feat(builder): add HTMX dashboard, hivemind integration, and robust enum parsing

README.md

@@ -1,108 +1,252 @@
 ---
-title: Builder
+title: HF Builder
 sdk: docker
 pinned: false
 ---
 
-# Kaniko Image Builder
+# HF Builder
 
-Daemonless Docker image builder using Kaniko. Builds and pushes images to GHCR without requiring Docker daemon access.
+Daemonless Docker image builder for HuggingFace Spaces using [Kaniko](https://github.com/GoogleContainerTools/kaniko).
+
+## Features
+
+- **Build Tracking**: Unique build IDs, history, and metrics
+- **GitHub Webhooks**: Automatic builds on push with signature verification
+- **Notifications**: Slack, Discord, and custom webhook notifications
+- **Observability**: OpenTelemetry tracing, Prometheus metrics, structured logging
+- **Status Badge**: SVG badge for READMEs
+- **Request Tracing**: Trace IDs through logs and responses
+- **HTMX Dashboard**: Real-time web interface with live updates
+- **Hivemind Integration**: Connect to hivemind controller for distributed builds
+- **Task Runner**: go-task automation for common operations
+
+## Quick Start
+
+```bash
+# Install go-task
+brew install go-task
+
+# Run locally
+task dev
+
+# Check status
+task status
+
+# Trigger a build
+task build REPO_URL=https://github.com/owner/repo IMAGE=owner/repo
+```
 
 ## Configuration
 
-Set these as HuggingFace Secrets:
+### Core Settings
 
-| Secret | Required | Description |
-|--------|----------|-------------|
-| `REGISTRY_USER` | Yes | GitHub username |
-| `REGISTRY_PASSWORD` | Yes | GitHub PAT with `packages:write` scope |
-| `GITHUB_TOKEN` | For private repos | GitHub PAT for cloning private repositories |
-| `GITHUB_WEBHOOK_SECRET` | Recommended | Secret for validating GitHub webhook payloads |
-| `DEFAULT_IMAGE_NAME` | For webhooks | Default image name (e.g., `jonathanagustin/lawforge`) |
-| `UPSTASH_REDIS_REST_URL` | Optional | Redis URL for build queue |
-| `UPSTASH_REDIS_REST_TOKEN` | Optional | Redis token |
+| Secret | Required | Default | Description |
+|--------|----------|---------|-------------|
+| `REGISTRY_URL` | No | `ghcr.io` | Container registry URL |
+| `REGISTRY_USER` | Yes | - | Registry username |
+| `REGISTRY_PASSWORD` | Yes | - | Registry password/token |
+| `GITHUB_TOKEN` | For private | - | Token for cloning |
+| `WEBHOOK_SECRET` | Recommended | - | GitHub webhook secret |
+| `DEFAULT_IMAGE` | No | - | Default image name |
+| `BUILD_TIMEOUT` | No | `1800` | Timeout in seconds |
+| `ENABLE_CACHE` | No | `false` | Enable Kaniko cache |
 
-## Usage
+### Notifications
 
-### Via GitHub Webhook (Automatic Builds)
+| Secret | Description |
+|--------|-------------|
+| `NOTIFICATION_URL` | Generic webhook URL for build results |
+| `SLACK_WEBHOOK_URL` | Slack incoming webhook URL |
+| `DISCORD_WEBHOOK_URL` | Discord webhook URL |
+| `NOTIFY_ON` | When to notify: `all`, `failure`, `success` (default: `failure`) |
 
-Set up automatic builds when you push to your repository:
+### Observability
 
-1. Go to your GitHub repo → **Settings** → **Webhooks** → **Add webhook**
-2. **Payload URL**: `https://jonathanagustin-builder.hf.space/webhook/github`
-3. **Content type**: `application/json`
-4. **Secret**: Same value as `GITHUB_WEBHOOK_SECRET` (generate with `openssl rand -hex 32`)
-5. **Events**: Select "Just the push event"
+| Secret | Description |
+|--------|-------------|
+| `LOG_FORMAT` | `text` or `json` (default: `text`) |
+| `OTEL_EXPORTER_OTLP_ENDPOINT` | OpenTelemetry collector endpoint |
+| `OTEL_SERVICE_NAME` | Service name for traces (default: `hf-builder`) |
 
-The builder will automatically:
-- Trigger on pushes to the default branch (main/master)
-- Only build when relevant files change (Dockerfile, src/**, pyproject.toml, etc.)
-- Skip builds for non-Docker-related changes (docs, tests, etc.)
+### Hivemind Integration
 
-#### File Patterns That Trigger Builds
+| Secret | Description |
+|--------|-------------|
+| `HIVEMIND_CONTROLLER_URL` | URL of the hivemind controller (enables worker mode) |
+| `HIVEMIND_POLL_INTERVAL` | Seconds between work polls (default: `30`) |
 
-```
-Dockerfile, docker/*, src/**/*.py, pyproject.toml, uv.lock, requirements*.txt, .dockerignore
+When `HIVEMIND_CONTROLLER_URL` is set, the builder:
+1. Registers itself with the controller as a "build" worker
+2. Polls for build work items
+3. Executes builds and reports completion/failure
+4. Sends heartbeats to indicate status
+
+## Web Dashboard
+
+The builder includes a real-time HTMX-powered dashboard at the root URL showing:
+
+- **Stats**: Status, completed/failed builds, success rate
+- **Current Build**: Active build with cancel button
+- **Build History**: Recent builds with status badges
+- **New Build Form**: Trigger builds from the UI
+- **Live Logs**: Real-time log streaming
+
+All panels auto-refresh via HTMX polling.
+
+## Status Badge
+
+Add to your README:
+
+```markdown
+![Build Status](https://your-space.hf.space/badge)
 ```
 
-#### Optional Webhook Headers
+Returns an SVG badge showing: `passing`, `failing`, `building`, or `no builds`.
 
-For per-repo configuration, add custom headers to your webhook:
+## Request Tracing
 
-| Header | Description |
-|--------|-------------|
-| `X-Builder-Token` | GitHub token for cloning private repos |
-| `X-Builder-Image` | Override image name (default: repo name) |
-| `X-Builder-Tags` | Comma-separated tags (default: "latest") |
+Every request gets a trace ID:
+- Pass `X-Request-ID` or `X-Trace-ID` header, or one is auto-generated
+- Response includes `X-Trace-ID` header
+- Logs include trace ID: `[HH:MM:SS] [trace123] message`
+- JSON logs include `trace_id` field
 
-### Via Web UI
+## Notifications
 
-Navigate to the Space and use the build form.
+### Slack
 
-### Via API
+Set `SLACK_WEBHOOK_URL` to receive formatted messages:
 
-```bash
-curl -X POST https://jonathanagustin-builder.hf.space/build \
-  -H "Content-Type: application/json" \
-  -d '{
-    "repo_url": "https://github.com/owner/repo",
-    "image_name": "owner/repo",
-    "branch": "main",
+```
+✅ Build SUCCESS
+owner/repo:latest
+ID: abc123 | Duration: 180.5s | Branch: main
+```
+
+### Discord
+
+Set `DISCORD_WEBHOOK_URL` to receive embedded messages with build details.
+
+### Custom Webhook
+
+Set `NOTIFICATION_URL` or pass `callback_url` in API request. Receives JSON:
+
+```json
+{
+  "build": {
+    "id": "abc123",
+    "status": "success",
+    "image": "ghcr.io/owner/repo",
     "tags": ["latest"],
-    "dockerfile": "Dockerfile"
-  }'
+    "duration_seconds": 180.5,
+    "trace_id": "xyz789"
+  },
+  "runner_id": "runner1",
+  "registry": "ghcr.io"
+}
 ```
 
-### Via Test Endpoint
+## OpenTelemetry
 
-Trigger a build without webhook signature validation:
+Set `OTEL_EXPORTER_OTLP_ENDPOINT` to enable distributed tracing.
+
+Traces include:
+- Span per build with `build.id`, `build.image`, `build.status`
+- Errors recorded as span events
+
+Works with:
+- Jaeger
+- Grafana Tempo
+- Honeycomb
+- Any OTLP-compatible backend
+
+## Prometheus Metrics
+
+`GET /api/metrics` returns:
 
