Initial commit

routes/api/git/credentials/+server.ts

@@ -0,0 +1,88 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import {
+	getGitCredentials,
+	createGitCredential,
+	type GitAuthType
+} from '$lib/server/db';
+import { authorize } from '$lib/server/authorize';
+
+export const GET: RequestHandler = async ({ cookies }) => {
+	const auth = await authorize(cookies);
+	if (auth.authEnabled && !await auth.can('git', 'view')) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	try {
+		const credentials = await getGitCredentials();
+		// Don't expose sensitive data in list view
+		const sanitized = credentials.map(cred => ({
+			id: cred.id,
+			name: cred.name,
+			authType: cred.authType,
+			username: cred.username,
+			hasPassword: !!cred.password,
+			hasSshKey: !!cred.sshPrivateKey,
+			createdAt: cred.createdAt,
+			updatedAt: cred.updatedAt
+		}));
+		return json(sanitized);
+	} catch (error) {
+		console.error('Failed to get git credentials:', error);
+		return json({ error: 'Failed to get git credentials' }, { status: 500 });
+	}
+};
+
+export const POST: RequestHandler = async ({ request, cookies }) => {
+	const auth = await authorize(cookies);
+	if (auth.authEnabled && !await auth.can('git', 'create')) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	try {
+		const data = await request.json();
+
+		if (!data.name || typeof data.name !== 'string') {
+			return json({ error: 'Name is required' }, { status: 400 });
+		}
+
+		const authType = (data.authType || 'none') as GitAuthType;
+		if (!['none', 'password', 'ssh'].includes(authType)) {
+			return json({ error: 'Invalid auth type' }, { status: 400 });
+		}
+
+		if (authType === 'password' && !data.password) {
+			return json({ error: 'Password is required for password authentication' }, { status: 400 });
+		}
+
+		if (authType === 'ssh' && !data.sshPrivateKey) {
+			return json({ error: 'SSH private key is required for SSH authentication' }, { status: 400 });
+		}
+
+		const credential = await createGitCredential({
+			name: data.name,
+			authType,
+			username: data.username,
+			password: data.password,
+			sshPrivateKey: data.sshPrivateKey,
+			sshPassphrase: data.sshPassphrase
+		});
+
+		return json({
+			id: credential.id,
+			name: credential.name,
+			authType: credential.authType,
+			username: credential.username,
+			hasPassword: !!credential.password,
+			hasSshKey: !!credential.sshPrivateKey,
+			createdAt: credential.createdAt,
+			updatedAt: credential.updatedAt
+		});
+	} catch (error: any) {
+		console.error('Failed to create git credential:', error);
+		if (error.message?.includes('UNIQUE constraint failed')) {
+			return json({ error: 'A credential with this name already exists' }, { status: 400 });
+		}
+		return json({ error: 'Failed to create git credential' }, { status: 500 });
+	}
+};

routes/api/git/credentials/[id]/+server.ts

@@ -0,0 +1,122 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import {
+	getGitCredential,
+	updateGitCredential,
+	deleteGitCredential,
+	type GitAuthType
+} from '$lib/server/db';
+import { authorize } from '$lib/server/authorize';
+
+export const GET: RequestHandler = async ({ params, cookies }) => {
+	const auth = await authorize(cookies);
+	if (auth.authEnabled && !await auth.can('git', 'view')) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	try {
+		const id = parseInt(params.id);
+		if (isNaN(id)) {
+			return json({ error: 'Invalid credential ID' }, { status: 400 });
+		}
+
+		const credential = await getGitCredential(id);
+		if (!credential) {
+			return json({ error: 'Credential not found' }, { status: 404 });
+		}
+
+		// Don't expose sensitive data
+		return json({
+			id: credential.id,
+			name: credential.name,
+			authType: credential.authType,
+			username: credential.username,
+			hasPassword: !!credential.password,
+			hasSshKey: !!credential.sshPrivateKey,
+			createdAt: credential.createdAt,
+			updatedAt: credential.updatedAt
+		});
+	} catch (error) {
+		console.error('Failed to get git credential:', error);
+		return json({ error: 'Failed to get git credential' }, { status: 500 });
+	}
+};
+
+export const PUT: RequestHandler = async ({ params, request, cookies }) => {
+	const auth = await authorize(cookies);
+	if (auth.authEnabled && !await auth.can('git', 'edit')) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	try {
+		const id = parseInt(params.id);
+		if (isNaN(id)) {
+			return json({ error: 'Invalid credential ID' }, { status: 400 });
+		}
+
+		const existing = await getGitCredential(id);
+		if (!existing) {
+			return json({ error: 'Credential not found' }, { status: 404 });
+		}
+
+		const data = await request.json();
+
+		if (data.authType && !['none', 'password', 'ssh'].includes(data.authType)) {
+			return json({ error: 'Invalid auth type' }, { status: 400 });
+		}
+
+		const credential = await updateGitCredential(id, {
+			name: data.name,
+			authType: data.authType as GitAuthType,
+			username: data.username,
+			password: data.password,
+			sshPrivateKey: data.sshPrivateKey,
+			sshPassphrase: data.sshPassphrase
+		});
+
+		if (!credential) {
+			return json({ error: 'Failed to update credential' }, { status: 500 });
+		}
+
+		return json({
+			id: credential.id,
+			name: credential.name,
+			authType: credential.authType,
+			username: credential.username,
+			hasPassword: !!credential.password,
+			hasSshKey: !!credential.sshPrivateKey,
+			createdAt: credential.createdAt,
+			updatedAt: credential.updatedAt
+		});
+	} catch (error: any) {
+		console.error('Failed to update git credential:', error);
+		if (error.message?.includes('UNIQUE constraint failed')) {
+			return json({ error: 'A credential with this name already exists' }, { status: 400 });
+		}
+		return json({ error: 'Failed to update git credential' }, { status: 500 });
+	}
+};
+
+export const DELETE: RequestHandler = async ({ params, cookies }) => {
+	const auth = await authorize(cookies);
+	if (auth.authEnabled && !await auth.can('git', 'delete')) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	try {
+		const id = parseInt(params.id);
+		if (isNaN(id)) {
+			return json({ error: 'Invalid credential ID' }, { status: 400 });
+		}
+
+		const deleted = await deleteGitCredential(id);
+		if (!deleted) {
+			return json({ error: 'Credential not found' }, { status: 404 });
+		}
+
+		return json({ success: true });
+	} catch (error) {
+		console.error('Failed to delete git credential:', error);
+		return json({ error: 'Failed to delete git credential' }, { status: 500 });
+	}
+};

