diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml
index 1c1b720..3ce8b61 100644
--- a/.trunk/trunk.yaml
+++ b/.trunk/trunk.yaml
@@ -2,7 +2,7 @@
 # To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
 version: 0.1
 cli:
-  version: 1.22.9
+  version: 1.22.10
 # Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins)
 plugins:
   sources:
@@ -23,7 +23,6 @@ lint:
   enabled:
     - hadolint@2.12.1-beta
     - actionlint@1.7.7
-    - checkov@3.2.360
     - git-diff-check
     - gofmt@1.20.4
     - golangci-lint@1.63.4
@@ -32,7 +31,7 @@ lint:
     - prettier@3.4.2
     - shellcheck@0.10.0
     - shfmt@3.6.0
-    - trufflehog@3.88.4
+    - trufflehog@3.88.5
 actions:
   disabled:
     - trunk-announce
diff --git a/agent/cmd/args.go b/agent/cmd/args.go
index 819fc29..de4293f 100644
--- a/agent/cmd/args.go
+++ b/agent/cmd/args.go
@@ -9,8 +9,7 @@ type agentCommandValidator struct{}
 
 func (v agentCommandValidator) IsCommandValid(cmd string) bool {
 	switch cmd {
-	case CommandStart,
-		CommandNewClient:
+	case CommandStart, CommandNewClient:
 		return true
 	}
 	return false
diff --git a/agent/cmd/main.go b/agent/cmd/main.go
index 4138489..d91ad3f 100644
--- a/agent/cmd/main.go
+++ b/agent/cmd/main.go
@@ -72,8 +72,7 @@ func main() {
 		E.LogFatal("init CA error", err)
 	}
 
-	switch args.Command {
-	case CommandNewClient:
+	if args.Command == CommandNewClient {
 		printNewClientHelp(ca)
 		return
 	}
diff --git a/agent/pkg/agent/config.go b/agent/pkg/agent/config.go
index 9806fe2..5ec6022 100644
--- a/agent/pkg/agent/config.go
+++ b/agent/pkg/agent/config.go
@@ -37,7 +37,6 @@ type (
 const (
 	EndpointVersion   = "/version"
 	EndpointName      = "/name"
-	EndpointCACert    = "/ca-cert"
 	EndpointProxyHTTP = "/proxy/http"
 	EndpointHealth    = "/health"
 	EndpointLogs      = "/logs"
diff --git a/agent/pkg/agent/requests.go b/agent/pkg/agent/requests.go
index b36d365..40ad158 100644
--- a/agent/pkg/agent/requests.go
+++ b/agent/pkg/agent/requests.go
@@ -24,7 +24,7 @@ func (cfg *AgentConfig) Fetch(ctx context.Context, endpoint string) ([]byte, int
 		return nil, 0, err
 	}
 	defer resp.Body.Close()
-	data, err := io.ReadAll(resp.Body)
+	data, _ := io.ReadAll(resp.Body)
 	return data, resp.StatusCode, nil
 }
 
diff --git a/agent/pkg/handler/docker_socket.go b/agent/pkg/handler/docker_socket.go
index a167b09..8e2e5d8 100644
--- a/agent/pkg/handler/docker_socket.go
+++ b/agent/pkg/handler/docker_socket.go
@@ -86,7 +86,7 @@ func DockerSocketHandler() http.HandlerFunc {
 			}
 		} else {
 			// For non-event streams, just copy the body
-			godoxyIO.NewPipe(r.Context(), resp.Body, NopWriteCloser{w}).Start()
+			_ = godoxyIO.NewPipe(r.Context(), resp.Body, NopWriteCloser{w}).Start()
 		}
 	}
 }
diff --git a/agent/pkg/handler/handler.go b/agent/pkg/handler/handler.go
index b596bda..14f4ef0 100644
--- a/agent/pkg/handler/handler.go
+++ b/agent/pkg/handler/handler.go
@@ -32,7 +32,7 @@ func (NopWriteCloser) Close() error {
 	return nil
 }
 
