browser View - using FilesystemBrowser component -->
+	<FilesystemBrowser
+		bind:this={filesystemBrowser}
+		bind:open
+		title={browserTitle}
+		icon={Import}
+		description="Browse to a compose file or scan a directory for stacks."
+		selectMode="adopt"
+		highlightFilter={/\.ya?ml$/i}
+		onFilePreview={handleFilePreview}
+		onScanDirectory={handleScanDirectory}
+		{scanning}
+		onSelect={() => {}}
+		onClose={handleClose}
+	/>
+{:else}
+	<!-- Scan Results View -->
+	<Dialog.Root bind:open onOpenChange={(o) => !o && handleClose()}>
+		<Dialog.Content class="max-w-4xl h-[80vh] flex flex-col p-0 gap-0">
+			<Dialog.Header class="px-6 py-4 border-b shrink-0">
+				<Dialog.Title class="flex items-center gap-2">
+					<Import class="w-5 h-5" />
+					Select stacks to adopt
+					<span class="text-muted-foreground">·</span>
+					<EnvIconComponent class="w-4 h-4 text-muted-foreground" />
+					<span class="text-muted-foreground font-normal">{envName}</span>
+				</Dialog.Title>
+				<Dialog.Description>
+					{scanResults.length} stack(s) found. Select which ones to adopt into {envName}.
+				</Dialog.Description>
+			</Dialog.Header>
+
+			<div class="flex-1 flex flex-col min-h-0">
+				<!-- Stack list -->
+				<div class="flex-1 overflow-y-auto p-4">
+					<div class="space-y-2">
+						{#each scanResults as stack}
+							{@const isSelected = stackSelections.get(stack.composePath)}
+							{@const countsMismatch = stack.running && stack.serviceCount && stack.containerCount !== stack.serviceCount}
+							<div
+								class="flex items-start gap-3 p-3 rounded-lg border {isSelected ? 'border-primary/50 bg-primary/5' : 'border-border'}"
+							>
+								<Checkbox
+									checked={isSelected}
+									onCheckedChange={() => toggleStack(stack.composePath)}
+									class="mt-0.5"
+								/>
+								<div class="flex-1 min-w-0">
+									<div class="flex items-center gap-2 flex-wrap">
+										<span class="font-medium truncate">{stack.name}</span>
+										{#if stack.serviceCount}
+											<Badge variant="outline" class="text-xs">
+												{stack.serviceCount} service{stack.serviceCount !== 1 ? 's' : ''}
+											</Badge>
+										{/if}
+										{#if stack.running}
+											<Badge variant="default" class="text-xs {countsMismatch ? 'bg-amber-600' : 'bg-green-600'}">
+												<Play class="w-3 h-3 mr-1" />
+												{stack.containerCount} running
+											</Badge>
+										{/if}
+									</div>
+									<p class="text-xs text-muted-foreground truncate mt-0.5" title={stack.composePath}>
+										{stack.composePath}
+									</p>
+									{#if stack.envPath}
+										<p class="text-xs text-muted-foreground truncate" title={stack.envPath}>
+											.env: {stack.envPath}
+										</p>
+									{/if}
+								</div>
+							</div>
+						{/each}
+					</div>
+				</div>
+				<!-- Adopt info -->
+				<div class="px-4 py-3 border-t shrink-0">
+					<div class="flex items-start gap-2.5 text-xs bg-zinc-100 dark:bg-zinc-800/50 border border-zinc-200 dark:border-zinc-700 rounded-md px-3 py-2.5">
+						<Info class="w-4 h-4 text-amber-500 shrink-0 mt-0.5" />
+						<span><span class="font-medium text-amber-600 dark:text-amber-400">What happens when you adopt:</span> <span class="text-zinc-600 dark:text-zinc-400">Dockhand will track these compose files, letting you edit, start, and stop the stacks from the UI. Your files stay in their current location.</span></span>
+					</div>
+				</div>
+			</div>
+
+			<!-- Footer -->
+			<div class="px-6 py-4 border-t flex items-center justify-between shrink-0">
+				<div class="flex items-center gap-3">
+					<Checkbox
+						checked={allSelected}
+						onCheckedChange={toggleAll}
+					/>
+					<span class="text-sm text-muted-foreground">
+						<span class="font-medium text-foreground">{selectedCount}</span> of {scanResults.length} selected
+					</span>
+				</div>
+				<div class="flex gap-2">
+					<Button variant="outline" onclick={goBackToBrowse}>
+						Back
+					</Button>
+					<Button variant="outline" onclick={handleClose}>
+						Cancel
+					</Button>
+					<Button
+						variant="default"
+						onclick={handleAdoptSelected}
+						disabled={adopting || selectedCount === 0}
+					>
+						{#if adopting}
+							<Loader2 class="w-4 h-4 mr-2 animate-spin" />
+							Adopting...
+						{:else}
+							<Import class="w-4 h-4 mr-2" />
+							Adopt {selectedCount} stack(s)
+						{/if}
+					</Button>
+				</div>
+			</div>
+		</Dialog.Content>
+	</Dialog.Root>
+{/if}
+
+<!-- Preview dialog for single file adopt -->
+<Dialog.Root bind:open={showPreview}>
+	<Dialog.Content class="max-w-3xl h-[70vh] flex flex-col p-0 gap-0">
+		<Dialog.Header class="px-5 py-4 border-b shrink-0">
+			<Dialog.Title class="flex items-center gap-2">
+				<Import class="w-5 h-5" />
+				Adopt this stack?
+			</Dialog.Title>
+			<Dialog.Description>
+				Review the compose file before adopting.
+			</Dialog.Description>
+		</Dialog.Header>
+
+		{#if previewFile}
+			<div class="flex-1 flex flex-col min-h-0 overflow-hidden">
+				<!-- Stack info bar -->
+				<div class="px-5 py-3 border-b bg-muted/30 flex items-center gap-4 shrink-0">
+					<div class="flex items-center gap-2">
+						<span class="text-sm text-muted-foreground">Stack:</span>
+						<span class="font-medium">{previewFile.path.replace(/\/[^/]+$/, '').split('/').pop() || 'unknown'}</span>
+						{#if previewServiceCount > 0}
+							<Badge variant="outline" class="text-xs">
+								{previewServiceCount} service{previewServiceCount !== 1 ? 's' : ''}
+							</Badge>
+						{/if}
+					</div>
+					<div class="flex-1 min-w-0">
+						<code class="text-xs bg-muted px-2 py-1 rounded truncate block">{previewFile.path}</code>
+					</div>
+				</div>
+
+				<!-- Preview content with syntax highlighting -->
+				<div class="flex-1 min-h-0 p-3">
+					{#if loadingPreview}
+						<div class="flex items-center justify-center h-full">
+							<Loader2 class="w-6 h-6 animate-spin text-muted-foreground" />
+						</div>
+					{:else if previewContent}
+						<CodeEditor
+							value={previewContent}
+							language="yaml"
+							theme="dark"
+							readonly={true}
+							class="h-full rounded-md overflow-hidden border border-zinc-200 dark:border-zinc-700"
+						/>
+					{/if}
+				</div>
+
+				<!-- Adopt info -->
+				<div class="px-5 py-3 border-t shrink-0">
+					<div class="flex items-start gap-2.5 text-xs bg-zinc-100 dark:bg-zinc-800/50 border border-zinc-200 dark:border-zinc-700 rounded-md px-3 py-2.5">
+						<Info class="w-4 h-4 text-amber-500 shrink-0 mt-0.5" />
+						<span><span class="font-medium text-amber-600 dark:text-amber-400">What happens when you adopt:</span> <span class="text-zinc-600 dark:text-zinc-400">Dockhand will track this compose file, letting you edit, start, and stop the stack from the UI. Your files stay in their current location.</span></span>
+					</div>
+				</div>
+			</div>
+		{/if}
+
+		<div class="px-5 py-3 border-t flex justify-end gap-2 shrink-0">
+			<Button variant="outline" onclick={() => showPreview = false}>
+				Cancel
+			</Button>
+			<Button onclick={confirmAdoptFromPreview} disabled={adopting}>
+				{#if adopting}
+					<Loader2 class="w-4 h-4 mr-2 animate-spin" />
+					Adopting...
+				{:else}
+					<Import class="w-4 h-4 mr-2" />
+					Adopt stack
+				{/if}
+			</Button>
+		</div>
+	</Dialog.Content>
+</Dialog.Root>
diff --git a/src/routes/stacks/PathBarItem.svelte b/src/routes/stacks/PathBarItem.svelte
new file mode 100644
index 0000000..637f976
--- /dev/null
+++ b/src/routes/stacks/PathBarItem.svelte
@@ -0,0 +1,92 @@
+<script lang="ts">
+	import { Copy, Check, FolderOpen, FolderSync } from 'lucide-svelte';
+
+	interface Props {
+		label: string;
+		path: string | null;
+		placeholder: string;
+		onCopy: () => void;
+		onBrowse: () => void;
+		onChangeLocation?: () => void; // Optional: relocate entire folder
+		defaultText?: string;
+		isSuggested?: boolean;
+		copied?: boolean;
+		sourceHint?: string; // e.g., "Using default location"
+	}
+
+	let {
+		label,
+		path,
+		placeholder,
+		onCopy,
+		onBrowse,
+		onChangeLocation,
+		defaultText = 'Default location',
+		isSuggested = false,
+		copied = false,
+		sourceHint
+	}: Props = $props();
+
+	// Truncate long paths - only truncate if really necessary
+	function truncatePath(pathStr: string, maxLength: number = 80): { truncated: string; full: string } {
+		if (!pathStr || pathStr.length <= maxLength) return { truncated: pathStr, full: pathStr };
+
+		const parts = pathStr.split('/');
+		const filename = parts.pop() || '';
+		const parent = parts.pop() || '';
+		const grandparent = parts.pop() || '';
+
+		// Try to show more context: .../{grandparent}/{parent}/{filename}
+		let truncated = `.../${grandparent}/${parent}/${filename}`;
+		if (truncated.length > maxLength) {
+			// Fall back to just parent/filename
+			truncated = `.../${parent}/${filename}`;
+		}
+		return { truncated, full: pathStr };
+	}
+
+	const displayPath = $derived(path ? truncatePath(path) : { truncated: '', full: '' });
+</script>
+
+<div class="flex flex-col gap-0.5">
+<div class="flex items-center gap-2 text-xs text-zinc-500 dark:text-zinc-400">
+	<span class="font-medium text-zinc-600 dark:text-zinc-300 shrink-0">{label}</span>
+	<code
+		class="flex-1 min-w-0 truncate font-mono h-6 leading-6 {!path || isSuggested ? 'text-zinc-400 dark:text-zinc-500 italic' : ''}"
+		title={displayPath.full}
+	>
+		{displayPath.truncated || defaultText}
+	</code>
+	<button
+		onclick={onBrowse}
+		class="p-1 rounded transition-colors shrink-0 hover:bg-zinc-200 dark:hover:bg-zinc-700"
+		title={`Browse for ${label.toLowerCase()}`}
+	>
+		<FolderOpen class="w-3.5 h-3.5" />
+	</button>
+	{#if onChangeLocation}
+		<button
+			onclick={onChangeLocation}
+			class="p-1 rounded transition-colors shrink-0 hover:bg-zinc-200 dark:hover:bg-zinc-700"
+			title="Change location"
+		>
+			<FolderSync class="w-3.5 h-3.5" />
+		</button>
+	{/if}
+	<button
+		onclick={onCopy}
+		class="p-1 rounded hover:bg-zinc-200 dark:hover:bg-zinc-700 transition-colors shrink-0 {!path ? 'opacity-40 cursor-not-allowed' : ''}"
+		title="Copy path"
+		disabled={!path}
+	>
+		{#if copied}
+			<Check class="w-3.5 h-3.5 text-green-500" />
+		{:else}
+			<Copy class="w-3.5 h-3.5" />
+		{/if}
+	</button>
+</div>
+{#if sourceHint}
+	<span class="text-[10px] text-zinc-400 dark:text-zinc-500 pl-[4.5rem]">{sourceHint}</span>
+{/if}
+</div>
diff --git a/src/routes/stacks/RecentLocationsPanel.svelte b/src/routes/stacks/RecentLocationsPanel.svelte
new file mode 100644
index 0000000..277cc7e
--- /dev/null
+++ b/src/routes/stacks/RecentLocationsPanel.svelte
@@ -0,0 +1,120 @@
+<script lang="ts">
+	import { FolderOpen, X, Home } from 'lucide-svelte';
+
+	interface Props {
+		currentPath?: string | null;
+		onSelect: (path: string) => void;
+	}
+
+	let {
+		currentPath = null,
+		onSelect
+	}: Props = $props();
+
+	let locations = $state<string[]>([]);
+	let defaultBasePath = $state<string | null>(null);
+
+	// Load recent locations and default base path on mount
+	$effect(() => {
+		loadLocations();
+		loadDefaultBasePath();
+	});
+
+	async function loadDefaultBasePath() {
+		try {
+			const response = await fetch('/api/stacks/base-path');
+			if (response.ok) {
+				const data = await response.json();
+				defaultBasePath = data.basePath;
+			}
+		} catch (e) {
+			console.error('Failed to load default base path:', e);
+		}
+	}
+
+	async function loadLocations() {
+		try {
+			const response = await fetch('/api/settings/general');
+			if (response.ok) {
+				const settings = await response.json();
+				locations = settings.externalStackPaths || [];
+			}
+		} catch (e) {
+			console.error('Failed to load recent locations:', e);
+		}
+	}
+
+	async function saveLocations(newLocations: string[]) {
+		try {
+			await fetch('/api/settings/general', {
+				method: 'POST',
+				headers: { 'Content-Type': 'application/json' },
+				body: JSON.stringify({ externalStackPaths: newLocations })
+			});
+		} catch (e) {
+			console.error('Failed to save recent locations:', e);
+		}
+	}
+
+	async function handleRemove(path: string) {
+		const newLocations = locations.filter(p => p !== path);
+		locations = newLocations;
+		await saveLocations(newLocations);
+	}
+
+	export async function addLocation(path: string) {
+		if (!path || locations.includes(path)) return;
+		const newLocations = [path, ...locations].slice(0, 10);
+		locations = newLocations;
+		await saveLocations(newLocations);
+	}
+
+	export function getFirstLocation(): string | null {
+		return locations[0] || null;
+	}
+</script>
+
+<div class="w-56 border-r p-3 overflow-y-auto shrink-0">
+	<h3 class="text-xs font-medium text-muted-foreground uppercase tracking-wider mb-2">Locations</h3>
+	<div class="space-y-1">
+		<!-- Default Dockhand location (always shown, not removable) -->
+		{#if defaultBasePath}
+			<button
+				type="button"
+				class="w-full flex items-center gap-2 px-2 py-1.5 rounded text-xs hover:bg-muted text-left {currentPath === defaultBasePath ? 'bg-muted' : ''}"
+				onclick={() => onSelect(defaultBasePath!)}
+			>
+				<Home class="w-4 h-4 shrink-0 text-sky-500" />
+				<span class="truncate" title={defaultBasePath}>Dockhand default</span>
+			</button>
+		{/if}
+
+		<!-- Recent locations -->
+		{#each locations.filter(l => l !== defaultBasePath) as location}
+			<div class="group flex items-center gap-1">
+				<button
+					type="button"
+					class="flex-1 flex items-center gap-2 px-2 py-1.5 rounded text-xs hover:bg-muted text-left truncate {currentPath === location ? 'bg-muted' : ''}"
+					onclick={() => onSelect(location)}
+				>
+					<FolderOpen class="w-4 h-4 shrink-0 text-muted-foreground" />
+					<span class="truncate" title={location}>{location.split('/').pop() || location}</span>
+				</button>
+				<button
+					type="button"
+					class="p-1 opacity-0 group-hover:opacity-100 hover:bg-muted rounded transition-opacity"
+					onclick={() => handleRemove(location)}
+					title="Remove from recent"
+				>
+					<X class="w-3 h-3 text-muted-foreground" />
+				</button>
+			</div>
+		{/each}
+
+		{#if !defaultBasePath && locations.length === 0}
+			<p class="text-xs text-muted-foreground italic px-2">
+				No locations yet. Browse folders to add them here.
