chore: add .air.toml for live reload dev workflow

Configures air to build ./cmd/server, watch .go/.html/.css/.js files
under the project tree, and auto-restart on changes. Excludes test
files and vendor directories.

Closes leeworks-agents/gitea-mobile#109

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.air.toml

@@ -0,0 +1,44 @@
+root = "."
+testdata_dir = "testdata"
+tmp_dir = "tmp"
+
+[build]
+  args_bin = []
+  bin = "./tmp/main"
+  cmd = "go build -o ./tmp/main ./cmd/server"
+  delay = 500
+  exclude_dir = ["assets", "tmp", "vendor", "testdata", ".git", "node_modules"]
+  exclude_file = []
+  exclude_regex = ["_test\\.go$"]
+  exclude_unchanged = false
+  follow_symlink = false
+  full_bin = ""
+  include_dir = []
+  include_ext = ["go", "html", "css", "js"]
+  include_file = []
+  kill_delay = "0s"
+  log = "build-errors.log"
+  poll = false
+  poll_interval = 0
+  rerun = false
+  rerun_delay = 500
+  send_interrupt = false
+  stop_on_error = false
+
+[color]
+  app = ""
+  build = "yellow"
+  main = "magenta"
+  runner = "green"
+  watcher = "cyan"
+
+[log]
+  main_only = false
+  time = false
+
+[misc]
+  clean_on_exit = true
+
+[screen]
+  clear_on_rebuild = false
+  keep_scroll = true

.gitea/workflows/build.yaml

@@ -16,7 +16,7 @@ jobs:
           go-version: '1.22'
 
       - name: Run tests
-        run: go test ./...
+        run: go test -race ./...
 
   build:
     runs-on: ubuntu-latest

Dockerfile

@@ -1,7 +1,7 @@
 # Stage 1: Build
 FROM golang:1.22-alpine AS builder
 WORKDIR /app
-COPY go.mod go.sum ./
+COPY go.mod ./
 RUN go mod download
 COPY . .
 RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /gitea-mobile ./cmd/server

cmd/server/main.go

@@ -33,7 +33,7 @@ func main() {
 
 	// Apply middleware chain: logging -> auth.
 	var handler http.Handler = mux
-	handler = middleware.Auth(cfg.SessionSecret)(handler)
+	handler = middleware.Auth(cfg.SessionSecret, cfg.GiteaToken)(handler)
 	handler = middleware.Logging()(handler)
 
 	slog.Info("server starting", "addr", cfg.ListenAddr, "gitea_url", cfg.GiteaURL)

internal/gitea/client.go

@@ -8,8 +8,11 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"log/slog"
+	"math"
 	"net/http"
 	"sort"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -27,6 +30,11 @@ type Client struct {
 	maxConcurrent int
 	// cacheTTL controls how long cache entries remain valid.
 	cacheTTL time.Duration
+
+	// maxRetries is the maximum number of retries for rate-limited requests.
+	maxRetries int
+	// baseRetryDelay is the initial backoff delay before the first retry.
+	baseRetryDelay time.Duration
 }
 
 type cacheEntry struct {
@@ -105,8 +113,9 @@ type PullRequest struct {
 	Deletions int    `json:"deletions"`
 	CreatedAt time.Time `json:"created_at"`
 	UpdatedAt time.Time `json:"updated_at"`
-	RepoOwner string    `json:"-"` // populated after fetch
-	RepoName  string    `json:"-"` // populated after fetch
+	RepoOwner   string `json:"-"` // populated after fetch
+	RepoName    string `json:"-"` // populated after fetch
+	ReviewState string `json:"-"` // aggregated review state: "approved", "changes_requested", "pending", or ""
 }
 
 // TriageItem represents an item in the triage queue.
@@ -128,39 +137,102 @@ func NewClient(baseURL string) *Client {
 		httpClient: &http.Client{
 			Timeout: 30 * time.Second,
 		},
-		cache:         make(map[string]*cacheEntry),
-		maxConcurrent: 5,
-		cacheTTL:      30 * time.Second,
+		cache:          make(map[string]*cacheEntry),
+		maxConcurrent:  5,
+		cacheTTL:       30 * time.Second,
+		maxRetries:     3,
+		baseRetryDelay: 1 * time.Second,
 	}
 }
 
 // doRequest performs an authenticated HTTP request to the Gitea API.
+// It automatically retries on HTTP 429 (rate limit) responses with
+// exponential backoff, respecting the Retry-After header when present.
 func (c *Client) doRequest(ctx context.Context, token, method, path string, body io.Reader) (*http.Response, error) {
 	url := c.baseURL + "/api/v1" + path
 
-	req, err := http.NewRequestWithContext(ctx, method, url, body)
-	if err != nil {
-		return nil, fmt.Errorf("creating request: %w", err)
-	}
-
-	req.Header.Set("Authorization", "token "+token)
-	req.Header.Set("Accept", "application/json")
+	// Read the body once so we can replay it on retries.
+	var bodyBytes []byte
 	if body != nil {
-		req.Header.Set("Content-Type", "application/json")
+		var err error
+		bodyBytes, err = io.ReadAll(body)
+		if err != nil {
+			return nil, fmt.Errorf("reading request body: %w", err)
+		}
 	}
 
-	resp, err := c.httpClient.Do(req)
-	if err != nil {
-		return nil, fmt.Errorf("executing request: %w", err)
+	var lastErr error
+	for attempt := 0; attempt <= c.maxRetries; attempt++ {
+		// Recreate the body reader for each attempt.
+		var reqBody io.Reader
+		if bodyBytes != nil {
+			reqBody = strings.NewReader(string(bodyBytes))
+		}
+
+		req, err := http.NewRequestWithContext(ctx, method, url, reqBody)
+		if err != nil {
+			return nil, fmt.Errorf("creating request: %w", err)
+		}
+
+		req.Header.Set("Authorization", "token "+token)
+		req.Header.Set("Accept", "application/json")
+		if bodyBytes != nil {
+			req.Header.Set("Content-Type", "application/json")
+		}
+
+		resp, err := c.httpClient.Do(req)
+		if err != nil {
+			return nil, fmt.Errorf("executing request: %w", err)
+		}
+
+		// Not rate-limited: handle normally.
+		if resp.StatusCode != http.StatusTooManyRequests {
+			if resp.StatusCode >= 400 {
+				defer resp.Body.Close()
+				respBody, _ := io.ReadAll(resp.Body)
+				return nil, fmt.Errorf("API error %d: %s", resp.StatusCode, string(respBody))
+			}
+			return resp, nil
+		}
+
+		// Rate-limited (429): close body and compute retry delay.
+		resp.Body.Close()
+
+		if attempt == c.maxRetries {
+			lastErr = fmt.Errorf("API rate limit exceeded after %d retries (429)", c.maxRetries)
+			break
+		}
+
+		delay := c.retryDelay(resp, attempt)
+		slog.Warn("rate limited by Gitea API, retrying",
+			"attempt", attempt+1,
+			"max_retries", c.maxRetries,
+			"delay", delay,
+			"path", path,
+		)
+
+		select {
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		case <-time.After(delay):
+			// Continue to next attempt.
+		}
 	}
 
-	if resp.StatusCode >= 400 {
-		defer resp.Body.Close()
-		respBody, _ := io.ReadAll(resp.Body)
-		return nil, fmt.Errorf("API error %d: %s", resp.StatusCode, string(respBody))
-	}
+	return nil, lastErr
+}
 
-	return resp, nil
+// retryDelay computes the delay before the next retry attempt. It uses the
+// Retry-After header value (in seconds) if present, otherwise falls back to
+// exponential backoff: baseRetryDelay * 2^attempt.
+func (c *Client) retryDelay(resp *http.Response, attempt int) time.Duration {
+	if ra := resp.Header.Get("Retry-After"); ra != "" {
+		if seconds, err := strconv.Atoi(ra); err == nil && seconds > 0 {
+			return time.Duration(seconds) * time.Second
+		}
+	}
+	// Exponential backoff: 1s, 2s, 4s, ...
+	return c.baseRetryDelay * time.Duration(math.Pow(2, float64(attempt)))
 }
 
 // getFromCache returns cached data if still valid.
@@ -325,7 +397,9 @@ type PaginatedPulls struct {
 
 // ListAllIssues fetches issues across all repos in the given orgs,
 // using concurrent requests with a semaphore. Results are paginated.
-func (c *Client) ListAllIssues(ctx context.Context, token string, orgs []string, state string, page int) (PaginatedIssues, error) {
+// The label parameter filters issues by label name (empty string means no filter).
+// The repoFilter parameter narrows results to a single repo name (empty means all repos).
+func (c *Client) ListAllIssues(ctx context.Context, token string, orgs []string, state string, page int, label string, repoFilter string) (PaginatedIssues, error) {
 	if state == "" {
 		state = "open"
 	}
@@ -333,7 +407,7 @@ func (c *Client) ListAllIssues(ctx context.Context, token string, orgs []string,
 		page = 1
 	}
 
-	cacheKey := fmt.Sprintf("issues-%s-%s", state, strings.Join(orgs, ","))
+	cacheKey := fmt.Sprintf("issues-%s-%s-%s-%s", state, strings.Join(orgs, ","), label, repoFilter)
 	var allIssues []Issue
 	if cached, ok := c.getFromCache(cacheKey); ok {
 		allIssues = cached.([]Issue)
@@ -348,6 +422,17 @@ func (c *Client) ListAllIssues(ctx context.Context, token string, orgs []string,
 			allRepos = append(allRepos, repos...)
 		}
 
