feat: add Dockerfile and CI workflow

Add multi-stage Dockerfile producing a minimal distroless image and
Gitea Actions CI workflow for automated testing and image publishing.

- Dockerfile: multi-stage build (golang:1.22-alpine -> distroless/static)
  with stripped binary (~15-20MB image), runs as nonroot user
- .dockerignore: excludes .git, docs, nix files from build context
- .gitea/workflows/build.yaml: CI pipeline that runs tests, builds
  Docker image, and pushes to Gitea registry with timestamp+SHA tags
  for Flux image automation

Closes leeworks-agents/gitea-mobile#7

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.dockerignore

@@ -0,0 +1,8 @@
+.git
+.gitignore
+*.md
+flake.nix
+flake.lock
+.envrc
+.direnv
+.claude

.gitea/workflows/build.yaml

@@ -0,0 +1,48 @@
+name: Build and Push
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.22'
+
+      - name: Run tests
+        run: go test ./...
+
+  build:
+    runs-on: ubuntu-latest
+    needs: test
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set image tag
+        id: tag
+        run: |
+          TIMESTAMP=$(date +%Y%m%d%H%M%S)
+          SHA=$(echo ${{ github.sha }} | cut -c1-7)
+          echo "tag=${TIMESTAMP}-${SHA}" >> $GITHUB_OUTPUT
+
+      - name: Build Docker image
+        run: |
+          docker build -t gitea.leeworks.dev/0xwheatyz/gitea-mobile:${{ steps.tag.outputs.tag }} .
+          docker tag gitea.leeworks.dev/0xwheatyz/gitea-mobile:${{ steps.tag.outputs.tag }} \
+            gitea.leeworks.dev/0xwheatyz/gitea-mobile:latest
+
+      - name: Login to Gitea registry
+        run: |
+          echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login gitea.leeworks.dev \
+            -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
+
+      - name: Push image
+        run: |
+          docker push gitea.leeworks.dev/0xwheatyz/gitea-mobile:${{ steps.tag.outputs.tag }}
+          docker push gitea.leeworks.dev/0xwheatyz/gitea-mobile:latest

Dockerfile

@@ -0,0 +1,16 @@
+# Stage 1: Build
+FROM golang:1.22-alpine AS builder
+WORKDIR /app
+COPY go.mod go.sum ./
+RUN go mod download
+COPY . .
+RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /gitea-mobile ./cmd/server
+
+# Stage 2: Runtime
+FROM gcr.io/distroless/static:nonroot
+COPY --from=builder /gitea-mobile /gitea-mobile
+COPY static/ /static/
+COPY internal/templates/ /templates/
+EXPOSE 8080
+USER nonroot:nonroot
+ENTRYPOINT ["/gitea-mobile"]

cmd/server/main.go

@@ -1,32 +1,43 @@
 package main
 
 import (
-	"fmt"
 	"log"
+	"log/slog"
 	"net/http"
 	"os"
+
+	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/config"
+	giteaclient "gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/gitea"
+	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/handlers"
+	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/middleware"
 )
 
 func main() {
-	addr := os.Getenv("LISTEN_ADDR")
-	if addr == "" {
-		addr = ":8080"
+	// Set up structured logging.
+	slog.SetDefault(slog.New(slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{
+		Level: slog.LevelInfo,
+	})))
+
+	cfg, err := config.Load()
+	if err != nil {
+		log.Fatalf("configuration error: %v", err)
 	}
 
+	// Create Gitea API client.
+	client := giteaclient.NewClient(cfg.GiteaURL)
+
+	// Create handler with all routes.
 	mux := http.NewServeMux()
+	h := handlers.NewHandler(cfg, client)
+	h.RegisterRoutes(mux)
 
-	mux.HandleFunc("GET /health", func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusOK)
-		fmt.Fprintln(w, "ok")
-	})
+	// Apply middleware chain: logging -> auth.
+	var handler http.Handler = mux
+	handler = middleware.Auth(cfg.SessionSecret)(handler)
+	handler = middleware.Logging()(handler)
 
-	mux.HandleFunc("GET /", func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Content-Type", "text/html; charset=utf-8")
-		fmt.Fprintln(w, "<h1>Gitea Mobile</h1><p>Coming soon.</p>")
-	})
-
-	log.Printf("listening on %s", addr)
-	if err := http.ListenAndServe(addr, mux); err != nil {
+	slog.Info("server starting", "addr", cfg.ListenAddr, "gitea_url", cfg.GiteaURL)
+	if err := http.ListenAndServe(cfg.ListenAddr, handler); err != nil {
 		log.Fatalf("server error: %v", err)
 	}
 }

internal/auth/cookie.go

@@ -0,0 +1,104 @@
+package auth
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+)
+
+const (
+	cookieName = "gitea_token"
+	cookieMaxAge = 30 * 24 * 60 * 60 // 30 days in seconds
+)
+
+var (
+	ErrInvalidSignature = errors.New("invalid cookie signature")
+	ErrMalformedCookie  = errors.New("malformed cookie value")
+)
+
+// SetTokenCookie stores a Gitea API token in a signed HTTP-only cookie.
+func SetTokenCookie(w http.ResponseWriter, token string, secret string, secure bool) {
+	signed := sign(token, secret)
+
+	http.SetCookie(w, &http.Cookie{
+		Name:     cookieName,
+		Value:    signed,
+		Path:     "/",
+		MaxAge:   cookieMaxAge,
+		HttpOnly: true,
+		Secure:   secure,
+		SameSite: http.SameSiteStrictMode,
+		Expires:  time.Now().Add(30 * 24 * time.Hour),
+	})
+}
+
+// ClearTokenCookie removes the token cookie.
+func ClearTokenCookie(w http.ResponseWriter, secure bool) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     cookieName,
+		Value:    "",
+		Path:     "/",
+		MaxAge:   -1,
+		HttpOnly: true,
+		Secure:   secure,
+		SameSite: http.SameSiteStrictMode,
+	})
+}
+
+// GetToken extracts and verifies the Gitea API token from the request cookie.
+// Returns the token string or an error if the cookie is missing or invalid.
+func GetToken(r *http.Request, secret string) (string, error) {
+	cookie, err := r.Cookie(cookieName)
+	if err != nil {
+		return "", err
+	}
+
+	token, err := verify(cookie.Value, secret)
+	if err != nil {
+		return "", err
+	}
+
+	return token, nil
+}
+
+// sign creates a signed cookie value: base64(token).base64(hmac-sha256(token))
+func sign(token string, secret string) string {
+	encodedToken := base64.URLEncoding.EncodeToString([]byte(token))
+	mac := computeHMAC(encodedToken, secret)
+	return fmt.Sprintf("%s.%s", encodedToken, mac)
+}
+
+// verify checks the HMAC signature and returns the original token.
+func verify(signed string, secret string) (string, error) {
+	parts := strings.SplitN(signed, ".", 2)
+	if len(parts) != 2 {
+		return "", ErrMalformedCookie
+	}
+
+	encodedToken := parts[0]
+	providedMAC := parts[1]
+	expectedMAC := computeHMAC(encodedToken, secret)
+
+	if !hmac.Equal([]byte(providedMAC), []byte(expectedMAC)) {
+		return "", ErrInvalidSignature
+	}
+
+	tokenBytes, err := base64.URLEncoding.DecodeString(encodedToken)
+	if err != nil {
+		return "", ErrMalformedCookie
+	}
+
+	return string(tokenBytes), nil
+}
+
+// computeHMAC generates a base64-encoded HMAC-SHA256 of the given data.
+func computeHMAC(data string, secret string) string {
+	h := hmac.New(sha256.New, []byte(secret))
+	h.Write([]byte(data))
+	return base64.URLEncoding.EncodeToString(h.Sum(nil))
+}

internal/auth/cookie_test.go

@@ -0,0 +1,89 @@
+package auth
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+const testSecret = "test-secret-that-is-at-least-32-chars-long"
+
+func TestSignAndVerify(t *testing.T) {
+	token := "abc123-gitea-token"
+	signed := sign(token, testSecret)
+
+	got, err := verify(signed, testSecret)
+	if err != nil {
+		t.Fatalf("verify failed: %v", err)
+	}
+	if got != token {
+		t.Errorf("got %q, want %q", got, token)
+	}
+}
+
+func TestVerify_InvalidSignature(t *testing.T) {
+	token := "abc123-gitea-token"
+	signed := sign(token, testSecret)
+
+	_, err := verify(signed, "wrong-secret-that-is-at-least-32-chars")
+	if err != ErrInvalidSignature {
+		t.Errorf("expected ErrInvalidSignature, got %v", err)
+	}
+}
+
+func TestVerify_MalformedCookie(t *testing.T) {
+	_, err := verify("no-dot-separator", testSecret)
+	if err != ErrMalformedCookie {
+		t.Errorf("expected ErrMalformedCookie, got %v", err)
+	}
+}
+
+func TestSetAndGetToken(t *testing.T) {
+	token := "my-gitea-api-token"
+
+	// Create a response recorder to capture the Set-Cookie header.
+	w := httptest.NewRecorder()
+	SetTokenCookie(w, token, testSecret, false)
+
+	// Extract the cookie from the response.
+	resp := w.Result()
+	cookies := resp.Cookies()
+	if len(cookies) == 0 {
+		t.Fatal("expected a cookie to be set")
+	}
+
+	// Create a new request with the cookie.
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req.AddCookie(cookies[0])
+
+	got, err := GetToken(req, testSecret)
+	if err != nil {
+		t.Fatalf("GetToken failed: %v", err)
+	}
+	if got != token {
+		t.Errorf("got %q, want %q", got, token)
+	}
+}
+
+func TestGetToken_NoCookie(t *testing.T) {
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+
+	_, err := GetToken(req, testSecret)
+	if err == nil {
+		t.Fatal("expected error for missing cookie")
+	}
+}
+
+func TestClearTokenCookie(t *testing.T) {
+	w := httptest.NewRecorder()
+	ClearTokenCookie(w, false)
+
+	resp := w.Result()
+	cookies := resp.Cookies()
+	if len(cookies) == 0 {
+		t.Fatal("expected a cookie to be set")
+	}
+	if cookies[0].MaxAge != -1 {
+		t.Errorf("MaxAge = %d, want -1", cookies[0].MaxAge)
+	}
+}