+			</p>
+		{/if}
+	</div>
+</div>
diff --git a/src/routes/stacks/StackModal.svelte b/src/routes/stacks/StackModal.svelte
new file mode 100644
index 0000000..2bccc78
--- /dev/null
+++ b/src/routes/stacks/StackModal.svelte
@@ -0,0 +1,1695 @@
+<script lang="ts">
+	import { onMount, onDestroy, tick } from 'svelte';
+	import * as Dialog from '$lib/components/ui/dialog';
+	import { Button } from '$lib/components/ui/button';
+	import { Input } from '$lib/components/ui/input';
+	import { Label } from '$lib/components/ui/label';
+	import CodeEditor, { type VariableMarker } from '$lib/components/CodeEditor.svelte';
+	import StackEnvVarsPanel from '$lib/components/StackEnvVarsPanel.svelte';
+	import { type EnvVar, type ValidationResult } from '$lib/components/StackEnvVarsEditor.svelte';
+	import { Layers, Save, Play, Code, GitGraph, Loader2, AlertCircle, X, Sun, Moon, TriangleAlert, GripVertical, FolderOpen, Copy, Check, MapPin, ArrowRight, ArrowDown, Info, Box, FolderSync } from 'lucide-svelte';
+	import type { Component } from 'svelte';
+	import FilesystemBrowser from './FilesystemBrowser.svelte';
+	import PathBarItem from './PathBarItem.svelte';
+	import * as Tooltip from '$lib/components/ui/tooltip';
+	import * as Select from '$lib/components/ui/select';
+	import { Badge } from '$lib/components/ui/badge';
+	import { currentEnvironment, appendEnvParam } from '$lib/stores/environment';
+	import { appSettings } from '$lib/stores/settings';
+	import { focusFirstInput } from '$lib/utils';
+	import * as Alert from '$lib/components/ui/alert';
+	import { ErrorDialog } from '$lib/components/ui/error-dialog';
+	import ComposeGraphViewer from './ComposeGraphViewer.svelte';
+	import { useSidebar } from '$lib/components/ui/sidebar/context.svelte';
+
+	// Get sidebar state to adjust modal positioning
+	const sidebar = useSidebar();
+
+	// localStorage key for persisted split ratio
+	const STORAGE_KEY_SPLIT = 'dockhand-stack-modal-split';
+
+	interface Props {
+		open: boolean;
+		mode: 'create' | 'edit';
+		stackName?: string; // Required for edit mode, optional for create
+		onClose: () => void;
+		onSuccess: () => void; // Called after create or save
+	}
+
+	let { open = $bindable(), mode, stackName = '', onClose, onSuccess }: Props = $props();
+
+	// Form state
+	let newStackName = $state('');
+	let loading = $state(false);
+	let saving = $state(false);
+	let savingWithRestart = $state(false); // Track which save action is in progress
+	let error = $state<string | null>(null);
+	let loadError = $state<string | null>(null);
+	let errors = $state<{ stackName?: string; compose?: string }>({});
+	let composeContent = $state('');
+	let activeTab = $state<'editor' | 'graph'>('editor');
+	let showConfirmClose = $state(false);
+	let editorTheme = $state<'light' | 'dark'>('dark');
+
+	// Environment variables state
+	let envVars = $state<EnvVar[]>([]);
+	let rawEnvContent = $state(''); // Raw .env file content (comments preserved)
+	let envValidation = $state<ValidationResult | null>(null);
+	let validating = $state(false);
+	let existingSecretKeys = $state<Set<string>>(new Set());
+	let hadExistingDbVars = $state(false); // Track if DB had any vars on load (for proper cleanup)
+
+	// Simple dirty flag - only set when user touches something
+	let isDirty = $state(false);
+
+	// Error dialog state
+	let operationError = $state<{ title: string; message: string; details?: string } | null>(null);
+
+
+	// ─── Path State (Simplified) ─────────────────────────────────────────────────
+	// Working paths: what we're currently editing (always strings, never null)
+	let workingComposePath = $state('');
+	let workingEnvPath = $state('');
+
+	// Original paths: loaded from server (for dirty/change detection in edit mode)
+	let originalComposePath = $state<string | null>(null);
+	let originalEnvPath = $state<string | null>(null);
+
+	// Auto-computed path from API (for create mode - tracks what the default would be)
+	let autoComputedComposePath = $state('');
+
+	// Path source info (for hint display)
+	let pathSource = $state<'default' | 'custom' | 'browsed' | null>(null);
+
+	// UI state
+	let composePathCopied = $state(false);
+	let envPathCopied = $state(false);
+	let needsFileLocation = $state(false);
+
+	// Container info for untracked stacks
+	let stackContainers = $state<{ name: string; state: string; image: string }[]>([]);
+
+	// Derived: has user customized the compose path from auto-computed default?
+	const isComposePathCustom = $derived(
+		workingComposePath !== '' && workingComposePath !== autoComputedComposePath
+	);
+
+	// Derived: suggested env path when workingEnvPath is empty
+	const suggestedEnvPath = $derived(
+		!workingEnvPath && workingComposePath
+			? workingComposePath.replace(/\/[^/]+$/, '/.env')
+			: null
+	);
+
+	// Derived: display path for env (actual or suggested)
+	const displayEnvPath = $derived(workingEnvPath || suggestedEnvPath || '');
+
+	// Derived: is env path just a suggestion (not explicitly set)?
+	const isEnvPathSuggested = $derived(!workingEnvPath && !!suggestedEnvPath);
+
+	// Derived: source hint text for the path bar (only in create mode)
+	const pathSourceHint = $derived.by(() => {
+		if (mode !== 'create' || !workingComposePath) return undefined;
+		switch (pathSource) {
+			case 'browsed':
+				return 'Custom location';
+			case 'custom':
+				return 'Using saved location';
+			case 'default':
+				return 'Using default location';
+			default:
+				return undefined;
+		}
+	});
+
+	// Path change confirmation dialog state
+	let showPathChangeConfirm = $state(false);
+	let pathChangeOldDir = $state<string | null>(null); // Old directory to move files from
+	let pathChangeFileCount = $state(0); // Number of files in old directory
+	let pendingSaveRestart = $state(false); // Whether user clicked "Save & restart" vs "Save"
+
+	// Browse confirmation dialog state (when selecting different file would replace content)
+	let showBrowseConfirm = $state(false);
+	let pendingBrowsePath = $state<string | null>(null);
+	let pendingBrowseName = $state<string | null>(null);
+
+	// Single file browser with dynamic config
+	let showFileBrowser = $state(false);
+	let fileBrowserConfig = $state<{
+		title: string;
+		icon?: Component<{ class?: string }>;
+		selectFilter?: RegExp;
+		selectMode: 'file' | 'directory' | 'file_or_directory';
+		onSelect: (path: string, name: string) => void;
+	}>({
+		title: '',
+		icon: undefined,
+		selectFilter: /.*/,
+		selectMode: 'file',
+		onSelect: () => {}
+	});
+
+	function openComposeBrowser() {
+		// For untracked stacks (needsFileLocation), only allow selecting files
+		// For tracked stacks, allow both files and directories
+		const isUntracked = needsFileLocation;
+		fileBrowserConfig = {
+			title: isUntracked ? 'Select compose file' : 'Select compose file or directory',
+			selectFilter: /\.ya?ml$/,
+			selectMode: isUntracked ? 'file' : 'file_or_directory',
+			onSelect: handleComposeSelect
+		};
+		showFileBrowser = true;
+	}
+
+	function openEnvBrowser() {
+		fileBrowserConfig = {
+			title: 'Select environment file or directory',
+			selectFilter: /\.env($|\.)/,  // matches .env, .env.local, app.env, etc.
+			selectMode: 'file_or_directory',
+			onSelect: handleEnvSelect
+		};
+		showFileBrowser = true;
+	}
+
+	function openChangeLocationBrowser() {
+		const displayName = mode === 'edit' ? stackName : newStackName;
+		fileBrowserConfig = {
+			title: `Relocate ${displayName}`,
+			icon: FolderSync,
+			selectMode: 'directory',
+			onSelect: handleChangeLocation
+		};
+		showFileBrowser = true;
+	}
+
+	// State for change location confirmation
+	let pendingNewLocation = $state<string | null>(null);
+	let pendingNewComposePath = $state<string | null>(null);
+	let pendingNewEnvPath = $state<string | null>(null);
+	let showChangeLocationConfirm = $state(false);
+	let changeLocationFileCount = $state(0);
+	let changeLocationOldDir = $state<string | null>(null);
+	let movingLocation = $state(false);
+
+	async function handleChangeLocation(selectedDir: string, _name: string) {
+		showFileBrowser = false;
+
+		// Get the current compose filename
+		const currentComposePath = workingComposePath;
+		const composeFilename = currentComposePath ? currentComposePath.split('/').pop() : 'docker-compose.yml';
+
+		// Build new paths: create a subfolder with the stack name inside selected directory
+		const displayName = mode === 'edit' ? stackName : newStackName;
+		const newDir = `${selectedDir}/${displayName}`;
+		const newComposePath = `${newDir}/${composeFilename}`;
+		const newEnvPath = workingEnvPath ? `${newDir}/.env` : '';
+
+		// Check if old directory has files to move
+		const envId = $currentEnvironment?.id ?? null;
+		try {
+			const response = await fetch(
+				appendEnvParam(`/api/stacks/${encodeURIComponent(stackName)}/check-path-change`, envId),
+				{
+					method: 'POST',
+					headers: { 'Content-Type': 'application/json' },
+					body: JSON.stringify({ newComposePath })
+				}
+			);
+
+			if (response.ok) {
+				const data = await response.json();
+				if (data.hasChanges && data.oldDir && data.fileCount > 0) {
+					// Show confirmation dialog
+					pendingNewLocation = newDir;
+					pendingNewComposePath = newComposePath;
+					pendingNewEnvPath = newEnvPath;
+					changeLocationOldDir = data.oldDir;
+					changeLocationFileCount = data.fileCount;
+					showChangeLocationConfirm = true;
+					return;
+				}
+			}
+		} catch (e) {
+			console.warn('Failed to check path changes:', e);
+		}
+
+		// No files to move, just update paths
+		workingComposePath = newComposePath;
+		workingEnvPath = newEnvPath;
+		isDirty = true;
+	}
+
+	function cancelChangeLocation() {
+		showChangeLocationConfirm = false;
+		pendingNewLocation = null;
+		pendingNewComposePath = null;
+		pendingNewEnvPath = null;
+		changeLocationOldDir = null;
+		changeLocationFileCount = 0;
+	}
+
+	async function confirmChangeLocation() {
+		if (!pendingNewComposePath || !changeLocationOldDir) return;
+
+		movingLocation = true;
+		const envId = $currentEnvironment?.id ?? null;
+
+		try {
+			// Call API to move files
+			const response = await fetch(
+				appendEnvParam(`/api/stacks/${encodeURIComponent(stackName)}/relocate`, envId),
+				{
+					method: 'POST',
+					headers: { 'Content-Type': 'application/json' },
+					body: JSON.stringify({
+						oldDir: changeLocationOldDir,
+						newComposePath: pendingNewComposePath,
+						newEnvPath: pendingNewEnvPath || undefined
+					})
+				}
+			);
+
+			if (!response.ok) {
+				const data = await response.json();
+				throw new Error(data.error || 'Failed to move files');
+			}
+
+			const result = await response.json();
+
+			// Update paths
+			workingComposePath = pendingNewComposePath;
+			workingEnvPath = pendingNewEnvPath || '';
+			originalComposePath = pendingNewComposePath;
+			originalEnvPath = pendingNewEnvPath || null;
+
+			// Reload content from new location
+			if (result.composeContent) {
+				composeContent = result.composeContent;
+			}
+			if (result.envVars) {
+				envVars = result.envVars;
+			}
+			if (result.rawEnvContent !== undefined) {
+				rawEnvContent = result.rawEnvContent;
+			}
+
+			// Reset dirty flag since we just reloaded
+			isDirty = false;
+
+		} catch (e: any) {
+			operationError = {
+				title: 'Failed to move files',
+				message: e.message || 'An error occurred while moving files'
+			};
+		} finally {
+			movingLocation = false;
+			showChangeLocationConfirm = false;
+			pendingNewLocation = null;
+			pendingNewComposePath = null;
+			pendingNewEnvPath = null;
+			changeLocationOldDir = null;
+			changeLocationFileCount = 0;
+		}
+	}
+
+	// Generic copy function that returns a reset callback
+	function copyToClipboard(text: string | null, setCopied: (v: boolean) => void) {
+		if (text) {
+			navigator.clipboard.writeText(text);
+			setCopied(true);
+			setTimeout(() => setCopied(false), 2000);
+		}
+	}
+
+	// Parse env vars from raw content
+	function parseEnvVarsFromRaw(content: string) {
+		const vars: EnvVar[] = [];
+		const lines = content.split('\n');
+		for (const line of lines) {
+			const trimmed = line.trim();
+			if (!trimmed || trimmed.startsWith('#')) continue;
+			const eqIndex = trimmed.indexOf('=');
+			if (eqIndex > 0) {
+				const key = trimmed.substring(0, eqIndex);
+				const value = trimmed.substring(eqIndex + 1);
+				vars.push({ key, value, isSecret: false });
+			}
+		}
+		envVars = vars;
+	}
+
+	// Handle compose file selection from browser
+	async function handleComposeSelect(path: string, name: string) {
+		const isDirectory = !path.match(/\.ya?ml$/i);
+
+		// If selecting a file in edit mode with existing content, show confirmation
+		if (mode === 'edit' && !isDirectory && composeContent.trim()) {
+			// Check if it's the same file (no confirmation needed)
+			const normalizedPath = path.endsWith('/') ? path.slice(0, -1) : path;
+			if (normalizedPath !== workingComposePath) {
+				pendingBrowsePath = path;
+				pendingBrowseName = name;
+				showBrowseConfirm = true;
+				showFileBrowser = false;
+				return;
+			}
+		}
+
+		// Continue with file selection
+		await proceedWithComposeSelect(path, name);
+	}
+
+	// Proceed with compose file selection (after optional confirmation)
+	async function proceedWithComposeSelect(path: string, name: string) {
+		// Check if it's a directory (no extension or doesn't end with .yml/.yaml)
+		const isDirectory = !path.match(/\.ya?ml$/i);
+		const baseDir = path.endsWith('/') ? path.slice(0, -1) : path;
+		let finalPath = path;
+
+		if (isDirectory) {
+			const stackName = newStackName.trim();
+			if (stackName) {
+				// If we have a stack name, include the subfolder
+				finalPath = `${baseDir}/${stackName}/docker-compose.yml`;
+			} else {
+				// No stack name yet - just show the selected directory
+				finalPath = `${baseDir}/`;
+			}
+		}
+
+		workingComposePath = finalPath;
+		pathSource = 'browsed';
+		showFileBrowser = false;
+
+		// Auto-suggest .env in the same directory (only if we have a full path)
+		if (!isDirectory || newStackName.trim()) {
+			const dir = finalPath.replace(/\/[^/]+$/, '');
+			if (!workingEnvPath) {
+				workingEnvPath = `${dir}/.env`;
+			}
+		}
+
+		// Load compose file content when selecting a file (not directory)
+		if (!isDirectory) {
+			await loadFilesFromLocalFilesystem(finalPath, workingEnvPath || suggestedEnvPath || '');
+		}
+		isDirty = true;
+	}
+
+	// Cancel browse confirmation
+	function cancelBrowseConfirm() {
+		showBrowseConfirm = false;
+		pendingBrowsePath = null;
+		pendingBrowseName = null;
+	}
+
+	// Confirm browse and load the new file
+	async function confirmBrowseAndLoad() {
+		showBrowseConfirm = false;
+		if (pendingBrowsePath && pendingBrowseName) {
+			await proceedWithComposeSelect(pendingBrowsePath, pendingBrowseName);
+		}
+		pendingBrowsePath = null;
+		pendingBrowseName = null;
+	}
+
+	// Handle env file selection from browser
+	async function handleEnvSelect(path: string, name: string) {
+		// Check if it's a directory (no extension or doesn't contain .env)
+		const isDirectory = !path.match(/\.env($|\.)/i);
+		let finalPath = path;
+		if (isDirectory) {
+			// Append default env filename
+			finalPath = path.endsWith('/') ? `${path}.env` : `${path}/.env`;
+		}
+
+		workingEnvPath = finalPath;
+		showFileBrowser = false;
+
+		// Load env content when selecting a file (not directory)
+		if (!isDirectory) {
+			try {
+				const envResponse = await fetch(`/api/system/files/content?path=${encodeURIComponent(finalPath)}`);
+				if (envResponse.ok) {
+					const envData = await envResponse.json();
+					rawEnvContent = envData.content || '';
+					parseEnvVarsFromRaw(rawEnvContent);
+				} else {
+					rawEnvContent = '';
+				}
+			} catch (e) {
+				console.error('Failed to load env file:', e);
+			}
+		}
+		isDirty = true;
+	}
+
+	// Load files from local filesystem (when user selects paths)
+	async function loadFilesFromLocalFilesystem(composeFilePath: string, envFilePath: string) {
+		try {
+			// Load compose file
+			const composeResponse = await fetch(`/api/system/files/content?path=${encodeURIComponent(composeFilePath)}`);
+			if (composeResponse.ok) {
+				const composeData = await composeResponse.json();
+				composeContent = composeData.content || '';
+				workingComposePath = composeFilePath;
+				// Clear the needsFileLocation flag since we now have content
+				needsFileLocation = false;
+				stackContainers = [];
+			} else {
+				const err = await composeResponse.json();
+				console.error('Failed to load compose file:', err.error);
+			}
+
+			// Try to load .env file (only set workingEnvPath if it exists)
+			if (envFilePath) {
+				const envResponse = await fetch(`/api/system/files/content?path=${encodeURIComponent(envFilePath)}`);
+				if (envResponse.ok) {
+					const envData = await envResponse.json();
+					rawEnvContent = envData.content || '';
+					workingEnvPath = envFilePath;
+					parseEnvVarsFromRaw(rawEnvContent);
+				} else {
