feat: wire GITEA_TOKEN env var as auth fallback for single-user deployments

Update Auth middleware to accept a fallbackToken parameter. When no per-user cookie token is present and GITEA_TOKEN is set in the environment, the middleware uses the env token instead of redirecting to /settings. Cookie tokens still take precedence over the fallback. Add three new unit tests covering: fallback used when no cookie, cookie takes precedence over fallback, and redirect when neither is set. Closes leeworks-agents/gitea-mobile#125 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Merge pull request 'test: unit tests for ListOrgsAndRepos, CreateIssue, ListAllIssues, ListAllPullRequests' (#123 ) from feature/unit-tests-122-121 into master
2026-03-28 13:04:55 +00:00 · 2026-03-28 12:02:34 +00:00 · 2026-03-28 11:05:34 +00:00 · 2026-03-28 07:02:42 +00:00 · 2026-03-28 07:02:36 +00:00 · 2026-03-28 06:06:24 +00:00
12 changed files with 837 additions and 15 deletions
@@ -16,7 +16,7 @@ jobs:
          go-version: '1.22'
      - name: Run tests
-        run: go test ./...
+        run: go test -race ./...
  build:
    runs-on: ubuntu-latest
@@ -1,7 +1,7 @@
 # Stage 1: Build
 FROM golang:1.22-alpine AS builder
 WORKDIR /app
-COPY go.mod go.sum ./
+COPY go.mod ./
 RUN go mod download
 COPY . .
 RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /gitea-mobile ./cmd/server
@@ -33,7 +33,7 @@ func main() {
 	// Apply middleware chain: logging -> auth.
 	var handler http.Handler = mux
-	handler = middleware.Auth(cfg.SessionSecret)(handler)
+	handler = middleware.Auth(cfg.SessionSecret, cfg.GiteaToken)(handler)
 	handler = middleware.Logging()(handler)
 	slog.Info("server starting", "addr", cfg.ListenAddr, "gitea_url", cfg.GiteaURL)
@@ -105,8 +105,9 @@ type PullRequest struct {
 	Deletions int    `json:"deletions"`
 	CreatedAt time.Time `json:"created_at"`
 	UpdatedAt time.Time `json:"updated_at"`
-	RepoOwner string    `json:"-"` // populated after fetch
+	RepoOwner   string `json:"-"` // populated after fetch
-	RepoName  string    `json:"-"` // populated after fetch
+	RepoName    string `json:"-"` // populated after fetch
 	ReviewState string `json:"-"` // aggregated review state: "approved", "changes_requested", "pending", or ""
 }
 // TriageItem represents an item in the triage queue.
@@ -944,6 +945,74 @@ func (c *Client) RenderMarkdown(ctx context.Context, token, text string) (string
 	return string(rendered), nil
 }
 // Review represents a single review on a pull request.
 type Review struct {
 	ID   int64  `json:"id"`
 	Body string `json:"body"`
 	State string `json:"state"` // "APPROVED", "REQUEST_CHANGES", "COMMENT", "PENDING"
 	User  struct {
 		Login string `json:"login"`
 	} `json:"user"`
 }
 // GetPullReviewState fetches reviews for a PR and returns the aggregate state.
 // Priority: changes_requested > approved > pending > "" (no reviews).
 func (c *Client) GetPullReviewState(ctx context.Context, token, owner, repo string, index int64) string {
 	path := fmt.Sprintf("/repos/%s/%s/pulls/%d/reviews?limit=50", owner, repo, index)
 	resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
 	if err != nil {
 		return ""
 	}
 	defer resp.Body.Close()
 	var reviews []Review
 	if err := json.NewDecoder(resp.Body).Decode(&reviews); err != nil {
 		return ""
 	}
 	if len(reviews) == 0 {
 		return ""
 	}
 	// Aggregate: last non-comment review per user wins, then pick the "worst" state.
 	userState := make(map[string]string)
 	for _, r := range reviews {
 		switch r.State {
 		case "APPROVED", "REQUEST_CHANGES":
 			userState[r.User.Login] = r.State
 		}
 	}
 	if len(userState) == 0 {
 		return "pending"
 	}
 	for _, s := range userState {
 		if s == "REQUEST_CHANGES" {
 			return "changes_requested"
 		}
 	}
 	return "approved"
 }
 // EnrichPullsWithReviewState fetches review state for each PR concurrently.
 func (c *Client) EnrichPullsWithReviewState(ctx context.Context, token string, pulls []PullRequest) {
 	sem := make(chan struct{}, c.maxConcurrent)
 	var wg sync.WaitGroup
 	for i := range pulls {
 		wg.Add(1)
 		go func(idx int) {
 			defer wg.Done()
 			sem <- struct{}{}
 			defer func() { <-sem }()
 			pulls[idx].ReviewState = c.GetPullReviewState(ctx, token, pulls[idx].RepoOwner, pulls[idx].RepoName, pulls[idx].Number)
 		}(i)
 	}
 	wg.Wait()
 }
 // priorityScore returns a numeric score for sorting (lower = higher priority).
