chore: extract inline settings template to internal/templates/settings.html

Move the large inline HTML template from settings.go into a separate
file at internal/templates/settings.html, matching the project convention
used by all other handlers. The template is now loaded at render time
via template.ParseFiles, consistent with dashboard, issues, etc.

Closes leeworks-agents/gitea-mobile#126

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.gitea/workflows/build.yaml

@@ -16,7 +16,7 @@ jobs:
           go-version: '1.22'
 
       - name: Run tests
-        run: go test ./...
+        run: go test -race ./...
 
   build:
     runs-on: ubuntu-latest

Dockerfile

@@ -1,7 +1,7 @@
 # Stage 1: Build
 FROM golang:1.22-alpine AS builder
 WORKDIR /app
-COPY go.mod go.sum ./
+COPY go.mod ./
 RUN go mod download
 COPY . .
 RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /gitea-mobile ./cmd/server

internal/gitea/client.go

@@ -107,6 +107,7 @@ type PullRequest struct {
 	UpdatedAt time.Time `json:"updated_at"`
 	RepoOwner   string `json:"-"` // populated after fetch
 	RepoName    string `json:"-"` // populated after fetch
+	ReviewState string `json:"-"` // aggregated review state: "approved", "changes_requested", "pending", or ""
 }
 
 // TriageItem represents an item in the triage queue.
@@ -944,6 +945,74 @@ func (c *Client) RenderMarkdown(ctx context.Context, token, text string) (string
 	return string(rendered), nil
 }
 
+// Review represents a single review on a pull request.
+type Review struct {
+	ID   int64  `json:"id"`
+	Body string `json:"body"`
+	State string `json:"state"` // "APPROVED", "REQUEST_CHANGES", "COMMENT", "PENDING"
+	User  struct {
+		Login string `json:"login"`
+	} `json:"user"`
+}
+
+// GetPullReviewState fetches reviews for a PR and returns the aggregate state.
+// Priority: changes_requested > approved > pending > "" (no reviews).
+func (c *Client) GetPullReviewState(ctx context.Context, token, owner, repo string, index int64) string {
+	path := fmt.Sprintf("/repos/%s/%s/pulls/%d/reviews?limit=50", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+	if err != nil {
+		return ""
+	}
+	defer resp.Body.Close()
+
+	var reviews []Review
+	if err := json.NewDecoder(resp.Body).Decode(&reviews); err != nil {
+		return ""
+	}
+
+	if len(reviews) == 0 {
+		return ""
+	}
+
+	// Aggregate: last non-comment review per user wins, then pick the "worst" state.
+	userState := make(map[string]string)
+	for _, r := range reviews {
+		switch r.State {
+		case "APPROVED", "REQUEST_CHANGES":
+			userState[r.User.Login] = r.State
+		}
+	}
+
+	if len(userState) == 0 {
+		return "pending"
+	}
+
+	for _, s := range userState {
+		if s == "REQUEST_CHANGES" {
+			return "changes_requested"
+		}
+	}
+	return "approved"
+}
+
+// EnrichPullsWithReviewState fetches review state for each PR concurrently.
+func (c *Client) EnrichPullsWithReviewState(ctx context.Context, token string, pulls []PullRequest) {
+	sem := make(chan struct{}, c.maxConcurrent)
+	var wg sync.WaitGroup
+
+	for i := range pulls {
+		wg.Add(1)
+		go func(idx int) {
+			defer wg.Done()
+			sem <- struct{}{}
+			defer func() { <-sem }()
+
+			pulls[idx].ReviewState = c.GetPullReviewState(ctx, token, pulls[idx].RepoOwner, pulls[idx].RepoName, pulls[idx].Number)
+		}(i)
+	}
+	wg.Wait()
+}
+
 // priorityScore returns a numeric score for sorting (lower = higher priority).
 func priorityScore(labels []string) int {
 	for _, l := range labels {

