feat: add GetChangedFiles() method to Gitea client for PR file diffs

Add ChangedFile type and GetChangedFiles() method that calls the Gitea
API endpoint GET /repos/{owner}/{repo}/pulls/{index}/files to retrieve
the list of files changed in a pull request. This is a prerequisite for
displaying changed files in the PR detail view (#189).

Includes unit tests for success and error cases.

Closes leeworks-agents/gitea-mobile#205

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.air.toml

@@ -0,0 +1,44 @@
+root = "."
+testdata_dir = "testdata"
+tmp_dir = "tmp"
+
+[build]
+  args_bin = []
+  bin = "./tmp/main"
+  cmd = "go build -o ./tmp/main ./cmd/server"
+  delay = 500
+  exclude_dir = ["assets", "tmp", "vendor", "testdata", ".git", "node_modules"]
+  exclude_file = []
+  exclude_regex = ["_test\\.go$"]
+  exclude_unchanged = false
+  follow_symlink = false
+  full_bin = ""
+  include_dir = []
+  include_ext = ["go", "html", "css", "js"]
+  include_file = []
+  kill_delay = "0s"
+  log = "build-errors.log"
+  poll = false
+  poll_interval = 0
+  rerun = false
+  rerun_delay = 500
+  send_interrupt = false
+  stop_on_error = false
+
+[color]
+  app = ""
+  build = "yellow"
+  main = "magenta"
+  runner = "green"
+  watcher = "cyan"
+
+[log]
+  main_only = false
+  time = false
+
+[misc]
+  clean_on_exit = true
+
+[screen]
+  clear_on_rebuild = false
+  keep_scroll = true

.gitea/workflows/build.yaml

@@ -15,8 +15,11 @@ jobs:
         with:
           go-version: '1.22'
 
+      - name: Vet
+        run: go vet ./...
+
       - name: Run tests
-        run: go test ./...
+        run: go test -race ./...
 
   build:
     runs-on: ubuntu-latest

Dockerfile

@@ -1,7 +1,7 @@
 # Stage 1: Build
 FROM golang:1.22-alpine AS builder
 WORKDIR /app
-COPY go.mod go.sum ./
+COPY go.mod ./
 RUN go mod download
 COPY . .
 RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /gitea-mobile ./cmd/server