 func priorityScore(labels []string) int {
 	for _, l := range labels {
@@ -3,6 +3,7 @@ package gitea
 import (
 	"context"
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -374,3 +375,580 @@ func sortTriageQueue(queue []TriageItem) {
 		}
 	}
 }
 // --- Issue #122: Tests for ListOrgsAndRepos and CreateIssue ---
 func TestListOrgsAndRepos(t *testing.T) {
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		switch r.URL.Path {
 		case "/api/v1/user/orgs":
 			orgs := []Org{
 				{Name: "org1", FullName: "Organization 1"},
 				{Name: "org2", FullName: "Organization 2"},
 			}
 			json.NewEncoder(w).Encode(orgs)
 		case "/api/v1/orgs/org1/repos":
 			repos := []Repo{
 				{ID: 1, Name: "repo-a", FullName: "org1/repo-a"},
 				{ID: 2, Name: "repo-b", FullName: "org1/repo-b"},
 			}
 			json.NewEncoder(w).Encode(repos)
 		case "/api/v1/orgs/org2/repos":
 			repos := []Repo{
 				{ID: 3, Name: "repo-c", FullName: "org2/repo-c"},
 			}
 			json.NewEncoder(w).Encode(repos)
 		default:
 			t.Errorf("unexpected request path: %s", r.URL.Path)
 			http.NotFound(w, r)
 		}
 	}))
 	defer server.Close()
 	c := NewClient(server.URL)
 	result, err := c.ListOrgsAndRepos(context.Background(), "test-token")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	if len(result) != 2 {
 		t.Fatalf("got %d orgs, want 2", len(result))
 	}
 	if len(result["org1"]) != 2 {
 		t.Errorf("org1 has %d repos, want 2", len(result["org1"]))
 	}
 	if len(result["org2"]) != 1 {
 		t.Errorf("org2 has %d repos, want 1", len(result["org2"]))
 	}
 	if result["org1"][0].Name != "repo-a" {
 		t.Errorf("org1 repos[0].Name = %q, want %q", result["org1"][0].Name, "repo-a")
 	}
 	if result["org2"][0].Name != "repo-c" {
 		t.Errorf("org2 repos[0].Name = %q, want %q", result["org2"][0].Name, "repo-c")
 	}
 }
 func TestListOrgsAndRepos_Cached(t *testing.T) {
 	orgCallCount := 0
 	repoCallCount := 0
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		switch r.URL.Path {
 		case "/api/v1/user/orgs":
 			orgCallCount++
 			json.NewEncoder(w).Encode([]Org{{Name: "org1"}})
 		case "/api/v1/orgs/org1/repos":
 			repoCallCount++
 			json.NewEncoder(w).Encode([]Repo{{ID: 1, Name: "repo1", FullName: "org1/repo1"}})
 		default:
 			http.NotFound(w, r)
 		}
 	}))
 	defer server.Close()
 	c := NewClient(server.URL)
 	// First call populates cache.
 	_, err := c.ListOrgsAndRepos(context.Background(), "test-token")
 	if err != nil {
 		t.Fatalf("first call: %v", err)
 	}
 	// Second call should use cached orgs and repos (ListOrgs and ListOrgRepos both cache).
 	_, err = c.ListOrgsAndRepos(context.Background(), "test-token")
 	if err != nil {
 		t.Fatalf("second call: %v", err)
 	}
 	if orgCallCount != 1 {
 		t.Errorf("org endpoint called %d times, want 1 (cached)", orgCallCount)
 	}
 	if repoCallCount != 1 {
 		t.Errorf("repo endpoint called %d times, want 1 (cached)", repoCallCount)
 	}
 }
 func TestCreateIssue(t *testing.T) {
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.Method != http.MethodPost {
 			t.Errorf("expected POST, got %s", r.Method)
 		}
 		if r.URL.Path != "/api/v1/repos/owner1/repo1/issues" {
 			t.Errorf("unexpected path: %s", r.URL.Path)
 		}
 		if r.Header.Get("Authorization") != "token test-token" {
 			t.Error("missing or wrong Authorization header")
 		}
 		var body map[string]interface{}
 		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
 			t.Fatalf("failed to decode body: %v", err)
 		}
 		if body["title"] != "Test Issue" {
 			t.Errorf("expected title='Test Issue', got %q", body["title"])
 		}
 		if body["body"] != "Issue body here" {
 			t.Errorf("expected body='Issue body here', got %q", body["body"])
 		}
 		issue := map[string]interface{}{
 			"id":         1,
 			"number":     42,
 			"title":      body["title"],
 			"body":       body["body"],
 			"state":      "open",
 			"created_at": "2026-03-28T00:00:00Z",
 			"updated_at": "2026-03-28T00:00:00Z",
 		}
 		w.WriteHeader(http.StatusCreated)
 		json.NewEncoder(w).Encode(issue)
 	}))
 	defer server.Close()
 	c := NewClient(server.URL)
 	// Pre-populate cache to verify invalidation.
 	c.setCache("issues-org1", "should-be-invalidated")
 	issue, err := c.CreateIssue(context.Background(), "test-token", "owner1", "repo1", "Test Issue", "Issue body here", nil)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	if issue.Title != "Test Issue" {
 		t.Errorf("issue.Title = %q, want %q", issue.Title, "Test Issue")
 	}
 	if issue.Number != 42 {
 		t.Errorf("issue.Number = %d, want 42", issue.Number)
 	}
 	if issue.RepoOwner != "owner1" {
 		t.Errorf("issue.RepoOwner = %q, want %q", issue.RepoOwner, "owner1")
 	}
 	if issue.RepoName != "repo1" {
 		t.Errorf("issue.RepoName = %q, want %q", issue.RepoName, "repo1")
 	}
 	// Verify cache was invalidated.