+		// Filter to a single repo if specified.
+		if repoFilter != "" {
+			var filtered []Repo
+			for _, r := range allRepos {
+				if r.Name == repoFilter {
+					filtered = append(filtered, r)
+				}
+			}
+			allRepos = filtered
+		}
+
 		// Fan out issue fetching across repos.
 		var mu sync.Mutex
 		sem := make(chan struct{}, c.maxConcurrent)
@@ -362,6 +447,9 @@ func (c *Client) ListAllIssues(ctx context.Context, token string, orgs []string,
 				defer func() { <-sem }()
 
 				path := fmt.Sprintf("/repos/%s/issues?state=%s&type=issues&limit=50", r.FullName, state)
+				if label != "" {
+					path += "&labels=" + label
+				}
 				resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
 				if err != nil {
 					mu.Lock()
@@ -424,8 +512,9 @@ func (c *Client) ListAllIssues(ctx context.Context, token string, orgs []string,
 }
 
 // ListAllPullRequests fetches PRs across all repos in the given orgs.
-// Results are paginated.
-func (c *Client) ListAllPullRequests(ctx context.Context, token string, orgs []string, state string, page int) (PaginatedPulls, error) {
+// Results are paginated. The label parameter filters PRs by label name.
+// The repoFilter parameter narrows results to a single repo name.
+func (c *Client) ListAllPullRequests(ctx context.Context, token string, orgs []string, state string, page int, label string, repoFilter string) (PaginatedPulls, error) {
 	if state == "" {
 		state = "open"
 	}
@@ -433,7 +522,7 @@ func (c *Client) ListAllPullRequests(ctx context.Context, token string, orgs []s
 		page = 1
 	}
 
-	cacheKey := fmt.Sprintf("pulls-%s-%s", state, strings.Join(orgs, ","))
+	cacheKey := fmt.Sprintf("pulls-%s-%s-%s-%s", state, strings.Join(orgs, ","), label, repoFilter)
 	var allPRs []PullRequest
 	if cached, ok := c.getFromCache(cacheKey); ok {
 		allPRs = cached.([]PullRequest)
@@ -447,6 +536,17 @@ func (c *Client) ListAllPullRequests(ctx context.Context, token string, orgs []s
 			allRepos = append(allRepos, repos...)
 		}
 
+		// Filter to a single repo if specified.
+		if repoFilter != "" {
+			var filtered []Repo
+			for _, r := range allRepos {
+				if r.Name == repoFilter {
+					filtered = append(filtered, r)
+				}
+			}
+			allRepos = filtered
+		}
+
 		var mu sync.Mutex
 		sem := make(chan struct{}, c.maxConcurrent)
 		var wg sync.WaitGroup
@@ -460,6 +560,9 @@ func (c *Client) ListAllPullRequests(ctx context.Context, token string, orgs []s
 				defer func() { <-sem }()
 
 				path := fmt.Sprintf("/repos/%s/pulls?state=%s&limit=50", r.FullName, state)
+				if label != "" {
+					path += "&labels=" + label
+				}
 				resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
 				if err != nil {
 					mu.Lock()
@@ -524,7 +627,7 @@ func (c *Client) GetTriageQueue(ctx context.Context, token string, orgs []string
 	// Collect all open issues across all pages.
 	var issues []Issue
 	for page := 1; ; page++ {
-		result, err := c.ListAllIssues(ctx, token, orgs, "open", page)
+		result, err := c.ListAllIssues(ctx, token, orgs, "open", page, "", "")
 		if err != nil {
 			return nil, fmt.Errorf("fetching issues for triage: %w", err)
 		}
@@ -537,7 +640,7 @@ func (c *Client) GetTriageQueue(ctx context.Context, token string, orgs []string
 	// Collect all open PRs across all pages.
 	var prs []PullRequest
 	for page := 1; ; page++ {
-		result, err := c.ListAllPullRequests(ctx, token, orgs, "open", page)
+		result, err := c.ListAllPullRequests(ctx, token, orgs, "open", page, "", "")
 		if err != nil {
 			return nil, fmt.Errorf("fetching PRs for triage: %w", err)
 		}
@@ -753,6 +856,49 @@ func (c *Client) ApplyLabel(ctx context.Context, token, owner, repo string, inde
 	return nil
 }
 
+// ListCollaborators fetches the list of collaborators (users with access) for a repo.
+func (c *Client) ListCollaborators(ctx context.Context, token, owner, repo string) ([]string, error) {
+	path := fmt.Sprintf("/repos/%s/%s/collaborators?limit=50", owner, repo)
+	resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+	if err != nil {
+		return nil, fmt.Errorf("fetching collaborators: %w", err)
+	}
+	defer resp.Body.Close()
+
+	var users []struct {
+		Login string `json:"login"`
+	}
+	if err := json.NewDecoder(resp.Body).Decode(&users); err != nil {
+		return nil, fmt.Errorf("decoding collaborators: %w", err)
+	}
+
+	var logins []string
+	for _, u := range users {
+		logins = append(logins, u.Login)
+	}
+	return logins, nil
+}
+
+// AssignIssue sets the assignees on an issue.
+func (c *Client) AssignIssue(ctx context.Context, token, owner, repo string, index int64, assignees []string) error {
+	payload, err := json.Marshal(map[string]interface{}{
+		"assignees": assignees,
+	})
+	if err != nil {
+		return fmt.Errorf("marshaling assignees: %w", err)
+	}
+
+	path := fmt.Sprintf("/repos/%s/%s/issues/%d", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodPatch, path, strings.NewReader(string(payload)))
+	if err != nil {
+		return fmt.Errorf("assigning issue: %w", err)
+	}
+	resp.Body.Close()
+
+	c.InvalidateAll()
+	return nil
+}
+
 // SubmitReview submits a review on a pull request.
 func (c *Client) SubmitReview(ctx context.Context, token, owner, repo string, index int64, reviewType, body string) error {
 	payload := map[string]interface{}{
@@ -778,15 +924,20 @@ func (c *Client) SubmitReview(ctx context.Context, token, owner, repo string, in
 
 // CloseIssue closes an issue by setting its state to "closed".
 func (c *Client) CloseIssue(ctx context.Context, token, owner, repo string, index int64) error {
-	payload, err := json.Marshal(map[string]string{"state": "closed"})
+	return c.SetIssueState(ctx, token, owner, repo, index, "closed")
+}
+
+// SetIssueState sets an issue's state (e.g. "open" or "closed").
+func (c *Client) SetIssueState(ctx context.Context, token, owner, repo string, index int64, state string) error {
+	payload, err := json.Marshal(map[string]string{"state": state})
 	if err != nil {
-		return fmt.Errorf("marshaling close request: %w", err)
+		return fmt.Errorf("marshaling state change: %w", err)
 	}
 
 	path := fmt.Sprintf("/repos/%s/%s/issues/%d", owner, repo, index)
 	resp, err := c.doRequest(ctx, token, http.MethodPatch, path, strings.NewReader(string(payload)))
 	if err != nil {
-		return fmt.Errorf("closing issue: %w", err)
+		return fmt.Errorf("setting issue state: %w", err)
 	}
 	resp.Body.Close()
 
@@ -794,6 +945,11 @@ func (c *Client) CloseIssue(ctx context.Context, token, owner, repo string, inde
 	return nil
 }
 
+// AddComment creates a comment on an issue and returns the created Comment.
+func (c *Client) AddComment(ctx context.Context, token, owner, repo string, index int64, body string) (*Comment, error) {
+	return c.PostComment(ctx, token, owner, repo, index, body)
+}
+
 // PostComment creates a comment on an issue and returns the created Comment.
 func (c *Client) PostComment(ctx context.Context, token, owner, repo string, index int64, body string) (*Comment, error) {
 	payload, err := json.Marshal(map[string]string{"body": body})
@@ -860,6 +1016,74 @@ func (c *Client) RenderMarkdown(ctx context.Context, token, text string) (string
 	return string(rendered), nil
 }
 
+// Review represents a single review on a pull request.
+type Review struct {
+	ID   int64  `json:"id"`
+	Body string `json:"body"`
+	State string `json:"state"` // "APPROVED", "REQUEST_CHANGES", "COMMENT", "PENDING"
+	User  struct {
+		Login string `json:"login"`
+	} `json:"user"`
+}
+
+// GetPullReviewState fetches reviews for a PR and returns the aggregate state.
+// Priority: changes_requested > approved > pending > "" (no reviews).
+func (c *Client) GetPullReviewState(ctx context.Context, token, owner, repo string, index int64) string {
+	path := fmt.Sprintf("/repos/%s/%s/pulls/%d/reviews?limit=50", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+	if err != nil {
+		return ""
+	}
+	defer resp.Body.Close()
+
+	var reviews []Review
+	if err := json.NewDecoder(resp.Body).Decode(&reviews); err != nil {
+		return ""
+	}
+
+	if len(reviews) == 0 {
+		return ""
+	}
+
+	// Aggregate: last non-comment review per user wins, then pick the "worst" state.
+	userState := make(map[string]string)
+	for _, r := range reviews {
+		switch r.State {
+		case "APPROVED", "REQUEST_CHANGES":
+			userState[r.User.Login] = r.State
+		}
+	}
+
+	if len(userState) == 0 {
+		return "pending"
+	}
+
+	for _, s := range userState {
+		if s == "REQUEST_CHANGES" {
+			return "changes_requested"
+		}
+	}
+	return "approved"
+}
+
+// EnrichPullsWithReviewState fetches review state for each PR concurrently.
+func (c *Client) EnrichPullsWithReviewState(ctx context.Context, token string, pulls []PullRequest) {
+	sem := make(chan struct{}, c.maxConcurrent)
+	var wg sync.WaitGroup
+
+	for i := range pulls {
+		wg.Add(1)
+		go func(idx int) {
+			defer wg.Done()
+			sem <- struct{}{}
+			defer func() { <-sem }()
+
+			pulls[idx].ReviewState = c.GetPullReviewState(ctx, token, pulls[idx].RepoOwner, pulls[idx].RepoName, pulls[idx].Number)
+		}(i)
+	}
+	wg.Wait()
+}
+
 // priorityScore returns a numeric score for sorting (lower = higher priority).
 func priorityScore(labels []string) int {
 	for _, l := range labels {

internal/handlers/handlers.go

@@ -39,9 +39,13 @@ func (h *Handler) RegisterRoutes(mux *http.ServeMux) {
 	// Issues.
 	mux.HandleFunc("GET /issues", h.ListIssues)
 	mux.HandleFunc("GET /issues/new", h.NewIssue)
+	mux.HandleFunc("GET /issues/new/labels", h.NewIssueLabels)
 	mux.HandleFunc("POST /issues", h.CreateIssue)
 	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/labels", h.ApplyLabels)
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/assignees", h.AssignIssue)
 	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/close", h.CloseIssue)
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/state", h.SetIssueState)
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/comments", h.AddComment)
 	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/comment", h.AddComment)
 