routes/api/git/repositories/+server.ts

@@ -0,0 +1,70 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import {
+	getGitRepositories,
+	createGitRepository,
+	getGitCredentials
+} from '$lib/server/db';
+import { authorize } from '$lib/server/authorize';
+
+export const GET: RequestHandler = async ({ url, cookies }) => {
+	const auth = await authorize(cookies);
+	if (auth.authEnabled && !await auth.can('git', 'view')) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	try {
+		// Note: envId parameter is kept for backwards compatibility but repositories
+		// are now global (not tied to environments). Use git stacks for env-specific deployments.
+		const repositories = await getGitRepositories();
+		return json(repositories);
+	} catch (error) {
+		console.error('Failed to get git repositories:', error);
+		return json({ error: 'Failed to get git repositories' }, { status: 500 });
+	}
+};
+
+export const POST: RequestHandler = async ({ request, cookies }) => {
+	const auth = await authorize(cookies);
+	if (auth.authEnabled && !await auth.can('git', 'create')) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	try {
+		const data = await request.json();
+
+		if (!data.name || typeof data.name !== 'string') {
+			return json({ error: 'Name is required' }, { status: 400 });
+		}
+
+		if (!data.url || typeof data.url !== 'string') {
+			return json({ error: 'Repository URL is required' }, { status: 400 });
+		}
+
+		// Validate credential if provided
+		if (data.credentialId) {
+			const credentials = await getGitCredentials();
+			const credential = credentials.find(c => c.id === data.credentialId);
+			if (!credential) {
+				return json({ error: 'Invalid credential ID' }, { status: 400 });
+			}
+		}
+
+		// Create repository with just the basic fields
+		// Deployment-specific config (composePath, autoUpdate, webhook) now belongs to git_stacks
+		const repository = await createGitRepository({
+			name: data.name,
+			url: data.url,
+			branch: data.branch || 'main',
+			credentialId: data.credentialId || null
+		});
+
+		return json(repository);
+	} catch (error: any) {
+		console.error('Failed to create git repository:', error);
+		if (error.message?.includes('UNIQUE constraint failed')) {
+			return json({ error: 'A repository with this name already exists' }, { status: 400 });
+		}
+		return json({ error: 'Failed to create git repository' }, { status: 500 });
+	}
+};