 	_, ok := c.getFromCache("issues-org1")
 	if ok {
 		t.Error("expected cache to be invalidated after CreateIssue")
 	}
 }
 func TestCreateIssue_WithLabels(t *testing.T) {
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		var body map[string]interface{}
 		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
 			t.Fatalf("failed to decode body: %v", err)
 		}
 		labels, ok := body["labels"]
 		if !ok {
 			t.Error("expected labels in request body")
 		}
 		labelSlice, ok := labels.([]interface{})
 		if !ok || len(labelSlice) != 2 {
 			t.Errorf("expected 2 labels, got %v", labels)
 		}
 		issue := map[string]interface{}{
 			"id":         2,
 			"number":     43,
 			"title":      body["title"],
 			"body":       body["body"],
 			"state":      "open",
 			"created_at": "2026-03-28T00:00:00Z",
 			"updated_at": "2026-03-28T00:00:00Z",
 		}
 		w.WriteHeader(http.StatusCreated)
 		json.NewEncoder(w).Encode(issue)
 	}))
 	defer server.Close()
 	c := NewClient(server.URL)
 	issue, err := c.CreateIssue(context.Background(), "test-token", "owner1", "repo1", "Labeled Issue", "body", []int64{10, 20})
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	if issue.Number != 43 {
 		t.Errorf("issue.Number = %d, want 43", issue.Number)
 	}
 }
 // --- Issue #121: Tests for ListAllIssues and ListAllPullRequests ---
 // newFanOutServer creates a mock HTTP server that serves orgs, repos, issues, and PRs
 // for testing the fan-out aggregation functions.
 func newFanOutServer(t *testing.T) *httptest.Server {
 	t.Helper()
 	now := time.Date(2026, 3, 28, 12, 0, 0, 0, time.UTC)
 	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		switch {
 		case r.URL.Path == "/api/v1/orgs/org1/repos":
 			repos := []Repo{
 				{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
 					Login string `json:"login"`
 				}{Login: "org1"}},
 				{ID: 2, Name: "repo-b", FullName: "org1/repo-b", Owner: struct {
 					Login string `json:"login"`
 				}{Login: "org1"}},
 			}
 			json.NewEncoder(w).Encode(repos)
 		case r.URL.Path == "/api/v1/repos/org1/repo-a/issues":
 			issues := []Issue{
 				{ID: 1, Number: 1, Title: "Issue A1", State: "open", UpdatedAt: now.Add(-1 * time.Hour)},
 				{ID: 2, Number: 2, Title: "Issue A2", State: "open", UpdatedAt: now.Add(-3 * time.Hour)},
 			}
 			json.NewEncoder(w).Encode(issues)
 		case r.URL.Path == "/api/v1/repos/org1/repo-b/issues":
 			issues := []Issue{
 				{ID: 3, Number: 1, Title: "Issue B1", State: "open", UpdatedAt: now.Add(-2 * time.Hour)},
 			}
 			json.NewEncoder(w).Encode(issues)
 		case r.URL.Path == "/api/v1/repos/org1/repo-a/pulls":
 			prs := []PullRequest{
 				{ID: 10, Number: 5, Title: "PR A1", State: "open", UpdatedAt: now.Add(-30 * time.Minute)},
 			}
 			json.NewEncoder(w).Encode(prs)
 		case r.URL.Path == "/api/v1/repos/org1/repo-b/pulls":
 			prs := []PullRequest{
 				{ID: 11, Number: 6, Title: "PR B1", State: "open", UpdatedAt: now.Add(-10 * time.Minute)},
 				{ID: 12, Number: 7, Title: "PR B2", State: "open", UpdatedAt: now.Add(-1 * time.Hour)},
 			}
 			json.NewEncoder(w).Encode(prs)
 		default:
 			t.Errorf("unexpected request path: %s", r.URL.Path)
 			http.NotFound(w, r)
 		}
 	}))
 }
 func TestListAllIssues_Sorting(t *testing.T) {
 	server := newFanOutServer(t)
 	defer server.Close()
 	c := NewClient(server.URL)
 	// Pre-populate org repos cache to avoid needing the /user/orgs endpoint.
 	c.setCache("repos-org1", []Repo{
 		{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
 			Login string `json:"login"`
 		}{Login: "org1"}},
 		{ID: 2, Name: "repo-b", FullName: "org1/repo-b", Owner: struct {
 			Login string `json:"login"`
 		}{Login: "org1"}},
 	})
 	result, err := c.ListAllIssues(context.Background(), "test-token", []string{"org1"}, "open", 1, "", "")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	if len(result.Issues) != 3 {
 		t.Fatalf("got %d issues, want 3", len(result.Issues))
 	}
 	// Should be sorted by UpdatedAt descending (newest first).
 	// Issue A1 (-1h), Issue B1 (-2h), Issue A2 (-3h).