 	// Issue detail.
@@ -51,6 +55,7 @@ func (h *Handler) RegisterRoutes(mux *http.ServeMux) {
 	mux.HandleFunc("GET /pulls", h.ListPulls)
 	mux.HandleFunc("GET /pulls/{owner}/{repo}/{index}", h.PullDetail)
 	mux.HandleFunc("POST /pulls/{owner}/{repo}/{index}/review", h.SubmitReview)
+	mux.HandleFunc("POST /pulls/{owner}/{repo}/{index}/state", h.SetPullState)
 
 	// Settings (handled separately for auth bypass).
 	settingsHandler := &SettingsHandler{
@@ -115,6 +120,10 @@ var basePage = template.Must(template.New("base").Parse(`<!DOCTYPE html>
   <script src="/static/htmx.min.js"></script>
 </head>
 <body>
+  <header class="top-bar">
+    <span class="top-bar-title">Gitea Mobile</span>
+    <button class="refresh-btn" hx-get="" hx-target="#main-content" hx-swap="innerHTML" aria-label="Refresh">&#8635;</button>
+  </header>
   <div class="content" id="main-content">
     {{.Content}}
   </div>
@@ -172,28 +181,87 @@ func renderPage(w http.ResponseWriter, r *http.Request, title, activeTab string,
 	}
 }
 
+// errorData holds the template data for error pages.
+type errorData struct {
+	Code    int
+	Title   string
+	Message string
+}
+
+// ErrorNotFound renders a mobile-friendly 404 error page.
+func (h *Handler) ErrorNotFound(w http.ResponseWriter, r *http.Request) {
+	data := errorData{
+		Code:    http.StatusNotFound,
+		Title:   "Page Not Found",
+		Message: "The page you are looking for does not exist or has been moved.",
+	}
+	h.renderError(w, r, data)
+}
+
+// ErrorInternal renders a mobile-friendly 500 error page.
+func (h *Handler) ErrorInternal(w http.ResponseWriter, r *http.Request) {
+	data := errorData{
+		Code:    http.StatusInternalServerError,
+		Title:   "Internal Server Error",
+		Message: "Something went wrong on our end. Please try again later.",
+	}
+	h.renderError(w, r, data)
+}
+
+// renderError renders the error template with the given data and status code.
+func (h *Handler) renderError(w http.ResponseWriter, r *http.Request, data errorData) {
+	tmpl, err := template.ParseFiles("internal/templates/error.html")
+	if err != nil {
+		slog.Error("failed to parse error template", "error", err)
+		http.Error(w, fmt.Sprintf("%d %s", data.Code, data.Title), data.Code)
+		return
+	}
+
+	var buf strings.Builder
+	if err := tmpl.ExecuteTemplate(&buf, "content", data); err != nil {
+		slog.Error("failed to execute error template", "error", err)
+		http.Error(w, fmt.Sprintf("%d %s", data.Code, data.Title), data.Code)
+		return
+	}
+
+	w.WriteHeader(data.Code)
+	renderPage(w, r, data.Title, "", buf.String())
+}
+
 // Dashboard handles GET / — the triage queue.
 func (h *Handler) Dashboard(w http.ResponseWriter, r *http.Request) {
 	// Only handle exact root path.
 	if r.URL.Path != "/" {
-		http.NotFound(w, r)
+		h.ErrorNotFound(w, r)
 		return
 	}
 
 	token := getToken(r)
 	orgs := h.getUserOrgs(r)
+	selectedOrg := r.URL.Query().Get("org")
 
 	type dashboardData struct {
-		Items []giteaclient.TriageItem
-		Error string
+		Items       []giteaclient.TriageItem
+		Orgs        []string
+		SelectedOrg string
+		Error       string
 	}
 
-	var data dashboardData
+	data := dashboardData{
+		Orgs:        orgs,
+		SelectedOrg: selectedOrg,
+	}
 
 	if len(orgs) == 0 {
 		data.Error = "No organizations found. Check your token permissions."
 	} else {
-		queue, err := h.Client.GetTriageQueue(r.Context(), token, orgs)
+		// Determine which orgs to query.
+		queryOrgs := orgs
+		if selectedOrg != "" {
+			queryOrgs = []string{selectedOrg}
+		}
+
+		queue, err := h.Client.GetTriageQueue(r.Context(), token, queryOrgs)
 		if err != nil {
 			slog.Error("failed to get triage queue", "error", err)
 			data.Error = "Error loading triage queue."
@@ -229,6 +297,9 @@ func (h *Handler) ListIssues(w http.ResponseWriter, r *http.Request) {
 		Orgs          []string
 		SelectedOrg   string
 		SelectedState string
+		SelectedLabel string
+		SelectedRepo  string
+		Repos         []string
 		HasMore       bool
 		NextPage      int
 		Error         string
@@ -239,6 +310,8 @@ func (h *Handler) ListIssues(w http.ResponseWriter, r *http.Request) {
 	if selectedState == "" {
 		selectedState = "open"
 	}
+	selectedLabel := r.URL.Query().Get("label")
+	selectedRepo := r.URL.Query().Get("repo")
 	page, _ := strconv.Atoi(r.URL.Query().Get("page"))
 	if page < 1 {
 		page = 1
@@ -248,6 +321,8 @@ func (h *Handler) ListIssues(w http.ResponseWriter, r *http.Request) {
 		Orgs:          orgNames,
 		SelectedOrg:   selectedOrg,
 		SelectedState: selectedState,
+		SelectedLabel: selectedLabel,
+		SelectedRepo:  selectedRepo,
 	}
 
 	if len(orgNames) == 0 {
@@ -257,9 +332,19 @@ func (h *Handler) ListIssues(w http.ResponseWriter, r *http.Request) {
 		queryOrgs := orgNames
 		if selectedOrg != "" {
 			queryOrgs = []string{selectedOrg}
+
+			// Populate repo list for the selected org.
+			repos, err := h.Client.ListOrgRepos(r.Context(), token, selectedOrg)
+			if err != nil {
+				slog.Warn("failed to list repos for org filter", "error", err, "org", selectedOrg)
+			} else {
+				for _, repo := range repos {
+					data.Repos = append(data.Repos, repo.Name)
+				}
+			}
 		}
 
-		result, err := h.Client.ListAllIssues(r.Context(), token, queryOrgs, selectedState, page)
+		result, err := h.Client.ListAllIssues(r.Context(), token, queryOrgs, selectedState, page, selectedLabel, selectedRepo)
 		if err != nil {
 			slog.Error("failed to list issues", "error", err)
 			data.Error = "Error loading issues."
@@ -314,23 +399,36 @@ func (h *Handler) ListPulls(w http.ResponseWriter, r *http.Request) {
 	orgNames := h.getUserOrgs(r)
 
 	type pullsData struct {
-		Pulls       []giteaclient.PullRequest
-		Orgs        []string
-		SelectedOrg string
-		HasMore     bool
-		NextPage    int
-		Error       string
+		Pulls         []giteaclient.PullRequest
+		Orgs          []string
+		SelectedOrg   string
+		SelectedState string
+		SelectedLabel string
+		SelectedRepo  string
+		Repos         []string
+		HasMore       bool
+		NextPage      int
+		Error         string
 	}
 
 	selectedOrg := r.URL.Query().Get("org")
+	selectedState := r.URL.Query().Get("state")
+	if selectedState == "" {
+		selectedState = "open"
+	}
+	selectedLabel := r.URL.Query().Get("label")
+	selectedRepo := r.URL.Query().Get("repo")
 	page, _ := strconv.Atoi(r.URL.Query().Get("page"))
 	if page < 1 {
 		page = 1
 	}
 
 	data := pullsData{
-		Orgs:        orgNames,
-		SelectedOrg: selectedOrg,
+		Orgs:          orgNames,
+		SelectedOrg:   selectedOrg,
+		SelectedState: selectedState,
+		SelectedLabel: selectedLabel,
+		SelectedRepo:  selectedRepo,
 	}
 
 	if len(orgNames) == 0 {
@@ -339,9 +437,19 @@ func (h *Handler) ListPulls(w http.ResponseWriter, r *http.Request) {
 		queryOrgs := orgNames
 		if selectedOrg != "" {
 			queryOrgs = []string{selectedOrg}
+
+			// Populate repo list for the selected org.
+			repos, err := h.Client.ListOrgRepos(r.Context(), token, selectedOrg)
+			if err != nil {
+				slog.Warn("failed to list repos for org filter", "error", err, "org", selectedOrg)
+			} else {
+				for _, repo := range repos {
+					data.Repos = append(data.Repos, repo.Name)
+				}
+			}
 		}
 
-		result, err := h.Client.ListAllPullRequests(r.Context(), token, queryOrgs, "open", page)
+		result, err := h.Client.ListAllPullRequests(r.Context(), token, queryOrgs, selectedState, page, selectedLabel, selectedRepo)
 		if err != nil {
 			slog.Error("failed to list pull requests", "error", err)
 			data.Error = "Error loading pull requests."
@@ -351,6 +459,10 @@ func (h *Handler) ListPulls(w http.ResponseWriter, r *http.Request) {
 			if result.HasMore {
 				data.NextPage = page + 1
 			}
+			// Enrich PRs with review state for status icons.
+			if len(data.Pulls) > 0 {
+				h.Client.EnrichPullsWithReviewState(r.Context(), token, data.Pulls)
+			}
 		}
 	}
 