routes/api/git/repositories/[id]/+server.ts

@@ -0,0 +1,112 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import {
+	getGitRepository,
+	updateGitRepository,
+	deleteGitRepository,
+	getGitCredentials
+} from '$lib/server/db';
+import { deleteRepositoryFiles } from '$lib/server/git';
+import { authorize } from '$lib/server/authorize';
+
+export const GET: RequestHandler = async ({ params, cookies }) => {
+	const auth = await authorize(cookies);
+	if (auth.authEnabled && !await auth.can('git', 'view')) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	try {
+		const id = parseInt(params.id);
+		if (isNaN(id)) {
+			return json({ error: 'Invalid repository ID' }, { status: 400 });
+		}
+
+		const repository = await getGitRepository(id);
+		if (!repository) {
+			return json({ error: 'Repository not found' }, { status: 404 });
+		}
+
+		return json(repository);
+	} catch (error) {
+		console.error('Failed to get git repository:', error);
+		return json({ error: 'Failed to get git repository' }, { status: 500 });
+	}
+};
+
+export const PUT: RequestHandler = async ({ params, request, cookies }) => {
+	const auth = await authorize(cookies);
+	if (auth.authEnabled && !await auth.can('git', 'edit')) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	try {
+		const id = parseInt(params.id);
+		if (isNaN(id)) {
+			return json({ error: 'Invalid repository ID' }, { status: 400 });
+		}
+
+		const existing = await getGitRepository(id);
+		if (!existing) {
+			return json({ error: 'Repository not found' }, { status: 404 });
+		}
+
+		const data = await request.json();
+
+		// Validate credential if provided
+		if (data.credentialId) {
+			const credentials = await getGitCredentials();
+			const credential = credentials.find(c => c.id === data.credentialId);
+			if (!credential) {
+				return json({ error: 'Invalid credential ID' }, { status: 400 });
+			}
+		}
+
+		// Update only the basic repository fields
+		// Deployment-specific config (composePath, autoUpdate, webhook) now belongs to git_stacks
+		const repository = await updateGitRepository(id, {
+			name: data.name,
+			url: data.url,
+			branch: data.branch,
+			credentialId: data.credentialId
+		});
+
+		if (!repository) {
+			return json({ error: 'Failed to update repository' }, { status: 500 });
+		}
+
+		return json(repository);
+	} catch (error: any) {
+		console.error('Failed to update git repository:', error);
+		if (error.message?.includes('UNIQUE constraint failed')) {
+			return json({ error: 'A repository with this name already exists' }, { status: 400 });
+		}
+		return json({ error: 'Failed to update git repository' }, { status: 500 });
+	}
+};
+
+export const DELETE: RequestHandler = async ({ params, cookies }) => {
+	const auth = await authorize(cookies);
+	if (auth.authEnabled && !await auth.can('git', 'delete')) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	try {
+		const id = parseInt(params.id);
+		if (isNaN(id)) {
+			return json({ error: 'Invalid repository ID' }, { status: 400 });
+		}
+
+		// Delete repository files first
+		deleteRepositoryFiles(id);
+
+		const deleted = await deleteGitRepository(id);
+		if (!deleted) {
+			return json({ error: 'Repository not found' }, { status: 404 });
+		}
+
+		return json({ success: true });
+	} catch (error) {
+		console.error('Failed to delete git repository:', error);
+		return json({ error: 'Failed to delete git repository' }, { status: 500 });
+	}
+};

routes/api/git/repositories/[id]/deploy/+server.ts

@@ -0,0 +1,24 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { getGitRepository } from '$lib/server/db';
+import { deployFromRepository } from '$lib/server/git';
+
+export const POST: RequestHandler = async ({ params }) => {
+	try {
+		const id = parseInt(params.id);
+		if (isNaN(id)) {
+			return json({ error: 'Invalid repository ID' }, { status: 400 });
+		}
+
+		const repository = await getGitRepository(id);
+		if (!repository) {
+			return json({ error: 'Repository not found' }, { status: 404 });
+		}
+
+		const result = await deployFromRepository(id);
+		return json(result);
+	} catch (error: any) {
+		console.error('Failed to deploy from git repository:', error);
+		return json({ success: false, error: error.message }, { status: 500 });
+	}
+};

routes/api/git/repositories/[id]/sync/+server.ts

@@ -0,0 +1,45 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { getGitRepository } from '$lib/server/db';
+import { syncRepository, checkForUpdates } from '$lib/server/git';
+
+export const POST: RequestHandler = async ({ params }) => {
+	try {
+		const id = parseInt(params.id);
+		if (isNaN(id)) {
+			return json({ error: 'Invalid repository ID' }, { status: 400 });
+		}
+
+		const repository = await getGitRepository(id);
+		if (!repository) {
+			return json({ error: 'Repository not found' }, { status: 404 });
+		}
+
+		const result = await syncRepository(id);
+		return json(result);
+	} catch (error: any) {
+		console.error('Failed to sync git repository:', error);
+		return json({ success: false, error: error.message }, { status: 500 });
+	}
+};
+
+export const GET: RequestHandler = async ({ params }) => {
+	// Check for updates without syncing
+	try {
+		const id = parseInt(params.id);
+		if (isNaN(id)) {
+			return json({ error: 'Invalid repository ID' }, { status: 400 });
+		}
+
+		const repository = await getGitRepository(id);
+		if (!repository) {
+			return json({ error: 'Repository not found' }, { status: 404 });
+		}
+
+		const result = await checkForUpdates(id);
+		return json(result);
+	} catch (error: any) {
+		console.error('Failed to check for updates:', error);
+		return json({ hasUpdates: false, error: error.message }, { status: 500 });
+	}
+};

routes/api/git/repositories/[id]/test/+server.ts

@@ -0,0 +1,24 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { getGitRepository } from '$lib/server/db';
+import { testRepository } from '$lib/server/git';
+
+export const POST: RequestHandler = async ({ params }) => {
+	try {
+		const id = parseInt(params.id);
+		if (isNaN(id)) {
+			return json({ error: 'Invalid repository ID' }, { status: 400 });
+		}
+
+		const repository = await getGitRepository(id);
+		if (!repository) {
+			return json({ error: 'Repository not found' }, { status: 404 });
+		}
+
+		const result = await testRepository(id);
+		return json(result);
+	} catch (error: any) {
+		console.error('Failed to test git repository:', error);
+		return json({ success: false, error: error.message }, { status: 500 });
+	}
+};