internal/gitea/client_test.go

@@ -3,6 +3,7 @@ package gitea
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -374,3 +375,580 @@ func sortTriageQueue(queue []TriageItem) {
 		}
 	}
 }
+
+// --- Issue #122: Tests for ListOrgsAndRepos and CreateIssue ---
+
+func TestListOrgsAndRepos(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/api/v1/user/orgs":
+			orgs := []Org{
+				{Name: "org1", FullName: "Organization 1"},
+				{Name: "org2", FullName: "Organization 2"},
+			}
+			json.NewEncoder(w).Encode(orgs)
+		case "/api/v1/orgs/org1/repos":
+			repos := []Repo{
+				{ID: 1, Name: "repo-a", FullName: "org1/repo-a"},
+				{ID: 2, Name: "repo-b", FullName: "org1/repo-b"},
+			}
+			json.NewEncoder(w).Encode(repos)
+		case "/api/v1/orgs/org2/repos":
+			repos := []Repo{
+				{ID: 3, Name: "repo-c", FullName: "org2/repo-c"},
+			}
+			json.NewEncoder(w).Encode(repos)
+		default:
+			t.Errorf("unexpected request path: %s", r.URL.Path)
+			http.NotFound(w, r)
+		}
+	}))
+	defer server.Close()
+
+	c := NewClient(server.URL)
+	result, err := c.ListOrgsAndRepos(context.Background(), "test-token")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if len(result) != 2 {
+		t.Fatalf("got %d orgs, want 2", len(result))
+	}
+	if len(result["org1"]) != 2 {
+		t.Errorf("org1 has %d repos, want 2", len(result["org1"]))
+	}
+	if len(result["org2"]) != 1 {
+		t.Errorf("org2 has %d repos, want 1", len(result["org2"]))
+	}
+	if result["org1"][0].Name != "repo-a" {
+		t.Errorf("org1 repos[0].Name = %q, want %q", result["org1"][0].Name, "repo-a")
+	}
+	if result["org2"][0].Name != "repo-c" {
+		t.Errorf("org2 repos[0].Name = %q, want %q", result["org2"][0].Name, "repo-c")
+	}
+}
+
+func TestListOrgsAndRepos_Cached(t *testing.T) {
+	orgCallCount := 0
+	repoCallCount := 0
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/api/v1/user/orgs":
+			orgCallCount++
+			json.NewEncoder(w).Encode([]Org{{Name: "org1"}})
+		case "/api/v1/orgs/org1/repos":
+			repoCallCount++
+			json.NewEncoder(w).Encode([]Repo{{ID: 1, Name: "repo1", FullName: "org1/repo1"}})
+		default:
+			http.NotFound(w, r)
+		}
+	}))
+	defer server.Close()
+
+	c := NewClient(server.URL)
+
+	// First call populates cache.
+	_, err := c.ListOrgsAndRepos(context.Background(), "test-token")
+	if err != nil {
+		t.Fatalf("first call: %v", err)
+	}
+
+	// Second call should use cached orgs and repos (ListOrgs and ListOrgRepos both cache).
+	_, err = c.ListOrgsAndRepos(context.Background(), "test-token")
+	if err != nil {
+		t.Fatalf("second call: %v", err)
+	}
+
+	if orgCallCount != 1 {
+		t.Errorf("org endpoint called %d times, want 1 (cached)", orgCallCount)
+	}
+	if repoCallCount != 1 {
+		t.Errorf("repo endpoint called %d times, want 1 (cached)", repoCallCount)
+	}
+}
+
+func TestCreateIssue(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodPost {
+			t.Errorf("expected POST, got %s", r.Method)
+		}
+		if r.URL.Path != "/api/v1/repos/owner1/repo1/issues" {
+			t.Errorf("unexpected path: %s", r.URL.Path)
+		}
+		if r.Header.Get("Authorization") != "token test-token" {
+			t.Error("missing or wrong Authorization header")
+		}
+
+		var body map[string]interface{}
+		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+			t.Fatalf("failed to decode body: %v", err)
+		}
+		if body["title"] != "Test Issue" {
+			t.Errorf("expected title='Test Issue', got %q", body["title"])
+		}
+		if body["body"] != "Issue body here" {
+			t.Errorf("expected body='Issue body here', got %q", body["body"])
+		}
+
+		issue := map[string]interface{}{
+			"id":         1,
+			"number":     42,
+			"title":      body["title"],
+			"body":       body["body"],
+			"state":      "open",
+			"created_at": "2026-03-28T00:00:00Z",
+			"updated_at": "2026-03-28T00:00:00Z",
+		}
+		w.WriteHeader(http.StatusCreated)
+		json.NewEncoder(w).Encode(issue)
+	}))
+	defer server.Close()
+
+	c := NewClient(server.URL)
+	// Pre-populate cache to verify invalidation.
+	c.setCache("issues-org1", "should-be-invalidated")
+
+	issue, err := c.CreateIssue(context.Background(), "test-token", "owner1", "repo1", "Test Issue", "Issue body here", nil)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if issue.Title != "Test Issue" {
+		t.Errorf("issue.Title = %q, want %q", issue.Title, "Test Issue")
+	}
+	if issue.Number != 42 {
+		t.Errorf("issue.Number = %d, want 42", issue.Number)
+	}
+	if issue.RepoOwner != "owner1" {
+		t.Errorf("issue.RepoOwner = %q, want %q", issue.RepoOwner, "owner1")
+	}
+	if issue.RepoName != "repo1" {
+		t.Errorf("issue.RepoName = %q, want %q", issue.RepoName, "repo1")
+	}
+
+	// Verify cache was invalidated.
+	_, ok := c.getFromCache("issues-org1")
+	if ok {
+		t.Error("expected cache to be invalidated after CreateIssue")
+	}
+}
+
+func TestCreateIssue_WithLabels(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		var body map[string]interface{}
+		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+			t.Fatalf("failed to decode body: %v", err)
+		}
+
+		labels, ok := body["labels"]
+		if !ok {
+			t.Error("expected labels in request body")
+		}
+		labelSlice, ok := labels.([]interface{})
+		if !ok || len(labelSlice) != 2 {
+			t.Errorf("expected 2 labels, got %v", labels)
+		}
+
+		issue := map[string]interface{}{
+			"id":         2,
+			"number":     43,
+			"title":      body["title"],
+			"body":       body["body"],
+			"state":      "open",
+			"created_at": "2026-03-28T00:00:00Z",
+			"updated_at": "2026-03-28T00:00:00Z",
+		}
+		w.WriteHeader(http.StatusCreated)
+		json.NewEncoder(w).Encode(issue)
+	}))
+	defer server.Close()
+
+	c := NewClient(server.URL)
+	issue, err := c.CreateIssue(context.Background(), "test-token", "owner1", "repo1", "Labeled Issue", "body", []int64{10, 20})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if issue.Number != 43 {