@@ -423,6 +535,12 @@ func (h *Handler) IssueDetail(w http.ResponseWriter, r *http.Request) {
 		labels = nil
 	}
 
+	collaborators, err := h.Client.ListCollaborators(r.Context(), token, owner, repo)
+	if err != nil {
+		slog.Error("failed to get collaborators", "error", err)
+		collaborators = nil
+	}
+
 	// Render markdown body if present.
 	var renderedBody template.HTML
 	if issue.Body != "" {
@@ -447,6 +565,7 @@ func (h *Handler) IssueDetail(w http.ResponseWriter, r *http.Request) {
 		RenderedBody    template.HTML
 		Comments        []giteaclient.Comment
 		AvailableLabels []giteaclient.Label
+		Collaborators   []string
 	}
 
 	data := templateData{
@@ -454,6 +573,7 @@ func (h *Handler) IssueDetail(w http.ResponseWriter, r *http.Request) {
 		RenderedBody:    renderedBody,
 		Comments:        comments,
 		AvailableLabels: labels,
+		Collaborators:   collaborators,
 	}
 
 	var buf strings.Builder
@@ -498,6 +618,13 @@ func (h *Handler) PullDetail(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
+	// Fetch comments for this PR (Gitea uses the issues endpoint for PR comments).
+	comments, err := h.Client.GetIssueComments(r.Context(), token, owner, repo, index)
+	if err != nil {
+		slog.Warn("failed to fetch PR comments", "error", err, "owner", owner, "repo", repo, "index", index)
+		// Non-fatal: continue rendering without comments.
+	}
+
 	// Build the content HTML using the template.
 	tmpl, err := template.ParseFiles("internal/templates/pull_detail.html")
 	if err != nil {
@@ -509,11 +636,13 @@ func (h *Handler) PullDetail(w http.ResponseWriter, r *http.Request) {
 	type templateData struct {
 		Pull         *giteaclient.PullRequest
 		RenderedBody template.HTML
+		Comments     []giteaclient.Comment
 	}
 
 	data := templateData{
 		Pull:         pr,
 		RenderedBody: renderedBody,
+		Comments:     comments,
 	}
 
 	var buf strings.Builder
@@ -561,6 +690,38 @@ func (h *Handler) NewIssue(w http.ResponseWriter, r *http.Request) {
 	renderPage(w, r, "New Issue", "issues", buf.String())
 }
 
+// NewIssueLabels handles GET /issues/new/labels — returns label checkboxes for a repo.
+func (h *Handler) NewIssueLabels(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	owner := r.URL.Query().Get("owner")
+	repo := r.URL.Query().Get("repo")
+
+	if owner == "" || repo == "" {
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		fmt.Fprint(w, `<span class="empty">Select a repository first.</span>`)
+		return
+	}
+
+	labels, err := h.Client.GetRepoLabels(r.Context(), token, owner, repo)
+	if err != nil {
+		slog.Error("failed to fetch labels", "error", err, "owner", owner, "repo", repo)
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		fmt.Fprint(w, `<span class="empty">Error loading labels.</span>`)
+		return
+	}
+
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	if len(labels) == 0 {
+		fmt.Fprint(w, `<span class="empty">No labels available for this repository.</span>`)
+		return
+	}
+
+	for _, l := range labels {
+		fmt.Fprintf(w, `<label style="display:inline-block;margin:0.25rem 0.5rem 0.25rem 0;cursor:pointer;"><input type="checkbox" name="label_ids" value="%d" style="margin-right:0.25rem;"> <span class="label" style="color:#%s;border:1px solid #%s">%s</span></label>`,
+			l.ID, template.HTMLEscapeString(l.Color), template.HTMLEscapeString(l.Color), template.HTMLEscapeString(l.Name))
+	}
+}
+
 // CreateIssue handles POST /issues.
 func (h *Handler) CreateIssue(w http.ResponseWriter, r *http.Request) {
 	token := getToken(r)
@@ -574,6 +735,15 @@ func (h *Handler) CreateIssue(w http.ResponseWriter, r *http.Request) {
 	title := r.FormValue("title")
 	body := r.FormValue("body")
 
+	// Parse label IDs from form checkboxes.
+	var labelIDs []int64
+	for _, idStr := range r.Form["label_ids"] {
+		id, err := strconv.ParseInt(idStr, 10, 64)
+		if err == nil {
+			labelIDs = append(labelIDs, id)
+		}
+	}
+
 	if owner == "" || repo == "" || title == "" {
 		if isHTMX(r) {
 			w.Header().Set("Content-Type", "text/html; charset=utf-8")
@@ -585,7 +755,7 @@ func (h *Handler) CreateIssue(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	issue, err := h.Client.CreateIssue(r.Context(), token, owner, repo, title, body, nil)
+	issue, err := h.Client.CreateIssue(r.Context(), token, owner, repo, title, body, labelIDs)
 	if err != nil {
 		slog.Error("failed to create issue", "error", err)
 		if isHTMX(r) {
@@ -654,6 +824,45 @@ func (h *Handler) ApplyLabels(w http.ResponseWriter, r *http.Request) {
 	http.Redirect(w, r, fmt.Sprintf("/issues/%s/%s/%d", owner, repo, index), http.StatusSeeOther)
 }
 
+// AssignIssue handles POST /issues/{owner}/{repo}/{index}/assignees.
+func (h *Handler) AssignIssue(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	owner := r.PathValue("owner")
+	repo := r.PathValue("repo")
+	indexStr := r.PathValue("index")
+
+	index, err := strconv.ParseInt(indexStr, 10, 64)
+	if err != nil {
+		http.Error(w, "invalid issue index", http.StatusBadRequest)
+		return
+	}
+
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, "bad request", http.StatusBadRequest)
+		return
+	}
+
+	assignee := r.FormValue("assignee")
+	if assignee == "" {
+		http.Error(w, "assignee is required", http.StatusBadRequest)
+		return
+	}
+
+	if err := h.Client.AssignIssue(r.Context(), token, owner, repo, index, []string{assignee}); err != nil {
+		slog.Error("failed to assign issue", "error", err, "owner", owner, "repo", repo, "index", index, "assignee", assignee)
+		http.Error(w, "failed to assign issue", http.StatusInternalServerError)
+		return
+	}
+
+	if isHTMX(r) {
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		fmt.Fprintf(w, `<span style="color:#3fb950">Assigned to %s</span>`, template.HTMLEscapeString(assignee))
+		return
+	}
+
+	http.Redirect(w, r, fmt.Sprintf("/issues/%s/%s/%d", owner, repo, index), http.StatusSeeOther)
+}
+
 // CloseIssue handles POST /issues/{owner}/{repo}/{index}/close.
 func (h *Handler) CloseIssue(w http.ResponseWriter, r *http.Request) {
 	token := getToken(r)
@@ -682,6 +891,100 @@ func (h *Handler) CloseIssue(w http.ResponseWriter, r *http.Request) {
 	http.Redirect(w, r, fmt.Sprintf("/issues/%s/%s/%d", owner, repo, index), http.StatusSeeOther)
 }
 
+// SetIssueState handles POST /issues/{owner}/{repo}/{index}/state.
+func (h *Handler) SetIssueState(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	owner := r.PathValue("owner")
+	repo := r.PathValue("repo")
+	indexStr := r.PathValue("index")
+
+	index, err := strconv.ParseInt(indexStr, 10, 64)
+	if err != nil {
+		http.Error(w, "invalid issue index", http.StatusBadRequest)
+		return
+	}
+
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, "bad request", http.StatusBadRequest)
+		return
+	}
+
+	state := r.FormValue("state")
+	if state != "open" && state != "closed" {
+		http.Error(w, "state must be 'open' or 'closed'", http.StatusBadRequest)
+		return
+	}
+
+	if err := h.Client.SetIssueState(r.Context(), token, owner, repo, index, state); err != nil {
+		slog.Error("failed to set issue state", "error", err, "owner", owner, "repo", repo, "index", index, "state", state)
+		http.Error(w, "failed to update issue state", http.StatusInternalServerError)
+		return
+	}
+
+	if isHTMX(r) {
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		if state == "closed" {
+			fmt.Fprintf(w, `<span class="state-closed" id="issue-state">closed</span>
+<button class="btn btn-secondary" hx-post="/issues/%s/%s/%d/state" hx-vals='{"state":"open"}' hx-target="#state-section" hx-swap="innerHTML">Reopen Issue</button>`,
+				template.HTMLEscapeString(owner), template.HTMLEscapeString(repo), index)
+		} else {
+			fmt.Fprintf(w, `<span class="state-open" id="issue-state">open</span>
+<button class="btn btn-danger" hx-post="/issues/%s/%s/%d/state" hx-vals='{"state":"closed"}' hx-target="#state-section" hx-swap="innerHTML">Close Issue</button>`,
+				template.HTMLEscapeString(owner), template.HTMLEscapeString(repo), index)
+		}
+		return
+	}
+
+	http.Redirect(w, r, fmt.Sprintf("/issues/%s/%s/%d", owner, repo, index), http.StatusSeeOther)
+}
+
+// SetPullState handles POST /pulls/{owner}/{repo}/{index}/state.
+func (h *Handler) SetPullState(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	owner := r.PathValue("owner")
+	repo := r.PathValue("repo")
+	indexStr := r.PathValue("index")
+
+	index, err := strconv.ParseInt(indexStr, 10, 64)
+	if err != nil {
+		http.Error(w, "invalid pull request index", http.StatusBadRequest)
+		return
+	}
+
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, "bad request", http.StatusBadRequest)
+		return
+	}
+
+	state := r.FormValue("state")
+	if state != "open" && state != "closed" {
+		http.Error(w, "state must be 'open' or 'closed'", http.StatusBadRequest)
+		return
+	}
+
+	if err := h.Client.SetIssueState(r.Context(), token, owner, repo, index, state); err != nil {
+		slog.Error("failed to set pull request state", "error", err, "owner", owner, "repo", repo, "index", index, "state", state)
+		http.Error(w, "failed to update pull request state", http.StatusInternalServerError)
+		return
+	}
+
+	if isHTMX(r) {
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		if state == "closed" {
+			fmt.Fprintf(w, `<span class="state-closed" id="pull-state">closed</span>
+<button class="btn btn-secondary" hx-post="/pulls/%s/%s/%d/state" hx-vals='{"state":"open"}' hx-target="#state-section" hx-swap="innerHTML">Reopen PR</button>`,
+				template.HTMLEscapeString(owner), template.HTMLEscapeString(repo), index)
+		} else {
+			fmt.Fprintf(w, `<span class="state-open" id="pull-state">open</span>
+<button class="btn btn-danger" hx-post="/pulls/%s/%s/%d/state" hx-vals='{"state":"closed"}' hx-target="#state-section" hx-swap="innerHTML">Close PR</button>`,
+				template.HTMLEscapeString(owner), template.HTMLEscapeString(repo), index)
+		}
+		return
+	}
+
+	http.Redirect(w, r, fmt.Sprintf("/pulls/%s/%s/%d", owner, repo, index), http.StatusSeeOther)
+}
+
 // AddComment handles POST /issues/{owner}/{repo}/{index}/comment.
 func (h *Handler) AddComment(w http.ResponseWriter, r *http.Request) {
 	token := getToken(r)

