docs: add README.md with project overview, dev setup, and deployment guide

Covers tech stack, project structure, local development with nix develop
and air live reload, environment variables, testing, container build, and
deployment pointer to Talos repo manifests.

Closes leeworks-agents/gitea-mobile#148

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.dockerignore

@@ -0,0 +1,8 @@
+.git
+.gitignore
+*.md
+flake.nix
+flake.lock
+.envrc
+.direnv
+.claude

.gitea/workflows/build.yaml

@@ -0,0 +1,41 @@
+name: Build and Push
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.22'
+
+      - name: Run tests
+        run: go test -race ./...
+
+  build:
+    runs-on: ubuntu-latest
+    needs: test
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to Gitea registry
+        run: |
+          echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login gitea.leeworks.dev \
+            -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
+
+      - name: Build and push Docker image
+        run: |
+          TIMESTAMP=$(date +%Y%m%d%H%M%S)
+          SHA=$(echo ${{ gitea.sha }} | cut -c1-7)
+          TAG="${TIMESTAMP}-${SHA}"
+          docker build -t gitea.leeworks.dev/0xwheatyz/gitea-mobile:${TAG} .
+          docker tag gitea.leeworks.dev/0xwheatyz/gitea-mobile:${TAG} \
+            gitea.leeworks.dev/0xwheatyz/gitea-mobile:latest
+          docker push gitea.leeworks.dev/0xwheatyz/gitea-mobile:${TAG}
+          docker push gitea.leeworks.dev/0xwheatyz/gitea-mobile:latest

Dockerfile

@@ -0,0 +1,16 @@
+# Stage 1: Build
+FROM golang:1.22-alpine AS builder
+WORKDIR /app
+COPY go.mod ./
+RUN go mod download
+COPY . .
+RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /gitea-mobile ./cmd/server
+
+# Stage 2: Runtime
+FROM gcr.io/distroless/static:nonroot
+COPY --from=builder /gitea-mobile /gitea-mobile
+COPY static/ /static/
+COPY internal/templates/ /templates/
+EXPOSE 8080
+USER nonroot:nonroot
+ENTRYPOINT ["/gitea-mobile"]

README.md

@@ -0,0 +1,116 @@
+# Gitea Mobile
+
+A mobile-first Progressive Web App (PWA) for managing Gitea issues and pull requests across multiple repositories and organizations from an iPhone. Built with Go, HTMX, and hand-rolled CSS -- no JavaScript frameworks, no build step, no node_modules.
+
+## Tech Stack
+
+| Layer | Choice |
+|-------|--------|
+| Backend | Go + Gitea SDK (`code.gitea.io/sdk/gitea`) |
+| Frontend | HTMX + Go `html/template` + hand-rolled CSS |
+| Container | Multi-stage Dockerfile -> distroless (~15MB) |
+| Deployment | Kustomize manifests + FluxCD GitOps |
+
+## Project Structure
+
+```
+/
+├── cmd/server/main.go          # entrypoint
+├── internal/
+│   ├── config/config.go        # env-based configuration
+│   ├── gitea/client.go         # Gitea SDK wrapper / aggregation layer
+│   ├── handlers/               # HTTP handlers (issues, PRs, triage, settings)
+│   ├── auth/                   # cookie-based token auth
+│   ├── middleware/              # auth middleware, logging
+│   └── templates/              # Go html/template files (for HTMX)
+├── static/                     # CSS, JS (htmx.min.js), icons, manifest
+├── .gitea/workflows/build.yaml # CI pipeline (Gitea Actions)
+├── Dockerfile
+├── flake.nix                   # Nix dev shell with Go + air
+└── go.mod
+```
+
+## Local Development
+
+### Prerequisites
+
+- [Nix](https://nixos.org/download/) with flakes enabled, **or** Go 1.22+
+- A Gitea instance with an API token
+
+### Quick Start
+
+```bash
+# Enter the Nix dev shell (provides Go, gopls, air)
+nix develop
+
+# Set required environment variables
+export GITEA_URL=https://gitea.leeworks.dev
+export SESSION_SECRET=$(openssl rand -hex 32)
+
+# Optional: set a default API token
+export GITEA_TOKEN=your-gitea-api-token
+
+# Start the server with live reload
+air
+```
+
+If you are not using Nix, install Go 1.22+ and [air](https://github.com/air-verse/air) manually, then run the same commands above starting from the export lines.
+
+### Environment Variables
+
+| Variable | Required | Default | Description |
+|----------|----------|---------|-------------|
+| `GITEA_URL` | Yes | -- | Base URL of the Gitea instance |
+| `SESSION_SECRET` | Yes | -- | HMAC key for signing session cookies (min 32 chars) |
+| `GITEA_TOKEN` | No | -- | Default API token (users can set their own via the settings page) |
+| `LISTEN_ADDR` | No | `:8080` | Server listen address |
+
+### Live Reload with Air
+
+The dev shell includes [air](https://github.com/air-verse/air) for automatic recompilation on file changes. Configuration is in `.air.toml`. Air watches `.go` and `.html` files under `cmd/`, `internal/`, and `static/` and rebuilds/restarts the server automatically.
+
+## Running Tests
+
+```bash
+# Run all tests
+go test ./...
+
+# Run tests with race detection
+go test -race ./...
+```
+
+## Building the Container
+
+```bash
+# Build the Docker image
+docker build -t gitea-mobile .
+
+# Run locally
+docker run -p 8080:8080 \
+  -e GITEA_URL=https://gitea.leeworks.dev \
+  -e SESSION_SECRET=$(openssl rand -hex 32) \
+  gitea-mobile
+```
+
+The Dockerfile uses a multi-stage build: Go binary compiled in an Alpine builder stage, then copied into a distroless image (~15MB final size).
+
+## Deployment
+
+Kubernetes manifests for this app live in the Talos cluster repo under `testing1/first-cluster/apps/gitea-mobile/`. FluxCD syncs from that repo and handles automated image updates via `ImagePolicy` annotations.
+
+Key deployment resources:
+- `deployment.yaml` -- Pod spec with health checks
+- `service.yaml` -- ClusterIP service on port 8080
+- `ingressroute.yaml` -- Traefik IngressRoute for `gitea-mobile.testing.leeworks.dev`
+- `kustomization.yaml` -- Kustomize overlay
+
+## Contributing
+
+1. Fork the repository
+2. Create a feature branch: `git checkout -b feature/your-feature`
+3. Make your changes and add tests
+4. Run `go test -race ./...` to verify
+5. Commit with a clear message referencing the issue number
+6. Push to your fork and open a pull request
+
+All PRs target the fork (`leeworks-agents/gitea-mobile`), not the upstream repo.

cmd/server/main.go

@@ -1,14 +1,13 @@
 package main
 
 import (
-	"fmt"
 	"log"
 	"log/slog"
 	"net/http"
 	"os"
-	"strings"
 
 	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/config"
+	giteaclient "gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/gitea"
 	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/handlers"
 	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/middleware"
 )
@@ -24,37 +23,17 @@ func main() {
 		log.Fatalf("configuration error: %v", err)
 	}
 
-	// Determine if cookies should be marked Secure (disable for local dev).
-	secureCookies := !strings.HasPrefix(cfg.ListenAddr, "localhost") &&
-		!strings.HasPrefix(cfg.ListenAddr, "127.0.0.1")
+	// Create Gitea API client.
+	client := giteaclient.NewClient(cfg.GiteaURL)
 
+	// Create handler with all routes.
 	mux := http.NewServeMux()
-
-	// Health endpoint (no auth required).
-	mux.HandleFunc("GET /health", func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusOK)
-		fmt.Fprintln(w, "ok")
-	})
-
-	// Settings handler.
-	settingsHandler := &handlers.SettingsHandler{
-		SessionSecret: cfg.SessionSecret,
-		SecureCookies: secureCookies,
-	}
-	mux.HandleFunc("/settings", settingsHandler.ServeHTTP)
-
-	// Static file server.
-	mux.Handle("/static/", http.StripPrefix("/static/", http.FileServer(http.Dir("static"))))
-
-	// Placeholder dashboard (will be replaced in issue #4/#5).
-	mux.HandleFunc("GET /", func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Content-Type", "text/html; charset=utf-8")
-		fmt.Fprintln(w, "<h1>Gitea Mobile</h1><p>Dashboard coming soon.</p>")
-	})
+	h := handlers.NewHandler(cfg, client)
+	h.RegisterRoutes(mux)
 
 	// Apply middleware chain: logging -> auth.
 	var handler http.Handler = mux
-	handler = middleware.Auth(cfg.SessionSecret)(handler)
+	handler = middleware.Auth(cfg.SessionSecret, cfg.GiteaToken)(handler)
 	handler = middleware.Logging()(handler)
 
 	slog.Info("server starting", "addr", cfg.ListenAddr, "gitea_url", cfg.GiteaURL)

internal/gitea/client.go

@@ -8,8 +8,11 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"log/slog"
+	"math"
 	"net/http"
 	"sort"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -27,6 +30,11 @@ type Client struct {
 	maxConcurrent int
 	// cacheTTL controls how long cache entries remain valid.
 	cacheTTL time.Duration
+
+	// maxRetries is the maximum number of retries for rate-limited requests.
+	maxRetries int
+	// baseRetryDelay is the initial backoff delay before the first retry.
+	baseRetryDelay time.Duration
 }
 
 type cacheEntry struct {
@@ -105,8 +113,9 @@ type PullRequest struct {
 	Deletions int    `json:"deletions"`
 	CreatedAt time.Time `json:"created_at"`
 	UpdatedAt time.Time `json:"updated_at"`
-	RepoOwner string    `json:"-"` // populated after fetch
-	RepoName  string    `json:"-"` // populated after fetch
+	RepoOwner   string `json:"-"` // populated after fetch
+	RepoName    string `json:"-"` // populated after fetch
+	ReviewState string `json:"-"` // aggregated review state: "approved", "changes_requested", "pending", or ""
 }
 
 // TriageItem represents an item in the triage queue.
@@ -128,39 +137,102 @@ func NewClient(baseURL string) *Client {
 		httpClient: &http.Client{
 			Timeout: 30 * time.Second,
 		},
-		cache:         make(map[string]*cacheEntry),
-		maxConcurrent: 5,
-		cacheTTL:      30 * time.Second,
+		cache:          make(map[string]*cacheEntry),
+		maxConcurrent:  5,
+		cacheTTL:       30 * time.Second,
+		maxRetries:     3,
+		baseRetryDelay: 1 * time.Second,
 	}
 }
 
 // doRequest performs an authenticated HTTP request to the Gitea API.
+// It automatically retries on HTTP 429 (rate limit) responses with
+// exponential backoff, respecting the Retry-After header when present.
 func (c *Client) doRequest(ctx context.Context, token, method, path string, body io.Reader) (*http.Response, error) {
 	url := c.baseURL + "/api/v1" + path
 
-	req, err := http.NewRequestWithContext(ctx, method, url, body)
-	if err != nil {
-		return nil, fmt.Errorf("creating request: %w", err)
-	}
-
-	req.Header.Set("Authorization", "token "+token)
-	req.Header.Set("Accept", "application/json")
+	// Read the body once so we can replay it on retries.
+	var bodyBytes []byte
 	if body != nil {
-		req.Header.Set("Content-Type", "application/json")
+		var err error
+		bodyBytes, err = io.ReadAll(body)
+		if err != nil {
+			return nil, fmt.Errorf("reading request body: %w", err)
+		}
 	}
 
-	resp, err := c.httpClient.Do(req)
-	if err != nil {
-		return nil, fmt.Errorf("executing request: %w", err)
+	var lastErr error
+	for attempt := 0; attempt <= c.maxRetries; attempt++ {
+		// Recreate the body reader for each attempt.
+		var reqBody io.Reader
+		if bodyBytes != nil {
+			reqBody = strings.NewReader(string(bodyBytes))
+		}
+
+		req, err := http.NewRequestWithContext(ctx, method, url, reqBody)
+		if err != nil {
+			return nil, fmt.Errorf("creating request: %w", err)
+		}
+
+		req.Header.Set("Authorization", "token "+token)
+		req.Header.Set("Accept", "application/json")
+		if bodyBytes != nil {
+			req.Header.Set("Content-Type", "application/json")
+		}
+
+		resp, err := c.httpClient.Do(req)
+		if err != nil {
+			return nil, fmt.Errorf("executing request: %w", err)
+		}
+
+		// Not rate-limited: handle normally.
+		if resp.StatusCode != http.StatusTooManyRequests {
+			if resp.StatusCode >= 400 {
+				defer resp.Body.Close()
+				respBody, _ := io.ReadAll(resp.Body)
+				return nil, fmt.Errorf("API error %d: %s", resp.StatusCode, string(respBody))
+			}
+			return resp, nil
+		}
+
+		// Rate-limited (429): close body and compute retry delay.
+		resp.Body.Close()
+
+		if attempt == c.maxRetries {
+			lastErr = fmt.Errorf("API rate limit exceeded after %d retries (429)", c.maxRetries)
+			break
+		}
+
+		delay := c.retryDelay(resp, attempt)
+		slog.Warn("rate limited by Gitea API, retrying",
+			"attempt", attempt+1,
+			"max_retries", c.maxRetries,
+			"delay", delay,
+			"path", path,
+		)
+
+		select {
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		case <-time.After(delay):
+			// Continue to next attempt.
+		}
 	}
 
