feat: add MergePull() method to Gitea client

Add MergePull() that calls POST /repos/{owner}/{repo}/pulls/{index}/merge
with the specified merge style (merge, rebase, rebase-merge, squash).
Defaults to "merge" if no style specified. Includes unit tests for
success, default style, and error cases.

This is a prerequisite for #177 (merge PR button in UI) and #206
(POST /pulls merge handler).

Closes leeworks-agents/gitea-mobile#187

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.air.toml

@@ -0,0 +1,44 @@
+root = "."
+testdata_dir = "testdata"
+tmp_dir = "tmp"
+
+[build]
+  args_bin = []
+  bin = "./tmp/main"
+  cmd = "go build -o ./tmp/main ./cmd/server"
+  delay = 500
+  exclude_dir = ["assets", "tmp", "vendor", "testdata", ".git", "node_modules"]
+  exclude_file = []
+  exclude_regex = ["_test\\.go$"]
+  exclude_unchanged = false
+  follow_symlink = false
+  full_bin = ""
+  include_dir = []
+  include_ext = ["go", "html", "css", "js"]
+  include_file = []
+  kill_delay = "0s"
+  log = "build-errors.log"
+  poll = false
+  poll_interval = 0
+  rerun = false
+  rerun_delay = 500
+  send_interrupt = false
+  stop_on_error = false
+
+[color]
+  app = ""
+  build = "yellow"
+  main = "magenta"
+  runner = "green"
+  watcher = "cyan"
+
+[log]
+  main_only = false
+  time = false
+
+[misc]
+  clean_on_exit = true
+
+[screen]
+  clear_on_rebuild = false
+  keep_scroll = true

.dockerignore

@@ -0,0 +1,8 @@
+.git
+.gitignore
+*.md
+flake.nix
+flake.lock
+.envrc
+.direnv
+.claude

.gitea/workflows/build.yaml

@@ -0,0 +1,44 @@
+name: Build and Push
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.22'
+
+      - name: Vet
+        run: go vet ./...
+
+      - name: Run tests
+        run: go test -race ./...
+
+  build:
+    runs-on: ubuntu-latest
+    needs: test
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to Gitea registry
+        run: |
+          echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login gitea.leeworks.dev \
+            -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
+
+      - name: Build and push Docker image
+        run: |
+          TIMESTAMP=$(date +%Y%m%d%H%M%S)
+          SHA=$(echo ${{ gitea.sha }} | cut -c1-7)
+          TAG="${TIMESTAMP}-${SHA}"
+          docker build -t gitea.leeworks.dev/0xwheatyz/gitea-mobile:${TAG} .
+          docker tag gitea.leeworks.dev/0xwheatyz/gitea-mobile:${TAG} \
+            gitea.leeworks.dev/0xwheatyz/gitea-mobile:latest
+          docker push gitea.leeworks.dev/0xwheatyz/gitea-mobile:${TAG}
+          docker push gitea.leeworks.dev/0xwheatyz/gitea-mobile:latest

Dockerfile

@@ -0,0 +1,16 @@
+# Stage 1: Build
+FROM golang:1.22-alpine AS builder
+WORKDIR /app
+COPY go.mod ./
+RUN go mod download
+COPY . .
+RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /gitea-mobile ./cmd/server
+
+# Stage 2: Runtime
+FROM gcr.io/distroless/static:nonroot
+COPY --from=builder /gitea-mobile /gitea-mobile
+COPY static/ /static/
+COPY internal/templates/ /templates/
+EXPOSE 8080
+USER nonroot:nonroot
+ENTRYPOINT ["/gitea-mobile"]

README.md

@@ -0,0 +1,116 @@
+# Gitea Mobile
+
+A mobile-first Progressive Web App (PWA) for managing Gitea issues and pull requests across multiple repositories and organizations from an iPhone. Built with Go, HTMX, and hand-rolled CSS -- no JavaScript frameworks, no build step, no node_modules.
+
+## Tech Stack
+
+| Layer | Choice |
+|-------|--------|
+| Backend | Go + Gitea SDK (`code.gitea.io/sdk/gitea`) |
+| Frontend | HTMX + Go `html/template` + hand-rolled CSS |
+| Container | Multi-stage Dockerfile -> distroless (~15MB) |
+| Deployment | Kustomize manifests + FluxCD GitOps |
+
+## Project Structure
+
+```
+/
+├── cmd/server/main.go          # entrypoint
+├── internal/
+│   ├── config/config.go        # env-based configuration
+│   ├── gitea/client.go         # Gitea SDK wrapper / aggregation layer
+│   ├── handlers/               # HTTP handlers (issues, PRs, triage, settings)
+│   ├── auth/                   # cookie-based token auth
+│   ├── middleware/              # auth middleware, logging
+│   └── templates/              # Go html/template files (for HTMX)
+├── static/                     # CSS, JS (htmx.min.js), icons, manifest
+├── .gitea/workflows/build.yaml # CI pipeline (Gitea Actions)
+├── Dockerfile
+├── flake.nix                   # Nix dev shell with Go + air
+└── go.mod
+```
+
+## Local Development
+
+### Prerequisites
+
+- [Nix](https://nixos.org/download/) with flakes enabled, **or** Go 1.22+
+- A Gitea instance with an API token
+
+### Quick Start
+
+```bash
+# Enter the Nix dev shell (provides Go, gopls, air)
+nix develop
+
+# Set required environment variables
+export GITEA_URL=https://gitea.leeworks.dev
+export SESSION_SECRET=$(openssl rand -hex 32)
+
+# Optional: set a default API token
+export GITEA_TOKEN=your-gitea-api-token
+
+# Start the server with live reload
+air
+```
+
+If you are not using Nix, install Go 1.22+ and [air](https://github.com/air-verse/air) manually, then run the same commands above starting from the export lines.
+
+### Environment Variables
+
+| Variable | Required | Default | Description |
+|----------|----------|---------|-------------|
+| `GITEA_URL` | Yes | -- | Base URL of the Gitea instance |
+| `SESSION_SECRET` | Yes | -- | HMAC key for signing session cookies (min 32 chars) |
+| `GITEA_TOKEN` | No | -- | Default API token (users can set their own via the settings page) |
+| `LISTEN_ADDR` | No | `:8080` | Server listen address |
+
+### Live Reload with Air
+
+The dev shell includes [air](https://github.com/air-verse/air) for automatic recompilation on file changes. Configuration is in `.air.toml`. Air watches `.go` and `.html` files under `cmd/`, `internal/`, and `static/` and rebuilds/restarts the server automatically.
+
+## Running Tests
+
+```bash
+# Run all tests
+go test ./...
+
+# Run tests with race detection
+go test -race ./...
+```
+
+## Building the Container
+
+```bash
+# Build the Docker image
+docker build -t gitea-mobile .
+
+# Run locally
+docker run -p 8080:8080 \
+  -e GITEA_URL=https://gitea.leeworks.dev \
+  -e SESSION_SECRET=$(openssl rand -hex 32) \
+  gitea-mobile
+```
+
+The Dockerfile uses a multi-stage build: Go binary compiled in an Alpine builder stage, then copied into a distroless image (~15MB final size).
+
+## Deployment
+
+Kubernetes manifests for this app live in the Talos cluster repo under `testing1/first-cluster/apps/gitea-mobile/`. FluxCD syncs from that repo and handles automated image updates via `ImagePolicy` annotations.
+
+Key deployment resources:
+- `deployment.yaml` -- Pod spec with health checks
+- `service.yaml` -- ClusterIP service on port 8080
+- `ingressroute.yaml` -- Traefik IngressRoute for `gitea-mobile.testing.leeworks.dev`
+- `kustomization.yaml` -- Kustomize overlay
+
+## Contributing
+
+1. Fork the repository
+2. Create a feature branch: `git checkout -b feature/your-feature`
+3. Make your changes and add tests
+4. Run `go test -race ./...` to verify
+5. Commit with a clear message referencing the issue number
+6. Push to your fork and open a pull request
+
+All PRs target the fork (`leeworks-agents/gitea-mobile`), not the upstream repo.

SMOKE_TEST.md

@@ -0,0 +1,148 @@
+# Post-Deployment Smoke Test Runbook
+
+Smoke test procedure for verifying gitea-mobile after deployment to the Talos cluster.
+
+## Pre-conditions
+
+Before running the smoke test, confirm:
+
+- [ ] FluxCD has reconciled the latest manifests: `flux get kustomizations -n flux-system`
+- [ ] The gitea-mobile pod is Running: `kubectl get pods -n gitea-mobile`
+- [ ] The IngressRoute is active: `kubectl get ingressroute -n gitea-mobile`
+- [ ] DNS resolves `gitea-mobile.testing.leeworks.dev` to the cluster ingress
+
+## Step 1: Pod Health
+
+```bash
+# Verify the pod is running and ready
+kubectl get pods -n gitea-mobile
+# Expected: STATUS=Running, READY=1/1
+
+# Check pod logs for startup errors
+kubectl logs -n gitea-mobile deployment/gitea-mobile --tail=20
+# Expected: JSON log line with "server starting" message
+```
+
+## Step 2: Health Endpoint
+
+```bash
+# Hit the health check endpoint from inside the cluster
+kubectl exec -n gitea-mobile deployment/gitea-mobile -- wget -qO- http://localhost:8080/health
+# Expected: HTTP 200
+
+# Hit the health check endpoint from outside the cluster
+curl -s -o /dev/null -w "%{http_code}" https://gitea-mobile.testing.leeworks.dev/health
+# Expected: 200
+```
+
+## Step 3: TLS and Ingress
+
+```bash
+# Verify TLS certificate is valid
+curl -vI https://gitea-mobile.testing.leeworks.dev 2>&1 | grep "SSL certificate"
+# Expected: valid certificate from Let's Encrypt or cluster CA
+
+# Verify the app responds with HTML
+curl -s https://gitea-mobile.testing.leeworks.dev | head -5
+# Expected: HTML document with <html> tag
+```
+
+## Step 4: Authentication Flow
+
+1. Open `https://gitea-mobile.testing.leeworks.dev` in a browser
+2. Navigate to the Settings page (`/settings`)
+3. Enter a valid Gitea API token
+4. Submit the form
+5. **Expected**: Token is saved, page confirms success
+6. Navigate back to the Issues tab
+7. **Expected**: Issues load from the Gitea API using the saved token
+
+## Step 5: Core Functionality -- Issues
+
+1. Navigate to the Issues tab (`/issues`)
+2. **Expected**: Cross-org issues load and display with titles, labels, and timestamps
+3. Tap on an issue to expand details
+4. **Expected**: Issue body renders correctly
+5. Use the filter dropdown to filter by repo or label
+6. **Expected**: List updates via HTMX without full page reload
+
+## Step 6: Core Functionality -- Pull Requests
+
+1. Navigate to the PRs tab (`/pulls`)
+2. **Expected**: Pull requests load with review status icons
+3. Tap on a PR to see details
+4. **Expected**: PR diff summary or review status displays correctly
+
+## Step 7: Core Functionality -- Dashboard / Triage Queue
+
+1. Navigate to the Dashboard/Triage tab (`/`)
+2. **Expected**: Unassigned issues and PRs awaiting review appear sorted by priority
+
+## Step 8: Create Issue (Write Operation)
+
+1. Navigate to the new issue form
+2. Fill in title: `[smoke-test] Automated verification`
+3. Fill in body: `This issue was created during smoke testing. Safe to close.`
+4. Submit the form
+5. **Expected**: Issue is created successfully in Gitea
+6. Verify in Gitea web UI that the issue exists
+7. Close and delete the test issue after verification
+
+## Step 9: Apply Label (Write Operation)
+
+1. On any test issue, attempt to apply a label
+2. **Expected**: Label is applied via the Gitea API and reflected in the UI
+
+## Step 10: PWA / iPhone Safari
+
+1. Open `https://gitea-mobile.testing.leeworks.dev` on iPhone Safari
+2. **Expected**: App loads with mobile-optimized layout, no horizontal scroll
+3. Tap "Add to Home Screen" from the Safari share menu
+4. **Expected**: App icon appears on the home screen (apple-touch-icon)
+5. Launch from the home screen
+6. **Expected**: App opens in standalone mode (no Safari browser chrome)
+7. Verify bottom navigation does not overlap with iPhone home indicator
+8. Toggle device dark mode in Settings
+9. **Expected**: App switches between dark and light themes via `prefers-color-scheme`
+10. See issue #93 for the full PWA validation checklist
+
+## Expected Results Summary
+
+| Step | Check | Expected |
+|------|-------|----------|
+| 1 | Pod status | Running, Ready 1/1 |
+| 2 | `/health` | HTTP 200 |
+| 3 | TLS | Valid cert, HTML response |
+| 4 | Auth | Token saved, API calls work |
+| 5 | Issues | List loads, filter works |
+| 6 | PRs | List loads with review status |
+| 7 | Dashboard/Triage | Queue displays correctly at `/` |
+| 8 | Create issue | Issue created in Gitea |
+| 9 | Apply label | Label applied via API |
+| 10 | PWA | Standalone mode, safe areas, dark mode |
+
+## Rollback Procedure
+
+If the deployment is broken or the app is not functioning:
+
+```bash
+# Roll back to the previous deployment revision
+kubectl rollout undo deployment/gitea-mobile -n gitea-mobile
+
+# Verify the rollback
+kubectl rollout status deployment/gitea-mobile -n gitea-mobile
+# Expected: "deployment successfully rolled out"
+
+# Check that the previous image tag is running
+kubectl get deployment gitea-mobile -n gitea-mobile -o jsonpath='{.spec.template.spec.containers[0].image}'
+```
+
+If FluxCD keeps reconciling back to the broken version, suspend reconciliation temporarily:
+
+```bash
+# Suspend Flux reconciliation
+flux suspend kustomization gitea-mobile -n flux-system
+
+# After fixing the issue, resume
+flux resume kustomization gitea-mobile -n flux-system
+```

cmd/server/main.go

@@ -33,7 +33,7 @@ func main() {
 
 	// Apply middleware chain: logging -> auth.
 	var handler http.Handler = mux
-	handler = middleware.Auth(cfg.SessionSecret)(handler)
+	handler = middleware.Auth(cfg.SessionSecret, cfg.GiteaToken)(handler)
 	handler = middleware.Logging()(handler)
 
 	slog.Info("server starting", "addr", cfg.ListenAddr, "gitea_url", cfg.GiteaURL)

internal/gitea/client.go

@@ -8,8 +8,11 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"log/slog"
+	"math"
 	"net/http"
 	"sort"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -27,6 +30,11 @@ type Client struct {
 	maxConcurrent int
 	// cacheTTL controls how long cache entries remain valid.
 	cacheTTL time.Duration
+
+	// maxRetries is the maximum number of retries for rate-limited requests.
+	maxRetries int
+	// baseRetryDelay is the initial backoff delay before the first retry.
+	baseRetryDelay time.Duration
 }
 
 type cacheEntry struct {
@@ -107,6 +115,7 @@ type PullRequest struct {
 	UpdatedAt time.Time `json:"updated_at"`
 	RepoOwner   string `json:"-"` // populated after fetch
 	RepoName    string `json:"-"` // populated after fetch
+	ReviewState string `json:"-"` // aggregated review state: "approved", "changes_requested", "pending", or ""
 }
 
 // TriageItem represents an item in the triage queue.
@@ -131,21 +140,43 @@ func NewClient(baseURL string) *Client {
 		cache:          make(map[string]*cacheEntry),
 		maxConcurrent:  5,
 		cacheTTL:       30 * time.Second,
+		maxRetries:     3,
+		baseRetryDelay: 1 * time.Second,
 	}
 }
 
 // doRequest performs an authenticated HTTP request to the Gitea API.
+// It automatically retries on HTTP 429 (rate limit) responses with
+// exponential backoff, respecting the Retry-After header when present.
 func (c *Client) doRequest(ctx context.Context, token, method, path string, body io.Reader) (*http.Response, error) {
 	url := c.baseURL + "/api/v1" + path
 
-	req, err := http.NewRequestWithContext(ctx, method, url, body)
+	// Read the body once so we can replay it on retries.
+	var bodyBytes []byte
+	if body != nil {
+		var err error
+		bodyBytes, err = io.ReadAll(body)
+		if err != nil {
+			return nil, fmt.Errorf("reading request body: %w", err)
+		}
+	}
+
+	var lastErr error
+	for attempt := 0; attempt <= c.maxRetries; attempt++ {
+		// Recreate the body reader for each attempt.
+		var reqBody io.Reader
+		if bodyBytes != nil {
+			reqBody = strings.NewReader(string(bodyBytes))
+		}
+
+		req, err := http.NewRequestWithContext(ctx, method, url, reqBody)
 		if err != nil {
 			return nil, fmt.Errorf("creating request: %w", err)
 		}
 
 		req.Header.Set("Authorization", "token "+token)
 		req.Header.Set("Accept", "application/json")
-	if body != nil {
+		if bodyBytes != nil {
 			req.Header.Set("Content-Type", "application/json")
 		}
 
@@ -154,13 +185,54 @@ func (c *Client) doRequest(ctx context.Context, token, method, path string, body
 			return nil, fmt.Errorf("executing request: %w", err)
 		}
 