 	expected := []string{"Issue A1", "Issue B1", "Issue A2"}
 	for i, title := range expected {
 		if result.Issues[i].Title != title {
 			t.Errorf("issues[%d].Title = %q, want %q", i, result.Issues[i].Title, title)
 		}
 	}
 }
 func TestListAllIssues_StateFilter(t *testing.T) {
 	stateReceived := ""
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		switch {
 		case r.URL.Path == "/api/v1/orgs/org1/repos":
 			repos := []Repo{
 				{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
 					Login string `json:"login"`
 				}{Login: "org1"}},
 			}
 			json.NewEncoder(w).Encode(repos)
 		case r.URL.Path == "/api/v1/repos/org1/repo-a/issues":
 			stateReceived = r.URL.Query().Get("state")
 			json.NewEncoder(w).Encode([]Issue{})
 		default:
 			http.NotFound(w, r)
 		}
 	}))
 	defer server.Close()
 	c := NewClient(server.URL)
 	c.setCache("repos-org1", []Repo{
 		{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
 			Login string `json:"login"`
 		}{Login: "org1"}},
 	})
 	_, err := c.ListAllIssues(context.Background(), "test-token", []string{"org1"}, "closed", 1, "", "")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	if stateReceived != "closed" {
 		t.Errorf("state query param = %q, want %q", stateReceived, "closed")
 	}
 }
 func TestListAllIssues_DefaultState(t *testing.T) {
 	stateReceived := ""
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		switch {
 		case r.URL.Path == "/api/v1/orgs/org1/repos":
 			json.NewEncoder(w).Encode([]Repo{
 				{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
 					Login string `json:"login"`
 				}{Login: "org1"}},
 			})
 		case r.URL.Path == "/api/v1/repos/org1/repo-a/issues":
 			stateReceived = r.URL.Query().Get("state")
 			json.NewEncoder(w).Encode([]Issue{})
 		default:
 			http.NotFound(w, r)
 		}
 	}))
 	defer server.Close()
 	c := NewClient(server.URL)
 	c.setCache("repos-org1", []Repo{
 		{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
 			Login string `json:"login"`
 		}{Login: "org1"}},
 	})
 	_, err := c.ListAllIssues(context.Background(), "test-token", []string{"org1"}, "", 1, "", "")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	if stateReceived != "open" {
 		t.Errorf("default state = %q, want %q", stateReceived, "open")
 	}
 }
 func TestListAllIssues_RepoFilter(t *testing.T) {
 	server := newFanOutServer(t)
 	defer server.Close()
 	c := NewClient(server.URL)
 	c.setCache("repos-org1", []Repo{
 		{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
 			Login string `json:"login"`
 		}{Login: "org1"}},
 		{ID: 2, Name: "repo-b", FullName: "org1/repo-b", Owner: struct {
 			Login string `json:"login"`
 		}{Login: "org1"}},
 	})
 	result, err := c.ListAllIssues(context.Background(), "test-token", []string{"org1"}, "open", 1, "", "repo-a")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	// Only issues from repo-a should be returned.
 	if len(result.Issues) != 2 {
 		t.Fatalf("got %d issues, want 2 (only from repo-a)", len(result.Issues))
 	}
 	for _, issue := range result.Issues {
 		if issue.RepoName != "repo-a" {
 			t.Errorf("issue %q has RepoName=%q, want repo-a", issue.Title, issue.RepoName)
 		}
 	}
 }
 func TestListAllIssues_Pagination(t *testing.T) {
 	now := time.Date(2026, 3, 28, 12, 0, 0, 0, time.UTC)
 	// Create enough issues to test pagination (PageSize = 20).
 	var issues []Issue
 	for i := 0; i < 25; i++ {
 		issues = append(issues, Issue{
 			ID:        int64(i + 1),
 			Number:    int64(i + 1),
 			Title:     fmt.Sprintf("Issue %d", i+1),
 			State:     "open",
 			UpdatedAt: now.Add(time.Duration(-i) * time.Hour),
 		})
 	}
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		switch {
 		case r.URL.Path == "/api/v1/orgs/org1/repos":
 			json.NewEncoder(w).Encode([]Repo{
 				{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
 					Login string `json:"login"`
 				}{Login: "org1"}},
 			})
 		case r.URL.Path == "/api/v1/repos/org1/repo-a/issues":
 			json.NewEncoder(w).Encode(issues)
 		default:
 			http.NotFound(w, r)
 		}
 	}))
 	defer server.Close()
 	c := NewClient(server.URL)
 	c.setCache("repos-org1", []Repo{
 		{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
 			Login string `json:"login"`
 		}{Login: "org1"}},
 	})
 	// Page 1: should have 20 items with HasMore=true.
 	page1, err := c.ListAllIssues(context.Background(), "test-token", []string{"org1"}, "open", 1, "", "")
 	if err != nil {
 		t.Fatalf("page 1: %v", err)
 	}
 	if len(page1.Issues) != 20 {
 		t.Errorf("page 1: got %d issues, want 20", len(page1.Issues))
 	}
 	if !page1.HasMore {
 		t.Error("page 1: HasMore should be true")
 	}
 	// Page 2: should have 5 items with HasMore=false.
 	page2, err := c.ListAllIssues(context.Background(), "test-token", []string{"org1"}, "open", 2, "", "")
 	if err != nil {
 		t.Fatalf("page 2: %v", err)
 	}
 	if len(page2.Issues) != 5 {
 		t.Errorf("page 2: got %d issues, want 5", len(page2.Issues))
 	}
 	if page2.HasMore {
 		t.Error("page 2: HasMore should be false")
 	}
 }
 func TestListAllPullRequests_Sorting(t *testing.T) {
 	server := newFanOutServer(t)
 	defer server.Close()
 	c := NewClient(server.URL)
 	c.setCache("repos-org1", []Repo{
 		{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
 			Login string `json:"login"`
 		}{Login: "org1"}},
 		{ID: 2, Name: "repo-b", FullName: "org1/repo-b", Owner: struct {
 			Login string `json:"login"`
 		}{Login: "org1"}},
 	})
 	result, err := c.ListAllPullRequests(context.Background(), "test-token", []string{"org1"}, "open", 1, "", "")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	if len(result.Pulls) != 3 {
 		t.Fatalf("got %d PRs, want 3", len(result.Pulls))
 	}
 	// Should be sorted by UpdatedAt descending.