README.md

@@ -0,0 +1,116 @@
+# Gitea Mobile
+
+A mobile-first Progressive Web App (PWA) for managing Gitea issues and pull requests across multiple repositories and organizations from an iPhone. Built with Go, HTMX, and hand-rolled CSS -- no JavaScript frameworks, no build step, no node_modules.
+
+## Tech Stack
+
+| Layer | Choice |
+|-------|--------|
+| Backend | Go + Gitea SDK (`code.gitea.io/sdk/gitea`) |
+| Frontend | HTMX + Go `html/template` + hand-rolled CSS |
+| Container | Multi-stage Dockerfile -> distroless (~15MB) |
+| Deployment | Kustomize manifests + FluxCD GitOps |
+
+## Project Structure
+
+```
+/
+├── cmd/server/main.go          # entrypoint
+├── internal/
+│   ├── config/config.go        # env-based configuration
+│   ├── gitea/client.go         # Gitea SDK wrapper / aggregation layer
+│   ├── handlers/               # HTTP handlers (issues, PRs, triage, settings)
+│   ├── auth/                   # cookie-based token auth
+│   ├── middleware/              # auth middleware, logging
+│   └── templates/              # Go html/template files (for HTMX)
+├── static/                     # CSS, JS (htmx.min.js), icons, manifest
+├── .gitea/workflows/build.yaml # CI pipeline (Gitea Actions)
+├── Dockerfile
+├── flake.nix                   # Nix dev shell with Go + air
+└── go.mod
+```
+
+## Local Development
+
+### Prerequisites
+
+- [Nix](https://nixos.org/download/) with flakes enabled, **or** Go 1.22+
+- A Gitea instance with an API token
+
+### Quick Start
+
+```bash
+# Enter the Nix dev shell (provides Go, gopls, air)
+nix develop
+
+# Set required environment variables
+export GITEA_URL=https://gitea.leeworks.dev
+export SESSION_SECRET=$(openssl rand -hex 32)
+
+# Optional: set a default API token
+export GITEA_TOKEN=your-gitea-api-token
+
+# Start the server with live reload
+air
+```
+
+If you are not using Nix, install Go 1.22+ and [air](https://github.com/air-verse/air) manually, then run the same commands above starting from the export lines.
+
+### Environment Variables
+
+| Variable | Required | Default | Description |
+|----------|----------|---------|-------------|
+| `GITEA_URL` | Yes | -- | Base URL of the Gitea instance |
+| `SESSION_SECRET` | Yes | -- | HMAC key for signing session cookies (min 32 chars) |
+| `GITEA_TOKEN` | No | -- | Default API token (users can set their own via the settings page) |
+| `LISTEN_ADDR` | No | `:8080` | Server listen address |
+
+### Live Reload with Air
+
+The dev shell includes [air](https://github.com/air-verse/air) for automatic recompilation on file changes. Configuration is in `.air.toml`. Air watches `.go` and `.html` files under `cmd/`, `internal/`, and `static/` and rebuilds/restarts the server automatically.
+
+## Running Tests
+
+```bash
+# Run all tests
+go test ./...
+
+# Run tests with race detection
+go test -race ./...
+```
+
+## Building the Container
+
+```bash
+# Build the Docker image
+docker build -t gitea-mobile .
+
+# Run locally
+docker run -p 8080:8080 \
+  -e GITEA_URL=https://gitea.leeworks.dev \
+  -e SESSION_SECRET=$(openssl rand -hex 32) \
+  gitea-mobile
+```
+
+The Dockerfile uses a multi-stage build: Go binary compiled in an Alpine builder stage, then copied into a distroless image (~15MB final size).
+
+## Deployment
+
+Kubernetes manifests for this app live in the Talos cluster repo under `testing1/first-cluster/apps/gitea-mobile/`. FluxCD syncs from that repo and handles automated image updates via `ImagePolicy` annotations.
+
+Key deployment resources:
+- `deployment.yaml` -- Pod spec with health checks
+- `service.yaml` -- ClusterIP service on port 8080
+- `ingressroute.yaml` -- Traefik IngressRoute for `gitea-mobile.testing.leeworks.dev`
+- `kustomization.yaml` -- Kustomize overlay
+
+## Contributing
+
+1. Fork the repository
+2. Create a feature branch: `git checkout -b feature/your-feature`
+3. Make your changes and add tests
+4. Run `go test -race ./...` to verify
+5. Commit with a clear message referencing the issue number
+6. Push to your fork and open a pull request
+
+All PRs target the fork (`leeworks-agents/gitea-mobile`), not the upstream repo.