-	if resp.StatusCode >= 400 {
-		defer resp.Body.Close()
-		respBody, _ := io.ReadAll(resp.Body)
-		return nil, fmt.Errorf("API error %d: %s", resp.StatusCode, string(respBody))
-	}
+	return nil, lastErr
+}
 
-	return resp, nil
+// retryDelay computes the delay before the next retry attempt. It uses the
+// Retry-After header value (in seconds) if present, otherwise falls back to
+// exponential backoff: baseRetryDelay * 2^attempt.
+func (c *Client) retryDelay(resp *http.Response, attempt int) time.Duration {
+	if ra := resp.Header.Get("Retry-After"); ra != "" {
+		if seconds, err := strconv.Atoi(ra); err == nil && seconds > 0 {
+			return time.Duration(seconds) * time.Second
+		}
+	}
+	// Exponential backoff: 1s, 2s, 4s, ...
+	return c.baseRetryDelay * time.Duration(math.Pow(2, float64(attempt)))
 }
 
 // getFromCache returns cached data if still valid.
@@ -308,173 +380,274 @@ func (c *Client) ListOrgsAndRepos(ctx context.Context, token string) (map[string
 	return result, nil
 }
 
-// ListAllIssues fetches all open issues across all repos in the given orgs,
-// using concurrent requests with a semaphore.
-func (c *Client) ListAllIssues(ctx context.Context, token string, orgs []string) ([]Issue, error) {
-	cacheKey := fmt.Sprintf("issues-%s", strings.Join(orgs, ","))
-	if cached, ok := c.getFromCache(cacheKey); ok {
-		return cached.([]Issue), nil
-	}
+// PageSize is the number of items returned per page for paginated listings.
+const PageSize = 20
 
-	// First, collect all repos for the given orgs.
-	var allRepos []Repo
-	for _, org := range orgs {
-		repos, err := c.ListOrgRepos(ctx, token, org)
-		if err != nil {
-			return nil, fmt.Errorf("listing repos for %s: %w", org, err)
-		}
-		allRepos = append(allRepos, repos...)
-	}
-
-	// Fan out issue fetching across repos.
-	var allIssues []Issue
-	var mu sync.Mutex
-	sem := make(chan struct{}, c.maxConcurrent)
-	var wg sync.WaitGroup
-	var firstErr error
-
-	for _, repo := range allRepos {
-		wg.Add(1)
-		go func(r Repo) {
-			defer wg.Done()
-			sem <- struct{}{}
-			defer func() { <-sem }()
-
-			path := fmt.Sprintf("/repos/%s/issues?state=open&type=issues&limit=50", r.FullName)
-			resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
-			if err != nil {
-				mu.Lock()
-				if firstErr == nil {
-					firstErr = fmt.Errorf("fetching issues for %s: %w", r.FullName, err)
-				}
-				mu.Unlock()
-				return
-			}
-			defer resp.Body.Close()
-
-			var issues []Issue
-			if err := json.NewDecoder(resp.Body).Decode(&issues); err != nil {
-				mu.Lock()
-				if firstErr == nil {
-					firstErr = fmt.Errorf("decoding issues for %s: %w", r.FullName, err)
-				}
-				mu.Unlock()
-				return
-			}
-
-			// Tag each issue with repo info.
-			for i := range issues {
-				issues[i].RepoOwner = r.Owner.Login
-				issues[i].RepoName = r.Name
-			}
-
-			mu.Lock()
-			allIssues = append(allIssues, issues...)
-			mu.Unlock()
-		}(repo)
-	}
-
-	wg.Wait()
-
-	if firstErr != nil {
-		return nil, firstErr
-	}
-
-	// Sort by updated time, newest first.
-	sort.Slice(allIssues, func(i, j int) bool {
-		return allIssues[i].UpdatedAt.After(allIssues[j].UpdatedAt)
-	})
-
-	c.setCache(cacheKey, allIssues)
-	return allIssues, nil
+// PaginatedIssues holds a page of issues along with pagination metadata.
+type PaginatedIssues struct {
+	Issues  []Issue
+	HasMore bool
 }
 
-// ListAllPullRequests fetches all open PRs across all repos in the given orgs.
-func (c *Client) ListAllPullRequests(ctx context.Context, token string, orgs []string) ([]PullRequest, error) {
-	cacheKey := fmt.Sprintf("pulls-%s", strings.Join(orgs, ","))
+// PaginatedPulls holds a page of pull requests along with pagination metadata.
+type PaginatedPulls struct {
+	Pulls   []PullRequest
+	HasMore bool
+}
+
+// ListAllIssues fetches issues across all repos in the given orgs,
+// using concurrent requests with a semaphore. Results are paginated.
+// The label parameter filters issues by label name (empty string means no filter).
+// The repoFilter parameter narrows results to a single repo name (empty means all repos).
+func (c *Client) ListAllIssues(ctx context.Context, token string, orgs []string, state string, page int, label string, repoFilter string) (PaginatedIssues, error) {
+	if state == "" {
+		state = "open"
+	}
+	if page < 1 {
+		page = 1
+	}
+
+	cacheKey := fmt.Sprintf("issues-%s-%s-%s-%s", state, strings.Join(orgs, ","), label, repoFilter)
+	var allIssues []Issue
 	if cached, ok := c.getFromCache(cacheKey); ok {
-		return cached.([]PullRequest), nil
-	}
-
-	var allRepos []Repo
-	for _, org := range orgs {
-		repos, err := c.ListOrgRepos(ctx, token, org)
-		if err != nil {
-			return nil, fmt.Errorf("listing repos for %s: %w", org, err)
-		}
-		allRepos = append(allRepos, repos...)
-	}
-
-	var allPRs []PullRequest
-	var mu sync.Mutex
-	sem := make(chan struct{}, c.maxConcurrent)
-	var wg sync.WaitGroup
-	var firstErr error
-
-	for _, repo := range allRepos {
-		wg.Add(1)
-		go func(r Repo) {
-			defer wg.Done()
-			sem <- struct{}{}
-			defer func() { <-sem }()
-
-			path := fmt.Sprintf("/repos/%s/pulls?state=open&limit=50", r.FullName)
-			resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+		allIssues = cached.([]Issue)
+	} else {
+		// First, collect all repos for the given orgs.
+		var allRepos []Repo
+		for _, org := range orgs {
+			repos, err := c.ListOrgRepos(ctx, token, org)
 			if err != nil {
-				mu.Lock()
-				if firstErr == nil {
-					firstErr = fmt.Errorf("fetching PRs for %s: %w", r.FullName, err)
+				return PaginatedIssues{}, fmt.Errorf("listing repos for %s: %w", org, err)
+			}
+			allRepos = append(allRepos, repos...)
+		}
+
+		// Filter to a single repo if specified.
+		if repoFilter != "" {
+			var filtered []Repo
+			for _, r := range allRepos {
+				if r.Name == repoFilter {
+					filtered = append(filtered, r)
 				}
-				mu.Unlock()
-				return
 			}
-			defer resp.Body.Close()
+			allRepos = filtered
+		}
 
-			var prs []PullRequest
-			if err := json.NewDecoder(resp.Body).Decode(&prs); err != nil {
-				mu.Lock()
-				if firstErr == nil {
-					firstErr = fmt.Errorf("decoding PRs for %s: %w", r.FullName, err)
+		// Fan out issue fetching across repos.
+		var mu sync.Mutex
+		sem := make(chan struct{}, c.maxConcurrent)
+		var wg sync.WaitGroup
+		var firstErr error
+
+		for _, repo := range allRepos {
+			wg.Add(1)
+			go func(r Repo) {
+				defer wg.Done()
+				sem <- struct{}{}
+				defer func() { <-sem }()
+
+				path := fmt.Sprintf("/repos/%s/issues?state=%s&type=issues&limit=50", r.FullName, state)
+				if label != "" {
+					path += "&labels=" + label
 				}
+				resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+				if err != nil {
+					mu.Lock()
+					if firstErr == nil {
+						firstErr = fmt.Errorf("fetching issues for %s: %w", r.FullName, err)
+					}
+					mu.Unlock()
+					return
+				}
+				defer resp.Body.Close()
+
+				var issues []Issue
+				if err := json.NewDecoder(resp.Body).Decode(&issues); err != nil {
+					mu.Lock()
+					if firstErr == nil {
+						firstErr = fmt.Errorf("decoding issues for %s: %w", r.FullName, err)
+					}
+					mu.Unlock()
+					return
+				}
+
+				// Tag each issue with repo info.
+				for i := range issues {
+					issues[i].RepoOwner = r.Owner.Login
+					issues[i].RepoName = r.Name
+				}
+
+				mu.Lock()
+				allIssues = append(allIssues, issues...)
 				mu.Unlock()
-				return
-			}
+			}(repo)
+		}
 
-			for i := range prs {
-				prs[i].RepoOwner = r.Owner.Login
-				prs[i].RepoName = r.Name
-			}
+		wg.Wait()
 
-			mu.Lock()
-			allPRs = append(allPRs, prs...)
-			mu.Unlock()
-		}(repo)
+		if firstErr != nil {
+			return PaginatedIssues{}, firstErr
+		}
+
+		// Sort by updated time, newest first.
+		sort.Slice(allIssues, func(i, j int) bool {
+			return allIssues[i].UpdatedAt.After(allIssues[j].UpdatedAt)
+		})
+
+		c.setCache(cacheKey, allIssues)
 	}
 
-	wg.Wait()
-
-	if firstErr != nil {
-		return nil, firstErr
+	// Paginate.
+	start := (page - 1) * PageSize
+	if start >= len(allIssues) {
+		return PaginatedIssues{}, nil
+	}
+	end := start + PageSize
+	hasMore := end < len(allIssues)
+	if end > len(allIssues) {
+		end = len(allIssues)
 	}
 
-	sort.Slice(allPRs, func(i, j int) bool {
-		return allPRs[i].UpdatedAt.After(allPRs[j].UpdatedAt)
-	})
+	return PaginatedIssues{Issues: allIssues[start:end], HasMore: hasMore}, nil
+}
 
-	c.setCache(cacheKey, allPRs)
-	return allPRs, nil
+// ListAllPullRequests fetches PRs across all repos in the given orgs.
+// Results are paginated. The label parameter filters PRs by label name.
+// The repoFilter parameter narrows results to a single repo name.
+func (c *Client) ListAllPullRequests(ctx context.Context, token string, orgs []string, state string, page int, label string, repoFilter string) (PaginatedPulls, error) {
+	if state == "" {
+		state = "open"
+	}
+	if page < 1 {
+		page = 1
+	}
+
+	cacheKey := fmt.Sprintf("pulls-%s-%s-%s-%s", state, strings.Join(orgs, ","), label, repoFilter)
+	var allPRs []PullRequest
+	if cached, ok := c.getFromCache(cacheKey); ok {
+		allPRs = cached.([]PullRequest)
+	} else {
+		var allRepos []Repo
+		for _, org := range orgs {
+			repos, err := c.ListOrgRepos(ctx, token, org)
+			if err != nil {
+				return PaginatedPulls{}, fmt.Errorf("listing repos for %s: %w", org, err)
+			}
+			allRepos = append(allRepos, repos...)
+		}
+
+		// Filter to a single repo if specified.
+		if repoFilter != "" {
+			var filtered []Repo
+			for _, r := range allRepos {
+				if r.Name == repoFilter {
+					filtered = append(filtered, r)
+				}
+			}
+			allRepos = filtered
+		}
+
+		var mu sync.Mutex
+		sem := make(chan struct{}, c.maxConcurrent)
+		var wg sync.WaitGroup
+		var firstErr error
+
+		for _, repo := range allRepos {
+			wg.Add(1)
+			go func(r Repo) {
+				defer wg.Done()
+				sem <- struct{}{}
+				defer func() { <-sem }()
+
+				path := fmt.Sprintf("/repos/%s/pulls?state=%s&limit=50", r.FullName, state)
+				if label != "" {
+					path += "&labels=" + label
+				}
+				resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+				if err != nil {
+					mu.Lock()
+					if firstErr == nil {
+						firstErr = fmt.Errorf("fetching PRs for %s: %w", r.FullName, err)
+					}
+					mu.Unlock()
+					return
+				}
+				defer resp.Body.Close()
+
+				var prs []PullRequest
+				if err := json.NewDecoder(resp.Body).Decode(&prs); err != nil {
+					mu.Lock()
+					if firstErr == nil {
+						firstErr = fmt.Errorf("decoding PRs for %s: %w", r.FullName, err)
+					}
+					mu.Unlock()
+					return
+				}
+
+				for i := range prs {
+					prs[i].RepoOwner = r.Owner.Login
+					prs[i].RepoName = r.Name
+				}
+
+				mu.Lock()
+				allPRs = append(allPRs, prs...)
+				mu.Unlock()
+			}(repo)
+		}
+
+		wg.Wait()
+
+		if firstErr != nil {
+			return PaginatedPulls{}, firstErr
+		}
+
+		sort.Slice(allPRs, func(i, j int) bool {
+			return allPRs[i].UpdatedAt.After(allPRs[j].UpdatedAt)
+		})
+
+		c.setCache(cacheKey, allPRs)
+	}
+
+	// Paginate.
+	start := (page - 1) * PageSize
+	if start >= len(allPRs) {
+		return PaginatedPulls{}, nil
+	}
+	end := start + PageSize
+	hasMore := end < len(allPRs)
+	if end > len(allPRs) {
+		end = len(allPRs)
+	}
+
+	return PaginatedPulls{Pulls: allPRs[start:end], HasMore: hasMore}, nil
 }
 