+		t.Errorf("issue.Number = %d, want 43", issue.Number)
+	}
+}
+
+// --- Issue #121: Tests for ListAllIssues and ListAllPullRequests ---
+
+// newFanOutServer creates a mock HTTP server that serves orgs, repos, issues, and PRs
+// for testing the fan-out aggregation functions.
+func newFanOutServer(t *testing.T) *httptest.Server {
+	t.Helper()
+
+	now := time.Date(2026, 3, 28, 12, 0, 0, 0, time.UTC)
+
+	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch {
+		case r.URL.Path == "/api/v1/orgs/org1/repos":
+			repos := []Repo{
+				{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
+					Login string `json:"login"`
+				}{Login: "org1"}},
+				{ID: 2, Name: "repo-b", FullName: "org1/repo-b", Owner: struct {
+					Login string `json:"login"`
+				}{Login: "org1"}},
+			}
+			json.NewEncoder(w).Encode(repos)
+
+		case r.URL.Path == "/api/v1/repos/org1/repo-a/issues":
+			issues := []Issue{
+				{ID: 1, Number: 1, Title: "Issue A1", State: "open", UpdatedAt: now.Add(-1 * time.Hour)},
+				{ID: 2, Number: 2, Title: "Issue A2", State: "open", UpdatedAt: now.Add(-3 * time.Hour)},
+			}
+			json.NewEncoder(w).Encode(issues)
+
+		case r.URL.Path == "/api/v1/repos/org1/repo-b/issues":
+			issues := []Issue{
+				{ID: 3, Number: 1, Title: "Issue B1", State: "open", UpdatedAt: now.Add(-2 * time.Hour)},
+			}
+			json.NewEncoder(w).Encode(issues)
+
+		case r.URL.Path == "/api/v1/repos/org1/repo-a/pulls":
+			prs := []PullRequest{
+				{ID: 10, Number: 5, Title: "PR A1", State: "open", UpdatedAt: now.Add(-30 * time.Minute)},
+			}
+			json.NewEncoder(w).Encode(prs)
+
+		case r.URL.Path == "/api/v1/repos/org1/repo-b/pulls":
+			prs := []PullRequest{
+				{ID: 11, Number: 6, Title: "PR B1", State: "open", UpdatedAt: now.Add(-10 * time.Minute)},
+				{ID: 12, Number: 7, Title: "PR B2", State: "open", UpdatedAt: now.Add(-1 * time.Hour)},
+			}
+			json.NewEncoder(w).Encode(prs)
+
+		default:
+			t.Errorf("unexpected request path: %s", r.URL.Path)
+			http.NotFound(w, r)
+		}
+	}))
+}
+
+func TestListAllIssues_Sorting(t *testing.T) {
+	server := newFanOutServer(t)
+	defer server.Close()
+
+	c := NewClient(server.URL)
+	// Pre-populate org repos cache to avoid needing the /user/orgs endpoint.
+	c.setCache("repos-org1", []Repo{
+		{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
+			Login string `json:"login"`
+		}{Login: "org1"}},
+		{ID: 2, Name: "repo-b", FullName: "org1/repo-b", Owner: struct {
+			Login string `json:"login"`
+		}{Login: "org1"}},
+	})
+
+	result, err := c.ListAllIssues(context.Background(), "test-token", []string{"org1"}, "open", 1, "", "")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if len(result.Issues) != 3 {
+		t.Fatalf("got %d issues, want 3", len(result.Issues))
+	}
+
+	// Should be sorted by UpdatedAt descending (newest first).
+	// Issue A1 (-1h), Issue B1 (-2h), Issue A2 (-3h).
+	expected := []string{"Issue A1", "Issue B1", "Issue A2"}
+	for i, title := range expected {
+		if result.Issues[i].Title != title {
+			t.Errorf("issues[%d].Title = %q, want %q", i, result.Issues[i].Title, title)
+		}
+	}
+}
+
+func TestListAllIssues_StateFilter(t *testing.T) {
+	stateReceived := ""
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch {
+		case r.URL.Path == "/api/v1/orgs/org1/repos":
+			repos := []Repo{
+				{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
+					Login string `json:"login"`
+				}{Login: "org1"}},
+			}
+			json.NewEncoder(w).Encode(repos)
+		case r.URL.Path == "/api/v1/repos/org1/repo-a/issues":
+			stateReceived = r.URL.Query().Get("state")
+			json.NewEncoder(w).Encode([]Issue{})
+		default:
+			http.NotFound(w, r)
+		}
+	}))
+	defer server.Close()
+
+	c := NewClient(server.URL)
+	c.setCache("repos-org1", []Repo{
+		{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
+			Login string `json:"login"`
+		}{Login: "org1"}},
+	})
+
+	_, err := c.ListAllIssues(context.Background(), "test-token", []string{"org1"}, "closed", 1, "", "")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if stateReceived != "closed" {
+		t.Errorf("state query param = %q, want %q", stateReceived, "closed")
+	}
+}
+
+func TestListAllIssues_DefaultState(t *testing.T) {
+	stateReceived := ""
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch {
+		case r.URL.Path == "/api/v1/orgs/org1/repos":
+			json.NewEncoder(w).Encode([]Repo{
+				{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
+					Login string `json:"login"`
+				}{Login: "org1"}},
+			})
+		case r.URL.Path == "/api/v1/repos/org1/repo-a/issues":
+			stateReceived = r.URL.Query().Get("state")
+			json.NewEncoder(w).Encode([]Issue{})
+		default:
+			http.NotFound(w, r)
+		}
+	}))
+	defer server.Close()
+
+	c := NewClient(server.URL)
+	c.setCache("repos-org1", []Repo{
+		{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
+			Login string `json:"login"`
+		}{Login: "org1"}},
+	})
+
+	_, err := c.ListAllIssues(context.Background(), "test-token", []string{"org1"}, "", 1, "", "")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if stateReceived != "open" {
+		t.Errorf("default state = %q, want %q", stateReceived, "open")
+	}
+}
+
+func TestListAllIssues_RepoFilter(t *testing.T) {
+	server := newFanOutServer(t)
+	defer server.Close()
+
+	c := NewClient(server.URL)
+	c.setCache("repos-org1", []Repo{
+		{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
+			Login string `json:"login"`
+		}{Login: "org1"}},
+		{ID: 2, Name: "repo-b", FullName: "org1/repo-b", Owner: struct {
+			Login string `json:"login"`
+		}{Login: "org1"}},
+	})
+
+	result, err := c.ListAllIssues(context.Background(), "test-token", []string{"org1"}, "open", 1, "", "repo-a")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	// Only issues from repo-a should be returned.