+		// Not rate-limited: handle normally.
+		if resp.StatusCode != http.StatusTooManyRequests {
 			if resp.StatusCode >= 400 {
 				defer resp.Body.Close()
 				respBody, _ := io.ReadAll(resp.Body)
 				return nil, fmt.Errorf("API error %d: %s", resp.StatusCode, string(respBody))
 			}
-
 			return resp, nil
+		}
+
+		// Rate-limited (429): close body and compute retry delay.
+		resp.Body.Close()
+
+		if attempt == c.maxRetries {
+			lastErr = fmt.Errorf("API rate limit exceeded after %d retries (429)", c.maxRetries)
+			break
+		}
+
+		delay := c.retryDelay(resp, attempt)
+		slog.Warn("rate limited by Gitea API, retrying",
+			"attempt", attempt+1,
+			"max_retries", c.maxRetries,
+			"delay", delay,
+			"path", path,
+		)
+
+		select {
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		case <-time.After(delay):
+			// Continue to next attempt.
+		}
+	}
+
+	return nil, lastErr
+}
+
+// retryDelay computes the delay before the next retry attempt. It uses the
+// Retry-After header value (in seconds) if present, otherwise falls back to
+// exponential backoff: baseRetryDelay * 2^attempt.
+func (c *Client) retryDelay(resp *http.Response, attempt int) time.Duration {
+	if ra := resp.Header.Get("Retry-After"); ra != "" {
+		if seconds, err := strconv.Atoi(ra); err == nil && seconds > 0 {
+			return time.Duration(seconds) * time.Second
+		}
+	}
+	// Exponential backoff: 1s, 2s, 4s, ...
+	return c.baseRetryDelay * time.Duration(math.Pow(2, float64(attempt)))
 }
 
 // getFromCache returns cached data if still valid.
@@ -308,26 +380,60 @@ func (c *Client) ListOrgsAndRepos(ctx context.Context, token string) (map[string
 	return result, nil
 }
 
-// ListAllIssues fetches all open issues across all repos in the given orgs,
-// using concurrent requests with a semaphore.
-func (c *Client) ListAllIssues(ctx context.Context, token string, orgs []string) ([]Issue, error) {
-	cacheKey := fmt.Sprintf("issues-%s", strings.Join(orgs, ","))
-	if cached, ok := c.getFromCache(cacheKey); ok {
-		return cached.([]Issue), nil
+// PageSize is the number of items returned per page for paginated listings.
+const PageSize = 20
+
+// PaginatedIssues holds a page of issues along with pagination metadata.
+type PaginatedIssues struct {
+	Issues  []Issue
+	HasMore bool
+}
+
+// PaginatedPulls holds a page of pull requests along with pagination metadata.
+type PaginatedPulls struct {
+	Pulls   []PullRequest
+	HasMore bool
+}
+
+// ListAllIssues fetches issues across all repos in the given orgs,
+// using concurrent requests with a semaphore. Results are paginated.
+// The label parameter filters issues by label name (empty string means no filter).
+// The repoFilter parameter narrows results to a single repo name (empty means all repos).
+func (c *Client) ListAllIssues(ctx context.Context, token string, orgs []string, state string, page int, label string, repoFilter string) (PaginatedIssues, error) {
+	if state == "" {
+		state = "open"
+	}
+	if page < 1 {
+		page = 1
 	}
 
+	cacheKey := fmt.Sprintf("issues-%s-%s-%s-%s", state, strings.Join(orgs, ","), label, repoFilter)
+	var allIssues []Issue
+	if cached, ok := c.getFromCache(cacheKey); ok {
+		allIssues = cached.([]Issue)
+	} else {
 		// First, collect all repos for the given orgs.
 		var allRepos []Repo
 		for _, org := range orgs {
 			repos, err := c.ListOrgRepos(ctx, token, org)
 			if err != nil {
-			return nil, fmt.Errorf("listing repos for %s: %w", org, err)
+				return PaginatedIssues{}, fmt.Errorf("listing repos for %s: %w", org, err)
 			}
 			allRepos = append(allRepos, repos...)
 		}
 
+		// Filter to a single repo if specified.
+		if repoFilter != "" {
+			var filtered []Repo
+			for _, r := range allRepos {
+				if r.Name == repoFilter {
+					filtered = append(filtered, r)
+				}
+			}
+			allRepos = filtered
+		}
+
 		// Fan out issue fetching across repos.
-	var allIssues []Issue
 		var mu sync.Mutex
 		sem := make(chan struct{}, c.maxConcurrent)
 		var wg sync.WaitGroup
@@ -340,7 +446,10 @@ func (c *Client) ListAllIssues(ctx context.Context, token string, orgs []string)
 				sem <- struct{}{}
 				defer func() { <-sem }()
 
-			path := fmt.Sprintf("/repos/%s/issues?state=open&type=issues&limit=50", r.FullName)
+				path := fmt.Sprintf("/repos/%s/issues?state=%s&type=issues&limit=50", r.FullName, state)
+				if label != "" {
+					path += "&labels=" + label
+				}
 				resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
 				if err != nil {
 					mu.Lock()
@@ -377,7 +486,7 @@ func (c *Client) ListAllIssues(ctx context.Context, token string, orgs []string)
 		wg.Wait()
 
 		if firstErr != nil {
-		return nil, firstErr
+			return PaginatedIssues{}, firstErr
 		}
 
 		// Sort by updated time, newest first.
@@ -386,26 +495,58 @@ func (c *Client) ListAllIssues(ctx context.Context, token string, orgs []string)
 		})
 
 		c.setCache(cacheKey, allIssues)
-	return allIssues, nil
-}
-
-// ListAllPullRequests fetches all open PRs across all repos in the given orgs.
-func (c *Client) ListAllPullRequests(ctx context.Context, token string, orgs []string) ([]PullRequest, error) {
-	cacheKey := fmt.Sprintf("pulls-%s", strings.Join(orgs, ","))
-	if cached, ok := c.getFromCache(cacheKey); ok {
-		return cached.([]PullRequest), nil
 	}
 
+	// Paginate.
+	start := (page - 1) * PageSize
+	if start >= len(allIssues) {
+		return PaginatedIssues{}, nil
+	}
+	end := start + PageSize
+	hasMore := end < len(allIssues)
+	if end > len(allIssues) {
+		end = len(allIssues)
+	}
+
+	return PaginatedIssues{Issues: allIssues[start:end], HasMore: hasMore}, nil
+}
+
+// ListAllPullRequests fetches PRs across all repos in the given orgs.
+// Results are paginated. The label parameter filters PRs by label name.
+// The repoFilter parameter narrows results to a single repo name.
+func (c *Client) ListAllPullRequests(ctx context.Context, token string, orgs []string, state string, page int, label string, repoFilter string) (PaginatedPulls, error) {
+	if state == "" {
+		state = "open"
+	}
+	if page < 1 {
+		page = 1
+	}
+
+	cacheKey := fmt.Sprintf("pulls-%s-%s-%s-%s", state, strings.Join(orgs, ","), label, repoFilter)
+	var allPRs []PullRequest
+	if cached, ok := c.getFromCache(cacheKey); ok {
+		allPRs = cached.([]PullRequest)
+	} else {
 		var allRepos []Repo
 		for _, org := range orgs {
 			repos, err := c.ListOrgRepos(ctx, token, org)
 			if err != nil {
-			return nil, fmt.Errorf("listing repos for %s: %w", org, err)
+				return PaginatedPulls{}, fmt.Errorf("listing repos for %s: %w", org, err)
 			}
 			allRepos = append(allRepos, repos...)
 		}
 
-	var allPRs []PullRequest
+		// Filter to a single repo if specified.
+		if repoFilter != "" {
+			var filtered []Repo
+			for _, r := range allRepos {
+				if r.Name == repoFilter {
+					filtered = append(filtered, r)
+				}
+			}
+			allRepos = filtered
+		}
+
 		var mu sync.Mutex
 		sem := make(chan struct{}, c.maxConcurrent)
 		var wg sync.WaitGroup
@@ -418,7 +559,10 @@ func (c *Client) ListAllPullRequests(ctx context.Context, token string, orgs []s
 				sem <- struct{}{}
 				defer func() { <-sem }()
 
-			path := fmt.Sprintf("/repos/%s/pulls?state=open&limit=50", r.FullName)
+				path := fmt.Sprintf("/repos/%s/pulls?state=%s&limit=50", r.FullName, state)
+				if label != "" {
+					path += "&labels=" + label
+				}
 				resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
 				if err != nil {
 					mu.Lock()
@@ -454,7 +598,7 @@ func (c *Client) ListAllPullRequests(ctx context.Context, token string, orgs []s
 		wg.Wait()
 
 		if firstErr != nil {
-		return nil, firstErr
+			return PaginatedPulls{}, firstErr
 		}
 
 		sort.Slice(allPRs, func(i, j int) bool {
@@ -462,20 +606,49 @@ func (c *Client) ListAllPullRequests(ctx context.Context, token string, orgs []s
 		})
 
 		c.setCache(cacheKey, allPRs)
-	return allPRs, nil
+	}
+
+	// Paginate.
+	start := (page - 1) * PageSize
+	if start >= len(allPRs) {
+		return PaginatedPulls{}, nil
+	}
+	end := start + PageSize
+	hasMore := end < len(allPRs)
+	if end > len(allPRs) {
+		end = len(allPRs)
+	}
+
+	return PaginatedPulls{Pulls: allPRs[start:end], HasMore: hasMore}, nil
 }
 
 // GetTriageQueue returns unassigned issues and PRs needing review, sorted by priority.
 func (c *Client) GetTriageQueue(ctx context.Context, token string, orgs []string) ([]TriageItem, error) {
-	issues, err := c.ListAllIssues(ctx, token, orgs)
+	// Collect all open issues across all pages.
+	var issues []Issue
+	for page := 1; ; page++ {
+		result, err := c.ListAllIssues(ctx, token, orgs, "open", page, "", "")
 		if err != nil {
 			return nil, fmt.Errorf("fetching issues for triage: %w", err)
 		}
+		issues = append(issues, result.Issues...)
+		if !result.HasMore {
+			break
+		}
+	}
 
-	prs, err := c.ListAllPullRequests(ctx, token, orgs)
+	// Collect all open PRs across all pages.
+	var prs []PullRequest
+	for page := 1; ; page++ {
+		result, err := c.ListAllPullRequests(ctx, token, orgs, "open", page, "", "")
 		if err != nil {
 			return nil, fmt.Errorf("fetching PRs for triage: %w", err)
 		}
+		prs = append(prs, result.Pulls...)
+		if !result.HasMore {
+			break
+		}
+	}
 
 	var queue []TriageItem
 
@@ -530,6 +703,103 @@ func (c *Client) GetTriageQueue(ctx context.Context, token string, orgs []string
 	return queue, nil
 }
 
+// Comment represents a comment on an issue or pull request.
+type Comment struct {
+	ID        int64  `json:"id"`
+	Body      string `json:"body"`
+	User      string `json:"-"` // populated from nested object
+	CreatedAt string `json:"-"` // formatted after fetch
+	RawUser   struct {
+		Login string `json:"login"`
+	} `json:"user"`
+	RawCreatedAt time.Time `json:"created_at"`
+}
+
+// Label represents a Gitea label (used for available labels list).
+type Label struct {
+	ID    int64  `json:"id"`
+	Name  string `json:"name"`
+	Color string `json:"color"`
+}
+
+// GetIssue fetches a single issue by owner, repo, and index.
+func (c *Client) GetIssue(ctx context.Context, token, owner, repo string, index int64) (*Issue, error) {
+	path := fmt.Sprintf("/repos/%s/%s/issues/%d", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+	if err != nil {
+		return nil, fmt.Errorf("fetching issue: %w", err)
+	}
+	defer resp.Body.Close()
+
+	var issue Issue
+	if err := json.NewDecoder(resp.Body).Decode(&issue); err != nil {
+		return nil, fmt.Errorf("decoding issue: %w", err)
+	}
+
+	issue.RepoOwner = owner
+	issue.RepoName = repo
+	return &issue, nil
+}
+
+// GetPull fetches a single pull request by owner, repo, and index.
+func (c *Client) GetPull(ctx context.Context, token, owner, repo string, index int64) (*PullRequest, error) {
+	path := fmt.Sprintf("/repos/%s/%s/pulls/%d", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+	if err != nil {
+		return nil, fmt.Errorf("fetching pull request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	var pr PullRequest
+	if err := json.NewDecoder(resp.Body).Decode(&pr); err != nil {
+		return nil, fmt.Errorf("decoding pull request: %w", err)
+	}
+
+	pr.RepoOwner = owner
+	pr.RepoName = repo
+	return &pr, nil
+}
+
+// GetIssueComments fetches comments for an issue or pull request.
+func (c *Client) GetIssueComments(ctx context.Context, token, owner, repo string, index int64) ([]Comment, error) {
+	path := fmt.Sprintf("/repos/%s/%s/issues/%d/comments?limit=50", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+	if err != nil {
+		return nil, fmt.Errorf("fetching comments: %w", err)
+	}
+	defer resp.Body.Close()
+
+	var comments []Comment
+	if err := json.NewDecoder(resp.Body).Decode(&comments); err != nil {
+		return nil, fmt.Errorf("decoding comments: %w", err)
+	}
+
+	// Populate convenience fields.
+	for i := range comments {
+		comments[i].User = comments[i].RawUser.Login
+		comments[i].CreatedAt = comments[i].RawCreatedAt.Format("Jan 2, 2006 15:04")
+	}
+
+	return comments, nil
+}
+
+// GetRepoLabels fetches all labels for a repository.
+func (c *Client) GetRepoLabels(ctx context.Context, token, owner, repo string) ([]Label, error) {
+	path := fmt.Sprintf("/repos/%s/%s/labels?limit=50", owner, repo)
+	resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+	if err != nil {
+		return nil, fmt.Errorf("fetching labels: %w", err)
+	}
+	defer resp.Body.Close()
+
+	var labels []Label
+	if err := json.NewDecoder(resp.Body).Decode(&labels); err != nil {
+		return nil, fmt.Errorf("decoding labels: %w", err)
+	}
+
+	return labels, nil
+}
+
 // CreateIssue creates a new issue in the specified repository.
 func (c *Client) CreateIssue(ctx context.Context, token, owner, repo, title, body string, labels []int64) (*Issue, error) {
 	payload := map[string]interface{}{
@@ -586,6 +856,49 @@ func (c *Client) ApplyLabel(ctx context.Context, token, owner, repo string, inde
 	return nil
 }
 
+// ListCollaborators fetches the list of collaborators (users with access) for a repo.
+func (c *Client) ListCollaborators(ctx context.Context, token, owner, repo string) ([]string, error) {
+	path := fmt.Sprintf("/repos/%s/%s/collaborators?limit=50", owner, repo)
+	resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+	if err != nil {
+		return nil, fmt.Errorf("fetching collaborators: %w", err)
+	}
+	defer resp.Body.Close()
+
+	var users []struct {
+		Login string `json:"login"`
+	}
+	if err := json.NewDecoder(resp.Body).Decode(&users); err != nil {
+		return nil, fmt.Errorf("decoding collaborators: %w", err)
+	}
+
+	var logins []string
+	for _, u := range users {
+		logins = append(logins, u.Login)
+	}
+	return logins, nil
+}
+
+// AssignIssue sets the assignees on an issue.
+func (c *Client) AssignIssue(ctx context.Context, token, owner, repo string, index int64, assignees []string) error {
+	payload, err := json.Marshal(map[string]interface{}{
+		"assignees": assignees,
+	})
+	if err != nil {
+		return fmt.Errorf("marshaling assignees: %w", err)
+	}
+
+	path := fmt.Sprintf("/repos/%s/%s/issues/%d", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodPatch, path, strings.NewReader(string(payload)))
+	if err != nil {
+		return fmt.Errorf("assigning issue: %w", err)
+	}
+	resp.Body.Close()
+
+	c.InvalidateAll()
+	return nil
+}
+
 // SubmitReview submits a review on a pull request.
 func (c *Client) SubmitReview(ctx context.Context, token, owner, repo string, index int64, reviewType, body string) error {
 	payload := map[string]interface{}{
@@ -609,6 +922,202 @@ func (c *Client) SubmitReview(ctx context.Context, token, owner, repo string, in
 	return nil
 }
 