internal/handlers/handlers_test.go

@@ -135,6 +135,135 @@ func TestSubmitReview_MissingEventType(t *testing.T) {
 	}
 }
 
+func TestSetIssueState_InvalidState(t *testing.T) {
+	h := newTestHandler()
+	mux := http.NewServeMux()
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/state", h.SetIssueState)
+
+	req := httptest.NewRequest(http.MethodPost, "/issues/org/repo/1/state", nil)
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	w := httptest.NewRecorder()
+
+	mux.ServeHTTP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusBadRequest)
+	}
+}
+
+func TestSetIssueState_InvalidIndex(t *testing.T) {
+	h := newTestHandler()
+	mux := http.NewServeMux()
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/state", h.SetIssueState)
+
+	req := httptest.NewRequest(http.MethodPost, "/issues/org/repo/abc/state", nil)
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	w := httptest.NewRecorder()
+
+	mux.ServeHTTP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusBadRequest)
+	}
+}
+
+func TestAddComment_EmptyBody(t *testing.T) {
+	h := newTestHandler()
+	mux := http.NewServeMux()
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/comments", h.AddComment)
+
+	req := httptest.NewRequest(http.MethodPost, "/issues/org/repo/1/comments", nil)
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	w := httptest.NewRecorder()
+
+	mux.ServeHTTP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusBadRequest)
+	}
+}
+
+func TestErrorNotFound(t *testing.T) {
+	h := newTestHandler()
+	req := httptest.NewRequest(http.MethodGet, "/nonexistent", nil)
+	w := httptest.NewRecorder()
+
+	h.ErrorNotFound(w, req)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusNotFound)
+	}
+	body := w.Body.String()
+	if body == "" {
+		t.Error("expected non-empty response body")
+	}
+	if !contains(body, "404") {
+		t.Error("expected body to contain '404'")
+	}
+	if !contains(body, "Page Not Found") {
+		t.Error("expected body to contain 'Page Not Found'")
+	}
+}
+
+func TestErrorInternal(t *testing.T) {
+	h := newTestHandler()
+	req := httptest.NewRequest(http.MethodGet, "/error", nil)
+	w := httptest.NewRecorder()
+
+	h.ErrorInternal(w, req)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusInternalServerError)
+	}
+	body := w.Body.String()
+	if body == "" {
+		t.Error("expected non-empty response body")
+	}
+	if !contains(body, "500") {
+		t.Error("expected body to contain '500'")
+	}
+	if !contains(body, "Internal Server Error") {
+		t.Error("expected body to contain 'Internal Server Error'")
+	}
+}
+
+func TestDashboard_NonRootPath_Returns404(t *testing.T) {
+	h := newTestHandler()
+	req := httptest.NewRequest(http.MethodGet, "/unknown/path", nil)
+	w := httptest.NewRecorder()
+
+	h.Dashboard(w, req)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusNotFound)
+	}
+	body := w.Body.String()
+	if !contains(body, "404") {
+		t.Error("expected body to contain '404' for non-root path")
+	}
+}
+
+func TestErrorNotFound_HTMX(t *testing.T) {
+	h := newTestHandler()
+	req := httptest.NewRequest(http.MethodGet, "/nonexistent", nil)
+	req.Header.Set("HX-Request", "true")
+	w := httptest.NewRecorder()
+
+	h.ErrorNotFound(w, req)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusNotFound)
+	}
+	body := w.Body.String()
+	// HTMX response should not contain DOCTYPE.
+	if contains(body, "<!DOCTYPE") {
+		t.Error("HTMX response should not contain DOCTYPE")
+	}
+	if !contains(body, "Page Not Found") {
+		t.Error("expected body to contain 'Page Not Found'")
+	}
+}
+
 func contains(s, substr string) bool {
 	return len(s) >= len(substr) && searchString(s, substr)
 }

internal/handlers/settings.go

@@ -2,6 +2,7 @@ package handlers
 
 import (
 	"html/template"
+	"log/slog"
 	"net/http"
 	"strings"
 
@@ -9,89 +10,7 @@ import (
 	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/middleware"
 )
 
-var settingsTemplate = template.Must(template.New("settings").Parse(`<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="UTF-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1.0, viewport-fit=cover">
-  <title>Settings — Gitea Mobile</title>
-  <style>
-    * { box-sizing: border-box; margin: 0; padding: 0; }
-    body {
-      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
-      background: #0d1117; color: #e6edf3;
-      padding: 1rem;
-      padding-top: max(1rem, env(safe-area-inset-top));
-    }
-    h1 { font-size: 1.5rem; margin-bottom: 1rem; }
-    .card {
-      background: #161b22; border: 1px solid #30363d; border-radius: 8px;
-      padding: 1rem; margin-bottom: 1rem;
-    }
-    label { display: block; font-size: 0.875rem; color: #8b949e; margin-bottom: 0.5rem; }
-    input[type="text"], input[type="password"] {
-      width: 100%; padding: 0.5rem; font-size: 1rem;
-      background: #0d1117; border: 1px solid #30363d; border-radius: 6px;
-      color: #e6edf3; margin-bottom: 1rem;
-    }
-    input:focus { outline: none; border-color: #58a6ff; }
-    button {
-      width: 100%; padding: 0.75rem; font-size: 1rem; font-weight: 600;
-      background: #238636; color: #fff; border: none; border-radius: 6px;
-      cursor: pointer;
-    }
-    button:active { background: #2ea043; }
-    .message {
-      padding: 0.75rem; border-radius: 6px; margin-bottom: 1rem;
-      font-size: 0.875rem;
-    }
-    .message.success { background: #0d2818; border: 1px solid #238636; color: #3fb950; }
-    .message.error { background: #2d1117; border: 1px solid #da3633; color: #f85149; }
-    .message.info { background: #0c1d2e; border: 1px solid #1f6feb; color: #58a6ff; }
-    .hint { font-size: 0.75rem; color: #8b949e; margin-top: 0.25rem; margin-bottom: 1rem; }
-    .status { font-size: 0.875rem; color: #8b949e; }
-    .status .connected { color: #3fb950; }
-    .logout-btn {
-      background: #21262d; border: 1px solid #30363d; margin-top: 0.5rem;
-    }
-    .logout-btn:active { background: #30363d; }
-  </style>
-</head>
-<body>
-  <h1>Settings</h1>
-
-  {{if .Message}}
-  <div class="message {{.MessageType}}">{{.Message}}</div>
-  {{end}}
-
-  {{if .HasToken}}
-  <div class="card">
-    <p class="status">Status: <span class="connected">Connected</span></p>
-    <p class="hint">A Gitea API token is configured.</p>
-    <form method="POST" action="/settings">
-      <input type="hidden" name="action" value="logout">
-      <button type="submit" class="logout-btn">Remove Token</button>
-    </form>
-  </div>
-  {{end}}
-
-  <div class="card">
-    <form method="POST" action="/settings">
-      <input type="hidden" name="action" value="save">
-      <label for="token">Gitea API Token</label>
-      <input type="password" id="token" name="token" placeholder="Enter your Gitea API token" required>
-      <p class="hint">Generate a token at your Gitea instance under Settings &rarr; Applications.</p>
-      <button type="submit">{{if .HasToken}}Update Token{{else}}Save Token{{end}}</button>
-    </form>
-  </div>
-
-  {{if .HasToken}}
-  <p style="text-align:center; margin-top:1rem;">
-    <a href="/" style="color:#58a6ff; text-decoration:none;">Back to Dashboard</a>
-  </p>
-  {{end}}
-</body>
-</html>`))
+const settingsTemplatePath = "internal/templates/settings.html"
 