+	if len(result.Issues) != 2 {
+		t.Fatalf("got %d issues, want 2 (only from repo-a)", len(result.Issues))
+	}
+	for _, issue := range result.Issues {
+		if issue.RepoName != "repo-a" {
+			t.Errorf("issue %q has RepoName=%q, want repo-a", issue.Title, issue.RepoName)
+		}
+	}
+}
+
+func TestListAllIssues_Pagination(t *testing.T) {
+	now := time.Date(2026, 3, 28, 12, 0, 0, 0, time.UTC)
+
+	// Create enough issues to test pagination (PageSize = 20).
+	var issues []Issue
+	for i := 0; i < 25; i++ {
+		issues = append(issues, Issue{
+			ID:        int64(i + 1),
+			Number:    int64(i + 1),
+			Title:     fmt.Sprintf("Issue %d", i+1),
+			State:     "open",
+			UpdatedAt: now.Add(time.Duration(-i) * time.Hour),
+		})
+	}
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch {
+		case r.URL.Path == "/api/v1/orgs/org1/repos":
+			json.NewEncoder(w).Encode([]Repo{
+				{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
+					Login string `json:"login"`
+				}{Login: "org1"}},
+			})
+		case r.URL.Path == "/api/v1/repos/org1/repo-a/issues":
+			json.NewEncoder(w).Encode(issues)
+		default:
+			http.NotFound(w, r)
+		}
+	}))
+	defer server.Close()
+
+	c := NewClient(server.URL)
+	c.setCache("repos-org1", []Repo{
+		{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
+			Login string `json:"login"`
+		}{Login: "org1"}},
+	})
+
+	// Page 1: should have 20 items with HasMore=true.
+	page1, err := c.ListAllIssues(context.Background(), "test-token", []string{"org1"}, "open", 1, "", "")
+	if err != nil {
+		t.Fatalf("page 1: %v", err)
+	}
+	if len(page1.Issues) != 20 {
+		t.Errorf("page 1: got %d issues, want 20", len(page1.Issues))
+	}
+	if !page1.HasMore {
+		t.Error("page 1: HasMore should be true")
+	}
+
+	// Page 2: should have 5 items with HasMore=false.
+	page2, err := c.ListAllIssues(context.Background(), "test-token", []string{"org1"}, "open", 2, "", "")
+	if err != nil {
+		t.Fatalf("page 2: %v", err)
+	}
+	if len(page2.Issues) != 5 {
+		t.Errorf("page 2: got %d issues, want 5", len(page2.Issues))
+	}
+	if page2.HasMore {
+		t.Error("page 2: HasMore should be false")
+	}
+}
+
+func TestListAllPullRequests_Sorting(t *testing.T) {
+	server := newFanOutServer(t)
+	defer server.Close()
+
+	c := NewClient(server.URL)
+	c.setCache("repos-org1", []Repo{
+		{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
+			Login string `json:"login"`
+		}{Login: "org1"}},
+		{ID: 2, Name: "repo-b", FullName: "org1/repo-b", Owner: struct {
+			Login string `json:"login"`
+		}{Login: "org1"}},
+	})
+
+	result, err := c.ListAllPullRequests(context.Background(), "test-token", []string{"org1"}, "open", 1, "", "")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if len(result.Pulls) != 3 {
+		t.Fatalf("got %d PRs, want 3", len(result.Pulls))
+	}
+
+	// Should be sorted by UpdatedAt descending.
+	// PR B1 (-10m), PR A1 (-30m), PR B2 (-1h).
+	expected := []string{"PR B1", "PR A1", "PR B2"}
+	for i, title := range expected {
+		if result.Pulls[i].Title != title {
+			t.Errorf("pulls[%d].Title = %q, want %q", i, result.Pulls[i].Title, title)
+		}
+	}
+}
+
+func TestListAllPullRequests_StateFilter(t *testing.T) {
+	stateReceived := ""
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch {
+		case r.URL.Path == "/api/v1/orgs/org1/repos":
+			json.NewEncoder(w).Encode([]Repo{
+				{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
+					Login string `json:"login"`
+				}{Login: "org1"}},
+			})
+		case r.URL.Path == "/api/v1/repos/org1/repo-a/pulls":
+			stateReceived = r.URL.Query().Get("state")
+			json.NewEncoder(w).Encode([]PullRequest{})
+		default:
+			http.NotFound(w, r)
+		}
+	}))
+	defer server.Close()
+
+	c := NewClient(server.URL)
+	c.setCache("repos-org1", []Repo{
+		{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
+			Login string `json:"login"`
+		}{Login: "org1"}},
+	})
+
+	_, err := c.ListAllPullRequests(context.Background(), "test-token", []string{"org1"}, "closed", 1, "", "")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if stateReceived != "closed" {
+		t.Errorf("state query param = %q, want %q", stateReceived, "closed")
+	}
+}
+
+func TestListAllPullRequests_Pagination(t *testing.T) {
+	now := time.Date(2026, 3, 28, 12, 0, 0, 0, time.UTC)
+
+	var prs []PullRequest
+	for i := 0; i < 25; i++ {
+		prs = append(prs, PullRequest{
+			ID:        int64(i + 1),
+			Number:    int64(i + 1),
+			Title:     fmt.Sprintf("PR %d", i+1),
+			State:     "open",
+			UpdatedAt: now.Add(time.Duration(-i) * time.Hour),
+		})
+	}
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch {
+		case r.URL.Path == "/api/v1/orgs/org1/repos":
+			json.NewEncoder(w).Encode([]Repo{
+				{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
+					Login string `json:"login"`
+				}{Login: "org1"}},
+			})
+		case r.URL.Path == "/api/v1/repos/org1/repo-a/pulls":
+			json.NewEncoder(w).Encode(prs)
+		default:
+			http.NotFound(w, r)
+		}
+	}))
+	defer server.Close()
+
+	c := NewClient(server.URL)
+	c.setCache("repos-org1", []Repo{
+		{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
+			Login string `json:"login"`
+		}{Login: "org1"}},
+	})
+
+	page1, err := c.ListAllPullRequests(context.Background(), "test-token", []string{"org1"}, "open", 1, "", "")
+	if err != nil {
+		t.Fatalf("page 1: %v", err)
+	}
+	if len(page1.Pulls) != 20 {
+		t.Errorf("page 1: got %d PRs, want 20", len(page1.Pulls))
+	}
+	if !page1.HasMore {
+		t.Error("page 1: HasMore should be true")
+	}
+
+	page2, err := c.ListAllPullRequests(context.Background(), "test-token", []string{"org1"}, "open", 2, "", "")
+	if err != nil {
+		t.Fatalf("page 2: %v", err)
+	}
+	if len(page2.Pulls) != 5 {
+		t.Errorf("page 2: got %d PRs, want 5", len(page2.Pulls))
+	}
+	if page2.HasMore {
+		t.Error("page 2: HasMore should be false")
+	}
+}