SMOKE_TEST.md

@@ -0,0 +1,148 @@
+# Post-Deployment Smoke Test Runbook
+
+Smoke test procedure for verifying gitea-mobile after deployment to the Talos cluster.
+
+## Pre-conditions
+
+Before running the smoke test, confirm:
+
+- [ ] FluxCD has reconciled the latest manifests: `flux get kustomizations -n flux-system`
+- [ ] The gitea-mobile pod is Running: `kubectl get pods -n gitea-mobile`
+- [ ] The IngressRoute is active: `kubectl get ingressroute -n gitea-mobile`
+- [ ] DNS resolves `gitea-mobile.testing.leeworks.dev` to the cluster ingress
+
+## Step 1: Pod Health
+
+```bash
+# Verify the pod is running and ready
+kubectl get pods -n gitea-mobile
+# Expected: STATUS=Running, READY=1/1
+
+# Check pod logs for startup errors
+kubectl logs -n gitea-mobile deployment/gitea-mobile --tail=20
+# Expected: JSON log line with "server starting" message
+```
+
+## Step 2: Health Endpoint
+
+```bash
+# Hit the health check endpoint from inside the cluster
+kubectl exec -n gitea-mobile deployment/gitea-mobile -- wget -qO- http://localhost:8080/health
+# Expected: HTTP 200
+
+# Hit the health check endpoint from outside the cluster
+curl -s -o /dev/null -w "%{http_code}" https://gitea-mobile.testing.leeworks.dev/health
+# Expected: 200
+```
+
+## Step 3: TLS and Ingress
+
+```bash
+# Verify TLS certificate is valid
+curl -vI https://gitea-mobile.testing.leeworks.dev 2>&1 | grep "SSL certificate"
+# Expected: valid certificate from Let's Encrypt or cluster CA
+
+# Verify the app responds with HTML
+curl -s https://gitea-mobile.testing.leeworks.dev | head -5
+# Expected: HTML document with <html> tag
+```
+
+## Step 4: Authentication Flow
+
+1. Open `https://gitea-mobile.testing.leeworks.dev` in a browser
+2. Navigate to the Settings page (`/settings`)
+3. Enter a valid Gitea API token
+4. Submit the form
+5. **Expected**: Token is saved, page confirms success
+6. Navigate back to the Issues tab
+7. **Expected**: Issues load from the Gitea API using the saved token
+
+## Step 5: Core Functionality -- Issues
+
+1. Navigate to the Issues tab (`/issues`)
+2. **Expected**: Cross-org issues load and display with titles, labels, and timestamps
+3. Tap on an issue to expand details
+4. **Expected**: Issue body renders correctly
+5. Use the filter dropdown to filter by repo or label
+6. **Expected**: List updates via HTMX without full page reload
+
+## Step 6: Core Functionality -- Pull Requests
+
+1. Navigate to the PRs tab (`/pulls`)
+2. **Expected**: Pull requests load with review status icons
+3. Tap on a PR to see details
+4. **Expected**: PR diff summary or review status displays correctly
+
+## Step 7: Core Functionality -- Dashboard / Triage Queue
+
+1. Navigate to the Dashboard/Triage tab (`/`)
+2. **Expected**: Unassigned issues and PRs awaiting review appear sorted by priority
+
+## Step 8: Create Issue (Write Operation)
+
+1. Navigate to the new issue form
+2. Fill in title: `[smoke-test] Automated verification`
+3. Fill in body: `This issue was created during smoke testing. Safe to close.`
+4. Submit the form
+5. **Expected**: Issue is created successfully in Gitea
+6. Verify in Gitea web UI that the issue exists
+7. Close and delete the test issue after verification
+
+## Step 9: Apply Label (Write Operation)
+
+1. On any test issue, attempt to apply a label
+2. **Expected**: Label is applied via the Gitea API and reflected in the UI
+
+## Step 10: PWA / iPhone Safari
+
+1. Open `https://gitea-mobile.testing.leeworks.dev` on iPhone Safari
+2. **Expected**: App loads with mobile-optimized layout, no horizontal scroll
+3. Tap "Add to Home Screen" from the Safari share menu
+4. **Expected**: App icon appears on the home screen (apple-touch-icon)
+5. Launch from the home screen
+6. **Expected**: App opens in standalone mode (no Safari browser chrome)
+7. Verify bottom navigation does not overlap with iPhone home indicator
+8. Toggle device dark mode in Settings
+9. **Expected**: App switches between dark and light themes via `prefers-color-scheme`
+10. See issue #93 for the full PWA validation checklist
+
+## Expected Results Summary
+
+| Step | Check | Expected |
+|------|-------|----------|
+| 1 | Pod status | Running, Ready 1/1 |
+| 2 | `/health` | HTTP 200 |
+| 3 | TLS | Valid cert, HTML response |
+| 4 | Auth | Token saved, API calls work |
+| 5 | Issues | List loads, filter works |
+| 6 | PRs | List loads with review status |
+| 7 | Dashboard/Triage | Queue displays correctly at `/` |
+| 8 | Create issue | Issue created in Gitea |
+| 9 | Apply label | Label applied via API |
+| 10 | PWA | Standalone mode, safe areas, dark mode |
+
+## Rollback Procedure
+
+If the deployment is broken or the app is not functioning:
+
+```bash
+# Roll back to the previous deployment revision
+kubectl rollout undo deployment/gitea-mobile -n gitea-mobile
+
+# Verify the rollback
+kubectl rollout status deployment/gitea-mobile -n gitea-mobile
+# Expected: "deployment successfully rolled out"
+
+# Check that the previous image tag is running
+kubectl get deployment gitea-mobile -n gitea-mobile -o jsonpath='{.spec.template.spec.containers[0].image}'
+```
+
+If FluxCD keeps reconciling back to the broken version, suspend reconciliation temporarily:
+
+```bash
+# Suspend Flux reconciliation
+flux suspend kustomization gitea-mobile -n flux-system
+
+# After fixing the issue, resume
+flux resume kustomization gitea-mobile -n flux-system
+```