+					// .env file not found - clear env path
+					rawEnvContent = '';
+					workingEnvPath = '';
+				}
+			}
+		} catch (e) {
+			console.error('Failed to load files:', e);
+		}
+	}
+
+	// CodeEditor reference for explicit marker updates
+	let codeEditorRef: CodeEditor | null = $state(null);
+
+	// ComposeGraphViewer reference for resize on panel toggle
+	let graphViewerRef: ComposeGraphViewer | null = $state(null);
+
+	// EnvVarsPanel reference for sync before save
+	let envVarsPanelRef: StackEnvVarsPanel | null = $state(null);
+
+	// Resizable split panel state
+	let splitRatio = $state(60); // percentage for compose panel
+	let isDraggingSplit = $state(false);
+	let containerRef: HTMLDivElement | null = $state(null);
+
+	// Debounce timer for validation
+	let validateTimer: ReturnType<typeof setTimeout> | null = null;
+
+	const defaultCompose = `version: "3.8"
+
+services:
+  app:
+    image: nginx:alpine
+    ports:
+      - "8080:80"
+    environment:
+      - APP_ENV=\${APP_ENV:-production}
+    volumes:
+      - ./html:/usr/share/nginx/html:ro
+    restart: unless-stopped
+
+# Add more services as needed
+# networks:
+#   default:
+#     driver: bridge
+`;
+
+	// Count of defined environment variables (with non-empty keys)
+	const envVarCount = $derived(envVars.filter(v => v.key.trim()).length);
+
+	// Build a lookup map from envVars for quick access
+	const envVarMap = $derived.by(() => {
+		const map = new Map<string, { value: string; isSecret: boolean }>();
+		for (const v of envVars) {
+			if (v.key.trim()) {
+				map.set(v.key.trim(), { value: v.value, isSecret: v.isSecret });
+			}
+		}
+		return map;
+	});
+
+	// Compute variable markers for the code editor (with values for overlay)
+	const variableMarkers = $derived.by<VariableMarker[]>(() => {
+		if (!envValidation) return [];
+
+		const markers: VariableMarker[] = [];
+
+		// Add missing required variables
+		for (const name of envValidation.missing) {
+			const env = envVarMap.get(name);
+			markers.push({
+				name,
+				type: 'missing',
+				value: env?.value,
+				isSecret: env?.isSecret
+			});
+		}
+
+		// Add defined required variables
+		for (const name of envValidation.required) {
+			if (!envValidation.missing.includes(name)) {
+				const env = envVarMap.get(name);
+				markers.push({
+					name,
+					type: 'required',
+					value: env?.value,
+					isSecret: env?.isSecret
+				});
+			}
+		}
+
+		// Add optional variables
+		for (const name of envValidation.optional) {
+			const env = envVarMap.get(name);
+			markers.push({
+				name,
+				type: 'optional',
+				value: env?.value,
+				isSecret: env?.isSecret
+			});
+		}
+
+		return markers;
+	});
+
+	// Stable callback for compose content changes - avoids stale closure issues
+	function handleComposeChange(value: string) {
+		composeContent = value;
+		isDirty = true;
+		debouncedValidate();
+	}
+
+	// Debounced validation to avoid too many API calls while typing
+	function debouncedValidate() {
+		if (validateTimer) clearTimeout(validateTimer);
+		validateTimer = setTimeout(() => {
+			validateEnvVars();
+		}, 1000);
+	}
+
+	// Explicitly push markers to the editor (immediate=true since this is called after validation)
+	function updateEditorMarkers() {
+		if (!codeEditorRef) return;
+		codeEditorRef.updateVariableMarkers(variableMarkers, true);
+	}
+
+	// Mark dirty when env vars change
+	function markDirty() {
+		isDirty = true;
+	}
+
+	// Display title
+	const displayName = $derived(mode === 'edit' ? stackName : (newStackName || 'New stack'));
+
+	onMount(() => {
+		// Load saved editor theme, or fall back to app theme / system preference
+		const savedEditorTheme = localStorage.getItem('dockhand-editor-theme');
+		if (savedEditorTheme === 'dark' || savedEditorTheme === 'light') {
+			editorTheme = savedEditorTheme;
+		} else {
+			const appTheme = localStorage.getItem('theme');
+			if (appTheme === 'dark' || appTheme === 'light') {
+				editorTheme = appTheme;
+			} else {
+				// Fallback to system preference
+				editorTheme = window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'light';
+			}
+		}
+
+		// Load saved split ratio
+		const savedSplit = localStorage.getItem(STORAGE_KEY_SPLIT);
+		if (savedSplit) {
+			const ratio = parseFloat(savedSplit);
+			if (!isNaN(ratio) && ratio >= 30 && ratio <= 80) {
+				splitRatio = ratio;
+			}
+		}
+
+		// Add global mouse event listeners for split dragging
+		window.addEventListener('mousemove', handleMouseMove);
+		window.addEventListener('mouseup', handleMouseUp);
+	});
+
+	onDestroy(() => {
+		window.removeEventListener('mousemove', handleMouseMove);
+		window.removeEventListener('mouseup', handleMouseUp);
+	});
+
+	// Split panel drag handlers
+	function startSplitDrag(e: MouseEvent) {
+		e.preventDefault();
+		isDraggingSplit = true;
+	}
+
+	function handleMouseMove(e: MouseEvent) {
+		if (isDraggingSplit && containerRef) {
+			const rect = containerRef.getBoundingClientRect();
+			const newRatio = ((e.clientX - rect.left) / rect.width) * 100;
+			splitRatio = Math.max(30, Math.min(80, newRatio));
+		}
+	}
+
+	function handleMouseUp() {
+		if (isDraggingSplit) {
+			isDraggingSplit = false;
+			// Save split ratio
+			localStorage.setItem(STORAGE_KEY_SPLIT, splitRatio.toString());
+		}
+	}
+
+	async function loadComposeFile() {
+		if (mode !== 'edit' || !stackName) return;
+
+		loading = true;
+		loadError = null;
+		error = null;
+		needsFileLocation = false;
+
+		try {
+			const envId = $currentEnvironment?.id ?? null;
+
+			// Load compose file
+			const response = await fetch(appendEnvParam(`/api/stacks/${encodeURIComponent(stackName)}/compose`, envId));
+			const data = await response.json();
+
+			if (!response.ok) {
+				// Check if this stack needs file location selection
+				if (data.needsFileLocation) {
+					needsFileLocation = true;
+					// Initialize paths from response (may have suggested paths)
+					workingComposePath = data.composePath || '';
+					workingEnvPath = data.envPath || '';
+					// Show empty editors - user can browse for files
+					composeContent = '';
+					rawEnvContent = '';
+					loadError = null;
+					loading = false; // Important: stop loading spinner
+
+					// Fetch containers for this stack to show what's running
+					try {
+						const stacksRes = await fetch(appendEnvParam('/api/stacks', envId));
+						if (stacksRes.ok) {
+							const stacks = await stacksRes.json();
+							const thisStack = stacks.find((s: any) => s.name === stackName);
+							if (thisStack?.containerDetails) {
+								stackContainers = thisStack.containerDetails.map((c: any) => ({
+									name: c.name || 'unknown',
+									state: c.state || 'unknown',
+									image: c.image || 'unknown'
+								}));
+							}
+						}
+					} catch (e) {
+						console.error('Failed to fetch stack containers:', e);
+					}
+					return;
+				}
+				throw new Error(data.error || 'Failed to load compose file');
+			}
+
+			composeContent = data.content;
+			// Set working paths
+			workingComposePath = data.composePath || '';
+			workingEnvPath = data.envPath || '';
+			// Track original paths for detecting changes
+			originalComposePath = data.composePath || null;
+			originalEnvPath = data.envPath || null;
+
+			// Load both env endpoints in parallel, then process results together
+			const [envResponse, rawEnvResponse] = await Promise.all([
+				fetch(appendEnvParam(`/api/stacks/${encodeURIComponent(stackName)}/env`, envId)),
+				fetch(appendEnvParam(`/api/stacks/${encodeURIComponent(stackName)}/env/raw`, envId))
+			]);
+
+			// Process env vars from DB
+			let loadedVars: EnvVar[] = [];
+			if (envResponse.ok) {
+				const envData = await envResponse.json();
+				loadedVars = envData.variables || [];
+				hadExistingDbVars = loadedVars.length > 0;
+				existingSecretKeys = new Set(
+					loadedVars.filter(v => v.isSecret && v.key.trim()).map(v => v.key.trim())
+				);
+			}
+
+			// Process raw .env file content
+			let loadedRawContent = '';
+			if (rawEnvResponse.ok) {
+				const rawEnvData = await rawEnvResponse.json();
+				loadedRawContent = rawEnvData.content || '';
+			}
+
+			// Pass data directly to syncAfterLoad - no tick() needed
+			// This sets both envVars and rawEnvContent synchronously via the panel
+			loading = false;
+			await tick(); // Wait for panel ref to be available
+			envVarsPanelRef?.syncAfterLoad(loadedVars, loadedRawContent);
+			isDirty = false;
+
+		} catch (e: any) {
+			loadError = e.message;
+			loading = false;
+		}
+	}
+
+	async function validateEnvVars() {
+		const content = composeContent || defaultCompose;
+		if (!content.trim()) return;
+
+		validating = true;
+		try {
+			const envId = $currentEnvironment?.id ?? null;
+			// Use 'new' as placeholder stack name for new stacks
+			const stackNameForValidation = mode === 'edit' ? stackName : (newStackName.trim() || 'new');
+			// Pass current UI env vars for validation
+			const currentVars = envVars.filter(v => v.key.trim()).map(v => v.key.trim());
+			const response = await fetch(appendEnvParam(`/api/stacks/${encodeURIComponent(stackNameForValidation)}/env/validate`, envId), {
+				method: 'POST',
+				headers: { 'Content-Type': 'application/json' },
+				body: JSON.stringify({ compose: content, variables: currentVars })
+			});
+
+			if (response.ok) {
+				envValidation = await response.json();
+				// Explicitly update markers in the editor after validation
+				// Use setTimeout to ensure derived variableMarkers has updated
+				setTimeout(() => updateEditorMarkers(), 0);
+			}
+		} catch (e) {
+			console.error('Failed to validate env vars:', e);
+		} finally {
+			validating = false;
+		}
+	}
+
+	function toggleEditorTheme() {
+		editorTheme = editorTheme === 'light' ? 'dark' : 'light';
+		localStorage.setItem('dockhand-editor-theme', editorTheme);
+	}
+
+	function handleGraphContentChange(newContent: string) {
+		composeContent = newContent;
+	}
+
+	async function handleCreate(start: boolean = false) {
+		errors = {};
+		let hasErrors = false;
+
+		if (!newStackName.trim()) {
+			errors.stackName = 'Stack name is required';
+			hasErrors = true;
+		}
+
+		const content = composeContent || defaultCompose;
+		if (!content.trim()) {
+			errors.compose = 'Compose file content is required';
+			hasErrors = true;
+		}
+
+		if (hasErrors) return;
+
+		saving = true;
+		error = null;
+
+		// Prepare env vars for creating - syncs variables and rawContent
+		const prepared = envVarsPanelRef?.prepareForSave() || { rawContent: '', variables: [] };
+
+		try {
+			const envId = $currentEnvironment?.id ?? null;
+
+			// Build request body
+			const requestBody: Record<string, unknown> = {
+				name: newStackName.trim(),
+				compose: content,
+				start,
+				// Send raw env content (non-secrets only, preserves comments/formatting)
+				rawEnvContent: prepared.rawContent.trim() ? prepared.rawContent : undefined,
+				// Also send parsed vars for DB secret tracking (includes secrets)
+				envVars: prepared.variables.length > 0 ? prepared.variables.map(v => ({
+					key: v.key.trim(),
+					value: v.value,
+					isSecret: v.isSecret
+				})) : undefined
+			};
+
+			// Include custom paths if specified
+			if (workingComposePath.trim()) {
+				requestBody.composePath = workingComposePath.trim();
+			}
+			// Use working env path or suggested path
+			const envPathToSave = workingEnvPath.trim() || suggestedEnvPath || '';
+			if (envPathToSave) {
+				requestBody.envPath = envPathToSave;
+			}
+
+			// Create the stack
+			const response = await fetch(appendEnvParam('/api/stacks', envId), {
+				method: 'POST',
+				headers: { 'Content-Type': 'application/json' },
+				body: JSON.stringify(requestBody)
+			});
+
+			if (!response.ok) {
+				const data = await response.json();
+				throw new Error(data.error || 'Failed to create stack');
+			}
+
+			onSuccess();
+			handleClose();
+		} catch (e: any) {
+			operationError = {
+				title: 'Failed to create stack',
+				message: e.message || 'An error occurred while creating the stack',
+				details: e.details
+			};
+		} finally {
+			saving = false;
+		}
+	}
+
+	async function handleSave(restart = false, moveFromDir: string | null = null) {
+		errors = {};
+
+		// Validate compose content (unless file location is needed and we have a path)
+		if (!composeContent.trim() && !workingComposePath.trim()) {
+			errors.compose = 'Compose file content or path is required';
+			return;
+		}
+
+		// If file location is needed, require a compose path
+		if (needsFileLocation && !workingComposePath.trim()) {
+			errors.compose = 'Please select a compose file location';
+			return;
+		}
+
+		const envId = $currentEnvironment?.id ?? null;
+
+		// Check if directory has changed (edit mode only, and not already confirmed)
+		if (mode === 'edit' && !moveFromDir) {
+			const newComposePath = workingComposePath.trim() || null;
+
+			// Only check if compose path changed (which means directory changed)
+			if (newComposePath && originalComposePath && newComposePath !== originalComposePath) {
+				try {
+					const checkResponse = await fetch(
+						appendEnvParam(`/api/stacks/${encodeURIComponent(stackName)}/check-path-change`, envId),
+						{
+							method: 'POST',
+							headers: { 'Content-Type': 'application/json' },
+							body: JSON.stringify({ newComposePath })
+						}
+					);
+					if (checkResponse.ok) {
+						const checkData = await checkResponse.json();
+						if (checkData.hasChanges && checkData.oldDir && checkData.fileCount > 0) {
+							// Show confirmation dialog
+							pathChangeOldDir = checkData.oldDir;
+							pathChangeFileCount = checkData.fileCount;
+							pendingSaveRestart = restart;
+							showPathChangeConfirm = true;
+							return;
+						}
+					}
+				} catch (e) {
+					console.warn('Failed to check path changes:', e);
+					// Continue with save even if check fails
+				}
+			}
+		}
+
+		saving = true;
+		savingWithRestart = restart;
+		error = null;
+
+		// Prepare env vars for saving - syncs variables and rawContent
+		const prepared = envVarsPanelRef?.prepareForSave() || { rawContent: '', variables: [] };
+
+		// Resolve env path (use working or suggested)
+		const envPathToSave = workingEnvPath.trim() || suggestedEnvPath || '';
+
+		try {
+			// Build request body - include paths if they've been set/changed
+			const requestBody: Record<string, unknown> = {
+				content: composeContent,
+				restart
+			};
+
+			// Include compose path if set (either custom path or user selected)
+			if (workingComposePath.trim()) {
+				requestBody.composePath = workingComposePath.trim();
+			}
+
+			// Include env path - empty string means "no env file", null/undefined means "use default"
+			if (envPathToSave) {
+				requestBody.envPath = envPathToSave;
+			}
+
+			// Include old paths for file move/rename operations
+			if (originalComposePath && workingComposePath.trim() && originalComposePath !== workingComposePath.trim()) {
+				requestBody.oldComposePath = originalComposePath;
+			}
+			if (originalEnvPath && envPathToSave && originalEnvPath !== envPathToSave) {
+				requestBody.oldEnvPath = originalEnvPath;
+			}
+
+			// Include old directory to move files from if user confirmed
+			if (moveFromDir) {
+				requestBody.moveFromDir = moveFromDir;
+			}
+
+			// Save compose file (with optional paths)
+			const response = await fetch(
+				appendEnvParam(`/api/stacks/${encodeURIComponent(stackName)}/compose`, envId),
+				{
+					method: 'PUT',
+					headers: { 'Content-Type': 'application/json' },
+					body: JSON.stringify(requestBody)
+				}
+			);
+
+			const data = await response.json();
+
+			if (!response.ok) {
+				throw new Error(data.error || 'Failed to save compose file');
+			}
+
+			// Save raw content to .env file (non-secrets only, comments preserved)
+			const rawEnvResponse = await fetch(
+				appendEnvParam(`/api/stacks/${encodeURIComponent(stackName)}/env/raw`, envId),
+				{
+					method: 'PUT',
+					headers: { 'Content-Type': 'application/json' },
+					body: JSON.stringify({ content: prepared.rawContent })
+				}
+			);
+
+			if (!rawEnvResponse.ok) {
+				const rawEnvError = await rawEnvResponse.json().catch(() => ({ error: 'Failed to save environment file' }));
+				throw new Error(rawEnvError.error || 'Failed to save environment file');
+			}
+
+			// Save ALL vars to DB (includes secrets with real values)
+			const definedVars = prepared.variables;
+			if (definedVars.length > 0 || hadExistingDbVars) {
+				const envResponse = await fetch(
+					appendEnvParam(`/api/stacks/${encodeURIComponent(stackName)}/env`, envId),
+					{
+						method: 'PUT',
+						headers: { 'Content-Type': 'application/json' },
+						body: JSON.stringify({
+							variables: definedVars.map(v => ({
+								key: v.key.trim(),
+								value: v.value,
+								isSecret: v.isSecret
+							}))
+						})
+					}
+				);
+
+				if (!envResponse.ok) {
+					// Log but don't fail - DB stores secret metadata
+					console.warn('Failed to save environment variable metadata to database');