internal/handlers/handlers.go

@@ -55,6 +55,7 @@ func (h *Handler) RegisterRoutes(mux *http.ServeMux) {
 	mux.HandleFunc("GET /pulls", h.ListPulls)
 	mux.HandleFunc("GET /pulls/{owner}/{repo}/{index}", h.PullDetail)
 	mux.HandleFunc("POST /pulls/{owner}/{repo}/{index}/review", h.SubmitReview)
+	mux.HandleFunc("POST /pulls/{owner}/{repo}/{index}/state", h.SetPullState)
 
 	// Settings (handled separately for auth bypass).
 	settingsHandler := &SettingsHandler{
@@ -411,6 +412,10 @@ func (h *Handler) ListPulls(w http.ResponseWriter, r *http.Request) {
 			if result.HasMore {
 				data.NextPage = page + 1
 			}
+			// Enrich PRs with review state for status icons.
+			if len(data.Pulls) > 0 {
+				h.Client.EnrichPullsWithReviewState(r.Context(), token, data.Pulls)
+			}
 		}
 	}
 
@@ -886,6 +891,53 @@ func (h *Handler) SetIssueState(w http.ResponseWriter, r *http.Request) {
 	http.Redirect(w, r, fmt.Sprintf("/issues/%s/%s/%d", owner, repo, index), http.StatusSeeOther)
 }
 