-func NewHandler(caCertPEM []byte) http.Handler {
+func NewHandler() http.Handler {
 	mux := ServeMux{http.NewServeMux()}
 
 	mux.HandleFunc(agent.EndpointProxyHTTP+"/{path...}", ProxyHTTP)
@@ -40,9 +40,6 @@ func NewHandler(caCertPEM []byte) http.Handler {
 	mux.HandleMethods("GET", agent.EndpointName, func(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprint(w, env.AgentName)
 	})
-	mux.HandleMethods("GET", agent.EndpointCACert, func(w http.ResponseWriter, r *http.Request) {
-		w.Write(caCertPEM)
-	})
 	mux.HandleMethods("GET", agent.EndpointHealth, CheckHealth)
 	mux.HandleMethods("GET", agent.EndpointLogs, memlogger.LogsWS(nil))
 	mux.ServeMux.HandleFunc("/", DockerSocketHandler())
diff --git a/agent/pkg/handler/proxy_http.go b/agent/pkg/handler/proxy_http.go
index badfeb9..3187637 100644
--- a/agent/pkg/handler/proxy_http.go
+++ b/agent/pkg/handler/proxy_http.go
@@ -17,14 +17,14 @@ import (
 
 func ProxyHTTP(w http.ResponseWriter, r *http.Request) {
 	host := r.Header.Get(agentproxy.HeaderXProxyHost)
-	isHTTPs := strutils.ParseBool(r.Header.Get(agentproxy.HeaderXProxyHTTPS))
+	isHTTPS := strutils.ParseBool(r.Header.Get(agentproxy.HeaderXProxyHTTPS))
 	skipTLSVerify := strutils.ParseBool(r.Header.Get(agentproxy.HeaderXProxySkipTLSVerify))
 	responseHeaderTimeout, err := strconv.Atoi(r.Header.Get(agentproxy.HeaderXProxyResponseHeaderTimeout))
 	if err != nil {
 		responseHeaderTimeout = 0
 	}
 
-	logging.Debug().Msgf("proxy http request: host=%s, isHTTPs=%t, skipTLSVerify=%t, responseHeaderTimeout=%d", host, isHTTPs, skipTLSVerify, responseHeaderTimeout)
+	logging.Debug().Msgf("proxy http request: host=%s, isHTTPs=%t, skipTLSVerify=%t, responseHeaderTimeout=%d", host, isHTTPS, skipTLSVerify, responseHeaderTimeout)
 
 	if host == "" {
 		http.Error(w, "missing required headers", http.StatusBadRequest)
@@ -32,7 +32,7 @@ func ProxyHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 
 	scheme := "http"
-	if isHTTPs {
+	if isHTTPS {
 		scheme = "https"
 	}
 
diff --git a/agent/pkg/server/server.go b/agent/pkg/server/server.go
index a8c34c1..f6e528d 100644
--- a/agent/pkg/server/server.go
+++ b/agent/pkg/server/server.go
@@ -43,9 +43,11 @@ func StartAgentServer(parent task.Parent, opt Options) {
 	defer l.Close()
 
 	server := &http.Server{
-		Handler:   handler.NewHandler(caCertPEM),
+		Handler:   handler.NewHandler(),
 		TLSConfig: tlsConfig,
 		ErrorLog:  log.New(logging.GetLogger(), "", 0),
 	}
-	server.Serve(tls.NewListener(l, tlsConfig))
+	if err := server.Serve(tls.NewListener(l, tlsConfig)); err != nil {
+		logging.Fatal().Err(err).Int("port", opt.Port).Msg("failed to serve")
+	}
 }
diff --git a/internal/api/v1/favicon/favicon.go b/internal/api/v1/favicon/favicon.go
index 4c5d8f1..5376644 100644
--- a/internal/api/v1/favicon/favicon.go
+++ b/internal/api/v1/favicon/favicon.go
@@ -36,9 +36,8 @@ func (res *fetchResult) ContentType() string {
 	if res.contentType == "" {
 		if bytes.HasPrefix(res.icon, []byte("<svg")) || bytes.HasPrefix(res.icon, []byte("<?xml")) {
 			return "image/svg+xml"
-		} else {
-			return "image/x-icon"
 		}
+		return "image/x-icon"
 	}
 	return res.contentType
 }
diff --git a/internal/common/ports.go b/internal/common/ports.go
index 6bd3cfe..b567675 100644
--- a/internal/common/ports.go
+++ b/internal/common/ports.go
@@ -1,3 +1,4 @@
+//nolint:misspell
 package common
 