 // GetTriageQueue returns unassigned issues and PRs needing review, sorted by priority.
 func (c *Client) GetTriageQueue(ctx context.Context, token string, orgs []string) ([]TriageItem, error) {
-	issues, err := c.ListAllIssues(ctx, token, orgs)
-	if err != nil {
-		return nil, fmt.Errorf("fetching issues for triage: %w", err)
+	// Collect all open issues across all pages.
+	var issues []Issue
+	for page := 1; ; page++ {
+		result, err := c.ListAllIssues(ctx, token, orgs, "open", page, "", "")
+		if err != nil {
+			return nil, fmt.Errorf("fetching issues for triage: %w", err)
+		}
+		issues = append(issues, result.Issues...)
+		if !result.HasMore {
+			break
+		}
 	}
 
-	prs, err := c.ListAllPullRequests(ctx, token, orgs)
-	if err != nil {
-		return nil, fmt.Errorf("fetching PRs for triage: %w", err)
+	// Collect all open PRs across all pages.
+	var prs []PullRequest
+	for page := 1; ; page++ {
+		result, err := c.ListAllPullRequests(ctx, token, orgs, "open", page, "", "")
+		if err != nil {
+			return nil, fmt.Errorf("fetching PRs for triage: %w", err)
+		}
+		prs = append(prs, result.Pulls...)
+		if !result.HasMore {
+			break
+		}
 	}
 
 	var queue []TriageItem
@@ -530,6 +703,103 @@ func (c *Client) GetTriageQueue(ctx context.Context, token string, orgs []string
 	return queue, nil
 }
 
+// Comment represents a comment on an issue or pull request.
+type Comment struct {
+	ID        int64  `json:"id"`
+	Body      string `json:"body"`
+	User      string `json:"-"` // populated from nested object
+	CreatedAt string `json:"-"` // formatted after fetch
+	RawUser   struct {
+		Login string `json:"login"`
+	} `json:"user"`
+	RawCreatedAt time.Time `json:"created_at"`
+}
+
+// Label represents a Gitea label (used for available labels list).
+type Label struct {
+	ID    int64  `json:"id"`
+	Name  string `json:"name"`
+	Color string `json:"color"`
+}
+
+// GetIssue fetches a single issue by owner, repo, and index.
+func (c *Client) GetIssue(ctx context.Context, token, owner, repo string, index int64) (*Issue, error) {
+	path := fmt.Sprintf("/repos/%s/%s/issues/%d", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+	if err != nil {
+		return nil, fmt.Errorf("fetching issue: %w", err)
+	}
+	defer resp.Body.Close()
+
+	var issue Issue
+	if err := json.NewDecoder(resp.Body).Decode(&issue); err != nil {
+		return nil, fmt.Errorf("decoding issue: %w", err)
+	}
+
+	issue.RepoOwner = owner
+	issue.RepoName = repo
+	return &issue, nil
+}
+
+// GetPull fetches a single pull request by owner, repo, and index.
+func (c *Client) GetPull(ctx context.Context, token, owner, repo string, index int64) (*PullRequest, error) {
+	path := fmt.Sprintf("/repos/%s/%s/pulls/%d", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+	if err != nil {
+		return nil, fmt.Errorf("fetching pull request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	var pr PullRequest
+	if err := json.NewDecoder(resp.Body).Decode(&pr); err != nil {
+		return nil, fmt.Errorf("decoding pull request: %w", err)
+	}
+
+	pr.RepoOwner = owner
+	pr.RepoName = repo
+	return &pr, nil
+}
+
+// GetIssueComments fetches comments for an issue or pull request.
+func (c *Client) GetIssueComments(ctx context.Context, token, owner, repo string, index int64) ([]Comment, error) {
+	path := fmt.Sprintf("/repos/%s/%s/issues/%d/comments?limit=50", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+	if err != nil {
+		return nil, fmt.Errorf("fetching comments: %w", err)
+	}
+	defer resp.Body.Close()
+
+	var comments []Comment
+	if err := json.NewDecoder(resp.Body).Decode(&comments); err != nil {
+		return nil, fmt.Errorf("decoding comments: %w", err)
+	}
+
+	// Populate convenience fields.
+	for i := range comments {
+		comments[i].User = comments[i].RawUser.Login
+		comments[i].CreatedAt = comments[i].RawCreatedAt.Format("Jan 2, 2006 15:04")
+	}
+
+	return comments, nil
+}
+
+// GetRepoLabels fetches all labels for a repository.
+func (c *Client) GetRepoLabels(ctx context.Context, token, owner, repo string) ([]Label, error) {
+	path := fmt.Sprintf("/repos/%s/%s/labels?limit=50", owner, repo)
+	resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+	if err != nil {
+		return nil, fmt.Errorf("fetching labels: %w", err)
+	}
+	defer resp.Body.Close()
+
+	var labels []Label
+	if err := json.NewDecoder(resp.Body).Decode(&labels); err != nil {
+		return nil, fmt.Errorf("decoding labels: %w", err)
+	}
+
+	return labels, nil
+}
+
 // CreateIssue creates a new issue in the specified repository.
 func (c *Client) CreateIssue(ctx context.Context, token, owner, repo, title, body string, labels []int64) (*Issue, error) {
 	payload := map[string]interface{}{
@@ -586,6 +856,49 @@ func (c *Client) ApplyLabel(ctx context.Context, token, owner, repo string, inde
 	return nil
 }
 
+// ListCollaborators fetches the list of collaborators (users with access) for a repo.
+func (c *Client) ListCollaborators(ctx context.Context, token, owner, repo string) ([]string, error) {
+	path := fmt.Sprintf("/repos/%s/%s/collaborators?limit=50", owner, repo)
+	resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+	if err != nil {
+		return nil, fmt.Errorf("fetching collaborators: %w", err)
+	}
+	defer resp.Body.Close()
+
+	var users []struct {
+		Login string `json:"login"`
+	}
+	if err := json.NewDecoder(resp.Body).Decode(&users); err != nil {
+		return nil, fmt.Errorf("decoding collaborators: %w", err)
+	}
+
+	var logins []string
+	for _, u := range users {
+		logins = append(logins, u.Login)
+	}
+	return logins, nil
+}
+
+// AssignIssue sets the assignees on an issue.
+func (c *Client) AssignIssue(ctx context.Context, token, owner, repo string, index int64, assignees []string) error {
+	payload, err := json.Marshal(map[string]interface{}{
+		"assignees": assignees,
+	})
+	if err != nil {
+		return fmt.Errorf("marshaling assignees: %w", err)
+	}
+
+	path := fmt.Sprintf("/repos/%s/%s/issues/%d", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodPatch, path, strings.NewReader(string(payload)))
+	if err != nil {
+		return fmt.Errorf("assigning issue: %w", err)
+	}
+	resp.Body.Close()
+
+	c.InvalidateAll()
+	return nil
+}
+
 // SubmitReview submits a review on a pull request.
 func (c *Client) SubmitReview(ctx context.Context, token, owner, repo string, index int64, reviewType, body string) error {
 	payload := map[string]interface{}{
@@ -609,6 +922,168 @@ func (c *Client) SubmitReview(ctx context.Context, token, owner, repo string, in
 	return nil
 }
 
+// CloseIssue closes an issue by setting its state to "closed".
+func (c *Client) CloseIssue(ctx context.Context, token, owner, repo string, index int64) error {
+	return c.SetIssueState(ctx, token, owner, repo, index, "closed")
+}
+
+// SetIssueState sets an issue's state (e.g. "open" or "closed").
+func (c *Client) SetIssueState(ctx context.Context, token, owner, repo string, index int64, state string) error {
+	payload, err := json.Marshal(map[string]string{"state": state})
+	if err != nil {
+		return fmt.Errorf("marshaling state change: %w", err)
+	}
+
+	path := fmt.Sprintf("/repos/%s/%s/issues/%d", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodPatch, path, strings.NewReader(string(payload)))
+	if err != nil {
+		return fmt.Errorf("setting issue state: %w", err)
+	}
+	resp.Body.Close()
+
+	c.InvalidateAll()
+	return nil
+}
+
+// AddComment creates a comment on an issue and returns the created Comment.
+func (c *Client) AddComment(ctx context.Context, token, owner, repo string, index int64, body string) (*Comment, error) {
+	return c.PostComment(ctx, token, owner, repo, index, body)
+}
+
+// PostComment creates a comment on an issue and returns the created Comment.
+func (c *Client) PostComment(ctx context.Context, token, owner, repo string, index int64, body string) (*Comment, error) {
+	payload, err := json.Marshal(map[string]string{"body": body})
+	if err != nil {
+		return nil, fmt.Errorf("marshaling comment: %w", err)
+	}
+
+	path := fmt.Sprintf("/repos/%s/%s/issues/%d/comments", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodPost, path, strings.NewReader(string(payload)))
+	if err != nil {
+		return nil, fmt.Errorf("posting comment: %w", err)
+	}
+	defer resp.Body.Close()
+
+	var comment Comment
+	if err := json.NewDecoder(resp.Body).Decode(&comment); err != nil {
+		return nil, fmt.Errorf("decoding comment: %w", err)
+	}
+
+	// Populate convenience fields.
+	comment.User = comment.RawUser.Login
+	comment.CreatedAt = comment.RawCreatedAt.Format("Jan 2, 2006 15:04")
+
+	c.InvalidateAll()
+	return &comment, nil
+}
+
+// RenderMarkdown renders raw markdown text to HTML using the Gitea API.
+// Falls back to the raw text if the API call fails.
+func (c *Client) RenderMarkdown(ctx context.Context, token, text string) (string, error) {
+	payload, err := json.Marshal(map[string]string{
+		"Text": text,
+		"Mode": "gfm",
+	})
+	if err != nil {
+		return text, fmt.Errorf("marshaling markdown request: %w", err)
+	}
+
+	url := c.baseURL + "/api/v1/markdown"
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, strings.NewReader(string(payload)))
+	if err != nil {
+		return text, fmt.Errorf("creating markdown request: %w", err)
+	}
+
+	req.Header.Set("Authorization", "token "+token)
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Accept", "text/html")
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return text, fmt.Errorf("executing markdown request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode >= 400 {
+		return text, fmt.Errorf("markdown API error %d", resp.StatusCode)
+	}
+
+	rendered, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return text, fmt.Errorf("reading markdown response: %w", err)
+	}
+
+	return string(rendered), nil
+}
+
+// Review represents a single review on a pull request.
+type Review struct {
+	ID   int64  `json:"id"`
+	Body string `json:"body"`
+	State string `json:"state"` // "APPROVED", "REQUEST_CHANGES", "COMMENT", "PENDING"
+	User  struct {
+		Login string `json:"login"`
+	} `json:"user"`
+}
+
+// GetPullReviewState fetches reviews for a PR and returns the aggregate state.
+// Priority: changes_requested > approved > pending > "" (no reviews).
+func (c *Client) GetPullReviewState(ctx context.Context, token, owner, repo string, index int64) string {
+	path := fmt.Sprintf("/repos/%s/%s/pulls/%d/reviews?limit=50", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+	if err != nil {
+		return ""
+	}
+	defer resp.Body.Close()
+
+	var reviews []Review
+	if err := json.NewDecoder(resp.Body).Decode(&reviews); err != nil {
+		return ""
+	}
+
+	if len(reviews) == 0 {
+		return ""
+	}
+
+	// Aggregate: last non-comment review per user wins, then pick the "worst" state.
+	userState := make(map[string]string)
+	for _, r := range reviews {
+		switch r.State {
+		case "APPROVED", "REQUEST_CHANGES":
+			userState[r.User.Login] = r.State
+		}
+	}
+
+	if len(userState) == 0 {
+		return "pending"
+	}
+
+	for _, s := range userState {
+		if s == "REQUEST_CHANGES" {
+			return "changes_requested"
+		}
+	}
+	return "approved"
+}
+
+// EnrichPullsWithReviewState fetches review state for each PR concurrently.
+func (c *Client) EnrichPullsWithReviewState(ctx context.Context, token string, pulls []PullRequest) {
+	sem := make(chan struct{}, c.maxConcurrent)
+	var wg sync.WaitGroup
+
+	for i := range pulls {
+		wg.Add(1)
+		go func(idx int) {
+			defer wg.Done()
+			sem <- struct{}{}
+			defer func() { <-sem }()
+
+			pulls[idx].ReviewState = c.GetPullReviewState(ctx, token, pulls[idx].RepoOwner, pulls[idx].RepoName, pulls[idx].Number)
+		}(i)
+	}
+	wg.Wait()
+}
+
 // priorityScore returns a numeric score for sorting (lower = higher priority).
 func priorityScore(labels []string) int {
 	for _, l := range labels {