+// SetPullState handles POST /pulls/{owner}/{repo}/{index}/state.
+func (h *Handler) SetPullState(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	owner := r.PathValue("owner")
+	repo := r.PathValue("repo")
+	indexStr := r.PathValue("index")
+
+	index, err := strconv.ParseInt(indexStr, 10, 64)
+	if err != nil {
+		http.Error(w, "invalid pull request index", http.StatusBadRequest)
+		return
+	}
+
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, "bad request", http.StatusBadRequest)
+		return
+	}
+
+	state := r.FormValue("state")
+	if state != "open" && state != "closed" {
+		http.Error(w, "state must be 'open' or 'closed'", http.StatusBadRequest)
+		return
+	}
+
+	if err := h.Client.SetIssueState(r.Context(), token, owner, repo, index, state); err != nil {
+		slog.Error("failed to set pull request state", "error", err, "owner", owner, "repo", repo, "index", index, "state", state)
+		http.Error(w, "failed to update pull request state", http.StatusInternalServerError)
+		return
+	}
+
+	if isHTMX(r) {
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		if state == "closed" {
+			fmt.Fprintf(w, `<span class="state-closed" id="pull-state">closed</span>
+<button class="btn btn-secondary" hx-post="/pulls/%s/%s/%d/state" hx-vals='{"state":"open"}' hx-target="#state-section" hx-swap="innerHTML">Reopen PR</button>`,
+				template.HTMLEscapeString(owner), template.HTMLEscapeString(repo), index)
+		} else {
+			fmt.Fprintf(w, `<span class="state-open" id="pull-state">open</span>
+<button class="btn btn-danger" hx-post="/pulls/%s/%s/%d/state" hx-vals='{"state":"closed"}' hx-target="#state-section" hx-swap="innerHTML">Close PR</button>`,
+				template.HTMLEscapeString(owner), template.HTMLEscapeString(repo), index)
+		}
+		return
+	}
+
+	http.Redirect(w, r, fmt.Sprintf("/pulls/%s/%s/%d", owner, repo, index), http.StatusSeeOther)
+}
+
 // AddComment handles POST /issues/{owner}/{repo}/{index}/comment.
 func (h *Handler) AddComment(w http.ResponseWriter, r *http.Request) {
 	token := getToken(r)

internal/handlers/settings.go

@@ -2,6 +2,7 @@ package handlers
 
 import (
 	"html/template"
+	"log/slog"
 	"net/http"
 	"strings"
 
@@ -9,89 +10,7 @@ import (
 	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/middleware"
 )
 
-var settingsTemplate = template.Must(template.New("settings").Parse(`<!DOCTYPE html>
+const settingsTemplatePath = "internal/templates/settings.html"
-<html lang="en">
-<head>
-  <meta charset="UTF-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1.0, viewport-fit=cover">
-  <title>Settings — Gitea Mobile</title>
-  <style>
-    * { box-sizing: border-box; margin: 0; padding: 0; }
-    body {
-      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
-      background: #0d1117; color: #e6edf3;
-      padding: 1rem;
-      padding-top: max(1rem, env(safe-area-inset-top));
-    }
-    h1 { font-size: 1.5rem; margin-bottom: 1rem; }
-    .card {
-      background: #161b22; border: 1px solid #30363d; border-radius: 8px;
-      padding: 1rem; margin-bottom: 1rem;
-    }
-    label { display: block; font-size: 0.875rem; color: #8b949e; margin-bottom: 0.5rem; }
-    input[type="text"], input[type="password"] {
-      width: 100%; padding: 0.5rem; font-size: 1rem;
-      background: #0d1117; border: 1px solid #30363d; border-radius: 6px;
-      color: #e6edf3; margin-bottom: 1rem;
-    }
-    input:focus { outline: none; border-color: #58a6ff; }
-    button {
-      width: 100%; padding: 0.75rem; font-size: 1rem; font-weight: 600;
-      background: #238636; color: #fff; border: none; border-radius: 6px;
-      cursor: pointer;
-    }
-    button:active { background: #2ea043; }
-    .message {
-      padding: 0.75rem; border-radius: 6px; margin-bottom: 1rem;
-      font-size: 0.875rem;
-    }
-    .message.success { background: #0d2818; border: 1px solid #238636; color: #3fb950; }
-    .message.error { background: #2d1117; border: 1px solid #da3633; color: #f85149; }
-    .message.info { background: #0c1d2e; border: 1px solid #1f6feb; color: #58a6ff; }
-    .hint { font-size: 0.75rem; color: #8b949e; margin-top: 0.25rem; margin-bottom: 1rem; }
-    .status { font-size: 0.875rem; color: #8b949e; }
-    .status .connected { color: #3fb950; }
-    .logout-btn {
-      background: #21262d; border: 1px solid #30363d; margin-top: 0.5rem;
-    }
-    .logout-btn:active { background: #30363d; }
-  </style>
-</head>
-<body>
-  <h1>Settings</h1>
-
-  {{if .Message}}
-  <div class="message {{.MessageType}}">{{.Message}}</div>
-  {{end}}
-
-  {{if .HasToken}}
-  <div class="card">
-    <p class="status">Status: <span class="connected">Connected</span></p>
-    <p class="hint">A Gitea API token is configured.</p>
-    <form method="POST" action="/settings">
-      <input type="hidden" name="action" value="logout">
-      <button type="submit" class="logout-btn">Remove Token</button>
-    </form>
-  </div>
-  {{end}}
-
-  <div class="card">
-    <form method="POST" action="/settings">
-      <input type="hidden" name="action" value="save">
-      <label for="token">Gitea API Token</label>
-      <input type="password" id="token" name="token" placeholder="Enter your Gitea API token" required>
-      <p class="hint">Generate a token at your Gitea instance under Settings &rarr; Applications.</p>
-      <button type="submit">{{if .HasToken}}Update Token{{else}}Save Token{{end}}</button>
-    </form>
-  </div>
-
-  {{if .HasToken}}
-  <p style="text-align:center; margin-top:1rem;">
-    <a href="/" style="color:#58a6ff; text-decoration:none;">Back to Dashboard</a>
-  </p>
-  {{end}}
-</body>
-</html>`))
 