 var (
diff --git a/internal/logging/logging.go b/internal/logging/logging.go
index 0870ea3..e6ca387 100644
--- a/internal/logging/logging.go
+++ b/internal/logging/logging.go
@@ -11,11 +11,10 @@ import (
 )
 
 var (
-	logger     zerolog.Logger
-	timeFmt    string
-	level      zerolog.Level
-	prefix     string
-	prefixHTML []byte
+	logger  zerolog.Logger
+	timeFmt string
+	level   zerolog.Level
+	prefix  string
 )
 
 func init() {
@@ -32,8 +31,6 @@ func init() {
 	}
 	prefixLength := len(timeFmt) + 5 // level takes 3 + 2 spaces
 	prefix = strings.Repeat(" ", prefixLength)
-	// prefixHTML = []byte(strings.Repeat("&nbsp;", prefixLength))
-	prefixHTML = []byte(prefix)
 
 	if zerolog.TraceLevel != -1 && zerolog.NoLevel != 6 {
 		panic("zerolog implementation changed")
diff --git a/internal/route/provider/event_handler.go b/internal/route/provider/event_handler.go
index 63bb1d3..3dccc0f 100644
--- a/internal/route/provider/event_handler.go
+++ b/internal/route/provider/event_handler.go
@@ -37,26 +37,6 @@ func (handler *EventHandler) Handle(parent task.Parent, events []watcher.Event)
 		}
 	}
 
-	// if common.IsDebug {
-	// 	eventsLog := E.NewBuilder("events")
-	// 	for _, event := range events {
-	// 		eventsLog.Addf("event %s, actor: name=%s, id=%s", event.Action, event.ActorName, event.ActorID)
-	// 	}
-	// 	E.LogDebug(eventsLog.About(), eventsLog.Error(), handler.provider.Logger())
-
-	// 	oldRoutesLog := E.NewBuilder("old routes")
-	// 	for k := range oldRoutes {
-	// 		oldRoutesLog.Adds(k)
-	// 	}
-	// 	E.LogDebug(oldRoutesLog.About(), oldRoutesLog.Error(), handler.provider.Logger())
-
-	// 	newRoutesLog := E.NewBuilder("new routes")
-	// 	for k := range newRoutes {
-	// 		newRoutesLog.Adds(k)
-	// 	}
-	// 	E.LogDebug(newRoutesLog.About(), newRoutesLog.Error(), handler.provider.Logger())
-	// }
-
 	for k, oldr := range oldRoutes {
 		newr, ok := newRoutes[k]
 		switch {
diff --git a/internal/route/reverse_proxy.go b/internal/route/reverse_proxy.go
index b841b33..c97c53b 100755
--- a/internal/route/reverse_proxy.go
+++ b/internal/route/reverse_proxy.go
@@ -41,7 +41,6 @@ type (
 
 // var globalMux    = http.NewServeMux() // TODO: support regex subdomain matching.
 
-// TODO: fix this for agent
 func NewReverseProxyRoute(base *Route) (*ReveseProxyRoute, E.Error) {
 	httpConfig := base.HTTPConfig
 	proxyURL := base.ProxyURL
diff --git a/internal/route/route.go b/internal/route/route.go
index d6e3c00..d92c6d7 100644
--- a/internal/route/route.go
+++ b/internal/route/route.go
@@ -280,14 +280,15 @@ func (r *Route) Finalize() {
 	}
 
 	if pp == 0 {
-		if isDocker {
+		switch {
+		case isDocker:
 			pp = lowestPort(cont.PrivatePortMapping)
 			if pp == 0 {
 				pp = lowestPort(cont.PublicPortMapping)
 			}
-		} else if r.Scheme == "https" {
+		case r.Scheme == "https":
 			pp = 443
-		} else {
+		default:
 			pp = 80
 		}
 	}