+// CloseIssue closes an issue by setting its state to "closed".
+func (c *Client) CloseIssue(ctx context.Context, token, owner, repo string, index int64) error {
+	return c.SetIssueState(ctx, token, owner, repo, index, "closed")
+}
+
+// SetIssueState sets an issue's state (e.g. "open" or "closed").
+func (c *Client) SetIssueState(ctx context.Context, token, owner, repo string, index int64, state string) error {
+	payload, err := json.Marshal(map[string]string{"state": state})
+	if err != nil {
+		return fmt.Errorf("marshaling state change: %w", err)
+	}
+
+	path := fmt.Sprintf("/repos/%s/%s/issues/%d", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodPatch, path, strings.NewReader(string(payload)))
+	if err != nil {
+		return fmt.Errorf("setting issue state: %w", err)
+	}
+	resp.Body.Close()
+
+	c.InvalidateAll()
+	return nil
+}
+
+// MergePull merges a pull request using the specified merge style.
+// Valid styles: "merge", "rebase", "rebase-merge", "squash".
+// If style is empty, defaults to "merge".
+func (c *Client) MergePull(ctx context.Context, token, owner, repo string, index int64, style, title, message string) error {
+	if style == "" {
+		style = "merge"
+	}
+
+	payload := map[string]string{
+		"Do": style,
+	}
+	if title != "" {
+		payload["merge_message_field"] = title
+	}
+	if message != "" {
+		payload["merge_message_field"] = message
+	}
+
+	jsonData, err := json.Marshal(payload)
+	if err != nil {
+		return fmt.Errorf("marshaling merge request: %w", err)
+	}
+
+	path := fmt.Sprintf("/repos/%s/%s/pulls/%d/merge", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodPost, path, strings.NewReader(string(jsonData)))
+	if err != nil {
+		return fmt.Errorf("merging pull request: %w", err)
+	}
+	resp.Body.Close()
+
+	c.InvalidateAll()
+	return nil
+}
+
+// AddComment creates a comment on an issue and returns the created Comment.
+func (c *Client) AddComment(ctx context.Context, token, owner, repo string, index int64, body string) (*Comment, error) {
+	return c.PostComment(ctx, token, owner, repo, index, body)
+}
+
+// PostComment creates a comment on an issue and returns the created Comment.
+func (c *Client) PostComment(ctx context.Context, token, owner, repo string, index int64, body string) (*Comment, error) {
+	payload, err := json.Marshal(map[string]string{"body": body})
+	if err != nil {
+		return nil, fmt.Errorf("marshaling comment: %w", err)
+	}
+
+	path := fmt.Sprintf("/repos/%s/%s/issues/%d/comments", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodPost, path, strings.NewReader(string(payload)))
+	if err != nil {
+		return nil, fmt.Errorf("posting comment: %w", err)
+	}
+	defer resp.Body.Close()
+
+	var comment Comment
+	if err := json.NewDecoder(resp.Body).Decode(&comment); err != nil {
+		return nil, fmt.Errorf("decoding comment: %w", err)
+	}
+
+	// Populate convenience fields.
+	comment.User = comment.RawUser.Login
+	comment.CreatedAt = comment.RawCreatedAt.Format("Jan 2, 2006 15:04")
+
+	c.InvalidateAll()
+	return &comment, nil
+}
+
+// RenderMarkdown renders raw markdown text to HTML using the Gitea API.
+// Falls back to the raw text if the API call fails.
+func (c *Client) RenderMarkdown(ctx context.Context, token, text string) (string, error) {
+	payload, err := json.Marshal(map[string]string{
+		"Text": text,
+		"Mode": "gfm",
+	})
+	if err != nil {
+		return text, fmt.Errorf("marshaling markdown request: %w", err)
+	}
+
+	url := c.baseURL + "/api/v1/markdown"
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, strings.NewReader(string(payload)))
+	if err != nil {
+		return text, fmt.Errorf("creating markdown request: %w", err)
+	}
+
+	req.Header.Set("Authorization", "token "+token)
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Accept", "text/html")
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return text, fmt.Errorf("executing markdown request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode >= 400 {
+		return text, fmt.Errorf("markdown API error %d", resp.StatusCode)
+	}
+
+	rendered, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return text, fmt.Errorf("reading markdown response: %w", err)
+	}
+
+	return string(rendered), nil
+}
+
+// Review represents a single review on a pull request.
+type Review struct {
+	ID   int64  `json:"id"`
+	Body string `json:"body"`
+	State string `json:"state"` // "APPROVED", "REQUEST_CHANGES", "COMMENT", "PENDING"
+	User  struct {
+		Login string `json:"login"`
+	} `json:"user"`
+}
+
+// GetPullReviewState fetches reviews for a PR and returns the aggregate state.
+// Priority: changes_requested > approved > pending > "" (no reviews).
+func (c *Client) GetPullReviewState(ctx context.Context, token, owner, repo string, index int64) string {
+	path := fmt.Sprintf("/repos/%s/%s/pulls/%d/reviews?limit=50", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+	if err != nil {
+		return ""
+	}
+	defer resp.Body.Close()
+
+	var reviews []Review
+	if err := json.NewDecoder(resp.Body).Decode(&reviews); err != nil {
+		return ""
+	}
+
+	if len(reviews) == 0 {
+		return ""
+	}
+
+	// Aggregate: last non-comment review per user wins, then pick the "worst" state.
+	userState := make(map[string]string)
+	for _, r := range reviews {
+		switch r.State {
+		case "APPROVED", "REQUEST_CHANGES":
+			userState[r.User.Login] = r.State
+		}
+	}
+
+	if len(userState) == 0 {
+		return "pending"
+	}
+
+	for _, s := range userState {
+		if s == "REQUEST_CHANGES" {
+			return "changes_requested"
+		}
+	}
+	return "approved"
+}
+
+// EnrichPullsWithReviewState fetches review state for each PR concurrently.
+func (c *Client) EnrichPullsWithReviewState(ctx context.Context, token string, pulls []PullRequest) {
+	sem := make(chan struct{}, c.maxConcurrent)
+	var wg sync.WaitGroup
+
+	for i := range pulls {
+		wg.Add(1)
+		go func(idx int) {
+			defer wg.Done()
+			sem <- struct{}{}
+			defer func() { <-sem }()
+
+			pulls[idx].ReviewState = c.GetPullReviewState(ctx, token, pulls[idx].RepoOwner, pulls[idx].RepoName, pulls[idx].Number)
+		}(i)
+	}
+	wg.Wait()
+}
+
 // priorityScore returns a numeric score for sorting (lower = higher priority).
 func priorityScore(labels []string) int {
 	for _, l := range labels {

internal/handlers/handlers.go

@@ -7,6 +7,7 @@ import (
 	"log/slog"
 	"net/http"
 	"strconv"
+	"strings"
 
 	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/config"
 	giteaclient "gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/gitea"
@@ -37,12 +38,24 @@ func (h *Handler) RegisterRoutes(mux *http.ServeMux) {
 
 	// Issues.
 	mux.HandleFunc("GET /issues", h.ListIssues)
+	mux.HandleFunc("GET /issues/new", h.NewIssue)
+	mux.HandleFunc("GET /issues/new/labels", h.NewIssueLabels)
 	mux.HandleFunc("POST /issues", h.CreateIssue)
 	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/labels", h.ApplyLabels)
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/assignees", h.AssignIssue)
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/close", h.CloseIssue)
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/state", h.SetIssueState)
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/comments", h.AddComment)
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/comment", h.AddComment)
+
+	// Issue detail.
+	mux.HandleFunc("GET /issues/{owner}/{repo}/{index}", h.IssueDetail)
 
 	// Pull requests.
 	mux.HandleFunc("GET /pulls", h.ListPulls)
+	mux.HandleFunc("GET /pulls/{owner}/{repo}/{index}", h.PullDetail)
 	mux.HandleFunc("POST /pulls/{owner}/{repo}/{index}/review", h.SubmitReview)
+	mux.HandleFunc("POST /pulls/{owner}/{repo}/{index}/state", h.SetPullState)
 
 	// Settings (handled separately for auth bypass).
 	settingsHandler := &SettingsHandler{
@@ -97,50 +110,20 @@ var basePage = template.Must(template.New("base").Parse(`<!DOCTYPE html>
 <head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0, viewport-fit=cover">
+  <meta name="apple-mobile-web-app-capable" content="yes">
+  <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
+  <meta name="theme-color" content="#161b22">
+  <link rel="manifest" href="/static/manifest.json">
+  <link rel="apple-touch-icon" href="/static/icon-192.png">
   <title>{{.Title}} — Gitea Mobile</title>
-  <style>
-    * { box-sizing: border-box; margin: 0; padding: 0; }
-    body {
-      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
-      background: #0d1117; color: #e6edf3;
-      padding-bottom: calc(60px + env(safe-area-inset-bottom));
-    }
-    .content { padding: 1rem; padding-top: max(1rem, env(safe-area-inset-top)); }
-    h1 { font-size: 1.25rem; margin-bottom: 1rem; }
-    .card {
-      background: #161b22; border: 1px solid #30363d; border-radius: 8px;
-      padding: 0.75rem; margin-bottom: 0.5rem;
-    }
-    .card-title { font-weight: 600; font-size: 0.9rem; margin-bottom: 0.25rem; }
-    .card-meta { font-size: 0.75rem; color: #8b949e; }
-    .label {
-      display: inline-block; font-size: 0.7rem; padding: 2px 6px;
-      border-radius: 10px; font-weight: 500; margin-right: 4px;
-    }
-    .type-badge {
-      font-size: 0.65rem; text-transform: uppercase; font-weight: 700;
-      padding: 1px 5px; border-radius: 4px; margin-right: 4px;
-    }
-    .type-issue { background: #1f6feb22; color: #58a6ff; border: 1px solid #1f6feb44; }
-    .type-pull { background: #23863622; color: #3fb950; border: 1px solid #23863644; }
-    .empty { text-align: center; color: #8b949e; padding: 2rem 1rem; }
-    .bottom-nav {
-      position: fixed; bottom: 0; left: 0; right: 0;
-      background: #161b22; border-top: 1px solid #30363d;
-      display: flex; justify-content: space-around; align-items: center;
-      height: 56px;
-      padding-bottom: env(safe-area-inset-bottom);
-    }
-    .bottom-nav a {
-      color: #8b949e; text-decoration: none; font-size: 0.7rem;
-      display: flex; flex-direction: column; align-items: center; padding: 4px 0;
-    }
-    .bottom-nav a.active { color: #58a6ff; }
-    .bottom-nav svg { width: 22px; height: 22px; margin-bottom: 2px; }
-  </style>
-  <script src="https://unpkg.com/htmx.org@1.9.10"></script>
+  <link rel="stylesheet" href="/static/style.css">
+  <script src="/static/htmx.min.js"></script>
 </head>
 <body>
+  <header class="top-bar">
+    <span class="top-bar-title">Gitea Mobile</span>
+    <button class="refresh-btn" hx-get="" hx-target="#main-content" hx-swap="innerHTML" aria-label="Refresh">&#8635;</button>
+  </header>
   <div class="content" id="main-content">
     {{.Content}}
   </div>
@@ -162,6 +145,13 @@ var basePage = template.Must(template.New("base").Parse(`<!DOCTYPE html>
       Settings
     </a>
   </nav>
+  <script>
+    if ('serviceWorker' in navigator) {
+      navigator.serviceWorker.register('/static/sw.js').catch(function(err) {
+        console.log('SW registration failed:', err);
+      });
+    }
+  </script>
 </body>
 </html>`))
 
@@ -191,169 +181,545 @@ func renderPage(w http.ResponseWriter, r *http.Request, title, activeTab string,
 	}
 }
 
+// errorData holds the template data for error pages.
+type errorData struct {
+	Code    int
+	Title   string
+	Message string
+}
+
+// ErrorNotFound renders a mobile-friendly 404 error page.
+func (h *Handler) ErrorNotFound(w http.ResponseWriter, r *http.Request) {
+	data := errorData{
+		Code:    http.StatusNotFound,
+		Title:   "Page Not Found",
+		Message: "The page you are looking for does not exist or has been moved.",
+	}
+	h.renderError(w, r, data)
+}
+
+// ErrorInternal renders a mobile-friendly 500 error page.
+func (h *Handler) ErrorInternal(w http.ResponseWriter, r *http.Request) {
+	data := errorData{
+		Code:    http.StatusInternalServerError,
+		Title:   "Internal Server Error",
+		Message: "Something went wrong on our end. Please try again later.",
+	}
+	h.renderError(w, r, data)
+}
+
+// renderError renders the error template with the given data and status code.
+func (h *Handler) renderError(w http.ResponseWriter, r *http.Request, data errorData) {
+	tmpl, err := template.ParseFiles("internal/templates/error.html")
+	if err != nil {
+		slog.Error("failed to parse error template", "error", err)
+		http.Error(w, fmt.Sprintf("%d %s", data.Code, data.Title), data.Code)
+		return
+	}
+
+	var buf strings.Builder
+	if err := tmpl.ExecuteTemplate(&buf, "content", data); err != nil {
+		slog.Error("failed to execute error template", "error", err)
+		http.Error(w, fmt.Sprintf("%d %s", data.Code, data.Title), data.Code)
+		return
+	}
+
+	w.WriteHeader(data.Code)
+	renderPage(w, r, data.Title, "", buf.String())
+}
+
 // Dashboard handles GET / — the triage queue.
 func (h *Handler) Dashboard(w http.ResponseWriter, r *http.Request) {
 	// Only handle exact root path.
 	if r.URL.Path != "/" {
-		http.NotFound(w, r)
+		h.ErrorNotFound(w, r)
 		return
 	}
 
 	token := getToken(r)
 	orgs := h.getUserOrgs(r)
+	selectedOrg := r.URL.Query().Get("org")
+
+	type dashboardData struct {
+		Items       []giteaclient.TriageItem
+		Orgs        []string
+		SelectedOrg string
+		Error       string
+	}
+
+	data := dashboardData{
+		Orgs:        orgs,
+		SelectedOrg: selectedOrg,
+	}
 
 	if len(orgs) == 0 {
-		renderPage(w, r, "Dashboard", "dashboard",
-			`<h1>Dashboard</h1><p class="empty">No organizations found. Check your token permissions.</p>`)
-		return
+		data.Error = "No organizations found. Check your token permissions."
+	} else {
+		// Determine which orgs to query.
+		queryOrgs := orgs
+		if selectedOrg != "" {
+			queryOrgs = []string{selectedOrg}
 		}
 
-	queue, err := h.Client.GetTriageQueue(r.Context(), token, orgs)
+		queue, err := h.Client.GetTriageQueue(r.Context(), token, queryOrgs)
 		if err != nil {
 			slog.Error("failed to get triage queue", "error", err)
-		renderPage(w, r, "Dashboard", "dashboard",
-			`<h1>Dashboard</h1><p class="empty">Error loading triage queue.</p>`)
+			data.Error = "Error loading triage queue."
+		} else {
+			data.Items = queue
+		}
+	}
+
+	tmpl, err := template.ParseFiles("internal/templates/dashboard.html")
+	if err != nil {
+		slog.Error("failed to parse dashboard template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
 		return
 	}
 
-	if len(queue) == 0 {
-		renderPage(w, r, "Dashboard", "dashboard",
-			`<h1>Dashboard</h1><p class="empty">No items need attention. Nice work!</p>`)
+	var buf strings.Builder
+	if err := tmpl.ExecuteTemplate(&buf, "content", data); err != nil {
+		slog.Error("failed to execute dashboard template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
 		return
 	}
 
-	content := `<h1>Dashboard</h1>`
-	for _, item := range queue {
-		typeBadge := `<span class="type-badge type-issue">issue</span>`
-		if item.Type == "pull" {
-			typeBadge = `<span class="type-badge type-pull">PR</span>`
-		}
-
-		labels := ""
-		for _, l := range item.Labels {
-			color := "#8b949e"
-			switch l {
-			case "P1":
-				color = "#f85149"
-			case "P2":
-				color = "#d29922"
-			case "P3":
-				color = "#58a6ff"
-			}
-			labels += fmt.Sprintf(`<span class="label" style="color:%s;border:1px solid %s">%s</span>`, color, color, template.HTMLEscapeString(l))
-		}
-
-		content += fmt.Sprintf(`<div class="card">
-  <div class="card-title">%s %s</div>
-  <div class="card-meta">%s/%s #%d %s</div>
-</div>`, typeBadge, template.HTMLEscapeString(item.Title),
-			template.HTMLEscapeString(item.RepoOwner),
-			template.HTMLEscapeString(item.RepoName),
-			item.Number, labels)
-	}
-
-	renderPage(w, r, "Dashboard", "dashboard", content)
+	renderPage(w, r, "Dashboard", "dashboard", buf.String())
 }
 
 // ListIssues handles GET /issues.
 func (h *Handler) ListIssues(w http.ResponseWriter, r *http.Request) {
 	token := getToken(r)
-	orgs := h.getUserOrgs(r)
+	orgNames := h.getUserOrgs(r)
 
-	if len(orgs) == 0 {
-		renderPage(w, r, "Issues", "issues",
-			`<h1>Issues</h1><p class="empty">No organizations found.</p>`)
-		return
+	type issuesData struct {
+		Issues        []giteaclient.Issue
+		Orgs          []string
+		SelectedOrg   string
+		SelectedState string
+		SelectedLabel string
+		SelectedRepo  string
+		Repos         []string
+		HasMore       bool
+		NextPage      int
+		Error         string
 	}
 