internal/handlers/handlers_test.go

@@ -0,0 +1,278 @@
+package handlers
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/config"
+	giteaclient "gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/gitea"
+)
+
+func newTestHandler() *Handler {
+	cfg := &config.Config{
+		GiteaURL:      "https://gitea.example.com",
+		SessionSecret: "test-secret-that-is-at-least-32-chars-long",
+		ListenAddr:    ":8080",
+	}
+	client := giteaclient.NewClient(cfg.GiteaURL)
+	return NewHandler(cfg, client)
+}
+
+func TestHealth(t *testing.T) {
+	h := newTestHandler()
+	req := httptest.NewRequest(http.MethodGet, "/health", nil)
+	w := httptest.NewRecorder()
+
+	h.Health(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
+	}
+	if body := w.Body.String(); body != "ok\n" {
+		t.Errorf("body = %q, want %q", body, "ok\n")
+	}
+}
+
+func TestDashboard_NoToken(t *testing.T) {
+	h := newTestHandler()
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	w := httptest.NewRecorder()
+
+	h.Dashboard(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
+	}
+	// Without a token in context, should show "No organizations found."
+	if body := w.Body.String(); body == "" {
+		t.Error("expected non-empty response body")
+	}
+}
+
+func TestDashboard_HTMX(t *testing.T) {
+	h := newTestHandler()
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req.Header.Set("HX-Request", "true")
+	w := httptest.NewRecorder()
+
+	h.Dashboard(w, req)
+
+	// HTMX request should not include full HTML page wrapper.
+	body := w.Body.String()
+	if body == "" {
+		t.Error("expected non-empty response body")
+	}
+	// Should NOT contain DOCTYPE for HTMX fragment.
+	if contains(body, "<!DOCTYPE") {
+		t.Error("HTMX response should not contain DOCTYPE")
+	}
+}
+
+func TestIsHTMX(t *testing.T) {
+	tests := []struct {
+		header string
+		want   bool
+	}{
+		{"true", true},
+		{"false", false},
+		{"", false},
+	}
+
+	for _, tt := range tests {
+		req := httptest.NewRequest(http.MethodGet, "/", nil)
+		if tt.header != "" {
+			req.Header.Set("HX-Request", tt.header)
+		}
+		if got := isHTMX(req); got != tt.want {
+			t.Errorf("isHTMX(HX-Request=%q) = %v, want %v", tt.header, got, tt.want)
+		}
+	}
+}
+
+func TestCreateIssue_MissingFields(t *testing.T) {
+	h := newTestHandler()
+	req := httptest.NewRequest(http.MethodPost, "/issues", nil)
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	w := httptest.NewRecorder()
+
+	h.CreateIssue(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusBadRequest)
+	}
+}
+
+func TestApplyLabels_InvalidIndex(t *testing.T) {
+	h := newTestHandler()
+	mux := http.NewServeMux()
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/labels", h.ApplyLabels)
+
+	req := httptest.NewRequest(http.MethodPost, "/issues/org/repo/abc/labels", nil)
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	w := httptest.NewRecorder()
+
+	mux.ServeHTTP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusBadRequest)
+	}
+}
+
+func TestSubmitReview_MissingEventType(t *testing.T) {
+	h := newTestHandler()
+	mux := http.NewServeMux()
+	mux.HandleFunc("POST /pulls/{owner}/{repo}/{index}/review", h.SubmitReview)
+
+	req := httptest.NewRequest(http.MethodPost, "/pulls/org/repo/1/review", nil)
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	w := httptest.NewRecorder()
+
+	mux.ServeHTTP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusBadRequest)
+	}
+}
+
+func TestSetIssueState_InvalidState(t *testing.T) {
+	h := newTestHandler()
+	mux := http.NewServeMux()
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/state", h.SetIssueState)
+
+	req := httptest.NewRequest(http.MethodPost, "/issues/org/repo/1/state", nil)
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	w := httptest.NewRecorder()
+
+	mux.ServeHTTP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusBadRequest)
+	}
+}
+
+func TestSetIssueState_InvalidIndex(t *testing.T) {
+	h := newTestHandler()
+	mux := http.NewServeMux()
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/state", h.SetIssueState)
+
+	req := httptest.NewRequest(http.MethodPost, "/issues/org/repo/abc/state", nil)
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	w := httptest.NewRecorder()
+
+	mux.ServeHTTP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusBadRequest)
+	}
+}
+
+func TestAddComment_EmptyBody(t *testing.T) {
+	h := newTestHandler()
+	mux := http.NewServeMux()
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/comments", h.AddComment)
+
+	req := httptest.NewRequest(http.MethodPost, "/issues/org/repo/1/comments", nil)
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	w := httptest.NewRecorder()
+
+	mux.ServeHTTP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusBadRequest)
+	}
+}
+
+func TestErrorNotFound(t *testing.T) {
+	h := newTestHandler()
+	req := httptest.NewRequest(http.MethodGet, "/nonexistent", nil)
+	w := httptest.NewRecorder()
+
+	h.ErrorNotFound(w, req)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusNotFound)
+	}
+	body := w.Body.String()
+	if body == "" {
+		t.Error("expected non-empty response body")
+	}
+	if !contains(body, "404") {
+		t.Error("expected body to contain '404'")
+	}
+	if !contains(body, "Page Not Found") {
+		t.Error("expected body to contain 'Page Not Found'")
+	}
+}
+
+func TestErrorInternal(t *testing.T) {
+	h := newTestHandler()
+	req := httptest.NewRequest(http.MethodGet, "/error", nil)
+	w := httptest.NewRecorder()
+
+	h.ErrorInternal(w, req)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusInternalServerError)
+	}
+	body := w.Body.String()
+	if body == "" {
+		t.Error("expected non-empty response body")
+	}
+	if !contains(body, "500") {
+		t.Error("expected body to contain '500'")
+	}
+	if !contains(body, "Internal Server Error") {
+		t.Error("expected body to contain 'Internal Server Error'")
+	}
+}
+
+func TestDashboard_NonRootPath_Returns404(t *testing.T) {
+	h := newTestHandler()
+	req := httptest.NewRequest(http.MethodGet, "/unknown/path", nil)
+	w := httptest.NewRecorder()
+
+	h.Dashboard(w, req)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusNotFound)
+	}
+	body := w.Body.String()
+	if !contains(body, "404") {
+		t.Error("expected body to contain '404' for non-root path")
+	}
+}
+
+func TestErrorNotFound_HTMX(t *testing.T) {
+	h := newTestHandler()
+	req := httptest.NewRequest(http.MethodGet, "/nonexistent", nil)
+	req.Header.Set("HX-Request", "true")
+	w := httptest.NewRecorder()
+
+	h.ErrorNotFound(w, req)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusNotFound)
+	}
+	body := w.Body.String()
+	// HTMX response should not contain DOCTYPE.
+	if contains(body, "<!DOCTYPE") {
+		t.Error("HTMX response should not contain DOCTYPE")
+	}
+	if !contains(body, "Page Not Found") {
+		t.Error("expected body to contain 'Page Not Found'")
+	}
+}
+
+func contains(s, substr string) bool {
+	return len(s) >= len(substr) && searchString(s, substr)
+}
+
+func searchString(s, substr string) bool {
+	for i := 0; i <= len(s)-len(substr); i++ {
+		if s[i:i+len(substr)] == substr {
+			return true
+		}
+	}
+	return false
+}

internal/handlers/settings.go

@@ -2,6 +2,7 @@ package handlers
 
 import (
 	"html/template"
+	"log/slog"
 	"net/http"
 	"strings"
 
@@ -9,89 +10,7 @@ import (
 	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/middleware"
 )
 
-var settingsTemplate = template.Must(template.New("settings").Parse(`<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="UTF-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1.0, viewport-fit=cover">
-  <title>Settings — Gitea Mobile</title>
-  <style>
-    * { box-sizing: border-box; margin: 0; padding: 0; }
-    body {
-      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
-      background: #0d1117; color: #e6edf3;
-      padding: 1rem;
-      padding-top: max(1rem, env(safe-area-inset-top));
-    }
-    h1 { font-size: 1.5rem; margin-bottom: 1rem; }
-    .card {
-      background: #161b22; border: 1px solid #30363d; border-radius: 8px;
-      padding: 1rem; margin-bottom: 1rem;
-    }
-    label { display: block; font-size: 0.875rem; color: #8b949e; margin-bottom: 0.5rem; }
-    input[type="text"], input[type="password"] {
-      width: 100%; padding: 0.5rem; font-size: 1rem;
-      background: #0d1117; border: 1px solid #30363d; border-radius: 6px;
-      color: #e6edf3; margin-bottom: 1rem;
-    }
-    input:focus { outline: none; border-color: #58a6ff; }
-    button {
-      width: 100%; padding: 0.75rem; font-size: 1rem; font-weight: 600;
-      background: #238636; color: #fff; border: none; border-radius: 6px;
-      cursor: pointer;
-    }
-    button:active { background: #2ea043; }
-    .message {
-      padding: 0.75rem; border-radius: 6px; margin-bottom: 1rem;
-      font-size: 0.875rem;
-    }
-    .message.success { background: #0d2818; border: 1px solid #238636; color: #3fb950; }
-    .message.error { background: #2d1117; border: 1px solid #da3633; color: #f85149; }
-    .message.info { background: #0c1d2e; border: 1px solid #1f6feb; color: #58a6ff; }
-    .hint { font-size: 0.75rem; color: #8b949e; margin-top: 0.25rem; margin-bottom: 1rem; }
-    .status { font-size: 0.875rem; color: #8b949e; }
-    .status .connected { color: #3fb950; }
-    .logout-btn {
-      background: #21262d; border: 1px solid #30363d; margin-top: 0.5rem;
-    }
-    .logout-btn:active { background: #30363d; }
-  </style>
-</head>
-<body>
-  <h1>Settings</h1>
-
-  {{if .Message}}
-  <div class="message {{.MessageType}}">{{.Message}}</div>
-  {{end}}
-
-  {{if .HasToken}}
-  <div class="card">
-    <p class="status">Status: <span class="connected">Connected</span></p>
-    <p class="hint">A Gitea API token is configured.</p>
-    <form method="POST" action="/settings">
-      <input type="hidden" name="action" value="logout">
-      <button type="submit" class="logout-btn">Remove Token</button>
-    </form>
-  </div>
-  {{end}}
-
-  <div class="card">
-    <form method="POST" action="/settings">
-      <input type="hidden" name="action" value="save">
-      <label for="token">Gitea API Token</label>
-      <input type="password" id="token" name="token" placeholder="Enter your Gitea API token" required>
-      <p class="hint">Generate a token at your Gitea instance under Settings &rarr; Applications.</p>
-      <button type="submit">{{if .HasToken}}Update Token{{else}}Save Token{{end}}</button>
-    </form>
-  </div>
-
-  {{if .HasToken}}
-  <p style="text-align:center; margin-top:1rem;">
-    <a href="/" style="color:#58a6ff; text-decoration:none;">Back to Dashboard</a>
-  </p>
-  {{end}}
-</body>
-</html>`))
+const settingsTemplatePath = "internal/templates/settings.html"
 