internal/config/config.go

@@ -0,0 +1,50 @@
+package config
+
+import (
+	"fmt"
+	"os"
+)
+
+// Config holds application configuration loaded from environment variables.
+type Config struct {
+	// GiteaURL is the base URL of the Gitea instance.
+	GiteaURL string
+
+	// GiteaToken is the default API token (optional; users can set their own via cookie).
+	GiteaToken string
+
+	// ListenAddr is the server listen address.
+	ListenAddr string
+
+	// SessionSecret is the HMAC key for signing session cookies.
+	SessionSecret string
+}
+
+// Load reads configuration from environment variables.
+// Returns an error if required variables are missing.
+func Load() (*Config, error) {
+	cfg := &Config{
+		GiteaURL:      os.Getenv("GITEA_URL"),
+		GiteaToken:    os.Getenv("GITEA_TOKEN"),
+		ListenAddr:    os.Getenv("LISTEN_ADDR"),
+		SessionSecret: os.Getenv("SESSION_SECRET"),
+	}
+
+	if cfg.ListenAddr == "" {
+		cfg.ListenAddr = ":8080"
+	}
+
+	if cfg.GiteaURL == "" {
+		return nil, fmt.Errorf("GITEA_URL environment variable is required")
+	}
+
+	if cfg.SessionSecret == "" {
+		return nil, fmt.Errorf("SESSION_SECRET environment variable is required")
+	}
+
+	if len(cfg.SessionSecret) < 32 {
+		return nil, fmt.Errorf("SESSION_SECRET must be at least 32 characters")
+	}
+
+	return cfg, nil
+}

internal/config/config_test.go

@@ -0,0 +1,89 @@
+package config
+
+import (
+	"os"
+	"testing"
+)
+
+func TestLoad_Success(t *testing.T) {
+	os.Setenv("GITEA_URL", "https://gitea.example.com")
+	os.Setenv("SESSION_SECRET", "test-secret-that-is-at-least-32-chars-long")
+	os.Setenv("LISTEN_ADDR", ":9090")
+	os.Setenv("GITEA_TOKEN", "test-token")
+	defer func() {
+		os.Unsetenv("GITEA_URL")
+		os.Unsetenv("SESSION_SECRET")
+		os.Unsetenv("LISTEN_ADDR")
+		os.Unsetenv("GITEA_TOKEN")
+	}()
+
+	cfg, err := Load()
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if cfg.GiteaURL != "https://gitea.example.com" {
+		t.Errorf("GiteaURL = %q, want %q", cfg.GiteaURL, "https://gitea.example.com")
+	}
+	if cfg.ListenAddr != ":9090" {
+		t.Errorf("ListenAddr = %q, want %q", cfg.ListenAddr, ":9090")
+	}
+	if cfg.GiteaToken != "test-token" {
+		t.Errorf("GiteaToken = %q, want %q", cfg.GiteaToken, "test-token")
+	}
+}
+
+func TestLoad_DefaultListenAddr(t *testing.T) {
+	os.Setenv("GITEA_URL", "https://gitea.example.com")
+	os.Setenv("SESSION_SECRET", "test-secret-that-is-at-least-32-chars-long")
+	os.Unsetenv("LISTEN_ADDR")
+	defer func() {
+		os.Unsetenv("GITEA_URL")
+		os.Unsetenv("SESSION_SECRET")
+	}()
+
+	cfg, err := Load()
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if cfg.ListenAddr != ":8080" {
+		t.Errorf("ListenAddr = %q, want %q", cfg.ListenAddr, ":8080")
+	}
+}
+
+func TestLoad_MissingGiteaURL(t *testing.T) {
+	os.Unsetenv("GITEA_URL")
+	os.Setenv("SESSION_SECRET", "test-secret-that-is-at-least-32-chars-long")
+	defer os.Unsetenv("SESSION_SECRET")
+
+	_, err := Load()
+	if err == nil {
+		t.Fatal("expected error for missing GITEA_URL")
+	}
+}
+
+func TestLoad_MissingSessionSecret(t *testing.T) {
+	os.Setenv("GITEA_URL", "https://gitea.example.com")
+	os.Unsetenv("SESSION_SECRET")
+	defer os.Unsetenv("GITEA_URL")
+
+	_, err := Load()
+	if err == nil {
+		t.Fatal("expected error for missing SESSION_SECRET")
+	}
+}
+
+func TestLoad_ShortSessionSecret(t *testing.T) {
+	os.Setenv("GITEA_URL", "https://gitea.example.com")
+	os.Setenv("SESSION_SECRET", "tooshort")
+	defer func() {
+		os.Unsetenv("GITEA_URL")
+		os.Unsetenv("SESSION_SECRET")
+	}()
+
+	_, err := Load()
+	if err == nil {
+		t.Fatal("expected error for short SESSION_SECRET")
+	}
+}