-	issues, err := h.Client.ListAllIssues(r.Context(), token, orgs)
+	selectedOrg := r.URL.Query().Get("org")
+	selectedState := r.URL.Query().Get("state")
+	if selectedState == "" {
+		selectedState = "open"
+	}
+	selectedLabel := r.URL.Query().Get("label")
+	selectedRepo := r.URL.Query().Get("repo")
+	page, _ := strconv.Atoi(r.URL.Query().Get("page"))
+	if page < 1 {
+		page = 1
+	}
+
+	data := issuesData{
+		Orgs:          orgNames,
+		SelectedOrg:   selectedOrg,
+		SelectedState: selectedState,
+		SelectedLabel: selectedLabel,
+		SelectedRepo:  selectedRepo,
+	}
+
+	if len(orgNames) == 0 {
+		data.Error = "No organizations found."
+	} else {
+		// Filter to selected org if specified.
+		queryOrgs := orgNames
+		if selectedOrg != "" {
+			queryOrgs = []string{selectedOrg}
+
+			// Populate repo list for the selected org.
+			repos, err := h.Client.ListOrgRepos(r.Context(), token, selectedOrg)
+			if err != nil {
+				slog.Warn("failed to list repos for org filter", "error", err, "org", selectedOrg)
+			} else {
+				for _, repo := range repos {
+					data.Repos = append(data.Repos, repo.Name)
+				}
+			}
+		}
+
+		result, err := h.Client.ListAllIssues(r.Context(), token, queryOrgs, selectedState, page, selectedLabel, selectedRepo)
 		if err != nil {
 			slog.Error("failed to list issues", "error", err)
-		renderPage(w, r, "Issues", "issues",
-			`<h1>Issues</h1><p class="empty">Error loading issues.</p>`)
+			data.Error = "Error loading issues."
+		} else {
+			data.Issues = result.Issues
+			data.HasMore = result.HasMore
+			if result.HasMore {
+				data.NextPage = page + 1
+			}
+		}
+	}
+
+	// For HTMX infinite-scroll requests (page > 1), return only the card fragment.
+	if isHTMX(r) && page > 1 {
+		tmpl, err := template.ParseFiles("internal/templates/issues.html")
+		if err != nil {
+			slog.Error("failed to parse issues template", "error", err)
+			http.Error(w, "template error", http.StatusInternalServerError)
+			return
+		}
+		var buf strings.Builder
+		if err := tmpl.ExecuteTemplate(&buf, "cards", data); err != nil {
+			slog.Error("failed to execute issues cards template", "error", err)
+			http.Error(w, "template error", http.StatusInternalServerError)
+			return
+		}
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		fmt.Fprint(w, buf.String())
 		return
 	}
 
-	if len(issues) == 0 {
-		renderPage(w, r, "Issues", "issues",
-			`<h1>Issues</h1><p class="empty">No open issues found.</p>`)
+	tmpl, err := template.ParseFiles("internal/templates/issues.html")
+	if err != nil {
+		slog.Error("failed to parse issues template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
 		return
 	}
 
-	content := `<h1>Issues</h1>`
-	for _, issue := range issues {
-		labels := ""
-		for _, l := range issue.Labels {
-			labels += fmt.Sprintf(`<span class="label" style="color:#%s;border:1px solid #%s">%s</span>`,
-				l.Color, l.Color, template.HTMLEscapeString(l.Name))
+	var buf strings.Builder
+	if err := tmpl.ExecuteTemplate(&buf, "content", data); err != nil {
+		slog.Error("failed to execute issues template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
+		return
 	}
 
-		assignee := ""
-		if issue.Assignee != nil {
-			assignee = fmt.Sprintf(` &middot; %s`, template.HTMLEscapeString(issue.Assignee.Login))
-		}
-
-		content += fmt.Sprintf(`<div class="card">
-  <div class="card-title">%s</div>
-  <div class="card-meta">%s/%s #%d %s%s</div>
-</div>`, template.HTMLEscapeString(issue.Title),
-			template.HTMLEscapeString(issue.RepoOwner),
-			template.HTMLEscapeString(issue.RepoName),
-			issue.Number, labels, assignee)
-	}
-
-	renderPage(w, r, "Issues", "issues", content)
+	renderPage(w, r, "Issues", "issues", buf.String())
 }
 
 // ListPulls handles GET /pulls.
 func (h *Handler) ListPulls(w http.ResponseWriter, r *http.Request) {
 	token := getToken(r)
-	orgs := h.getUserOrgs(r)
+	orgNames := h.getUserOrgs(r)
 
-	if len(orgs) == 0 {
-		renderPage(w, r, "Pull Requests", "pulls",
-			`<h1>Pull Requests</h1><p class="empty">No organizations found.</p>`)
-		return
+	type pullsData struct {
+		Pulls         []giteaclient.PullRequest
+		Orgs          []string
+		SelectedOrg   string
+		SelectedState string
+		SelectedLabel string
+		SelectedRepo  string
+		Repos         []string
+		HasMore       bool
+		NextPage      int
+		Error         string
 	}
 
-	prs, err := h.Client.ListAllPullRequests(r.Context(), token, orgs)
+	selectedOrg := r.URL.Query().Get("org")
+	selectedState := r.URL.Query().Get("state")
+	if selectedState == "" {
+		selectedState = "open"
+	}
+	selectedLabel := r.URL.Query().Get("label")
+	selectedRepo := r.URL.Query().Get("repo")
+	page, _ := strconv.Atoi(r.URL.Query().Get("page"))
+	if page < 1 {
+		page = 1
+	}
+
+	data := pullsData{
+		Orgs:          orgNames,
+		SelectedOrg:   selectedOrg,
+		SelectedState: selectedState,
+		SelectedLabel: selectedLabel,
+		SelectedRepo:  selectedRepo,
+	}
+
+	if len(orgNames) == 0 {
+		data.Error = "No organizations found."
+	} else {
+		queryOrgs := orgNames
+		if selectedOrg != "" {
+			queryOrgs = []string{selectedOrg}
+
+			// Populate repo list for the selected org.
+			repos, err := h.Client.ListOrgRepos(r.Context(), token, selectedOrg)
+			if err != nil {
+				slog.Warn("failed to list repos for org filter", "error", err, "org", selectedOrg)
+			} else {
+				for _, repo := range repos {
+					data.Repos = append(data.Repos, repo.Name)
+				}
+			}
+		}
+
+		result, err := h.Client.ListAllPullRequests(r.Context(), token, queryOrgs, selectedState, page, selectedLabel, selectedRepo)
 		if err != nil {
 			slog.Error("failed to list pull requests", "error", err)
-		renderPage(w, r, "Pull Requests", "pulls",
-			`<h1>Pull Requests</h1><p class="empty">Error loading pull requests.</p>`)
+			data.Error = "Error loading pull requests."
+		} else {
+			data.Pulls = result.Pulls
+			data.HasMore = result.HasMore
+			if result.HasMore {
+				data.NextPage = page + 1
+			}
+			// Enrich PRs with review state for status icons.
+			if len(data.Pulls) > 0 {
+				h.Client.EnrichPullsWithReviewState(r.Context(), token, data.Pulls)
+			}
+		}
+	}
+
+	// For HTMX infinite-scroll requests (page > 1), return only the card fragment.
+	if isHTMX(r) && page > 1 {
+		tmpl, err := template.ParseFiles("internal/templates/pulls.html")
+		if err != nil {
+			slog.Error("failed to parse pulls template", "error", err)
+			http.Error(w, "template error", http.StatusInternalServerError)
+			return
+		}
+		var buf strings.Builder
+		if err := tmpl.ExecuteTemplate(&buf, "cards", data); err != nil {
+			slog.Error("failed to execute pulls cards template", "error", err)
+			http.Error(w, "template error", http.StatusInternalServerError)
+			return
+		}
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		fmt.Fprint(w, buf.String())
 		return
 	}
 
-	if len(prs) == 0 {
-		renderPage(w, r, "Pull Requests", "pulls",
-			`<h1>Pull Requests</h1><p class="empty">No open pull requests found.</p>`)
+	tmpl, err := template.ParseFiles("internal/templates/pulls.html")
+	if err != nil {
+		slog.Error("failed to parse pulls template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
 		return
 	}
 
-	content := `<h1>Pull Requests</h1>`
-	for _, pr := range prs {
-		labels := ""
-		for _, l := range pr.Labels {
-			labels += fmt.Sprintf(`<span class="label" style="color:#%s;border:1px solid #%s">%s</span>`,
-				l.Color, l.Color, template.HTMLEscapeString(l.Name))
+	var buf strings.Builder
+	if err := tmpl.ExecuteTemplate(&buf, "content", data); err != nil {
+		slog.Error("failed to execute pulls template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
+		return
 	}
 
-		stats := fmt.Sprintf(`<span style="color:#3fb950">+%d</span> <span style="color:#f85149">-%d</span>`, pr.Additions, pr.Deletions)
-		mergeStatus := ""
-		if pr.Mergeable {
-			mergeStatus = `<span style="color:#3fb950;font-size:0.7rem;">mergeable</span>`
+	renderPage(w, r, "Pull Requests", "pulls", buf.String())
+}
+
+// IssueDetail handles GET /issues/{owner}/{repo}/{index}.
+func (h *Handler) IssueDetail(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	owner := r.PathValue("owner")
+	repo := r.PathValue("repo")
+	indexStr := r.PathValue("index")
+
+	index, err := strconv.ParseInt(indexStr, 10, 64)
+	if err != nil {
+		http.Error(w, "invalid issue index", http.StatusBadRequest)
+		return
 	}
 
-		content += fmt.Sprintf(`<div class="card">
-  <div class="card-title"><span class="type-badge type-pull">PR</span> %s</div>
-  <div class="card-meta">%s/%s #%d %s %s %s</div>
-</div>`, template.HTMLEscapeString(pr.Title),
-			template.HTMLEscapeString(pr.RepoOwner),
-			template.HTMLEscapeString(pr.RepoName),
-			pr.Number, labels, stats, mergeStatus)
+	issue, err := h.Client.GetIssue(r.Context(), token, owner, repo, index)
+	if err != nil {
+		slog.Error("failed to get issue", "error", err, "owner", owner, "repo", repo, "index", index)
+		renderPage(w, r, "Issue Not Found", "issues",
+			`<h1>Issue Not Found</h1><p class="empty">Could not load the requested issue.</p>`)
+		return
 	}
 
-	renderPage(w, r, "Pull Requests", "pulls", content)
+	comments, err := h.Client.GetIssueComments(r.Context(), token, owner, repo, index)
+	if err != nil {
+		slog.Error("failed to get comments", "error", err)
+		comments = nil // non-fatal, render without comments
+	}
+
+	labels, err := h.Client.GetRepoLabels(r.Context(), token, owner, repo)
+	if err != nil {
+		slog.Error("failed to get repo labels", "error", err)
+		labels = nil
+	}
+
+	collaborators, err := h.Client.ListCollaborators(r.Context(), token, owner, repo)
+	if err != nil {
+		slog.Error("failed to get collaborators", "error", err)
+		collaborators = nil
+	}
+
+	// Render markdown body if present.
+	var renderedBody template.HTML
+	if issue.Body != "" {
+		rendered, err := h.Client.RenderMarkdown(r.Context(), token, issue.Body)
+		if err != nil {
+			slog.Warn("failed to render issue body markdown, using plain text", "error", err)
+		} else {
+			renderedBody = template.HTML(rendered)
+		}
+	}
+
+	// Build the content HTML using the template.
+	tmpl, err := template.ParseFiles("internal/templates/issue_detail.html")
+	if err != nil {
+		slog.Error("failed to parse issue_detail template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
+		return
+	}
+
+	type templateData struct {
+		Issue           *giteaclient.Issue
+		RenderedBody    template.HTML
+		Comments        []giteaclient.Comment
+		AvailableLabels []giteaclient.Label
+		Collaborators   []string
+	}
+
+	data := templateData{
+		Issue:           issue,
+		RenderedBody:    renderedBody,
+		Comments:        comments,
+		AvailableLabels: labels,
+		Collaborators:   collaborators,
+	}
+
+	var buf strings.Builder
+	if err := tmpl.ExecuteTemplate(&buf, "content", data); err != nil {
+		slog.Error("failed to execute issue_detail template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
+		return
+	}
+
+	renderPage(w, r, fmt.Sprintf("Issue #%d", index), "issues", buf.String())
+}
+
+// PullDetail handles GET /pulls/{owner}/{repo}/{index}.
+func (h *Handler) PullDetail(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	owner := r.PathValue("owner")
+	repo := r.PathValue("repo")
+	indexStr := r.PathValue("index")
+
+	index, err := strconv.ParseInt(indexStr, 10, 64)
+	if err != nil {
+		http.Error(w, "invalid PR index", http.StatusBadRequest)
+		return
+	}
+
+	pr, err := h.Client.GetPull(r.Context(), token, owner, repo, index)
+	if err != nil {
+		slog.Error("failed to get pull request", "error", err, "owner", owner, "repo", repo, "index", index)
+		renderPage(w, r, "PR Not Found", "pulls",
+			`<h1>Pull Request Not Found</h1><p class="empty">Could not load the requested pull request.</p>`)
+		return
+	}
+
+	// Render markdown body if present.
+	var renderedBody template.HTML
+	if pr.Body != "" {
+		rendered, err := h.Client.RenderMarkdown(r.Context(), token, pr.Body)
+		if err != nil {
+			slog.Warn("failed to render PR body markdown, using plain text", "error", err)
+		} else {
+			renderedBody = template.HTML(rendered)
+		}
+	}
+
+	// Fetch comments for this PR (Gitea uses the issues endpoint for PR comments).
+	comments, err := h.Client.GetIssueComments(r.Context(), token, owner, repo, index)
+	if err != nil {
+		slog.Warn("failed to fetch PR comments", "error", err, "owner", owner, "repo", repo, "index", index)
+		// Non-fatal: continue rendering without comments.
+	}
+
+	// Build the content HTML using the template.
+	tmpl, err := template.ParseFiles("internal/templates/pull_detail.html")
+	if err != nil {
+		slog.Error("failed to parse pull_detail template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
+		return
+	}
+
+	type templateData struct {
+		Pull         *giteaclient.PullRequest
+		RenderedBody template.HTML
+		Comments     []giteaclient.Comment
+	}
+
+	data := templateData{
+		Pull:         pr,
+		RenderedBody: renderedBody,
+		Comments:     comments,
+	}
+
+	var buf strings.Builder
+	if err := tmpl.ExecuteTemplate(&buf, "content", data); err != nil {
+		slog.Error("failed to execute pull_detail template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
+		return
+	}
+
+	renderPage(w, r, fmt.Sprintf("PR #%d", index), "pulls", buf.String())
+}
+
+// NewIssue handles GET /issues/new — renders the create-issue form.
+func (h *Handler) NewIssue(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+
+	repos, err := h.Client.ListOrgsAndRepos(r.Context(), token)
+	if err != nil {
+		slog.Error("failed to list repos for new issue form", "error", err)
+		renderPage(w, r, "New Issue", "issues",
+			`<h1>New Issue</h1><p class="empty">Error loading repositories.</p>`)
+		return
+	}
+
+	tmpl, err := template.ParseFiles("internal/templates/create_issue.html")
+	if err != nil {
+		slog.Error("failed to parse create_issue template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
+		return
+	}
+
+	type templateData struct {
+		Repos map[string][]giteaclient.Repo
+	}
+
+	data := templateData{Repos: repos}
+
+	var buf strings.Builder
+	if err := tmpl.ExecuteTemplate(&buf, "content", data); err != nil {
+		slog.Error("failed to execute create_issue template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
+		return
+	}
+
+	renderPage(w, r, "New Issue", "issues", buf.String())
+}
+
+// NewIssueLabels handles GET /issues/new/labels — returns label checkboxes for a repo.
+func (h *Handler) NewIssueLabels(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	owner := r.URL.Query().Get("owner")
+	repo := r.URL.Query().Get("repo")
+
+	if owner == "" || repo == "" {
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		fmt.Fprint(w, `<span class="empty">Select a repository first.</span>`)
+		return
+	}
+
+	labels, err := h.Client.GetRepoLabels(r.Context(), token, owner, repo)
+	if err != nil {
+		slog.Error("failed to fetch labels", "error", err, "owner", owner, "repo", repo)
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		fmt.Fprint(w, `<span class="empty">Error loading labels.</span>`)
+		return
+	}
+
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	if len(labels) == 0 {
+		fmt.Fprint(w, `<span class="empty">No labels available for this repository.</span>`)
+		return
+	}
+
+	for _, l := range labels {
+		fmt.Fprintf(w, `<label style="display:inline-block;margin:0.25rem 0.5rem 0.25rem 0;cursor:pointer;"><input type="checkbox" name="label_ids" value="%d" style="margin-right:0.25rem;"> <span class="label" style="color:#%s;border:1px solid #%s">%s</span></label>`,
+			l.ID, template.HTMLEscapeString(l.Color), template.HTMLEscapeString(l.Color), template.HTMLEscapeString(l.Name))
+	}
 }
 
 // CreateIssue handles POST /issues.
@@ -369,14 +735,35 @@ func (h *Handler) CreateIssue(w http.ResponseWriter, r *http.Request) {
 	title := r.FormValue("title")
 	body := r.FormValue("body")
 
+	// Parse label IDs from form checkboxes.
+	var labelIDs []int64
+	for _, idStr := range r.Form["label_ids"] {
+		id, err := strconv.ParseInt(idStr, 10, 64)
+		if err == nil {
+			labelIDs = append(labelIDs, id)
+		}
+	}
+
 	if owner == "" || repo == "" || title == "" {
+		if isHTMX(r) {
+			w.Header().Set("Content-Type", "text/html; charset=utf-8")
+			w.WriteHeader(http.StatusBadRequest)
+			fmt.Fprint(w, `<span class="empty">owner, repo, and title are required</span>`)
+			return
+		}
 		http.Error(w, "owner, repo, and title are required", http.StatusBadRequest)
 		return
 	}
 