routes/api/git/repositories/test/+server.ts

@@ -0,0 +1,41 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { testRepositoryConfig } from '$lib/server/git';
+import { authorize } from '$lib/server/authorize';
+
+/**
+ * POST /api/git/repositories/test
+ * Test a git repository configuration before saving.
+ * Uses stored credentials via credentialId.
+ *
+ * Body: {
+ *   url: string;           // Repository URL to test
+ *   branch: string;        // Branch name to verify
+ *   credentialId?: number; // Optional credential ID from database
+ * }
+ */
+export const POST: RequestHandler = async ({ request, cookies }) => {
+	const auth = await authorize(cookies);
+	if (auth.authEnabled && !await auth.can('settings', 'manage')) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	try {
+		const body = await request.json();
+
+		if (!body.url || typeof body.url !== 'string') {
+			return json({ error: 'Repository URL is required' }, { status: 400 });
+		}
+
+		const result = await testRepositoryConfig({
+			url: body.url,
+			branch: body.branch || 'main',
+			credentialId: body.credentialId ?? null
+		});
+
+		return json(result);
+	} catch (error) {
+		console.error('Failed to test repository:', error);
+		return json({ success: false, error: 'Failed to test repository' }, { status: 500 });
+	}
+};

routes/api/git/stacks/+server.ts

@@ -0,0 +1,144 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import {
+	getGitStacks,
+	createGitStack,
+	getGitCredentials,
+	getGitRepository,
+	createGitRepository,
+	upsertStackSource
+} from '$lib/server/db';
+import { deployGitStack } from '$lib/server/git';
+import { authorize } from '$lib/server/authorize';
+import { registerSchedule } from '$lib/server/scheduler';
+import crypto from 'node:crypto';
+
+export const GET: RequestHandler = async ({ url, cookies }) => {
+	const auth = await authorize(cookies);
+
+	const envId = url.searchParams.get('env');
+	const envIdNum = envId ? parseInt(envId) : undefined;
+
+	// Permission check with environment context
+	if (auth.authEnabled && !await auth.can('stacks', 'view', envIdNum)) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	try {
+
+		const stacks = await getGitStacks(envIdNum);
+		return json(stacks);
+	} catch (error) {
+		console.error('Failed to get git stacks:', error);
+		return json({ error: 'Failed to get git stacks' }, { status: 500 });
+	}
+};
+
+export const POST: RequestHandler = async ({ request, cookies }) => {
+	const auth = await authorize(cookies);
+
+	try {
+		const data = await request.json();
+
+		// Permission check with environment context
+		if (auth.authEnabled && !await auth.can('stacks', 'create', data.environmentId || undefined)) {
+			return json({ error: 'Permission denied' }, { status: 403 });
+		}
+
+		if (!data.stackName || typeof data.stackName !== 'string') {
+			return json({ error: 'Stack name is required' }, { status: 400 });
+		}
+
+		// Either repositoryId or new repo details (url, branch) must be provided
+		let repositoryId = data.repositoryId;
+
+		if (!repositoryId) {
+			// Create a new repository if URL is provided
+			if (!data.url || typeof data.url !== 'string') {
+				return json({ error: 'Repository URL or existing repository ID is required' }, { status: 400 });
+			}
+
+			// Validate credential if provided
+			if (data.credentialId) {
+				const credentials = await getGitCredentials();
+				const credential = credentials.find(c => c.id === data.credentialId);
+				if (!credential) {
+					return json({ error: 'Invalid credential ID' }, { status: 400 });
+				}
+			}
+
+			// Create the repository first
+			const repoName = data.repoName || data.stackName;
+			try {
+				const repo = await createGitRepository({
+					name: repoName,
+					url: data.url,
+					branch: data.branch || 'main',
+					credentialId: data.credentialId || null
+				});
+				repositoryId = repo.id;
+			} catch (error: any) {
+				if (error.message?.includes('UNIQUE constraint failed')) {
+					return json({ error: 'A repository with this name already exists' }, { status: 400 });
+				}
+				throw error;
+			}
+		} else {
+			// Verify repository exists
+			const repo = await getGitRepository(repositoryId);
+			if (!repo) {
+				return json({ error: 'Repository not found' }, { status: 400 });
+			}
+		}
+
+		// Generate webhook secret if webhook is enabled
+		let webhookSecret = data.webhookSecret;
+		if (data.webhookEnabled && !webhookSecret) {
+			webhookSecret = crypto.randomBytes(32).toString('hex');
+		}
+
+		const gitStack = await createGitStack({
+			stackName: data.stackName,
+			environmentId: data.environmentId || null,
+			repositoryId: repositoryId,
+			composePath: data.composePath || 'docker-compose.yml',
+			envFilePath: data.envFilePath || null,
+			autoUpdate: data.autoUpdate || false,
+			autoUpdateSchedule: data.autoUpdateSchedule || 'daily',
+			autoUpdateCron: data.autoUpdateCron || '0 3 * * *',
+			webhookEnabled: data.webhookEnabled || false,
+			webhookSecret: webhookSecret
+		});
+
+		// Create stack_sources entry so the stack appears in the list immediately
+		await upsertStackSource({
+			stackName: data.stackName,
+			environmentId: data.environmentId || null,
+			sourceType: 'git',
+			gitRepositoryId: repositoryId,
+			gitStackId: gitStack.id
+		});
+
+		// Register schedule with croner if auto-update is enabled
+		if (gitStack.autoUpdate && gitStack.autoUpdateCron) {
+			await registerSchedule(gitStack.id, 'git_stack_sync', gitStack.environmentId);
+		}
+
+		// If deployNow is set, deploy immediately
+		if (data.deployNow) {
+			const deployResult = await deployGitStack(gitStack.id);
+			return json({
+				...gitStack,
+				deployResult: deployResult
+			});
+		}
+
+		return json(gitStack);
+	} catch (error: any) {
+		console.error('Failed to create git stack:', error);
+		if (error.message?.includes('UNIQUE constraint failed')) {
+			return json({ error: 'A git stack with this name already exists for this environment' }, { status: 400 });
+		}
+		return json({ error: 'Failed to create git stack' }, { status: 500 });
+	}
+};