internal/gitea/client.go

@@ -0,0 +1,625 @@
+// Package gitea provides an aggregation layer over the Gitea API,
+// supporting concurrent fetching across multiple organizations and repos
+// with in-memory caching.
+package gitea
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"sort"
+	"strings"
+	"sync"
+	"time"
+)
+
+// Client wraps the Gitea API with aggregation and caching capabilities.
+type Client struct {
+	baseURL    string
+	httpClient *http.Client
+
+	mu    sync.RWMutex
+	cache map[string]*cacheEntry
+
+	// maxConcurrent controls the semaphore size for parallel API calls.
+	maxConcurrent int
+	// cacheTTL controls how long cache entries remain valid.
+	cacheTTL time.Duration
+}
+
+type cacheEntry struct {
+	data      interface{}
+	expiresAt time.Time
+}
+
+// Org represents a Gitea organization.
+type Org struct {
+	Name        string `json:"username"`
+	FullName    string `json:"full_name"`
+	Description string `json:"description"`
+	AvatarURL   string `json:"avatar_url"`
+}
+
+// Repo represents a Gitea repository.
+type Repo struct {
+	ID          int64  `json:"id"`
+	Name        string `json:"name"`
+	FullName    string `json:"full_name"`
+	Description string `json:"description"`
+	Owner       struct {
+		Login string `json:"login"`
+	} `json:"owner"`
+	HTMLURL   string    `json:"html_url"`
+	UpdatedAt time.Time `json:"updated_at"`
+}
+
+// Issue represents a Gitea issue.
+type Issue struct {
+	ID     int64  `json:"id"`
+	Number int64  `json:"number"`
+	Title  string `json:"title"`
+	Body   string `json:"body"`
+	State  string `json:"state"`
+	Labels []struct {
+		ID    int64  `json:"id"`
+		Name  string `json:"name"`
+		Color string `json:"color"`
+	} `json:"labels"`
+	Assignee *struct {
+		Login     string `json:"login"`
+		AvatarURL string `json:"avatar_url"`
+	} `json:"assignee"`
+	Assignees []struct {
+		Login     string `json:"login"`
+		AvatarURL string `json:"avatar_url"`
+	} `json:"assignees"`
+	HTMLURL   string    `json:"html_url"`
+	CreatedAt time.Time `json:"created_at"`
+	UpdatedAt time.Time `json:"updated_at"`
+	RepoOwner string    `json:"-"` // populated after fetch
+	RepoName  string    `json:"-"` // populated after fetch
+}
+
+// PullRequest represents a Gitea pull request.
+type PullRequest struct {
+	ID     int64  `json:"id"`
+	Number int64  `json:"number"`
+	Title  string `json:"title"`
+	Body   string `json:"body"`
+	State  string `json:"state"`
+	Labels []struct {
+		ID    int64  `json:"id"`
+		Name  string `json:"name"`
+		Color string `json:"color"`
+	} `json:"labels"`
+	User *struct {
+		Login     string `json:"login"`
+		AvatarURL string `json:"avatar_url"`
+	} `json:"user"`
+	Mergeable bool   `json:"mergeable"`
+	HTMLURL   string `json:"html_url"`
+	DiffURL   string `json:"diff_url"`
+	Additions int    `json:"additions"`
+	Deletions int    `json:"deletions"`
+	CreatedAt time.Time `json:"created_at"`
+	UpdatedAt time.Time `json:"updated_at"`
+	RepoOwner string    `json:"-"` // populated after fetch
+	RepoName  string    `json:"-"` // populated after fetch
+}
+
+// TriageItem represents an item in the triage queue.
+type TriageItem struct {
+	Type      string    // "issue" or "pull"
+	RepoOwner string
+	RepoName  string
+	Number    int64
+	Title     string
+	HTMLURL   string
+	Labels    []string
+	UpdatedAt time.Time
+}
+
+// NewClient creates a new Gitea API client.
+func NewClient(baseURL string) *Client {
+	return &Client{
+		baseURL: strings.TrimRight(baseURL, "/"),
+		httpClient: &http.Client{
+			Timeout: 30 * time.Second,
+		},
+		cache:         make(map[string]*cacheEntry),
+		maxConcurrent: 5,
+		cacheTTL:      30 * time.Second,
+	}
+}
+
+// doRequest performs an authenticated HTTP request to the Gitea API.
+func (c *Client) doRequest(ctx context.Context, token, method, path string, body io.Reader) (*http.Response, error) {
+	url := c.baseURL + "/api/v1" + path
+
+	req, err := http.NewRequestWithContext(ctx, method, url, body)
+	if err != nil {
+		return nil, fmt.Errorf("creating request: %w", err)
+	}
+
+	req.Header.Set("Authorization", "token "+token)
+	req.Header.Set("Accept", "application/json")
+	if body != nil {
+		req.Header.Set("Content-Type", "application/json")
+	}
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("executing request: %w", err)
+	}
+
+	if resp.StatusCode >= 400 {
+		defer resp.Body.Close()
+		respBody, _ := io.ReadAll(resp.Body)
+		return nil, fmt.Errorf("API error %d: %s", resp.StatusCode, string(respBody))
+	}
+
+	return resp, nil
+}
+
+// getFromCache returns cached data if still valid.
+func (c *Client) getFromCache(key string) (interface{}, bool) {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+
+	entry, ok := c.cache[key]
+	if !ok || time.Now().After(entry.expiresAt) {
+		return nil, false
+	}
+	return entry.data, true
+}
+
+// setCache stores data in cache with TTL.
+func (c *Client) setCache(key string, data interface{}) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	c.cache[key] = &cacheEntry{
+		data:      data,
+		expiresAt: time.Now().Add(c.cacheTTL),
+	}
+}
+
+// invalidateCache removes entries matching the given prefix.
+func (c *Client) invalidateCache(prefix string) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	for k := range c.cache {
+		if strings.HasPrefix(k, prefix) {
+			delete(c.cache, k)
+		}
+	}
+}
+
+// InvalidateAll clears the entire cache (called on write operations).
+func (c *Client) InvalidateAll() {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.cache = make(map[string]*cacheEntry)
+}
+
+// ListOrgs returns the organizations the authenticated user belongs to.
+func (c *Client) ListOrgs(ctx context.Context, token string) ([]Org, error) {
+	cacheKey := "orgs"
+	if cached, ok := c.getFromCache(cacheKey); ok {
+		return cached.([]Org), nil
+	}
+
+	resp, err := c.doRequest(ctx, token, http.MethodGet, "/user/orgs?limit=50", nil)
+	if err != nil {
+		return nil, fmt.Errorf("listing orgs: %w", err)
+	}
+	defer resp.Body.Close()
+
+	var orgs []Org
+	if err := json.NewDecoder(resp.Body).Decode(&orgs); err != nil {
+		return nil, fmt.Errorf("decoding orgs: %w", err)
+	}
+
+	c.setCache(cacheKey, orgs)
+	return orgs, nil
+}
+
+// ListOrgRepos returns all repositories for a given organization.
+func (c *Client) ListOrgRepos(ctx context.Context, token, org string) ([]Repo, error) {
+	cacheKey := fmt.Sprintf("repos-%s", org)
+	if cached, ok := c.getFromCache(cacheKey); ok {
+		return cached.([]Repo), nil
+	}
+
+	var allRepos []Repo
+	page := 1
+	for {
+		path := fmt.Sprintf("/orgs/%s/repos?limit=50&page=%d", org, page)
+		resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+		if err != nil {
+			return nil, fmt.Errorf("listing repos for %s: %w", org, err)
+		}
+
+		var repos []Repo
+		if err := json.NewDecoder(resp.Body).Decode(&repos); err != nil {
+			resp.Body.Close()
+			return nil, fmt.Errorf("decoding repos: %w", err)
+		}
+		resp.Body.Close()
+
+		if len(repos) == 0 {
+			break
+		}
+		allRepos = append(allRepos, repos...)
+		if len(repos) < 50 {
+			break
+		}
+		page++
+	}
+
+	c.setCache(cacheKey, allRepos)
+	return allRepos, nil
+}
+
+// ListOrgsAndRepos returns a map of org name to repos for all orgs the user belongs to.
+func (c *Client) ListOrgsAndRepos(ctx context.Context, token string) (map[string][]Repo, error) {
+	orgs, err := c.ListOrgs(ctx, token)
+	if err != nil {
+		return nil, err
+	}
+
+	result := make(map[string][]Repo)
+	var mu sync.Mutex
+	sem := make(chan struct{}, c.maxConcurrent)
+	var wg sync.WaitGroup
+	var firstErr error
+
+	for _, org := range orgs {
+		wg.Add(1)
+		go func(orgName string) {
+			defer wg.Done()
+			sem <- struct{}{}
+			defer func() { <-sem }()
+
+			repos, err := c.ListOrgRepos(ctx, token, orgName)
+			if err != nil {
+				mu.Lock()
+				if firstErr == nil {
+					firstErr = err
+				}
+				mu.Unlock()
+				return
+			}
+
+			mu.Lock()
+			result[orgName] = repos
+			mu.Unlock()
+		}(org.Name)
+	}
+
+	wg.Wait()
+
+	if firstErr != nil {
+		return nil, firstErr
+	}
+	return result, nil
+}
+
+// ListAllIssues fetches all open issues across all repos in the given orgs,
+// using concurrent requests with a semaphore.
+func (c *Client) ListAllIssues(ctx context.Context, token string, orgs []string) ([]Issue, error) {