 // SettingsHandler handles GET and POST requests for the settings page.
 type SettingsHandler struct {
@@ -126,8 +45,7 @@ func (h *SettingsHandler) handleGet(w http.ResponseWriter, r *http.Request) {
 	}
 
 	data := settingsData{HasToken: hasToken}
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
-	settingsTemplate.Execute(w, data)
+	h.renderSettings(w, data)
 }
 
 func (h *SettingsHandler) handlePost(w http.ResponseWriter, r *http.Request) {
@@ -172,6 +90,18 @@ func (h *SettingsHandler) renderWithMessage(w http.ResponseWriter, r *http.Reque
 		Message:     msg,
 		MessageType: msgType,
 	}
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
-	settingsTemplate.Execute(w, data)
+	h.renderSettings(w, data)
+}
+
+func (h *SettingsHandler) renderSettings(w http.ResponseWriter, data settingsData) {
+	tmpl, err := template.ParseFiles(settingsTemplatePath)
+	if err != nil {
+		slog.Error("failed to parse settings template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	if err := tmpl.Execute(w, data); err != nil {
+		slog.Error("failed to execute settings template", "error", err)
+	}
 }

internal/middleware/auth.go

@@ -23,9 +23,12 @@ func TokenFromContext(ctx context.Context) string {
 }
 
 // Auth returns middleware that checks for a valid token cookie.
+// If no cookie token is found and fallbackToken is non-empty, the fallback
+// token is used instead (useful for single-user or service-account deployments
+// where GITEA_TOKEN is set in the environment).
 // Unauthenticated requests are redirected to the settings page.
 // The /health, /settings, and /static/ paths are exempt from auth.
-func Auth(sessionSecret string) func(http.Handler) http.Handler {
+func Auth(sessionSecret, fallbackToken string) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			// Skip auth for exempt paths.
@@ -37,6 +40,13 @@ func Auth(sessionSecret string) func(http.Handler) http.Handler {
 
 			token, err := auth.GetToken(r, sessionSecret)
 			if err != nil || token == "" {
+				// Fall back to environment token if available.
+				if fallbackToken != "" {
+					slog.Debug("using fallback token from environment", "path", path)
+					ctx := context.WithValue(r.Context(), TokenContextKey, fallbackToken)
+					next.ServeHTTP(w, r.WithContext(ctx))
+					return
+				}
 				slog.Debug("unauthenticated request, redirecting to settings", "path", path, "error", err)
 				http.Redirect(w, r, "/settings", http.StatusSeeOther)
 				return

internal/middleware/auth_test.go

@@ -11,7 +11,7 @@ import (
 const testSecret = "test-secret-that-is-at-least-32-chars-long"
 
 func TestAuth_HealthBypass(t *testing.T) {
-	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 
@@ -25,7 +25,7 @@ func TestAuth_HealthBypass(t *testing.T) {
 }
 
 func TestAuth_SettingsBypass(t *testing.T) {
-	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 
@@ -39,7 +39,7 @@ func TestAuth_SettingsBypass(t *testing.T) {
 }
 
 func TestAuth_RedirectWithoutToken(t *testing.T) {
-	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 
@@ -57,7 +57,7 @@ func TestAuth_RedirectWithoutToken(t *testing.T) {
 
 func TestAuth_PassWithToken(t *testing.T) {
 	called := false
-	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		called = true
 		token := TokenFromContext(r.Context())
 		if token != "my-token" {
@@ -83,3 +83,72 @@ func TestAuth_PassWithToken(t *testing.T) {
 		t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
 	}
 }
+
+func TestAuth_FallbackToken_UsedWhenNoCookie(t *testing.T) {
+	called := false
+	handler := Auth(testSecret, "env-fallback-token")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		called = true
+		token := TokenFromContext(r.Context())
+		if token != "env-fallback-token" {
+			t.Errorf("token = %q, want %q", token, "env-fallback-token")
+		}
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if !called {
+		t.Error("next handler was not called with fallback token")
+	}
+	if w.Code != http.StatusOK {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
+	}
+}
+
+func TestAuth_FallbackToken_CookieTakesPrecedence(t *testing.T) {
+	called := false
+	handler := Auth(testSecret, "env-fallback-token")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		called = true
+		token := TokenFromContext(r.Context())
+		if token != "cookie-token" {
+			t.Errorf("token = %q, want %q (cookie should take precedence over fallback)", token, "cookie-token")
+		}
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	// Set a cookie token.
+	cookieW := httptest.NewRecorder()
+	auth.SetTokenCookie(cookieW, "cookie-token", testSecret, false)
+	cookie := cookieW.Result().Cookies()[0]
+
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req.AddCookie(cookie)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if !called {
+		t.Error("next handler was not called")
+	}
+	if w.Code != http.StatusOK {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
+	}
+}
+
+func TestAuth_NoFallbackToken_RedirectsWithoutCookie(t *testing.T) {
+	handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/issues", nil)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != http.StatusSeeOther {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusSeeOther)
+	}
+	if loc := w.Header().Get("Location"); loc != "/settings" {
+		t.Errorf("Location = %q, want %q", loc, "/settings")
+	}
+}

internal/templates/create_issue.html

@@ -0,0 +1,125 @@
+{{define "content"}}
+<h1>Create Issue</h1>
+
+<div id="form-error" class="empty" style="display:none;"></div>
+
+<form id="create-issue-form" hx-post="/issues" hx-swap="innerHTML" hx-target="#main-content">
+  <div class="form-group">
+    <label for="repo-select">Repository</label>
+    <input list="repo-options" id="repo-select" name="owner_repo"
+           placeholder="Type to search repositories..." required autocomplete="off">
+    <datalist id="repo-options">
+      {{range $org, $repos := .Repos}}
+        {{range $repos}}
+        <option value="{{.Owner.Login}}/{{.Name}}">{{.FullName}}</option>
+        {{end}}
+      {{end}}
+    </datalist>
+    <input type="hidden" name="owner" id="owner-input">
+    <input type="hidden" name="repo" id="repo-input">
+  </div>
+
+  <div class="form-group" id="label-section" style="display:none;">
+    <label>Labels</label>
+    <div id="label-list"></div>
+  </div>
+
+  <div class="form-group">
+    <label for="title">Title</label>
+    <input type="text" id="title" name="title" placeholder="Issue title" required>
+  </div>
+
+  <div class="form-group">
+    <label for="body">Description</label>
+    <textarea id="body" name="body" placeholder="Describe the issue..."></textarea>
+  </div>
+
+  <button type="submit" class="btn btn-primary">Create Issue</button>
+</form>
+
+<script>
+  (function() {
+    var repoSelect = document.getElementById('repo-select');
+    var ownerInput = document.getElementById('owner-input');
+    var repoInput = document.getElementById('repo-input');
+    var formError = document.getElementById('form-error');
+
+    // Build a set of valid repo values for validation.
+    var validRepos = {};
+    var options = document.getElementById('repo-options').options;
+    for (var i = 0; i < options.length; i++) {
+      validRepos[options[i].value] = true;
+    }
+
+    function splitOwnerRepo() {
+      var val = repoSelect.value;
+      if (val && val.indexOf('/') !== -1) {
+        var parts = val.split('/');
+        ownerInput.value = parts[0] || '';
+        repoInput.value = parts[1] || '';
+      } else {
+        ownerInput.value = '';
+        repoInput.value = '';
+      }
+    }
+
+    var debounceTimer = null;
+    repoSelect.addEventListener('input', function() {
+      clearTimeout(debounceTimer);
+      debounceTimer = setTimeout(function() {
+        splitOwnerRepo();
+        var labelSection = document.getElementById('label-section');
+        var labelList = document.getElementById('label-list');
+        if (ownerInput.value && repoInput.value && validRepos[repoSelect.value]) {
+          labelList.innerHTML = '<span class="empty">Loading labels...</span>';
+          labelSection.style.display = 'block';
+          htmx.ajax('GET', '/issues/new/labels?owner=' + encodeURIComponent(ownerInput.value) + '&repo=' + encodeURIComponent(repoInput.value), {target: '#label-list', swap: 'innerHTML'});
+        } else {
+          labelSection.style.display = 'none';
+          labelList.innerHTML = '';
+        }
+      }, 300);
+    });
+
+    // Also handle the change event for when a datalist option is selected directly.
+    repoSelect.addEventListener('change', function() {
+      clearTimeout(debounceTimer);
+      splitOwnerRepo();
+      var labelSection = document.getElementById('label-section');
+      var labelList = document.getElementById('label-list');
+      if (ownerInput.value && repoInput.value && validRepos[repoSelect.value]) {
+        labelList.innerHTML = '<span class="empty">Loading labels...</span>';
+        labelSection.style.display = 'block';
+        htmx.ajax('GET', '/issues/new/labels?owner=' + encodeURIComponent(ownerInput.value) + '&repo=' + encodeURIComponent(repoInput.value), {target: '#label-list', swap: 'innerHTML'});
+      } else {
+        labelSection.style.display = 'none';
+        labelList.innerHTML = '';
+      }
+    });
+
+    // Validate before HTMX submit.
+    document.getElementById('create-issue-form').addEventListener('htmx:configRequest', function(evt) {
+      splitOwnerRepo();
+      if (!ownerInput.value || !repoInput.value) {
+        evt.preventDefault();
+        formError.textContent = 'Please select a repository before submitting.';
+        formError.style.display = 'block';
+        return false;
+      }
+      if (!validRepos[repoSelect.value]) {
+        evt.preventDefault();
+        formError.textContent = 'Please select a valid repository from the list.';
+        formError.style.display = 'block';
+        return false;
+      }
+      formError.style.display = 'none';
+    });
+
+    // Show server-side errors inline on HTMX error responses.
+    document.getElementById('create-issue-form').addEventListener('htmx:responseError', function(evt) {
+      formError.textContent = evt.detail.xhr.responseText || 'An error occurred. Please try again.';
+      formError.style.display = 'block';
+    });
+  })();
+</script>
+{{end}}

internal/templates/dashboard.html

@@ -0,0 +1,37 @@
+{{define "content"}}
+<h1>Dashboard</h1>
+
+{{if gt (len .Orgs) 1}}
+<div class="filter-bar">
+  <select name="org" hx-get="/" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true">
+    <option value="">All orgs</option>
+    {{range .Orgs}}
+    <option value="{{.}}" {{if eq . $.SelectedOrg}}selected{{end}}>{{.}}</option>
+    {{end}}
+  </select>
+</div>
+{{end}}
+
+{{if .Error}}
+<p class="empty">{{.Error}}</p>
+{{else if not .Items}}
+<p class="empty">No items need attention. Nice work!</p>
+{{else}}
+<div class="card-grid">
+  {{range .Items}}
+  <div class="card" hx-get="/{{if eq .Type "pull"}}pulls{{else}}issues{{end}}/{{.RepoOwner}}/{{.RepoName}}/{{.Number}}" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true">
+    <div class="card-title">
+      {{if eq .Type "pull"}}<span class="type-badge type-pull">PR</span>{{else}}<span class="type-badge type-issue">issue</span>{{end}}
+      {{.Title}}
+    </div>
+    <div class="card-meta">
+      <span>{{.RepoOwner}}/{{.RepoName}} #{{.Number}}</span>
+      {{range .Labels}}
+      <span class="label">{{.}}</span>
+      {{end}}
+    </div>
+  </div>
+  {{end}}
+</div>
+{{end}}
+{{end}}

internal/templates/error.html

@@ -0,0 +1,23 @@
+{{define "content"}}
+<div class="error-page">
+  <div class="error-icon">
+    {{if eq .Code 404}}
+    <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" width="64" height="64">
+      <circle cx="11" cy="11" r="8"/>
+      <line x1="21" y1="21" x2="16.65" y2="16.65"/>
+      <line x1="8" y1="11" x2="14" y2="11"/>
+    </svg>
+    {{else}}
+    <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" width="64" height="64">
+      <path d="M10.29 3.86L1.82 18a2 2 0 001.71 3h16.94a2 2 0 001.71-3L13.71 3.86a2 2 0 00-3.42 0z"/>
+      <line x1="12" y1="9" x2="12" y2="13"/>
+      <line x1="12" y1="17" x2="12.01" y2="17"/>
+    </svg>
+    {{end}}
+  </div>
+  <h1 class="error-code">{{.Code}}</h1>
+  <p class="error-title">{{.Title}}</p>
+  <p class="error-message">{{.Message}}</p>
+  <a href="/" class="error-home-link">Go to Dashboard</a>
+</div>
+{{end}}