+				}
+
+				hadExistingDbVars = definedVars.length > 0;
+				existingSecretKeys = new Set(
+					definedVars.filter(v => v.isSecret && v.key.trim()).map(v => v.key.trim())
+				);
+			}
+
+			isDirty = false; // Reset dirty flag after successful save
+			onSuccess();
+
+			if (!restart) {
+				// Show success briefly then close
+				setTimeout(() => handleClose(), 500);
+			} else {
+				handleClose();
+			}
+		} catch (e: any) {
+			operationError = {
+				title: restart ? 'Failed to apply stack' : 'Failed to save stack',
+				message: e.message || (restart ? 'An error occurred while applying the stack' : 'An error occurred while saving the stack'),
+				details: e.details
+			};
+		} finally {
+			saving = false;
+		}
+	}
+
+	// Handle path change confirmation - move files to new location and proceed
+	function confirmPathChangeAndMove() {
+		showPathChangeConfirm = false;
+		handleSave(pendingSaveRestart, pathChangeOldDir);
+	}
+
+	// Handle path change - keep old files and proceed (just save without moving)
+	function confirmPathChangeKeepFiles() {
+		showPathChangeConfirm = false;
+		// Pass empty string to skip move check this time (not null, which means "not checked yet")
+		handleSave(pendingSaveRestart, '');
+	}
+
+	function tryClose() {
+		if (isDirty) {
+			showConfirmClose = true;
+		} else {
+			handleClose();
+		}
+	}
+
+	function handleClose() {
+		// Clear any pending validation timer
+		if (validateTimer) {
+			clearTimeout(validateTimer);
+			validateTimer = null;
+		}
+		// Reset all state
+		newStackName = '';
+		error = null;
+		loadError = null;
+		rawEnvContent = '';
+		errors = {};
+		composeContent = '';
+		envVars = [];
+		envValidation = null;
+		isDirty = false;
+		existingSecretKeys = new Set();
+		hadExistingDbVars = false;
+		activeTab = 'editor';
+		showConfirmClose = false;
+		codeEditorRef = null;
+		operationError = null;
+		// Reset path state
+		workingComposePath = '';
+		workingEnvPath = '';
+		originalComposePath = null;
+		originalEnvPath = null;
+		autoComputedComposePath = '';
+		pathSource = null;
+		needsFileLocation = false;
+		stackContainers = [];
+		showFileBrowser = false;
+		// Reset path change confirmation state
+		showPathChangeConfirm = false;
+		pathChangeOldDir = null;
+		pathChangeFileCount = 0;
+		pendingSaveRestart = false;
+		// Reset browse confirmation state
+		showBrowseConfirm = false;
+		pendingBrowsePath = null;
+		pendingBrowseName = null;
+		onClose();
+	}
+
+	function discardAndClose() {
+		showConfirmClose = false;
+		handleClose();
+	}
+
+	// Initialize when dialog opens - ONLY ONCE per open
+	let hasInitialized = $state(false);
+	$effect(() => {
+		if (open && !hasInitialized) {
+			hasInitialized = true;
+			if (mode === 'edit' && stackName) {
+				loadComposeFile().then(() => {
+					// Auto-validate after loading
+					validateEnvVars();
+				});
+			} else if (mode === 'create') {
+				// Set default compose content for create mode
+				composeContent = defaultCompose;
+				isDirty = false; // Reset dirty flag for new modal
+				loading = false;
+				// Auto-validate default compose
+				validateEnvVars();
+			}
+		} else if (!open) {
+			hasInitialized = false; // Reset when modal closes
+		}
+	});
+
+	// Re-validate when envVars change (adding/removing variables affects missing/defined status)
+	$effect(() => {
+		// Track envVars changes (this triggers on any modification to envVars array)
+		const vars = envVars;
+		if (!open || !envValidation) return;
+
+		// Debounce to avoid too many API calls while typing
+		const timeout = setTimeout(() => {
+			validateEnvVars();
+		}, 800);
+
+		return () => clearTimeout(timeout);
+	});
+
+	// Auto-update default paths when stack name changes in create mode
+	$effect(() => {
+		if (mode !== 'create' || !open) return;
+		// Don't overwrite if user has browsed and selected a path
+		if (pathSource === 'browsed') return;
+
+		const name = newStackName.trim();
+		const location = $appSettings.primaryStackLocation;
+
+		if (!name) {
+			// Clear paths when no name
+			workingComposePath = '';
+			workingEnvPath = '';
+			autoComputedComposePath = '';
+			pathSource = null;
+			return;
+		}
+
+		// Fetch the actual absolute path from the backend
+		const envId = $currentEnvironment?.id ?? null;
+		const fetchDefaultPath = async () => {
+			try {
+				const params = new URLSearchParams({ name });
+				if (envId) params.set('env', String(envId));
+				if (location) {
+					params.set('location', location);
+				}
+				const response = await fetch(`/api/stacks/default-path?${params}`);
+				if (response.ok) {
+					const data = await response.json();
+					// Check if user has customized before updating auto-computed
+					// Compare current working path against OLD auto path (before we update it)
+					const userHasCustomized = workingComposePath !== '' &&
+						workingComposePath !== autoComputedComposePath;
+					// Track the auto-computed path
+					autoComputedComposePath = data.composePath;
+					// Only update working paths if user hasn't customized
+					if (!userHasCustomized) {
+						workingComposePath = data.composePath;
+						workingEnvPath = data.envPath;
+						pathSource = data.source || 'default';
+					}
+				}
+			} catch (e) {
+				console.error('Failed to fetch default path:', e);
+			}
+		};
+		fetchDefaultPath();
+	});
+</script>
+
+<Dialog.Root
+	bind:open
+	onOpenChange={(isOpen) => {
+		if (isOpen) {
+			focusFirstInput();
+		} else {
+			// Prevent closing if there are unsaved changes - show confirmation instead
+			if (isDirty) {
+				// Re-open the dialog and show confirmation
+				open = true;
+				showConfirmClose = true;
+			} else {
+				// No unsaved changes - reset state
+				handleClose();
+			}
+		}
+	}}
+>
+	<Dialog.Content
+		class="max-w-none h-[95vh] flex flex-col p-0 gap-0 shadow-xl border-zinc-200 dark:border-zinc-700 {sidebar.state === 'collapsed' ? 'w-[calc(100vw-6rem)] ml-[1.5rem]' : 'w-[calc(100vw-12rem)] ml-[4.5rem]'}"
+		showCloseButton={false}
+	>
+		<Dialog.Header class="px-5 py-3 border-b border-zinc-200 dark:border-zinc-700 flex-shrink-0">
+			<div class="flex items-center justify-between">
+				<div class="flex items-center gap-3">
+					<div class="flex items-center gap-2">
+						<div class="p-1.5 rounded-md bg-zinc-200 dark:bg-zinc-700">
+							<Layers class="w-4 h-4 text-zinc-600 dark:text-zinc-300" />
+						</div>
+						<div>
+							<Dialog.Title class="text-sm font-semibold text-zinc-800 dark:text-zinc-100">
+								{#if mode === 'create'}
+									Create compose stack
+								{:else}
+									{stackName}
+								{/if}
+							</Dialog.Title>
+							<Dialog.Description class="text-xs text-zinc-500 dark:text-zinc-400">
+								{#if mode === 'create'}
+									Create a new Docker Compose stack
+								{:else}
+									Edit compose file and environment variables
+								{/if}
+							</Dialog.Description>
+						</div>
+					</div>
+				</div>
+
+				<div class="flex items-center gap-2">
+					<!-- View toggle -->
+					<div class="flex items-center gap-0.5 bg-zinc-200 dark:bg-zinc-700 rounded-md p-0.5">
+						<button
+							class="flex items-center gap-1.5 px-2.5 py-1 rounded text-xs transition-colors {activeTab === 'editor' ? 'bg-white dark:bg-zinc-900 text-zinc-800 dark:text-zinc-100 shadow-sm' : 'text-zinc-500 dark:text-zinc-400 hover:text-zinc-700 dark:hover:text-zinc-200'}"
+							onclick={() => activeTab = 'editor'}
+						>
+							<Code class="w-3.5 h-3.5" />
+							Editor
+						</button>
+						<button
+							class="flex items-center gap-1.5 px-2.5 py-1 rounded text-xs transition-colors {activeTab === 'graph' ? 'bg-white dark:bg-zinc-900 text-zinc-800 dark:text-zinc-100 shadow-sm' : 'text-zinc-500 dark:text-zinc-400 hover:text-zinc-700 dark:hover:text-zinc-200'}"
+							onclick={() => activeTab = 'graph'}
+						>
+							<GitGraph class="w-3.5 h-3.5" />
+							Graph
+						</button>
+					</div>
+
+					<!-- Theme toggle (only in editor mode) -->
+					{#if activeTab === 'editor'}
+						<button
+							onclick={toggleEditorTheme}
+							class="p-1.5 rounded-md text-zinc-400 dark:text-zinc-500 hover:text-zinc-600 dark:hover:text-zinc-300 hover:bg-zinc-200 dark:hover:bg-zinc-700 transition-colors"
+							title={editorTheme === 'light' ? 'Switch to dark theme' : 'Switch to light theme'}
+						>
+							{#if editorTheme === 'light'}
+								<Moon class="w-4 h-4" />
+							{:else}
+								<Sun class="w-4 h-4" />
+							{/if}
+						</button>
+					{/if}
+
+					<!-- Close button -->
+					<button
+						onclick={tryClose}
+						class="p-1.5 rounded-md text-zinc-400 dark:text-zinc-500 hover:text-zinc-600 dark:hover:text-zinc-300 hover:bg-zinc-200 dark:hover:bg-zinc-700 transition-colors"
+					>
+						<X class="w-4 h-4" />
+					</button>
+				</div>
+			</div>
+		</Dialog.Header>
+
+		<div class="flex-1 overflow-hidden flex flex-col min-h-0">
+			{#if errors.compose}
+				<Alert.Root variant="destructive" class="mx-6 mt-4">
+					<TriangleAlert class="h-4 w-4" />
+					<Alert.Description>{errors.compose}</Alert.Description>
+				</Alert.Root>
+			{/if}
+
+			{#if mode === 'edit' && loading}
+				<div class="flex-1 flex items-center justify-center">
+					<div class="flex items-center gap-3 text-zinc-400 dark:text-zinc-500">
+						<Loader2 class="w-5 h-5 animate-spin" />
+						<span>Loading compose file...</span>
+					</div>
+				</div>
+			{:else}
+				<!-- Stack name and location inputs (create mode only) -->
+				{#if mode === 'create'}
+					<div class="px-6 py-4 border-b border-zinc-200 dark:border-zinc-700">
+						<div class="flex gap-4 items-start">
+							<div class="flex-1 max-w-xs space-y-1">
+								<Label for="stack-name">Stack name</Label>
+								<Input
+									id="stack-name"
+									bind:value={newStackName}
+									placeholder="my-stack"
+									class={errors.stackName ? 'border-destructive focus-visible:ring-destructive' : ''}
+									oninput={() => errors.stackName = undefined}
+								/>
+								{#if errors.stackName}
+									<p class="text-xs text-destructive">{errors.stackName}</p>
+								{/if}
+							</div>
+						</div>
+					</div>
+				{/if}
+
+				<!-- File location needed banner -->
+				{#if mode === 'edit' && needsFileLocation}
+					<div class="px-4 py-3 border-b border-zinc-200 dark:border-zinc-700 bg-amber-50/50 dark:bg-amber-950/20">
+						<div class="flex items-start gap-3">
+							<AlertCircle class="w-4 h-4 shrink-0 text-amber-500 mt-0.5" />
+							<div class="flex-1 min-w-0">
+								<p class="text-sm text-zinc-600 dark:text-zinc-400 mb-2">
+									<span class="font-medium text-amber-800 dark:text-amber-300">Untracked stack.</span> Select the compose file location to start managing this stack with Dockhand.
+								</p>
+								{#if stackContainers.length > 0}
+									<div class="text-xs text-zinc-500 dark:text-zinc-400">
+										<span class="font-medium text-zinc-700 dark:text-zinc-300">Running containers:</span>
+										<div class="mt-1.5 flex flex-wrap gap-1.5">
+											{#each stackContainers as container}
+												<span class="inline-flex items-center gap-1.5 px-2 py-0.5 rounded-full text-xs {container.state === 'running' ? 'bg-green-100 text-green-800 dark:bg-green-900/40 dark:text-green-300' : 'bg-zinc-100 text-zinc-600 dark:bg-zinc-800 dark:text-zinc-400'}">
+													<Box class="w-3 h-3" />
+													{container.name}
+												</span>
+											{/each}
+										</div>
+									</div>
+								{/if}
+							</div>
+						</div>
+					</div>
+				{/if}
+
+				<!-- Content area -->
+				<div bind:this={containerRef} class="flex-1 min-h-0 flex flex-col {isDraggingSplit ? 'select-none' : ''}">
+					{#if activeTab === 'editor'}
+						<!-- Path bars row -->
+						<div class="flex border-b border-zinc-200 dark:border-zinc-700 bg-zinc-50 dark:bg-zinc-800/30">
+							<!-- Compose path -->
+							<div class="flex-shrink-0 px-4 py-2" style="width: {splitRatio}%">
+								<PathBarItem
+									label="Compose file"
+									path={workingComposePath || null}
+									placeholder="/path/to/docker-compose.yml"
+									copied={composePathCopied}
+									onCopy={() => copyToClipboard(workingComposePath, (v) => composePathCopied = v)}
+									onBrowse={openComposeBrowser}
+									onChangeLocation={mode === 'edit' && !needsFileLocation ? openChangeLocationBrowser : undefined}
+									defaultText={mode === 'create' ? 'Enter stack name above' : 'Not specified'}
+									sourceHint={pathSourceHint}
+								/>
+							</div>
+							<!-- Divider spacer -->
+							<div class="w-1 flex-shrink-0"></div>
+							<!-- Env path -->
+							<div class="flex-1 min-w-0 px-4 py-2 bg-zinc-100/50 dark:bg-zinc-800/50">
+								<PathBarItem
+									label="Env file"
+									path={displayEnvPath || null}
+									selectedPath={workingEnvPath || suggestedEnvPath || ''}
+									placeholder="/path/to/.env (optional)"
+									copied={envPathCopied}
+									onCopy={() => copyToClipboard(displayEnvPath, (v) => envPathCopied = v)}
+									onBrowse={openEnvBrowser}
+									isEditable={true}
+									isCustom={!!workingEnvPath}
+									defaultText={mode === 'create' ? 'Enter stack name above' : 'Not specified'}
+									isSuggested={isEnvPathSuggested}
+									onPathChange={(value) => {
+										workingEnvPath = value;
+										isDirty = true;
+									}}
+								/>
+							</div>
+						</div>
+						<!-- Editor panels row -->
+						<div class="flex-1 min-h-0 flex">
+							<!-- Compose editor panel -->
+							<div class="flex-shrink-0 flex flex-col min-w-0" style="width: {splitRatio}%">
+								{#if open}
+									<div class="flex-1 p-3 min-h-0">
+										{#if needsFileLocation && !composeContent}
+											<!-- Empty state for untracked stacks -->
+											<div class="h-full rounded-md border border-dashed border-zinc-300 dark:border-zinc-600 bg-zinc-50 dark:bg-zinc-800/30 flex flex-col items-center justify-center text-center px-8">
+												<FolderOpen class="w-12 h-12 text-zinc-300 dark:text-zinc-600 mb-4" />
+												<h3 class="text-sm font-medium text-zinc-700 dark:text-zinc-300 mb-2">No compose file selected</h3>
+												<p class="text-xs text-zinc-500 dark:text-zinc-400 mb-4 max-w-sm">
+													Browse to locate the compose file for this stack. The editor will load the file contents once selected.
+												</p>
+												<Button variant="outline" size="sm" onclick={openComposeBrowser}>
+													<FolderOpen class="w-4 h-4 mr-2" />
+													Browse for compose file
+												</Button>
+												<!-- Info box explaining what happens -->
+												<div class="mt-6 max-w-md flex items-start gap-2.5 text-xs bg-zinc-100 dark:bg-zinc-800/50 border border-zinc-200 dark:border-zinc-700 rounded-md px-3 py-2.5 text-left">
+													<Info class="w-4 h-4 text-amber-500 shrink-0 mt-0.5" />
+													<span><span class="font-medium text-amber-600 dark:text-amber-400">What happens when you select a file:</span> <span class="text-zinc-600 dark:text-zinc-400">Dockhand will track this compose file, letting you edit, start, and stop the stack from the UI. Your files stay in their current location.</span></span>
+												</div>
+											</div>
+										{:else}
+											<CodeEditor
+												bind:this={codeEditorRef}
+												value={composeContent}
+												language="yaml"
+												theme={editorTheme}
+												onchange={handleComposeChange}
+												variableMarkers={variableMarkers}
+												class="h-full rounded-md overflow-hidden border border-zinc-200 dark:border-zinc-700"
+											/>
+										{/if}
+									</div>
+								{/if}
+							</div>
+							<!-- Resizable divider -->
+							<div
+								class="w-1 flex-shrink-0 bg-zinc-200 dark:bg-zinc-700 hover:bg-blue-400 dark:hover:bg-blue-500 cursor-col-resize transition-colors flex items-center justify-center group {isDraggingSplit ? 'bg-blue-500 dark:bg-blue-400' : ''}"
+								onmousedown={startSplitDrag}
+								role="separator"
+								aria-orientation="vertical"
+								tabindex="0"
+							>
+								<div class="w-4 h-8 flex items-center justify-center opacity-0 group-hover:opacity-100 transition-opacity {isDraggingSplit ? 'opacity-100' : ''}">
+									<GripVertical class="w-3 h-3 text-white" />
+								</div>
+							</div>
+							<!-- Environment variables panel -->
+							<div class="flex-1 min-w-0 flex flex-col overflow-hidden bg-zinc-50 dark:bg-zinc-800/50">
+								<StackEnvVarsPanel
+									bind:this={envVarsPanelRef}
+									bind:variables={envVars}
+									bind:rawContent={rawEnvContent}
+									validation={envValidation}
+									existingSecretKeys={mode === 'edit' ? existingSecretKeys : new Set()}
+									onchange={() => { markDirty(); debouncedValidate(); }}
+									theme={editorTheme}
+									infoText="These variables will be written to a .env file in the stack directory."