-```bash
-curl -X POST https://jonathanagustin-builder.hf.space/webhook/test \
-  -H "Content-Type: application/json" \
-  -d '{
-    "repo_url": "https://github.com/owner/repo",
-    "image_name": "owner/repo"
-  }'
+```
+# HELP hf_builder_builds_total Total builds
+# TYPE hf_builder_builds_total counter
+hf_builder_builds_total{status="success"} 42
+hf_builder_builds_total{status="failed"} 3
+
+# HELP hf_builder_build_duration_seconds Avg build duration
+# TYPE hf_builder_build_duration_seconds gauge
+hf_builder_build_duration_seconds 180.50
+
+# HELP hf_builder_success_rate Success rate
+# TYPE hf_builder_success_rate gauge
+hf_builder_success_rate 0.9333
 ```
 
-## Endpoints
+## API Endpoints
 
 | Endpoint | Method | Description |
 |----------|--------|-------------|
-| `/` | GET | Web UI |
-| `/api/status` | GET | Builder status JSON |
-| `/build` | POST | Trigger a build manually |
-| `/webhook/github` | POST | GitHub webhook endpoint |
-| `/webhook/test` | POST | Test build trigger (no signature) |
-| `/api/queue` | POST | Queue a build (requires Redis) |
-
-## How It Works
-
-1. **Webhook received**: GitHub sends push event to `/webhook/github`
-2. **Signature verified**: HMAC-SHA256 validation using `GITHUB_WEBHOOK_SECRET`
-3. **Files checked**: Only builds if Docker-relevant files changed
-4. **Repo cloned**: Uses `GITHUB_TOKEN` (or per-repo `X-Builder-Token`) for private repos
-5. **Image built**: Kaniko builds without Docker daemon
-6. **Image pushed**: Pushes to GHCR using `REGISTRY_USER`/`REGISTRY_PASSWORD`
-7. **Cleanup**: Temporary files removed
+| `/` | GET | Web dashboard (HTMX) |
+| `/health` | GET | Health check |
+| `/ready` | GET | Readiness check |
+| `/badge` | GET | SVG status badge |
+| `/api/status` | GET | Builder status |
+| `/api/metrics` | GET | Prometheus metrics |
+| `/api/history` | GET | Build history |
+| `/api/logs` | GET | Recent logs |
+| `/api/build` | POST | Trigger build |
+| `/api/build/{id}/cancel` | POST | Cancel build |
+| `/webhook/github` | POST | GitHub webhook |
+| `/webhook/test` | POST | Test endpoint |
+| `/stats-partial` | GET | Stats HTML partial |
+| `/current-partial` | GET | Current build HTML partial |
+| `/history-partial` | GET | History HTML partial |
+| `/logs-partial` | GET | Logs HTML partial |
+
+## Webhook Headers
+
+| Header | Description |
+|--------|-------------|
+| `X-Builder-Image` | Override image name |
+| `X-Builder-Tags` | Comma-separated tags |
+| `X-Builder-Token` | GitHub token |
+| `X-Builder-Platform` | Target platform |
+| `X-Builder-Args` | Build args: `K1=V1,K2=V2` |
+| `X-Builder-Callback` | Notification URL |
+
+## Task Runner
+
+The project includes a `Taskfile.yml` for [go-task](https://taskfile.dev/):
+
+```bash
+# Development
+task dev           # Run locally
+task dev:watch     # Run with auto-reload
+
+# Testing
+task lint          # Run linting
+task lint:fix      # Fix linting issues
+
+# Docker
+task docker:build  # Build Docker image
+task docker:run    # Run Docker image
+
+# API Operations
+task health        # Check health
+task status        # Get status
+task metrics       # Get metrics
+task history       # Get build history
+task logs          # Get recent logs
+
+# Build Operations
+task build REPO_URL=... IMAGE=...  # Trigger a build
+task build:cancel BUILD_ID=...     # Cancel a build
+
+# Hivemind
+task hivemind:register  # Register with controller
+task hivemind:heartbeat # Send heartbeat
+
+# Deployment
+task deploy:hf     # Deploy to HuggingFace
+```
+
+## License
+
+MIT

Taskfile.yml

@@ -0,0 +1,210 @@
+version: '3'
+
+vars:
+  REGISTRY: '{{.REGISTRY | default "ghcr.io"}}'
+  IMAGE_NAME: '{{.IMAGE_NAME | default "hf-builder"}}'
+
+tasks:
+  default:
+    desc: Show available tasks
+    cmds:
+      - task --list
+
+  # Development
+  dev:
+    desc: Run builder locally for development
+    env:
+      FLASK_DEBUG: "1"
+      LOG_FORMAT: text
+    cmds:
+      - python app.py
+
+  dev:watch:
+    desc: Run with auto-reload on file changes
+    deps: [check:deps]
+    cmds:
+      - watchmedo auto-restart --patterns="*.py" --recursive -- python app.py
+
+  # Testing
+  test:
+    desc: Run all tests
+    cmds:
+      - pytest tests/ -v
+
+  test:unit:
+    desc: Run unit tests only
+    cmds:
+      - pytest tests/unit/ -v
+
+  test:integration:
+    desc: Run integration tests (requires Docker)
+    cmds:
+      - pytest tests/integration/ -v
+
+  lint:
+    desc: Run linting
+    cmds:
+      - ruff check .
+      - ruff format --check .
+
+  lint:fix:
+    desc: Fix linting issues
+    cmds:
+      - ruff check --fix .
+      - ruff format .
+
+  # Docker
+  docker:build:
+    desc: Build Docker image locally
+    cmds:
+      - docker build -t {{.IMAGE_NAME}}:local .
+
+  docker:run:
+    desc: Run Docker image locally
+    deps: [docker:build]
+    env:
+      REGISTRY_URL: '{{.REGISTRY}}'
+    cmds:
+      - |
+        docker run --rm -it \
+          -p 7860:7860 \
+          -e REGISTRY_URL=$REGISTRY_URL \
+          -e REGISTRY_USER=$REGISTRY_USER \
+          -e REGISTRY_PASSWORD=$REGISTRY_PASSWORD \
+          {{.IMAGE_NAME}}:local
+
+  # Deployment
+  deploy:hf:
+    desc: Deploy to HuggingFace Space
+    vars:
+      SPACE: '{{.SPACE | default "drengskapur/hf-builder"}}'
+    cmds:
+      - echo "Deploying to {{.SPACE}}..."
+      - git push hf main
+
+  # Hivemind Integration
+  hivemind:register:
+    desc: Register this builder with hivemind controller
+    vars:
+      CONTROLLER_URL: '{{.CONTROLLER_URL | default "http://localhost:7860"}}'
+      BUILDER_ID: '{{.BUILDER_ID | default "builder-1"}}'
+    cmds:
+      - |
+        curl -X POST {{.CONTROLLER_URL}}/api/register \
+          -H "Content-Type: application/json" \
+          -d '{"worker_id": "{{.BUILDER_ID}}", "name": "Builder {{.BUILDER_ID}}", "capabilities": ["build"]}'
+
+  hivemind:heartbeat:
+    desc: Send heartbeat to hivemind controller
+    vars:
+      CONTROLLER_URL: '{{.CONTROLLER_URL | default "http://localhost:7860"}}'
+      BUILDER_ID: '{{.BUILDER_ID | default "builder-1"}}'
+    cmds:
+      - |
+        curl -X POST {{.CONTROLLER_URL}}/api/heartbeat \
+          -H "Content-Type: application/json" \
+          -d '{"worker_id": "{{.BUILDER_ID}}", "status": "idle"}'
+
+  # Health checks
+  health:
+    desc: Check builder health
+    vars:
+      URL: '{{.URL | default "http://localhost:7860"}}'
+    cmds:
+      - curl -s {{.URL}}/health | jq .
+
+  status:
+    desc: Get builder status
+    vars:
+      URL: '{{.URL | default "http://localhost:7860"}}'
+    cmds:
+      - curl -s {{.URL}}/api/status | jq .
+
+  metrics:
+    desc: Get Prometheus metrics
+    vars:
+      URL: '{{.URL | default "http://localhost:7860"}}'
+    cmds:
+      - curl -s {{.URL}}/api/metrics
+
+  history:
+    desc: Get build history
+    vars:
+      URL: '{{.URL | default "http://localhost:7860"}}'
+    cmds:
+      - curl -s {{.URL}}/api/history | jq .
+
+  logs:
+    desc: Get recent logs
+    vars:
+      URL: '{{.URL | default "http://localhost:7860"}}'
+    cmds:
+      - curl -s {{.URL}}/api/logs | jq -r '.logs[]'
+
+  # Build triggers
+  build:
+    desc: Trigger a build via API
+    vars:
+      URL: '{{.URL | default "http://localhost:7860"}}'
+    requires:
+      vars: [REPO_URL, IMAGE]
+    cmds:
+      - |
+        curl -X POST {{.URL}}/api/build \
+          -H "Content-Type: application/json" \
+          -d '{
+            "repo_url": "{{.REPO_URL}}",
+            "image_name": "{{.IMAGE}}",
+            "branch": "{{.BRANCH | default "main"}}",
+            "tags": ["{{.TAG | default "latest"}}"]
+          }'
+
+  build:cancel:
+    desc: Cancel a running build
+    vars:
+      URL: '{{.URL | default "http://localhost:7860"}}'
+    requires:
+      vars: [BUILD_ID]
+    cmds:
+      - curl -X POST {{.URL}}/api/build/{{.BUILD_ID}}/cancel
+
+  # Webhook testing
+  webhook:test:
+    desc: Send a test webhook
+    vars:
+      URL: '{{.URL | default "http://localhost:7860"}}'
+    requires:
+      vars: [REPO_URL, IMAGE]
+    cmds:
+      - |
+        curl -X POST {{.URL}}/webhook/test \
+          -H "Content-Type: application/json" \
+          -d '{
+            "repo_url": "{{.REPO_URL}}",
+            "image_name": "{{.IMAGE}}",
+            "branch": "{{.BRANCH | default "main"}}"
+          }'
+
+  # Dependency management
+  deps:
+    desc: Install dependencies
+    cmds:
+      - pip install -r requirements.txt
+
+  deps:dev:
+    desc: Install dev dependencies
+    cmds:
+      - pip install -r requirements.txt pytest ruff watchdog
+
+  check:deps:
+    desc: Check if dependencies are installed
+    cmds:
+      - python -c "import flask; import git; import requests"
+    silent: true
+
+  # Cleanup
+  clean:
+    desc: Clean up temporary files
+    cmds:
+      - rm -rf __pycache__ .pytest_cache .ruff_cache
+      - find . -name "*.pyc" -delete

app.py

@@ -1,560 +1,1132 @@
 #!/usr/bin/env python3
-"""Docker image builder using Kaniko - no Docker daemon required.
-
-Builds Docker images and pushes to container registries (GHCR, Docker Hub, etc.)
-Can be triggered via API, GitHub webhooks, or run builds from a queue in Redis.
-
-Environment variables:
-  - REGISTRY_USER: Registry username (e.g., GitHub username for GHCR)
-  - REGISTRY_PASSWORD: Registry password/token (e.g., GitHub PAT with packages:write)
-  - REGISTRY_URL: Registry URL (default: ghcr.io)
-  - GITHUB_TOKEN: GitHub token for cloning private repos
-  - GITHUB_WEBHOOK_SECRET: Secret for validating GitHub webhook payloads
-  - UPSTASH_REDIS_REST_URL: Redis URL for build queue
-  - UPSTASH_REDIS_REST_TOKEN: Redis token
-
-Webhook setup:
-  1. Go to your GitHub repo → Settings → Webhooks → Add webhook
-  2. Payload URL: https://your-space.hf.space/webhook/github
-  3. Content type: application/json
-  4. Secret: Same value as GITHUB_WEBHOOK_SECRET
-  5. Events: Just the push event
+"""HF Builder - Daemonless Docker image builder using Kaniko.
+
+A HuggingFace Space that builds and pushes Docker images without requiring
+Docker daemon access. Supports GitHub webhooks for automatic builds.
+
+Features:
+- Build tracking with unique IDs and history
+- GitHub webhook integration with signature verification
+- Notification webhooks for build completion
+- Health/readiness endpoints for orchestration
+- Configurable build timeouts
+- Metrics tracking (duration, success rate)
+- OpenTelemetry tracing support
+- Slack/Discord notifications
+- Status badges
+
+Environment Variables:
+    # Registry
+    REGISTRY_URL: Container registry URL (default: ghcr.io)
+    REGISTRY_USER: Registry username
+    REGISTRY_PASSWORD: Registry password/token
+
+    # GitHub
+    GITHUB_TOKEN: Token for cloning private repositories
+    WEBHOOK_SECRET: Secret for validating GitHub webhook signatures
+
+    # Build
+    DEFAULT_IMAGE: Default image name for webhook builds
+    BUILD_TIMEOUT: Build timeout in seconds (default: 1800 = 30 min)
+    ENABLE_CACHE: Enable Kaniko cache (default: false)
+
+    # Notifications
+    NOTIFICATION_URL: URL to POST build results to
+    SLACK_WEBHOOK_URL: Slack webhook for notifications
+    DISCORD_WEBHOOK_URL: Discord webhook for notifications
+    NOTIFY_ON: When to notify: "all", "failure", "success" (default: failure)
+
+    # Observability (all open source)
+    LOG_FORMAT: Log format - "text" or "json" (default: text)
+    OTEL_EXPORTER_OTLP_ENDPOINT: OpenTelemetry collector endpoint (Jaeger, Tempo, etc.)
+    OTEL_SERVICE_NAME: Service name for traces (default: hf-builder)
 """
 
+from __future__ import annotations
+
+import base64
+import contextvars
 import fnmatch
 import hashlib
 import hmac
 import json
 import os
+import re
 import shutil
 import subprocess
 import tempfile
 import threading
 import time
+import traceback
 import uuid
+from collections import deque
+from dataclasses import dataclass, field
 from datetime import datetime, timezone
+from enum import Enum
 from pathlib import Path
+from typing import Any, Callable
+from urllib.parse import urlparse
+
+from flask import Flask, abort, jsonify, render_template_string, request, Response, g
+import requests as http_requests
+
+# Trace ID context variable for request tracing
+trace_id_var: contextvars.ContextVar[str] = contextvars.ContextVar("trace_id", default="")
+
+# =============================================================================
+# Optional: OpenTelemetry
+# =============================================================================
+
+_tracer = None
+_meter = None
+
+def init_telemetry():
+    """Initialize OpenTelemetry if configured."""
+    global _tracer, _meter
+
+    endpoint = os.getenv("OTEL_EXPORTER_OTLP_ENDPOINT")
+    if not endpoint:
+        return
+
+    try:
+        from opentelemetry import trace, metrics
+        from opentelemetry.sdk.trace import TracerProvider
+        from opentelemetry.sdk.trace.export import BatchSpanProcessor
+        from opentelemetry.sdk.metrics import MeterProvider
+        from opentelemetry.sdk.metrics.export import PeriodicExportingMetricReader
+        from opentelemetry.exporter.otlp.proto.grpc.trace_exporter import OTLPSpanExporter
+        from opentelemetry.exporter.otlp.proto.grpc.metric_exporter import OTLPMetricExporter
+        from opentelemetry.sdk.resources import Resource
+
+        service_name = os.getenv("OTEL_SERVICE_NAME", "hf-builder")
+        resource = Resource.create({"service.name": service_name})
+
+        # Tracing
+        trace_provider = TracerProvider(resource=resource)
+        trace_provider.add_span_processor(BatchSpanProcessor(OTLPSpanExporter(endpoint=endpoint)))
+        trace.set_tracer_provider(trace_provider)
+        _tracer = trace.get_tracer(__name__)
+
+        # Metrics
+        metric_reader = PeriodicExportingMetricReader(OTLPMetricExporter(endpoint=endpoint))
+        metrics.set_meter_provider(MeterProvider(resource=resource, metric_readers=[metric_reader]))
+        _meter = metrics.get_meter(__name__)
+
+        print(f"[OTEL] Initialized: {endpoint}")
+    except ImportError:
+        print("[OTEL] opentelemetry packages not installed")
+    except Exception as e:
+        print(f"[OTEL] Failed to initialize: {e}")
+
+
+def get_tracer():
+    return _tracer
+
+
+def get_meter():
+    return _meter
 
-from flask import Flask, jsonify, render_template_string, request, abort
-import git
 
 # =============================================================================
 # Configuration
 # =============================================================================
 
-RUNNER_ID = os.environ.get("RUNNER_ID", str(uuid.uuid4())[:8])
-RUNNER_NAME = os.environ.get("RUNNER_NAME", f"Builder {RUNNER_ID}")
-REGISTRY_URL = os.environ.get("REGISTRY_URL", "ghcr.io")
-REGISTRY_USER = os.environ.get("REGISTRY_USER", "")
-REGISTRY_PASSWORD = os.environ.get("REGISTRY_PASSWORD", "")
-GITHUB_TOKEN = os.environ.get("GITHUB_TOKEN", "")  # For cloning private repos