internal/templates/issue_detail.html

@@ -0,0 +1,77 @@
+{{define "content"}}
+<h1>{{.Issue.Title}}</h1>
+
+<div class="card">
+  <div class="card-meta">
+    <span id="state-section">
+      {{if eq .Issue.State "closed"}}
+      <span class="state-closed" id="issue-state">{{.Issue.State}}</span>
+      <button class="btn btn-secondary" hx-post="/issues/{{.Issue.RepoOwner}}/{{.Issue.RepoName}}/{{.Issue.Number}}/state" hx-vals='{"state":"open"}' hx-target="#state-section" hx-swap="innerHTML">Reopen Issue</button>
+      {{else}}
+      <span class="state-open" id="issue-state">{{.Issue.State}}</span>
+      <button class="btn btn-danger" hx-post="/issues/{{.Issue.RepoOwner}}/{{.Issue.RepoName}}/{{.Issue.Number}}/state" hx-vals='{"state":"closed"}' hx-target="#state-section" hx-swap="innerHTML">Close Issue</button>
+      {{end}}
+    </span>
+    <span>{{.Issue.RepoOwner}}/{{.Issue.RepoName}} #{{.Issue.Number}}</span>
+    {{range .Issue.Labels}}
+    <span class="label" style="color:#{{.Color}};border:1px solid #{{.Color}}">{{.Name}}</span>
+    {{end}}
+  </div>
+  {{if .RenderedBody}}
+  <div class="card-body markdown-body">{{.RenderedBody}}</div>
+  {{else if .Issue.Body}}
+  <div class="card-body">{{.Issue.Body}}</div>
+  {{end}}
+</div>
+
+{{if .Comments}}
+<h2>Comments</h2>
+<div id="comments-list">
+{{range .Comments}}
+<div class="comment">
+  <div class="comment-header">
+    <strong>{{.User}}</strong>
+    <span>{{.CreatedAt}}</span>
+  </div>
+  <div class="comment-body">{{.Body}}</div>
+</div>
+{{end}}
+</div>
+{{else}}
+<div id="comments-list"></div>
+{{end}}
+
+<div class="card" style="margin-top:1rem;">
+  <h2>Add Comment</h2>
+  <form hx-post="/issues/{{.Issue.RepoOwner}}/{{.Issue.RepoName}}/{{.Issue.Number}}/comments" hx-target="#comments-list" hx-swap="beforeend" hx-on::after-request="if(event.detail.successful) this.reset()">
+    <textarea name="body" rows="4" placeholder="Write a comment..." required style="width:100%;margin-bottom:0.5rem;"></textarea>
+    <button type="submit" class="btn btn-primary" style="width:auto;padding:0.5rem 1rem;">Comment</button>
+  </form>
+</div>
+
+<div class="card" style="margin-top:1rem;">
+  <h2>Actions</h2>
+  {{if .Collaborators}}
+  <form hx-post="/issues/{{.Issue.RepoOwner}}/{{.Issue.RepoName}}/{{.Issue.Number}}/assignees" hx-swap="outerHTML" style="margin-bottom:0.5rem;">
+    <div class="filter-bar" style="margin-bottom:0.5rem;">
+      <select name="assignee">
+        {{range .Collaborators}}
+        <option value="{{.}}">{{.}}</option>
+        {{end}}
+      </select>
+      <button type="submit" class="btn btn-secondary" style="width:auto;padding:0.5rem 1rem;">Assign</button>
+    </div>
+  </form>
+  {{end}}
+  <form hx-post="/issues/{{.Issue.RepoOwner}}/{{.Issue.RepoName}}/{{.Issue.Number}}/labels" hx-swap="outerHTML" style="margin-bottom:0.5rem;">
+    <div class="filter-bar" style="margin-bottom:0.5rem;">
+      <select name="label_id">
+        {{range .AvailableLabels}}
+        <option value="{{.ID}}">{{.Name}}</option>
+        {{end}}
+      </select>
+      <button type="submit" class="btn btn-secondary" style="width:auto;padding:0.5rem 1rem;">Apply Label</button>
+    </div>
+  </form>
+</div>
+{{end}}

internal/templates/issues.html

@@ -0,0 +1,57 @@
+{{define "cards"}}
+  {{range .Issues}}
+  <div class="card" hx-get="/issues/{{.RepoOwner}}/{{.RepoName}}/{{.Number}}" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true">
+    <div class="card-title">{{.Title}}</div>
+    <div class="card-meta">
+      <span>{{.RepoOwner}}/{{.RepoName}} #{{.Number}}</span>
+      {{range .Labels}}
+      <span class="label" style="color:#{{.Color}};border:1px solid #{{.Color}}">{{.Name}}</span>
+      {{end}}
+      {{if .Assignee}}
+      <img src="{{.Assignee.AvatarURL}}" alt="{{.Assignee.Login}}" class="avatar" title="Assigned to {{.Assignee.Login}}">
+      {{end}}
+    </div>
+  </div>
+  {{end}}
+  {{if .HasMore}}
+  <div class="scroll-sentinel" hx-get="/issues?page={{.NextPage}}&org={{.SelectedOrg}}&state={{.SelectedState}}&label={{.SelectedLabel}}&repo={{.SelectedRepo}}" hx-trigger="revealed" hx-swap="outerHTML" hx-target="this">
+    <div class="spinner htmx-indicator"></div>
+  </div>
+  {{end}}
+{{end}}
+
+{{define "content"}}
+<h1>Issues</h1>
+
+<div class="filter-bar">
+  <select name="org" hx-get="/issues" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='state'],[name='label']">
+    <option value="">All orgs</option>
+    {{range .Orgs}}
+    <option value="{{.}}" {{if eq . $.SelectedOrg}}selected{{end}}>{{.}}</option>
+    {{end}}
+  </select>
+  {{if .Repos}}
+  <select name="repo" hx-get="/issues" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org'],[name='state'],[name='label']">
+    <option value="">All repos</option>
+    {{range .Repos}}<option value="{{.}}" {{if eq . $.SelectedRepo}}selected{{end}}>{{.}}</option>{{end}}
+  </select>
+  {{end}}
+  <select name="state" hx-get="/issues" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org'],[name='repo'],[name='label']">
+    <option value="open" {{if eq .SelectedState "open"}}selected{{end}}>Open</option>
+    <option value="closed" {{if eq .SelectedState "closed"}}selected{{end}}>Closed</option>
+  </select>
+  <input type="text" name="label" placeholder="Filter by label..." value="{{.SelectedLabel}}"
+         hx-get="/issues" hx-trigger="input changed delay:400ms" hx-target="#main-content"
+         hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org'],[name='state'],[name='repo']">
+</div>
+
+{{if .Error}}
+<p class="empty">{{.Error}}</p>
+{{else if not .Issues}}
+<p class="empty">No issues found.</p>
+{{else}}
+<div id="issue-list">
+  {{template "cards" .}}
+</div>
+{{end}}
+{{end}}

internal/templates/layout.html

@@ -0,0 +1,49 @@
+{{define "layout"}}<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0, viewport-fit=cover">
+  <meta name="apple-mobile-web-app-capable" content="yes">
+  <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
+  <meta name="theme-color" content="#161b22">
+  <link rel="manifest" href="/static/manifest.json">
+  <link rel="apple-touch-icon" href="/static/icon-192.png">
+  <title>{{.Title}} — Gitea Mobile</title>
+  <link rel="stylesheet" href="/static/style.css">
+  <script src="/static/htmx.min.js"></script>
+</head>
+<body>
+  <header class="top-bar">
+    <span class="top-bar-title">Gitea Mobile</span>
+    <button class="refresh-btn" hx-get="" hx-target="#main-content" hx-swap="innerHTML" aria-label="Refresh">&#8635;</button>
+  </header>
+  <div class="content" id="main-content">
+    {{template "content" .}}
+  </div>
+  <nav class="bottom-nav">
+    <a href="/" {{if eq .ActiveTab "dashboard"}}class="active"{{end}}>
+      <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M3 9l9-7 9 7v11a2 2 0 01-2 2H5a2 2 0 01-2-2V9z"/></svg>
+      Dashboard
+    </a>
+    <a href="/issues" {{if eq .ActiveTab "issues"}}class="active"{{end}}>
+      <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><circle cx="12" cy="12" r="10"/><line x1="12" y1="8" x2="12" y2="12"/><line x1="12" y1="16" x2="12.01" y2="16"/></svg>
+      Issues
+    </a>
+    <a href="/pulls" {{if eq .ActiveTab "pulls"}}class="active"{{end}}>
+      <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><circle cx="18" cy="18" r="3"/><circle cx="6" cy="6" r="3"/><path d="M6 21V9a9 9 0 009 9"/></svg>
+      PRs
+    </a>
+    <a href="/settings" {{if eq .ActiveTab "settings"}}class="active"{{end}}>
+      <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><circle cx="12" cy="12" r="3"/><path d="M19.4 15a1.65 1.65 0 00.33 1.82l.06.06a2 2 0 010 2.83 2 2 0 01-2.83 0l-.06-.06a1.65 1.65 0 00-1.82-.33 1.65 1.65 0 00-1 1.51V21a2 2 0 01-4 0v-.09A1.65 1.65 0 009 19.4a1.65 1.65 0 00-1.82.33l-.06.06a2 2 0 01-2.83-2.83l.06-.06A1.65 1.65 0 004.68 15a1.65 1.65 0 00-1.51-1H3a2 2 0 010-4h.09A1.65 1.65 0 004.6 9a1.65 1.65 0 00-.33-1.82l-.06-.06a2 2 0 012.83-2.83l.06.06A1.65 1.65 0 009 4.68a1.65 1.65 0 001-1.51V3a2 2 0 014 0v.09a1.65 1.65 0 001 1.51 1.65 1.65 0 001.82-.33l.06-.06a2 2 0 012.83 2.83l-.06.06A1.65 1.65 0 0019.4 9a1.65 1.65 0 001.51 1H21a2 2 0 010 4h-.09a1.65 1.65 0 00-1.51 1z"/></svg>
+      Settings
+    </a>
+  </nav>
+  <script>
+    if ('serviceWorker' in navigator) {
+      navigator.serviceWorker.register('/static/sw.js').catch(function(err) {
+        console.log('SW registration failed:', err);
+      });
+    }
+  </script>
+</body>
+</html>{{end}}

internal/templates/pull_detail.html

@@ -0,0 +1,77 @@
+{{define "content"}}
+<h1>{{.Pull.Title}}</h1>
+
+<div class="card">
+  <div class="card-meta">
+    <span class="type-badge type-pull">PR</span>
+    {{if eq .Pull.State "closed"}}<span class="state-closed">{{.Pull.State}}</span>{{else}}<span class="state-open">{{.Pull.State}}</span>{{end}}
+    <span>{{.Pull.RepoOwner}}/{{.Pull.RepoName}} #{{.Pull.Number}}</span>
+    {{range .Pull.Labels}}
+    <span class="label" style="color:#{{.Color}};border:1px solid #{{.Color}}">{{.Name}}</span>
+    {{end}}
+  </div>
+  <div class="card-meta" style="margin-top:0.5rem;">
+    <span class="diff-add">+{{.Pull.Additions}}</span>
+    <span class="diff-del">-{{.Pull.Deletions}}</span>
+    {{if .Pull.Mergeable}}<span style="color:var(--accent-green);">Mergeable</span>{{end}}
+  </div>
+  <div class="card-meta" style="margin-top:0.5rem;">
+    <span id="state-section">
+      {{if eq .Pull.State "closed"}}
+      <span class="state-closed" id="pull-state">{{.Pull.State}}</span>
+      <button class="btn btn-secondary" hx-post="/pulls/{{.Pull.RepoOwner}}/{{.Pull.RepoName}}/{{.Pull.Number}}/state" hx-vals='{"state":"open"}' hx-target="#state-section" hx-swap="innerHTML">Reopen PR</button>
+      {{else}}
+      <span class="state-open" id="pull-state">{{.Pull.State}}</span>
+      <button class="btn btn-danger" hx-post="/pulls/{{.Pull.RepoOwner}}/{{.Pull.RepoName}}/{{.Pull.Number}}/state" hx-vals='{"state":"closed"}' hx-target="#state-section" hx-swap="innerHTML">Close PR</button>
+      {{end}}
+    </span>
+  </div>
+  {{if .RenderedBody}}
+  <div class="card-body markdown-body">{{.RenderedBody}}</div>
+  {{else if .Pull.Body}}
+  <div class="card-body">{{.Pull.Body}}</div>
+  {{end}}
+</div>
+
+<div class="card" style="margin-top:1rem;">
+  <h2>Submit Review</h2>
+  <form hx-post="/pulls/{{.Pull.RepoOwner}}/{{.Pull.RepoName}}/{{.Pull.Number}}/review" hx-swap="outerHTML">
+    <div class="form-group">
+      <label for="review-body">Comment</label>
+      <textarea id="review-body" name="body" placeholder="Leave a review comment..."></textarea>
+    </div>
+    <div class="review-options">
+      <label class="review-option">
+        <input type="radio" name="event" value="COMMENT" checked>
+        <span>Comment</span>
+      </label>
+      <label class="review-option">
+        <input type="radio" name="event" value="APPROVED">
+        <span>Approve</span>
+      </label>
+      <label class="review-option">
+        <input type="radio" name="event" value="REQUEST_CHANGES">
+        <span>Request Changes</span>
+      </label>
+    </div>
+    <button type="submit" class="btn btn-primary">Submit Review</button>
+  </form>
+</div>
+
+{{if .Comments}}
+<h2>Comments</h2>
+<div id="comments-list">
+{{range .Comments}}
+<div class="comment">
+  <div class="comment-header">
+    <strong>{{.User}}</strong>
+    <span>{{.CreatedAt}}</span>
+  </div>
+  <div class="comment-body">{{.Body}}</div>
+</div>
+{{end}}
+</div>
+{{else}}
+<p class="empty" style="margin-top:1rem;">No comments yet.</p>
+{{end}}
+{{end}}