+								/>
+							</div>
+						</div>
+					{:else if activeTab === 'graph'}
+						<!-- Graph tab: Full width -->
+						<ComposeGraphViewer
+							bind:this={graphViewerRef}
+							composeContent={composeContent || defaultCompose}
+							class="h-full flex-1"
+							onContentChange={handleGraphContentChange}
+						/>
+					{/if}
+				</div>
+			{/if}
+		</div>
+
+		<!-- Footer -->
+		<div class="px-5 py-2.5 border-t border-zinc-200 dark:border-zinc-700 flex items-center justify-between flex-shrink-0">
+			<div class="text-xs text-zinc-500 dark:text-zinc-400">
+				{#if isDirty}
+					<span class="text-amber-600 dark:text-amber-500">Unsaved changes</span>
+				{:else}
+					No changes
+				{/if}
+			</div>
+
+			<div class="flex items-center gap-2">
+				<Button variant="outline" onclick={tryClose} disabled={saving}>
+					Cancel
+				</Button>
+
+				{#if mode === 'create'}
+					<!-- Create mode buttons -->
+					<Button variant="outline" onclick={() => handleCreate(false)} disabled={saving}>
+						{#if saving}
+							<Loader2 class="w-4 h-4 mr-2 animate-spin" />
+							Creating...
+						{:else}
+							<Save class="w-4 h-4 mr-2" />
+							Create
+						{/if}
+					</Button>
+					<Button onclick={() => handleCreate(true)} disabled={saving}>
+						{#if saving}
+							<Loader2 class="w-4 h-4 mr-2 animate-spin" />
+							Starting...
+						{:else}
+							<Play class="w-4 h-4 mr-2" />
+							Create & Start
+						{/if}
+					</Button>
+				{:else}
+					<!-- Edit mode buttons -->
+					<Button variant="outline" class="w-24" onclick={() => handleSave(false)} disabled={saving || loading || (needsFileLocation && !workingComposePath.trim())}>
+						{#if saving && !savingWithRestart}
+							<Loader2 class="w-4 h-4 mr-2 animate-spin" />
+							Saving...
+						{:else}
+							<Save class="w-4 h-4 mr-2" />
+							Save
+						{/if}
+					</Button>
+					<Button class="w-36" onclick={() => handleSave(true)} disabled={saving || loading || (needsFileLocation && !workingComposePath.trim())}>
+						{#if saving && savingWithRestart}
+							<Loader2 class="w-4 h-4 mr-2 animate-spin" />
+							Restarting...
+						{:else}
+							<Play class="w-4 h-4 mr-2" />
+							Save & restart
+						{/if}
+					</Button>
+				{/if}
+			</div>
+		</div>
+	</Dialog.Content>
+</Dialog.Root>
+
+<!-- Unsaved changes confirmation dialog -->
+<Dialog.Root bind:open={showConfirmClose}>
+	<Dialog.Content class="max-w-sm">
+		<Dialog.Header>
+			<Dialog.Title>Unsaved changes</Dialog.Title>
+			<Dialog.Description>
+				You have unsaved changes. Are you sure you want to close without saving?
+			</Dialog.Description>
+		</Dialog.Header>
+		<div class="flex justify-end gap-1.5 mt-4">
+			<Button variant="outline" size="sm" onclick={() => showConfirmClose = false}>
+				Continue editing
+			</Button>
+			<Button variant="destructive" size="sm" onclick={discardAndClose}>
+				Discard changes
+			</Button>
+		</div>
+	</Dialog.Content>
+</Dialog.Root>
+
+<!-- Path change confirmation dialog -->
+<Dialog.Root bind:open={showPathChangeConfirm}>
+	<Dialog.Content class="max-w-md">
+		<Dialog.Header>
+			<Dialog.Title>Move stack files?</Dialog.Title>
+			<Dialog.Description>
+				You've changed the stack location. There {pathChangeFileCount === 1 ? 'is' : 'are'} {pathChangeFileCount} file{pathChangeFileCount === 1 ? '' : 's'} in the old location that can be moved to the new location.
+			</Dialog.Description>
+		</Dialog.Header>
+		{#if pathChangeOldDir}
+			<div class="my-3 text-sm">
+				<div class="flex items-center gap-2 text-muted-foreground font-mono text-xs bg-muted/50 px-2 py-1 rounded">
+					<FolderOpen class="w-3.5 h-3.5 shrink-0 text-amber-500" />
+					{pathChangeOldDir}
+				</div>
+			</div>
+		{/if}
+		<p class="text-sm text-muted-foreground">
+			Would you like to move all files to the new location, or leave them in place?
+		</p>
+		<div class="flex justify-end gap-1.5 mt-4">
+			<Button variant="outline" size="sm" onclick={() => showPathChangeConfirm = false}>
+				Cancel
+			</Button>
+			<Button variant="secondary" size="sm" onclick={confirmPathChangeKeepFiles}>
+				Leave files
+			</Button>
+			<Button variant="default" size="sm" onclick={confirmPathChangeAndMove}>
+				<ArrowRight class="w-3.5 h-3.5 mr-1" />
+				Move files
+			</Button>
+		</div>
+	</Dialog.Content>
+</Dialog.Root>
+
+<!-- Browse confirmation dialog (when selecting different file would replace content) -->
+<Dialog.Root bind:open={showBrowseConfirm}>
+	<Dialog.Content class="max-w-lg">
+		<Dialog.Header>
+			<Dialog.Title>Replace editor content?</Dialog.Title>
+			<Dialog.Description>
+				Loading a different compose file will replace the current editor content.
+			</Dialog.Description>
+		</Dialog.Header>
+		<div class="my-3 space-y-2 text-sm">
+			<div class="flex items-start gap-2 text-muted-foreground">
+				<span class="text-xs font-medium text-zinc-500 shrink-0 pt-0.5">Current:</span>
+				<code class="text-xs font-mono bg-muted px-1.5 py-0.5 rounded break-all">
+					{workingComposePath || '(unsaved)'}
+				</code>
+			</div>
+			<div class="flex items-start gap-2">
+				<ArrowRight class="w-3.5 h-3.5 text-amber-500 shrink-0 mt-0.5" />
+				<span class="text-xs font-medium text-zinc-500 shrink-0 pt-0.5">New:</span>
+				<code class="text-xs font-mono bg-muted px-1.5 py-0.5 rounded break-all">
+					{pendingBrowsePath}
+				</code>
+			</div>
+		</div>
+		<div class="flex justify-end gap-1.5 mt-4">
+			<Button variant="outline" size="sm" onclick={cancelBrowseConfirm}>
+				Cancel
+			</Button>
+			<Button variant="default" size="sm" onclick={confirmBrowseAndLoad}>
+				Replace content
+			</Button>
+		</div>
+	</Dialog.Content>
+</Dialog.Root>
+
+<!-- Change location confirmation dialog -->
+<Dialog.Root bind:open={showChangeLocationConfirm}>
+	<Dialog.Content class="max-w-lg">
+		<Dialog.Header>
+			<Dialog.Title class="flex items-center gap-2">
+				<FolderSync class="w-5 h-5" />
+				Relocate stack?
+			</Dialog.Title>
+			<Dialog.Description>
+				All {changeLocationFileCount} file{changeLocationFileCount === 1 ? '' : 's'} in the stack folder will be moved.
+			</Dialog.Description>
+		</Dialog.Header>
+		<div class="my-3 space-y-1 text-sm">
+			<div class="flex items-start gap-2 text-muted-foreground">
+				<span class="text-xs font-medium text-zinc-500 shrink-0 w-10">From</span>
+				<code class="text-xs font-mono bg-muted px-1.5 py-0.5 rounded break-all">
+					{changeLocationOldDir}
+				</code>
+			</div>
+			<div class="flex justify-center py-3">
+				<ArrowDown class="w-4 h-4 text-amber-500" />
+			</div>
+			<div class="flex items-start gap-2">
+				<span class="text-xs font-medium text-zinc-500 shrink-0 w-10">To</span>
+				<code class="text-xs font-mono bg-muted px-1.5 py-0.5 rounded break-all">
+					{pendingNewLocation}
+				</code>
+			</div>
+		</div>
+		<div class="flex justify-end gap-1.5 mt-4">
+			<Button variant="outline" size="sm" onclick={cancelChangeLocation} disabled={movingLocation}>
+				Cancel
+			</Button>
+			<Button variant="default" size="sm" onclick={confirmChangeLocation} disabled={movingLocation}>
+				{#if movingLocation}
+					<Loader2 class="w-3.5 h-3.5 mr-1.5 animate-spin" />
+					Moving...
+				{:else}
+					<FolderSync class="w-3.5 h-3.5 mr-1" />
+					Move files
+				{/if}
+			</Button>
+		</div>
+	</Dialog.Content>
+</Dialog.Root>
+
+<!-- Error dialog for failed operations -->
+{#if operationError}
+	{@const errorDialogOpen = true}
+	<ErrorDialog
+		open={errorDialogOpen}
+		title={operationError.title}
+		message={operationError.message}
+		details={operationError.details}
+		onClose={() => operationError = null}
+	/>
+{/if}
+
+<!-- File browser for compose/env/location selection -->
+<FilesystemBrowser
+	bind:open={showFileBrowser}
+	title={fileBrowserConfig.title}
+	icon={fileBrowserConfig.icon}
+	selectFilter={fileBrowserConfig.selectFilter}
+	selectMode={fileBrowserConfig.selectMode}
+	onSelect={fileBrowserConfig.onSelect}
+	onClose={() => showFileBrowser = false}
+/>
diff --git a/src/routes/terminal/+page.svelte b/src/routes/terminal/+page.svelte
new file mode 100644
index 0000000..ebd6ca3
--- /dev/null
+++ b/src/routes/terminal/+page.svelte
@@ -0,0 +1,415 @@
+<script lang="ts">
+	import { page } from '$app/stores';
+	import PageHeader from '$lib/components/PageHeader.svelte';
+	import { Button } from '$lib/components/ui/button';
+	import { NoEnvironment } from '$lib/components/ui/empty-state';
+	import { Input } from '$lib/components/ui/input';
+	import { Label } from '$lib/components/ui/label';
+	import * as Select from '$lib/components/ui/select';
+	import { appendEnvParam, currentEnvironment, environments } from '$lib/stores/environment';
+	import type { ContainerInfo } from '$lib/types';
+	import { ChevronDown, Copy, RefreshCw, Search, Shell, Terminal as TerminalIcon, Trash2, Unplug, User, Zap } from 'lucide-svelte';
+	import { onDestroy, onMount } from 'svelte';
+	import AttachTerminal from '../attach/AttachTerminal.svelte';
+	import Terminal from './Terminal.svelte';
+
+	// Track if we've handled the initial container from URL
+	let initialContainerHandled = $state(false);
+
+	// Mode toggle
+	let mode = $state<'exec' | 'attach'>('exec');
+
+	let containers = $state<ContainerInfo[]>([]);
+	let selectedContainer = $state<ContainerInfo | null>(null);
+	let envId = $state<number | null>(null);
+
+	// Terminal component reference
+	let terminalComponent: ReturnType<typeof Terminal> | undefined;
+	let attachComponent: ReturnType<typeof AttachTerminal> | undefined;
+	let connected = $state(false);
+
+	// Shell/user options
+	let selectedShell = $state('/bin/bash');
+	let selectedUser = $state('root');
+	let terminalFontSize = $state(14);
+
+	const shellOptions = [
+		{ value: '/bin/bash', label: 'Bash' },
+		{ value: '/bin/sh', label: 'Shell (sh)' },
+		{ value: '/bin/zsh', label: 'Zsh' },
+		{ value: '/bin/ash', label: 'Ash (Alpine)' }
+	];
+
+	const userOptions = [
+		{ value: 'root', label: 'root' },
+		{ value: 'nobody', label: 'nobody' },
+		{ value: '', label: 'Container default' }
+	];
+
+	const fontSizeOptions = [10, 12, 14, 16, 18];
+
+	// Searchable dropdown state
+	let searchQuery = $state('');
+	let dropdownOpen = $state(false);
+
+	// Subscribe to environment changes
+	currentEnvironment.subscribe((env) => {
+		envId = env?.id ?? null;
+		if (env) {
+			fetchContainers();
+		}
+	});
+
+	// Filtered containers based on search
+	let filteredContainers = $derived(() => {
+		if (!searchQuery.trim()) return containers;
+		const query = searchQuery.toLowerCase();
+		return containers.filter((c) => c.name.toLowerCase().includes(query) || c.image.toLowerCase().includes(query));
+	});
+
+	async function fetchContainers() {
+		try {
+			const response = await fetch(appendEnvParam('/api/containers', envId));
+			const allContainers = await response.json();
+			// In exec mode, only show running containers
+			// In attach mode, only show running containers that are attachable
+			if (mode === 'attach') {
+				containers = allContainers.filter((c: ContainerInfo) => c.state === 'running' && c.attachable);
+			} else {
+				containers = allContainers.filter((c: ContainerInfo) => c.state === 'running');
+			}
+
+			// If selected container is no longer valid, clear selection
+			if (selectedContainer && !containers.find((c) => c.id === selectedContainer?.id)) {
+				clearSelection();
+			}
+		} catch (error) {
+			console.error('Failed to fetch containers:', error);
+		}
+	}
+
+	function selectContainer(container: ContainerInfo) {
+		// If already selected, do nothing
+		if (selectedContainer && selectedContainer.id === container.id) {
+			dropdownOpen = false;
+			return;
+		}
+
+		// Disconnect from previous container
+		if (selectedContainer) {
+			if (mode === 'exec' && terminalComponent) {
+				terminalComponent.dispose();
+				terminalComponent = undefined;
+			} else if (mode === 'attach' && attachComponent) {
+				attachComponent.dispose();
+			}
+		}
+		selectedContainer = container;
+		searchQuery = '';
+		dropdownOpen = false;
+	}
+
+	function clearSelection() {
+		if (mode === 'exec' && terminalComponent) {
+			terminalComponent.dispose();
+			terminalComponent = undefined;
+		} else if (mode === 'attach' && attachComponent) {
+			attachComponent.dispose();
+		}
+		selectedContainer = null;
+		searchQuery = '';
+		connected = false;
+	}
+
+	function handleInputFocus() {
+		dropdownOpen = true;
+	}
+
+	function handleInputBlur(e: FocusEvent) {
+		setTimeout(() => {
+			dropdownOpen = false;
+		}, 200);
+	}
+
+	function handleInputKeydown(e: KeyboardEvent) {
+		if (e.key === 'Enter') {
+			const filtered = filteredContainers();
+			if (filtered.length > 0) {
+				selectContainer(filtered[0]);
+			}
+		}
+	}
+
+	// Change font size
+	function changeFontSize(newSize: number) {
+		terminalFontSize = newSize;
+		if (mode === 'exec') {
+			terminalComponent?.setFontSize(newSize);
+		} else if (mode === 'attach') {
+			attachComponent?.setFontSize(newSize);
+		}
+	}
+
+	// Handle window resize
+	function handleResize() {
+		if (mode === 'exec') {
+			terminalComponent?.fit();
+		} else if (mode === 'attach') {
+			attachComponent?.fit();
+		}
+	}
+
+	onMount(async () => {
+		await fetchContainers();
+
+		// Check for container ID in URL query parameter
+		const urlContainerId = $page.url.searchParams.get('container');
+		if (urlContainerId && !initialContainerHandled) {
+			initialContainerHandled = true;
+			const container = containers.find((c) => c.id === urlContainerId || c.id.startsWith(urlContainerId));
+			if (container) {
+				selectContainer(container);
+			}
+		}
+
+		const containerInterval = setInterval(fetchContainers, 10000);
+
+		// Poll connected state from terminal component
+		const connectedPollInterval = setInterval(() => {
+			if (mode === 'exec' && terminalComponent) {
+				connected = terminalComponent.getConnected();
+			} else if (mode === 'attach' && attachComponent) {
+				connected = attachComponent.getConnected();
+			}
+		}, 500);
+
+		window.addEventListener('resize', handleResize);
+
+		return () => {
+			clearInterval(containerInterval);
+			clearInterval(connectedPollInterval);
+		};
+	});
+
+	onDestroy(() => {
+		window.removeEventListener('resize', handleResize);
+		terminalComponent?.dispose();
+		attachComponent?.dispose();
+	});
+</script>
+
+{#if $environments.length === 0 || !$currentEnvironment}
+	<div class="flex flex-col flex-1 min-h-0 h-full">
+		<PageHeader icon={TerminalIcon} title="Shell" class="h-9 mb-3" />
+		<NoEnvironment />
+	</div>
+{:else}
+	<div class="flex flex-col flex-1 min-h-0 h-full gap-3">
+		<!-- Header with container selector -->
+		<div class="flex items-center gap-4 flex-wrap">
+			<div class="flex items-center gap-3">
+				<PageHeader icon={TerminalIcon} title="Terminal" />
+				<div class="flex items-center rounded-lg bg-muted p-1">
+					<Button
+						size="sm"
+						variant="ghost"
+						onclick={() => {
+							mode = 'exec';
+							clearSelection();
+							fetchContainers();
+						}}
+						class="h-7 px-2.5 text-xs rounded gap-1.5 {mode === 'exec' ? 'text-foreground bg-accent/50' : 'text-muted-foreground hover:text-foreground'}"
+					>
+						<Shell class="w-3.5 h-3.5" />
+						<span>Exec</span>
+					</Button>
+					<div class="w-px h-4 bg-border"></div>
+					<Button
+						size="sm"
+						variant="ghost"
+						onclick={() => {
+							mode = 'attach';
+							clearSelection();
+							fetchContainers();
+						}}
+						class="h-7 px-2.5 text-xs rounded gap-1.5 {mode === 'attach' ? 'text-foreground bg-accent/50' : 'text-muted-foreground hover:text-foreground'}"
+					>
+						<Zap class="w-3.5 h-3.5" />
+						<span>Attach</span>
+					</Button>
+				</div>
+			</div>
+			<div class="relative flex-1 max-w-md min-w-50">
+				<!-- Search input - always visible, shows selected container or placeholder -->
+				<div class="relative">
+					<Search class="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-muted-foreground" />
+					<Input
+						type="text"