-GITHUB_WEBHOOK_SECRET = os.environ.get("GITHUB_WEBHOOK_SECRET", "")  # For webhook validation
-AUTO_START = os.environ.get("AUTO_START", "false").lower() == "true"
-
-# Default image name for webhook-triggered builds (owner/repo format)
-DEFAULT_IMAGE_NAME = os.environ.get("DEFAULT_IMAGE_NAME", "")
-
-# File patterns that should trigger a Docker rebuild when changed
-# Uses glob-style patterns
-BUILD_TRIGGER_PATTERNS = [
-    "Dockerfile",
-    "docker/*",
-    "docker/**/*",
-    "src/**/*.py",
-    "pyproject.toml",
-    "uv.lock",
-    "requirements*.txt",
-    ".dockerignore",
-]
-
-# Global state
-state = {
-    "status": "idle",
-    "current_build": None,
-    "builds_completed": 0,
-    "builds_failed": 0,
-    "last_build": None,
-    "logs": [],
-    "redis_connected": False,
-}
-state_lock = threading.Lock()
 
-app = Flask(__name__)
-redis_client = None
+class LogFormat(Enum):
+    TEXT = "text"
+    JSON = "json"
+
+
+class NotifyOn(Enum):
+    ALL = "all"
+    FAILURE = "failure"
+    SUCCESS = "success"
+
+
+@dataclass
+class Config:
+    """Application configuration from environment variables."""
+
+    registry_url: str = field(default_factory=lambda: os.getenv("REGISTRY_URL", "ghcr.io"))
+    registry_user: str = field(default_factory=lambda: os.getenv("REGISTRY_USER", ""))
+    registry_password: str = field(default_factory=lambda: os.getenv("REGISTRY_PASSWORD", ""))
+    github_token: str = field(default_factory=lambda: os.getenv("GITHUB_TOKEN", ""))
+    webhook_secret: str = field(default_factory=lambda: os.getenv("WEBHOOK_SECRET", ""))
+    default_image: str = field(default_factory=lambda: os.getenv("DEFAULT_IMAGE", ""))
+    runner_id: str = field(default_factory=lambda: os.getenv("RUNNER_ID", str(uuid.uuid4())[:8]))
+    build_timeout: int = field(default_factory=lambda: int(os.getenv("BUILD_TIMEOUT", "1800")))
+    enable_cache: bool = field(default_factory=lambda: os.getenv("ENABLE_CACHE", "").lower() == "true")
+    notification_url: str = field(default_factory=lambda: os.getenv("NOTIFICATION_URL", ""))
+    slack_webhook_url: str = field(default_factory=lambda: os.getenv("SLACK_WEBHOOK_URL", ""))
+    discord_webhook_url: str = field(default_factory=lambda: os.getenv("DISCORD_WEBHOOK_URL", ""))
+    notify_on: NotifyOn = field(default_factory=lambda: NotifyOn(os.getenv("NOTIFY_ON", "failure").lower()) if os.getenv("NOTIFY_ON", "failure").lower() in ("all", "failure", "success") else NotifyOn.FAILURE)
+    log_format: LogFormat = field(default_factory=lambda: LogFormat(os.getenv("LOG_FORMAT", "text").lower()) if os.getenv("LOG_FORMAT", "text").lower() in ("text", "json") else LogFormat.TEXT)
+    max_history: int = field(default_factory=lambda: int(os.getenv("MAX_HISTORY", "50")))
+
+    build_patterns: list[str] = field(default_factory=lambda: [
+        "Dockerfile", "Dockerfile.*", "docker/*", "docker/**/*",
+        "src/**/*.py", "pyproject.toml", "uv.lock", "requirements*.txt", ".dockerignore",
+    ])
+
+
+# =============================================================================
+# Build Models
+# =============================================================================
 
 
-def log(msg: str):
-    """Thread-safe logging."""
-    with state_lock:
-        ts = datetime.now().strftime("%H:%M:%S")
-        state["logs"].append(f"[{ts}] {msg}")
-        if len(state["logs"]) > 200:
-            state["logs"] = state["logs"][-200:]
-    print(f"[{ts}] {msg}")
+class BuildStatus(Enum):
+    PENDING = "pending"
+    RUNNING = "running"
+    SUCCESS = "success"
+    FAILED = "failed"
+    CANCELLED = "cancelled"
+    TIMEOUT = "timeout"
+
+
+@dataclass
+class BuildConfig:
+    """Configuration for a single build."""
+    repo_url: str
+    image_name: str
+    branch: str = "main"
+    dockerfile: str = "Dockerfile"
+    context_path: str = "."
+    tags: list[str] = field(default_factory=lambda: ["latest"])
+    build_args: dict[str, str] = field(default_factory=dict)
+    github_token: str | None = None
+    platform: str | None = None
+    trigger: str = "api"
+    callback_url: str | None = None
+
+
+@dataclass
+class Build:
+    """A build with tracking information."""
+    id: str
+    config: BuildConfig
+    status: BuildStatus = BuildStatus.PENDING
+    started_at: str | None = None
+    completed_at: str | None = None
+    duration_seconds: float | None = None
+    exit_code: int | None = None
+    error: str | None = None
+    trace_id: str | None = None
+
+    def to_dict(self) -> dict[str, Any]:
+        return {
+            "id": self.id,
+            "status": self.status.value,
+            "image": f"{config.registry_url}/{self.config.image_name}",
+            "tags": self.config.tags,
+            "branch": self.config.branch,
+            "trigger": self.config.trigger,
+            "started_at": self.started_at,
+            "completed_at": self.completed_at,
+            "duration_seconds": self.duration_seconds,
+            "exit_code": self.exit_code,
+            "error": self.error,
+            "trace_id": self.trace_id,
+        }
 
 
 # =============================================================================
-# Redis Integration
+# State Management
 # =============================================================================
 
-def init_redis():
-    """Initialize Redis for build queue."""
-    global redis_client
 
-    redis_url = os.environ.get("UPSTASH_REDIS_REST_URL", "")
-    redis_token = os.environ.get("UPSTASH_REDIS_REST_TOKEN", "")
+class BuildState:
+    """Thread-safe build state manager with history."""
+
+    def __init__(self, max_history: int = 50) -> None:
+        self._lock = threading.Lock()
+        self._current: Build | None = None
+        self._history: deque[Build] = deque(maxlen=max_history)
+        self._logs: deque[str] = deque(maxlen=500)
+        self._completed = 0
+        self._failed = 0
+        self._total_duration = 0.0
+        self._process: subprocess.Popen | None = None
+        self._ready = False
+        self._last_success_at: str | None = None
+        self._last_failure_at: str | None = None
+
+    def log(self, msg: str, level: str = "info", **extra: Any) -> None:
+        """Add a log message with optional trace ID."""
+        ts = datetime.now(timezone.utc)
+        ts_str = ts.strftime("%H:%M:%S")
+        trace_id = trace_id_var.get() or extra.get("trace_id", "")
+
+        if config.log_format == LogFormat.JSON:
+            log_entry = {
+                "ts": ts.isoformat(),
+                "level": level,
+                "msg": msg,
+                "runner": config.runner_id,
+                "trace_id": trace_id,
+                **{k: v for k, v in extra.items() if k != "trace_id"},
+            }
+            print(json.dumps(log_entry))
+            with self._lock:
+                self._logs.append(json.dumps(log_entry))
+        else:
+            prefix = f"[{ts_str}]"
+            if trace_id:
+                prefix += f" [{trace_id[:8]}]"
+            formatted = f"{prefix} {msg}"
+            print(formatted)
+            with self._lock:
+                self._logs.append(formatted)
+
+    def start_build(self, build: Build) -> None:
+        with self._lock:
+            build.status = BuildStatus.RUNNING
+            build.started_at = datetime.now(timezone.utc).isoformat()
+            build.trace_id = trace_id_var.get()
+            self._current = build
+
+    def finish_build(self, build: Build, status: BuildStatus, exit_code: int | None = None, error: str | None = None) -> None:
+        with self._lock:
+            build.status = status
+            build.completed_at = datetime.now(timezone.utc).isoformat()
+            build.exit_code = exit_code
+            build.error = error
+
+            if build.started_at:
+                start = datetime.fromisoformat(build.started_at)
+                end = datetime.fromisoformat(build.completed_at)
+                build.duration_seconds = (end - start).total_seconds()
+                self._total_duration += build.duration_seconds
+
+            if status == BuildStatus.SUCCESS:
+                self._completed += 1
+                self._last_success_at = build.completed_at
+            else:
+                self._failed += 1
+                self._last_failure_at = build.completed_at
+
+            self._history.appendleft(build)
+            self._current = None
+            self._process = None
+
+    def set_process(self, process: subprocess.Popen) -> None:
+        with self._lock:
+            self._process = process
+
+    def cancel_current(self) -> bool:
+        with self._lock:
+            if self._process and self._current:
+                try:
+                    self._process.terminate()
+                    return True
+                except Exception:
+                    return False
+        return False
 
-    if not redis_url or not redis_token:
-        log("Redis not configured - queue mode disabled")
-        return None
+    def set_ready(self, ready: bool = True) -> None:
+        with self._lock:
+            self._ready = ready
+
+    @property
+    def is_ready(self) -> bool:
+        with self._lock:
+            return self._ready
+
+    @property
+    def is_building(self) -> bool:
+        with self._lock:
+            return self._current is not None
+
+    @property
+    def current_build(self) -> Build | None:
+        with self._lock:
+            return self._current
+
+    @property
+    def logs(self) -> list[str]:
+        with self._lock:
+            return list(self._logs)[-100:]
+
+    def get_metrics(self) -> dict[str, Any]:
+        with self._lock:
+            total = self._completed + self._failed
+            return {
+                "builds_completed": self._completed,
+                "builds_failed": self._failed,
+                "builds_total": total,
+                "success_rate": self._completed / total if total > 0 else 0,
+                "avg_duration_seconds": self._total_duration / total if total > 0 else 0,
+                "last_success_at": self._last_success_at,
+                "last_failure_at": self._last_failure_at,
+            }
+
+    def get_history(self, limit: int = 10) -> list[dict]:
+        with self._lock:
+            return [b.to_dict() for b in list(self._history)[:limit]]
+
+    def to_dict(self) -> dict[str, Any]:
+        with self._lock:
+            return {
+                "status": "building" if self._current else "idle",
+                "current_build": self._current.to_dict() if self._current else None,
+                **self.get_metrics(),
+            }
 
-    try:
-        from upstash_redis import Redis
-        redis_client = Redis.from_env()
-        redis_client.ping()
-        with state_lock:
-            state["redis_connected"] = True
-        log("✓ Redis connected - queue mode enabled")
-        return redis_client
-    except Exception as e:
-        log(f"Redis connection failed: {e}")
-        return None
 
+# =============================================================================
+# Notifications
+# =============================================================================
 
-def get_next_build():
-    """Get next build from Redis queue."""
-    if not redis_client:
-        return None
 
-    try:
-        # Pop from build queue
-        build_json = redis_client.lpop("builds:queue")
-        if build_json:
-            return json.loads(build_json)
-    except Exception as e:
-        log(f"Queue error: {e}")
-    return None
+class Notifier:
+    """Send notifications to various channels."""
 
+    def __init__(self, cfg: Config, state: BuildState) -> None:
+        self.config = cfg
+        self.state = state
 
-def queue_build(build_config: dict) -> str:
-    """Add a build to the queue."""
-    build_id = str(uuid.uuid4())[:8]
-    build_config["id"] = build_id
-    build_config["queued_at"] = datetime.now(timezone.utc).isoformat()
+    def should_notify(self, status: BuildStatus) -> bool:
+        if self.config.notify_on == NotifyOn.ALL:
+            return True
+        if self.config.notify_on == NotifyOn.FAILURE and status not in (BuildStatus.SUCCESS,):
+            return True
+        if self.config.notify_on == NotifyOn.SUCCESS and status == BuildStatus.SUCCESS:
+            return True
+        return False
+
+    def notify(self, build: Build) -> None:
+        """Send notifications for a completed build."""
+        if not self.should_notify(build.status):
+            return
+
+        # Generic webhook
+        if self.config.notification_url or build.config.callback_url:
+            self._send_webhook(build)
 
-    if redis_client:
+        # Slack
+        if self.config.slack_webhook_url:
+            self._send_slack(build)
+
+        # Discord
+        if self.config.discord_webhook_url:
+            self._send_discord(build)
+
+    def _send_webhook(self, build: Build) -> None:
+        url = build.config.callback_url or self.config.notification_url
+        if not url:
+            return
         try:
-            redis_client.rpush("builds:queue", json.dumps(build_config))
-            log(f"Build {build_id} queued")
+            payload = {
+                "build": build.to_dict(),
+                "runner_id": self.config.runner_id,
+                "registry": self.config.registry_url,
+            }
+            http_requests.post(url, json=payload, timeout=10)
+            self.state.log(f"Notification sent to webhook", trace_id=build.trace_id)
         except Exception as e:
-            log(f"Failed to queue build: {e}")
-    return build_id
+            self.state.log(f"Webhook notification failed: {e}", level="warn")
+
+    def _send_slack(self, build: Build) -> None:
+        try:
+            color = "#22c55e" if build.status == BuildStatus.SUCCESS else "#ef4444"
+            status_emoji = ":white_check_mark:" if build.status == BuildStatus.SUCCESS else ":x:"
+
+            payload = {
+                "attachments": [{
+                    "color": color,
+                    "blocks": [
+                        {
+                            "type": "section",
+                            "text": {
+                                "type": "mrkdwn",
+                                "text": f"{status_emoji} *Build {build.status.value.upper()}*\n`{build.config.image_name}:{build.config.tags[0]}`"
+                            }
+                        },
+                        {
+                            "type": "context",
+                            "elements": [
+                                {"type": "mrkdwn", "text": f"*ID:* {build.id}"},
+                                {"type": "mrkdwn", "text": f"*Duration:* {build.duration_seconds:.1f}s" if build.duration_seconds else ""},
+                                {"type": "mrkdwn", "text": f"*Branch:* {build.config.branch}"},
+                            ]
+                        }
+                    ]