-	issue, err := h.Client.CreateIssue(r.Context(), token, owner, repo, title, body, nil)
+	issue, err := h.Client.CreateIssue(r.Context(), token, owner, repo, title, body, labelIDs)
 	if err != nil {
 		slog.Error("failed to create issue", "error", err)
+		if isHTMX(r) {
+			w.Header().Set("Content-Type", "text/html; charset=utf-8")
+			w.WriteHeader(http.StatusInternalServerError)
+			fmt.Fprint(w, `<span class="empty">Failed to create issue. Please try again.</span>`)
+			return
+		}
 		http.Error(w, "failed to create issue", http.StatusInternalServerError)
 		return
 	}
@@ -437,6 +824,210 @@ func (h *Handler) ApplyLabels(w http.ResponseWriter, r *http.Request) {
 	http.Redirect(w, r, fmt.Sprintf("/issues/%s/%s/%d", owner, repo, index), http.StatusSeeOther)
 }
 
+// AssignIssue handles POST /issues/{owner}/{repo}/{index}/assignees.
+func (h *Handler) AssignIssue(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	owner := r.PathValue("owner")
+	repo := r.PathValue("repo")
+	indexStr := r.PathValue("index")
+
+	index, err := strconv.ParseInt(indexStr, 10, 64)
+	if err != nil {
+		http.Error(w, "invalid issue index", http.StatusBadRequest)
+		return
+	}
+
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, "bad request", http.StatusBadRequest)
+		return
+	}
+
+	assignee := r.FormValue("assignee")
+	if assignee == "" {
+		http.Error(w, "assignee is required", http.StatusBadRequest)
+		return
+	}
+
+	if err := h.Client.AssignIssue(r.Context(), token, owner, repo, index, []string{assignee}); err != nil {
+		slog.Error("failed to assign issue", "error", err, "owner", owner, "repo", repo, "index", index, "assignee", assignee)
+		http.Error(w, "failed to assign issue", http.StatusInternalServerError)
+		return
+	}
+
+	if isHTMX(r) {
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		fmt.Fprintf(w, `<span style="color:#3fb950">Assigned to %s</span>`, template.HTMLEscapeString(assignee))
+		return
+	}
+
+	http.Redirect(w, r, fmt.Sprintf("/issues/%s/%s/%d", owner, repo, index), http.StatusSeeOther)
+}
+
+// CloseIssue handles POST /issues/{owner}/{repo}/{index}/close.
+func (h *Handler) CloseIssue(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	owner := r.PathValue("owner")
+	repo := r.PathValue("repo")
+	indexStr := r.PathValue("index")
+
+	index, err := strconv.ParseInt(indexStr, 10, 64)
+	if err != nil {
+		http.Error(w, "invalid issue index", http.StatusBadRequest)
+		return
+	}
+
+	if err := h.Client.CloseIssue(r.Context(), token, owner, repo, index); err != nil {
+		slog.Error("failed to close issue", "error", err, "owner", owner, "repo", repo, "index", index)
+		http.Error(w, "failed to close issue", http.StatusInternalServerError)
+		return
+	}
+
+	if isHTMX(r) {
+		w.Header().Set("HX-Redirect", fmt.Sprintf("/issues/%s/%s/%d", owner, repo, index))
+		w.WriteHeader(http.StatusOK)
+		return
+	}
+
+	http.Redirect(w, r, fmt.Sprintf("/issues/%s/%s/%d", owner, repo, index), http.StatusSeeOther)
+}
+
+// SetIssueState handles POST /issues/{owner}/{repo}/{index}/state.
+func (h *Handler) SetIssueState(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	owner := r.PathValue("owner")
+	repo := r.PathValue("repo")
+	indexStr := r.PathValue("index")
+
+	index, err := strconv.ParseInt(indexStr, 10, 64)
+	if err != nil {
+		http.Error(w, "invalid issue index", http.StatusBadRequest)
+		return
+	}
+
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, "bad request", http.StatusBadRequest)
+		return
+	}
+
+	state := r.FormValue("state")
+	if state != "open" && state != "closed" {
+		http.Error(w, "state must be 'open' or 'closed'", http.StatusBadRequest)
+		return
+	}
+
+	if err := h.Client.SetIssueState(r.Context(), token, owner, repo, index, state); err != nil {
+		slog.Error("failed to set issue state", "error", err, "owner", owner, "repo", repo, "index", index, "state", state)
+		http.Error(w, "failed to update issue state", http.StatusInternalServerError)
+		return
+	}
+
+	if isHTMX(r) {
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		if state == "closed" {
+			fmt.Fprintf(w, `<span class="state-closed" id="issue-state">closed</span>
+<button class="btn btn-secondary" hx-post="/issues/%s/%s/%d/state" hx-vals='{"state":"open"}' hx-target="#state-section" hx-swap="innerHTML">Reopen Issue</button>`,
+				template.HTMLEscapeString(owner), template.HTMLEscapeString(repo), index)
+		} else {
+			fmt.Fprintf(w, `<span class="state-open" id="issue-state">open</span>
+<button class="btn btn-danger" hx-post="/issues/%s/%s/%d/state" hx-vals='{"state":"closed"}' hx-target="#state-section" hx-swap="innerHTML">Close Issue</button>`,
+				template.HTMLEscapeString(owner), template.HTMLEscapeString(repo), index)
+		}
+		return
+	}
+
+	http.Redirect(w, r, fmt.Sprintf("/issues/%s/%s/%d", owner, repo, index), http.StatusSeeOther)
+}
+
+// SetPullState handles POST /pulls/{owner}/{repo}/{index}/state.
+func (h *Handler) SetPullState(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	owner := r.PathValue("owner")
+	repo := r.PathValue("repo")
+	indexStr := r.PathValue("index")
+
+	index, err := strconv.ParseInt(indexStr, 10, 64)
+	if err != nil {
+		http.Error(w, "invalid pull request index", http.StatusBadRequest)
+		return
+	}
+
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, "bad request", http.StatusBadRequest)
+		return
+	}
+
+	state := r.FormValue("state")
+	if state != "open" && state != "closed" {
+		http.Error(w, "state must be 'open' or 'closed'", http.StatusBadRequest)
+		return
+	}
+
+	if err := h.Client.SetIssueState(r.Context(), token, owner, repo, index, state); err != nil {
+		slog.Error("failed to set pull request state", "error", err, "owner", owner, "repo", repo, "index", index, "state", state)
+		http.Error(w, "failed to update pull request state", http.StatusInternalServerError)
+		return
+	}
+
+	if isHTMX(r) {
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		if state == "closed" {
+			fmt.Fprintf(w, `<span class="state-closed" id="pull-state">closed</span>
+<button class="btn btn-secondary" hx-post="/pulls/%s/%s/%d/state" hx-vals='{"state":"open"}' hx-target="#state-section" hx-swap="innerHTML">Reopen PR</button>`,
+				template.HTMLEscapeString(owner), template.HTMLEscapeString(repo), index)
+		} else {
+			fmt.Fprintf(w, `<span class="state-open" id="pull-state">open</span>
+<button class="btn btn-danger" hx-post="/pulls/%s/%s/%d/state" hx-vals='{"state":"closed"}' hx-target="#state-section" hx-swap="innerHTML">Close PR</button>`,
+				template.HTMLEscapeString(owner), template.HTMLEscapeString(repo), index)
+		}
+		return
+	}
+
+	http.Redirect(w, r, fmt.Sprintf("/pulls/%s/%s/%d", owner, repo, index), http.StatusSeeOther)
+}
+
+// AddComment handles POST /issues/{owner}/{repo}/{index}/comment.
+func (h *Handler) AddComment(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	owner := r.PathValue("owner")
+	repo := r.PathValue("repo")
+	indexStr := r.PathValue("index")
+
+	index, err := strconv.ParseInt(indexStr, 10, 64)
+	if err != nil {
+		http.Error(w, "invalid issue index", http.StatusBadRequest)
+		return
+	}
+
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, "bad request", http.StatusBadRequest)
+		return
+	}
+
+	body := r.FormValue("body")
+	if body == "" {
+		http.Error(w, "comment body is required", http.StatusBadRequest)
+		return
+	}
+
+	comment, err := h.Client.PostComment(r.Context(), token, owner, repo, index, body)
+	if err != nil {
+		slog.Error("failed to post comment", "error", err, "owner", owner, "repo", repo, "index", index)
+		http.Error(w, "failed to post comment", http.StatusInternalServerError)
+		return
+	}
+
+	if isHTMX(r) {
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		fmt.Fprintf(w, `<div class="card comment">
+  <div class="card-meta">%s &middot; %s</div>
+  <div class="card-body">%s</div>
+</div>`, template.HTMLEscapeString(comment.User), template.HTMLEscapeString(comment.CreatedAt), template.HTMLEscapeString(comment.Body))
+		return
+	}
+
+	http.Redirect(w, r, fmt.Sprintf("/issues/%s/%s/%d", owner, repo, index), http.StatusSeeOther)
+}
+
 // SubmitReview handles POST /pulls/{owner}/{repo}/{index}/review.
 func (h *Handler) SubmitReview(w http.ResponseWriter, r *http.Request) {
 	token := getToken(r)

internal/handlers/handlers_test.go

@@ -135,6 +135,135 @@ func TestSubmitReview_MissingEventType(t *testing.T) {
 	}
 }
 
+func TestSetIssueState_InvalidState(t *testing.T) {
+	h := newTestHandler()
+	mux := http.NewServeMux()
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/state", h.SetIssueState)
+
+	req := httptest.NewRequest(http.MethodPost, "/issues/org/repo/1/state", nil)
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	w := httptest.NewRecorder()
+
+	mux.ServeHTTP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusBadRequest)
+	}
+}
+
+func TestSetIssueState_InvalidIndex(t *testing.T) {
+	h := newTestHandler()
+	mux := http.NewServeMux()
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/state", h.SetIssueState)
+
+	req := httptest.NewRequest(http.MethodPost, "/issues/org/repo/abc/state", nil)
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	w := httptest.NewRecorder()
+
+	mux.ServeHTTP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusBadRequest)
+	}
+}
+
+func TestAddComment_EmptyBody(t *testing.T) {
+	h := newTestHandler()
+	mux := http.NewServeMux()
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/comments", h.AddComment)
+
+	req := httptest.NewRequest(http.MethodPost, "/issues/org/repo/1/comments", nil)
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	w := httptest.NewRecorder()
+
+	mux.ServeHTTP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusBadRequest)
+	}
+}
+
+func TestErrorNotFound(t *testing.T) {
+	h := newTestHandler()
+	req := httptest.NewRequest(http.MethodGet, "/nonexistent", nil)
+	w := httptest.NewRecorder()
+
+	h.ErrorNotFound(w, req)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusNotFound)
+	}
+	body := w.Body.String()
+	if body == "" {
+		t.Error("expected non-empty response body")
+	}
+	if !contains(body, "404") {
+		t.Error("expected body to contain '404'")
+	}
+	if !contains(body, "Page Not Found") {
+		t.Error("expected body to contain 'Page Not Found'")
+	}
+}
+
+func TestErrorInternal(t *testing.T) {
+	h := newTestHandler()
+	req := httptest.NewRequest(http.MethodGet, "/error", nil)
+	w := httptest.NewRecorder()
+
+	h.ErrorInternal(w, req)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusInternalServerError)
+	}
+	body := w.Body.String()
+	if body == "" {
+		t.Error("expected non-empty response body")
+	}
+	if !contains(body, "500") {
+		t.Error("expected body to contain '500'")
+	}
+	if !contains(body, "Internal Server Error") {
+		t.Error("expected body to contain 'Internal Server Error'")
+	}
+}
+
+func TestDashboard_NonRootPath_Returns404(t *testing.T) {
+	h := newTestHandler()
+	req := httptest.NewRequest(http.MethodGet, "/unknown/path", nil)
+	w := httptest.NewRecorder()
+
+	h.Dashboard(w, req)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusNotFound)
+	}
+	body := w.Body.String()
+	if !contains(body, "404") {
+		t.Error("expected body to contain '404' for non-root path")
+	}
+}
+
+func TestErrorNotFound_HTMX(t *testing.T) {
+	h := newTestHandler()
+	req := httptest.NewRequest(http.MethodGet, "/nonexistent", nil)
+	req.Header.Set("HX-Request", "true")
+	w := httptest.NewRecorder()
+
+	h.ErrorNotFound(w, req)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusNotFound)
+	}
+	body := w.Body.String()
+	// HTMX response should not contain DOCTYPE.
+	if contains(body, "<!DOCTYPE") {
+		t.Error("HTMX response should not contain DOCTYPE")
+	}
+	if !contains(body, "Page Not Found") {
+		t.Error("expected body to contain 'Page Not Found'")
+	}
+}
+
 func contains(s, substr string) bool {
 	return len(s) >= len(substr) && searchString(s, substr)
 }

internal/handlers/settings.go

@@ -2,6 +2,7 @@ package handlers
 
 import (
 	"html/template"
+	"log/slog"
 	"net/http"
 	"strings"
 
@@ -9,89 +10,7 @@ import (
 	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/middleware"
 )
 
-var settingsTemplate = template.Must(template.New("settings").Parse(`<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="UTF-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1.0, viewport-fit=cover">
-  <title>Settings — Gitea Mobile</title>
-  <style>
-    * { box-sizing: border-box; margin: 0; padding: 0; }
-    body {
-      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
-      background: #0d1117; color: #e6edf3;
-      padding: 1rem;
-      padding-top: max(1rem, env(safe-area-inset-top));
-    }
-    h1 { font-size: 1.5rem; margin-bottom: 1rem; }
-    .card {
-      background: #161b22; border: 1px solid #30363d; border-radius: 8px;
-      padding: 1rem; margin-bottom: 1rem;
-    }
-    label { display: block; font-size: 0.875rem; color: #8b949e; margin-bottom: 0.5rem; }
-    input[type="text"], input[type="password"] {
-      width: 100%; padding: 0.5rem; font-size: 1rem;
-      background: #0d1117; border: 1px solid #30363d; border-radius: 6px;
-      color: #e6edf3; margin-bottom: 1rem;
-    }
-    input:focus { outline: none; border-color: #58a6ff; }
-    button {
-      width: 100%; padding: 0.75rem; font-size: 1rem; font-weight: 600;
-      background: #238636; color: #fff; border: none; border-radius: 6px;
-      cursor: pointer;
-    }
-    button:active { background: #2ea043; }
-    .message {
-      padding: 0.75rem; border-radius: 6px; margin-bottom: 1rem;
-      font-size: 0.875rem;
-    }
-    .message.success { background: #0d2818; border: 1px solid #238636; color: #3fb950; }
-    .message.error { background: #2d1117; border: 1px solid #da3633; color: #f85149; }
-    .message.info { background: #0c1d2e; border: 1px solid #1f6feb; color: #58a6ff; }
-    .hint { font-size: 0.75rem; color: #8b949e; margin-top: 0.25rem; margin-bottom: 1rem; }
-    .status { font-size: 0.875rem; color: #8b949e; }
-    .status .connected { color: #3fb950; }
-    .logout-btn {
-      background: #21262d; border: 1px solid #30363d; margin-top: 0.5rem;
-    }
-    .logout-btn:active { background: #30363d; }
-  </style>
-</head>
-<body>
-  <h1>Settings</h1>
-
-  {{if .Message}}
-  <div class="message {{.MessageType}}">{{.Message}}</div>
-  {{end}}
-
-  {{if .HasToken}}
-  <div class="card">
-    <p class="status">Status: <span class="connected">Connected</span></p>
-    <p class="hint">A Gitea API token is configured.</p>
-    <form method="POST" action="/settings">
-      <input type="hidden" name="action" value="logout">
-      <button type="submit" class="logout-btn">Remove Token</button>
-    </form>
-  </div>
-  {{end}}
-
-  <div class="card">
-    <form method="POST" action="/settings">
-      <input type="hidden" name="action" value="save">
-      <label for="token">Gitea API Token</label>
-      <input type="password" id="token" name="token" placeholder="Enter your Gitea API token" required>
-      <p class="hint">Generate a token at your Gitea instance under Settings &rarr; Applications.</p>
-      <button type="submit">{{if .HasToken}}Update Token{{else}}Save Token{{end}}</button>
-    </form>
-  </div>
-
-  {{if .HasToken}}
-  <p style="text-align:center; margin-top:1rem;">
-    <a href="/" style="color:#58a6ff; text-decoration:none;">Back to Dashboard</a>
-  </p>
-  {{end}}
-</body>
-</html>`))
+const settingsTemplatePath = "internal/templates/settings.html"
 