+						placeholder={selectedContainer ? selectedContainer.name : mode === 'exec' ? 'Search running containers...' : 'Search containers...'}
+						bind:value={searchQuery}
+						onfocus={handleInputFocus}
+						onblur={handleInputBlur}
+						onkeydown={handleInputKeydown}
+						class="pl-10 pr-10 h-9 {selectedContainer && !searchQuery ? 'text-foreground' : ''}"
+					/>
+					<ChevronDown class="absolute right-3 top-1/2 -translate-y-1/2 w-4 h-4 text-muted-foreground" />
+				</div>
+
+				<!-- Dropdown -->
+				{#if dropdownOpen}
+					<div class="absolute top-full left-0 right-0 mt-1 border rounded-md bg-popover shadow-lg z-50 max-h-64 overflow-auto">
+						{#if filteredContainers().length === 0}
+							<div class="px-3 py-2 text-sm text-muted-foreground">
+								{containers.length === 0 ? (mode === 'exec' ? 'No running containers' : 'No containers') : 'No matches found'}
+							</div>
+						{:else}
+							{#each filteredContainers() as container}
+								<button type="button" onclick={() => selectContainer(container)} class="w-full px-3 py-2 text-left text-sm hover:bg-muted transition-colors flex items-center gap-2 {selectedContainer?.id === container.id ? 'bg-muted' : ''}">
+									<span class="font-medium truncate">{container.name}</span>
+									<span class="text-muted-foreground text-xs truncate">({container.image})</span>
+									{#if selectedContainer?.id === container.id}
+										<span class="ml-auto text-xs text-primary">connected</span>
+									{/if}
+								</button>
+							{/each}
+						{/if}
+					</div>
+				{/if}
+			</div>
+
+			{#if selectedContainer}
+				<Button size="sm" variant="ghost" onclick={clearSelection} class="h-9 px-3 text-sm text-muted-foreground hover:text-foreground">
+					<Unplug class="w-4 h-4 mr-1.5" />
+					Disconnect
+				</Button>
+			{/if}
+
+			{#if !selectedContainer}
+				{#if mode === 'exec'}
+					<div class="flex items-center gap-2">
+						<Label class="text-sm text-muted-foreground">Shell:</Label>
+						<Select.Root type="single" bind:value={selectedShell}>
+							<Select.Trigger class="h-9 w-36">
+								<Shell class="w-4 h-4 mr-2 text-muted-foreground" />
+								<span>{shellOptions.find((o) => o.value === selectedShell)?.label || 'Select'}</span>
+							</Select.Trigger>
+							<Select.Content>
+								{#each shellOptions as option}
+									<Select.Item value={option.value} label={option.label}>
+										<Shell class="w-4 h-4 mr-2 text-muted-foreground" />
+										{option.label}
+									</Select.Item>
+								{/each}
+							</Select.Content>
+						</Select.Root>
+					</div>
+					<div class="flex items-center gap-2">
+						<Label class="text-sm text-muted-foreground">User:</Label>
+						<Select.Root type="single" bind:value={selectedUser}>
+							<Select.Trigger class="h-9 w-40">
+								<User class="w-4 h-4 mr-2 text-muted-foreground" />
+								<span>{userOptions.find((o) => o.value === selectedUser)?.label || 'Select'}</span>
+							</Select.Trigger>
+							<Select.Content>
+								{#each userOptions as option}
+									<Select.Item value={option.value} label={option.label}>
+										<User class="w-4 h-4 mr-2 text-muted-foreground" />
+										{option.label}
+									</Select.Item>
+								{/each}
+							</Select.Content>
+						</Select.Root>
+					</div>
+				{/if}
+			{/if}
+		</div>
+
+		<!-- Shell output - full height -->
+		<div class="flex-1 min-h-0 border rounded-lg bg-zinc-950 overflow-hidden flex flex-col">
+			{#if !selectedContainer}
+				<div class="flex items-center justify-center h-full text-muted-foreground">
+					<div class="text-center">
+						<TerminalIcon class="w-12 h-12 mx-auto mb-3 opacity-50" />
+						<p>Select a container to {mode === 'exec' ? 'open shell' : 'attach'}</p>
+					</div>
+				</div>
+			{:else}
+				<!-- Header bar inside black area -->
+				<div class="flex items-center justify-between px-3 py-1.5 border-b border-zinc-800 bg-zinc-900/50 shrink-0">
+					<div class="flex items-center gap-2">
+						{#if connected}
+							<span class="inline-flex items-center gap-1 text-xs text-green-500">
+								<span class="w-1.5 h-1.5 rounded-full bg-green-500 animate-pulse"></span>
+								{mode === 'exec' ? 'Connected' : 'Attached'}
+							</span>
+						{:else}
+							<span class="text-xs text-zinc-500">{mode === 'exec' ? 'Disconnected' : 'Detached'}</span>
+						{/if}
+					</div>
+					<div class="flex items-center gap-3">
+						<Select.Root type="single" value={String(terminalFontSize)} onValueChange={(v) => changeFontSize(Number(v))}>
+							<Select.Trigger class="h-5! py-0! w-14 bg-zinc-800 border-zinc-700 text-xs text-zinc-300 px-1.5 [&_svg]:size-3">
+								<span>{terminalFontSize}px</span>
+							</Select.Trigger>
+							<Select.Content>
+								{#each fontSizeOptions as size}
+									<Select.Item value={String(size)} label="{size}px" class="pe-2 [&>span:first-child]:hidden">{size}px</Select.Item>
+								{/each}
+							</Select.Content>
+						</Select.Root>
+						<button
+							onclick={() => {
+								if (mode === 'exec') terminalComponent?.copyOutput();
+								else attachComponent?.copyOutput();
+							}}
+							class="p-1 rounded hover:bg-zinc-800 transition-colors"
+							title="Copy output"
+						>
+							<Copy class="w-3 h-3 text-zinc-500 hover:text-zinc-300" />
+						</button>
+						<button
+							onclick={() => {
+								if (mode === 'exec') terminalComponent?.clear();
+								else attachComponent?.clear();
+							}}
+							class="p-1 rounded hover:bg-zinc-800 transition-colors"
+							title="Clear (Cmd+L)"
+						>
+							<Trash2 class="w-3 h-3 text-zinc-500 hover:text-zinc-300" />
+						</button>
+						<button
+							onclick={() => {
+								if (mode === 'exec') terminalComponent?.reconnect();
+								else attachComponent?.reconnect();
+							}}
+							class="p-1 rounded hover:bg-zinc-800 transition-colors"
+							title="Reconnect"
+						>
+							<RefreshCw class="w-3 h-3 text-zinc-500 hover:text-zinc-300" />
+						</button>
+					</div>
+				</div>
+				<div class="flex-1 min-h-0 w-full">
+					{#key `${selectedContainer.id}-${mode}`}
+						{#if mode === 'exec'}
+							<Terminal bind:this={terminalComponent} containerId={selectedContainer.id} containerName={selectedContainer.name} shell={selectedShell} user={selectedUser} {envId} fontSize={terminalFontSize} />
+						{:else if mode === 'attach'}
+							<AttachTerminal bind:this={attachComponent} containerId={selectedContainer.id} containerName={selectedContainer.name} {envId} fontSize={terminalFontSize} />
+						{/if}
+					{/key}
+				</div>
+			{/if}
+		</div>
+	</div>
+{/if}
+
+<style>
+	:global(.xterm) {
+		height: 100%;
+		padding: 8px;
+	}
+
+	:global(.xterm-viewport) {
+		overflow-y: auto !important;
+	}
+</style>
diff --git a/routes/terminal/Terminal.svelte b/src/routes/terminal/Terminal.svelte
similarity index 97%
rename from routes/terminal/Terminal.svelte
rename to src/routes/terminal/Terminal.svelte
index dd550ba..ebb3226 100644
--- a/routes/terminal/Terminal.svelte
+++ b/src/routes/terminal/Terminal.svelte
@@ -1,7 +1,7 @@
 <script lang="ts">
-	import { onMount, onDestroy } from 'svelte';
 	import { themeStore } from '$lib/stores/theme';
 	import { getMonospaceFont } from '$lib/themes';
+	import { onDestroy, onMount } from 'svelte';
 
 	// Dynamic imports for browser-only xterm
 	let TerminalClass: any;
@@ -180,7 +180,7 @@
 		// In dev mode (vite), connect directly to the WS server on port 5174
 		// In production, connect to the same port as the app
 		const isDev = import.meta.env.DEV;
-		const portPart = isDev ? ':5174' : (window.location.port ? `:${window.location.port}` : '');
+		const portPart = isDev ? ':5174' : window.location.port ? `:${window.location.port}` : '';
 		let wsUrl = `${protocol}//${wsHost}${portPart}/api/containers/${containerId}/exec?shell=${encodeURIComponent(shell)}&user=${encodeURIComponent(user)}`;
 		if (envId) {
 			wsUrl += `&envId=${envId}`;
diff --git a/routes/terminal/TerminalEmulator.svelte b/src/routes/terminal/TerminalEmulator.svelte
similarity index 100%
rename from routes/terminal/TerminalEmulator.svelte
rename to src/routes/terminal/TerminalEmulator.svelte
diff --git a/routes/terminal/TerminalPanel.svelte b/src/routes/terminal/TerminalPanel.svelte
similarity index 100%
rename from routes/terminal/TerminalPanel.svelte
rename to src/routes/terminal/TerminalPanel.svelte
diff --git a/routes/terminal/[id]/+page.svelte b/src/routes/terminal/[id]/+page.svelte
similarity index 100%
rename from routes/terminal/[id]/+page.svelte
rename to src/routes/terminal/[id]/+page.svelte
diff --git a/routes/volumes/+page.svelte b/src/routes/volumes/+page.svelte
similarity index 100%
rename from routes/volumes/+page.svelte
rename to src/routes/volumes/+page.svelte
diff --git a/routes/volumes/CloneVolumeModal.svelte b/src/routes/volumes/CloneVolumeModal.svelte
similarity index 100%
rename from routes/volumes/CloneVolumeModal.svelte
rename to src/routes/volumes/CloneVolumeModal.svelte
diff --git a/routes/volumes/CreateVolumeModal.svelte b/src/routes/volumes/CreateVolumeModal.svelte
similarity index 100%
rename from routes/volumes/CreateVolumeModal.svelte
rename to src/routes/volumes/CreateVolumeModal.svelte
diff --git a/routes/volumes/VolumeBrowserModal.svelte b/src/routes/volumes/VolumeBrowserModal.svelte
similarity index 97%
rename from routes/volumes/VolumeBrowserModal.svelte
rename to src/routes/volumes/VolumeBrowserModal.svelte
index 8ecfebb..66a13f3 100644
--- a/routes/volumes/VolumeBrowserModal.svelte
+++ b/src/routes/volumes/VolumeBrowserModal.svelte
@@ -50,7 +50,7 @@
 </script>
 
 <Dialog.Root bind:open onOpenChange={handleOpenChange}>
-	<Dialog.Content class="max-w-4xl h-[80vh] flex flex-col">
+	<Dialog.Content class="max-w-4xl h-[90vh] sm:h-[80vh] flex flex-col">
 		<Dialog.Header>
 			<Dialog.Title class="flex items-center gap-2">
 				<HardDrive class="w-5 h-5" />
diff --git a/routes/volumes/VolumeInspectModal.svelte b/src/routes/volumes/VolumeInspectModal.svelte
similarity index 98%
rename from routes/volumes/VolumeInspectModal.svelte
rename to src/routes/volumes/VolumeInspectModal.svelte
index 9875d52..ae66005 100644
--- a/routes/volumes/VolumeInspectModal.svelte
+++ b/src/routes/volumes/VolumeInspectModal.svelte
@@ -48,7 +48,7 @@
 </script>
 
 <Dialog.Root bind:open>
-	<Dialog.Content class="max-w-4xl h-[90vh] flex flex-col">
+	<Dialog.Content class="max-w-4xl max-h-[90vh] flex flex-col">
 		<Dialog.Header class="shrink-0">
 			<Dialog.Title class="flex items-center gap-2">
 				<HardDrive class="w-5 h-5" />
diff --git a/svelte.config.js b/svelte.config.js
new file mode 100644
index 0000000..fb3570f
--- /dev/null
+++ b/svelte.config.js
@@ -0,0 +1,15 @@
+import adapter from 'svelte-adapter-bun';
+import { vitePreprocess } from '@sveltejs/vite-plugin-svelte';
+
+/** @type {import('@sveltejs/kit').Config} */
+const config = {
+	preprocess: vitePreprocess(),
+
+	kit: {
+		adapter: adapter({
+			out: 'build'
+		})
+	}
+};
+
+export default config;
diff --git a/tsconfig.json b/tsconfig.json
new file mode 100644
index 0000000..2c2ed3c
--- /dev/null
+++ b/tsconfig.json
@@ -0,0 +1,20 @@
+{
+	"extends": "./.svelte-kit/tsconfig.json",
+	"compilerOptions": {
+		"rewriteRelativeImportExtensions": true,
+		"allowJs": true,
+		"checkJs": true,
+		"esModuleInterop": true,
+		"forceConsistentCasingInFileNames": true,
+		"resolveJsonModule": true,
+		"skipLibCheck": true,
+		"sourceMap": true,
+		"strict": true,
+		"moduleResolution": "bundler"
+	}
+	// Path aliases are handled by https://svelte.dev/docs/kit/configuration#alias
+	// except $lib which is handled by https://svelte.dev/docs/kit/configuration#files
+	//
+	// To make changes to top-level options such as include and exclude, we recommend extending
+	// the generated config; see https://svelte.dev/docs/kit/configuration#typescript
+}
diff --git a/vite.config.ts b/vite.config.ts
new file mode 100644
index 0000000..2a48236
--- /dev/null
+++ b/vite.config.ts
@@ -0,0 +1,1028 @@
+import { sveltekit } from '@sveltejs/kit/vite';
+import tailwindcss from '@tailwindcss/vite';
+import { Database } from 'bun:sqlite';
+import { execSync } from 'child_process';
+import { existsSync } from 'fs';
+import { homedir } from 'os';
+import { join } from 'path';
+import { defineConfig, type Plugin } from 'vite';
+
+const WS_PORT = 5174;
+
+// ============ Docker Target Types ============
+
+interface DockerTarget {
+	type: 'unix' | 'tcp' | 'hawser-edge';
+	socket?: string;
+	host?: string;
+	port?: number;
+	hawserToken?: string;
+	environmentId?: number;
+}
+
+interface EnvironmentRow {
+	id: number;
+	is_local?: boolean | number;
+	connection_type?: string;
+	socket_path?: string;
+	host?: string;
+	port?: number;
+	hawser_token?: string;
+}
+
+// ============ Docker Target Resolution ============
+
+function resolveDockerTarget(
+	envId: number | undefined,
+	getEnvironment: (id: number) => EnvironmentRow | null,
+	defaultSocketPath: string
+): DockerTarget {
+	if (!envId) return { type: 'unix', socket: defaultSocketPath };
+
+	const env = getEnvironment(envId);
+	if (!env) return { type: 'unix', socket: defaultSocketPath };
+
+	const isLocal = typeof env.is_local === 'boolean' ? env.is_local : Boolean(env.is_local);
+	if (isLocal || env.connection_type === 'socket' || !env.connection_type) {
+		return { type: 'unix', socket: env.socket_path || defaultSocketPath };
+	}
+
+	if (env.connection_type === 'hawser-edge') {
+		return { type: 'hawser-edge', environmentId: envId };
+	}
+
+	return {
+		type: 'tcp',
+		host: env.host || 'localhost',
+		port: env.port || 2375,
+		hawserToken: env.connection_type === 'hawser-standard' ? env.hawser_token : undefined
+	};
+}
+
+// ============ Exec API Helpers ============
+
+function buildExecStartHttpRequest(execId: string, target: DockerTarget): string {
+	const body = JSON.stringify({ Detach: false, Tty: true });
+	const tokenHeader = target.type === 'tcp' && target.hawserToken
+		? `X-Hawser-Token: ${target.hawserToken}\r\n`
+		: '';
+	return `POST /exec/${execId}/start HTTP/1.1\r\nHost: localhost\r\nContent-Type: application/json\r\n${tokenHeader}Connection: Upgrade\r\nUpgrade: tcp\r\nContent-Length: ${body.length}\r\n\r\n${body}`;
+}
+
+// ============ Attach API Helpers ===========
+
+function buildAttachHttpRequest(containerId: string, target: DockerTarget): string {
+	const tokenHeader =
+		target.type === 'tcp' && target.hawserToken ? `X-Hawser-Token: ${target.hawserToken}\r\n` : '';
+	return `POST /containers/${containerId}/attach?stream=1&stdout=1&stderr=1&stdin=1 HTTP/1.1\r\nHost: localhost\r\n${tokenHeader}Connection: Upgrade\r\nUpgrade: tcp\r\n\r\n`;
+}
+
+// ============ Stream Processing ============
+
+function processTerminalOutput(
+	data: string,
+	state: { headersStripped: boolean; isChunked: boolean }
+): string | null {
+	let text = data;
+
+	if (!state.headersStripped) {
+		if (text.toLowerCase().includes('transfer-encoding: chunked')) {
+			state.isChunked = true;
+		}
+		const headerEnd = text.indexOf('\r\n\r\n');
+		if (headerEnd > -1) {
+			text = text.slice(headerEnd + 4);
+			state.headersStripped = true;
+		} else if (text.startsWith('HTTP/')) {
+			return null;
+		}
+	}
+
+	if (state.isChunked && text) {
+		text = text.replace(/^[0-9a-fA-F]+\r\n/gm, '').replace(/\r\n$/g, '');
+	}
+
+	return text || null;
+}
+
+// ============ Hawser Edge Exec Messages ============
+
+function createExecStartMessage(execId: string, containerId: string, shell: string, user: string, cols = 120, rows = 30) {
+	return { type: 'exec_start', execId, containerId, cmd: shell, user, cols, rows };
+}
+
+function createExecInputMessage(execId: string, data: string) {
+	return { type: 'exec_input', execId, data: Buffer.from(data).toString('base64') };
+}
+
+function createExecResizeMessage(execId: string, cols: number, rows: number) {
+	return { type: 'exec_resize', execId, cols, rows };
+}
+
+function createExecEndMessage(execId: string, reason = 'user_closed') {
+	return { type: 'exec_end', execId, reason };