 // SettingsHandler handles GET and POST requests for the settings page.
 type SettingsHandler struct {
@@ -126,8 +45,7 @@ func (h *SettingsHandler) handleGet(w http.ResponseWriter, r *http.Request) {
 	}
 
 	data := settingsData{HasToken: hasToken}
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
-	settingsTemplate.Execute(w, data)
+	h.renderSettings(w, data)
 }
 
 func (h *SettingsHandler) handlePost(w http.ResponseWriter, r *http.Request) {
@@ -172,6 +90,18 @@ func (h *SettingsHandler) renderWithMessage(w http.ResponseWriter, r *http.Reque
 		Message:     msg,
 		MessageType: msgType,
 	}
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
-	settingsTemplate.Execute(w, data)
+	h.renderSettings(w, data)
+}
+
+func (h *SettingsHandler) renderSettings(w http.ResponseWriter, data settingsData) {
+	tmpl, err := template.ParseFiles(settingsTemplatePath)
+	if err != nil {
+		slog.Error("failed to parse settings template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	if err := tmpl.Execute(w, data); err != nil {
+		slog.Error("failed to execute settings template", "error", err)
+	}
 }

internal/middleware/auth.go

@@ -23,9 +23,12 @@ func TokenFromContext(ctx context.Context) string {
 }
 
 // Auth returns middleware that checks for a valid token cookie.
+// If no cookie token is found and fallbackToken is non-empty, the fallback
+// token is used instead (useful for single-user or service-account deployments
+// where GITEA_TOKEN is set in the environment).
 // Unauthenticated requests are redirected to the settings page.
 // The /health, /settings, and /static/ paths are exempt from auth.
-func Auth(sessionSecret string) func(http.Handler) http.Handler {
+func Auth(sessionSecret, fallbackToken string) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			// Skip auth for exempt paths.
@@ -37,6 +40,13 @@ func Auth(sessionSecret string) func(http.Handler) http.Handler {
 
 			token, err := auth.GetToken(r, sessionSecret)
 			if err != nil || token == "" {
+				// Fall back to environment token if available.
+				if fallbackToken != "" {
+					slog.Debug("using fallback token from environment", "path", path)
+					ctx := context.WithValue(r.Context(), TokenContextKey, fallbackToken)
+					next.ServeHTTP(w, r.WithContext(ctx))
+					return
+				}
 				slog.Debug("unauthenticated request, redirecting to settings", "path", path, "error", err)
 				http.Redirect(w, r, "/settings", http.StatusSeeOther)
 				return

internal/middleware/auth_test.go

@@ -11,7 +11,7 @@ import (
 const testSecret = "test-secret-that-is-at-least-32-chars-long"
 
 func TestAuth_HealthBypass(t *testing.T) {
-	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 
@@ -25,7 +25,7 @@ func TestAuth_HealthBypass(t *testing.T) {
 }
 
 func TestAuth_SettingsBypass(t *testing.T) {
-	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 
@@ -39,7 +39,7 @@ func TestAuth_SettingsBypass(t *testing.T) {
 }
 
 func TestAuth_RedirectWithoutToken(t *testing.T) {
-	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 
@@ -57,7 +57,7 @@ func TestAuth_RedirectWithoutToken(t *testing.T) {
 
 func TestAuth_PassWithToken(t *testing.T) {
 	called := false
-	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		called = true
 		token := TokenFromContext(r.Context())
 		if token != "my-token" {
@@ -83,3 +83,72 @@ func TestAuth_PassWithToken(t *testing.T) {
 		t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
 	}
 }
+
+func TestAuth_FallbackToken_UsedWhenNoCookie(t *testing.T) {
+	called := false
+	handler := Auth(testSecret, "env-fallback-token")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		called = true
+		token := TokenFromContext(r.Context())
+		if token != "env-fallback-token" {
+			t.Errorf("token = %q, want %q", token, "env-fallback-token")
+		}
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if !called {
+		t.Error("next handler was not called with fallback token")
+	}
+	if w.Code != http.StatusOK {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
+	}
+}
+
+func TestAuth_FallbackToken_CookieTakesPrecedence(t *testing.T) {
+	called := false
+	handler := Auth(testSecret, "env-fallback-token")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		called = true
+		token := TokenFromContext(r.Context())
+		if token != "cookie-token" {
+			t.Errorf("token = %q, want %q (cookie should take precedence over fallback)", token, "cookie-token")
+		}
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	// Set a cookie token.
+	cookieW := httptest.NewRecorder()
+	auth.SetTokenCookie(cookieW, "cookie-token", testSecret, false)
+	cookie := cookieW.Result().Cookies()[0]
+
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req.AddCookie(cookie)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if !called {
+		t.Error("next handler was not called")
+	}
+	if w.Code != http.StatusOK {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
+	}
+}
+
+func TestAuth_NoFallbackToken_RedirectsWithoutCookie(t *testing.T) {
+	handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/issues", nil)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != http.StatusSeeOther {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusSeeOther)
+	}
+	if loc := w.Header().Get("Location"); loc != "/settings" {
+		t.Errorf("Location = %q, want %q", loc, "/settings")
+	}
+}

internal/templates/create_issue.html

@@ -6,20 +6,24 @@
 <form id="create-issue-form" hx-post="/issues" hx-swap="innerHTML" hx-target="#main-content">
   <div class="form-group">
     <label for="repo-select">Repository</label>
-    <select id="repo-select" name="owner_repo" required>
-      <option value="">Select a repository...</option>
+    <input list="repo-options" id="repo-select" name="owner_repo"
+           placeholder="Type to search repositories..." required autocomplete="off">
+    <datalist id="repo-options">
       {{range $org, $repos := .Repos}}
-      <optgroup label="{{$org}}">
         {{range $repos}}
         <option value="{{.Owner.Login}}/{{.Name}}">{{.FullName}}</option>
         {{end}}
-      </optgroup>
       {{end}}
-    </select>
+    </datalist>
     <input type="hidden" name="owner" id="owner-input">
     <input type="hidden" name="repo" id="repo-input">
   </div>
 
+  <div class="form-group" id="label-section" style="display:none;">
+    <label>Labels</label>
+    <div id="label-list"></div>
+  </div>
+
   <div class="form-group">
     <label for="title">Title</label>
     <input type="text" id="title" name="title" placeholder="Issue title" required>
@@ -40,9 +44,16 @@
     var repoInput = document.getElementById('repo-input');
     var formError = document.getElementById('form-error');
 
+    // Build a set of valid repo values for validation.
+    var validRepos = {};
+    var options = document.getElementById('repo-options').options;
+    for (var i = 0; i < options.length; i++) {
+      validRepos[options[i].value] = true;
+    }
+
     function splitOwnerRepo() {
       var val = repoSelect.value;
-      if (val) {
+      if (val && val.indexOf('/') !== -1) {
         var parts = val.split('/');
         ownerInput.value = parts[0] || '';
         repoInput.value = parts[1] || '';
@@ -52,7 +63,39 @@
       }
     }
 
-    repoSelect.addEventListener('change', splitOwnerRepo);
+    var debounceTimer = null;
+    repoSelect.addEventListener('input', function() {
+      clearTimeout(debounceTimer);
+      debounceTimer = setTimeout(function() {
+        splitOwnerRepo();
+        var labelSection = document.getElementById('label-section');
+        var labelList = document.getElementById('label-list');
+        if (ownerInput.value && repoInput.value && validRepos[repoSelect.value]) {
+          labelList.innerHTML = '<span class="empty">Loading labels...</span>';
+          labelSection.style.display = 'block';
+          htmx.ajax('GET', '/issues/new/labels?owner=' + encodeURIComponent(ownerInput.value) + '&repo=' + encodeURIComponent(repoInput.value), {target: '#label-list', swap: 'innerHTML'});
+        } else {
+          labelSection.style.display = 'none';
+          labelList.innerHTML = '';
+        }
+      }, 300);
+    });
+
+    // Also handle the change event for when a datalist option is selected directly.
+    repoSelect.addEventListener('change', function() {
+      clearTimeout(debounceTimer);
+      splitOwnerRepo();
+      var labelSection = document.getElementById('label-section');
+      var labelList = document.getElementById('label-list');
+      if (ownerInput.value && repoInput.value && validRepos[repoSelect.value]) {
+        labelList.innerHTML = '<span class="empty">Loading labels...</span>';
+        labelSection.style.display = 'block';
+        htmx.ajax('GET', '/issues/new/labels?owner=' + encodeURIComponent(ownerInput.value) + '&repo=' + encodeURIComponent(repoInput.value), {target: '#label-list', swap: 'innerHTML'});
+      } else {
+        labelSection.style.display = 'none';
+        labelList.innerHTML = '';
+      }
+    });
 
     // Validate before HTMX submit.
     document.getElementById('create-issue-form').addEventListener('htmx:configRequest', function(evt) {
@@ -63,6 +106,12 @@
         formError.style.display = 'block';
         return false;
       }
+      if (!validRepos[repoSelect.value]) {
+        evt.preventDefault();
+        formError.textContent = 'Please select a valid repository from the list.';
+        formError.style.display = 'block';
+        return false;
+      }
       formError.style.display = 'none';
     });
 

internal/templates/dashboard.html

@@ -1,6 +1,17 @@
 {{define "content"}}
 <h1>Dashboard</h1>
 
+{{if gt (len .Orgs) 1}}
+<div class="filter-bar">
+  <select name="org" hx-get="/" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true">
+    <option value="">All orgs</option>
+    {{range .Orgs}}
+    <option value="{{.}}" {{if eq . $.SelectedOrg}}selected{{end}}>{{.}}</option>
+    {{end}}
+  </select>
+</div>
+{{end}}
+
 {{if .Error}}
 <p class="empty">{{.Error}}</p>
 {{else if not .Items}}

internal/templates/error.html

@@ -0,0 +1,23 @@
+{{define "content"}}
+<div class="error-page">
+  <div class="error-icon">
+    {{if eq .Code 404}}
+    <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" width="64" height="64">
+      <circle cx="11" cy="11" r="8"/>
+      <line x1="21" y1="21" x2="16.65" y2="16.65"/>
+      <line x1="8" y1="11" x2="14" y2="11"/>
+    </svg>
+    {{else}}
+    <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" width="64" height="64">
+      <path d="M10.29 3.86L1.82 18a2 2 0 001.71 3h16.94a2 2 0 001.71-3L13.71 3.86a2 2 0 00-3.42 0z"/>
+      <line x1="12" y1="9" x2="12" y2="13"/>
+      <line x1="12" y1="17" x2="12.01" y2="17"/>
+    </svg>
+    {{end}}
+  </div>
+  <h1 class="error-code">{{.Code}}</h1>
+  <p class="error-title">{{.Title}}</p>
+  <p class="error-message">{{.Message}}</p>
+  <a href="/" class="error-home-link">Go to Dashboard</a>
+</div>
+{{end}}

internal/templates/issue_detail.html

@@ -3,7 +3,15 @@
 
 <div class="card">
   <div class="card-meta">
-    <span class="state-open">{{.Issue.State}}</span>
+    <span id="state-section">
+      {{if eq .Issue.State "closed"}}
+      <span class="state-closed" id="issue-state">{{.Issue.State}}</span>
+      <button class="btn btn-secondary" hx-post="/issues/{{.Issue.RepoOwner}}/{{.Issue.RepoName}}/{{.Issue.Number}}/state" hx-vals='{"state":"open"}' hx-target="#state-section" hx-swap="innerHTML">Reopen Issue</button>
+      {{else}}
+      <span class="state-open" id="issue-state">{{.Issue.State}}</span>
+      <button class="btn btn-danger" hx-post="/issues/{{.Issue.RepoOwner}}/{{.Issue.RepoName}}/{{.Issue.Number}}/state" hx-vals='{"state":"closed"}' hx-target="#state-section" hx-swap="innerHTML">Close Issue</button>
+      {{end}}
+    </span>
     <span>{{.Issue.RepoOwner}}/{{.Issue.RepoName}} #{{.Issue.Number}}</span>
     {{range .Issue.Labels}}
     <span class="label" style="color:#{{.Color}};border:1px solid #{{.Color}}">{{.Name}}</span>
@@ -18,6 +26,7 @@
 