 // SettingsHandler handles GET and POST requests for the settings page.
 type SettingsHandler struct {
@@ -126,8 +45,7 @@ func (h *SettingsHandler) handleGet(w http.ResponseWriter, r *http.Request) {
 	}
 
 	data := settingsData{HasToken: hasToken}
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
-	settingsTemplate.Execute(w, data)
+	h.renderSettings(w, data)
 }
 
 func (h *SettingsHandler) handlePost(w http.ResponseWriter, r *http.Request) {
@@ -172,6 +90,18 @@ func (h *SettingsHandler) renderWithMessage(w http.ResponseWriter, r *http.Reque
 		Message:     msg,
 		MessageType: msgType,
 	}
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
-	settingsTemplate.Execute(w, data)
+	h.renderSettings(w, data)
+}
+
+func (h *SettingsHandler) renderSettings(w http.ResponseWriter, data settingsData) {
+	tmpl, err := template.ParseFiles(settingsTemplatePath)
+	if err != nil {
+		slog.Error("failed to parse settings template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	if err := tmpl.Execute(w, data); err != nil {
+		slog.Error("failed to execute settings template", "error", err)
+	}
 }

internal/middleware/auth.go

@@ -23,9 +23,12 @@ func TokenFromContext(ctx context.Context) string {
 }
 
 // Auth returns middleware that checks for a valid token cookie.
+// If no cookie token is found and fallbackToken is non-empty, the fallback
+// token is used instead (useful for single-user or service-account deployments
+// where GITEA_TOKEN is set in the environment).
 // Unauthenticated requests are redirected to the settings page.
 // The /health, /settings, and /static/ paths are exempt from auth.
-func Auth(sessionSecret string) func(http.Handler) http.Handler {
+func Auth(sessionSecret, fallbackToken string) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			// Skip auth for exempt paths.
@@ -37,6 +40,13 @@ func Auth(sessionSecret string) func(http.Handler) http.Handler {
 
 			token, err := auth.GetToken(r, sessionSecret)
 			if err != nil || token == "" {
+				// Fall back to environment token if available.
+				if fallbackToken != "" {
+					slog.Debug("using fallback token from environment", "path", path)
+					ctx := context.WithValue(r.Context(), TokenContextKey, fallbackToken)
+					next.ServeHTTP(w, r.WithContext(ctx))
+					return
+				}
 				slog.Debug("unauthenticated request, redirecting to settings", "path", path, "error", err)
 				http.Redirect(w, r, "/settings", http.StatusSeeOther)
 				return

internal/middleware/auth_test.go

@@ -11,7 +11,7 @@ import (
 const testSecret = "test-secret-that-is-at-least-32-chars-long"
 
 func TestAuth_HealthBypass(t *testing.T) {
-	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 
@@ -25,7 +25,7 @@ func TestAuth_HealthBypass(t *testing.T) {
 }
 
 func TestAuth_SettingsBypass(t *testing.T) {
-	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 
@@ -39,7 +39,7 @@ func TestAuth_SettingsBypass(t *testing.T) {
 }
 
 func TestAuth_RedirectWithoutToken(t *testing.T) {
-	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 
@@ -57,7 +57,7 @@ func TestAuth_RedirectWithoutToken(t *testing.T) {
 
 func TestAuth_PassWithToken(t *testing.T) {
 	called := false
-	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		called = true
 		token := TokenFromContext(r.Context())
 		if token != "my-token" {
@@ -83,3 +83,72 @@ func TestAuth_PassWithToken(t *testing.T) {
 		t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
 	}
 }
+
+func TestAuth_FallbackToken_UsedWhenNoCookie(t *testing.T) {
+	called := false
+	handler := Auth(testSecret, "env-fallback-token")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		called = true
+		token := TokenFromContext(r.Context())
+		if token != "env-fallback-token" {
+			t.Errorf("token = %q, want %q", token, "env-fallback-token")
+		}
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if !called {
+		t.Error("next handler was not called with fallback token")
+	}
+	if w.Code != http.StatusOK {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
+	}
+}
+
+func TestAuth_FallbackToken_CookieTakesPrecedence(t *testing.T) {
+	called := false
+	handler := Auth(testSecret, "env-fallback-token")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		called = true
+		token := TokenFromContext(r.Context())
+		if token != "cookie-token" {
+			t.Errorf("token = %q, want %q (cookie should take precedence over fallback)", token, "cookie-token")
+		}
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	// Set a cookie token.
+	cookieW := httptest.NewRecorder()
+	auth.SetTokenCookie(cookieW, "cookie-token", testSecret, false)
+	cookie := cookieW.Result().Cookies()[0]
+
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req.AddCookie(cookie)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if !called {
+		t.Error("next handler was not called")
+	}
+	if w.Code != http.StatusOK {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
+	}
+}
+
+func TestAuth_NoFallbackToken_RedirectsWithoutCookie(t *testing.T) {
+	handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/issues", nil)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != http.StatusSeeOther {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusSeeOther)
+	}
+	if loc := w.Header().Get("Location"); loc != "/settings" {
+		t.Errorf("Location = %q, want %q", loc, "/settings")
+	}
+}

internal/templates/create_issue.html

@@ -0,0 +1,125 @@
+{{define "content"}}
+<h1>Create Issue</h1>
+
+<div id="form-error" class="empty" style="display:none;"></div>
+
+<form id="create-issue-form" hx-post="/issues" hx-swap="innerHTML" hx-target="#main-content">
+  <div class="form-group">
+    <label for="repo-select">Repository</label>
+    <input list="repo-options" id="repo-select" name="owner_repo"
+           placeholder="Type to search repositories..." required autocomplete="off">
+    <datalist id="repo-options">
+      {{range $org, $repos := .Repos}}
+        {{range $repos}}
+        <option value="{{.Owner.Login}}/{{.Name}}">{{.FullName}}</option>
+        {{end}}
+      {{end}}
+    </datalist>
+    <input type="hidden" name="owner" id="owner-input">
+    <input type="hidden" name="repo" id="repo-input">
+  </div>
+
+  <div class="form-group" id="label-section" style="display:none;">
+    <label>Labels</label>
+    <div id="label-list"></div>
+  </div>
+
+  <div class="form-group">
+    <label for="title">Title</label>
+    <input type="text" id="title" name="title" placeholder="Issue title" required>
+  </div>
+
+  <div class="form-group">
+    <label for="body">Description</label>
+    <textarea id="body" name="body" placeholder="Describe the issue..."></textarea>
+  </div>
+
+  <button type="submit" class="btn btn-primary">Create Issue</button>
+</form>
+
+<script>
+  (function() {
+    var repoSelect = document.getElementById('repo-select');
+    var ownerInput = document.getElementById('owner-input');
+    var repoInput = document.getElementById('repo-input');
+    var formError = document.getElementById('form-error');
+
+    // Build a set of valid repo values for validation.
+    var validRepos = {};
+    var options = document.getElementById('repo-options').options;
+    for (var i = 0; i < options.length; i++) {
+      validRepos[options[i].value] = true;
+    }
+
+    function splitOwnerRepo() {
+      var val = repoSelect.value;
+      if (val && val.indexOf('/') !== -1) {
+        var parts = val.split('/');
+        ownerInput.value = parts[0] || '';
+        repoInput.value = parts[1] || '';
+      } else {
+        ownerInput.value = '';
+        repoInput.value = '';
+      }
+    }
+
+    var debounceTimer = null;
+    repoSelect.addEventListener('input', function() {
+      clearTimeout(debounceTimer);
+      debounceTimer = setTimeout(function() {
+        splitOwnerRepo();
+        var labelSection = document.getElementById('label-section');
+        var labelList = document.getElementById('label-list');
+        if (ownerInput.value && repoInput.value && validRepos[repoSelect.value]) {
+          labelList.innerHTML = '<span class="empty">Loading labels...</span>';
+          labelSection.style.display = 'block';
+          htmx.ajax('GET', '/issues/new/labels?owner=' + encodeURIComponent(ownerInput.value) + '&repo=' + encodeURIComponent(repoInput.value), {target: '#label-list', swap: 'innerHTML'});
+        } else {
+          labelSection.style.display = 'none';
+          labelList.innerHTML = '';
+        }
+      }, 300);
+    });
+
+    // Also handle the change event for when a datalist option is selected directly.
+    repoSelect.addEventListener('change', function() {
+      clearTimeout(debounceTimer);
+      splitOwnerRepo();
+      var labelSection = document.getElementById('label-section');
+      var labelList = document.getElementById('label-list');
+      if (ownerInput.value && repoInput.value && validRepos[repoSelect.value]) {
+        labelList.innerHTML = '<span class="empty">Loading labels...</span>';
+        labelSection.style.display = 'block';
+        htmx.ajax('GET', '/issues/new/labels?owner=' + encodeURIComponent(ownerInput.value) + '&repo=' + encodeURIComponent(repoInput.value), {target: '#label-list', swap: 'innerHTML'});
+      } else {
+        labelSection.style.display = 'none';
+        labelList.innerHTML = '';
+      }
+    });
+
+    // Validate before HTMX submit.
+    document.getElementById('create-issue-form').addEventListener('htmx:configRequest', function(evt) {
+      splitOwnerRepo();
+      if (!ownerInput.value || !repoInput.value) {
+        evt.preventDefault();
+        formError.textContent = 'Please select a repository before submitting.';
+        formError.style.display = 'block';
+        return false;
+      }
+      if (!validRepos[repoSelect.value]) {
+        evt.preventDefault();
+        formError.textContent = 'Please select a valid repository from the list.';
+        formError.style.display = 'block';
+        return false;
+      }
+      formError.style.display = 'none';
+    });
+
+    // Show server-side errors inline on HTMX error responses.
+    document.getElementById('create-issue-form').addEventListener('htmx:responseError', function(evt) {
+      formError.textContent = evt.detail.xhr.responseText || 'An error occurred. Please try again.';
+      formError.style.display = 'block';
+    });
+  })();
+</script>
+{{end}}

internal/templates/dashboard.html

@@ -0,0 +1,37 @@
+{{define "content"}}
+<h1>Dashboard</h1>
+
+{{if gt (len .Orgs) 1}}
+<div class="filter-bar">
+  <select name="org" hx-get="/" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true">
+    <option value="">All orgs</option>
+    {{range .Orgs}}
+    <option value="{{.}}" {{if eq . $.SelectedOrg}}selected{{end}}>{{.}}</option>
+    {{end}}
+  </select>
+</div>
+{{end}}
+
+{{if .Error}}
+<p class="empty">{{.Error}}</p>
+{{else if not .Items}}
+<p class="empty">No items need attention. Nice work!</p>
+{{else}}
+<div class="card-grid">
+  {{range .Items}}
+  <div class="card" hx-get="/{{if eq .Type "pull"}}pulls{{else}}issues{{end}}/{{.RepoOwner}}/{{.RepoName}}/{{.Number}}" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true">
+    <div class="card-title">
+      {{if eq .Type "pull"}}<span class="type-badge type-pull">PR</span>{{else}}<span class="type-badge type-issue">issue</span>{{end}}
+      {{.Title}}
+    </div>
+    <div class="card-meta">
+      <span>{{.RepoOwner}}/{{.RepoName}} #{{.Number}}</span>
+      {{range .Labels}}
+      <span class="label">{{.}}</span>
+      {{end}}
+    </div>
+  </div>
+  {{end}}
+</div>
+{{end}}
+{{end}}

internal/templates/error.html

@@ -0,0 +1,23 @@
+{{define "content"}}
+<div class="error-page">
+  <div class="error-icon">
+    {{if eq .Code 404}}
+    <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" width="64" height="64">
+      <circle cx="11" cy="11" r="8"/>
+      <line x1="21" y1="21" x2="16.65" y2="16.65"/>
+      <line x1="8" y1="11" x2="14" y2="11"/>
+    </svg>
+    {{else}}
+    <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" width="64" height="64">
+      <path d="M10.29 3.86L1.82 18a2 2 0 001.71 3h16.94a2 2 0 001.71-3L13.71 3.86a2 2 0 00-3.42 0z"/>
+      <line x1="12" y1="9" x2="12" y2="13"/>
+      <line x1="12" y1="17" x2="12.01" y2="17"/>
+    </svg>
+    {{end}}
+  </div>
+  <h1 class="error-code">{{.Code}}</h1>
+  <p class="error-title">{{.Title}}</p>
+  <p class="error-message">{{.Message}}</p>
+  <a href="/" class="error-home-link">Go to Dashboard</a>
+</div>
+{{end}}

internal/templates/issue_detail.html

@@ -0,0 +1,77 @@
+{{define "content"}}
+<h1>{{.Issue.Title}}</h1>
+
+<div class="card">
+  <div class="card-meta">
+    <span id="state-section">
+      {{if eq .Issue.State "closed"}}
+      <span class="state-closed" id="issue-state">{{.Issue.State}}</span>
+      <button class="btn btn-secondary" hx-post="/issues/{{.Issue.RepoOwner}}/{{.Issue.RepoName}}/{{.Issue.Number}}/state" hx-vals='{"state":"open"}' hx-target="#state-section" hx-swap="innerHTML">Reopen Issue</button>
+      {{else}}
+      <span class="state-open" id="issue-state">{{.Issue.State}}</span>
+      <button class="btn btn-danger" hx-post="/issues/{{.Issue.RepoOwner}}/{{.Issue.RepoName}}/{{.Issue.Number}}/state" hx-vals='{"state":"closed"}' hx-target="#state-section" hx-swap="innerHTML">Close Issue</button>
+      {{end}}
+    </span>
+    <span>{{.Issue.RepoOwner}}/{{.Issue.RepoName}} #{{.Issue.Number}}</span>
+    {{range .Issue.Labels}}
+    <span class="label" style="color:#{{.Color}};border:1px solid #{{.Color}}">{{.Name}}</span>
+    {{end}}
+  </div>
+  {{if .RenderedBody}}
+  <div class="card-body markdown-body">{{.RenderedBody}}</div>
+  {{else if .Issue.Body}}
+  <div class="card-body">{{.Issue.Body}}</div>
+  {{end}}
+</div>
+
+{{if .Comments}}
+<h2>Comments</h2>
+<div id="comments-list">
+{{range .Comments}}
+<div class="comment">
+  <div class="comment-header">
+    <strong>{{.User}}</strong>
+    <span>{{.CreatedAt}}</span>
+  </div>
+  <div class="comment-body">{{.Body}}</div>
+</div>
+{{end}}
+</div>
+{{else}}
+<div id="comments-list"></div>
+{{end}}
+
+<div class="card" style="margin-top:1rem;">
+  <h2>Add Comment</h2>
+  <form hx-post="/issues/{{.Issue.RepoOwner}}/{{.Issue.RepoName}}/{{.Issue.Number}}/comments" hx-target="#comments-list" hx-swap="beforeend" hx-on::after-request="if(event.detail.successful) this.reset()">
+    <textarea name="body" rows="4" placeholder="Write a comment..." required style="width:100%;margin-bottom:0.5rem;"></textarea>
+    <button type="submit" class="btn btn-primary" style="width:auto;padding:0.5rem 1rem;">Comment</button>
+  </form>
+</div>
+
+<div class="card" style="margin-top:1rem;">
+  <h2>Actions</h2>
+  {{if .Collaborators}}
+  <form hx-post="/issues/{{.Issue.RepoOwner}}/{{.Issue.RepoName}}/{{.Issue.Number}}/assignees" hx-swap="outerHTML" style="margin-bottom:0.5rem;">
+    <div class="filter-bar" style="margin-bottom:0.5rem;">
+      <select name="assignee">
+        {{range .Collaborators}}
+        <option value="{{.}}">{{.}}</option>
+        {{end}}
+      </select>
+      <button type="submit" class="btn btn-secondary" style="width:auto;padding:0.5rem 1rem;">Assign</button>
+    </div>
+  </form>
+  {{end}}
+  <form hx-post="/issues/{{.Issue.RepoOwner}}/{{.Issue.RepoName}}/{{.Issue.Number}}/labels" hx-swap="outerHTML" style="margin-bottom:0.5rem;">
+    <div class="filter-bar" style="margin-bottom:0.5rem;">
+      <select name="label_id">
+        {{range .AvailableLabels}}
+        <option value="{{.ID}}">{{.Name}}</option>
+        {{end}}
+      </select>
+      <button type="submit" class="btn btn-secondary" style="width:auto;padding:0.5rem 1rem;">Apply Label</button>
+    </div>
+  </form>
+</div>
+{{end}}

internal/templates/issues.html

@@ -0,0 +1,57 @@
+{{define "cards"}}
+  {{range .Issues}}
+  <div class="card" hx-get="/issues/{{.RepoOwner}}/{{.RepoName}}/{{.Number}}" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true">
+    <div class="card-title">{{.Title}}</div>
+    <div class="card-meta">
+      <span>{{.RepoOwner}}/{{.RepoName}} #{{.Number}}</span>
+      {{range .Labels}}
+      <span class="label" style="color:#{{.Color}};border:1px solid #{{.Color}}">{{.Name}}</span>
+      {{end}}
+      {{if .Assignee}}
+      <img src="{{.Assignee.AvatarURL}}" alt="{{.Assignee.Login}}" class="avatar" title="Assigned to {{.Assignee.Login}}">
+      {{end}}
+    </div>
+  </div>
+  {{end}}
+  {{if .HasMore}}
+  <div class="scroll-sentinel" hx-get="/issues?page={{.NextPage}}&org={{.SelectedOrg}}&state={{.SelectedState}}&label={{.SelectedLabel}}&repo={{.SelectedRepo}}" hx-trigger="revealed" hx-swap="outerHTML" hx-target="this">
+    <div class="spinner htmx-indicator"></div>
+  </div>
+  {{end}}
+{{end}}
+
+{{define "content"}}
+<h1>Issues</h1>
+
+<div class="filter-bar">
+  <select name="org" hx-get="/issues" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='state'],[name='label']">
+    <option value="">All orgs</option>
+    {{range .Orgs}}
+    <option value="{{.}}" {{if eq . $.SelectedOrg}}selected{{end}}>{{.}}</option>
+    {{end}}
+  </select>
+  {{if .Repos}}
+  <select name="repo" hx-get="/issues" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org'],[name='state'],[name='label']">
+    <option value="">All repos</option>
+    {{range .Repos}}<option value="{{.}}" {{if eq . $.SelectedRepo}}selected{{end}}>{{.}}</option>{{end}}
+  </select>
+  {{end}}
+  <select name="state" hx-get="/issues" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org'],[name='repo'],[name='label']">
+    <option value="open" {{if eq .SelectedState "open"}}selected{{end}}>Open</option>
+    <option value="closed" {{if eq .SelectedState "closed"}}selected{{end}}>Closed</option>
+  </select>
+  <input type="text" name="label" placeholder="Filter by label..." value="{{.SelectedLabel}}"
+         hx-get="/issues" hx-trigger="input changed delay:400ms" hx-target="#main-content"
+         hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org'],[name='state'],[name='repo']">
+</div>
+
+{{if .Error}}
+<p class="empty">{{.Error}}</p>
+{{else if not .Issues}}
+<p class="empty">No issues found.</p>
+{{else}}
+<div id="issue-list">
+  {{template "cards" .}}
+</div>
+{{end}}
+{{end}}