+}
+
+// Get build info
+function getGitCommit(): string | null {
+	// Check COMMIT file (created by CI/CD before docker build)
+	try {
+		if (existsSync('COMMIT')) {
+			const commit = require('fs').readFileSync('COMMIT', 'utf-8').trim();
+			if (commit && commit !== 'unknown') {
+				return commit;
+			}
+		}
+	} catch {
+		// ignore
+	}
+	// Fall back to git command (local dev)
+	try {
+		return execSync('git rev-parse --short HEAD').toString().trim();
+	} catch {
+		return null;
+	}
+}
+
+function getGitBranch(): string | null {
+	// Check BRANCH file (created by CI/CD before docker build)
+	try {
+		if (existsSync('BRANCH')) {
+			const branch = require('fs').readFileSync('BRANCH', 'utf-8').trim();
+			if (branch && branch !== 'unknown') {
+				return branch;
+			}
+		}
+	} catch {
+		// ignore
+	}
+	// Fall back to git command (local dev)
+	try {
+		return execSync('git rev-parse --abbrev-ref HEAD').toString().trim();
+	} catch {
+		return null;
+	}
+}
+
+function getGitTag(): string | null {
+	// First check env var (set by CI/CD via Docker build-arg)
+	if (process.env.APP_VERSION) {
+		return process.env.APP_VERSION;
+	}
+	// Check VERSION file (created by CI/CD before docker build)
+	try {
+		if (existsSync('VERSION')) {
+			const version = require('fs').readFileSync('VERSION', 'utf-8').trim();
+			if (version && version !== 'unknown') {
+				return version;
+			}
+		}
+	} catch {
+		// ignore
+	}
+	// Fall back to git tag (local dev)
+	try {
+		return execSync('git describe --tags --abbrev=0 2>/dev/null').toString().trim();
+	} catch {
+		return null;
+	}
+}
+
+// Plugin to externalize bun: protocol modules
+function bunExternals(): Plugin {
+	return {
+		name: 'bun-externals',
+		enforce: 'pre',
+		resolveId(source) {
+			if (source.startsWith('bun:')) {
+				return { id: source, external: true };
+			}
+			return null;
+		}
+	};
+}
+
+// Detect Docker socket path
+function detectDockerSocket(): string {
+	if (process.env.DOCKER_SOCKET && existsSync(process.env.DOCKER_SOCKET)) return process.env.DOCKER_SOCKET;
+	if (process.env.DOCKER_HOST?.startsWith('unix://')) {
+		const p = process.env.DOCKER_HOST.replace('unix://', '');
+		if (existsSync(p)) return p;
+	}
+	const candidates = [
+		'/var/run/docker.sock',
+		join(homedir(), '.docker/run/docker.sock'),
+		join(homedir(), '.orbstack/run/docker.sock'),
+		'/run/docker.sock'
+	];
+	for (const s of candidates) {
+		if (existsSync(s)) return s;
+	}
+	return '/var/run/docker.sock';
+}
+
+// Lazy database connection for environment lookup
+let _db: Database | null = null;
+function getDb(): Database | null {
+	if (!_db) {
+		// Database is in data/db/dockhand.db (same as main app)
+		const dbPath = join(process.cwd(), 'data', 'db', 'dockhand.db');
+		if (existsSync(dbPath)) {
+			_db = new Database(dbPath, { readonly: true });
+		}
+	}
+	return _db;
+}
+
+function getEnvironment(id: number): { host: string; port: number; is_local: boolean; connection_type?: string; hawser_token?: string } | null {
+	const db = getDb();
+	if (!db) return null;
+	const row = db.prepare('SELECT * FROM environments WHERE id = ?').get(id) as any;
+	return row ? { ...row, is_local: Boolean(row.is_local) } : null;
+}
+
+function getDockerTarget(envId?: number): DockerTarget {
+	const dockerSocketPath = detectDockerSocket();
+	return resolveDockerTarget(
+		envId,
+		(id) => getEnvironment(id) as EnvironmentRow | null,
+		dockerSocketPath
+	);
+}
+
+async function createExecForWs(containerId: string, cmd: string[], user: string, target: ReturnType<typeof getDockerTarget>): Promise<{ Id: string }> {
+	const headers: Record<string, string> = { 'Content-Type': 'application/json' };
+	const fetchOpts: any = {
+		method: 'POST',
+		headers,
+		body: JSON.stringify({ AttachStdin: true, AttachStdout: true, AttachStderr: true, Tty: true, Cmd: cmd, User: user })
+	};
+	let url: string;
+	if (target.type === 'unix') {
+		url = 'http://localhost/containers/' + containerId + '/exec';
+		fetchOpts.unix = target.socket;
+	} else {
+		url = 'http://' + target.host + ':' + target.port + '/containers/' + containerId + '/exec';
+		if (target.hawserToken) {
+			headers['X-Hawser-Token'] = target.hawserToken;
+		}
+	}
+	const res = await fetch(url, fetchOpts);
+	if (!res.ok) throw new Error('Failed to create exec: ' + (await res.text()));
+	return res.json();
+}
+
+async function resizeExecForWs(execId: string, cols: number, rows: number, target: ReturnType<typeof getDockerTarget>): Promise<void> {
+	try {
+		const fetchOpts: any = { method: 'POST' };
+		let url: string;
+		if (target.type === 'unix') {
+			url = 'http://localhost/exec/' + execId + '/resize?h=' + rows + '&w=' + cols;
+			fetchOpts.unix = target.socket;
+		} else {
+			url = 'http://' + target.host + ':' + target.port + '/exec/' + execId + '/resize?h=' + rows + '&w=' + cols;
+			if (target.hawserToken) {
+				fetchOpts.headers = { 'X-Hawser-Token': target.hawserToken };
+			}
+		}
+		await fetch(url, fetchOpts);
+	} catch {
+		// Ignore resize errors
+	}
+}
+
+// Map to track Docker streams per WebSocket (keyed by unique connection ID)
+// Includes WebSocket reference for orphan detection
+const dockerStreams = new Map<string, { stream: any; execId: string; target: ReturnType<typeof getDockerTarget>; state: { isChunked: boolean }; ws: any }>();
+
+// Counter for unique WebSocket connection IDs
+let wsConnectionCounter = 0;
+
+// Map to track Edge exec sessions (execId -> frontend WebSocket)
+const edgeExecSessions = new Map<string, { ws: any; execId: string; environmentId: number }>();
+
+// Cleanup interval reference - only started in dev mode
+let cleanupInterval: ReturnType<typeof setInterval> | null = null;
+
+// Cleanup function for orphaned sessions
+function startCleanupInterval() {
+	if (cleanupInterval) return; // Already running
+
+	// Cleanup orphaned sessions every 5 minutes to prevent memory leaks
+	// Only removes sessions where the WebSocket is no longer open (readyState !== 1)
+	// This catches sessions where close handlers failed to fire
+	cleanupInterval = setInterval(() => {
+		let dockerCleaned = 0;
+		let edgeCleaned = 0;
+
+		for (const [connId, session] of dockerStreams.entries()) {
+			// readyState: 0=CONNECTING, 1=OPEN, 2=CLOSING, 3=CLOSED
+			if (session.ws?.readyState !== 1) {
+				try {
+					session.stream?.end?.();
+				} catch { /* ignore */ }
+				dockerStreams.delete(connId);
+				dockerCleaned++;
+			}
+		}
+
+		for (const [execId, session] of edgeExecSessions.entries()) {
+			if (session.ws?.readyState !== 1) {
+				edgeExecSessions.delete(execId);
+				edgeCleaned++;
+			}
+		}
+
+		if (dockerCleaned > 0 || edgeCleaned > 0) {
+			console.log(`[WS Cleanup] Removed ${dockerCleaned} orphaned docker streams, ${edgeCleaned} orphaned edge sessions`);
+		}
+	}, 5 * 60 * 1000);
+}
+
+// Hawser Edge connection types (mirrors hawser.ts)
+interface EdgeConnection {
+	ws: WebSocket;
+	environmentId: number;
+	agentId: string;
+	agentName: string;
+	agentVersion: string;
+	dockerVersion: string;
+	hostname: string;
+	capabilities: string[];
+	connectedAt: Date;
+	lastHeartbeat: Date;
+	pendingRequests: Map<string, { resolve: Function; reject: Function; timeout: NodeJS.Timeout }>;
+	pendingStreamRequests: Map<string, { onData: Function; onEnd: Function; onError: Function }>;
+	pingInterval?: ReturnType<typeof setInterval>; // Server-side ping to keep connection alive through proxies
+}
+
+// Container event from edge agent (matches hawser.ts)
+interface ContainerEventData {
+	containerId: string;
+	containerName?: string;
+	image?: string;
+	action: string;
+	actorAttributes?: Record<string, string>;
+	timestamp: string;
+}
+
+// Metrics data structure from Hawser agent
+interface HawserMetrics {
+	cpuUsage: number;
+	cpuCores: number;
+	memoryTotal: number;
+	memoryUsed: number;
+	memoryFree: number;
+	diskTotal: number;
+	diskUsed: number;
+	diskFree: number;
+	networkRxBytes: number;
+	networkTxBytes: number;
+}
+
+// Use globalThis to share connections with hawser.ts module
+declare global {
+	var __hawserEdgeConnections: Map<number, EdgeConnection> | undefined;
+	var __hawserSendMessage: ((envId: number, message: string) => boolean) | undefined;
+	var __hawserHandleContainerEvent: ((envId: number, event: ContainerEventData) => Promise<void>) | undefined;
+	var __hawserHandleMetrics: ((envId: number, metrics: HawserMetrics) => Promise<void>) | undefined;
+}
+const edgeConnections: Map<number, EdgeConnection> =
+	globalThis.__hawserEdgeConnections ?? (globalThis.__hawserEdgeConnections = new Map());
+
+// Function to send messages through the WebSocket (needed because ws.send must be called from vite context)
+globalThis.__hawserSendMessage = (envId: number, message: string): boolean => {
+	const conn = edgeConnections.get(envId);
+	if (!conn || !conn.ws) {
+		return false;
+	}
+
+	try {
+		conn.ws.send(message);
+		return true;
+	} catch (e) {
+		console.error(`[Hawser WS] sendMessage error:`, e);
+		return false;
+	}
+};
+
+// Map WebSocket to environmentId for quick lookup on close/message
+const wsToEnvId = new Map<any, number>();
+
+// WebSocket server for terminal connections and Hawser Edge in development mode
+function webSocketPlugin(): Plugin {
+	return {
+		name: 'websocket',
+		configureServer() {
+			// Start cleanup interval for dev mode only
+			startCleanupInterval();
+
+			const dockerSocketPath = detectDockerSocket();
+			console.log(`[Terminal WS] Detected Docker socket at: ${dockerSocketPath}`);
+
+			// Start a Bun.serve WebSocket server on a separate port
+			Bun.serve({
+				port: WS_PORT,
+				fetch(req, server) {
+					// Upgrade HTTP requests to WebSocket
+					if (server.upgrade(req, { data: { url: req.url } })) {
+						return; // Return nothing if upgrade succeeds
+					}
+					return new Response('WebSocket server', { status: 200 });
+				},
+				websocket: {
+					async open(ws) {
+						const url = new URL((ws.data as any).url, `http://localhost:${WS_PORT}`);
+
+						// Check if this is a Hawser Edge connection
+						if (url.pathname === '/api/hawser/connect') {
+							console.log('[Hawser WS] New connection pending authentication');
+							// Hawser connections wait for hello message to authenticate
+							return;
+						}
+
+						// Assign unique connection ID to this WebSocket
+						const connId = `ws-${++wsConnectionCounter}`;
+						(ws.data as any).connId = connId;
+
+						// Terminal connection handling
+						const pathParts = url.pathname.split('/');
+						const containerIdIndex = pathParts.indexOf('containers') + 1;
+						const containerId = pathParts[containerIdIndex];
+
+						const isAttach = url.pathname.includes('/attach');
+
+						const shell = url.searchParams.get('shell') || '/bin/sh';
+						const user = url.searchParams.get('user') || 'root';
+						const envIdParam = url.searchParams.get('envId');
+						const envId = envIdParam ? parseInt(envIdParam, 10) : undefined;
+
+						if (!containerId) {
+							ws.send(JSON.stringify({ type: 'error', message: 'No container ID' }));
+							ws.close();
+							return;
+						}
+
+						console.log(envId)
+						const target = getDockerTarget(envId);
+						const mode = isAttach ? 'attach' : 'exec';
+						console.log('[Terminal WS] Open connId:', connId, 'container:', containerId, 'target:', 'mode:', mode, target.type);
+
+						try {
+							// Handle Hawser Edge mode differently - use WebSocket protocol
+							if (target.type === 'hawser-edge') {
+								const conn = edgeConnections.get(target.environmentId);
+								if (!conn) {
+									ws.send(JSON.stringify({ type: 'error', message: 'Edge agent not connected' }));
+									ws.close();
+									return;
+								}
+
+								if(isAttach) {
+									// For attach, send attach_start message
+									const attachId = crypto.randomUUID();
+									console.log('[Terminal WS] Starting Edge attach:', attachId, 'container:', containerId);
+									edgeExecSessions.set(attachId, { ws, execId: attachId, environmentId: target.environmentId });
+
+									(ws.data as any).edgeExecId = attachId;
+									conn.ws.send(JSON.stringify({ type: 'attach', containerId, attachId }));
+									return;
+								}
+
+								// Generate unique exec ID
+								const execId = crypto.randomUUID();
+								console.log('[Terminal WS] Starting Edge exec:', execId, 'container:', containerId);
+
+								// Track this session
+								edgeExecSessions.set(execId, { ws, execId, environmentId: target.environmentId });
+								(ws.data as any).edgeExecId = execId;
+
+								// Send exec_start to the agent (using shared helper)
+								const execStartMsg = createExecStartMessage(execId, containerId, shell, user);
+								conn.ws.send(JSON.stringify(execStartMsg));
+								return;
+							}
+
+							let httpRequest: string
+							let execId: string;
+
+							if(isAttach) {
+								// Attach mode
+								execId = crypto.randomUUID();
+								httpRequest = buildAttachHttpRequest(containerId, target);
+								console.log("[Terminal WS] Attaching to container: ", containerId, "execId:", execId);
+							} else {
+								// Exec mode
+								const exec = await createExecForWs(containerId, [shell], user, target);
+								httpRequest = buildExecStartHttpRequest(exec.Id, target);
+								console.log("[Terminal WS] Created exec: ", exec.Id, "for container:", containerId);
+							}
+
+							// Track connection state (using object for mutability across closures)
+							let headersStripped = false;
+							const state = { isChunked: false };
+
+							// Create socket handler for Docker connection
+							const socketHandler = {
+								data(socket: any, data: Buffer) {
+									if (ws.readyState === 1) {
+										let text = new TextDecoder().decode(data);
+										// Skip HTTP headers in first response (only once)
+										if (!headersStripped) {
+											// Check for chunked encoding in headers
+											if (text.toLowerCase().includes('transfer-encoding: chunked')) {
+												state.isChunked = true;
+											}
+											const headerEnd = text.indexOf('\r\n\r\n');
+											if (headerEnd > -1) {
+												text = text.slice(headerEnd + 4);
+												headersStripped = true;
+											} else if (text.startsWith('HTTP/')) {
+												// Headers split across packets, skip this entire packet
+												return;
+											}
+										}
+										// Strip chunked encoding framing if detected
+										if (state.isChunked && text) {
+											// Remove chunk size lines (hex number followed by \r\n)
+											text = text.replace(/^[0-9a-fA-F]+\r\n/gm, '').replace(/\r\n$/g, '');
+										}
+										if (text) {
+											ws.send(JSON.stringify({ type: 'output', data: text }));
+										}
+									}
+								},
+								close() {
+									if (ws.readyState === 1) {
+										ws.send(JSON.stringify({ type: 'exit' }));
+										ws.close();
+									}
+								},
+								error() {},
+								open(socket: any) {
+									socket.write(httpRequest);
+								}
+							};
+
+							let dockerStream: any;
+							if (target.type === 'unix') {
+								dockerStream = await Bun.connect({ unix: target.socket, socket: socketHandler });
+							} else if (target.type === 'tcp') {
+								dockerStream = await Bun.connect({ hostname: target.host, port: target.port, socket: socketHandler });
+							}
+
+							dockerStreams.set(connId, { stream: dockerStream, execId, target, state, ws });
+							console.log('[Terminal WS] Stream stored for connId:', connId, 'total streams:', dockerStreams.size);
+						} catch (error: any) {
+							console.error('[Terminal WS] Error:', error.message);
+							ws.send(JSON.stringify({ type: 'error', message: error.message }));
+							ws.close();
+						}
+					},
+					async message(ws, message) {
+						const url = new URL((ws.data as any).url, `http://localhost:${WS_PORT}`);
+						const connId = (ws.data as any).connId as string | undefined;
+						console.log('[WS Message] connId:', connId, 'edgeExecId:', (ws.data as any)?.edgeExecId, 'pathname:', url.pathname.slice(0, 50));