cmd/server/main.go

@@ -33,7 +33,7 @@ func main() {
 
 	// Apply middleware chain: logging -> auth.
 	var handler http.Handler = mux
-	handler = middleware.Auth(cfg.SessionSecret)(handler)
+	handler = middleware.Auth(cfg.SessionSecret, cfg.GiteaToken)(handler)
 	handler = middleware.Logging()(handler)
 
 	slog.Info("server starting", "addr", cfg.ListenAddr, "gitea_url", cfg.GiteaURL)

internal/gitea/client.go

@@ -8,8 +8,11 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"log/slog"
+	"math"
 	"net/http"
 	"sort"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -27,6 +30,11 @@ type Client struct {
 	maxConcurrent int
 	// cacheTTL controls how long cache entries remain valid.
 	cacheTTL time.Duration
+
+	// maxRetries is the maximum number of retries for rate-limited requests.
+	maxRetries int
+	// baseRetryDelay is the initial backoff delay before the first retry.
+	baseRetryDelay time.Duration
 }
 
 type cacheEntry struct {
@@ -105,8 +113,9 @@ type PullRequest struct {
 	Deletions int    `json:"deletions"`
 	CreatedAt time.Time `json:"created_at"`
 	UpdatedAt time.Time `json:"updated_at"`
-	RepoOwner string    `json:"-"` // populated after fetch
-	RepoName  string    `json:"-"` // populated after fetch
+	RepoOwner   string `json:"-"` // populated after fetch
+	RepoName    string `json:"-"` // populated after fetch
+	ReviewState string `json:"-"` // aggregated review state: "approved", "changes_requested", "pending", or ""
 }
 
 // TriageItem represents an item in the triage queue.
@@ -128,39 +137,102 @@ func NewClient(baseURL string) *Client {
 		httpClient: &http.Client{
 			Timeout: 30 * time.Second,
 		},
-		cache:         make(map[string]*cacheEntry),
-		maxConcurrent: 5,
-		cacheTTL:      30 * time.Second,
+		cache:          make(map[string]*cacheEntry),
+		maxConcurrent:  5,
+		cacheTTL:       30 * time.Second,
+		maxRetries:     3,
+		baseRetryDelay: 1 * time.Second,
 	}
 }
 
 // doRequest performs an authenticated HTTP request to the Gitea API.
+// It automatically retries on HTTP 429 (rate limit) responses with
+// exponential backoff, respecting the Retry-After header when present.
 func (c *Client) doRequest(ctx context.Context, token, method, path string, body io.Reader) (*http.Response, error) {
 	url := c.baseURL + "/api/v1" + path
 
-	req, err := http.NewRequestWithContext(ctx, method, url, body)
-	if err != nil {
-		return nil, fmt.Errorf("creating request: %w", err)
-	}
-
-	req.Header.Set("Authorization", "token "+token)
-	req.Header.Set("Accept", "application/json")
+	// Read the body once so we can replay it on retries.
+	var bodyBytes []byte
 	if body != nil {
-		req.Header.Set("Content-Type", "application/json")
+		var err error
+		bodyBytes, err = io.ReadAll(body)
+		if err != nil {
+			return nil, fmt.Errorf("reading request body: %w", err)
+		}
 	}
 
-	resp, err := c.httpClient.Do(req)
-	if err != nil {
-		return nil, fmt.Errorf("executing request: %w", err)
+	var lastErr error
+	for attempt := 0; attempt <= c.maxRetries; attempt++ {
+		// Recreate the body reader for each attempt.
+		var reqBody io.Reader
+		if bodyBytes != nil {
+			reqBody = strings.NewReader(string(bodyBytes))
+		}
+
+		req, err := http.NewRequestWithContext(ctx, method, url, reqBody)
+		if err != nil {
+			return nil, fmt.Errorf("creating request: %w", err)
+		}
+
+		req.Header.Set("Authorization", "token "+token)
+		req.Header.Set("Accept", "application/json")
+		if bodyBytes != nil {
+			req.Header.Set("Content-Type", "application/json")
+		}
+
+		resp, err := c.httpClient.Do(req)
+		if err != nil {
+			return nil, fmt.Errorf("executing request: %w", err)
+		}
+
+		// Not rate-limited: handle normally.
+		if resp.StatusCode != http.StatusTooManyRequests {
+			if resp.StatusCode >= 400 {
+				defer resp.Body.Close()
+				respBody, _ := io.ReadAll(resp.Body)
+				return nil, fmt.Errorf("API error %d: %s", resp.StatusCode, string(respBody))
+			}
+			return resp, nil
+		}
+
+		// Rate-limited (429): close body and compute retry delay.
+		resp.Body.Close()
+
+		if attempt == c.maxRetries {
+			lastErr = fmt.Errorf("API rate limit exceeded after %d retries (429)", c.maxRetries)
+			break
+		}
+
+		delay := c.retryDelay(resp, attempt)
+		slog.Warn("rate limited by Gitea API, retrying",
+			"attempt", attempt+1,
+			"max_retries", c.maxRetries,
+			"delay", delay,
+			"path", path,
+		)
+
+		select {
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		case <-time.After(delay):
+			// Continue to next attempt.
+		}
 	}
 