 	// PR B1 (-10m), PR A1 (-30m), PR B2 (-1h).
 	expected := []string{"PR B1", "PR A1", "PR B2"}
 	for i, title := range expected {
 		if result.Pulls[i].Title != title {
 			t.Errorf("pulls[%d].Title = %q, want %q", i, result.Pulls[i].Title, title)
 		}
 	}
 }
 func TestListAllPullRequests_StateFilter(t *testing.T) {
 	stateReceived := ""
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		switch {
 		case r.URL.Path == "/api/v1/orgs/org1/repos":
 			json.NewEncoder(w).Encode([]Repo{
 				{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
 					Login string `json:"login"`
 				}{Login: "org1"}},
 			})
 		case r.URL.Path == "/api/v1/repos/org1/repo-a/pulls":
 			stateReceived = r.URL.Query().Get("state")
 			json.NewEncoder(w).Encode([]PullRequest{})
 		default:
 			http.NotFound(w, r)
 		}
 	}))
 	defer server.Close()
 	c := NewClient(server.URL)
 	c.setCache("repos-org1", []Repo{
 		{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
 			Login string `json:"login"`
 		}{Login: "org1"}},
 	})
 	_, err := c.ListAllPullRequests(context.Background(), "test-token", []string{"org1"}, "closed", 1, "", "")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	if stateReceived != "closed" {
 		t.Errorf("state query param = %q, want %q", stateReceived, "closed")
 	}
 }
 func TestListAllPullRequests_Pagination(t *testing.T) {
 	now := time.Date(2026, 3, 28, 12, 0, 0, 0, time.UTC)
 	var prs []PullRequest
 	for i := 0; i < 25; i++ {
 		prs = append(prs, PullRequest{
 			ID:        int64(i + 1),
 			Number:    int64(i + 1),
 			Title:     fmt.Sprintf("PR %d", i+1),
 			State:     "open",
 			UpdatedAt: now.Add(time.Duration(-i) * time.Hour),
 		})
 	}
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		switch {
 		case r.URL.Path == "/api/v1/orgs/org1/repos":
 			json.NewEncoder(w).Encode([]Repo{
 				{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
 					Login string `json:"login"`
 				}{Login: "org1"}},
 			})
 		case r.URL.Path == "/api/v1/repos/org1/repo-a/pulls":
 			json.NewEncoder(w).Encode(prs)
 		default:
 			http.NotFound(w, r)
 		}
 	}))
 	defer server.Close()
 	c := NewClient(server.URL)
 	c.setCache("repos-org1", []Repo{
 		{ID: 1, Name: "repo-a", FullName: "org1/repo-a", Owner: struct {
 			Login string `json:"login"`
 		}{Login: "org1"}},
 	})
 	page1, err := c.ListAllPullRequests(context.Background(), "test-token", []string{"org1"}, "open", 1, "", "")
 	if err != nil {
 		t.Fatalf("page 1: %v", err)
 	}
 	if len(page1.Pulls) != 20 {
 		t.Errorf("page 1: got %d PRs, want 20", len(page1.Pulls))
 	}
 	if !page1.HasMore {
 		t.Error("page 1: HasMore should be true")
 	}
 	page2, err := c.ListAllPullRequests(context.Background(), "test-token", []string{"org1"}, "open", 2, "", "")
 	if err != nil {
 		t.Fatalf("page 2: %v", err)
 	}
 	if len(page2.Pulls) != 5 {
 		t.Errorf("page 2: got %d PRs, want 5", len(page2.Pulls))
 	}
 	if page2.HasMore {
 		t.Error("page 2: HasMore should be false")
 	}
 }
@@ -55,6 +55,7 @@ func (h *Handler) RegisterRoutes(mux *http.ServeMux) {
 	mux.HandleFunc("GET /pulls", h.ListPulls)
 	mux.HandleFunc("GET /pulls/{owner}/{repo}/{index}", h.PullDetail)
 	mux.HandleFunc("POST /pulls/{owner}/{repo}/{index}/review", h.SubmitReview)
 	mux.HandleFunc("POST /pulls/{owner}/{repo}/{index}/state", h.SetPullState)
 	// Settings (handled separately for auth bypass).
 	settingsHandler := &SettingsHandler{
@@ -411,6 +412,10 @@ func (h *Handler) ListPulls(w http.ResponseWriter, r *http.Request) {
 			if result.HasMore {
 				data.NextPage = page + 1
 			}
 			// Enrich PRs with review state for status icons.
 			if len(data.Pulls) > 0 {
 				h.Client.EnrichPullsWithReviewState(r.Context(), token, data.Pulls)
 			}
 		}
 	}
@@ -886,6 +891,53 @@ func (h *Handler) SetIssueState(w http.ResponseWriter, r *http.Request) {
 	http.Redirect(w, r, fmt.Sprintf("/issues/%s/%s/%d", owner, repo, index), http.StatusSeeOther)
 }
 // SetPullState handles POST /pulls/{owner}/{repo}/{index}/state.