 // SettingsHandler handles GET and POST requests for the settings page.
 type SettingsHandler struct {
@@ -126,8 +45,7 @@ func (h *SettingsHandler) handleGet(w http.ResponseWriter, r *http.Request) {
 	}
 
 	data := settingsData{HasToken: hasToken}
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	h.renderSettings(w, data)
-	settingsTemplate.Execute(w, data)
 }
 
 func (h *SettingsHandler) handlePost(w http.ResponseWriter, r *http.Request) {
@@ -172,6 +90,18 @@ func (h *SettingsHandler) renderWithMessage(w http.ResponseWriter, r *http.Reque
 		Message:     msg,
 		MessageType: msgType,
 	}
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	h.renderSettings(w, data)
-	settingsTemplate.Execute(w, data)
+}
+
+func (h *SettingsHandler) renderSettings(w http.ResponseWriter, data settingsData) {
+	tmpl, err := template.ParseFiles(settingsTemplatePath)
+	if err != nil {
+		slog.Error("failed to parse settings template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	if err := tmpl.Execute(w, data); err != nil {
+		slog.Error("failed to execute settings template", "error", err)
+	}
 }

internal/templates/issues.html

@@ -8,7 +8,7 @@
       <span class="label" style="color:#{{.Color}};border:1px solid #{{.Color}}">{{.Name}}</span>
       {{end}}
       {{if .Assignee}}
-      <span>{{.Assignee.Login}}</span>
+      <img src="{{.Assignee.AvatarURL}}" alt="{{.Assignee.Login}}" class="avatar" title="Assigned to {{.Assignee.Login}}">
       {{end}}
     </div>
   </div>

internal/templates/pull_detail.html

@@ -4,7 +4,7 @@
 <div class="card">
   <div class="card-meta">
     <span class="type-badge type-pull">PR</span>
-    <span class="state-open">{{.Pull.State}}</span>
+    {{if eq .Pull.State "closed"}}<span class="state-closed">{{.Pull.State}}</span>{{else}}<span class="state-open">{{.Pull.State}}</span>{{end}}
     <span>{{.Pull.RepoOwner}}/{{.Pull.RepoName}} #{{.Pull.Number}}</span>
     {{range .Pull.Labels}}
     <span class="label" style="color:#{{.Color}};border:1px solid #{{.Color}}">{{.Name}}</span>
@@ -15,6 +15,17 @@
     <span class="diff-del">-{{.Pull.Deletions}}</span>
     {{if .Pull.Mergeable}}<span style="color:var(--accent-green);">Mergeable</span>{{end}}
   </div>
+  <div class="card-meta" style="margin-top:0.5rem;">
+    <span id="state-section">
+      {{if eq .Pull.State "closed"}}
+      <span class="state-closed" id="pull-state">{{.Pull.State}}</span>
+      <button class="btn btn-secondary" hx-post="/pulls/{{.Pull.RepoOwner}}/{{.Pull.RepoName}}/{{.Pull.Number}}/state" hx-vals='{"state":"open"}' hx-target="#state-section" hx-swap="innerHTML">Reopen PR</button>
+      {{else}}
+      <span class="state-open" id="pull-state">{{.Pull.State}}</span>
+      <button class="btn btn-danger" hx-post="/pulls/{{.Pull.RepoOwner}}/{{.Pull.RepoName}}/{{.Pull.Number}}/state" hx-vals='{"state":"closed"}' hx-target="#state-section" hx-swap="innerHTML">Close PR</button>
+      {{end}}
+    </span>
+  </div>
   {{if .RenderedBody}}
   <div class="card-body markdown-body">{{.RenderedBody}}</div>
   {{else if .Pull.Body}}

internal/templates/pulls.html

@@ -12,7 +12,13 @@
       {{end}}
       <span class="diff-add">+{{.Additions}}</span>
       <span class="diff-del">-{{.Deletions}}</span>
-      {{if .Mergeable}}<span style="color:var(--accent-green);font-size:0.7rem;">mergeable</span>{{end}}
+      {{if eq .ReviewState "approved"}}<span class="review-badge review-approved" title="Approved">&#10003;</span>
+      {{else if eq .ReviewState "changes_requested"}}<span class="review-badge review-changes" title="Changes requested">&#10007;</span>
+      {{else if eq .ReviewState "pending"}}<span class="review-badge review-pending" title="Awaiting review">&#9202;</span>
+      {{end}}
+      {{if .Mergeable}}<span class="merge-badge merge-ready" title="Ready to merge">&#9654; Ready</span>
+      {{else}}<span class="merge-badge merge-conflicts" title="Has conflicts or not mergeable">Conflicts</span>
+      {{end}}
     </div>
   </div>
   {{end}}