+
+						// Handle Hawser Edge messages
+						if (url.pathname === '/api/hawser/connect') {
+							try {
+								// Debug: Log raw message info
+								const msgType = typeof message;
+								const msgLen = typeof message === 'string' ? message.length :
+									message instanceof ArrayBuffer ? message.byteLength :
+									(message as Buffer).length || 0;
+								console.log(`[Hawser WS] Received message: type=${msgType}, length=${msgLen}`);
+
+								// Convert message to string properly (handles both string and ArrayBuffer)
+								let messageStr: string;
+								if (typeof message === 'string') {
+									messageStr = message;
+								} else if (message instanceof ArrayBuffer) {
+									messageStr = new TextDecoder().decode(message);
+								} else if (Buffer.isBuffer(message)) {
+									messageStr = message.toString('utf-8');
+								} else {
+									// Uint8Array or similar
+									messageStr = new TextDecoder().decode(new Uint8Array(message as ArrayBuffer));
+								}
+
+								console.log(`[Hawser WS] Decoded string length: ${messageStr.length}`);
+								if (messageStr.length > 0) {
+									console.log(`[Hawser WS] First 200 chars: ${messageStr.slice(0, 200)}`);
+								}
+
+								const msg = JSON.parse(messageStr);
+								console.log(`[Hawser WS] Parsed message type: ${msg.type}`);
+								await handleHawserMessage(ws, msg);
+							} catch (error: any) {
+								console.error('[Hawser WS] Error handling message:', error.message);
+								// More detailed debug output
+								const msgType = typeof message;
+								const msgLen = typeof message === 'string' ? message.length :
+									message instanceof ArrayBuffer ? message.byteLength :
+									(message as Buffer).length || 0;
+								console.error(`[Hawser WS] Message details: type=${msgType}, length=${msgLen}`);
+								if (typeof message === 'string' && message.length > 0) {
+									console.error(`[Hawser WS] Message preview: ${message.slice(0, 500)}`);
+								} else if (message instanceof ArrayBuffer && message.byteLength > 0) {
+									const preview = new TextDecoder().decode(message.slice(0, 500));
+									console.error(`[Hawser WS] ArrayBuffer preview: ${preview}`);
+								} else if (Buffer.isBuffer(message) && message.length > 0) {
+									console.error(`[Hawser WS] Buffer preview: ${message.toString('utf-8').slice(0, 500)}`);
+								}
+								ws.send(JSON.stringify({ type: 'error', error: error.message }));
+							}
+							return;
+						}
+
+						// Check if this is an Edge exec session
+						const edgeExecId = (ws.data as any)?.edgeExecId;
+						if (edgeExecId) {
+							const session = edgeExecSessions.get(edgeExecId);
+							if (session) {
+								const conn = edgeConnections.get(session.environmentId);
+								if (conn) {
+									try {
+										const msg = JSON.parse(message.toString());
+										if (msg.type === 'input') {
+											// Forward input to agent (using shared helper)
+											conn.ws.send(JSON.stringify(createExecInputMessage(edgeExecId, msg.data)));
+										} else if (msg.type === 'resize') {
+											// Forward resize to agent (using shared helper)
+											conn.ws.send(JSON.stringify(createExecResizeMessage(edgeExecId, msg.cols, msg.rows)));
+										}
+									} catch (e) {
+										console.error('[Terminal WS] Error handling Edge message:', e);
+									}
+								}
+							}
+							return;
+						}
+
+						// Terminal message handling (direct Docker connection)
+						if (!connId) {
+							console.log('[Terminal WS] No connId for terminal message');
+							return;
+						}
+						const d = dockerStreams.get(connId);
+						if (!d) {
+							console.log('[Terminal WS] No stream for connId:', connId, 'streams:', [...dockerStreams.keys()]);
+							return;
+						}
+						console.log('[Terminal WS] Found stream for connId:', connId);
+
+						try {
+							const msg = JSON.parse(message.toString());
+							if (msg.type === 'input' && d.stream) {
+								// Always write raw input - chunked encoding only affects reading output
+								d.stream.write(msg.data);
+							} else if (msg.type === 'resize' && d.execId) {
+								resizeExecForWs(d.execId, msg.cols, msg.rows, d.target);
+							}
+						} catch {
+							// If not JSON, treat as raw input
+							if (d.stream) {
+								d.stream.write(message);
+							}
+						}
+					},
+					close(ws) {
+						// Check if it's a Hawser connection
+						const envId = wsToEnvId.get(ws);
+						if (envId) {
+							const conn = edgeConnections.get(envId);
+							if (conn) {
+								console.log(`[Hawser WS] Agent disconnected: ${conn.agentId}`);
+								// Clear server-side ping interval
+								if (conn.pingInterval) {
+									clearInterval(conn.pingInterval);
+									conn.pingInterval = undefined;
+								}
+								// Reject pending requests
+								for (const [, pending] of conn.pendingRequests) {
+									clearTimeout(pending.timeout);
+									pending.reject(new Error('Connection closed'));
+								}
+								// Clean up pending stream requests
+								for (const [, pending] of conn.pendingStreamRequests) {
+									pending.onEnd('Connection closed');
+								}
+								edgeConnections.delete(envId);
+							}
+							wsToEnvId.delete(ws);
+							return;
+						}
+
+						// Check if it's an Edge exec session
+						const edgeExecId = (ws.data as any)?.edgeExecId;
+						if (edgeExecId) {
+							const session = edgeExecSessions.get(edgeExecId);
+							if (session) {
+								// Send exec_end to agent (using shared helper)
+								const conn = edgeConnections.get(session.environmentId);
+								if (conn) {
+									conn.ws.send(JSON.stringify(createExecEndMessage(edgeExecId)));
+								}
+								edgeExecSessions.delete(edgeExecId);
+								console.log(`[Terminal WS] Edge exec session closed: ${edgeExecId}`);
+							}
+							return;
+						}
+
+						// Terminal connection cleanup (direct Docker)
+						const connId = (ws.data as any)?.connId as string | undefined;
+						if (connId) {
+							const d = dockerStreams.get(connId);
+							if (d?.stream) {
+								d.stream.end();
+							}
+							dockerStreams.delete(connId);
+						}
+					}
+				}
+			});
+
+			console.log(`[Terminal WS] WebSocket server running on port ${WS_PORT}`);
+		}
+	};
+}
+
+// Handle Hawser Edge protocol messages
+async function handleHawserMessage(ws: any, msg: any) {
+	if (msg.type === 'hello') {
+		// Validate token using the app's hawser module
+		// For dev mode, we'll do a simplified validation
+		console.log(`[Hawser WS] Hello from agent: ${msg.agentName} (${msg.agentId})`);
+
+		// In dev mode, we need to validate the token against the database
+		const db = getDb();
+		if (!db) {
+			ws.send(JSON.stringify({ type: 'error', error: 'Database not available' }));
+			ws.close();
+			return;
+		}
+
+		// Simple token validation (in production this would use argon2 verification)
+		// For dev mode, just check if a token exists for any environment
+		const tokens = db.prepare('SELECT * FROM hawser_tokens WHERE is_active = 1').all() as any[];
+
+		// For dev mode, accept any valid token format and use the first environment with a token
+		const token = tokens.find((t: any) => msg.token && msg.token.startsWith(t.token_prefix.slice(0, 4)));
+
+		if (!token) {
+			console.log('[Hawser WS] Invalid token');
+			ws.send(JSON.stringify({ type: 'error', error: 'Invalid token' }));
+			ws.close();
+			return;
+		}
+
+		const environmentId = token.environment_id;
+
+		// Update environment with agent info
+		try {
+			db.prepare(`UPDATE environments SET
+				hawser_last_seen = datetime('now'),
+				hawser_agent_id = ?,
+				hawser_agent_name = ?,
+				hawser_version = ?,
+				hawser_capabilities = ?
+			WHERE id = ?`).run(
+				msg.agentId,
+				msg.agentName,
+				msg.version,
+				JSON.stringify(msg.capabilities || []),
+				environmentId
+			);
+		} catch (e) {
+			// Read-only DB in dev mode, ignore
+		}
+
+		// Close any existing connection for this environment
+		const existing = edgeConnections.get(environmentId);
+		if (existing) {
+			const pendingCount = existing.pendingRequests.size;
+			const streamCount = existing.pendingStreamRequests.size;
+			console.log(
+				`[Hawser WS] Replacing existing connection for environment ${environmentId}. ` +
+				`Rejecting ${pendingCount} pending requests and ${streamCount} stream requests.`
+			);
+
+			// Reject all pending requests before closing
+			for (const [requestId, pending] of existing.pendingRequests) {
+				console.log(`[Hawser WS] Rejecting pending request ${requestId} due to connection replacement`);
+				clearTimeout(pending.timeout);
+				pending.reject(new Error('Connection replaced by new agent'));
+			}
+			for (const [requestId, pending] of existing.pendingStreamRequests) {
+				console.log(`[Hawser WS] Ending stream request ${requestId} due to connection replacement`);
+				pending.onEnd?.('Connection replaced by new agent');
+			}
+			existing.pendingRequests.clear();
+			existing.pendingStreamRequests.clear();
+
+			existing.ws.close(1000, 'Replaced by new connection');
+			wsToEnvId.delete(existing.ws);
+		}
+
+		// Store connection in shared map (accessible by hawser.ts via globalThis)
+		const connection: EdgeConnection = {
+			ws,
+			environmentId,
+			agentId: msg.agentId,
+			agentName: msg.agentName,
+			agentVersion: msg.version || 'unknown',
+			dockerVersion: msg.dockerVersion || 'unknown',
+			hostname: msg.hostname || 'unknown',
+			capabilities: msg.capabilities || [],
+			connectedAt: new Date(),
+			lastHeartbeat: new Date(),
+			pendingRequests: new Map(),
+			pendingStreamRequests: new Map()
+		};
+
+		edgeConnections.set(environmentId, connection);
+		wsToEnvId.set(ws, environmentId);
+
+		// Send welcome
+		ws.send(JSON.stringify({
+			type: 'welcome',
+			environmentId,
+			message: `Welcome ${msg.agentName}! Connected to Dockhand dev server.`
+		}));
+
+		// Start server-side ping interval to keep connection alive through Traefik/proxies
+		// Traefik has ~10s idle timeout, so we ping every 5 seconds
+		connection.pingInterval = setInterval(() => {
+			try {
+				ws.send(JSON.stringify({ type: 'ping', timestamp: Date.now() }));
+			} catch (e) {
+				// Connection likely closed, clear interval
+				if (connection.pingInterval) {
+					clearInterval(connection.pingInterval);
+					connection.pingInterval = undefined;
+				}
+			}
+		}, 5000);
+
+		console.log(`[Hawser WS] Agent ${msg.agentName} connected for environment ${environmentId}`);
+	} else if (msg.type === 'ping') {
+		// Agent sent ping - respond with pong to keep connection alive
+		const envId = wsToEnvId.get(ws);
+		if (envId) {
+			const conn = edgeConnections.get(envId);
+			if (conn) {
+				conn.lastHeartbeat = new Date();
+			}
+		}
+		ws.send(JSON.stringify({ type: 'pong', timestamp: Date.now() }));
+	} else if (msg.type === 'pong') {
+		// Heartbeat response - update last seen
+		const envId = wsToEnvId.get(ws);
+		if (envId) {
+			const conn = edgeConnections.get(envId);
+			if (conn) {
+				conn.lastHeartbeat = new Date();
+			}
+		}
+	} else if (msg.type === 'response') {
+		// Response to a request we sent
+		const envId = wsToEnvId.get(ws);
+		if (envId) {
+			const conn = edgeConnections.get(envId);
+			if (conn) {
+				const pending = conn.pendingRequests.get(msg.requestId);
+				if (pending) {
+					clearTimeout(pending.timeout);
+					conn.pendingRequests.delete(msg.requestId);
+
+					// Body is now a string (either plain text/JSON or base64-encoded binary)
+					// isBinary flag indicates if base64 decoding is needed
+					pending.resolve({
+						statusCode: msg.statusCode,
+						headers: msg.headers || {},
+						body: msg.body || '',
+						isBinary: msg.isBinary || false
+					});
+				}
+			}
+		}
+	} else if (msg.type === 'stream') {
+		// Streaming data from agent
+		const envId = wsToEnvId.get(ws);
+		if (!envId) {
+			console.warn(`[Hawser WS] Stream data from unknown WebSocket, requestId=${msg.requestId}`);
+			return;
+		}
+		const conn = edgeConnections.get(envId);
+		if (!conn) {
+			console.warn(`[Hawser WS] Stream data for unknown environment ${envId}, requestId=${msg.requestId}`);
+			return;
+		}
+		const pending = conn.pendingStreamRequests?.get(msg.requestId);
+		if (!pending) {
+			console.warn(`[Hawser WS] Stream data for unknown request ${msg.requestId} on env ${envId}`);
+			return;
+		}
+		pending.onData(msg.data, msg.stream);
+	} else if (msg.type === 'stream_end') {
+		// Stream ended
+		const envId = wsToEnvId.get(ws);
+		if (!envId) {
+			console.warn(`[Hawser WS] Stream end from unknown WebSocket, requestId=${msg.requestId}`);
+			return;
+		}
+		const conn = edgeConnections.get(envId);
+		if (!conn) {
+			console.warn(`[Hawser WS] Stream end for unknown environment ${envId}, requestId=${msg.requestId}`);
+			return;
+		}
+		const pending = conn.pendingStreamRequests.get(msg.requestId);
+		if (!pending) {
+			console.warn(`[Hawser WS] Stream end for unknown request ${msg.requestId} on env ${envId}`);
+			return;
+		}
+		conn.pendingStreamRequests.delete(msg.requestId);
+		pending.onEnd(msg.reason);
+	} else if (msg.type === 'metrics') {
+		// Metrics from agent - save to database for dashboard graphs
+		const envId = wsToEnvId.get(ws);
+		if (envId && msg.metrics) {
+			if (globalThis.__hawserHandleMetrics) {
+				globalThis.__hawserHandleMetrics(envId, msg.metrics).catch((err) => {
+					console.error(`[Hawser WS] Error saving metrics:`, err);
+				});
+			}
+		}
+	} else if (msg.type === 'exec_ready') {
+		// Exec session is ready
+		const session = edgeExecSessions.get(msg.execId);
+		if (session?.ws?.readyState === 1) {
+			console.log(`[Hawser WS] Exec ready: ${msg.execId}`);
+			// Frontend doesn't need explicit ready message, it's already waiting for output
+		}
+	} else if (msg.type === 'exec_output') {
+		// Terminal output from exec session
+		const session = edgeExecSessions.get(msg.execId);
+		if (session?.ws?.readyState === 1) {
+			// Decode base64 data
+			const data = Buffer.from(msg.data, 'base64').toString('utf-8');
+			session.ws.send(JSON.stringify({ type: 'output', data }));
+		}
+	} else if (msg.type === 'exec_end') {
+		// Exec session ended
+		const session = edgeExecSessions.get(msg.execId);
+		if (session) {
+			console.log(`[Hawser WS] Exec ended: ${msg.execId} (reason: ${msg.reason})`);
+			if (session.ws?.readyState === 1) {
+				session.ws.send(JSON.stringify({ type: 'exit' }));
+				session.ws.close();
+			}
+			edgeExecSessions.delete(msg.execId);
+		}
+	} else if (msg.type === 'container_event') {
+		// Container event from edge agent
+		const envId = wsToEnvId.get(ws);
+		if (envId && msg.event) {
+			// Call the global handler registered by hawser.ts
+			if (globalThis.__hawserHandleContainerEvent) {
+				globalThis.__hawserHandleContainerEvent(envId, msg.event).catch((err) => {
+					console.error('[Hawser WS] Error handling container event:', err);
+				});
+			}
+		}
+	} else if (msg.type === 'error' && msg.requestId) {
+		// Error might be for an exec session
+		const session = edgeExecSessions.get(msg.requestId);
+		if (session?.ws?.readyState === 1) {
+			console.error(`[Hawser WS] Exec error: ${msg.error}`);
+			session.ws.send(JSON.stringify({ type: 'error', message: msg.error }));
+			session.ws.close();
+			edgeExecSessions.delete(msg.requestId);
+		}
+	}
+}
+
+export default defineConfig({
+	plugins: [bunExternals(), tailwindcss(), sveltekit(), webSocketPlugin()],
+	define: {
+		__BUILD_DATE__: JSON.stringify(new Date().toISOString()),
+		__BUILD_COMMIT__: JSON.stringify(getGitCommit()),
+		__BUILD_BRANCH__: JSON.stringify(getGitBranch()),
+		__APP_VERSION__: JSON.stringify(getGitTag())
+	},
+	optimizeDeps: {
+		include: ['lucide-svelte', '@xterm/xterm', '@xterm/addon-fit']
+	},
+	build: {
+		target: 'esnext',
+		minify: 'esbuild',
+		sourcemap: false,
+		rollupOptions: {
+			external: [/^bun:/]
+		}
+	},
+	ssr: {
+		external: [/^bun:/]
+	}
+});