 func (h *Handler) SetPullState(w http.ResponseWriter, r *http.Request) {
 	token := getToken(r)
 	owner := r.PathValue("owner")
 	repo := r.PathValue("repo")
 	indexStr := r.PathValue("index")
 	index, err := strconv.ParseInt(indexStr, 10, 64)
 	if err != nil {
 		http.Error(w, "invalid pull request index", http.StatusBadRequest)
 		return
 	}
 	if err := r.ParseForm(); err != nil {
 		http.Error(w, "bad request", http.StatusBadRequest)
 		return
 	}
 	state := r.FormValue("state")
 	if state != "open" && state != "closed" {
 		http.Error(w, "state must be 'open' or 'closed'", http.StatusBadRequest)
 		return
 	}
 	if err := h.Client.SetIssueState(r.Context(), token, owner, repo, index, state); err != nil {
 		slog.Error("failed to set pull request state", "error", err, "owner", owner, "repo", repo, "index", index, "state", state)
 		http.Error(w, "failed to update pull request state", http.StatusInternalServerError)
 		return
 	}
 	if isHTMX(r) {
 		w.Header().Set("Content-Type", "text/html; charset=utf-8")
 		if state == "closed" {
 			fmt.Fprintf(w, `<span class="state-closed" id="pull-state">closed</span>
 <button class="btn btn-secondary" hx-post="/pulls/%s/%s/%d/state" hx-vals='{"state":"open"}' hx-target="#state-section" hx-swap="innerHTML">Reopen PR</button>`,
 				template.HTMLEscapeString(owner), template.HTMLEscapeString(repo), index)
 		} else {
 			fmt.Fprintf(w, `<span class="state-open" id="pull-state">open</span>
 <button class="btn btn-danger" hx-post="/pulls/%s/%s/%d/state" hx-vals='{"state":"closed"}' hx-target="#state-section" hx-swap="innerHTML">Close PR</button>`,
 				template.HTMLEscapeString(owner), template.HTMLEscapeString(repo), index)
 		}
 		return
 	}
 	http.Redirect(w, r, fmt.Sprintf("/pulls/%s/%s/%d", owner, repo, index), http.StatusSeeOther)
 }
 // AddComment handles POST /issues/{owner}/{repo}/{index}/comment.
 func (h *Handler) AddComment(w http.ResponseWriter, r *http.Request) {
 	token := getToken(r)
@@ -23,9 +23,12 @@ func TokenFromContext(ctx context.Context) string {
 }
 // Auth returns middleware that checks for a valid token cookie.
 // If no cookie token is found and fallbackToken is non-empty, the fallback
 // token is used instead (useful for single-user or service-account deployments
 // where GITEA_TOKEN is set in the environment).
 // Unauthenticated requests are redirected to the settings page.
 // The /health, /settings, and /static/ paths are exempt from auth.
-func Auth(sessionSecret string) func(http.Handler) http.Handler {
+func Auth(sessionSecret, fallbackToken string) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			// Skip auth for exempt paths.
@@ -37,6 +40,13 @@ func Auth(sessionSecret string) func(http.Handler) http.Handler {
 			token, err := auth.GetToken(r, sessionSecret)
 			if err != nil || token == "" {
 				// Fall back to environment token if available.
 				if fallbackToken != "" {
 					slog.Debug("using fallback token from environment", "path", path)
 					ctx := context.WithValue(r.Context(), TokenContextKey, fallbackToken)
 					next.ServeHTTP(w, r.WithContext(ctx))
 					return
 				}
 				slog.Debug("unauthenticated request, redirecting to settings", "path", path, "error", err)
 				http.Redirect(w, r, "/settings", http.StatusSeeOther)
 				return
@@ -11,7 +11,7 @@ import (
 const testSecret = "test-secret-that-is-at-least-32-chars-long"
 func TestAuth_HealthBypass(t *testing.T) {
-	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
@@ -25,7 +25,7 @@ func TestAuth_HealthBypass(t *testing.T) {
 }
 func TestAuth_SettingsBypass(t *testing.T) {
-	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
@@ -39,7 +39,7 @@ func TestAuth_SettingsBypass(t *testing.T) {
 }
 func TestAuth_RedirectWithoutToken(t *testing.T) {
-	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
@@ -57,7 +57,7 @@ func TestAuth_RedirectWithoutToken(t *testing.T) {
 func TestAuth_PassWithToken(t *testing.T) {
 	called := false
-	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		called = true
 		token := TokenFromContext(r.Context())
 		if token != "my-token" {
@@ -83,3 +83,72 @@ func TestAuth_PassWithToken(t *testing.T) {
 		t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
 	}
 }
 func TestAuth_FallbackToken_UsedWhenNoCookie(t *testing.T) {
 	called := false
 	handler := Auth(testSecret, "env-fallback-token")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		called = true
 		token := TokenFromContext(r.Context())
 		if token != "env-fallback-token" {
 			t.Errorf("token = %q, want %q", token, "env-fallback-token")
 		}
 		w.WriteHeader(http.StatusOK)
 	}))
 	req := httptest.NewRequest(http.MethodGet, "/", nil)
 	w := httptest.NewRecorder()
 	handler.ServeHTTP(w, req)
 	if !called {
 		t.Error("next handler was not called with fallback token")
 	}
 	if w.Code != http.StatusOK {
 		t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
 	}
 }
 func TestAuth_FallbackToken_CookieTakesPrecedence(t *testing.T) {
 	called := false
 	handler := Auth(testSecret, "env-fallback-token")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		called = true
 		token := TokenFromContext(r.Context())
 		if token != "cookie-token" {
 			t.Errorf("token = %q, want %q (cookie should take precedence over fallback)", token, "cookie-token")
 		}
 		w.WriteHeader(http.StatusOK)
 	}))
 	// Set a cookie token.