routes/api/git/stacks/[id]/+server.ts

@@ -0,0 +1,112 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { getGitStack, updateGitStack, deleteGitStack } from '$lib/server/db';
+import { deleteGitStackFiles, deployGitStack } from '$lib/server/git';
+import { authorize } from '$lib/server/authorize';
+import { registerSchedule, unregisterSchedule } from '$lib/server/scheduler';
+
+export const GET: RequestHandler = async ({ params, cookies }) => {
+	const auth = await authorize(cookies);
+
+	try {
+		const id = parseInt(params.id);
+		const gitStack = await getGitStack(id);
+		if (!gitStack) {
+			return json({ error: 'Git stack not found' }, { status: 404 });
+		}
+
+		// Permission check with environment context
+		if (auth.authEnabled && !await auth.can('stacks', 'view', gitStack.environmentId || undefined)) {
+			return json({ error: 'Permission denied' }, { status: 403 });
+		}
+
+		return json(gitStack);
+	} catch (error) {
+		console.error('Failed to get git stack:', error);
+		return json({ error: 'Failed to get git stack' }, { status: 500 });
+	}
+};
+
+export const PUT: RequestHandler = async ({ params, request, cookies }) => {
+	const auth = await authorize(cookies);
+
+	try {
+		const id = parseInt(params.id);
+		const existing = await getGitStack(id);
+		if (!existing) {
+			return json({ error: 'Git stack not found' }, { status: 404 });
+		}
+
+		// Permission check with environment context
+		if (auth.authEnabled && !await auth.can('stacks', 'edit', existing.environmentId || undefined)) {
+			return json({ error: 'Permission denied' }, { status: 403 });
+		}
+
+		const data = await request.json();
+		const updated = await updateGitStack(id, {
+			stackName: data.stackName,
+			composePath: data.composePath,
+			envFilePath: data.envFilePath,
+			autoUpdate: data.autoUpdate,
+			autoUpdateSchedule: data.autoUpdateSchedule,
+			autoUpdateCron: data.autoUpdateCron,
+			webhookEnabled: data.webhookEnabled,
+			webhookSecret: data.webhookSecret
+		});
+
+		// Register or unregister schedule with croner
+		if (updated.autoUpdate && updated.autoUpdateCron) {
+			await registerSchedule(id, 'git_stack_sync', updated.environmentId);
+		} else {
+			unregisterSchedule(id, 'git_stack_sync');
+		}
+
+		// If deployNow is set, deploy after saving
+		if (data.deployNow) {
+			const deployResult = await deployGitStack(id);
+			return json({
+				...updated,
+				deployResult
+			});
+		}
+
+		return json(updated);
+	} catch (error: any) {
+		console.error('Failed to update git stack:', error);
+		if (error.message?.includes('UNIQUE constraint failed')) {
+			return json({ error: 'A git stack with this name already exists for this environment' }, { status: 400 });
+		}
+		return json({ error: 'Failed to update git stack' }, { status: 500 });
+	}
+};
+
+export const DELETE: RequestHandler = async ({ params, cookies }) => {
+	const auth = await authorize(cookies);
+
+	try {
+		const id = parseInt(params.id);
+		const existing = await getGitStack(id);
+		if (!existing) {
+			return json({ error: 'Git stack not found' }, { status: 404 });
+		}
+
+		// Permission check with environment context
+		if (auth.authEnabled && !await auth.can('stacks', 'remove', existing.environmentId || undefined)) {
+			return json({ error: 'Permission denied' }, { status: 403 });
+		}
+
+		// Unregister schedule from croner
+		unregisterSchedule(id, 'git_stack_sync');
+
+		// Delete git files first
+		deleteGitStackFiles(id);
+
+		// Delete from database
+		await deleteGitStack(id);
+
+		return json({ success: true });
+	} catch (error) {
+		console.error('Failed to delete git stack:', error);
+		return json({ error: 'Failed to delete git stack' }, { status: 500 });
+	}
+};