+	cacheKey := fmt.Sprintf("issues-%s", strings.Join(orgs, ","))
+	if cached, ok := c.getFromCache(cacheKey); ok {
+		return cached.([]Issue), nil
+	}
+
+	// First, collect all repos for the given orgs.
+	var allRepos []Repo
+	for _, org := range orgs {
+		repos, err := c.ListOrgRepos(ctx, token, org)
+		if err != nil {
+			return nil, fmt.Errorf("listing repos for %s: %w", org, err)
+		}
+		allRepos = append(allRepos, repos...)
+	}
+
+	// Fan out issue fetching across repos.
+	var allIssues []Issue
+	var mu sync.Mutex
+	sem := make(chan struct{}, c.maxConcurrent)
+	var wg sync.WaitGroup
+	var firstErr error
+
+	for _, repo := range allRepos {
+		wg.Add(1)
+		go func(r Repo) {
+			defer wg.Done()
+			sem <- struct{}{}
+			defer func() { <-sem }()
+
+			path := fmt.Sprintf("/repos/%s/issues?state=open&type=issues&limit=50", r.FullName)
+			resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+			if err != nil {
+				mu.Lock()
+				if firstErr == nil {
+					firstErr = fmt.Errorf("fetching issues for %s: %w", r.FullName, err)
+				}
+				mu.Unlock()
+				return
+			}
+			defer resp.Body.Close()
+
+			var issues []Issue
+			if err := json.NewDecoder(resp.Body).Decode(&issues); err != nil {
+				mu.Lock()
+				if firstErr == nil {
+					firstErr = fmt.Errorf("decoding issues for %s: %w", r.FullName, err)
+				}
+				mu.Unlock()
+				return
+			}
+
+			// Tag each issue with repo info.
+			for i := range issues {
+				issues[i].RepoOwner = r.Owner.Login
+				issues[i].RepoName = r.Name
+			}
+
+			mu.Lock()
+			allIssues = append(allIssues, issues...)
+			mu.Unlock()
+		}(repo)
+	}
+
+	wg.Wait()
+
+	if firstErr != nil {
+		return nil, firstErr
+	}
+
+	// Sort by updated time, newest first.
+	sort.Slice(allIssues, func(i, j int) bool {
+		return allIssues[i].UpdatedAt.After(allIssues[j].UpdatedAt)
+	})
+
+	c.setCache(cacheKey, allIssues)
+	return allIssues, nil
+}
+
+// ListAllPullRequests fetches all open PRs across all repos in the given orgs.
+func (c *Client) ListAllPullRequests(ctx context.Context, token string, orgs []string) ([]PullRequest, error) {
+	cacheKey := fmt.Sprintf("pulls-%s", strings.Join(orgs, ","))
+	if cached, ok := c.getFromCache(cacheKey); ok {
+		return cached.([]PullRequest), nil
+	}
+
+	var allRepos []Repo
+	for _, org := range orgs {
+		repos, err := c.ListOrgRepos(ctx, token, org)
+		if err != nil {
+			return nil, fmt.Errorf("listing repos for %s: %w", org, err)
+		}
+		allRepos = append(allRepos, repos...)
+	}
+
+	var allPRs []PullRequest
+	var mu sync.Mutex
+	sem := make(chan struct{}, c.maxConcurrent)
+	var wg sync.WaitGroup
+	var firstErr error
+
+	for _, repo := range allRepos {
+		wg.Add(1)
+		go func(r Repo) {
+			defer wg.Done()
+			sem <- struct{}{}
+			defer func() { <-sem }()
+
+			path := fmt.Sprintf("/repos/%s/pulls?state=open&limit=50", r.FullName)
+			resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+			if err != nil {
+				mu.Lock()
+				if firstErr == nil {
+					firstErr = fmt.Errorf("fetching PRs for %s: %w", r.FullName, err)
+				}
+				mu.Unlock()
+				return
+			}
+			defer resp.Body.Close()
+
+			var prs []PullRequest
+			if err := json.NewDecoder(resp.Body).Decode(&prs); err != nil {
+				mu.Lock()
+				if firstErr == nil {
+					firstErr = fmt.Errorf("decoding PRs for %s: %w", r.FullName, err)
+				}
+				mu.Unlock()
+				return
+			}
+
+			for i := range prs {
+				prs[i].RepoOwner = r.Owner.Login
+				prs[i].RepoName = r.Name
+			}
+
+			mu.Lock()
+			allPRs = append(allPRs, prs...)
+			mu.Unlock()
+		}(repo)
+	}
+
+	wg.Wait()
+
+	if firstErr != nil {
+		return nil, firstErr
+	}
+
+	sort.Slice(allPRs, func(i, j int) bool {
+		return allPRs[i].UpdatedAt.After(allPRs[j].UpdatedAt)
+	})
+
+	c.setCache(cacheKey, allPRs)
+	return allPRs, nil
+}
+
+// GetTriageQueue returns unassigned issues and PRs needing review, sorted by priority.
+func (c *Client) GetTriageQueue(ctx context.Context, token string, orgs []string) ([]TriageItem, error) {
+	issues, err := c.ListAllIssues(ctx, token, orgs)
+	if err != nil {
+		return nil, fmt.Errorf("fetching issues for triage: %w", err)
+	}
+
+	prs, err := c.ListAllPullRequests(ctx, token, orgs)
+	if err != nil {
+		return nil, fmt.Errorf("fetching PRs for triage: %w", err)
+	}
+
+	var queue []TriageItem
+
+	// Add unassigned issues.
+	for _, issue := range issues {
+		if issue.Assignee == nil && len(issue.Assignees) == 0 {
+			var labels []string
+			for _, l := range issue.Labels {
+				labels = append(labels, l.Name)
+			}
+			queue = append(queue, TriageItem{
+				Type:      "issue",
+				RepoOwner: issue.RepoOwner,
+				RepoName:  issue.RepoName,
+				Number:    issue.Number,
+				Title:     issue.Title,
+				HTMLURL:   issue.HTMLURL,
+				Labels:    labels,
+				UpdatedAt: issue.UpdatedAt,
+			})
+		}
+	}
+
+	// Add PRs (all open PRs may need review attention).
+	for _, pr := range prs {
+		var labels []string
+		for _, l := range pr.Labels {
+			labels = append(labels, l.Name)
+		}
+		queue = append(queue, TriageItem{
+			Type:      "pull",
+			RepoOwner: pr.RepoOwner,
+			RepoName:  pr.RepoName,
+			Number:    pr.Number,
+			Title:     pr.Title,
+			HTMLURL:   pr.HTMLURL,
+			Labels:    labels,
+			UpdatedAt: pr.UpdatedAt,
+		})
+	}
+
+	// Sort by priority labels (P1 > P2 > P3 > no priority), then by updated time.
+	sort.Slice(queue, func(i, j int) bool {
+		pi := priorityScore(queue[i].Labels)
+		pj := priorityScore(queue[j].Labels)
+		if pi != pj {
+			return pi < pj // lower score = higher priority
+		}
+		return queue[i].UpdatedAt.After(queue[j].UpdatedAt)
+	})
+
+	return queue, nil
+}
+
+// CreateIssue creates a new issue in the specified repository.
+func (c *Client) CreateIssue(ctx context.Context, token, owner, repo, title, body string, labels []int64) (*Issue, error) {
+	payload := map[string]interface{}{
+		"title": title,
+		"body":  body,
+	}
+	if len(labels) > 0 {
+		payload["labels"] = labels
+	}
+
+	jsonData, err := json.Marshal(payload)
+	if err != nil {
+		return nil, fmt.Errorf("marshaling issue: %w", err)
+	}
+
+	path := fmt.Sprintf("/repos/%s/%s/issues", owner, repo)
+	resp, err := c.doRequest(ctx, token, http.MethodPost, path, strings.NewReader(string(jsonData)))
+	if err != nil {
+		return nil, fmt.Errorf("creating issue: %w", err)
+	}
+	defer resp.Body.Close()
+
+	var issue Issue
+	if err := json.NewDecoder(resp.Body).Decode(&issue); err != nil {
+		return nil, fmt.Errorf("decoding created issue: %w", err)
+	}
+
+	issue.RepoOwner = owner
+	issue.RepoName = repo
+
+	c.InvalidateAll() // Invalidate cache after write.
+	return &issue, nil
+}
+
+// ApplyLabel adds a label to an issue.
+func (c *Client) ApplyLabel(ctx context.Context, token, owner, repo string, index int64, labelIDs []int64) error {
+	payload := map[string]interface{}{
+		"labels": labelIDs,
+	}
+
+	jsonData, err := json.Marshal(payload)
+	if err != nil {
+		return fmt.Errorf("marshaling labels: %w", err)
+	}
+
+	path := fmt.Sprintf("/repos/%s/%s/issues/%d/labels", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodPost, path, strings.NewReader(string(jsonData)))
+	if err != nil {
+		return fmt.Errorf("applying labels: %w", err)
+	}
+	resp.Body.Close()
+
+	c.InvalidateAll()
+	return nil
+}
+
+// SubmitReview submits a review on a pull request.
+func (c *Client) SubmitReview(ctx context.Context, token, owner, repo string, index int64, reviewType, body string) error {
+	payload := map[string]interface{}{
+		"event": reviewType, // "APPROVED", "REQUEST_CHANGES", "COMMENT"
+		"body":  body,
+	}
+
+	jsonData, err := json.Marshal(payload)
+	if err != nil {
+		return fmt.Errorf("marshaling review: %w", err)
+	}
+
+	path := fmt.Sprintf("/repos/%s/%s/pulls/%d/reviews", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodPost, path, strings.NewReader(string(jsonData)))
+	if err != nil {
+		return fmt.Errorf("submitting review: %w", err)
+	}
+	resp.Body.Close()
+
+	c.InvalidateAll()
+	return nil
+}
+
+// priorityScore returns a numeric score for sorting (lower = higher priority).
+func priorityScore(labels []string) int {
+	for _, l := range labels {
+		switch l {
+		case "P1":
+			return 1
+		case "P2":
+			return 2
+		case "P3":
+			return 3
+		}
+	}
+	return 4 // no priority label
+}