 	cookieW := httptest.NewRecorder()
 	auth.SetTokenCookie(cookieW, "cookie-token", testSecret, false)
 	cookie := cookieW.Result().Cookies()[0]
 	req := httptest.NewRequest(http.MethodGet, "/", nil)
 	req.AddCookie(cookie)
 	w := httptest.NewRecorder()
 	handler.ServeHTTP(w, req)
 	if !called {
 		t.Error("next handler was not called")
 	}
 	if w.Code != http.StatusOK {
 		t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
 	}
 }
 func TestAuth_NoFallbackToken_RedirectsWithoutCookie(t *testing.T) {
 	handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 	req := httptest.NewRequest(http.MethodGet, "/issues", nil)
 	w := httptest.NewRecorder()
 	handler.ServeHTTP(w, req)
 	if w.Code != http.StatusSeeOther {
 		t.Errorf("status = %d, want %d", w.Code, http.StatusSeeOther)
 	}
 	if loc := w.Header().Get("Location"); loc != "/settings" {
 		t.Errorf("Location = %q, want %q", loc, "/settings")
 	}
 }
@@ -8,7 +8,7 @@
      <span class="label" style="color:#{{.Color}};border:1px solid #{{.Color}}">{{.Name}}</span>
      {{end}}
      {{if .Assignee}}
-      <span>{{.Assignee.Login}}</span>
+      <img src="{{.Assignee.AvatarURL}}" alt="{{.Assignee.Login}}" class="avatar" title="Assigned to {{.Assignee.Login}}">
      {{end}}
    </div>
  </div>
@@ -4,7 +4,7 @@
 <div class="card">
  <div class="card-meta">
    <span class="type-badge type-pull">PR</span>
-    <span class="state-open">{{.Pull.State}}</span>
+    {{if eq .Pull.State "closed"}}<span class="state-closed">{{.Pull.State}}</span>{{else}}<span class="state-open">{{.Pull.State}}</span>{{end}}
    <span>{{.Pull.RepoOwner}}/{{.Pull.RepoName}} #{{.Pull.Number}}</span>
    {{range .Pull.Labels}}
    <span class="label" style="color:#{{.Color}};border:1px solid #{{.Color}}">{{.Name}}</span>
@@ -15,6 +15,17 @@
    <span class="diff-del">-{{.Pull.Deletions}}</span>
    {{if .Pull.Mergeable}}<span style="color:var(--accent-green);">Mergeable</span>{{end}}
  </div>
  <div class="card-meta" style="margin-top:0.5rem;">
    <span id="state-section">
      {{if eq .Pull.State "closed"}}
      <span class="state-closed" id="pull-state">{{.Pull.State}}</span>
      <button class="btn btn-secondary" hx-post="/pulls/{{.Pull.RepoOwner}}/{{.Pull.RepoName}}/{{.Pull.Number}}/state" hx-vals='{"state":"open"}' hx-target="#state-section" hx-swap="innerHTML">Reopen PR</button>
      {{else}}
      <span class="state-open" id="pull-state">{{.Pull.State}}</span>
      <button class="btn btn-danger" hx-post="/pulls/{{.Pull.RepoOwner}}/{{.Pull.RepoName}}/{{.Pull.Number}}/state" hx-vals='{"state":"closed"}' hx-target="#state-section" hx-swap="innerHTML">Close PR</button>
      {{end}}
    </span>
  </div>
  {{if .RenderedBody}}
  <div class="card-body markdown-body">{{.RenderedBody}}</div>
  {{else if .Pull.Body}}
@@ -12,7 +12,13 @@
      {{end}}
      <span class="diff-add">+{{.Additions}}</span>
      <span class="diff-del">-{{.Deletions}}</span>
-      {{if .Mergeable}}<span style="color:var(--accent-green);font-size:0.7rem;">mergeable</span>{{end}}
+      {{if eq .ReviewState "approved"}}<span class="review-badge review-approved" title="Approved">&#10003;</span>
      {{else if eq .ReviewState "changes_requested"}}<span class="review-badge review-changes" title="Changes requested">&#10007;</span>
      {{else if eq .ReviewState "pending"}}<span class="review-badge review-pending" title="Awaiting review">&#9202;</span>
      {{end}}
      {{if .Mergeable}}<span class="merge-badge merge-ready" title="Ready to merge">&#9654; Ready</span>
      {{else}}<span class="merge-badge merge-conflicts" title="Has conflicts or not mergeable">Conflicts</span>
      {{end}}
    </div>
  </div>
  {{end}}
@@ -419,6 +419,29 @@ a:active {
  vertical-align: middle;
 }
 /* Review status badges */
 .review-badge {
  font-size: 0.7rem;
  font-weight: 600;
  padding: 1px 4px;
  border-radius: var(--radius-pill);
  vertical-align: middle;
 }
 .review-approved { color: var(--accent-green); }
 .review-changes { color: var(--accent-red); }
 .review-pending { color: var(--accent-yellow); }
 /* Merge status badges */
 .merge-badge {
  font-size: 0.65rem;
  font-weight: 600;
  padding: 1px 5px;
  border-radius: var(--radius-pill);
  vertical-align: middle;
 }
 .merge-ready { color: var(--accent-green); border: 1px solid var(--accent-green); }
 .merge-conflicts { color: var(--accent-red); border: 1px solid var(--accent-red); }
 /* Empty state */
 .empty {
  text-align: center;
@@ -487,13 +510,17 @@ a:active {
    max-width: 960px;
  }
-  .card-grid {
+  .card-grid,
  #issue-list,
  #pull-list {
    display: grid;
    grid-template-columns: repeat(2, 1fr);
    gap: var(--spacing-sm);
  }
-  .card-grid .card {
+  .card-grid .card,
  #issue-list .card,
  #pull-list .card {
    margin-bottom: 0;
  }
 }
Author	SHA1	Message	Date
agent-company	feae2e19a1	feat: wire GITEA_TOKEN env var as auth fallback for single-user deployments Update Auth middleware to accept a fallbackToken parameter. When no per-user cookie token is present and GITEA_TOKEN is set in the environment, the middleware uses the env token instead of redirecting to /settings. Cookie tokens still take precedence over the fallback. Add three new unit tests covering: fallback used when no cookie, cookie takes precedence over fallback, and redirect when neither is set. Closes leeworks-agents/gitea-mobile#125 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-28 13:04:55 +00:00