internal/templates/layout.html

@@ -0,0 +1,49 @@
+{{define "layout"}}<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0, viewport-fit=cover">
+  <meta name="apple-mobile-web-app-capable" content="yes">
+  <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
+  <meta name="theme-color" content="#161b22">
+  <link rel="manifest" href="/static/manifest.json">
+  <link rel="apple-touch-icon" href="/static/icon-192.png">
+  <title>{{.Title}} — Gitea Mobile</title>
+  <link rel="stylesheet" href="/static/style.css">
+  <script src="/static/htmx.min.js"></script>
+</head>
+<body>
+  <header class="top-bar">
+    <span class="top-bar-title">Gitea Mobile</span>
+    <button class="refresh-btn" hx-get="" hx-target="#main-content" hx-swap="innerHTML" aria-label="Refresh">&#8635;</button>
+  </header>
+  <div class="content" id="main-content">
+    {{template "content" .}}
+  </div>
+  <nav class="bottom-nav">
+    <a href="/" {{if eq .ActiveTab "dashboard"}}class="active"{{end}}>
+      <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M3 9l9-7 9 7v11a2 2 0 01-2 2H5a2 2 0 01-2-2V9z"/></svg>
+      Dashboard
+    </a>
+    <a href="/issues" {{if eq .ActiveTab "issues"}}class="active"{{end}}>
+      <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><circle cx="12" cy="12" r="10"/><line x1="12" y1="8" x2="12" y2="12"/><line x1="12" y1="16" x2="12.01" y2="16"/></svg>
+      Issues
+    </a>
+    <a href="/pulls" {{if eq .ActiveTab "pulls"}}class="active"{{end}}>
+      <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><circle cx="18" cy="18" r="3"/><circle cx="6" cy="6" r="3"/><path d="M6 21V9a9 9 0 009 9"/></svg>
+      PRs
+    </a>
+    <a href="/settings" {{if eq .ActiveTab "settings"}}class="active"{{end}}>
+      <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><circle cx="12" cy="12" r="3"/><path d="M19.4 15a1.65 1.65 0 00.33 1.82l.06.06a2 2 0 010 2.83 2 2 0 01-2.83 0l-.06-.06a1.65 1.65 0 00-1.82-.33 1.65 1.65 0 00-1 1.51V21a2 2 0 01-4 0v-.09A1.65 1.65 0 009 19.4a1.65 1.65 0 00-1.82.33l-.06.06a2 2 0 01-2.83-2.83l.06-.06A1.65 1.65 0 004.68 15a1.65 1.65 0 00-1.51-1H3a2 2 0 010-4h.09A1.65 1.65 0 004.6 9a1.65 1.65 0 00-.33-1.82l-.06-.06a2 2 0 012.83-2.83l.06.06A1.65 1.65 0 009 4.68a1.65 1.65 0 001-1.51V3a2 2 0 014 0v.09a1.65 1.65 0 001 1.51 1.65 1.65 0 001.82-.33l.06-.06a2 2 0 012.83 2.83l-.06.06A1.65 1.65 0 0019.4 9a1.65 1.65 0 001.51 1H21a2 2 0 010 4h-.09a1.65 1.65 0 00-1.51 1z"/></svg>
+      Settings
+    </a>
+  </nav>
+  <script>
+    if ('serviceWorker' in navigator) {
+      navigator.serviceWorker.register('/static/sw.js').catch(function(err) {
+        console.log('SW registration failed:', err);
+      });
+    }
+  </script>
+</body>
+</html>{{end}}

internal/templates/pull_detail.html

@@ -0,0 +1,77 @@
+{{define "content"}}
+<h1>{{.Pull.Title}}</h1>
+
+<div class="card">
+  <div class="card-meta">
+    <span class="type-badge type-pull">PR</span>
+    {{if eq .Pull.State "closed"}}<span class="state-closed">{{.Pull.State}}</span>{{else}}<span class="state-open">{{.Pull.State}}</span>{{end}}
+    <span>{{.Pull.RepoOwner}}/{{.Pull.RepoName}} #{{.Pull.Number}}</span>
+    {{range .Pull.Labels}}
+    <span class="label" style="color:#{{.Color}};border:1px solid #{{.Color}}">{{.Name}}</span>
+    {{end}}
+  </div>
+  <div class="card-meta" style="margin-top:0.5rem;">
+    <span class="diff-add">+{{.Pull.Additions}}</span>
+    <span class="diff-del">-{{.Pull.Deletions}}</span>
+    {{if .Pull.Mergeable}}<span style="color:var(--accent-green);">Mergeable</span>{{end}}
+  </div>
+  <div class="card-meta" style="margin-top:0.5rem;">
+    <span id="state-section">
+      {{if eq .Pull.State "closed"}}
+      <span class="state-closed" id="pull-state">{{.Pull.State}}</span>
+      <button class="btn btn-secondary" hx-post="/pulls/{{.Pull.RepoOwner}}/{{.Pull.RepoName}}/{{.Pull.Number}}/state" hx-vals='{"state":"open"}' hx-target="#state-section" hx-swap="innerHTML">Reopen PR</button>
+      {{else}}
+      <span class="state-open" id="pull-state">{{.Pull.State}}</span>
+      <button class="btn btn-danger" hx-post="/pulls/{{.Pull.RepoOwner}}/{{.Pull.RepoName}}/{{.Pull.Number}}/state" hx-vals='{"state":"closed"}' hx-target="#state-section" hx-swap="innerHTML">Close PR</button>
+      {{end}}
+    </span>
+  </div>
+  {{if .RenderedBody}}
+  <div class="card-body markdown-body">{{.RenderedBody}}</div>
+  {{else if .Pull.Body}}
+  <div class="card-body">{{.Pull.Body}}</div>
+  {{end}}
+</div>
+
+<div class="card" style="margin-top:1rem;">
+  <h2>Submit Review</h2>
+  <form hx-post="/pulls/{{.Pull.RepoOwner}}/{{.Pull.RepoName}}/{{.Pull.Number}}/review" hx-swap="outerHTML">
+    <div class="form-group">
+      <label for="review-body">Comment</label>
+      <textarea id="review-body" name="body" placeholder="Leave a review comment..."></textarea>
+    </div>
+    <div class="review-options">
+      <label class="review-option">
+        <input type="radio" name="event" value="COMMENT" checked>
+        <span>Comment</span>
+      </label>
+      <label class="review-option">
+        <input type="radio" name="event" value="APPROVED">
+        <span>Approve</span>
+      </label>
+      <label class="review-option">
+        <input type="radio" name="event" value="REQUEST_CHANGES">
+        <span>Request Changes</span>
+      </label>
+    </div>
+    <button type="submit" class="btn btn-primary">Submit Review</button>
+  </form>
+</div>
+
+{{if .Comments}}
+<h2>Comments</h2>
+<div id="comments-list">
+{{range .Comments}}
+<div class="comment">
+  <div class="comment-header">
+    <strong>{{.User}}</strong>
+    <span>{{.CreatedAt}}</span>
+  </div>
+  <div class="comment-body">{{.Body}}</div>
+</div>
+{{end}}
+</div>
+{{else}}
+<p class="empty" style="margin-top:1rem;">No comments yet.</p>
+{{end}}
+{{end}}

internal/templates/pulls.html

@@ -0,0 +1,66 @@
+{{define "cards"}}
+  {{range .Pulls}}
+  <div class="card" hx-get="/pulls/{{.RepoOwner}}/{{.RepoName}}/{{.Number}}" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true">
+    <div class="card-title">
+      <span class="type-badge type-pull">PR</span>
+      {{.Title}}
+    </div>
+    <div class="card-meta">
+      <span>{{.RepoOwner}}/{{.RepoName}} #{{.Number}}</span>
+      {{range .Labels}}
+      <span class="label" style="color:#{{.Color}};border:1px solid #{{.Color}}">{{.Name}}</span>
+      {{end}}
+      <span class="diff-add">+{{.Additions}}</span>
+      <span class="diff-del">-{{.Deletions}}</span>
+      {{if eq .ReviewState "approved"}}<span class="review-badge review-approved" title="Approved">&#10003;</span>
+      {{else if eq .ReviewState "changes_requested"}}<span class="review-badge review-changes" title="Changes requested">&#10007;</span>
+      {{else if eq .ReviewState "pending"}}<span class="review-badge review-pending" title="Awaiting review">&#9202;</span>
+      {{end}}
+      {{if .Mergeable}}<span class="merge-badge merge-ready" title="Ready to merge">&#9654; Ready</span>
+      {{else}}<span class="merge-badge merge-conflicts" title="Has conflicts or not mergeable">Conflicts</span>
+      {{end}}
+    </div>
+  </div>
+  {{end}}
+  {{if .HasMore}}
+  <div class="scroll-sentinel" hx-get="/pulls?page={{.NextPage}}&org={{.SelectedOrg}}&state={{.SelectedState}}&label={{.SelectedLabel}}&repo={{.SelectedRepo}}" hx-trigger="revealed" hx-swap="outerHTML" hx-target="this">
+    <div class="spinner htmx-indicator"></div>
+  </div>
+  {{end}}
+{{end}}
+
+{{define "content"}}
+<h1>Pull Requests</h1>
+
+<div class="filter-bar">
+  <select name="org" hx-get="/pulls" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='state'],[name='label']">
+    <option value="">All orgs</option>
+    {{range .Orgs}}
+    <option value="{{.}}" {{if eq . $.SelectedOrg}}selected{{end}}>{{.}}</option>
+    {{end}}
+  </select>
+  {{if .Repos}}
+  <select name="repo" hx-get="/pulls" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org'],[name='state'],[name='label']">
+    <option value="">All repos</option>
+    {{range .Repos}}<option value="{{.}}" {{if eq . $.SelectedRepo}}selected{{end}}>{{.}}</option>{{end}}
+  </select>
+  {{end}}
+  <select name="state" hx-get="/pulls" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org'],[name='repo'],[name='label']">
+    <option value="open" {{if eq .SelectedState "open"}}selected{{end}}>Open</option>
+    <option value="closed" {{if eq .SelectedState "closed"}}selected{{end}}>Closed</option>
+  </select>
+  <input type="text" name="label" placeholder="Filter by label..." value="{{.SelectedLabel}}"
+         hx-get="/pulls" hx-trigger="input changed delay:400ms" hx-target="#main-content"
+         hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org'],[name='state'],[name='repo']">
+</div>
+
+{{if .Error}}
+<p class="empty">{{.Error}}</p>
+{{else if not .Pulls}}
+<p class="empty">No {{.SelectedState}} pull requests found.</p>
+{{else}}
+<div id="pull-list">
+  {{template "cards" .}}
+</div>
+{{end}}
+{{end}}

internal/templates/settings.html

@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0, viewport-fit=cover">
+  <title>Settings — Gitea Mobile</title>
+  <style>
+    * { box-sizing: border-box; margin: 0; padding: 0; }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+      background: #0d1117; color: #e6edf3;
+      padding: 1rem;
+      padding-top: max(1rem, env(safe-area-inset-top));
+    }
+    h1 { font-size: 1.5rem; margin-bottom: 1rem; }
+    .card {
+      background: #161b22; border: 1px solid #30363d; border-radius: 8px;
+      padding: 1rem; margin-bottom: 1rem;
+    }
+    label { display: block; font-size: 0.875rem; color: #8b949e; margin-bottom: 0.5rem; }
+    input[type="text"], input[type="password"] {
+      width: 100%; padding: 0.5rem; font-size: 1rem;
+      background: #0d1117; border: 1px solid #30363d; border-radius: 6px;
+      color: #e6edf3; margin-bottom: 1rem;
+    }
+    input:focus { outline: none; border-color: #58a6ff; }
+    button {
+      width: 100%; padding: 0.75rem; font-size: 1rem; font-weight: 600;
+      background: #238636; color: #fff; border: none; border-radius: 6px;
+      cursor: pointer;
+    }
+    button:active { background: #2ea043; }
+    .message {
+      padding: 0.75rem; border-radius: 6px; margin-bottom: 1rem;
+      font-size: 0.875rem;
+    }
+    .message.success { background: #0d2818; border: 1px solid #238636; color: #3fb950; }
+    .message.error { background: #2d1117; border: 1px solid #da3633; color: #f85149; }
+    .message.info { background: #0c1d2e; border: 1px solid #1f6feb; color: #58a6ff; }
+    .hint { font-size: 0.75rem; color: #8b949e; margin-top: 0.25rem; margin-bottom: 1rem; }
+    .status { font-size: 0.875rem; color: #8b949e; }
+    .status .connected { color: #3fb950; }
+    .logout-btn {
+      background: #21262d; border: 1px solid #30363d; margin-top: 0.5rem;
+    }
+    .logout-btn:active { background: #30363d; }
+  </style>
+</head>
+<body>
+  <h1>Settings</h1>
+
+  {{if .Message}}
+  <div class="message {{.MessageType}}">{{.Message}}</div>
+  {{end}}
+
+  {{if .HasToken}}
+  <div class="card">
+    <p class="status">Status: <span class="connected">Connected</span></p>
+    <p class="hint">A Gitea API token is configured.</p>
+    <form method="POST" action="/settings">
+      <input type="hidden" name="action" value="logout">
+      <button type="submit" class="logout-btn">Remove Token</button>
+    </form>
+  </div>
+  {{end}}
+
+  <div class="card">
+    <form method="POST" action="/settings">
+      <input type="hidden" name="action" value="save">
+      <label for="token">Gitea API Token</label>
+      <input type="password" id="token" name="token" placeholder="Enter your Gitea API token" required>
+      <p class="hint">Generate a token at your Gitea instance under Settings &rarr; Applications.</p>
+      <button type="submit">{{if .HasToken}}Update Token{{else}}Save Token{{end}}</button>
+    </form>
+  </div>
+
+  {{if .HasToken}}
+  <p style="text-align:center; margin-top:1rem;">
+    <a href="/" style="color:#58a6ff; text-decoration:none;">Back to Dashboard</a>
+  </p>
+  {{end}}
+</body>
+</html>

static/manifest.json

@@ -0,0 +1,24 @@
+{
+  "name": "Gitea Mobile",
+  "short_name": "Gitea",
+  "description": "Mobile-first PWA for managing Gitea issues and pull requests",
+  "start_url": "/",
+  "display": "standalone",
+  "background_color": "#0d1117",
+  "theme_color": "#161b22",
+  "orientation": "portrait",
+  "icons": [
+    {
+      "src": "/static/icon-192.png",
+      "sizes": "192x192",
+      "type": "image/png",
+      "purpose": "any maskable"
+    },
+    {
+      "src": "/static/icon-512.png",
+      "sizes": "512x512",
+      "type": "image/png",
+      "purpose": "any maskable"
+    }
+  ]
+}