internal/gitea/client_test.go

@@ -0,0 +1,215 @@
+package gitea
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+)
+
+func TestNewClient(t *testing.T) {
+	c := NewClient("https://gitea.example.com")
+	if c.baseURL != "https://gitea.example.com" {
+		t.Errorf("baseURL = %q, want %q", c.baseURL, "https://gitea.example.com")
+	}
+	if c.maxConcurrent != 5 {
+		t.Errorf("maxConcurrent = %d, want 5", c.maxConcurrent)
+	}
+	if c.cacheTTL != 30*time.Second {
+		t.Errorf("cacheTTL = %v, want 30s", c.cacheTTL)
+	}
+}
+
+func TestNewClient_TrailingSlash(t *testing.T) {
+	c := NewClient("https://gitea.example.com/")
+	if c.baseURL != "https://gitea.example.com" {
+		t.Errorf("baseURL = %q, want trailing slash removed", c.baseURL)
+	}
+}
+
+func TestCache(t *testing.T) {
+	c := NewClient("https://gitea.example.com")
+
+	// Cache miss.
+	_, ok := c.getFromCache("key1")
+	if ok {
+		t.Error("expected cache miss")
+	}
+
+	// Cache set and hit.
+	c.setCache("key1", "value1")
+	val, ok := c.getFromCache("key1")
+	if !ok {
+		t.Fatal("expected cache hit")
+	}
+	if val.(string) != "value1" {
+		t.Errorf("got %q, want %q", val, "value1")
+	}
+
+	// Invalidate.
+	c.invalidateCache("key")
+	_, ok = c.getFromCache("key1")
+	if ok {
+		t.Error("expected cache miss after invalidation")
+	}
+}
+
+func TestCacheExpiry(t *testing.T) {
+	c := NewClient("https://gitea.example.com")
+	c.cacheTTL = 1 * time.Millisecond
+
+	c.setCache("key1", "value1")
+	time.Sleep(5 * time.Millisecond)
+
+	_, ok := c.getFromCache("key1")
+	if ok {
+		t.Error("expected cache miss after TTL expiry")
+	}
+}
+
+func TestInvalidateAll(t *testing.T) {
+	c := NewClient("https://gitea.example.com")
+	c.setCache("key1", "value1")
+	c.setCache("key2", "value2")
+
+	c.InvalidateAll()
+
+	_, ok1 := c.getFromCache("key1")
+	_, ok2 := c.getFromCache("key2")
+	if ok1 || ok2 {
+		t.Error("expected all cache entries to be invalidated")
+	}
+}
+
+func TestPriorityScore(t *testing.T) {
+	tests := []struct {
+		labels []string
+		want   int
+	}{
+		{[]string{"P1", "bug"}, 1},
+		{[]string{"P2"}, 2},
+		{[]string{"P3", "enhancement"}, 3},
+		{[]string{"bug", "enhancement"}, 4},
+		{nil, 4},
+	}
+
+	for _, tt := range tests {
+		got := priorityScore(tt.labels)
+		if got != tt.want {
+			t.Errorf("priorityScore(%v) = %d, want %d", tt.labels, got, tt.want)
+		}
+	}
+}
+
+func TestListOrgs(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/api/v1/user/orgs" {
+			t.Errorf("unexpected path: %s", r.URL.Path)
+			http.NotFound(w, r)
+			return
+		}
+		if r.Header.Get("Authorization") != "token test-token" {
+			t.Error("missing or wrong Authorization header")
+		}
+
+		orgs := []Org{
+			{Name: "org1", FullName: "Organization 1"},
+			{Name: "org2", FullName: "Organization 2"},
+		}
+		json.NewEncoder(w).Encode(orgs)
+	}))
+	defer server.Close()
+
+	c := NewClient(server.URL)
+	orgs, err := c.ListOrgs(context.Background(), "test-token")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(orgs) != 2 {
+		t.Fatalf("got %d orgs, want 2", len(orgs))
+	}
+	if orgs[0].Name != "org1" {
+		t.Errorf("orgs[0].Name = %q, want %q", orgs[0].Name, "org1")
+	}
+}
+
+func TestListOrgs_Cached(t *testing.T) {
+	callCount := 0
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		callCount++
+		json.NewEncoder(w).Encode([]Org{{Name: "org1"}})
+	}))
+	defer server.Close()
+
+	c := NewClient(server.URL)
+
+	// First call should hit the server.
+	_, err := c.ListOrgs(context.Background(), "test-token")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	// Second call should use cache.
+	_, err = c.ListOrgs(context.Background(), "test-token")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if callCount != 1 {
+		t.Errorf("server called %d times, want 1 (cached)", callCount)
+	}
+}
+
+func TestListOrgRepos(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		repos := []Repo{
+			{ID: 1, Name: "repo1", FullName: "org1/repo1"},
+			{ID: 2, Name: "repo2", FullName: "org1/repo2"},
+		}
+		json.NewEncoder(w).Encode(repos)
+	}))
+	defer server.Close()
+
+	c := NewClient(server.URL)
+	repos, err := c.ListOrgRepos(context.Background(), "test-token", "org1")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(repos) != 2 {
+		t.Fatalf("got %d repos, want 2", len(repos))
+	}
+}
+
+func TestGetTriageQueue_Sorting(t *testing.T) {
+	queue := []TriageItem{
+		{Title: "low", Labels: []string{"P3"}, UpdatedAt: time.Now()},
+		{Title: "high", Labels: []string{"P1"}, UpdatedAt: time.Now()},
+		{Title: "medium", Labels: []string{"P2"}, UpdatedAt: time.Now()},
+		{Title: "none", Labels: nil, UpdatedAt: time.Now()},
+	}
+
+	// Apply the same sort as GetTriageQueue.
+	sortTriageQueue(queue)
+
+	expected := []string{"high", "medium", "low", "none"}
+	for i, item := range queue {
+		if item.Title != expected[i] {
+			t.Errorf("queue[%d].Title = %q, want %q", i, item.Title, expected[i])
+		}
+	}
+}
+
+// sortTriageQueue is a test helper applying the same sort as GetTriageQueue.
+func sortTriageQueue(queue []TriageItem) {
+	for i := 0; i < len(queue); i++ {
+		for j := i + 1; j < len(queue); j++ {
+			pi := priorityScore(queue[i].Labels)
+			pj := priorityScore(queue[j].Labels)
+			if pj < pi || (pj == pi && queue[j].UpdatedAt.After(queue[i].UpdatedAt)) {
+				queue[i], queue[j] = queue[j], queue[i]
+			}
+		}
+	}
+}