AI-Manager	417104c617	Merge pull request 'test: unit tests for ListOrgsAndRepos, CreateIssue, ListAllIssues, ListAllPullRequests' (#123 ) from feature/unit-tests-122-121 into master Build and Push / test (push) Has been cancelled Details Build and Push / build (push) Has been cancelled Details	2026-03-28 12:02:34 +00:00
agent-company	d65676afe6	test: add unit tests for ListOrgsAndRepos, CreateIssue, ListAllIssues, ListAllPullRequests Add comprehensive unit tests using mock HTTP servers for four key aggregation methods in the Gitea client. Tests cover correct API integration, caching behavior, sorting, state filtering, repo filtering, pagination, and label handling. Closes leeworks-agents/gitea-mobile#122 Closes leeworks-agents/gitea-mobile#121 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-28 11:05:34 +00:00
AI-Manager	a0f786e894	Merge pull request 'feat: tablet 2-column grid layout for issue and PR lists' (#108 ) from feature/tablet-grid-layout-105 into master Build and Push / test (push) Has been cancelled Details Build and Push / build (push) Has been cancelled Details	2026-03-28 07:02:42 +00:00
AI-Manager	80aebe8e9f	Merge pull request 'chore: add -race flag to CI test step' (#107 ) from fix/ci-runner-and-race-95-103 into master Build and Push / test (push) Has been cancelled Details Build and Push / build (push) Has been cancelled Details	2026-03-28 07:02:36 +00:00
agent-company	b74e9de04d	feat: implement tablet 2-column grid layout for issue and PR lists Add grid layout at >= 640px breakpoint for #issue-list and #pull-list containers, matching the existing .card-grid tablet behavior. Cards render in a 2-column grid on tablet while maintaining single-column on mobile. Closes leeworks-agents/gitea-mobile#105 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-28 06:06:24 +00:00
agent-company	c51ec5f752	chore: add -race flag to CI test step for concurrency bug detection The aggregation layer uses sync.RWMutex and errgroup for concurrent API fan-out. Enable the Go race detector in CI to catch data races early. Closes leeworks-agents/gitea-mobile#103 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-28 06:05:37 +00:00
AI-Manager	5c54d587aa	Merge pull request 'feat: add review status and merge indicator to PR list' (#102 ) from feature/pr-status-icons-97 into master Build and Push / test (push) Has been cancelled Details Build and Push / build (push) Has been cancelled Details	2026-03-28 05:03:26 +00:00
AI-Manager	c9e883da87	Merge pull request 'feat: display assignee avatar in issue list rows' (#101 ) from feature/assignee-avatar-98 into master Build and Push / test (push) Has been cancelled Details Build and Push / build (push) Has been cancelled Details	2026-03-28 05:03:13 +00:00
agent-company	b0c060efae	feat: add review status icon and merge status indicator to PR list rows Add per-PR review state aggregation by fetching reviews concurrently via the existing semaphore pattern. Display review status (approved, changes requested, awaiting) and merge status (ready/conflicts) as compact badges in each PR card row. - Add ReviewState field to PullRequest struct - Add GetPullReviewState() and EnrichPullsWithReviewState() to client - Call enrichment in ListPulls handler after fetching PRs - Update pulls template with review and merge badges - Add CSS for .review-badge and .merge-badge classes Closes leeworks-agents/gitea-mobile#97 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-28 03:07:52 +00:00
agent-company	047e90cd76	feat: display assignee avatar in issue list rows Replace plain-text assignee login with a circular avatar image using the existing .avatar CSS class. Includes title attribute for accessibility. Unassigned issues show no avatar. Closes leeworks-agents/gitea-mobile#98 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-28 03:06:00 +00:00
AI-Manager	f1652bb77a	Merge pull request 'feat: add close/reopen action to PR detail view' (#92 ) from feature/pr-close-reopen-91 into master Build and Push / test (push) Has been cancelled Details Build and Push / build (push) Has been cancelled Details	2026-03-27 20:42:09 +00:00
agent-company	dbcfbe9138	feat: add close/reopen action to PR detail view Add POST /pulls/{owner}/{repo}/{index}/state handler that reuses the existing SetIssueState Gitea API call (PRs share the issues state endpoint). The PR detail template now shows a Close PR / Reopen PR button with HTMX for seamless state toggling without full page reload. Also fixes the state badge to use the correct CSS class when a PR is closed. Closes leeworks-agents/gitea-mobile#91 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-27 20:05:21 +00:00
AI-Manager	732cedda3d	Merge pull request 'fix: remove go.sum from Dockerfile COPY (no external deps)' (#90 ) from fix/dockerfile-go-sum-89 into master Build and Push / test (push) Has been cancelled Details Build and Push / build (push) Has been cancelled Details	2026-03-27 18:04:01 +00:00
agent-company	937da1962b	fix: remove go.sum from Dockerfile COPY since project has no external dependencies The project uses only Go stdlib with zero external dependencies, so go.sum does not exist. The Dockerfile COPY instruction fails when go.sum is missing. Closes leeworks-agents/gitea-mobile#89 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-27 18:03:03 +00:00
AI-Manager	42a61b4428	Merge pull request 'feat: make repo selector searchable on create issue form' (#88 ) from feature/searchable-repo-selector-87 into master Build and Push / test (push) Has been cancelled Details Build and Push / build (push) Has been cancelled Details	2026-03-27 16:43:35 +00:00