routes/api/git/stacks/[id]/deploy-stream/+server.ts

@@ -0,0 +1,54 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { getGitStack } from '$lib/server/db';
+import { deployGitStackWithProgress } from '$lib/server/git';
+import { authorize } from '$lib/server/authorize';
+
+export const POST: RequestHandler = async ({ params, cookies }) => {
+	const auth = await authorize(cookies);
+
+	const id = parseInt(params.id);
+	const gitStack = await getGitStack(id);
+
+	if (!gitStack) {
+		return new Response(JSON.stringify({ error: 'Git stack not found' }), {
+			status: 404,
+			headers: { 'Content-Type': 'application/json' }
+		});
+	}
+
+	// Permission check with environment context
+	if (auth.authEnabled && !await auth.can('stacks', 'start', gitStack.environmentId || undefined)) {
+		return new Response(JSON.stringify({ error: 'Permission denied' }), {
+			status: 403,
+			headers: { 'Content-Type': 'application/json' }
+		});
+	}
+
+	// Create a readable stream for SSE
+	const stream = new ReadableStream({
+		async start(controller) {
+			const encoder = new TextEncoder();
+
+			const sendEvent = (data: any) => {
+				controller.enqueue(encoder.encode(`data: ${JSON.stringify(data)}\n\n`));
+			};
+
+			try {
+				await deployGitStackWithProgress(id, sendEvent);
+			} catch (error: any) {
+				sendEvent({ status: 'error', error: error.message || 'Unknown error' });
+			} finally {
+				controller.close();
+			}
+		}
+	});
+
+	return new Response(stream, {
+		headers: {
+			'Content-Type': 'text/event-stream',
+			'Cache-Control': 'no-cache',
+			'Connection': 'keep-alive'
+		}
+	});
+};

routes/api/git/stacks/[id]/deploy/+server.ts

@@ -0,0 +1,28 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { getGitStack } from '$lib/server/db';
+import { deployGitStack } from '$lib/server/git';
+import { authorize } from '$lib/server/authorize';
+
+export const POST: RequestHandler = async ({ params, cookies }) => {
+	const auth = await authorize(cookies);
+
+	try {
+		const id = parseInt(params.id);
+		const gitStack = await getGitStack(id);
+		if (!gitStack) {
+			return json({ error: 'Git stack not found' }, { status: 404 });
+		}
+
+		// Permission check with environment context
+		if (auth.authEnabled && !await auth.can('stacks', 'start', gitStack.environmentId || undefined)) {
+			return json({ error: 'Permission denied' }, { status: 403 });
+		}
+
+		const result = await deployGitStack(id);
+		return json(result);
+	} catch (error) {
+		console.error('Failed to deploy git stack:', error);
+		return json({ error: 'Failed to deploy git stack' }, { status: 500 });
+	}
+};

routes/api/git/stacks/[id]/env-files/+server.ts

@@ -0,0 +1,75 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { getGitStack } from '$lib/server/db';
+import { listGitStackEnvFiles, readGitStackEnvFile } from '$lib/server/git';
+import { authorize } from '$lib/server/authorize';
+
+/**
+ * GET /api/git/stacks/[id]/env-files
+ * List all .env files in the git stack's repository.
+ * Returns: { files: string[] }
+ */
+export const GET: RequestHandler = async ({ params, cookies }) => {
+	const auth = await authorize(cookies);
+
+	try {
+		const id = parseInt(params.id);
+		const gitStack = await getGitStack(id);
+		if (!gitStack) {
+			return json({ error: 'Git stack not found' }, { status: 404 });
+		}
+
+		// Permission check with environment context
+		if (auth.authEnabled && !await auth.can('stacks', 'view', gitStack.environmentId || undefined)) {
+			return json({ error: 'Permission denied' }, { status: 403 });
+		}
+
+		const result = await listGitStackEnvFiles(id);
+		if (result.error) {
+			return json({ files: [], error: result.error }, { status: 400 });
+		}
+
+		return json({ files: result.files });
+	} catch (error) {
+		console.error('Failed to list env files:', error);
+		return json({ error: 'Failed to list env files' }, { status: 500 });
+	}
+};
+
+/**
+ * POST /api/git/stacks/[id]/env-files
+ * Read and parse a specific .env file from the git stack's repository.
+ * Body: { path: string }
+ * Returns: { vars: Record<string, string> }
+ */
+export const POST: RequestHandler = async ({ params, cookies, request }) => {
+	const auth = await authorize(cookies);
+
+	try {
+		const id = parseInt(params.id);
+		const gitStack = await getGitStack(id);
+		if (!gitStack) {
+			return json({ error: 'Git stack not found' }, { status: 404 });
+		}
+
+		// Permission check with environment context
+		if (auth.authEnabled && !await auth.can('stacks', 'view', gitStack.environmentId || undefined)) {
+			return json({ error: 'Permission denied' }, { status: 403 });
+		}
+
+		const body = await request.json();
+		if (!body.path || typeof body.path !== 'string') {
+			return json({ error: 'File path is required' }, { status: 400 });
+		}
+
+		const result = await readGitStackEnvFile(id, body.path);
+		if (result.error) {
+			return json({ vars: {}, error: result.error }, { status: 400 });
+		}
+
+		return json({ vars: result.vars });
+	} catch (error) {
+		console.error('Failed to read env file:', error);
+		return json({ error: 'Failed to read env file' }, { status: 500 });
+	}
+};