internal/handlers/handlers.go

@@ -0,0 +1,479 @@
+// Package handlers implements HTTP handlers for the Gitea Mobile application.
+package handlers
+
+import (
+	"fmt"
+	"html/template"
+	"log/slog"
+	"net/http"
+	"strconv"
+
+	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/config"
+	giteaclient "gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/gitea"
+	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/middleware"
+)
+
+// Handler holds shared dependencies for all HTTP handlers.
+type Handler struct {
+	Config *config.Config
+	Client *giteaclient.Client
+}
+
+// NewHandler creates a new Handler with the given config and client.
+func NewHandler(cfg *config.Config, client *giteaclient.Client) *Handler {
+	return &Handler{
+		Config: cfg,
+		Client: client,
+	}
+}
+
+// RegisterRoutes registers all HTTP routes on the given ServeMux.
+func (h *Handler) RegisterRoutes(mux *http.ServeMux) {
+	// Health endpoint.
+	mux.HandleFunc("GET /health", h.Health)
+
+	// Dashboard / triage.
+	mux.HandleFunc("GET /", h.Dashboard)
+
+	// Issues.
+	mux.HandleFunc("GET /issues", h.ListIssues)
+	mux.HandleFunc("POST /issues", h.CreateIssue)
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/labels", h.ApplyLabels)
+
+	// Pull requests.
+	mux.HandleFunc("GET /pulls", h.ListPulls)
+	mux.HandleFunc("POST /pulls/{owner}/{repo}/{index}/review", h.SubmitReview)
+
+	// Settings (handled separately for auth bypass).
+	settingsHandler := &SettingsHandler{
+		SessionSecret: h.Config.SessionSecret,
+		SecureCookies: true,
+	}
+	mux.HandleFunc("/settings", settingsHandler.ServeHTTP)
+
+	// Static files.
+	mux.Handle("/static/", http.StripPrefix("/static/", http.FileServer(http.Dir("static"))))
+}
+
+// isHTMX returns true if the request is an HTMX partial request.
+func isHTMX(r *http.Request) bool {
+	return r.Header.Get("HX-Request") == "true"
+}
+
+// getToken extracts the user's Gitea API token from request context.
+func getToken(r *http.Request) string {
+	return middleware.TokenFromContext(r.Context())
+}
+
+// getUserOrgs returns the list of org names the user belongs to.
+func (h *Handler) getUserOrgs(r *http.Request) []string {
+	token := getToken(r)
+	if token == "" {
+		return nil
+	}
+
+	orgs, err := h.Client.ListOrgs(r.Context(), token)
+	if err != nil {
+		slog.Error("failed to list orgs", "error", err)
+		return nil
+	}
+
+	var names []string
+	for _, org := range orgs {
+		names = append(names, org.Name)
+	}
+	return names
+}
+
+// Health handles GET /health for Kubernetes probes.
+func (h *Handler) Health(w http.ResponseWriter, r *http.Request) {
+	w.WriteHeader(http.StatusOK)
+	fmt.Fprintln(w, "ok")
+}
+
+// basePage is the full HTML wrapper used for non-HTMX requests.
+var basePage = template.Must(template.New("base").Parse(`<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0, viewport-fit=cover">
+  <title>{{.Title}} — Gitea Mobile</title>
+  <style>
+    * { box-sizing: border-box; margin: 0; padding: 0; }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+      background: #0d1117; color: #e6edf3;
+      padding-bottom: calc(60px + env(safe-area-inset-bottom));
+    }
+    .content { padding: 1rem; padding-top: max(1rem, env(safe-area-inset-top)); }
+    h1 { font-size: 1.25rem; margin-bottom: 1rem; }
+    .card {
+      background: #161b22; border: 1px solid #30363d; border-radius: 8px;
+      padding: 0.75rem; margin-bottom: 0.5rem;
+    }
+    .card-title { font-weight: 600; font-size: 0.9rem; margin-bottom: 0.25rem; }
+    .card-meta { font-size: 0.75rem; color: #8b949e; }
+    .label {
+      display: inline-block; font-size: 0.7rem; padding: 2px 6px;
+      border-radius: 10px; font-weight: 500; margin-right: 4px;
+    }
+    .type-badge {
+      font-size: 0.65rem; text-transform: uppercase; font-weight: 700;
+      padding: 1px 5px; border-radius: 4px; margin-right: 4px;
+    }
+    .type-issue { background: #1f6feb22; color: #58a6ff; border: 1px solid #1f6feb44; }
+    .type-pull { background: #23863622; color: #3fb950; border: 1px solid #23863644; }
+    .empty { text-align: center; color: #8b949e; padding: 2rem 1rem; }
+    .bottom-nav {
+      position: fixed; bottom: 0; left: 0; right: 0;
+      background: #161b22; border-top: 1px solid #30363d;
+      display: flex; justify-content: space-around; align-items: center;
+      height: 56px;
+      padding-bottom: env(safe-area-inset-bottom);
+    }
+    .bottom-nav a {
+      color: #8b949e; text-decoration: none; font-size: 0.7rem;
+      display: flex; flex-direction: column; align-items: center; padding: 4px 0;
+    }
+    .bottom-nav a.active { color: #58a6ff; }
+    .bottom-nav svg { width: 22px; height: 22px; margin-bottom: 2px; }
+  </style>
+  <script src="https://unpkg.com/htmx.org@1.9.10"></script>
+</head>
+<body>
+  <div class="content" id="main-content">
+    {{.Content}}
+  </div>
+  <nav class="bottom-nav">
+    <a href="/" {{if eq .ActiveTab "dashboard"}}class="active"{{end}}>
+      <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M3 9l9-7 9 7v11a2 2 0 01-2 2H5a2 2 0 01-2-2V9z"/></svg>
+      Dashboard
+    </a>
+    <a href="/issues" {{if eq .ActiveTab "issues"}}class="active"{{end}}>
+      <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><circle cx="12" cy="12" r="10"/><line x1="12" y1="8" x2="12" y2="12"/><line x1="12" y1="16" x2="12.01" y2="16"/></svg>
+      Issues
+    </a>
+    <a href="/pulls" {{if eq .ActiveTab "pulls"}}class="active"{{end}}>
+      <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><circle cx="18" cy="18" r="3"/><circle cx="6" cy="6" r="3"/><path d="M6 21V9a9 9 0 009 9"/></svg>
+      PRs
+    </a>
+    <a href="/settings" {{if eq .ActiveTab "settings"}}class="active"{{end}}>
+      <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><circle cx="12" cy="12" r="3"/><path d="M19.4 15a1.65 1.65 0 00.33 1.82l.06.06a2 2 0 010 2.83 2 2 0 01-2.83 0l-.06-.06a1.65 1.65 0 00-1.82-.33 1.65 1.65 0 00-1 1.51V21a2 2 0 01-4 0v-.09A1.65 1.65 0 009 19.4a1.65 1.65 0 00-1.82.33l-.06.06a2 2 0 01-2.83-2.83l.06-.06A1.65 1.65 0 004.68 15a1.65 1.65 0 00-1.51-1H3a2 2 0 010-4h.09A1.65 1.65 0 004.6 9a1.65 1.65 0 00-.33-1.82l-.06-.06a2 2 0 012.83-2.83l.06.06A1.65 1.65 0 009 4.68a1.65 1.65 0 001-1.51V3a2 2 0 014 0v.09a1.65 1.65 0 001 1.51 1.65 1.65 0 001.82-.33l.06-.06a2 2 0 012.83 2.83l-.06.06A1.65 1.65 0 0019.4 9a1.65 1.65 0 001.51 1H21a2 2 0 010 4h-.09a1.65 1.65 0 00-1.51 1z"/></svg>
+      Settings
+    </a>
+  </nav>
+</body>
+</html>`))
+
+type pageData struct {
+	Title     string
+	ActiveTab string
+	Content   template.HTML
+}
+
+// renderPage renders either a full page (for regular requests) or just the
+// content fragment (for HTMX requests).
+func renderPage(w http.ResponseWriter, r *http.Request, title, activeTab string, content string) {
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+
+	if isHTMX(r) {
+		fmt.Fprint(w, content)
+		return
+	}
+
+	data := pageData{
+		Title:     title,
+		ActiveTab: activeTab,
+		Content:   template.HTML(content),
+	}
+	if err := basePage.Execute(w, data); err != nil {
+		slog.Error("template render error", "error", err)
+	}
+}
+
+// Dashboard handles GET / — the triage queue.
+func (h *Handler) Dashboard(w http.ResponseWriter, r *http.Request) {
+	// Only handle exact root path.
+	if r.URL.Path != "/" {
+		http.NotFound(w, r)
+		return
+	}
+
+	token := getToken(r)
+	orgs := h.getUserOrgs(r)
+
+	if len(orgs) == 0 {
+		renderPage(w, r, "Dashboard", "dashboard",
+			`<h1>Dashboard</h1><p class="empty">No organizations found. Check your token permissions.</p>`)
+		return
+	}
+
+	queue, err := h.Client.GetTriageQueue(r.Context(), token, orgs)
+	if err != nil {
+		slog.Error("failed to get triage queue", "error", err)
+		renderPage(w, r, "Dashboard", "dashboard",
+			`<h1>Dashboard</h1><p class="empty">Error loading triage queue.</p>`)
+		return
+	}
+
+	if len(queue) == 0 {
+		renderPage(w, r, "Dashboard", "dashboard",
+			`<h1>Dashboard</h1><p class="empty">No items need attention. Nice work!</p>`)
+		return
+	}
+
+	content := `<h1>Dashboard</h1>`
+	for _, item := range queue {
+		typeBadge := `<span class="type-badge type-issue">issue</span>`
+		if item.Type == "pull" {
+			typeBadge = `<span class="type-badge type-pull">PR</span>`
+		}
+
+		labels := ""
+		for _, l := range item.Labels {
+			color := "#8b949e"
+			switch l {
+			case "P1":
+				color = "#f85149"
+			case "P2":
+				color = "#d29922"
+			case "P3":
+				color = "#58a6ff"
+			}
+			labels += fmt.Sprintf(`<span class="label" style="color:%s;border:1px solid %s">%s</span>`, color, color, template.HTMLEscapeString(l))
+		}
+
+		content += fmt.Sprintf(`<div class="card">
+  <div class="card-title">%s %s</div>
+  <div class="card-meta">%s/%s #%d %s</div>
+</div>`, typeBadge, template.HTMLEscapeString(item.Title),
+			template.HTMLEscapeString(item.RepoOwner),
+			template.HTMLEscapeString(item.RepoName),
+			item.Number, labels)
+	}
+
+	renderPage(w, r, "Dashboard", "dashboard", content)
+}
+
+// ListIssues handles GET /issues.
+func (h *Handler) ListIssues(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	orgs := h.getUserOrgs(r)
+
+	if len(orgs) == 0 {
+		renderPage(w, r, "Issues", "issues",
+			`<h1>Issues</h1><p class="empty">No organizations found.</p>`)
+		return
+	}
+
+	issues, err := h.Client.ListAllIssues(r.Context(), token, orgs)
+	if err != nil {
+		slog.Error("failed to list issues", "error", err)
+		renderPage(w, r, "Issues", "issues",
+			`<h1>Issues</h1><p class="empty">Error loading issues.</p>`)
+		return
+	}
+
+	if len(issues) == 0 {
+		renderPage(w, r, "Issues", "issues",
+			`<h1>Issues</h1><p class="empty">No open issues found.</p>`)
+		return
+	}
+
+	content := `<h1>Issues</h1>`
+	for _, issue := range issues {
+		labels := ""
+		for _, l := range issue.Labels {
+			labels += fmt.Sprintf(`<span class="label" style="color:#%s;border:1px solid #%s">%s</span>`,
+				l.Color, l.Color, template.HTMLEscapeString(l.Name))
+		}
+
+		assignee := ""
+		if issue.Assignee != nil {
+			assignee = fmt.Sprintf(` &middot; %s`, template.HTMLEscapeString(issue.Assignee.Login))
+		}
+
+		content += fmt.Sprintf(`<div class="card">
+  <div class="card-title">%s</div>
+  <div class="card-meta">%s/%s #%d %s%s</div>
+</div>`, template.HTMLEscapeString(issue.Title),
+			template.HTMLEscapeString(issue.RepoOwner),
+			template.HTMLEscapeString(issue.RepoName),
+			issue.Number, labels, assignee)
+	}
+
+	renderPage(w, r, "Issues", "issues", content)
+}
+
+// ListPulls handles GET /pulls.
+func (h *Handler) ListPulls(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	orgs := h.getUserOrgs(r)
+
+	if len(orgs) == 0 {
+		renderPage(w, r, "Pull Requests", "pulls",
+			`<h1>Pull Requests</h1><p class="empty">No organizations found.</p>`)
+		return
+	}
+
+	prs, err := h.Client.ListAllPullRequests(r.Context(), token, orgs)
+	if err != nil {
+		slog.Error("failed to list pull requests", "error", err)
+		renderPage(w, r, "Pull Requests", "pulls",
+			`<h1>Pull Requests</h1><p class="empty">Error loading pull requests.</p>`)
+		return
+	}
+
+	if len(prs) == 0 {
+		renderPage(w, r, "Pull Requests", "pulls",
+			`<h1>Pull Requests</h1><p class="empty">No open pull requests found.</p>`)
+		return
+	}
+
+	content := `<h1>Pull Requests</h1>`
+	for _, pr := range prs {
+		labels := ""
+		for _, l := range pr.Labels {
+			labels += fmt.Sprintf(`<span class="label" style="color:#%s;border:1px solid #%s">%s</span>`,
+				l.Color, l.Color, template.HTMLEscapeString(l.Name))
+		}
+
+		stats := fmt.Sprintf(`<span style="color:#3fb950">+%d</span> <span style="color:#f85149">-%d</span>`, pr.Additions, pr.Deletions)
+		mergeStatus := ""
+		if pr.Mergeable {
+			mergeStatus = `<span style="color:#3fb950;font-size:0.7rem;">mergeable</span>`
+		}
+
+		content += fmt.Sprintf(`<div class="card">
+  <div class="card-title"><span class="type-badge type-pull">PR</span> %s</div>
+  <div class="card-meta">%s/%s #%d %s %s %s</div>
+</div>`, template.HTMLEscapeString(pr.Title),
+			template.HTMLEscapeString(pr.RepoOwner),
+			template.HTMLEscapeString(pr.RepoName),
+			pr.Number, labels, stats, mergeStatus)
+	}
+
+	renderPage(w, r, "Pull Requests", "pulls", content)
+}
+
+// CreateIssue handles POST /issues.
+func (h *Handler) CreateIssue(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, "bad request", http.StatusBadRequest)
+		return
+	}
+
+	owner := r.FormValue("owner")
+	repo := r.FormValue("repo")
+	title := r.FormValue("title")
+	body := r.FormValue("body")
+
+	if owner == "" || repo == "" || title == "" {
+		http.Error(w, "owner, repo, and title are required", http.StatusBadRequest)
+		return
+	}
+
+	issue, err := h.Client.CreateIssue(r.Context(), token, owner, repo, title, body, nil)
+	if err != nil {
+		slog.Error("failed to create issue", "error", err)
+		http.Error(w, "failed to create issue", http.StatusInternalServerError)
+		return
+	}
+
+	if isHTMX(r) {
+		w.Header().Set("HX-Redirect", fmt.Sprintf("/issues/%s/%s/%d", owner, repo, issue.Number))
+		w.WriteHeader(http.StatusOK)
+		return
+	}
+
+	http.Redirect(w, r, fmt.Sprintf("/issues/%s/%s/%d", owner, repo, issue.Number), http.StatusSeeOther)
+}
+
+// ApplyLabels handles POST /issues/{owner}/{repo}/{index}/labels.
+func (h *Handler) ApplyLabels(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	owner := r.PathValue("owner")
+	repo := r.PathValue("repo")
+	indexStr := r.PathValue("index")
+
+	index, err := strconv.ParseInt(indexStr, 10, 64)
+	if err != nil {
+		http.Error(w, "invalid issue index", http.StatusBadRequest)
+		return
+	}
+
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, "bad request", http.StatusBadRequest)
+		return
+	}
+
+	var labelIDs []int64
+	for _, idStr := range r.Form["label_id"] {
+		id, err := strconv.ParseInt(idStr, 10, 64)
+		if err != nil {
+			continue
+		}
+		labelIDs = append(labelIDs, id)
+	}
+
+	if len(labelIDs) == 0 {
+		http.Error(w, "no labels specified", http.StatusBadRequest)
+		return
+	}
+
+	if err := h.Client.ApplyLabel(r.Context(), token, owner, repo, index, labelIDs); err != nil {
+		slog.Error("failed to apply labels", "error", err, "owner", owner, "repo", repo, "index", index)
+		http.Error(w, "failed to apply labels", http.StatusInternalServerError)
+		return
+	}
+
+	if isHTMX(r) {
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprint(w, `<span style="color:#3fb950">Labels applied</span>`)
+		return
+	}
+
+	http.Redirect(w, r, fmt.Sprintf("/issues/%s/%s/%d", owner, repo, index), http.StatusSeeOther)
+}
+
+// SubmitReview handles POST /pulls/{owner}/{repo}/{index}/review.
+func (h *Handler) SubmitReview(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	owner := r.PathValue("owner")
+	repo := r.PathValue("repo")
+	indexStr := r.PathValue("index")
+
+	index, err := strconv.ParseInt(indexStr, 10, 64)
+	if err != nil {
+		http.Error(w, "invalid PR index", http.StatusBadRequest)
+		return
+	}
+
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, "bad request", http.StatusBadRequest)
+		return
+	}
+
+	reviewType := r.FormValue("event") // APPROVED, REQUEST_CHANGES, COMMENT
+	body := r.FormValue("body")
+
+	if reviewType == "" {
+		http.Error(w, "review event type is required", http.StatusBadRequest)
+		return
+	}
+
+	if err := h.Client.SubmitReview(r.Context(), token, owner, repo, index, reviewType, body); err != nil {
+		slog.Error("failed to submit review", "error", err, "owner", owner, "repo", repo, "index", index)
+		http.Error(w, "failed to submit review", http.StatusInternalServerError)
+		return
+	}
+
+	if isHTMX(r) {
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprint(w, `<span style="color:#3fb950">Review submitted</span>`)
+		return
+	}
+
+	http.Redirect(w, r, fmt.Sprintf("/pulls/%s/%s/%d", owner, repo, index), http.StatusSeeOther)
+}