internal/templates/pulls.html

@@ -0,0 +1,66 @@
+{{define "cards"}}
+  {{range .Pulls}}
+  <div class="card" hx-get="/pulls/{{.RepoOwner}}/{{.RepoName}}/{{.Number}}" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true">
+    <div class="card-title">
+      <span class="type-badge type-pull">PR</span>
+      {{.Title}}
+    </div>
+    <div class="card-meta">
+      <span>{{.RepoOwner}}/{{.RepoName}} #{{.Number}}</span>
+      {{range .Labels}}
+      <span class="label" style="color:#{{.Color}};border:1px solid #{{.Color}}">{{.Name}}</span>
+      {{end}}
+      <span class="diff-add">+{{.Additions}}</span>
+      <span class="diff-del">-{{.Deletions}}</span>
+      {{if eq .ReviewState "approved"}}<span class="review-badge review-approved" title="Approved">&#10003;</span>
+      {{else if eq .ReviewState "changes_requested"}}<span class="review-badge review-changes" title="Changes requested">&#10007;</span>
+      {{else if eq .ReviewState "pending"}}<span class="review-badge review-pending" title="Awaiting review">&#9202;</span>
+      {{end}}
+      {{if .Mergeable}}<span class="merge-badge merge-ready" title="Ready to merge">&#9654; Ready</span>
+      {{else}}<span class="merge-badge merge-conflicts" title="Has conflicts or not mergeable">Conflicts</span>
+      {{end}}
+    </div>
+  </div>
+  {{end}}
+  {{if .HasMore}}
+  <div class="scroll-sentinel" hx-get="/pulls?page={{.NextPage}}&org={{.SelectedOrg}}&state={{.SelectedState}}&label={{.SelectedLabel}}&repo={{.SelectedRepo}}" hx-trigger="revealed" hx-swap="outerHTML" hx-target="this">
+    <div class="spinner htmx-indicator"></div>
+  </div>
+  {{end}}
+{{end}}
+
+{{define "content"}}
+<h1>Pull Requests</h1>
+
+<div class="filter-bar">
+  <select name="org" hx-get="/pulls" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='state'],[name='label']">
+    <option value="">All orgs</option>
+    {{range .Orgs}}
+    <option value="{{.}}" {{if eq . $.SelectedOrg}}selected{{end}}>{{.}}</option>
+    {{end}}
+  </select>
+  {{if .Repos}}
+  <select name="repo" hx-get="/pulls" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org'],[name='state'],[name='label']">
+    <option value="">All repos</option>
+    {{range .Repos}}<option value="{{.}}" {{if eq . $.SelectedRepo}}selected{{end}}>{{.}}</option>{{end}}
+  </select>
+  {{end}}
+  <select name="state" hx-get="/pulls" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org'],[name='repo'],[name='label']">
+    <option value="open" {{if eq .SelectedState "open"}}selected{{end}}>Open</option>
+    <option value="closed" {{if eq .SelectedState "closed"}}selected{{end}}>Closed</option>
+  </select>
+  <input type="text" name="label" placeholder="Filter by label..." value="{{.SelectedLabel}}"
+         hx-get="/pulls" hx-trigger="input changed delay:400ms" hx-target="#main-content"
+         hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org'],[name='state'],[name='repo']">
+</div>
+
+{{if .Error}}
+<p class="empty">{{.Error}}</p>
+{{else if not .Pulls}}
+<p class="empty">No {{.SelectedState}} pull requests found.</p>
+{{else}}
+<div id="pull-list">
+  {{template "cards" .}}
+</div>
+{{end}}
+{{end}}

internal/templates/settings.html

@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0, viewport-fit=cover">
+  <title>Settings — Gitea Mobile</title>
+  <style>
+    * { box-sizing: border-box; margin: 0; padding: 0; }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+      background: #0d1117; color: #e6edf3;
+      padding: 1rem;
+      padding-top: max(1rem, env(safe-area-inset-top));
+    }
+    h1 { font-size: 1.5rem; margin-bottom: 1rem; }
+    .card {
+      background: #161b22; border: 1px solid #30363d; border-radius: 8px;
+      padding: 1rem; margin-bottom: 1rem;
+    }
+    label { display: block; font-size: 0.875rem; color: #8b949e; margin-bottom: 0.5rem; }
+    input[type="text"], input[type="password"] {
+      width: 100%; padding: 0.5rem; font-size: 1rem;
+      background: #0d1117; border: 1px solid #30363d; border-radius: 6px;
+      color: #e6edf3; margin-bottom: 1rem;
+    }
+    input:focus { outline: none; border-color: #58a6ff; }
+    button {
+      width: 100%; padding: 0.75rem; font-size: 1rem; font-weight: 600;
+      background: #238636; color: #fff; border: none; border-radius: 6px;
+      cursor: pointer;
+    }
+    button:active { background: #2ea043; }
+    .message {
+      padding: 0.75rem; border-radius: 6px; margin-bottom: 1rem;
+      font-size: 0.875rem;
+    }
+    .message.success { background: #0d2818; border: 1px solid #238636; color: #3fb950; }
+    .message.error { background: #2d1117; border: 1px solid #da3633; color: #f85149; }
+    .message.info { background: #0c1d2e; border: 1px solid #1f6feb; color: #58a6ff; }
+    .hint { font-size: 0.75rem; color: #8b949e; margin-top: 0.25rem; margin-bottom: 1rem; }
+    .status { font-size: 0.875rem; color: #8b949e; }
+    .status .connected { color: #3fb950; }
+    .logout-btn {
+      background: #21262d; border: 1px solid #30363d; margin-top: 0.5rem;
+    }
+    .logout-btn:active { background: #30363d; }
+  </style>
+</head>
+<body>
+  <h1>Settings</h1>
+
+  {{if .Message}}
+  <div class="message {{.MessageType}}">{{.Message}}</div>
+  {{end}}
+
+  {{if .HasToken}}
+  <div class="card">
+    <p class="status">Status: <span class="connected">Connected</span></p>
+    <p class="hint">A Gitea API token is configured.</p>
+    <form method="POST" action="/settings">
+      <input type="hidden" name="action" value="logout">
+      <button type="submit" class="logout-btn">Remove Token</button>
+    </form>
+  </div>
+  {{end}}
+
+  <div class="card">
+    <form method="POST" action="/settings">
+      <input type="hidden" name="action" value="save">
+      <label for="token">Gitea API Token</label>
+      <input type="password" id="token" name="token" placeholder="Enter your Gitea API token" required>
+      <p class="hint">Generate a token at your Gitea instance under Settings &rarr; Applications.</p>
+      <button type="submit">{{if .HasToken}}Update Token{{else}}Save Token{{end}}</button>
+    </form>
+  </div>
+
+  {{if .HasToken}}
+  <p style="text-align:center; margin-top:1rem;">
+    <a href="/" style="color:#58a6ff; text-decoration:none;">Back to Dashboard</a>
+  </p>
+  {{end}}
+</body>
+</html>

static/manifest.json

@@ -0,0 +1,24 @@
+{
+  "name": "Gitea Mobile",
+  "short_name": "Gitea",
+  "description": "Mobile-first PWA for managing Gitea issues and pull requests",
+  "start_url": "/",
+  "display": "standalone",
+  "background_color": "#0d1117",
+  "theme_color": "#161b22",
+  "orientation": "portrait",
+  "icons": [
+    {
+      "src": "/static/icon-192.png",
+      "sizes": "192x192",
+      "type": "image/png",
+      "purpose": "any maskable"
+    },
+    {
+      "src": "/static/icon-512.png",
+      "sizes": "512x512",
+      "type": "image/png",
+      "purpose": "any maskable"
+    }
+  ]
+}