+                }]
+            }
+
+            if build.error:
+                payload["attachments"][0]["blocks"].append({
+                    "type": "section",
+                    "text": {"type": "mrkdwn", "text": f"```{build.error[:500]}```"}
+                })
+
+            http_requests.post(self.config.slack_webhook_url, json=payload, timeout=10)
+            self.state.log("Slack notification sent", trace_id=build.trace_id)
+        except Exception as e:
+            self.state.log(f"Slack notification failed: {e}", level="warn")
+
+    def _send_discord(self, build: Build) -> None:
+        try:
+            color = 0x22c55e if build.status == BuildStatus.SUCCESS else 0xef4444
+
+            embed = {
+                "title": f"Build {build.status.value.upper()}",
+                "color": color,
+                "fields": [
+                    {"name": "Image", "value": f"`{build.config.image_name}:{build.config.tags[0]}`", "inline": True},
+                    {"name": "Branch", "value": build.config.branch, "inline": True},
+                    {"name": "Build ID", "value": build.id, "inline": True},
+                ],
+                "timestamp": build.completed_at,
+            }
+
+            if build.duration_seconds:
+                embed["fields"].append({"name": "Duration", "value": f"{build.duration_seconds:.1f}s", "inline": True})
+
+            if build.error:
+                embed["fields"].append({"name": "Error", "value": f"```{build.error[:500]}```", "inline": False})
+
+            http_requests.post(self.config.discord_webhook_url, json={"embeds": [embed]}, timeout=10)
+            self.state.log("Discord notification sent", trace_id=build.trace_id)
+        except Exception as e:
+            self.state.log(f"Discord notification failed: {e}", level="warn")
 
 
 # =============================================================================
-# Docker Registry Auth
+# Validation
 # =============================================================================
 
-def setup_registry_auth():
-    """Configure Kaniko registry authentication."""
-    if not REGISTRY_USER or not REGISTRY_PASSWORD:
-        log("⚠️ Registry credentials not configured")
-        return False
 
-    # Create Docker config for Kaniko
-    docker_config_dir = Path("/kaniko/.docker")
-    docker_config_dir.mkdir(parents=True, exist_ok=True)
+def validate_url(url: str) -> tuple[bool, str]:
+    if not url:
+        return False, "URL is required"
+    try:
+        parsed = urlparse(url)
+        if parsed.scheme not in ("https", "http"):
+            return False, "URL must use https or http"
+        if not parsed.netloc:
+            return False, "Invalid URL format"
+        return True, ""
+    except Exception as e:
+        return False, f"Invalid URL: {e}"
 
-    import base64
-    auth = base64.b64encode(f"{REGISTRY_USER}:{REGISTRY_PASSWORD}".encode()).decode()
 
-    config = {
-        "auths": {
-            REGISTRY_URL: {"auth": auth},
-            f"https://{REGISTRY_URL}": {"auth": auth},
-        }
-    }
+def validate_image_name(name: str) -> tuple[bool, str]:
+    if not name:
+        return False, "Image name is required"
+    pattern = r"^[a-z0-9][a-z0-9._-]*/[a-z0-9][a-z0-9._-]*$"
+    if not re.match(pattern, name.lower()):
+        return False, "Image name must be in owner/repo format"
+    return True, ""
+
 
-    config_path = docker_config_dir / "config.json"
-    with open(config_path, "w") as f:
-        json.dump(config, f)
+def validate_tags(tags: list[str]) -> tuple[bool, str]:
+    if not tags:
+        return False, "At least one tag is required"
+    pattern = r"^[a-zA-Z0-9][a-zA-Z0-9._-]*$"
+    for tag in tags:
+        if not re.match(pattern, tag) or len(tag) > 128:
+            return False, f"Invalid tag: {tag}"
+    return True, ""
 
-    log(f"✓ Registry auth configured for {REGISTRY_URL}")
-    return True
+
+def mask_token(text: str, token: str | None) -> str:
+    if token and token in text:
+        return text.replace(token, "***")
+    return text
 
 
 # =============================================================================
-# Build Logic
+# Builder
 # =============================================================================
 
-def clone_repo(repo_url: str, branch: str = "main", target_dir: Path = None, github_token: str = None) -> Path:
-    """Clone a git repository, with optional GitHub token for private repos."""
-    if target_dir is None:
-        target_dir = Path(tempfile.mkdtemp())
 
-    # Use GitHub token if provided or from env, for private repos
-    token = github_token or GITHUB_TOKEN
-    auth_url = repo_url
+class KanikoBuilder:
+    def __init__(self, cfg: Config, state: BuildState, notifier: Notifier) -> None:
+        self.config = cfg
+        self.state = state
+        self.notifier = notifier
 
-    if token and "github.com" in repo_url:
-        # Insert token into URL for auth: https://TOKEN@github.com/...
-        auth_url = repo_url.replace("https://github.com", f"https://{token}@github.com")
-        log(f"Cloning {repo_url} ({branch}) [authenticated]...")
-    else:
-        log(f"Cloning {repo_url} ({branch})...")
+    def setup_registry_auth(self) -> bool:
+        if not self.config.registry_user or not self.config.registry_password:
+            self.state.log("Registry credentials not configured", level="warn")
+            return False
 
-    try:
-        git.Repo.clone_from(
-            auth_url,
-            target_dir,
-            branch=branch,
-            depth=1,
-            single_branch=True
-        )
-        log(f"✓ Cloned to {target_dir}")
-        return target_dir
-    except Exception as e:
-        log(f"✗ Clone failed: {e}")
-        raise
+        docker_config_dir = Path("/kaniko/.docker")
+        docker_config_dir.mkdir(parents=True, exist_ok=True)
 
+        auth = base64.b64encode(
+            f"{self.config.registry_user}:{self.config.registry_password}".encode()
+        ).decode()
 
-def build_and_push(
-    context_dir: str,
-    image_name: str,
-    dockerfile: str = "Dockerfile",
-    tags: list = None,
-    build_args: dict = None,
-) -> bool:
-    """Build Docker image using Kaniko and push to registry.
+        auth_config = {
+            "auths": {
+                self.config.registry_url: {"auth": auth},
+                f"https://{self.config.registry_url}": {"auth": auth},
+            }
+        }
 
-    Uses tar context to avoid Kaniko's 'failed to get files used from context'
-    bug with multi-stage Dockerfiles that use FROM <previous_stage>.
-    """
+        (docker_config_dir / "config.json").write_text(json.dumps(auth_config))
+        self.state.log(f"Registry auth configured for {self.config.registry_url}")
+        return True
 
-    if tags is None:
-        tags = ["latest"]
+    def clone_repo(self, build_config: BuildConfig) -> Path:
+        target_dir = Path(tempfile.mkdtemp())
+        token = build_config.github_token or self.config.github_token
+        repo_url = build_config.repo_url
 
-    full_image = f"{REGISTRY_URL}/{image_name}"
+        if token and "github.com" in repo_url:
+            repo_url = repo_url.replace("https://github.com", f"https://{token}@github.com")
+            self.state.log(f"Cloning {build_config.repo_url} ({build_config.branch}) [authenticated]")
+        else:
+            self.state.log(f"Cloning {build_config.repo_url} ({build_config.branch})")
 
-    log(f"Building {full_image}...")
-    log(f"  Context: {context_dir}")
-    log(f"  Dockerfile: {dockerfile}")
-    log(f"  Tags: {tags}")
+        try:
+            import git
+            git.Repo.clone_from(repo_url, target_dir, branch=build_config.branch, depth=1, single_branch=True)
+            self.state.log(f"Cloned to {target_dir}")
+            return target_dir
+        except Exception as e:
+            error_msg = mask_token(str(e), token)
+            self.state.log(f"Clone failed: {error_msg}", level="error")
+            raise RuntimeError(f"Clone failed: {error_msg}")
 
-    with state_lock:
-        state["status"] = "building"
-        state["current_build"] = {
-            "image": full_image,
-            "tags": tags,
-            "started_at": datetime.now(timezone.utc).isoformat(),
-        }
+    def build_and_push(self, build: Build) -> bool:
+        # Set trace ID for this build
+        trace_id_var.set(build.id)
 
-    # Create tar of context - this avoids Kaniko's dir:// context resolution bug
-    # that causes "failed to get files used from context" on multi-stage builds
-    tar_path = f"{context_dir}.tar.gz"
-    log(f"Creating tar context: {tar_path}")
-    try:
-        tar_result = subprocess.run(
-            ["tar", "-czf", tar_path, "-C", context_dir, "."],
-            capture_output=True,
-            text=True,
-            timeout=120,
-        )
-        if tar_result.returncode != 0:
-            log(f"✗ Failed to create tar: {tar_result.stderr}")
+        tracer = get_tracer()
+        span = None
+        if tracer:
+            span = tracer.start_span("build_and_push")
+            span.set_attribute("build.id", build.id)
+            span.set_attribute("build.image", build.config.image_name)
+
+        build_config = build.config
+        full_image = f"{self.config.registry_url}/{build_config.image_name}"
+
+        self.state.log(f"Building {full_image}", build_id=build.id)
+        self.state.start_build(build)
+
+        tmpdir = None
+        tar_path = None
+
+        try:
+            tmpdir = self.clone_repo(build_config)
+            context_dir = str(tmpdir / build_config.context_path) if build_config.context_path != "." else str(tmpdir)
+
+            tar_path = f"{context_dir}.tar.gz"
+            self.state.log("Creating tar context")
+            subprocess.run(["tar", "-czf", tar_path, "-C", context_dir, "."], capture_output=True, check=True, timeout=120)
+
+            cmd = [
+                "/kaniko/executor",
+                f"--context=tar://{tar_path}",
+                f"--dockerfile={build_config.dockerfile}",
+            ]
+
+            for tag in build_config.tags:
+                cmd.append(f"--destination={full_image}:{tag}")
+
+            for key, value in build_config.build_args.items():
+                cmd.append(f"--build-arg={key}={value}")
+
+            if build_config.platform:
+                cmd.append(f"--custom-platform={build_config.platform}")
+
+            cmd.extend([
+                f"--cache={'true' if self.config.enable_cache else 'false'}",
+                "--reproducible",
+                "--ignore-path=/product_uuid",
+                "--ignore-path=/sys",
+                "--log-format=text",
+                "--verbosity=info",
+            ])
+
+            self.state.log("Running Kaniko")
+
+            process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True)
+            self.state.set_process(process)
+
+            def read_output():
+                for line in process.stdout:
+                    line = line.strip()
+                    if line:
+                        line = mask_token(line, self.config.github_token)
+                        line = mask_token(line, build_config.github_token)
+                        self.state.log(f"  {line[:150]}")
+
+            output_thread = threading.Thread(target=read_output, daemon=True)
+            output_thread.start()
+
+            try:
+                exit_code = process.wait(timeout=self.config.build_timeout)
+            except subprocess.TimeoutExpired:
+                process.kill()
+                self.state.log(f"Build timed out after {self.config.build_timeout}s", level="error")
+                self.state.finish_build(build, BuildStatus.TIMEOUT, error="Build timeout")
+                self.notifier.notify(build)
+                if span:
+                    span.set_attribute("build.status", "timeout")
+                    span.end()
+                return False
+
+            output_thread.join(timeout=5)
+
+            if exit_code == 0:
+                self.state.log(f"Build successful: {full_image}")
+                self.state.finish_build(build, BuildStatus.SUCCESS, exit_code=0)
+                if span:
+                    span.set_attribute("build.status", "success")
+            else:
+                self.state.log(f"Build failed with exit code {exit_code}", level="error")
+                self.state.finish_build(build, BuildStatus.FAILED, exit_code=exit_code)
+                if span:
+                    span.set_attribute("build.status", "failed")
+
+            self.notifier.notify(build)
+            if span:
+                span.end()
+            return exit_code == 0
+
+        except Exception as e:
+            error_msg = mask_token(str(e), self.config.github_token)
+            error_msg = mask_token(error_msg, build_config.github_token)
+            self.state.log(f"Build error: {error_msg}", level="error")
+            self.state.finish_build(build, BuildStatus.FAILED, error=error_msg)
+            self.notifier.notify(build)
+            if span:
+                span.set_attribute("build.status", "error")
+                span.record_exception(e)
+                span.end()
             return False
-        log(f"✓ Tar created")
-    except Exception as e:
-        log(f"✗ Tar error: {e}")
-        return False
 
-    # Build Kaniko command with tar context
-    cmd = [
-        "/kaniko/executor",
-        f"--context=tar://{tar_path}",
-        f"--dockerfile={dockerfile}",
-    ]
+        finally:
+            if tmpdir and tmpdir.exists():
+                shutil.rmtree(tmpdir, ignore_errors=True)
+            if tar_path and os.path.exists(tar_path):
+                os.remove(tar_path)
 
-    # Add destination tags
-    for tag in tags:
-        cmd.append(f"--destination={full_image}:{tag}")
-
-    # Add build args
-    if build_args:
-        for key, value in build_args.items():
-            cmd.append(f"--build-arg={key}={value}")
-
-    # Kaniko options
-    cmd.extend([
-        "--cache=false",
-        "--reproducible",
-        "--ignore-path=/product_uuid",
-        "--ignore-path=/sys",
-        "--log-format=text",
-        "--verbosity=debug",  # Get full error messages
-    ])
 
-    log(f"Executing: {' '.join(cmd[:5])}...")
+# =============================================================================
+# Webhook Handler
+# =============================================================================
 
-    try:
-        process = subprocess.Popen(
-            cmd,
-            stdout=subprocess.PIPE,
-            stderr=subprocess.STDOUT,
-            text=True,
-        )
 
-        # Stream output
-        for line in process.stdout:
-            line = line.strip()
-            if line:
-                log(f"  {line[:100]}")
-
-        process.wait()
-
-        if process.returncode == 0:
-            log(f"✓ Build successful: {full_image}")
-            with state_lock:
-                state["builds_completed"] += 1
-                state["last_build"] = {
-                    "image": full_image,
-                    "tags": tags,
-                    "status": "success",
-                    "completed_at": datetime.now(timezone.utc).isoformat(),
-                }
+class WebhookHandler:
+    def __init__(self, cfg: Config, state: BuildState) -> None:
+        self.config = cfg
+        self.state = state
+
+    def verify_signature(self, payload: bytes, signature: str) -> bool:
+        if not self.config.webhook_secret:
+            self.state.log("WEBHOOK_SECRET not set - skipping verification", level="warn")
             return True
-        else:
-            log(f"✗ Build failed with exit code {process.returncode}")
-            with state_lock:
-                state["builds_failed"] += 1
-                state["last_build"] = {
-                    "image": full_image,
-                    "tags": tags,
-                    "status": "failed",
-                    "exit_code": process.returncode,
-                    "completed_at": datetime.now(timezone.utc).isoformat(),
-                }
+        if not signature or not signature.startswith("sha256="):
             return False
-
-    except Exception as e:
-        log(f"✗ Build error: {e}")
-        with state_lock:
-            state["builds_failed"] += 1
-        return False
-    finally:
-        with state_lock:
-            state["status"] = "idle"
-            state["current_build"] = None
-
-
-def build_and_push_git(
-    git_context: str,
-    image_name: str,
-    dockerfile: str = "Dockerfile",
-    context_subpath: str = None,
-    tags: list = None,
-    build_args: dict = None,
-) -> bool:
-    """Build Docker image using Kaniko with git context source."""
-
-    if tags is None:
-        tags = ["latest"]
-
-    full_image = f"{REGISTRY_URL}/{image_name}"
-
-    # Mask token in logs
-    safe_context = git_context
-    if "@github.com" in git_context:
-        safe_context = git_context.split("@")[0][:10] + "...@github.com" + git_context.split("@github.com")[1]
-
-    log(f"Building {full_image}...")
-    log(f"  Git context: {safe_context}")
-    log(f"  Dockerfile: {dockerfile}")
-    log(f"  Tags: {tags}")
-
-    with state_lock:
-        state["status"] = "building"
-        state["current_build"] = {
-            "image": full_image,
+        expected = hmac.new(self.config.webhook_secret.encode(), payload, hashlib.sha256).hexdigest()
+        return hmac.compare_digest(f"sha256={expected}", signature)
+
+    def extract_changed_files(self, payload: dict) -> list[str]:
+        files = set()
+        for commit in payload.get("commits", []):
+            files.update(commit.get("added", []))
+            files.update(commit.get("modified", []))
+            files.update(commit.get("removed", []))
+        return list(files)
+
+    def should_trigger_build(self, changed_files: list[str]) -> tuple[bool, list[str]]:
+        matching = []
+        for filepath in changed_files:
+            for pattern in self.config.build_patterns:
+                if fnmatch.fnmatch(filepath, pattern):
+                    matching.append(filepath)
+                    break
+        return len(matching) > 0, matching
+
+    def parse_push_event(self, payload: dict, headers: dict) -> dict[str, Any]:
+        repo = payload.get("repository", {})
+        repo_url = repo.get("clone_url", "")
+        repo_name = repo.get("full_name", "")
+        default_branch = repo.get("default_branch", "main")
+
+        ref = payload.get("ref", "")
+        pushed_branch = ref.replace("refs/heads/", "") if ref.startswith("refs/heads/") else ""
+
+        self.state.log(f"Webhook: push to {repo_name}/{pushed_branch}")
+
+        if pushed_branch != default_branch:
+            return {"status": "ignored", "reason": f"not default branch ({default_branch})"}
+
+        changed_files = self.extract_changed_files(payload)
+        should_build, matching_files = self.should_trigger_build(changed_files)
+
+        if not should_build:
+            return {"status": "ignored", "reason": "no build-relevant files changed"}
+
+        image_name = headers.get("X-Builder-Image") or self.config.default_image or repo_name
+        tags_header = headers.get("X-Builder-Tags", "")
+        tags = [t.strip() for t in tags_header.split(",") if t.strip()] if tags_header else ["latest"]
+
+        build_args = {}
+        args_header = headers.get("X-Builder-Args", "")
+        if args_header:
+            for pair in args_header.split(","):
+                if "=" in pair:
+                    k, v = pair.split("=", 1)
+                    build_args[k.strip()] = v.strip()
+
+        return {
+            "status": "trigger",
+            "repo_url": repo_url,
+            "branch": pushed_branch,
+            "image_name": image_name,
             "tags": tags,
-            "started_at": datetime.now(timezone.utc).isoformat(),
+            "github_token": headers.get("X-Builder-Token"),
+            "platform": headers.get("X-Builder-Platform"),
+            "build_args": build_args,
+            "callback_url": headers.get("X-Builder-Callback"),
+            "matching_files": matching_files,
         }
 
-    # Build Kaniko command with git context
-    cmd = [
-        "/kaniko/executor",
-        f"--context={git_context}",
-        f"--dockerfile={dockerfile}",
+
+# =============================================================================
+# Flask App
+# =============================================================================
+
+config = Config()
+state = BuildState(max_history=config.max_history)
+notifier = Notifier(config, state)
+builder = KanikoBuilder(config, state, notifier)
+webhook_handler = WebhookHandler(config, state)
+
+app = Flask(__name__)
+
+
+@app.before_request
+def before_request():
+    """Set trace ID for each request."""
+    trace_id = request.headers.get("X-Request-ID") or request.headers.get("X-Trace-ID") or str(uuid.uuid4())[:8]
+    trace_id_var.set(trace_id)
+    g.trace_id = trace_id
+
+
+@app.after_request
+def after_request(response):
+    """Add trace ID to response headers."""
+    response.headers["X-Trace-ID"] = g.get("trace_id", "")
+    return response
+
+
+def create_build(build_config: BuildConfig) -> Build:
+    return Build(id=str(uuid.uuid4())[:8], config=build_config)
+
+
+# Health endpoints
+@app.route("/health")
+def health():
+    return jsonify({"status": "healthy", "runner_id": config.runner_id})
+
+
+@app.route("/ready")
+def ready():
+    if state.is_ready:
+        return jsonify({"status": "ready"})
+    return jsonify({"status": "not_ready"}), 503
+
+
+# Status badge
+@app.route("/badge")
+def badge():
+    """SVG status badge for READMEs."""
+    metrics = state.get_metrics()
+    if state.is_building:
+        color, text = "#f59e0b", "building"
+    elif metrics["builds_total"] == 0:
+        color, text = "#737373", "no builds"
+    elif metrics["last_failure_at"] and (not metrics["last_success_at"] or metrics["last_failure_at"] > metrics["last_success_at"]):
+        color, text = "#ef4444", "failing"
+    else:
+        color, text = "#22c55e", "passing"
+
+    svg = f'''<svg xmlns="http://www.w3.org/2000/svg" width="90" height="20">
+      <rect width="90" height="20" rx="3" fill="#555"/>
+      <rect x="45" width="45" height="20" rx="3" fill="{color}"/>
+      <rect x="45" width="4" height="20" fill="{color}"/>
+      <text x="22" y="14" fill="#fff" font-family="sans-serif" font-size="11" text-anchor="middle">build</text>
+      <text x="67" y="14" fill="#fff" font-family="sans-serif" font-size="11" text-anchor="middle">{text}</text>
+    </svg>'''
+    return Response(svg, mimetype="image/svg+xml", headers={"Cache-Control": "no-cache"})
+
+
+# API endpoints
+@app.route("/api/status")
+def api_status():
+    return jsonify({"runner_id": config.runner_id, "registry": config.registry_url, "trace_id": g.get("trace_id"), **state.to_dict()})
+
+
+@app.route("/api/metrics")
+def api_metrics():
+    metrics = state.get_metrics()
+    lines = [
+        f'# HELP hf_builder_builds_total Total builds',
+        f'# TYPE hf_builder_builds_total counter',
+        f'hf_builder_builds_total{{status="success"}} {metrics["builds_completed"]}',
+        f'hf_builder_builds_total{{status="failed"}} {metrics["builds_failed"]}',
+        f'# HELP hf_builder_build_duration_seconds Avg build duration',
+        f'# TYPE hf_builder_build_duration_seconds gauge',
+        f'hf_builder_build_duration_seconds {metrics["avg_duration_seconds"]:.2f}',
+        f'# HELP hf_builder_success_rate Success rate',
+        f'# TYPE hf_builder_success_rate gauge',
+        f'hf_builder_success_rate {metrics["success_rate"]:.4f}',
     ]
+    return Response("\n".join(lines), mimetype="text/plain")
 
-    if context_subpath:
-        cmd.append(f"--context-sub-path={context_subpath}")
 
-    # Add destination tags
-    for tag in tags:
-        cmd.append(f"--destination={full_image}:{tag}")
-
-    # Add build args
-    if build_args:
-        for key, value in build_args.items():
-            cmd.append(f"--build-arg={key}={value}")
-
-    # Kaniko options
-    cmd.extend([
-        "--cache=false",
-        "--reproducible",
-        "--ignore-path=/product_uuid",
-        "--ignore-path=/sys",
-        "--log-format=text",
-        "--verbosity=debug",
-    ])
+@app.route("/api/history")
+def api_history():
+    limit = request.args.get("limit", 10, type=int)
+    return jsonify({"builds": state.get_history(limit)})
 
-    log(f"Executing kaniko with git context...")
 
-    try:
-        process = subprocess.Popen(
-            cmd,
-            stdout=subprocess.PIPE,
-            stderr=subprocess.STDOUT,
-            text=True,
-        )
+@app.route("/api/logs")
+def api_logs():
+    return jsonify({"logs": state.logs})
 
-        for line in process.stdout:
-            line = line.strip()
-            if line:
-                # Mask any tokens in output
-                if GITHUB_TOKEN and GITHUB_TOKEN in line:
-                    line = line.replace(GITHUB_TOKEN, "***")
-                log(f"  {line[:100]}")
-
-        process.wait()
-
-        if process.returncode == 0:
-            log(f"✓ Build successful: {full_image}")
-            with state_lock:
-                state["builds_completed"] += 1
-                state["last_build"] = {
-                    "image": full_image,
-                    "tags": tags,
-                    "status": "success",
-                    "completed_at": datetime.now(timezone.utc).isoformat(),
-                }
-            return True
-        else:
-            log(f"✗ Build failed with exit code {process.returncode}")
-            with state_lock:
-                state["builds_failed"] += 1
-                state["last_build"] = {
-                    "image": full_image,
-                    "tags": tags,
-                    "status": "failed",
-                    "exit_code": process.returncode,
-                    "completed_at": datetime.now(timezone.utc).isoformat(),
-                }
-            return False
 
-    except Exception as e:
-        log(f"✗ Build error: {e}")
-        with state_lock:
-            state["builds_failed"] += 1
-        return False
-    finally:
-        with state_lock:
-            state["status"] = "idle"
-            state["current_build"] = None
-
-
-def run_build(build_config: dict) -> bool:
-    """Run a build from config."""
-    repo_url = build_config.get("repo_url")
-    branch = build_config.get("branch", "main")
-    image_name = build_config.get("image_name")
-    dockerfile = build_config.get("dockerfile", "Dockerfile")
-    context_path = build_config.get("context_path", ".")
-    tags = build_config.get("tags", ["latest"])
-    build_args = build_config.get("build_args", {})
-    github_token = build_config.get("github_token")  # Optional per-build token
-    # Default to tar context (clone + tar) for reliability with multi-stage builds
-    use_git_context = build_config.get("use_git_context", False)
-
-    if not repo_url or not image_name:
-        log("✗ Missing repo_url or image_name")
-        return False
+@app.route("/api/build", methods=["POST"])
+def api_build():
+    if state.is_building:
+        return jsonify({"error": "Build in progress", "current": state.current_build.to_dict()}), 409
 
-    # Option: Use git context source (Kaniko handles clone internally)
-    # Note: git context can have issues with multi-stage builds, prefer tar context
-    if use_git_context and "github.com" in repo_url:
-        token = github_token or GITHUB_TOKEN
-        if token:
-            git_context = repo_url.replace("https://github.com", f"git://{token}@github.com")
-        else:
-            git_context = repo_url.replace("https://github.com", "git://github.com")
-        git_context = f"{git_context}#refs/heads/{branch}"
-
-        if context_path and context_path != ".":
-            return build_and_push_git(
-                git_context=git_context,
-                image_name=image_name,
-                dockerfile=dockerfile,
-                context_subpath=context_path,
-                tags=tags,
-                build_args=build_args,
-            )
-        else:
-            return build_and_push_git(
-                git_context=git_context,
-                image_name=image_name,
-                dockerfile=dockerfile,
-                tags=tags,
-                build_args=build_args,
-            )
+    data = request.json or {}
 
-    # Default: clone repo, create tar context (most reliable for multi-stage builds)
-    tmpdir = None
-    tar_path = None
-    try:
-        tmpdir = clone_repo(repo_url, branch, github_token=github_token)
-        context_dir = str(tmpdir / context_path) if context_path != "." else str(tmpdir)
+    valid, err = validate_url(data.get("repo_url", ""))
+    if not valid:
+        return jsonify({"error": err}), 400
 
-        tar_path = f"{context_dir}.tar.gz"  # Track for cleanup
-        return build_and_push(
-            context_dir=context_dir,
-            image_name=image_name,
-            dockerfile=dockerfile,
-            tags=tags,
-            build_args=build_args,
-        )
+    valid, err = validate_image_name(data.get("image_name", ""))
+    if not valid:
+        return jsonify({"error": err}), 400
 
-    finally:
-        # Cleanup: remove cloned repo and tar file
-        if tmpdir and tmpdir.exists():
-            shutil.rmtree(tmpdir, ignore_errors=True)
-        if tar_path and os.path.exists(tar_path):
-            os.remove(tar_path)
+    tags = data.get("tags", ["latest"])
+    valid, err = validate_tags(tags)
+    if not valid:
+        return jsonify({"error": err}), 400
 
+    build_config = BuildConfig(
+        repo_url=data["repo_url"],
+        image_name=data["image_name"],