 {{if .Comments}}
 <h2>Comments</h2>
+<div id="comments-list">
 {{range .Comments}}
 <div class="comment">
   <div class="comment-header">
@@ -27,10 +36,33 @@
   <div class="comment-body">{{.Body}}</div>
 </div>
 {{end}}
+</div>
+{{else}}
+<div id="comments-list"></div>
 {{end}}
 
+<div class="card" style="margin-top:1rem;">
+  <h2>Add Comment</h2>
+  <form hx-post="/issues/{{.Issue.RepoOwner}}/{{.Issue.RepoName}}/{{.Issue.Number}}/comments" hx-target="#comments-list" hx-swap="beforeend" hx-on::after-request="if(event.detail.successful) this.reset()">
+    <textarea name="body" rows="4" placeholder="Write a comment..." required style="width:100%;margin-bottom:0.5rem;"></textarea>
+    <button type="submit" class="btn btn-primary" style="width:auto;padding:0.5rem 1rem;">Comment</button>
+  </form>
+</div>
+
 <div class="card" style="margin-top:1rem;">
   <h2>Actions</h2>
+  {{if .Collaborators}}
+  <form hx-post="/issues/{{.Issue.RepoOwner}}/{{.Issue.RepoName}}/{{.Issue.Number}}/assignees" hx-swap="outerHTML" style="margin-bottom:0.5rem;">
+    <div class="filter-bar" style="margin-bottom:0.5rem;">
+      <select name="assignee">
+        {{range .Collaborators}}
+        <option value="{{.}}">{{.}}</option>
+        {{end}}
+      </select>
+      <button type="submit" class="btn btn-secondary" style="width:auto;padding:0.5rem 1rem;">Assign</button>
+    </div>
+  </form>
+  {{end}}
   <form hx-post="/issues/{{.Issue.RepoOwner}}/{{.Issue.RepoName}}/{{.Issue.Number}}/labels" hx-swap="outerHTML" style="margin-bottom:0.5rem;">
     <div class="filter-bar" style="margin-bottom:0.5rem;">
       <select name="label_id">

internal/templates/issues.html

@@ -8,13 +8,13 @@
       <span class="label" style="color:#{{.Color}};border:1px solid #{{.Color}}">{{.Name}}</span>
       {{end}}
       {{if .Assignee}}
-      <span>{{.Assignee.Login}}</span>
+      <img src="{{.Assignee.AvatarURL}}" alt="{{.Assignee.Login}}" class="avatar" title="Assigned to {{.Assignee.Login}}">
       {{end}}
     </div>
   </div>
   {{end}}
   {{if .HasMore}}
-  <div class="scroll-sentinel" hx-get="/issues?page={{.NextPage}}&org={{.SelectedOrg}}&state={{.SelectedState}}" hx-trigger="revealed" hx-swap="outerHTML" hx-target="this">
+  <div class="scroll-sentinel" hx-get="/issues?page={{.NextPage}}&org={{.SelectedOrg}}&state={{.SelectedState}}&label={{.SelectedLabel}}&repo={{.SelectedRepo}}" hx-trigger="revealed" hx-swap="outerHTML" hx-target="this">
     <div class="spinner htmx-indicator"></div>
   </div>
   {{end}}
@@ -24,16 +24,25 @@
 <h1>Issues</h1>
 
 <div class="filter-bar">
-  <select name="org" hx-get="/issues" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='state']">
+  <select name="org" hx-get="/issues" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='state'],[name='label']">
     <option value="">All orgs</option>
     {{range .Orgs}}
     <option value="{{.}}" {{if eq . $.SelectedOrg}}selected{{end}}>{{.}}</option>
     {{end}}
   </select>
-  <select name="state" hx-get="/issues" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org']">
+  {{if .Repos}}
+  <select name="repo" hx-get="/issues" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org'],[name='state'],[name='label']">
+    <option value="">All repos</option>
+    {{range .Repos}}<option value="{{.}}" {{if eq . $.SelectedRepo}}selected{{end}}>{{.}}</option>{{end}}
+  </select>
+  {{end}}
+  <select name="state" hx-get="/issues" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org'],[name='repo'],[name='label']">
     <option value="open" {{if eq .SelectedState "open"}}selected{{end}}>Open</option>
     <option value="closed" {{if eq .SelectedState "closed"}}selected{{end}}>Closed</option>
   </select>
+  <input type="text" name="label" placeholder="Filter by label..." value="{{.SelectedLabel}}"
+         hx-get="/issues" hx-trigger="input changed delay:400ms" hx-target="#main-content"
+         hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org'],[name='state'],[name='repo']">
 </div>
 
 {{if .Error}}

internal/templates/layout.html

@@ -13,6 +13,10 @@
   <script src="/static/htmx.min.js"></script>
 </head>
 <body>
+  <header class="top-bar">
+    <span class="top-bar-title">Gitea Mobile</span>
+    <button class="refresh-btn" hx-get="" hx-target="#main-content" hx-swap="innerHTML" aria-label="Refresh">&#8635;</button>
+  </header>
   <div class="content" id="main-content">
     {{template "content" .}}
   </div>

internal/templates/pull_detail.html

@@ -4,7 +4,7 @@
 <div class="card">
   <div class="card-meta">
     <span class="type-badge type-pull">PR</span>
-    <span class="state-open">{{.Pull.State}}</span>
+    {{if eq .Pull.State "closed"}}<span class="state-closed">{{.Pull.State}}</span>{{else}}<span class="state-open">{{.Pull.State}}</span>{{end}}
     <span>{{.Pull.RepoOwner}}/{{.Pull.RepoName}} #{{.Pull.Number}}</span>
     {{range .Pull.Labels}}
     <span class="label" style="color:#{{.Color}};border:1px solid #{{.Color}}">{{.Name}}</span>
@@ -15,6 +15,17 @@
     <span class="diff-del">-{{.Pull.Deletions}}</span>
     {{if .Pull.Mergeable}}<span style="color:var(--accent-green);">Mergeable</span>{{end}}
   </div>
+  <div class="card-meta" style="margin-top:0.5rem;">
+    <span id="state-section">
+      {{if eq .Pull.State "closed"}}
+      <span class="state-closed" id="pull-state">{{.Pull.State}}</span>
+      <button class="btn btn-secondary" hx-post="/pulls/{{.Pull.RepoOwner}}/{{.Pull.RepoName}}/{{.Pull.Number}}/state" hx-vals='{"state":"open"}' hx-target="#state-section" hx-swap="innerHTML">Reopen PR</button>
+      {{else}}
+      <span class="state-open" id="pull-state">{{.Pull.State}}</span>
+      <button class="btn btn-danger" hx-post="/pulls/{{.Pull.RepoOwner}}/{{.Pull.RepoName}}/{{.Pull.Number}}/state" hx-vals='{"state":"closed"}' hx-target="#state-section" hx-swap="innerHTML">Close PR</button>
+      {{end}}
+    </span>
+  </div>
   {{if .RenderedBody}}
   <div class="card-body markdown-body">{{.RenderedBody}}</div>
   {{else if .Pull.Body}}
@@ -46,4 +57,21 @@
     <button type="submit" class="btn btn-primary">Submit Review</button>
   </form>
 </div>
+
+{{if .Comments}}
+<h2>Comments</h2>
+<div id="comments-list">
+{{range .Comments}}
+<div class="comment">
+  <div class="comment-header">
+    <strong>{{.User}}</strong>
+    <span>{{.CreatedAt}}</span>
+  </div>
+  <div class="comment-body">{{.Body}}</div>
+</div>
+{{end}}
+</div>
+{{else}}
+<p class="empty" style="margin-top:1rem;">No comments yet.</p>
+{{end}}
 {{end}}

internal/templates/pulls.html

@@ -12,12 +12,18 @@
       {{end}}
       <span class="diff-add">+{{.Additions}}</span>
       <span class="diff-del">-{{.Deletions}}</span>
-      {{if .Mergeable}}<span style="color:var(--accent-green);font-size:0.7rem;">mergeable</span>{{end}}
+      {{if eq .ReviewState "approved"}}<span class="review-badge review-approved" title="Approved">&#10003;</span>
+      {{else if eq .ReviewState "changes_requested"}}<span class="review-badge review-changes" title="Changes requested">&#10007;</span>
+      {{else if eq .ReviewState "pending"}}<span class="review-badge review-pending" title="Awaiting review">&#9202;</span>
+      {{end}}
+      {{if .Mergeable}}<span class="merge-badge merge-ready" title="Ready to merge">&#9654; Ready</span>
+      {{else}}<span class="merge-badge merge-conflicts" title="Has conflicts or not mergeable">Conflicts</span>
+      {{end}}
     </div>
   </div>
   {{end}}
   {{if .HasMore}}
-  <div class="scroll-sentinel" hx-get="/pulls?page={{.NextPage}}&org={{.SelectedOrg}}" hx-trigger="revealed" hx-swap="outerHTML" hx-target="this">
+  <div class="scroll-sentinel" hx-get="/pulls?page={{.NextPage}}&org={{.SelectedOrg}}&state={{.SelectedState}}&label={{.SelectedLabel}}&repo={{.SelectedRepo}}" hx-trigger="revealed" hx-swap="outerHTML" hx-target="this">
     <div class="spinner htmx-indicator"></div>
   </div>
   {{end}}
@@ -27,18 +33,31 @@
 <h1>Pull Requests</h1>
 