internal/templates/settings.html

@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0, viewport-fit=cover">
+  <title>Settings — Gitea Mobile</title>
+  <style>
+    * { box-sizing: border-box; margin: 0; padding: 0; }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+      background: #0d1117; color: #e6edf3;
+      padding: 1rem;
+      padding-top: max(1rem, env(safe-area-inset-top));
+    }
+    h1 { font-size: 1.5rem; margin-bottom: 1rem; }
+    .card {
+      background: #161b22; border: 1px solid #30363d; border-radius: 8px;
+      padding: 1rem; margin-bottom: 1rem;
+    }
+    label { display: block; font-size: 0.875rem; color: #8b949e; margin-bottom: 0.5rem; }
+    input[type="text"], input[type="password"] {
+      width: 100%; padding: 0.5rem; font-size: 1rem;
+      background: #0d1117; border: 1px solid #30363d; border-radius: 6px;
+      color: #e6edf3; margin-bottom: 1rem;
+    }
+    input:focus { outline: none; border-color: #58a6ff; }
+    button {
+      width: 100%; padding: 0.75rem; font-size: 1rem; font-weight: 600;
+      background: #238636; color: #fff; border: none; border-radius: 6px;
+      cursor: pointer;
+    }
+    button:active { background: #2ea043; }
+    .message {
+      padding: 0.75rem; border-radius: 6px; margin-bottom: 1rem;
+      font-size: 0.875rem;
+    }
+    .message.success { background: #0d2818; border: 1px solid #238636; color: #3fb950; }
+    .message.error { background: #2d1117; border: 1px solid #da3633; color: #f85149; }
+    .message.info { background: #0c1d2e; border: 1px solid #1f6feb; color: #58a6ff; }
+    .hint { font-size: 0.75rem; color: #8b949e; margin-top: 0.25rem; margin-bottom: 1rem; }
+    .status { font-size: 0.875rem; color: #8b949e; }
+    .status .connected { color: #3fb950; }
+    .logout-btn {
+      background: #21262d; border: 1px solid #30363d; margin-top: 0.5rem;
+    }
+    .logout-btn:active { background: #30363d; }
+  </style>
+</head>
+<body>
+  <h1>Settings</h1>
+
+  {{if .Message}}
+  <div class="message {{.MessageType}}">{{.Message}}</div>
+  {{end}}
+
+  {{if .HasToken}}
+  <div class="card">
+    <p class="status">Status: <span class="connected">Connected</span></p>
+    <p class="hint">A Gitea API token is configured.</p>
+    <form method="POST" action="/settings">
+      <input type="hidden" name="action" value="logout">
+      <button type="submit" class="logout-btn">Remove Token</button>
+    </form>
+  </div>
+  {{end}}
+
+  <div class="card">
+    <form method="POST" action="/settings">
+      <input type="hidden" name="action" value="save">
+      <label for="token">Gitea API Token</label>
+      <input type="password" id="token" name="token" placeholder="Enter your Gitea API token" required>
+      <p class="hint">Generate a token at your Gitea instance under Settings &rarr; Applications.</p>
+      <button type="submit">{{if .HasToken}}Update Token{{else}}Save Token{{end}}</button>
+    </form>
+  </div>
+
+  {{if .HasToken}}
+  <p style="text-align:center; margin-top:1rem;">
+    <a href="/" style="color:#58a6ff; text-decoration:none;">Back to Dashboard</a>
+  </p>
+  {{end}}
+</body>
+</html>

static/style.css

@@ -419,6 +419,29 @@ a:active {
   vertical-align: middle;
 }
 
+/* Review status badges */
+.review-badge {
+  font-size: 0.7rem;
+  font-weight: 600;
+  padding: 1px 4px;
+  border-radius: var(--radius-pill);
+  vertical-align: middle;
+}
+.review-approved { color: var(--accent-green); }
+.review-changes { color: var(--accent-red); }
+.review-pending { color: var(--accent-yellow); }
+
+/* Merge status badges */
+.merge-badge {
+  font-size: 0.65rem;
+  font-weight: 600;
+  padding: 1px 5px;
+  border-radius: var(--radius-pill);
+  vertical-align: middle;
+}
+.merge-ready { color: var(--accent-green); border: 1px solid var(--accent-green); }
+.merge-conflicts { color: var(--accent-red); border: 1px solid var(--accent-red); }
+
 /* Empty state */
 .empty {
   text-align: center;
@@ -487,13 +510,17 @@ a:active {
     max-width: 960px;
   }
 
-  .card-grid {
+  .card-grid,
+  #issue-list,
+  #pull-list {
     display: grid;
     grid-template-columns: repeat(2, 1fr);
     gap: var(--spacing-sm);
   }
 
-  .card-grid .card {
+  .card-grid .card,
+  #issue-list .card,
+  #pull-list .card {
     margin-bottom: 0;
   }
 }