-	if resp.StatusCode >= 400 {
-		defer resp.Body.Close()
-		respBody, _ := io.ReadAll(resp.Body)
-		return nil, fmt.Errorf("API error %d: %s", resp.StatusCode, string(respBody))
-	}
+	return nil, lastErr
+}
 
-	return resp, nil
+// retryDelay computes the delay before the next retry attempt. It uses the
+// Retry-After header value (in seconds) if present, otherwise falls back to
+// exponential backoff: baseRetryDelay * 2^attempt.
+func (c *Client) retryDelay(resp *http.Response, attempt int) time.Duration {
+	if ra := resp.Header.Get("Retry-After"); ra != "" {
+		if seconds, err := strconv.Atoi(ra); err == nil && seconds > 0 {
+			return time.Duration(seconds) * time.Second
+		}
+	}
+	// Exponential backoff: 1s, 2s, 4s, ...
+	return c.baseRetryDelay * time.Duration(math.Pow(2, float64(attempt)))
 }
 
 // getFromCache returns cached data if still valid.
@@ -308,173 +380,274 @@ func (c *Client) ListOrgsAndRepos(ctx context.Context, token string) (map[string
 	return result, nil
 }
 
-// ListAllIssues fetches all open issues across all repos in the given orgs,
-// using concurrent requests with a semaphore.
-func (c *Client) ListAllIssues(ctx context.Context, token string, orgs []string) ([]Issue, error) {
-	cacheKey := fmt.Sprintf("issues-%s", strings.Join(orgs, ","))
-	if cached, ok := c.getFromCache(cacheKey); ok {
-		return cached.([]Issue), nil
-	}
+// PageSize is the number of items returned per page for paginated listings.
+const PageSize = 20
 
-	// First, collect all repos for the given orgs.
-	var allRepos []Repo
-	for _, org := range orgs {
-		repos, err := c.ListOrgRepos(ctx, token, org)
-		if err != nil {
-			return nil, fmt.Errorf("listing repos for %s: %w", org, err)
-		}
-		allRepos = append(allRepos, repos...)
-	}
-
-	// Fan out issue fetching across repos.
-	var allIssues []Issue
-	var mu sync.Mutex
-	sem := make(chan struct{}, c.maxConcurrent)
-	var wg sync.WaitGroup
-	var firstErr error
-
-	for _, repo := range allRepos {
-		wg.Add(1)
-		go func(r Repo) {
-			defer wg.Done()
-			sem <- struct{}{}
-			defer func() { <-sem }()
-
-			path := fmt.Sprintf("/repos/%s/issues?state=open&type=issues&limit=50", r.FullName)
-			resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
-			if err != nil {
-				mu.Lock()
-				if firstErr == nil {
-					firstErr = fmt.Errorf("fetching issues for %s: %w", r.FullName, err)
-				}
-				mu.Unlock()
-				return
-			}
-			defer resp.Body.Close()
-
-			var issues []Issue
-			if err := json.NewDecoder(resp.Body).Decode(&issues); err != nil {
-				mu.Lock()
-				if firstErr == nil {
-					firstErr = fmt.Errorf("decoding issues for %s: %w", r.FullName, err)
-				}
-				mu.Unlock()
-				return
-			}
-
-			// Tag each issue with repo info.
-			for i := range issues {
-				issues[i].RepoOwner = r.Owner.Login
-				issues[i].RepoName = r.Name
-			}
-
-			mu.Lock()
-			allIssues = append(allIssues, issues...)
-			mu.Unlock()
-		}(repo)
-	}
-
-	wg.Wait()
-
-	if firstErr != nil {
-		return nil, firstErr
-	}
-
-	// Sort by updated time, newest first.
-	sort.Slice(allIssues, func(i, j int) bool {
-		return allIssues[i].UpdatedAt.After(allIssues[j].UpdatedAt)
-	})
-
-	c.setCache(cacheKey, allIssues)
-	return allIssues, nil
+// PaginatedIssues holds a page of issues along with pagination metadata.
+type PaginatedIssues struct {
+	Issues  []Issue
+	HasMore bool
 }
 