+        branch=data.get("branch", "main"),
+        dockerfile=data.get("dockerfile", "Dockerfile"),
+        context_path=data.get("context_path", "."),
+        tags=tags,
+        build_args=data.get("build_args", {}),
+        github_token=data.get("github_token"),
+        platform=data.get("platform"),
+        trigger="api",
+        callback_url=data.get("callback_url"),
+    )
 
-# =============================================================================
-# Queue Worker
-# =============================================================================
+    build = create_build(build_config)
+    threading.Thread(target=builder.build_and_push, args=(build,), daemon=True).start()
+
+    return jsonify({"status": "started", "build_id": build.id, "trace_id": g.get("trace_id"), "image": f"{config.registry_url}/{build_config.image_name}"}), 202
 
-def queue_worker():
-    """Process builds from the queue."""
-    log("Queue worker started")
 
-    while True:
-        if state["status"] == "idle":
-            build = get_next_build()
-            if build:
-                log(f"Processing queued build: {build.get('id')}")
-                run_build(build)
+@app.route("/api/build/<build_id>/cancel", methods=["POST"])
+def api_cancel(build_id: str):
+    current = state.current_build
+    if not current or current.id != build_id:
+        return jsonify({"error": "Build not found or not running"}), 404
+    if state.cancel_current():
+        return jsonify({"status": "cancelled", "build_id": build_id})
+    return jsonify({"error": "Failed to cancel"}), 500
 
-        time.sleep(5)
+
+# Webhook endpoints
+@app.route("/webhook/github", methods=["POST"])
+def webhook_github():
+    signature = request.headers.get("X-Hub-Signature-256", "")
+    if not webhook_handler.verify_signature(request.data, signature):
+        abort(401, "Invalid signature")
+
+    event = request.headers.get("X-GitHub-Event", "")
+    if event == "ping":
+        return jsonify({"status": "pong"})
+    if event != "push":
+        return jsonify({"status": "ignored", "reason": f"event: {event}"})
+
+    payload = request.json
+    if not payload:
+        abort(400, "Missing payload")
+
+    headers = {k: request.headers.get(k, "") for k in ["X-Builder-Image", "X-Builder-Tags", "X-Builder-Token", "X-Builder-Platform", "X-Builder-Args", "X-Builder-Callback"]}
+    result = webhook_handler.parse_push_event(payload, headers)
+
+    if result["status"] != "trigger":
+        return jsonify(result)
+    if state.is_building:
+        return jsonify({"status": "busy"}), 409
+
+    build_config = BuildConfig(
+        repo_url=result["repo_url"], image_name=result["image_name"], branch=result["branch"],
+        tags=result["tags"], github_token=result.get("github_token"), platform=result.get("platform"),
+        build_args=result.get("build_args", {}), trigger="webhook", callback_url=result.get("callback_url"),
+    )
+
+    build = create_build(build_config)
+    threading.Thread(target=builder.build_and_push, args=(build,), daemon=True).start()
+
+    return jsonify({"status": "started", "build_id": build.id, "trace_id": g.get("trace_id")}), 202
+
+
+@app.route("/webhook/test", methods=["POST"])
+def webhook_test():
+    if state.is_building:
+        return jsonify({"error": "Build in progress"}), 409
+
+    data = request.json or {}
+    if not data.get("repo_url") or not data.get("image_name"):
+        return jsonify({"error": "repo_url and image_name required"}), 400
+
+    build_config = BuildConfig(repo_url=data["repo_url"], image_name=data["image_name"], branch=data.get("branch", "main"), tags=data.get("tags", ["latest"]), trigger="test")
+    build = create_build(build_config)
+    threading.Thread(target=builder.build_and_push, args=(build,), daemon=True).start()
+
+    return jsonify({"status": "started", "build_id": build.id, "trace_id": g.get("trace_id")}), 202
 
 
 # =============================================================================
-# Web UI
+# Web UI - HTMX Interface
 # =============================================================================
 
+
+def render_stats_html() -> str:
+    """Render stats cards."""
+    metrics = state.get_metrics()
+    status = "building" if state.is_building else "idle"
+    return f"""
+<div class="stat-card">
+    <div class="stat-label">Status</div>
+    <div class="stat-value" style="display: flex; align-items: center; gap: 0.5rem;">
+        <span class="dot {'building' if status == 'building' else 'idle'}"></span>
+        {status.upper()}
+    </div>
+</div>
+<div class="stat-card">
+    <div class="stat-label">Completed</div>
+    <div class="stat-value success">{metrics['builds_completed']}</div>
+</div>
+<div class="stat-card">
+    <div class="stat-label">Failed</div>
+    <div class="stat-value failed">{metrics['builds_failed']}</div>
+</div>
+<div class="stat-card">
+    <div class="stat-label">Success Rate</div>
+    <div class="stat-value">{metrics['success_rate']*100:.0f}%</div>
+</div>
+"""
+
+
+def render_current_build_html() -> str:
+    """Render current build status."""
+    current = state.current_build
+    if not current:
+        return '<div class="empty">No active build</div>'
+
+    elapsed = ""
+    if current.started_at:
+        start = datetime.fromisoformat(current.started_at)
+        elapsed = f"{(datetime.now(timezone.utc) - start).total_seconds():.0f}s"
+
+    return f"""
+<div class="build-item active">
+    <div class="build-status">
+        <span class="dot building"></span>
+        <span class="build-id">{current.id}</span>
+    </div>
+    <div class="build-info">
+        <div class="build-image">{current.config.image_name}:{current.config.tags[0]}</div>
+        <div class="build-meta">
+            <span>{current.config.branch}</span>
+            <span>{current.config.trigger}</span>
+            {f'<span>{elapsed}</span>' if elapsed else ''}
+        </div>
+    </div>
+    <button class="btn btn-sm btn-danger" hx-post="/api/build/{current.id}/cancel" hx-swap="none">Cancel</button>
+</div>
+"""
+
+
+def render_history_html() -> str:
+    """Render build history."""
+    history = state.get_history(8)
+    if not history:
+        return '<div class="empty">No builds yet</div>'
+
+    html = ""
+    for build in history:
+        status = build["status"]
+        status_class = "success" if status == "success" else "failed" if status in ("failed", "timeout", "cancelled") else ""
+        duration = f'{build["duration_seconds"]:.1f}s' if build.get("duration_seconds") else "-"
+        image_short = build["image"].split("/")[-1] if build.get("image") else "-"
+
+        html += f"""
+<div class="build-item">
+    <div class="build-status">
+        <span class="badge {status_class}">{status}</span>
+        <span class="build-id">{build['id']}</span>
+    </div>
+    <div class="build-info">
+        <div class="build-image">{image_short}</div>
+        <div class="build-meta">
+            <span>{build.get('branch', '-')}</span>
+            <span>{build.get('trigger', '-')}</span>
+            <span>{duration}</span>
+        </div>
+    </div>
+</div>
+"""
+    return html
+
+
+def render_logs_html() -> str:
+    """Render logs."""
+    logs = state.logs
+    return "".join(f'<div class="log-line">{line}</div>' for line in logs[-60:])
+
+
+@app.route("/")
+def index():
+    return render_template_string(HTML_TEMPLATE,
+        config=config,
+        stats_html=render_stats_html(),
+        current_html=render_current_build_html(),
+        history_html=render_history_html(),
+        logs_html=render_logs_html(),
+    )
+
+
+@app.route("/stats-partial")
+def stats_partial():
+    return render_stats_html()
+
+
+@app.route("/current-partial")
+def current_partial():
+    return render_current_build_html()
+
+
+@app.route("/history-partial")
+def history_partial():
+    return render_history_html()
+
+
+@app.route("/logs-partial")
+def logs_partial():
+    return render_logs_html()
+
+
 HTML_TEMPLATE = """
 <!DOCTYPE html>
 <html lang="en">
@@ -573,6 +1145,7 @@ HTML_TEMPLATE = """
             --accent: #f59e0b;
             --green: #4ade80;
             --red: #f87171;
+            --blue: #60a5fa;
         }
         * { box-sizing: border-box; margin: 0; padding: 0; }
         body {
@@ -580,67 +1153,143 @@ HTML_TEMPLATE = """
             background: var(--bg);
             color: var(--text);
             min-height: 100vh;
-            display: flex;
-            flex-direction: column;
         }
-        .main { flex: 1; padding: 2rem; max-width: 900px; margin: 0 auto; width: 100%; }
+        .main { max-width: 1200px; margin: 0 auto; padding: 2rem; }
+
+        /* Header */
         .header { margin-bottom: 2rem; }
         .header h1 { font-size: 1.5rem; font-weight: 600; letter-spacing: -0.025em; }
-        .header-meta { display: flex; flex-wrap: wrap; gap: 1rem; margin-top: 0.5rem; font-size: 0.8125rem; color: var(--text-muted); }
+        .header-meta {
+            display: flex;
+            gap: 1.5rem;
+            margin-top: 0.5rem;
+            font-size: 0.8125rem;
+            color: var(--text-muted);
+        }
+        .header-meta a { color: var(--accent); text-decoration: none; }
+        .header-meta a:hover { text-decoration: underline; }
+
+        /* Stats */
+        .stats { display: grid; grid-template-columns: repeat(4, 1fr); gap: 1rem; margin-bottom: 2rem; }
+        .stat-card {
+            background: var(--surface);
+            border: 1px solid var(--border);
+            border-radius: 0.75rem;
+            padding: 1.25rem;
+        }
+        .stat-label {
+            font-size: 0.75rem;
+            color: var(--text-muted);
+            text-transform: uppercase;
+            letter-spacing: 0.05em;
+            margin-bottom: 0.5rem;
+        }
+        .stat-value {
+            font-size: 1.75rem;
+            font-weight: 600;
+            font-variant-numeric: tabular-nums;
+        }
+        .stat-value.success { color: var(--green); }
+        .stat-value.failed { color: var(--red); }
 
-        .status-card {
+        /* Panels */
+        .panels { display: grid; grid-template-columns: 1fr 1fr; gap: 1rem; margin-bottom: 1rem; }
+        .panel {
             background: var(--surface);
             border: 1px solid var(--border);
             border-radius: 0.75rem;
-            padding: 1.5rem;
-            margin-bottom: 1rem;
+            overflow: hidden;
         }
-        .status-header {
+        .panel.full { grid-column: span 2; }
+        .panel-header {
             display: flex;
             justify-content: space-between;
             align-items: center;
-            margin-bottom: 1.5rem;
+            padding: 1rem 1.25rem;
+            border-bottom: 1px solid var(--border);
         }
-        .status-info { display: flex; align-items: center; gap: 0.75rem; }
+        .panel-title { font-size: 0.875rem; font-weight: 500; }
+        .panel-body { padding: 1rem 1.25rem; max-height: 320px; overflow-y: auto; }
+
+        /* Buttons */
+        .btn {
+            background: var(--accent);
+            color: var(--bg);
+            border: none;
+            padding: 0.5rem 1rem;
+            border-radius: 0.5rem;
+            font-size: 0.8125rem;
+            font-weight: 500;
+            cursor: pointer;
+            transition: opacity 0.15s;
+        }
+        .btn:hover { opacity: 0.9; }
+        .btn:disabled { opacity: 0.5; cursor: not-allowed; }
+        .btn-sm { padding: 0.25rem 0.75rem; font-size: 0.75rem; }
+        .btn-danger { background: var(--red); }
+        .btn-ghost {
+            background: transparent;
+            color: var(--text-muted);
+            border: 1px solid var(--border);
+        }
+        .btn-ghost:hover { background: var(--border); color: var(--text); }
+
+        /* Dot */
         .dot {
-            width: 10px;
-            height: 10px;
+            width: 8px;
+            height: 8px;
             border-radius: 50%;
             flex-shrink: 0;
         }
         .dot.idle { background: var(--text-muted); }
-        .dot.building { background: var(--accent); animation: pulse 1.5s infinite; }
+        .dot.building { background: var(--accent); animation: pulse 2s infinite; }
+        .dot.success { background: var(--green); }
+        .dot.failed { background: var(--red); }
         @keyframes pulse {
-            0%, 100% { opacity: 1; transform: scale(1); }
-            50% { opacity: 0.5; transform: scale(0.95); }
+            0%, 100% { opacity: 1; }
+            50% { opacity: 0.5; }
         }
-        .status-text { font-size: 0.875rem; font-weight: 500; text-transform: uppercase; letter-spacing: 0.025em; }
 
-        .stats { display: grid; grid-template-columns: repeat(3, 1fr); gap: 1rem; }
-        .stat { text-align: center; padding: 1rem; background: var(--bg); border-radius: 0.5rem; }
-        .stat-value { font-size: 1.75rem; font-weight: 600; font-variant-numeric: tabular-nums; }
-        .stat-value.success { color: var(--green); }
-        .stat-value.failed { color: var(--red); }
-        .stat-label { font-size: 0.6875rem; color: var(--text-muted); text-transform: uppercase; letter-spacing: 0.05em; margin-top: 0.25rem; }
-
-        .form-card {
-            background: var(--surface);
-            border: 1px solid var(--border);
-            border-radius: 0.75rem;
-            padding: 1.5rem;
-            margin-bottom: 1rem;
+        /* Build items */
+        .build-item {
+            display: flex;
+            align-items: center;
+            gap: 1rem;
+            padding: 0.75rem 0;
+            border-bottom: 1px solid var(--border);
         }
-        .form-title { font-size: 0.875rem; font-weight: 500; margin-bottom: 1.25rem; }
-        .form-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1rem; }
-        .form-group { margin-bottom: 1rem; }
-        .form-group.full { grid-column: span 2; }
+        .build-item:last-child { border-bottom: none; }
+        .build-item.active { background: rgba(245, 158, 11, 0.05); margin: -0.5rem -0.25rem; padding: 0.75rem; border-radius: 0.5rem; }
+        .build-status { display: flex; align-items: center; gap: 0.5rem; min-width: 100px; }
+        .build-id { font-family: ui-monospace, monospace; font-size: 0.75rem; color: var(--text-muted); }
+        .build-info { flex: 1; min-width: 0; }
+        .build-image { font-size: 0.875rem; font-weight: 500; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; }
+        .build-meta { display: flex; gap: 1rem; font-size: 0.75rem; color: var(--text-muted); margin-top: 0.125rem; }
+
+        /* Badge */
+        .badge {
+            font-size: 0.6875rem;
+            font-weight: 600;
+            text-transform: uppercase;
+            letter-spacing: 0.05em;
+            padding: 0.125rem 0.5rem;
+            border-radius: 0.25rem;
+            background: var(--border);