static/style.css

@@ -0,0 +1,600 @@
+/* Gitea Mobile — Mobile-first CSS (~5KB target) */
+
+/* Reset */
+*, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+
+/* CSS Variables */
+:root {
+  --bg-primary: #0d1117;
+  --bg-secondary: #161b22;
+  --bg-tertiary: #21262d;
+  --border: #30363d;
+  --text-primary: #e6edf3;
+  --text-secondary: #8b949e;
+  --text-link: #58a6ff;
+  --accent-green: #3fb950;
+  --accent-red: #f85149;
+  --accent-yellow: #d29922;
+  --accent-blue: #58a6ff;
+  --accent-purple: #bc8cff;
+  --spacing-xs: 0.25rem;
+  --spacing-sm: 0.5rem;
+  --spacing-md: 0.75rem;
+  --spacing-lg: 1rem;
+  --radius: 8px;
+  --radius-sm: 6px;
+  --radius-pill: 10px;
+  --nav-height: 56px;
+  --font-sm: 0.75rem;
+  --font-base: 0.875rem;
+  --font-lg: 1rem;
+  --font-xl: 1.25rem;
+}
+
+/* Base */
+html {
+  font-size: 16px;
+  -webkit-text-size-adjust: 100%;
+}
+
+body {
+  font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif;
+  background: var(--bg-primary);
+  color: var(--text-primary);
+  line-height: 1.5;
+  padding-bottom: calc(var(--nav-height) + env(safe-area-inset-bottom));
+  -webkit-font-smoothing: antialiased;
+  -moz-osx-font-smoothing: grayscale;
+}
+
+/* Top bar */
+.top-bar {
+  position: sticky;
+  top: 0;
+  z-index: 100;
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  padding: var(--spacing-sm) var(--spacing-lg);
+  padding-top: max(var(--spacing-sm), env(safe-area-inset-top));
+  background: var(--bg-secondary);
+  border-bottom: 1px solid var(--border);
+}
+
+.top-bar-title {
+  font-size: var(--font-base);
+  font-weight: 600;
+  color: var(--text-primary);
+}
+
+.refresh-btn {
+  background: none;
+  border: none;
+  color: var(--text-secondary);
+  font-size: 1.4rem;
+  padding: var(--spacing-xs) var(--spacing-sm);
+  cursor: pointer;
+  -webkit-tap-highlight-color: transparent;
+  line-height: 1;
+  border-radius: var(--radius-sm);
+  transition: color 0.15s ease, background 0.15s ease;
+}
+
+.refresh-btn:active {
+  color: var(--accent-blue);
+  background: var(--bg-tertiary);
+}
+
+.refresh-btn.htmx-request {
+  animation: spin 0.6s linear infinite;
+  pointer-events: none;
+}
+
+/* Content area */
+.content {
+  padding: var(--spacing-lg);
+  padding-top: var(--spacing-lg);
+  max-width: 640px;
+  margin: 0 auto;
+}
+
+/* Typography */
+h1 {
+  font-size: var(--font-xl);
+  font-weight: 700;
+  margin-bottom: var(--spacing-lg);
+}
+
+h2 {
+  font-size: var(--font-lg);
+  font-weight: 600;
+  margin-bottom: var(--spacing-md);
+}
+
+a {
+  color: var(--text-link);
+  text-decoration: none;
+}
+
+a:active {
+  opacity: 0.7;
+}
+
+/* Cards */
+.card {
+  background: var(--bg-secondary);
+  border: 1px solid var(--border);
+  border-radius: var(--radius);
+  padding: var(--spacing-md);
+  margin-bottom: var(--spacing-sm);
+  transition: background 0.15s ease;
+}
+
+.card:active {
+  background: var(--bg-tertiary);
+}
+
+.card-title {
+  font-weight: 600;
+  font-size: var(--font-base);
+  margin-bottom: var(--spacing-xs);
+  line-height: 1.3;
+}
+
+.card-meta {
+  font-size: var(--font-sm);
+  color: var(--text-secondary);
+  display: flex;
+  flex-wrap: wrap;
+  align-items: center;
+  gap: var(--spacing-xs);
+}
+
+.card-body {
+  font-size: var(--font-base);
+  color: var(--text-secondary);
+  margin-top: var(--spacing-sm);
+  line-height: 1.5;
+}
+
+/* Labels / badges */
+.label {
+  display: inline-block;
+  font-size: 0.7rem;
+  padding: 1px 6px;
+  border-radius: var(--radius-pill);
+  font-weight: 500;
+  line-height: 1.5;
+  white-space: nowrap;
+}
+
+.type-badge {
+  font-size: 0.65rem;
+  text-transform: uppercase;
+  font-weight: 700;
+  padding: 1px 5px;
+  border-radius: 4px;
+  white-space: nowrap;
+}
+
+.type-issue {
+  background: rgba(31, 111, 235, 0.13);
+  color: var(--accent-blue);
+  border: 1px solid rgba(31, 111, 235, 0.27);
+}
+
+.type-pull {
+  background: rgba(35, 134, 54, 0.13);
+  color: var(--accent-green);
+  border: 1px solid rgba(35, 134, 54, 0.27);
+}
+
+.state-open {
+  color: var(--accent-green);
+}
+
+.state-closed {
+  color: var(--accent-red);
+}
+
+.state-merged {
+  color: var(--accent-purple);
+}
+
+/* Priority labels */
+.priority-p1 { color: var(--accent-red); border-color: var(--accent-red); }
+.priority-p2 { color: var(--accent-yellow); border-color: var(--accent-yellow); }
+.priority-p3 { color: var(--accent-blue); border-color: var(--accent-blue); }
+
+/* Diff stats */
+.diff-add { color: var(--accent-green); font-size: var(--font-sm); }
+.diff-del { color: var(--accent-red); font-size: var(--font-sm); }
+
+/* Bottom navigation */
+.bottom-nav {
+  position: fixed;
+  bottom: 0;
+  left: 0;
+  right: 0;
+  background: var(--bg-secondary);
+  border-top: 1px solid var(--border);
+  display: flex;
+  justify-content: space-around;
+  align-items: center;
+  height: var(--nav-height);
+  padding-bottom: env(safe-area-inset-bottom);
+  z-index: 100;
+}
+
+.bottom-nav a {
+  color: var(--text-secondary);
+  text-decoration: none;
+  font-size: 0.7rem;
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  padding: 4px 0;
+  min-width: 64px;
+  -webkit-tap-highlight-color: transparent;
+}
+
+.bottom-nav a.active {
+  color: var(--accent-blue);
+}
+
+.bottom-nav svg {
+  width: 22px;
+  height: 22px;
+  margin-bottom: 2px;
+}
+
+/* Filter bar */
+.filter-bar {
+  display: flex;
+  gap: var(--spacing-sm);
+  margin-bottom: var(--spacing-lg);
+  overflow-x: auto;
+  -webkit-overflow-scrolling: touch;
+  scrollbar-width: none;
+  padding-bottom: var(--spacing-xs);
+}
+
+.filter-bar::-webkit-scrollbar {
+  display: none;
+}
+
+.filter-bar select,
+.filter-bar input {
+  background: var(--bg-secondary);
+  border: 1px solid var(--border);
+  border-radius: var(--radius-sm);
+  color: var(--text-primary);
+  padding: var(--spacing-sm) var(--spacing-md);
+  font-size: var(--font-base);
+  min-width: 0;
+  flex-shrink: 0;
+  appearance: none;
+  -webkit-appearance: none;
+}
+
+.filter-bar select:focus,
+.filter-bar input:focus {
+  outline: none;
+  border-color: var(--accent-blue);
+}
+
+/* Forms */
+.form-group {
+  margin-bottom: var(--spacing-lg);
+}
+
+.form-group label {
+  display: block;
+  font-size: var(--font-sm);
+  color: var(--text-secondary);
+  margin-bottom: var(--spacing-sm);
+}
+
+.form-group input,
+.form-group textarea,
+.form-group select {
+  width: 100%;
+  padding: var(--spacing-sm) var(--spacing-md);
+  font-size: var(--font-lg);
+  background: var(--bg-primary);
+  border: 1px solid var(--border);
+  border-radius: var(--radius-sm);
+  color: var(--text-primary);
+  font-family: inherit;
+}
+
+.form-group textarea {
+  min-height: 120px;
+  resize: vertical;
+}
+
+.form-group input:focus,
+.form-group textarea:focus,
+.form-group select:focus {
+  outline: none;
+  border-color: var(--accent-blue);
+}
+
+/* Buttons */
+.btn {
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  padding: var(--spacing-md) var(--spacing-lg);
+  font-size: var(--font-lg);
+  font-weight: 600;
+  border: none;
+  border-radius: var(--radius-sm);
+  cursor: pointer;
+  -webkit-tap-highlight-color: transparent;
+  transition: background 0.15s ease;
+}
+
+.btn-primary {
+  background: #238636;
+  color: #fff;
+  width: 100%;
+}
+
+.btn-primary:active {
+  background: #2ea043;
+}
+
+.btn-secondary {
+  background: var(--bg-tertiary);
+  color: var(--text-primary);
+  border: 1px solid var(--border);
+  width: 100%;
+}
+
+.btn-secondary:active {
+  background: var(--border);
+}
+
+.btn-danger {
+  background: #da363322;
+  color: var(--accent-red);
+  border: 1px solid #da363366;
+  width: 100%;
+}
+
+/* Review form */
+.review-options {
+  display: flex;
+  flex-direction: column;
+  gap: var(--spacing-sm);
+  margin-bottom: var(--spacing-lg);
+}
+
+.review-option {
+  display: flex;
+  align-items: center;
+  gap: var(--spacing-sm);
+  padding: var(--spacing-sm);
+  background: var(--bg-secondary);
+  border: 1px solid var(--border);
+  border-radius: var(--radius-sm);
+  cursor: pointer;
+}
+
+.review-option input[type="radio"] {
+  accent-color: var(--accent-blue);
+}
+
+/* Comments thread */
+.comment {
+  background: var(--bg-secondary);
+  border: 1px solid var(--border);
+  border-radius: var(--radius);
+  margin-bottom: var(--spacing-sm);
+  overflow: hidden;
+}
+
+.comment-header {
+  padding: var(--spacing-sm) var(--spacing-md);
+  background: var(--bg-tertiary);
+  font-size: var(--font-sm);
+  color: var(--text-secondary);
+  display: flex;
+  align-items: center;
+  gap: var(--spacing-sm);
+}
+
+.comment-body {
+  padding: var(--spacing-md);
+  font-size: var(--font-base);
+  line-height: 1.6;
+}
+
+/* Avatar */
+.avatar {
+  width: 20px;
+  height: 20px;
+  border-radius: 50%;
+  vertical-align: middle;
+}
+
+/* Review status badges */
+.review-badge {
+  font-size: 0.7rem;
+  font-weight: 600;
+  padding: 1px 4px;
+  border-radius: var(--radius-pill);
+  vertical-align: middle;
+}
+.review-approved { color: var(--accent-green); }
+.review-changes { color: var(--accent-red); }
+.review-pending { color: var(--accent-yellow); }
+
+/* Merge status badges */
+.merge-badge {
+  font-size: 0.65rem;
+  font-weight: 600;
+  padding: 1px 5px;
+  border-radius: var(--radius-pill);
+  vertical-align: middle;
+}
+.merge-ready { color: var(--accent-green); border: 1px solid var(--accent-green); }
+.merge-conflicts { color: var(--accent-red); border: 1px solid var(--accent-red); }
+
+/* Empty state */
+.empty {
+  text-align: center;
+  color: var(--text-secondary);
+  padding: 3rem var(--spacing-lg);
+  font-size: var(--font-base);
+}
+
+/* Messages */
+.message {
+  padding: var(--spacing-md);
+  border-radius: var(--radius-sm);
+  margin-bottom: var(--spacing-lg);
+  font-size: var(--font-base);
+}
+
+.message.success {
+  background: #0d2818;
+  border: 1px solid #238636;
+  color: var(--accent-green);
+}
+
+.message.error {
+  background: #2d1117;
+  border: 1px solid #da3633;
+  color: var(--accent-red);
+}
+
+.message.info {
+  background: #0c1d2e;
+  border: 1px solid #1f6feb;
+  color: var(--accent-blue);
+}
+
+/* Loading indicator */
+.htmx-indicator {
+  display: none;
+}
+
+.htmx-request .htmx-indicator {
+  display: inline-block;
+}
+
+.spinner {
+  width: 16px;
+  height: 16px;
+  border: 2px solid var(--border);
+  border-top-color: var(--accent-blue);
+  border-radius: 50%;
+  animation: spin 0.6s linear infinite;
+}
+
+@keyframes spin {
+  to { transform: rotate(360deg); }
+}
+
+/* Infinite scroll sentinel */
+.scroll-sentinel {
+  height: 1px;
+  margin-bottom: var(--spacing-lg);
+}
+
+/* Tablet breakpoint: 2-column grid */
+@media (min-width: 640px) {
+  .content {
+    max-width: 960px;
+  }
+
+  .card-grid,
+  #issue-list,
+  #pull-list {
+    display: grid;
+    grid-template-columns: repeat(2, 1fr);
+    gap: var(--spacing-sm);
+  }
+
+  .card-grid .card,
+  #issue-list .card,
+  #pull-list .card {
+    margin-bottom: 0;
+  }
+}
+
+/* Respect reduced motion preference */
+@media (prefers-reduced-motion: reduce) {
+  * {
+    animation-duration: 0.01ms !important;
+    transition-duration: 0.01ms !important;
+  }
+}
+
+/* Dark mode is default; light mode override if needed */
+@media (prefers-color-scheme: light) {
+  :root {
+    --bg-primary: #ffffff;
+    --bg-secondary: #f6f8fa;
+    --bg-tertiary: #eaeef2;
+    --border: #d0d7de;
+    --text-primary: #1f2328;
+    --text-secondary: #656d76;
+    --text-link: #0969da;
+  }
+}
+
+/* Error page */
+.error-page {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  justify-content: center;
+  min-height: 60vh;
+  text-align: center;
+  padding: var(--spacing-lg);
+}
+
+.error-icon {
+  color: var(--text-secondary);
+  margin-bottom: var(--spacing-lg);
+}
+
+.error-code {
+  font-size: 4rem;
+  font-weight: 700;
+  color: var(--text-primary);
+  line-height: 1;
+  margin-bottom: var(--spacing-sm);
+}
+
+.error-title {
+  font-size: var(--font-xl);
+  color: var(--text-primary);
+  margin-bottom: var(--spacing-sm);
+}
+
+.error-message {
+  font-size: var(--font-base);
+  color: var(--text-secondary);
+  margin-bottom: var(--spacing-lg);
+  max-width: 300px;
+}
+
+.error-home-link {
+  display: inline-block;
+  padding: var(--spacing-sm) var(--spacing-lg);
+  background: var(--accent-blue);
+  color: #fff;
+  border-radius: var(--radius);
+  text-decoration: none;
+  font-size: var(--font-base);
+  font-weight: 500;
+  transition: opacity 0.15s;
+}
+
+.error-home-link:active {
+  opacity: 0.8;
+}

static/sw.js

@@ -0,0 +1,86 @@
+// Service Worker for Gitea Mobile PWA
+// Caches the app shell for offline/fast loading.
+
+const CACHE_NAME = 'gitea-mobile-v2';
+const APP_SHELL = [
+  '/',
+  '/static/style.css',
+  '/static/manifest.json',
+  '/static/icon-192.png',
+  '/static/icon-512.png',
+  '/static/htmx.min.js'
+];
+
+// Install: cache app shell resources.
+self.addEventListener('install', (event) => {
+  event.waitUntil(
+    caches.open(CACHE_NAME).then((cache) => {
+      return cache.addAll(APP_SHELL);
+    })
+  );
+  // Activate immediately.
+  self.skipWaiting();
+});
+
+// Activate: clean up old caches.
+self.addEventListener('activate', (event) => {
+  event.waitUntil(
+    caches.keys().then((cacheNames) => {
+      return Promise.all(
+        cacheNames
+          .filter((name) => name !== CACHE_NAME)
+          .map((name) => caches.delete(name))
+      );
+    })
+  );
+  // Take control of all clients immediately.
+  self.clients.claim();
+});
+
+// Fetch: network-first for API/HTML, cache-first for static assets.
+self.addEventListener('fetch', (event) => {
+  const url = new URL(event.request.url);
+
+  // Cache-first for static assets.
+  if (url.pathname.startsWith('/static/')) {
+    event.respondWith(
+      caches.match(event.request).then((cached) => {
+        return cached || fetch(event.request).then((response) => {
+          // Cache the fetched response for next time.
+          const responseClone = response.clone();
+          caches.open(CACHE_NAME).then((cache) => {
+            cache.put(event.request, responseClone);
+          });
+          return response;
+        });
+      })
+    );
+    return;
+  }
+
+  // Network-first for HTML/API requests.
+  if (event.request.headers.get('accept')?.includes('text/html') ||
+      event.request.headers.get('HX-Request')) {
+    event.respondWith(
+      fetch(event.request)
+        .then((response) => {
+          // Cache successful GET responses.
+          if (event.request.method === 'GET' && response.ok) {
+            const responseClone = response.clone();
+            caches.open(CACHE_NAME).then((cache) => {
+              cache.put(event.request, responseClone);
+            });
+          }
+          return response;
+        })
+        .catch(() => {
+          // Fallback to cache if network fails.
+          return caches.match(event.request);
+        })
+    );
+    return;
+  }
+
+  // Default: network only.
+  event.respondWith(fetch(event.request));
+});