internal/handlers/handlers_test.go

@@ -0,0 +1,149 @@
+package handlers
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/config"
+	giteaclient "gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/gitea"
+)
+
+func newTestHandler() *Handler {
+	cfg := &config.Config{
+		GiteaURL:      "https://gitea.example.com",
+		SessionSecret: "test-secret-that-is-at-least-32-chars-long",
+		ListenAddr:    ":8080",
+	}
+	client := giteaclient.NewClient(cfg.GiteaURL)
+	return NewHandler(cfg, client)
+}
+
+func TestHealth(t *testing.T) {
+	h := newTestHandler()
+	req := httptest.NewRequest(http.MethodGet, "/health", nil)
+	w := httptest.NewRecorder()
+
+	h.Health(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
+	}
+	if body := w.Body.String(); body != "ok\n" {
+		t.Errorf("body = %q, want %q", body, "ok\n")
+	}
+}
+
+func TestDashboard_NoToken(t *testing.T) {
+	h := newTestHandler()
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	w := httptest.NewRecorder()
+
+	h.Dashboard(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
+	}
+	// Without a token in context, should show "No organizations found."
+	if body := w.Body.String(); body == "" {
+		t.Error("expected non-empty response body")
+	}
+}
+
+func TestDashboard_HTMX(t *testing.T) {
+	h := newTestHandler()
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req.Header.Set("HX-Request", "true")
+	w := httptest.NewRecorder()
+
+	h.Dashboard(w, req)
+
+	// HTMX request should not include full HTML page wrapper.
+	body := w.Body.String()
+	if body == "" {
+		t.Error("expected non-empty response body")
+	}
+	// Should NOT contain DOCTYPE for HTMX fragment.
+	if contains(body, "<!DOCTYPE") {
+		t.Error("HTMX response should not contain DOCTYPE")
+	}
+}
+
+func TestIsHTMX(t *testing.T) {
+	tests := []struct {
+		header string
+		want   bool
+	}{
+		{"true", true},
+		{"false", false},
+		{"", false},
+	}
+
+	for _, tt := range tests {
+		req := httptest.NewRequest(http.MethodGet, "/", nil)
+		if tt.header != "" {
+			req.Header.Set("HX-Request", tt.header)
+		}
+		if got := isHTMX(req); got != tt.want {
+			t.Errorf("isHTMX(HX-Request=%q) = %v, want %v", tt.header, got, tt.want)
+		}
+	}
+}
+
+func TestCreateIssue_MissingFields(t *testing.T) {
+	h := newTestHandler()
+	req := httptest.NewRequest(http.MethodPost, "/issues", nil)
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	w := httptest.NewRecorder()
+
+	h.CreateIssue(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusBadRequest)
+	}
+}
+
+func TestApplyLabels_InvalidIndex(t *testing.T) {
+	h := newTestHandler()
+	mux := http.NewServeMux()
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/labels", h.ApplyLabels)
+
+	req := httptest.NewRequest(http.MethodPost, "/issues/org/repo/abc/labels", nil)
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	w := httptest.NewRecorder()
+
+	mux.ServeHTTP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusBadRequest)
+	}
+}
+
+func TestSubmitReview_MissingEventType(t *testing.T) {
+	h := newTestHandler()
+	mux := http.NewServeMux()
+	mux.HandleFunc("POST /pulls/{owner}/{repo}/{index}/review", h.SubmitReview)
+
+	req := httptest.NewRequest(http.MethodPost, "/pulls/org/repo/1/review", nil)
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	w := httptest.NewRecorder()
+
+	mux.ServeHTTP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusBadRequest)
+	}
+}
+
+func contains(s, substr string) bool {
+	return len(s) >= len(substr) && searchString(s, substr)
+}
+
+func searchString(s, substr string) bool {
+	for i := 0; i <= len(s)-len(substr); i++ {
+		if s[i:i+len(substr)] == substr {
+			return true
+		}
+	}
+	return false
+}