+            color: var(--text-muted);
+        }
+        .badge.success { background: rgba(74, 222, 128, 0.15); color: var(--green); }
+        .badge.failed { background: rgba(248, 113, 113, 0.15); color: var(--red); }
+
+        /* Form */
+        .form-grid { display: grid; gap: 1rem; }
+        .form-row { display: grid; grid-template-columns: 1fr 1fr; gap: 1rem; }
         .form-group label {
             display: block;
-            margin-bottom: 0.375rem;
-            color: var(--text-muted);
             font-size: 0.75rem;
+            color: var(--text-muted);
             text-transform: uppercase;
-            letter-spacing: 0.025em;
+            letter-spacing: 0.05em;
+            margin-bottom: 0.375rem;
         }
         .form-group input {
             width: 100%;
@@ -649,32 +1298,16 @@ HTML_TEMPLATE = """
             border: 1px solid var(--border);
             border-radius: 0.5rem;
             color: var(--text);
+            font-family: ui-monospace, monospace;
             font-size: 0.875rem;
-            font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, monospace;
-            transition: border-color 0.15s;
         }
         .form-group input:focus {
             outline: none;
             border-color: var(--accent);
         }
-        .form-group input::placeholder { color: var(--text-muted); opacity: 0.5; }
-
-        .btn {
-            background: var(--accent);
-            color: var(--bg);
-            border: none;
-            padding: 0.75rem 1.5rem;
-            border-radius: 0.5rem;
-            font-size: 0.875rem;
-            font-weight: 500;
-            cursor: pointer;
-            transition: opacity 0.15s, transform 0.15s;
-            width: 100%;
-        }
-        .btn:hover { opacity: 0.9; }
-        .btn:active { transform: scale(0.98); }
-        .btn:disabled { opacity: 0.4; cursor: not-allowed; }
+        .form-group input::placeholder { color: var(--text-muted); }
 
+        /* Logs */
         .logs-panel {
             background: var(--surface);
             border: 1px solid var(--border);
@@ -695,17 +1328,20 @@ HTML_TEMPLATE = """
             font-size: 0.75rem;
             line-height: 1.5;
             padding: 1rem;
-            max-height: 300px;
+            max-height: 220px;
             overflow-y: auto;
             background: var(--bg);
         }
-        .log-line { color: var(--text-muted); white-space: pre-wrap; word-break: break-all; }
+        .log-line { color: var(--text-muted); }
         .log-line:hover { color: var(--text); }
 
-        @media (max-width: 640px) {
-            .form-grid { grid-template-columns: 1fr; }
-            .form-group.full { grid-column: span 1; }
-            .stats { grid-template-columns: 1fr; }
+        .empty { color: var(--text-muted); font-size: 0.875rem; padding: 1rem 0; text-align: center; }
+
+        @media (max-width: 768px) {
+            .stats { grid-template-columns: repeat(2, 1fr); }
+            .panels { grid-template-columns: 1fr; }
+            .panel.full { grid-column: span 1; }
+            .form-row { grid-template-columns: 1fr; }
         }
     </style>
 </head>
@@ -714,74 +1350,78 @@ HTML_TEMPLATE = """
         <div class="header">
             <h1>Builder</h1>
             <div class="header-meta">
-                <span>{{ runner_id }}</span>
-                <span>{{ registry_url }}</span>
-                {% if redis_connected %}<span style="color: var(--green);">Redis</span>{% endif %}
+                <span>{{ config.runner_id }}</span>
+                <span>{{ config.registry_url }}</span>
+                <a href="/badge">badge</a>
+                <a href="/api/metrics">metrics</a>
             </div>
         </div>
 
-        <div class="status-card" id="status-panel" hx-get="/status" hx-trigger="every 2s" hx-swap="innerHTML">
-            <div class="status-header">
-                <div class="status-info">
-                    <div class="dot {{ status }}"></div>
-                    <div class="status-text">{{ status }}</div>
+        <div class="stats" id="stats" hx-get="/stats-partial" hx-trigger="every 3s" hx-swap="innerHTML">
+            {{ stats_html | safe }}
+        </div>
+
+        <div class="panels">
+            <div class="panel">
+                <div class="panel-header">
+                    <span class="panel-title">Current Build</span>
                 </div>
-            </div>
-            <div class="stats">
-                <div class="stat">
-                    <div class="stat-value success">{{ builds_completed }}</div>
-                    <div class="stat-label">Completed</div>
+                <div class="panel-body" id="current" hx-get="/current-partial" hx-trigger="every 2s" hx-swap="innerHTML">
+                    {{ current_html | safe }}
                 </div>
-                <div class="stat">
-                    <div class="stat-value failed">{{ builds_failed }}</div>
-                    <div class="stat-label">Failed</div>
+            </div>
+
+            <div class="panel">
+                <div class="panel-header">
+                    <span class="panel-title">Build History</span>
                 </div>
-                <div class="stat">
-                    <div class="stat-value">{{ 'Yes' if current_build else '-' }}</div>
-                    <div class="stat-label">Active</div>
+                <div class="panel-body" id="history" hx-get="/history-partial" hx-trigger="every 5s" hx-swap="innerHTML">
+                    {{ history_html | safe }}
                 </div>
             </div>
-        </div>
 
-        <div class="form-card">
-            <div class="form-title">Trigger Build</div>
-            <form hx-post="/build" hx-swap="none">
-                <div class="form-grid">
-                    <div class="form-group full">
-                        <label>Repository URL</label>
-                        <input type="text" name="repo_url" placeholder="https://github.com/user/repo" required>
-                    </div>
-                    <div class="form-group">
-                        <label>Branch</label>
-                        <input type="text" name="branch" value="main">
-                    </div>
-                    <div class="form-group">
-                        <label>Image Name</label>
-                        <input type="text" name="image_name" placeholder="username/repo" required>
-                    </div>
-                    <div class="form-group">
-                        <label>Tags</label>
-                        <input type="text" name="tags" value="latest" placeholder="latest, v1.0">
-                    </div>
-                    <div class="form-group">
-                        <label>Dockerfile</label>
-                        <input type="text" name="dockerfile" value="Dockerfile">
-                    </div>
-                    <div class="form-group full">
-                        <button type="submit" class="btn" {% if status == 'building' %}disabled{% endif %}>
-                            {% if status == 'building' %}Building...{% else %}Build & Push{% endif %}
-                        </button>
-                    </div>
+            <div class="panel full">
+                <div class="panel-header">
+                    <span class="panel-title">New Build</span>
+                </div>
+                <div class="panel-body">
+                    <form hx-post="/api/build" hx-swap="none" class="form-grid">
+                        <div class="form-group">
+                            <label>Repository URL</label>
+                            <input type="text" name="repo_url" placeholder="https://github.com/owner/repo" required>
+                        </div>
+                        <div class="form-row">
+                            <div class="form-group">
+                                <label>Image Name</label>
+                                <input type="text" name="image_name" placeholder="owner/repo" required>
+                            </div>
+                            <div class="form-group">
+                                <label>Branch</label>
+                                <input type="text" name="branch" value="main">
+                            </div>
+                        </div>
+                        <div class="form-row">
+                            <div class="form-group">
+                                <label>Tags (comma-separated)</label>
+                                <input type="text" name="tags" value="latest">
+                            </div>
+                            <div class="form-group">
+                                <label>Dockerfile</label>
+                                <input type="text" name="dockerfile" value="Dockerfile">
+                            </div>
+                        </div>
+                        <button type="submit" class="btn">Build & Push</button>
+                    </form>
                 </div>
-            </form>
+            </div>
         </div>
 
         <div class="logs-panel">
             <div class="logs-header">
                 <span class="logs-title">Logs</span>
             </div>
-            <div id="logs" class="logs" hx-get="/logs" hx-trigger="every 2s" hx-swap="innerHTML">
-                {% for line in logs %}<div class="log-line">{{ line }}</div>{% endfor %}
+            <div id="logs" class="logs" hx-get="/logs-partial" hx-trigger="every 2s" hx-swap="innerHTML">
+                {{ logs_html | safe }}
             </div>
         </div>
     </div>
@@ -790,305 +1430,209 @@ HTML_TEMPLATE = """
 """
 
 
-@app.route("/")
-def index():
-    with state_lock:
-        return render_template_string(
-            HTML_TEMPLATE,
-            runner_name=RUNNER_NAME,
-            runner_id=RUNNER_ID,
-            registry_url=REGISTRY_URL,
-            redis_connected=state["redis_connected"],
-            status=state["status"],
-            builds_completed=state["builds_completed"],
-            builds_failed=state["builds_failed"],
-            current_build=state["current_build"],
-            logs=state["logs"][-50:],
-        )
-
-
-@app.route("/status")
-def status():
-    with state_lock:
-        return render_template_string("""
-            <div class="status-header">
-                <div class="status-info">
-                    <div class="dot {{ status }}"></div>
-                    <div class="status-text">{{ status }}</div>
-                </div>
-            </div>
-            <div class="stats">
-                <div class="stat">
-                    <div class="stat-value success">{{ builds_completed }}</div>
-                    <div class="stat-label">Completed</div>
-                </div>
-                <div class="stat">
-                    <div class="stat-value failed">{{ builds_failed }}</div>
-                    <div class="stat-label">Failed</div>
-                </div>
-                <div class="stat">
-                    <div class="stat-value">{{ 'Yes' if current_build else '-' }}</div>
-                    <div class="stat-label">Active</div>
-                </div>
-            </div>
-        """,
-            status=state["status"],
-            builds_completed=state["builds_completed"],
-            builds_failed=state["builds_failed"],
-            current_build=state["current_build"],
-        )
-
-
-@app.route("/logs")
-def logs():
-    with state_lock:
-        return "".join(f'<div class="log-line">{line}</div>' for line in state["logs"][-50:])
-
-
-@app.route("/build", methods=["POST"])
-def trigger_build():
-    """Trigger a build via API or form."""
-    if state["status"] == "building":
-        return jsonify({"error": "Build already in progress"}), 409
-
-    # Get build config from form or JSON
-    if request.is_json:
-        config = request.json
-    else:
-        config = {
-            "repo_url": request.form.get("repo_url"),
-            "branch": request.form.get("branch", "main"),
-            "image_name": request.form.get("image_name"),
-            "dockerfile": request.form.get("dockerfile", "Dockerfile"),
-            "tags": [t.strip() for t in request.form.get("tags", "latest").split(",")],
-        }
-
-    if not config.get("repo_url") or not config.get("image_name"):
-        return jsonify({"error": "repo_url and image_name required"}), 400
-
-    # Run build in background
-    threading.Thread(target=run_build, args=(config,), daemon=True).start()
-
-    return jsonify({"status": "started", "config": config}), 202
-
+# =============================================================================
+# Hivemind Integration
+# =============================================================================
 
-@app.route("/api/status")
-def api_status():
-    with state_lock:
-        return jsonify({
-            "runner_id": RUNNER_ID,
-            "runner_name": RUNNER_NAME,
-            "status": state["status"],
-            "current_build": state["current_build"],
-            "builds_completed": state["builds_completed"],
-            "builds_failed": state["builds_failed"],
-            "last_build": state["last_build"],
-            "redis_connected": state["redis_connected"],
-        })
-
-
-@app.route("/api/queue", methods=["POST"])
-def api_queue():
-    """Queue a build for later processing."""
-    if not request.is_json:
-        return jsonify({"error": "JSON required"}), 400
-
-    config = request.json
-    build_id = queue_build(config)
-    return jsonify({"status": "queued", "build_id": build_id}), 202
 
+class HivemindClient:
+    """Client for connecting to the Hivemind controller."""
 
-# =============================================================================
-# GitHub Webhook
-# =============================================================================
+    def __init__(self, cfg: Config, build_state: BuildState, kaniko_builder: KanikoBuilder) -> None:
+        self.config = cfg
+        self.state = build_state
+        self.builder = kaniko_builder
+        self.controller_url = os.getenv("HIVEMIND_CONTROLLER_URL", "")
+        self.worker_id = cfg.runner_id
+        self.poll_interval = int(os.getenv("HIVEMIND_POLL_INTERVAL", "30"))
+        self.enabled = bool(self.controller_url)
+        self._running = False
 
-def verify_webhook_signature(payload: bytes, signature: str) -> bool:
-    """Verify GitHub webhook signature using HMAC-SHA256."""
-    if not GITHUB_WEBHOOK_SECRET:
-        log("⚠️ GITHUB_WEBHOOK_SECRET not set - skipping signature verification")
-        return True  # Allow if no secret configured (not recommended for production)
+    def register(self) -> bool:
+        """Register this builder with the hivemind controller."""
+        if not self.enabled:
+            return False
 
-    if not signature or not signature.startswith("sha256="):
-        return False
+        try:
+            resp = http_requests.post(
+                f"{self.controller_url}/api/register",
+                json={
+                    "worker_id": self.worker_id,
+                    "name": f"Builder {self.worker_id}",
+                    "capabilities": ["build"],
+                },
+                timeout=10,
+            )
+            if resp.ok:
+                self.state.log(f"Registered with hivemind: {self.controller_url}")
+                return True
+            else:
+                self.state.log(f"Hivemind registration failed: {resp.status_code}", level="warn")
+                return False
+        except Exception as e:
+            self.state.log(f"Hivemind registration error: {e}", level="error")
+            return False
 
-    expected = hmac.new(
-        GITHUB_WEBHOOK_SECRET.encode(),
-        payload,
-        hashlib.sha256
-    ).hexdigest()
+    def heartbeat(self, status: str = "idle", work_id: str | None = None, progress: float | None = None) -> None:
+        """Send heartbeat to controller."""
+        if not self.enabled:
+            return
 
-    return hmac.compare_digest(f"sha256={expected}", signature)
+        try:
+            http_requests.post(
+                f"{self.controller_url}/api/heartbeat",
+                json={
+                    "worker_id": self.worker_id,
+                    "status": status,
+                    "work_id": work_id,
+                    "progress": progress,
+                },
+                timeout=5,
+            )
+        except Exception:
+            pass  # Heartbeat failures are not critical
 
+    def get_work(self) -> dict | None:
+        """Poll controller for available work."""
+        if not self.enabled:
+            return None
 
-def should_trigger_build(changed_files: list[str]) -> tuple[bool, list[str]]:
-    """Check if any changed files match build trigger patterns.
+        try:
+            resp = http_requests.get(
+                f"{self.controller_url}/api/work",
+                params={"worker_id": self.worker_id, "capabilities": "build"},
+                timeout=10,
+            )
+            if resp.ok:
+                data = resp.json()
+                return data.get("work")
+            return None
+        except Exception as e:
+            self.state.log(f"Hivemind work poll error: {e}", level="warn")
+            return None
 
-    Returns:
-        Tuple of (should_build, matching_files)
-    """
-    matching = []
-    for filepath in changed_files:
-        for pattern in BUILD_TRIGGER_PATTERNS:
-            if fnmatch.fnmatch(filepath, pattern):
-                matching.append(filepath)
-                break
-    return len(matching) > 0, matching
+    def complete_work(self, work_id: str, result: dict | None = None) -> None:
+        """Report work completion to controller."""
+        if not self.enabled:
+            return
 
+        try:
+            http_requests.post(
+                f"{self.controller_url}/api/complete",
+                json={
+                    "worker_id": self.worker_id,
+                    "work_id": work_id,
+                    "result": result or {},
+                },
+                timeout=10,
+            )
+            self.state.log(f"Reported completion: {work_id}")
+        except Exception as e:
+            self.state.log(f"Hivemind complete error: {e}", level="warn")
 
-def extract_changed_files(payload: dict) -> list[str]:
-    """Extract list of changed files from GitHub push payload."""
-    files = set()
-    for commit in payload.get("commits", []):
-        files.update(commit.get("added", []))
-        files.update(commit.get("modified", []))
-        files.update(commit.get("removed", []))
-    return list(files)
+    def fail_work(self, work_id: str, error: str) -> None:
+        """Report work failure to controller."""
+        if not self.enabled:
+            return
 
+        try:
+            http_requests.post(
+                f"{self.controller_url}/api/fail",
+                json={
+                    "worker_id": self.worker_id,
+                    "work_id": work_id,
+                    "error": error,
+                },
+                timeout=10,
+            )
+            self.state.log(f"Reported failure: {work_id}")
+        except Exception as e:
+            self.state.log(f"Hivemind fail error: {e}", level="warn")
 
-@app.route("/webhook/github", methods=["POST"])
-def github_webhook():
-    """Handle GitHub webhook events from any repository.
+    def process_work(self, work: dict) -> bool:
+        """Process a work item from the controller."""
+        work_id = work.get("work_id", "unknown")
+        work_type = work.get("type", "")
 
-    Triggers a build when:
-    - Event is a push to the default branch (main/master)
-    - Changed files match BUILD_TRIGGER_PATTERNS
+        if work_type != "build":
+            self.state.log(f"Unknown work type: {work_type}", level="warn")
+            self.fail_work(work_id, f"Unknown work type: {work_type}")
+            return False
 
-    Works with any GitHub repository - extracts repo info from payload.
+        self.state.log(f"Processing hivemind work: {work_id}")
+        self.heartbeat(status="working", work_id=work_id)
 
-    Optional headers for per-repo configuration:
-    - X-Builder-Token: GitHub token for cloning private repos (overrides env GITHUB_TOKEN)
-    - X-Builder-Image: Override image name (default: uses repo full_name)
-    - X-Builder-Tags: Comma-separated tags (default: "latest")
-    """
-    # Verify signature
-    signature = request.headers.get("X-Hub-Signature-256", "")
-    if not verify_webhook_signature(request.data, signature):
-        log("✗ Webhook signature verification failed")
-        abort(401, "Invalid signature")
+        # Extract build config from work item
+        repo_url = work.get("repo_url", "")
+        image_name = work.get("image_name", "") or work.get("image", "")
+        branch = work.get("branch", "main")
+        tags = work.get("tags", ["latest"])
 
-    # Only handle push events
-    event = request.headers.get("X-GitHub-Event", "")
-    if event == "ping":
-        log("✓ Webhook ping received")
-        return jsonify({"status": "pong"}), 200
+        if not repo_url or not image_name:
+            self.fail_work(work_id, "Missing repo_url or image_name")
+            return False
 
-    if event != "push":
-        log(f"Ignoring non-push event: {event}")
-        return jsonify({"status": "ignored", "reason": f"event type: {event}"}), 200
+        build_config = BuildConfig(
+            repo_url=repo_url,
+            image_name=image_name,
+            branch=branch,
+            tags=tags if isinstance(tags, list) else [tags],
+            dockerfile=work.get("dockerfile", "Dockerfile"),
+            context_path=work.get("context_path", "."),
+            build_args=work.get("build_args", {}),
+            github_token=work.get("github_token"),
+            platform=work.get("platform"),
+            trigger="hivemind",
+        )
 
-    payload = request.json
-    if not payload:
-        abort(400, "Missing payload")
+        build = Build(id=work_id, config=build_config)
+        success = self.builder.build_and_push(build)
 
-    # Extract repo info from webhook payload (works for any repo)
-    repo = payload.get("repository", {})
-    repo_url = repo.get("clone_url", "")
-    repo_full_name = repo.get("full_name", "")  # e.g., "owner/repo"
-    default_branch = repo.get("default_branch", "main")
-    is_private = repo.get("private", False)
-
-    # Get the ref that was pushed
-    ref = payload.get("ref", "")
-    pushed_branch = ref.replace("refs/heads/", "") if ref.startswith("refs/heads/") else ""
-
-    log(f"Webhook: push to {repo_full_name}/{pushed_branch} (private={is_private})")
-
-    # Only build on pushes to default branch
-    if pushed_branch != default_branch:
-        log(f"Ignoring push to non-default branch: {pushed_branch} (default: {default_branch})")
-        return jsonify({
-            "status": "ignored",
-            "reason": f"branch {pushed_branch} is not default branch {default_branch}"
-        }), 200
-
-    # Check if any relevant files changed
-    changed_files = extract_changed_files(payload)
-    should_build, matching_files = should_trigger_build(changed_files)
-
-    if not should_build:
-        log(f"No build-relevant files changed in {len(changed_files)} files")
-        return jsonify({
-            "status": "ignored",
-            "reason": "no build-relevant files changed",
-            "changed_files": changed_files[:20]  # Limit for response size
-        }), 200
-
-    log(f"Build triggered by {len(matching_files)} matching files: {matching_files[:5]}")
-
-    # Per-repo overrides via headers
-    override_token = request.headers.get("X-Builder-Token", "")
-    override_image = request.headers.get("X-Builder-Image", "")
-    override_tags = request.headers.get("X-Builder-Tags", "")
-
-    # Determine image name: header override > env default > repo name
-    image_name = override_image or DEFAULT_IMAGE_NAME or repo_full_name
-
-    # Determine tags
-    if override_tags:
-        tags = [t.strip() for t in override_tags.split(",") if t.strip()]
-    else:
-        tags = ["latest"]
-
-    # Build configuration
-    build_config = {
-        "repo_url": repo_url,
-        "branch": pushed_branch,
-        "image_name": image_name,
-        "tags": tags,
-        "trigger": "webhook",
-        "matching_files": matching_files[:10],
-    }
-
-    # Add per-repo token if provided (for private repos)
-    if override_token:
-        build_config["github_token"] = override_token
-        log(f"Using per-repo token for {repo_full_name}")
-
-    # Check if already building
-    if state["status"] == "building":
-        log("Build already in progress - queueing webhook build")
-        if redis_client:
-            build_id = queue_build(build_config)
-            return jsonify({"status": "queued", "build_id": build_id}), 202
+        if success:
+            self.complete_work(work_id, {
+                "image": f"{self.config.registry_url}/{image_name}",
+                "tags": tags,
+                "duration": build.duration_seconds,
+            })
         else:
-            return jsonify({"status": "busy", "reason": "build in progress and no queue configured"}), 409
+            self.fail_work(work_id, build.error or "Build failed")
 
-    threading.Thread(target=run_build, args=(build_config,), daemon=True).start()
+        return success
 
-    return jsonify({
-        "status": "started",
-        "repo": repo_full_name,
-        "branch": pushed_branch,
-        "image": f"{REGISTRY_URL}/{image_name}",
-        "tags": tags,
-        "matching_files": matching_files
-    }), 202
+    def work_loop(self) -> None:
+        """Main loop for polling and processing work from hivemind."""
+        self._running = True
+        self.state.log("Hivemind work loop started")
 
+        while self._running:
+            try:
+                # Don't poll if already building
+                if self.state.is_building:
+                    self.heartbeat(status="working")
+                    time.sleep(self.poll_interval)
+                    continue
 
-@app.route("/webhook/test", methods=["POST"])
-def test_webhook():
-    """Test endpoint to simulate a webhook (no signature required)."""
-    if state["status"] == "building":
-        return jsonify({"error": "Build already in progress"}), 409
+                # Send idle heartbeat
+                self.heartbeat(status="idle")
+
+                # Poll for work
+                work = self.get_work()
+                if work:
+                    self.process_work(work)
+                else:
+                    time.sleep(self.poll_interval)
 
-    # Allow testing with minimal payload
-    payload = request.json or {}
-    repo_url = payload.get("repo_url", "https://github.com/jonathanagustin/lawforge")
-    branch = payload.get("branch", "main")
-    image_name = payload.get("image_name", DEFAULT_IMAGE_NAME or "jonathanagustin/lawforge")
+            except Exception as e:
+                self.state.log(f"Hivemind loop error: {e}", level="error")
+                time.sleep(self.poll_interval)
 
-    build_config = {
-        "repo_url": repo_url,
-        "branch": branch,
-        "image_name": image_name,
-        "tags": ["latest"],
-        "trigger": "test",
-    }
+    def stop(self) -> None:
+        """Stop the work loop."""
+        self._running = False
 
-    log(f"Test webhook triggered: {image_name}")
-    threading.Thread(target=run_build, args=(build_config,), daemon=True).start()
 
-    return jsonify({"status": "started", "config": build_config}), 202
+# Initialize hivemind client
+hivemind = HivemindClient(config, state, builder)
 
 
 # =============================================================================
@@ -1096,33 +1640,27 @@ def test_webhook():
 # =============================================================================
 
 def startup():
-    log(f"Builder started: {RUNNER_NAME} ({RUNNER_ID})")
-    log(f"Registry: {REGISTRY_URL}")
+    init_telemetry()
 
-    # Initialize Redis
-    init_redis()
+    state.log(f"HF Builder starting ({config.runner_id})")
+    state.log(f"Registry: {config.registry_url}")
 
-    # Setup registry auth
-    if REGISTRY_USER:
-        setup_registry_auth()
-    else:
-        log("⚠️ REGISTRY_USER not set - pushes will fail")
-
-    # Webhook configuration status
-    if GITHUB_WEBHOOK_SECRET:
-        log("✓ GitHub webhook secret configured")
-    else:
-        log("⚠️ GITHUB_WEBHOOK_SECRET not set - webhooks will accept unsigned payloads")
+    if config.registry_user:
+        builder.setup_registry_auth()
 
-    if DEFAULT_IMAGE_NAME:
-        log(f"✓ Default image: {REGISTRY_URL}/{DEFAULT_IMAGE_NAME}")
+    if config.slack_webhook_url:
+        state.log("Slack notifications enabled")
+    if config.discord_webhook_url:
+        state.log("Discord notifications enabled")
 
-    # Start queue worker if Redis is configured
-    if redis_client:
-        threading.Thread(target=queue_worker, daemon=True).start()
+    # Hivemind integration
+    if hivemind.enabled:
+        state.log(f"Hivemind controller: {hivemind.controller_url}")
+        if hivemind.register():
+            threading.Thread(target=hivemind.work_loop, daemon=True).start()
 
-    log("Ready for builds!")
-    log(f"Webhook endpoint: /webhook/github")
+    state.set_ready(True)
+    state.log("Ready")
 
 
 threading.Thread(target=startup, daemon=True).start()

requirements.txt

@@ -1,5 +1,8 @@
 flask>=3.0.0
-huggingface_hub>=0.24.0
-httpx>=0.27.0
 gitpython>=3.1.0
-upstash-redis>=1.0.0
+requests>=2.31.0
+
+# Optional: OpenTelemetry (uncomment to enable)
+# opentelemetry-api>=1.20.0
+# opentelemetry-sdk>=1.20.0
+# opentelemetry-exporter-otlp>=1.20.0