routes/api/git/stacks/[id]/sync/+server.ts

@@ -0,0 +1,28 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { getGitStack } from '$lib/server/db';
+import { syncGitStack } from '$lib/server/git';
+import { authorize } from '$lib/server/authorize';
+
+export const POST: RequestHandler = async ({ params, cookies }) => {
+	const auth = await authorize(cookies);
+
+	try {
+		const id = parseInt(params.id);
+		const gitStack = await getGitStack(id);
+		if (!gitStack) {
+			return json({ error: 'Git stack not found' }, { status: 404 });
+		}
+
+		// Permission check with environment context
+		if (auth.authEnabled && !await auth.can('stacks', 'edit', gitStack.environmentId || undefined)) {
+			return json({ error: 'Permission denied' }, { status: 403 });
+		}
+
+		const result = await syncGitStack(id);
+		return json(result);
+	} catch (error) {
+		console.error('Failed to sync git stack:', error);
+		return json({ error: 'Failed to sync git stack' }, { status: 500 });
+	}
+};

routes/api/git/stacks/[id]/test/+server.ts

@@ -0,0 +1,28 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { getGitStack } from '$lib/server/db';
+import { testGitStack } from '$lib/server/git';
+import { authorize } from '$lib/server/authorize';
+
+export const POST: RequestHandler = async ({ params, cookies }) => {
+	const auth = await authorize(cookies);
+
+	try {
+		const id = parseInt(params.id);
+		const gitStack = await getGitStack(id);
+		if (!gitStack) {
+			return json({ error: 'Git stack not found' }, { status: 404 });
+		}
+
+		// Permission check with environment context
+		if (auth.authEnabled && !await auth.can('stacks', 'view', gitStack.environmentId || undefined)) {
+			return json({ error: 'Permission denied' }, { status: 403 });
+		}
+
+		const result = await testGitStack(id);
+		return json(result);
+	} catch (error) {
+		console.error('Failed to test git stack:', error);
+		return json({ error: 'Failed to test git stack' }, { status: 500 });
+	}
+};

routes/api/git/stacks/[id]/webhook/+server.ts

@@ -0,0 +1,97 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { getGitStack } from '$lib/server/db';
+import { deployGitStack } from '$lib/server/git';
+import crypto from 'node:crypto';
+
+function verifySignature(payload: string, signature: string | null, secret: string): boolean {
+	if (!signature) return false;
+
+	// Support both GitHub and GitLab webhook signatures
+	// GitHub: sha256=<hash>
+	// GitLab: just the token value in X-Gitlab-Token header
+
+	if (signature.startsWith('sha256=')) {
+		const expectedSignature = 'sha256=' + crypto
+			.createHmac('sha256', secret)
+			.update(payload)
+			.digest('hex');
+		return crypto.timingSafeEqual(
+			Buffer.from(signature),
+			Buffer.from(expectedSignature)
+		);
+	}
+
+	// GitLab uses X-Gitlab-Token which should match exactly
+	return signature === secret;
+}
+
+export const POST: RequestHandler = async ({ params, request }) => {
+	try {
+		const id = parseInt(params.id);
+		if (isNaN(id)) {
+			return json({ error: 'Invalid stack ID' }, { status: 400 });
+		}
+
+		const gitStack = await getGitStack(id);
+		if (!gitStack) {
+			return json({ error: 'Git stack not found' }, { status: 404 });
+		}
+
+		if (!gitStack.webhookEnabled) {
+			return json({ error: 'Webhook is not enabled for this stack' }, { status: 403 });
+		}
+
+		// Verify webhook secret if set
+		if (gitStack.webhookSecret) {
+			const payload = await request.text();
+			const githubSignature = request.headers.get('x-hub-signature-256');
+			const gitlabToken = request.headers.get('x-gitlab-token');
+
+			const signature = githubSignature || gitlabToken;
+
+			if (!verifySignature(payload, signature, gitStack.webhookSecret)) {
+				return json({ error: 'Invalid webhook signature' }, { status: 401 });
+			}
+		}
+
+		// Deploy the git stack (syncs and deploys only if there are changes)
+		const result = await deployGitStack(id, { force: false });
+		return json(result);
+	} catch (error: any) {
+		console.error('Webhook error:', error);
+		return json({ success: false, error: error.message }, { status: 500 });
+	}
+};
+
+// Also support GET for simple polling/manual triggers
+export const GET: RequestHandler = async ({ params, url }) => {
+	try {
+		const id = parseInt(params.id);
+		if (isNaN(id)) {
+			return json({ error: 'Invalid stack ID' }, { status: 400 });
+		}
+
+		const gitStack = await getGitStack(id);
+		if (!gitStack) {
+			return json({ error: 'Git stack not found' }, { status: 404 });
+		}
+
+		if (!gitStack.webhookEnabled) {
+			return json({ error: 'Webhook is not enabled for this stack' }, { status: 403 });
+		}
+
+		// Verify secret via query parameter for GET requests
+		const secret = url.searchParams.get('secret');
+		if (gitStack.webhookSecret && secret !== gitStack.webhookSecret) {
+			return json({ error: 'Invalid webhook secret' }, { status: 401 });
+		}
+
+		// Deploy the git stack (syncs and deploys only if there are changes)
+		const result = await deployGitStack(id, { force: false });
+		return json(result);
+	} catch (error: any) {
+		console.error('Webhook GET error:', error);
+		return json({ success: false, error: error.message }, { status: 500 });
+	}
+};