static/style.css

@@ -0,0 +1,651 @@
+/* Gitea Mobile — Mobile-first CSS
+ * Dark-mode-first: dark colors are the :root defaults.
+ * Light mode is applied via @media (prefers-color-scheme: light).
+ *
+ * Size note: The original ~5KB target was based on the initial Phase 1 scope.
+ * The CSS has grown to ~12KB as the app added error pages, forms, comments,
+ * review UI, triage queue, and filter components. All rules are in active use.
+ * Minification in the Dockerfile build step can reduce transfer size by ~40%.
+ */
+
+/* Reset */
+*, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+
+/* CSS Variables */
+:root {
+  --bg-primary: #0d1117;
+  --bg-secondary: #161b22;
+  --bg-tertiary: #21262d;
+  --border: #30363d;
+  --text-primary: #e6edf3;
+  --text-secondary: #8b949e;
+  --text-link: #58a6ff;
+  --accent-green: #3fb950;
+  --accent-red: #f85149;
+  --accent-yellow: #d29922;
+  --accent-blue: #58a6ff;
+  --accent-purple: #bc8cff;
+  --spacing-xs: 0.25rem;
+  --spacing-sm: 0.5rem;
+  --spacing-md: 0.75rem;
+  --spacing-lg: 1rem;
+  --radius: 8px;
+  --radius-sm: 6px;
+  --radius-pill: 10px;
+  --nav-height: 56px;
+  --font-sm: 0.75rem;
+  --font-base: 0.875rem;
+  --font-lg: 1rem;
+  --font-xl: 1.25rem;
+}
+
+/* Base */
+html {
+  font-size: 16px;
+  -webkit-text-size-adjust: 100%;
+}
+
+body {
+  font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif;
+  background: var(--bg-primary);
+  color: var(--text-primary);
+  line-height: 1.5;
+  padding-bottom: calc(var(--nav-height) + env(safe-area-inset-bottom));
+  -webkit-font-smoothing: antialiased;
+  -moz-osx-font-smoothing: grayscale;
+}
+
+/* Top bar */
+.top-bar {
+  position: sticky;
+  top: 0;
+  z-index: 100;
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  padding: var(--spacing-sm) var(--spacing-lg);
+  padding-top: max(var(--spacing-sm), env(safe-area-inset-top));
+  background: var(--bg-secondary);
+  border-bottom: 1px solid var(--border);
+}
+
+.top-bar-title {
+  font-size: var(--font-base);
+  font-weight: 600;
+  color: var(--text-primary);
+}
+
+.refresh-btn {
+  background: none;
+  border: none;
+  color: var(--text-secondary);
+  font-size: 1.4rem;
+  padding: var(--spacing-xs) var(--spacing-sm);
+  cursor: pointer;
+  -webkit-tap-highlight-color: transparent;
+  line-height: 1;
+  border-radius: var(--radius-sm);
+  transition: color 0.15s ease, background 0.15s ease;
+}
+
+.refresh-btn:active {
+  color: var(--accent-blue);
+  background: var(--bg-tertiary);
+}
+
+.refresh-btn.htmx-request {
+  animation: spin 0.6s linear infinite;
+  pointer-events: none;
+}
+
+/* Content area */
+.content {
+  padding: var(--spacing-lg);
+  padding-top: var(--spacing-lg);
+  max-width: 640px;
+  margin: 0 auto;
+}
+
+/* Typography */
+h1 {
+  font-size: var(--font-xl);
+  font-weight: 700;
+  margin-bottom: var(--spacing-lg);
+}
+
+h2 {
+  font-size: var(--font-lg);
+  font-weight: 600;
+  margin-bottom: var(--spacing-md);
+}
+
+a {
+  color: var(--text-link);
+  text-decoration: none;
+}
+
+a:active {
+  opacity: 0.7;
+}
+
+/* Cards */
+.card {
+  background: var(--bg-secondary);
+  border: 1px solid var(--border);
+  border-radius: var(--radius);
+  padding: var(--spacing-md);
+  margin-bottom: var(--spacing-sm);
+  transition: background 0.15s ease;
+}
+
+.card:active {
+  background: var(--bg-tertiary);
+}
+
+.card-title {
+  font-weight: 600;
+  font-size: var(--font-base);
+  margin-bottom: var(--spacing-xs);
+  line-height: 1.3;
+}
+
+.card-meta {
+  font-size: var(--font-sm);
+  color: var(--text-secondary);
+  display: flex;
+  flex-wrap: wrap;
+  align-items: center;
+  gap: var(--spacing-xs);
+}
+
+.card-body {
+  font-size: var(--font-base);
+  color: var(--text-secondary);
+  margin-top: var(--spacing-sm);
+  line-height: 1.5;
+}
+
+/* Labels / badges */
+.label {
+  display: inline-block;
+  font-size: 0.7rem;
+  padding: 1px 6px;
+  border-radius: var(--radius-pill);
+  font-weight: 500;
+  line-height: 1.5;
+  white-space: nowrap;
+}
+
+.type-badge {
+  font-size: 0.65rem;
+  text-transform: uppercase;
+  font-weight: 700;
+  padding: 1px 5px;
+  border-radius: 4px;
+  white-space: nowrap;
+}
+
+.type-issue {
+  background: rgba(31, 111, 235, 0.13);
+  color: var(--accent-blue);
+  border: 1px solid rgba(31, 111, 235, 0.27);
+}
+
+.type-pull {
+  background: rgba(35, 134, 54, 0.13);
+  color: var(--accent-green);
+  border: 1px solid rgba(35, 134, 54, 0.27);
+}
+
+.state-open {
+  color: var(--accent-green);
+}
+
+.state-closed {
+  color: var(--accent-red);
+}
+
+.state-merged {
+  color: var(--accent-purple);
+}
+
+/* Priority labels */
+.priority-p1 { color: var(--accent-red); border-color: var(--accent-red); }
+.priority-p2 { color: var(--accent-yellow); border-color: var(--accent-yellow); }
+.priority-p3 { color: var(--accent-blue); border-color: var(--accent-blue); }
+
+/* Diff stats */
+.diff-add { color: var(--accent-green); font-size: var(--font-sm); }
+.diff-del { color: var(--accent-red); font-size: var(--font-sm); }
+
+/* Bottom navigation */
+.bottom-nav {
+  position: fixed;
+  bottom: 0;
+  left: 0;
+  right: 0;
+  background: var(--bg-secondary);
+  border-top: 1px solid var(--border);
+  display: flex;
+  justify-content: space-around;
+  align-items: center;
+  height: var(--nav-height);
+  padding-bottom: env(safe-area-inset-bottom);
+  z-index: 100;
+}
+
+.bottom-nav a {
+  color: var(--text-secondary);
+  text-decoration: none;
+  font-size: 0.7rem;
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  padding: 4px 0;
+  min-width: 64px;
+  -webkit-tap-highlight-color: transparent;
+}
+
+.bottom-nav a.active {
+  color: var(--accent-blue);
+}
+
+.bottom-nav svg {
+  width: 22px;
+  height: 22px;
+  margin-bottom: 2px;
+}
+
+/* Filter bar */
+.filter-bar {
+  display: flex;
+  gap: var(--spacing-sm);
+  margin-bottom: var(--spacing-lg);
+  overflow-x: auto;
+  -webkit-overflow-scrolling: touch;
+  scrollbar-width: none;
+  padding-bottom: var(--spacing-xs);
+}
+
+.filter-bar::-webkit-scrollbar {
+  display: none;
+}
+
+.filter-bar select,
+.filter-bar input {
+  background: var(--bg-secondary);
+  border: 1px solid var(--border);
+  border-radius: var(--radius-sm);
+  color: var(--text-primary);
+  padding: var(--spacing-sm) var(--spacing-md);
+  font-size: var(--font-base);
+  min-width: 0;
+  flex-shrink: 0;
+  appearance: none;
+  -webkit-appearance: none;
+}
+
+.filter-bar select:focus,
+.filter-bar input:focus {
+  outline: none;
+  border-color: var(--accent-blue);
+}
+
+/* Forms */
+.form-group {
+  margin-bottom: var(--spacing-lg);
+}
+
+.form-group label {
+  display: block;
+  font-size: var(--font-sm);
+  color: var(--text-secondary);
+  margin-bottom: var(--spacing-sm);
+}
+
+.form-group input,
+.form-group textarea,
+.form-group select {
+  width: 100%;
+  padding: var(--spacing-sm) var(--spacing-md);
+  font-size: var(--font-lg);
+  background: var(--bg-primary);
+  border: 1px solid var(--border);
+  border-radius: var(--radius-sm);
+  color: var(--text-primary);
+  font-family: inherit;
+}
+
+.form-group textarea {
+  min-height: 120px;
+  resize: vertical;
+}
+
+.form-group input:focus,
+.form-group textarea:focus,
+.form-group select:focus {
+  outline: none;
+  border-color: var(--accent-blue);
+}
+
+/* Buttons */
+.btn {
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  padding: var(--spacing-md) var(--spacing-lg);
+  font-size: var(--font-lg);
+  font-weight: 600;
+  border: none;
+  border-radius: var(--radius-sm);
+  cursor: pointer;
+  -webkit-tap-highlight-color: transparent;
+  transition: background 0.15s ease;
+}
+
+.btn-primary {
+  background: #238636;
+  color: #fff;
+  width: 100%;
+}
+
+.btn-primary:active {
+  background: #2ea043;
+}
+
+.btn-secondary {
+  background: var(--bg-tertiary);
+  color: var(--text-primary);
+  border: 1px solid var(--border);
+  width: 100%;
+}
+
+.btn-secondary:active {
+  background: var(--border);
+}
+
+.btn-danger {
+  background: #da363322;
+  color: var(--accent-red);
+  border: 1px solid #da363366;
+  width: 100%;
+}
+
+/* Review form */
+.review-options {
+  display: flex;
+  flex-direction: column;
+  gap: var(--spacing-sm);
+  margin-bottom: var(--spacing-lg);
+}
+
+.review-option {
+  display: flex;
+  align-items: center;
+  gap: var(--spacing-sm);
+  padding: var(--spacing-sm);
+  background: var(--bg-secondary);
+  border: 1px solid var(--border);
+  border-radius: var(--radius-sm);
+  cursor: pointer;
+}
+
+.review-option input[type="radio"] {
+  accent-color: var(--accent-blue);
+}
+
+/* Comments thread */
+.comment {
+  background: var(--bg-secondary);
+  border: 1px solid var(--border);
+  border-radius: var(--radius);
+  margin-bottom: var(--spacing-sm);
+  overflow: hidden;
+}
+
+.comment-header {
+  padding: var(--spacing-sm) var(--spacing-md);
+  background: var(--bg-tertiary);
+  font-size: var(--font-sm);
+  color: var(--text-secondary);
+  display: flex;
+  align-items: center;
+  gap: var(--spacing-sm);
+}
+
+.comment-body {
+  padding: var(--spacing-md);
+  font-size: var(--font-base);
+  line-height: 1.6;
+}
+
+/* Avatar */
+.avatar {
+  width: 20px;
+  height: 20px;
+  border-radius: 50%;
+  vertical-align: middle;
+}
+
+/* Review status badges */
+.review-badge {
+  font-size: 0.7rem;
+  font-weight: 600;
+  padding: 1px 4px;
+  border-radius: var(--radius-pill);
+  vertical-align: middle;
+}
+.review-approved { color: var(--accent-green); }
+.review-changes { color: var(--accent-red); }
+.review-pending { color: var(--accent-yellow); }
+
+/* Merge status badges */
+.merge-badge {
+  font-size: 0.65rem;
+  font-weight: 600;
+  padding: 1px 5px;
+  border-radius: var(--radius-pill);
+  vertical-align: middle;
+}
+.merge-ready { color: var(--accent-green); border: 1px solid var(--accent-green); }
+.merge-conflicts { color: var(--accent-red); border: 1px solid var(--accent-red); }
+
+/* Empty state */
+.empty {
+  text-align: center;
+  color: var(--text-secondary);
+  padding: 3rem var(--spacing-lg);
+  font-size: var(--font-base);
+}
+
+/* Messages */
+.message {
+  padding: var(--spacing-md);
+  border-radius: var(--radius-sm);
+  margin-bottom: var(--spacing-lg);
+  font-size: var(--font-base);
+}
+
+.message.success {
+  background: #0d2818;
+  border: 1px solid #238636;
+  color: var(--accent-green);
+}
+
+.message.error {
+  background: #2d1117;
+  border: 1px solid #da3633;
+  color: var(--accent-red);
+}
+
+.message.info {
+  background: #0c1d2e;
+  border: 1px solid #1f6feb;
+  color: var(--accent-blue);
+}
+
+/* Loading indicator */
+.htmx-indicator {
+  display: none;
+}
+
+.htmx-request .htmx-indicator {
+  display: inline-block;
+}
+
+.spinner {
+  width: 16px;
+  height: 16px;
+  border: 2px solid var(--border);
+  border-top-color: var(--accent-blue);
+  border-radius: 50%;
+  animation: spin 0.6s linear infinite;
+}
+
+@keyframes spin {
+  to { transform: rotate(360deg); }
+}
+
+/* Infinite scroll sentinel */
+.scroll-sentinel {
+  height: 1px;
+  margin-bottom: var(--spacing-lg);
+}
+
+/* Tablet breakpoint: 2-column grid */
+@media (min-width: 640px) {
+  .content {
+    max-width: 960px;
+  }
+
+  .card-grid,
+  #issue-list,
+  #pull-list {
+    display: grid;
+    grid-template-columns: repeat(2, 1fr);
+    gap: var(--spacing-sm);
+  }
+
+  .card-grid .card,
+  #issue-list .card,
+  #pull-list .card {
+    margin-bottom: 0;
+  }
+}
+
+/* Respect reduced motion preference */
+@media (prefers-reduced-motion: reduce) {
+  * {
+    animation-duration: 0.01ms !important;
+    transition-duration: 0.01ms !important;
+  }
+}
+
+/* Dark mode is default; light mode override for prefers-color-scheme: light */
+@media (prefers-color-scheme: light) {
+  :root {
+    --bg-primary: #ffffff;
+    --bg-secondary: #f6f8fa;
+    --bg-tertiary: #eaeef2;
+    --border: #d0d7de;
+    --text-primary: #1f2328;
+    --text-secondary: #656d76;
+    --text-link: #0969da;
+    --accent-green: #1a7f37;
+    --accent-red: #cf222e;
+    --accent-yellow: #9a6700;
+    --accent-blue: #0969da;
+    --accent-purple: #8250df;
+  }
+
+  .message.success {
+    background: #dafbe1;
+    border-color: #1a7f37;
+  }
+
+  .message.error {
+    background: #ffebe9;
+    border-color: #cf222e;
+  }
+
+  .message.info {
+    background: #ddf4ff;
+    border-color: #0969da;
+  }
+
+  .btn-primary {
+    background: #1a7f37;
+  }
+
+  .btn-primary:active {
+    background: #116329;
+  }
+
+  .btn-danger {
+    background: #ffebe9;
+    border-color: #cf222e;
+  }
+
+  .type-issue {
+    background: rgba(9, 105, 218, 0.1);
+    border-color: rgba(9, 105, 218, 0.3);
+  }
+
+  .type-pull {
+    background: rgba(26, 127, 55, 0.1);
+    border-color: rgba(26, 127, 55, 0.3);
+  }
+}
+
+/* Error page */
+.error-page {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  justify-content: center;
+  min-height: 60vh;
+  text-align: center;
+  padding: var(--spacing-lg);
+}
+
+.error-icon {
+  color: var(--text-secondary);
+  margin-bottom: var(--spacing-lg);
+}
+
+.error-code {
+  font-size: 4rem;
+  font-weight: 700;
+  color: var(--text-primary);
+  line-height: 1;
+  margin-bottom: var(--spacing-sm);
+}
+
+.error-title {
+  font-size: var(--font-xl);
+  color: var(--text-primary);
+  margin-bottom: var(--spacing-sm);
+}
+
+.error-message {
+  font-size: var(--font-base);
+  color: var(--text-secondary);
+  margin-bottom: var(--spacing-lg);
+  max-width: 300px;
+}
+
+.error-home-link {
+  display: inline-block;
+  padding: var(--spacing-sm) var(--spacing-lg);
+  background: var(--accent-blue);
+  color: #fff;
+  border-radius: var(--radius);
+  text-decoration: none;
+  font-size: var(--font-base);
+  font-weight: 500;
+  transition: opacity 0.15s;
+}
+
+.error-home-link:active {
+  opacity: 0.8;
+}

static/sw.js

@@ -0,0 +1,86 @@
+// Service Worker for Gitea Mobile PWA
+// Caches the app shell for offline/fast loading.
+
+const CACHE_NAME = 'gitea-mobile-v2';
+const APP_SHELL = [
+  '/',
+  '/static/style.css',
+  '/static/manifest.json',
+  '/static/icon-192.png',
+  '/static/icon-512.png',
+  '/static/htmx.min.js'
+];
+
+// Install: cache app shell resources.
+self.addEventListener('install', (event) => {
+  event.waitUntil(
+    caches.open(CACHE_NAME).then((cache) => {
+      return cache.addAll(APP_SHELL);
+    })
+  );
+  // Activate immediately.
+  self.skipWaiting();
+});
+
+// Activate: clean up old caches.
+self.addEventListener('activate', (event) => {
+  event.waitUntil(
+    caches.keys().then((cacheNames) => {
+      return Promise.all(
+        cacheNames
+          .filter((name) => name !== CACHE_NAME)
+          .map((name) => caches.delete(name))
+      );
+    })
+  );
+  // Take control of all clients immediately.
+  self.clients.claim();
+});
+
+// Fetch: network-first for API/HTML, cache-first for static assets.
+self.addEventListener('fetch', (event) => {
+  const url = new URL(event.request.url);
+
+  // Cache-first for static assets.
+  if (url.pathname.startsWith('/static/')) {
+    event.respondWith(
+      caches.match(event.request).then((cached) => {
+        return cached || fetch(event.request).then((response) => {
+          // Cache the fetched response for next time.
+          const responseClone = response.clone();
+          caches.open(CACHE_NAME).then((cache) => {
+            cache.put(event.request, responseClone);
+          });
+          return response;
+        });
+      })
+    );
+    return;
+  }
+
+  // Network-first for HTML/API requests.
+  if (event.request.headers.get('accept')?.includes('text/html') ||
+      event.request.headers.get('HX-Request')) {
+    event.respondWith(
+      fetch(event.request)
+        .then((response) => {
+          // Cache successful GET responses.
+          if (event.request.method === 'GET' && response.ok) {
+            const responseClone = response.clone();
+            caches.open(CACHE_NAME).then((cache) => {
+              cache.put(event.request, responseClone);
+            });
+          }
+          return response;
+        })
+        .catch(() => {
+          // Fallback to cache if network fails.
+          return caches.match(event.request);
+        })
+    );
+    return;
+  }
+
+  // Default: network only.
+  event.respondWith(fetch(event.request));
+});