 <div class="filter-bar">
-  <select name="org" hx-get="/pulls" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true">
+  <select name="org" hx-get="/pulls" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='state'],[name='label']">
     <option value="">All orgs</option>
     {{range .Orgs}}
     <option value="{{.}}" {{if eq . $.SelectedOrg}}selected{{end}}>{{.}}</option>
     {{end}}
   </select>
+  {{if .Repos}}
+  <select name="repo" hx-get="/pulls" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org'],[name='state'],[name='label']">
+    <option value="">All repos</option>
+    {{range .Repos}}<option value="{{.}}" {{if eq . $.SelectedRepo}}selected{{end}}>{{.}}</option>{{end}}
+  </select>
+  {{end}}
+  <select name="state" hx-get="/pulls" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org'],[name='repo'],[name='label']">
+    <option value="open" {{if eq .SelectedState "open"}}selected{{end}}>Open</option>
+    <option value="closed" {{if eq .SelectedState "closed"}}selected{{end}}>Closed</option>
+  </select>
+  <input type="text" name="label" placeholder="Filter by label..." value="{{.SelectedLabel}}"
+         hx-get="/pulls" hx-trigger="input changed delay:400ms" hx-target="#main-content"
+         hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org'],[name='state'],[name='repo']">
 </div>
 
 {{if .Error}}
 <p class="empty">{{.Error}}</p>
 {{else if not .Pulls}}
-<p class="empty">No open pull requests found.</p>
+<p class="empty">No {{.SelectedState}} pull requests found.</p>
 {{else}}
 <div id="pull-list">
   {{template "cards" .}}

internal/templates/settings.html

@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0, viewport-fit=cover">
+  <title>Settings — Gitea Mobile</title>
+  <style>
+    * { box-sizing: border-box; margin: 0; padding: 0; }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+      background: #0d1117; color: #e6edf3;
+      padding: 1rem;
+      padding-top: max(1rem, env(safe-area-inset-top));
+    }
+    h1 { font-size: 1.5rem; margin-bottom: 1rem; }
+    .card {
+      background: #161b22; border: 1px solid #30363d; border-radius: 8px;
+      padding: 1rem; margin-bottom: 1rem;
+    }
+    label { display: block; font-size: 0.875rem; color: #8b949e; margin-bottom: 0.5rem; }
+    input[type="text"], input[type="password"] {
+      width: 100%; padding: 0.5rem; font-size: 1rem;
+      background: #0d1117; border: 1px solid #30363d; border-radius: 6px;
+      color: #e6edf3; margin-bottom: 1rem;
+    }
+    input:focus { outline: none; border-color: #58a6ff; }
+    button {
+      width: 100%; padding: 0.75rem; font-size: 1rem; font-weight: 600;
+      background: #238636; color: #fff; border: none; border-radius: 6px;
+      cursor: pointer;
+    }
+    button:active { background: #2ea043; }
+    .message {
+      padding: 0.75rem; border-radius: 6px; margin-bottom: 1rem;
+      font-size: 0.875rem;
+    }
+    .message.success { background: #0d2818; border: 1px solid #238636; color: #3fb950; }
+    .message.error { background: #2d1117; border: 1px solid #da3633; color: #f85149; }
+    .message.info { background: #0c1d2e; border: 1px solid #1f6feb; color: #58a6ff; }
+    .hint { font-size: 0.75rem; color: #8b949e; margin-top: 0.25rem; margin-bottom: 1rem; }
+    .status { font-size: 0.875rem; color: #8b949e; }
+    .status .connected { color: #3fb950; }
+    .logout-btn {
+      background: #21262d; border: 1px solid #30363d; margin-top: 0.5rem;
+    }
+    .logout-btn:active { background: #30363d; }
+  </style>
+</head>
+<body>
+  <h1>Settings</h1>
+
+  {{if .Message}}
+  <div class="message {{.MessageType}}">{{.Message}}</div>
+  {{end}}
+
+  {{if .HasToken}}
+  <div class="card">
+    <p class="status">Status: <span class="connected">Connected</span></p>
+    <p class="hint">A Gitea API token is configured.</p>
+    <form method="POST" action="/settings">
+      <input type="hidden" name="action" value="logout">
+      <button type="submit" class="logout-btn">Remove Token</button>
+    </form>
+  </div>
+  {{end}}
+
+  <div class="card">
+    <form method="POST" action="/settings">
+      <input type="hidden" name="action" value="save">
+      <label for="token">Gitea API Token</label>
+      <input type="password" id="token" name="token" placeholder="Enter your Gitea API token" required>
+      <p class="hint">Generate a token at your Gitea instance under Settings &rarr; Applications.</p>
+      <button type="submit">{{if .HasToken}}Update Token{{else}}Save Token{{end}}</button>
+    </form>
+  </div>
+
+  {{if .HasToken}}
+  <p style="text-align:center; margin-top:1rem;">
+    <a href="/" style="color:#58a6ff; text-decoration:none;">Back to Dashboard</a>
+  </p>
+  {{end}}
+</body>
+</html>

static/style.css

@@ -47,10 +47,53 @@ body {
   -moz-osx-font-smoothing: grayscale;
 }
 
+/* Top bar */
+.top-bar {
+  position: sticky;
+  top: 0;
+  z-index: 100;
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  padding: var(--spacing-sm) var(--spacing-lg);
+  padding-top: max(var(--spacing-sm), env(safe-area-inset-top));
+  background: var(--bg-secondary);
+  border-bottom: 1px solid var(--border);
+}
+
+.top-bar-title {
+  font-size: var(--font-base);
+  font-weight: 600;
+  color: var(--text-primary);
+}
+
+.refresh-btn {
+  background: none;
+  border: none;
+  color: var(--text-secondary);
+  font-size: 1.4rem;
+  padding: var(--spacing-xs) var(--spacing-sm);
+  cursor: pointer;
+  -webkit-tap-highlight-color: transparent;
+  line-height: 1;
+  border-radius: var(--radius-sm);
+  transition: color 0.15s ease, background 0.15s ease;
+}
+
+.refresh-btn:active {
+  color: var(--accent-blue);
+  background: var(--bg-tertiary);
+}
+
+.refresh-btn.htmx-request {
+  animation: spin 0.6s linear infinite;
+  pointer-events: none;
+}
+
 /* Content area */
 .content {
   padding: var(--spacing-lg);
-  padding-top: max(var(--spacing-lg), env(safe-area-inset-top));
+  padding-top: var(--spacing-lg);
   max-width: 640px;
   margin: 0 auto;
 }
@@ -376,6 +419,29 @@ a:active {
   vertical-align: middle;
 }
 
+/* Review status badges */
+.review-badge {
+  font-size: 0.7rem;
+  font-weight: 600;
+  padding: 1px 4px;
+  border-radius: var(--radius-pill);
+  vertical-align: middle;
+}
+.review-approved { color: var(--accent-green); }
+.review-changes { color: var(--accent-red); }
+.review-pending { color: var(--accent-yellow); }
+
+/* Merge status badges */
+.merge-badge {
+  font-size: 0.65rem;
+  font-weight: 600;
+  padding: 1px 5px;
+  border-radius: var(--radius-pill);
+  vertical-align: middle;
+}
+.merge-ready { color: var(--accent-green); border: 1px solid var(--accent-green); }
+.merge-conflicts { color: var(--accent-red); border: 1px solid var(--accent-red); }
+
 /* Empty state */
 .empty {
   text-align: center;
@@ -444,13 +510,17 @@ a:active {
     max-width: 960px;
   }
 
-  .card-grid {
+  .card-grid,
+  #issue-list,
+  #pull-list {
     display: grid;
     grid-template-columns: repeat(2, 1fr);
     gap: var(--spacing-sm);
   }
 
-  .card-grid .card {
+  .card-grid .card,
+  #issue-list .card,
+  #pull-list .card {
     margin-bottom: 0;
   }
 }
@@ -475,3 +545,56 @@ a:active {
     --text-link: #0969da;
   }
 }
+
+/* Error page */
+.error-page {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  justify-content: center;
+  min-height: 60vh;
+  text-align: center;
+  padding: var(--spacing-lg);
+}
+
+.error-icon {
+  color: var(--text-secondary);
+  margin-bottom: var(--spacing-lg);
+}
+
+.error-code {
+  font-size: 4rem;
+  font-weight: 700;
+  color: var(--text-primary);
+  line-height: 1;
+  margin-bottom: var(--spacing-sm);
+}
+
+.error-title {
+  font-size: var(--font-xl);
+  color: var(--text-primary);
+  margin-bottom: var(--spacing-sm);
+}
+
+.error-message {
+  font-size: var(--font-base);
+  color: var(--text-secondary);
+  margin-bottom: var(--spacing-lg);
+  max-width: 300px;
+}
+
+.error-home-link {
+  display: inline-block;
+  padding: var(--spacing-sm) var(--spacing-lg);
+  background: var(--accent-blue);
+  color: #fff;
+  border-radius: var(--radius);
+  text-decoration: none;
+  font-size: var(--font-base);
+  font-weight: 500;
+  transition: opacity 0.15s;
+}
+
+.error-home-link:active {
+  opacity: 0.8;
+}