internal/handlers/settings.go

@@ -0,0 +1,177 @@
+package handlers
+
+import (
+	"html/template"
+	"net/http"
+	"strings"
+
+	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/auth"
+	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/middleware"
+)
+
+var settingsTemplate = template.Must(template.New("settings").Parse(`<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0, viewport-fit=cover">
+  <title>Settings — Gitea Mobile</title>
+  <style>
+    * { box-sizing: border-box; margin: 0; padding: 0; }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+      background: #0d1117; color: #e6edf3;
+      padding: 1rem;
+      padding-top: max(1rem, env(safe-area-inset-top));
+    }
+    h1 { font-size: 1.5rem; margin-bottom: 1rem; }
+    .card {
+      background: #161b22; border: 1px solid #30363d; border-radius: 8px;
+      padding: 1rem; margin-bottom: 1rem;
+    }
+    label { display: block; font-size: 0.875rem; color: #8b949e; margin-bottom: 0.5rem; }
+    input[type="text"], input[type="password"] {
+      width: 100%; padding: 0.5rem; font-size: 1rem;
+      background: #0d1117; border: 1px solid #30363d; border-radius: 6px;
+      color: #e6edf3; margin-bottom: 1rem;
+    }
+    input:focus { outline: none; border-color: #58a6ff; }
+    button {
+      width: 100%; padding: 0.75rem; font-size: 1rem; font-weight: 600;
+      background: #238636; color: #fff; border: none; border-radius: 6px;
+      cursor: pointer;
+    }
+    button:active { background: #2ea043; }
+    .message {
+      padding: 0.75rem; border-radius: 6px; margin-bottom: 1rem;
+      font-size: 0.875rem;
+    }
+    .message.success { background: #0d2818; border: 1px solid #238636; color: #3fb950; }
+    .message.error { background: #2d1117; border: 1px solid #da3633; color: #f85149; }
+    .message.info { background: #0c1d2e; border: 1px solid #1f6feb; color: #58a6ff; }
+    .hint { font-size: 0.75rem; color: #8b949e; margin-top: 0.25rem; margin-bottom: 1rem; }
+    .status { font-size: 0.875rem; color: #8b949e; }
+    .status .connected { color: #3fb950; }
+    .logout-btn {
+      background: #21262d; border: 1px solid #30363d; margin-top: 0.5rem;
+    }
+    .logout-btn:active { background: #30363d; }
+  </style>
+</head>
+<body>
+  <h1>Settings</h1>
+
+  {{if .Message}}
+  <div class="message {{.MessageType}}">{{.Message}}</div>
+  {{end}}
+
+  {{if .HasToken}}
+  <div class="card">
+    <p class="status">Status: <span class="connected">Connected</span></p>
+    <p class="hint">A Gitea API token is configured.</p>
+    <form method="POST" action="/settings">
+      <input type="hidden" name="action" value="logout">
+      <button type="submit" class="logout-btn">Remove Token</button>
+    </form>
+  </div>
+  {{end}}
+
+  <div class="card">
+    <form method="POST" action="/settings">
+      <input type="hidden" name="action" value="save">
+      <label for="token">Gitea API Token</label>
+      <input type="password" id="token" name="token" placeholder="Enter your Gitea API token" required>
+      <p class="hint">Generate a token at your Gitea instance under Settings &rarr; Applications.</p>
+      <button type="submit">{{if .HasToken}}Update Token{{else}}Save Token{{end}}</button>
+    </form>
+  </div>
+
+  {{if .HasToken}}
+  <p style="text-align:center; margin-top:1rem;">
+    <a href="/" style="color:#58a6ff; text-decoration:none;">Back to Dashboard</a>
+  </p>
+  {{end}}
+</body>
+</html>`))
+
+// SettingsHandler handles GET and POST requests for the settings page.
+type SettingsHandler struct {
+	SessionSecret string
+	SecureCookies bool
+}
+
+type settingsData struct {
+	HasToken    bool
+	Message     string
+	MessageType string // "success", "error", "info"
+}
+
+// ServeHTTP handles the settings page.
+func (h *SettingsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	switch r.Method {
+	case http.MethodGet:
+		h.handleGet(w, r)
+	case http.MethodPost:
+		h.handlePost(w, r)
+	default:
+		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+	}
+}
+
+func (h *SettingsHandler) handleGet(w http.ResponseWriter, r *http.Request) {
+	hasToken := false
+	if token := middleware.TokenFromContext(r.Context()); token != "" {
+		hasToken = true
+	} else if _, err := auth.GetToken(r, h.SessionSecret); err == nil {
+		hasToken = true
+	}
+
+	data := settingsData{HasToken: hasToken}
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	settingsTemplate.Execute(w, data)
+}
+
+func (h *SettingsHandler) handlePost(w http.ResponseWriter, r *http.Request) {
+	if err := r.ParseForm(); err != nil {
+		h.renderWithMessage(w, r, "Failed to parse form.", "error")
+		return
+	}
+
+	action := r.FormValue("action")
+
+	switch action {
+	case "logout":
+		auth.ClearTokenCookie(w, h.SecureCookies)
+		h.renderWithMessage(w, r, "Token removed successfully.", "success")
+		return
+
+	case "save":
+		token := strings.TrimSpace(r.FormValue("token"))
+		if token == "" {
+			h.renderWithMessage(w, r, "Token cannot be empty.", "error")
+			return
+		}
+
+		auth.SetTokenCookie(w, token, h.SessionSecret, h.SecureCookies)
+		// After saving, redirect to dashboard.
+		http.Redirect(w, r, "/", http.StatusSeeOther)
+		return
+
+	default:
+		h.renderWithMessage(w, r, "Unknown action.", "error")
+	}
+}
+
+func (h *SettingsHandler) renderWithMessage(w http.ResponseWriter, r *http.Request, msg, msgType string) {
+	hasToken := false
+	if _, err := auth.GetToken(r, h.SessionSecret); err == nil {
+		hasToken = true
+	}
+
+	data := settingsData{
+		HasToken:    hasToken,
+		Message:     msg,
+		MessageType: msgType,
+	}
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	settingsTemplate.Execute(w, data)
+}

internal/middleware/auth.go

@@ -0,0 +1,54 @@
+package middleware
+
+import (
+	"context"
+	"log/slog"
+	"net/http"
+
+	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/auth"
+)
+
+// contextKey is a private type for context keys in this package.
+type contextKey string
+
+const (
+	// TokenContextKey is the context key for the Gitea API token.
+	TokenContextKey contextKey = "gitea_token"
+)
+
+// TokenFromContext extracts the Gitea API token from the request context.
+func TokenFromContext(ctx context.Context) string {
+	token, _ := ctx.Value(TokenContextKey).(string)
+	return token
+}
+
+// Auth returns middleware that checks for a valid token cookie.
+// Unauthenticated requests are redirected to the settings page.
+// The /health, /settings, and /static/ paths are exempt from auth.
+func Auth(sessionSecret string) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// Skip auth for exempt paths.
+			path := r.URL.Path
+			if path == "/health" || path == "/settings" || hasPrefix(path, "/static/") {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			token, err := auth.GetToken(r, sessionSecret)
+			if err != nil || token == "" {
+				slog.Debug("unauthenticated request, redirecting to settings", "path", path, "error", err)
+				http.Redirect(w, r, "/settings", http.StatusSeeOther)
+				return
+			}
+
+			// Inject token into request context.
+			ctx := context.WithValue(r.Context(), TokenContextKey, token)
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}
+
+func hasPrefix(s, prefix string) bool {
+	return len(s) >= len(prefix) && s[:len(prefix)] == prefix
+}

internal/middleware/auth_test.go

@@ -0,0 +1,85 @@
+package middleware
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/auth"
+)
+
+const testSecret = "test-secret-that-is-at-least-32-chars-long"
+
+func TestAuth_HealthBypass(t *testing.T) {
+	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/health", nil)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
+	}
+}
+
+func TestAuth_SettingsBypass(t *testing.T) {
+	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/settings", nil)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
+	}
+}
+
+func TestAuth_RedirectWithoutToken(t *testing.T) {
+	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != http.StatusSeeOther {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusSeeOther)
+	}
+	if loc := w.Header().Get("Location"); loc != "/settings" {
+		t.Errorf("Location = %q, want %q", loc, "/settings")
+	}
+}
+
+func TestAuth_PassWithToken(t *testing.T) {
+	called := false
+	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		called = true
+		token := TokenFromContext(r.Context())
+		if token != "my-token" {
+			t.Errorf("token = %q, want %q", token, "my-token")
+		}
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	// Set a token cookie.
+	cookieW := httptest.NewRecorder()
+	auth.SetTokenCookie(cookieW, "my-token", testSecret, false)
+	cookie := cookieW.Result().Cookies()[0]
+
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req.AddCookie(cookie)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if !called {
+		t.Error("next handler was not called")
+	}
+	if w.Code != http.StatusOK {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
+	}
+}

internal/middleware/logging.go

@@ -0,0 +1,38 @@
+package middleware
+
+import (
+	"log/slog"
+	"net/http"
+	"time"
+)
+
+// responseWriter wraps http.ResponseWriter to capture the status code.
+type responseWriter struct {
+	http.ResponseWriter
+	statusCode int
+}
+
+func (rw *responseWriter) WriteHeader(code int) {
+	rw.statusCode = code
+	rw.ResponseWriter.WriteHeader(code)
+}
+
+// Logging returns middleware that logs each HTTP request with structured logging.
+func Logging() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			start := time.Now()
+			rw := &responseWriter{ResponseWriter: w, statusCode: http.StatusOK}
+
+			next.ServeHTTP(rw, r)
+
+			slog.Info("http request",
+				"method", r.Method,
+				"path", r.URL.Path,
+				"status", rw.statusCode,
+				"duration", time.Since(start).String(),
+				"remote", r.RemoteAddr,
+			)
+		})
+	}
+}