routes/api/git/webhook/[id]/+server.ts

@@ -0,0 +1,103 @@
+import { json, text } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { getGitRepository } from '$lib/server/db';
+import { deployFromRepository } from '$lib/server/git';
+import crypto from 'node:crypto';
+
+function verifySignature(payload: string, signature: string | null, secret: string): boolean {
+	if (!signature) return false;
+
+	// Support both GitHub and GitLab webhook signatures
+	// GitHub: sha256=<hash>
+	// GitLab: just the token value in X-Gitlab-Token header
+
+	if (signature.startsWith('sha256=')) {
+		const expectedSignature = 'sha256=' + crypto
+			.createHmac('sha256', secret)
+			.update(payload)
+			.digest('hex');
+		return crypto.timingSafeEqual(
+			Buffer.from(signature),
+			Buffer.from(expectedSignature)
+		);
+	}
+
+	// GitLab uses X-Gitlab-Token which should match exactly
+	return signature === secret;
+}
+
+export const POST: RequestHandler = async ({ params, request }) => {
+	try {
+		const id = parseInt(params.id);
+		if (isNaN(id)) {
+			return json({ error: 'Invalid repository ID' }, { status: 400 });
+		}
+
+		const repository = await getGitRepository(id);
+		if (!repository) {
+			return json({ error: 'Repository not found' }, { status: 404 });
+		}
+
+		if (!repository.webhookEnabled) {
+			return json({ error: 'Webhook is not enabled for this repository' }, { status: 403 });
+		}
+
+		// Verify webhook secret if set
+		if (repository.webhookSecret) {
+			const payload = await request.text();
+			const githubSignature = request.headers.get('x-hub-signature-256');
+			const gitlabToken = request.headers.get('x-gitlab-token');
+
+			const signature = githubSignature || gitlabToken;
+
+			if (!verifySignature(payload, signature, repository.webhookSecret)) {
+				return json({ error: 'Invalid webhook signature' }, { status: 401 });
+			}
+		}
+
+		// Optionally check which branch was pushed (for GitHub)
+		// const body = await request.json();
+		// if (body.ref && body.ref !== `refs/heads/${repository.branch}`) {
+		//   return json({ message: 'Push was not to tracked branch, skipping' });
+		// }
+
+		// Deploy from repository
+		const result = await deployFromRepository(id);
+		return json(result);
+	} catch (error: any) {
+		console.error('Webhook error:', error);
+		return json({ success: false, error: error.message }, { status: 500 });
+	}
+};
+
+// Also support GET for simple polling/manual triggers
+export const GET: RequestHandler = async ({ params, url }) => {
+	try {
+		const id = parseInt(params.id);
+		if (isNaN(id)) {
+			return json({ error: 'Invalid repository ID' }, { status: 400 });
+		}
+
+		const repository = await getGitRepository(id);
+		if (!repository) {
+			return json({ error: 'Repository not found' }, { status: 404 });
+		}
+
+		if (!repository.webhookEnabled) {
+			return json({ error: 'Webhook is not enabled for this repository' }, { status: 403 });
+		}
+
+		// Verify secret via query parameter for GET requests
+		const secret = url.searchParams.get('secret');
+		if (repository.webhookSecret && secret !== repository.webhookSecret) {
+			return json({ error: 'Invalid webhook secret' }, { status: 401 });
+		}
+
+		// Deploy from repository
+		const result = await deployFromRepository(id);
+		return json(result);
+	} catch (error: any) {
+		console.error('Webhook GET error:', error);
+		return json({ success: false, error: error.message }, { status: 500 });
+	}
+};