-// ListAllPullRequests fetches all open PRs across all repos in the given orgs.
-func (c *Client) ListAllPullRequests(ctx context.Context, token string, orgs []string) ([]PullRequest, error) {
-	cacheKey := fmt.Sprintf("pulls-%s", strings.Join(orgs, ","))
+// PaginatedPulls holds a page of pull requests along with pagination metadata.
+type PaginatedPulls struct {
+	Pulls   []PullRequest
+	HasMore bool
+}
+
+// ListAllIssues fetches issues across all repos in the given orgs,
+// using concurrent requests with a semaphore. Results are paginated.
+// The label parameter filters issues by label name (empty string means no filter).
+// The repoFilter parameter narrows results to a single repo name (empty means all repos).
+func (c *Client) ListAllIssues(ctx context.Context, token string, orgs []string, state string, page int, label string, repoFilter string) (PaginatedIssues, error) {
+	if state == "" {
+		state = "open"
+	}
+	if page < 1 {
+		page = 1
+	}
+
+	cacheKey := fmt.Sprintf("issues-%s-%s-%s-%s", state, strings.Join(orgs, ","), label, repoFilter)
+	var allIssues []Issue
 	if cached, ok := c.getFromCache(cacheKey); ok {
-		return cached.([]PullRequest), nil
-	}
-
-	var allRepos []Repo
-	for _, org := range orgs {
-		repos, err := c.ListOrgRepos(ctx, token, org)
-		if err != nil {
-			return nil, fmt.Errorf("listing repos for %s: %w", org, err)
-		}
-		allRepos = append(allRepos, repos...)
-	}
-
-	var allPRs []PullRequest
-	var mu sync.Mutex
-	sem := make(chan struct{}, c.maxConcurrent)
-	var wg sync.WaitGroup
-	var firstErr error
-
-	for _, repo := range allRepos {
-		wg.Add(1)
-		go func(r Repo) {
-			defer wg.Done()
-			sem <- struct{}{}
-			defer func() { <-sem }()
-
-			path := fmt.Sprintf("/repos/%s/pulls?state=open&limit=50", r.FullName)
-			resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+		allIssues = cached.([]Issue)
+	} else {
+		// First, collect all repos for the given orgs.
+		var allRepos []Repo
+		for _, org := range orgs {
+			repos, err := c.ListOrgRepos(ctx, token, org)
 			if err != nil {
-				mu.Lock()
-				if firstErr == nil {
-					firstErr = fmt.Errorf("fetching PRs for %s: %w", r.FullName, err)
+				return PaginatedIssues{}, fmt.Errorf("listing repos for %s: %w", org, err)
+			}
+			allRepos = append(allRepos, repos...)
+		}
+
+		// Filter to a single repo if specified.
+		if repoFilter != "" {
+			var filtered []Repo
+			for _, r := range allRepos {
+				if r.Name == repoFilter {
+					filtered = append(filtered, r)
 				}
-				mu.Unlock()
-				return
 			}
-			defer resp.Body.Close()
+			allRepos = filtered
+		}
 
-			var prs []PullRequest
-			if err := json.NewDecoder(resp.Body).Decode(&prs); err != nil {
-				mu.Lock()
-				if firstErr == nil {
-					firstErr = fmt.Errorf("decoding PRs for %s: %w", r.FullName, err)
+		// Fan out issue fetching across repos.
+		var mu sync.Mutex
+		sem := make(chan struct{}, c.maxConcurrent)
+		var wg sync.WaitGroup
+		var firstErr error
+
+		for _, repo := range allRepos {
+			wg.Add(1)
+			go func(r Repo) {
+				defer wg.Done()
+				sem <- struct{}{}
+				defer func() { <-sem }()
+
+				path := fmt.Sprintf("/repos/%s/issues?state=%s&type=issues&limit=50", r.FullName, state)
+				if label != "" {
+					path += "&labels=" + label
 				}
+				resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+				if err != nil {
+					mu.Lock()
+					if firstErr == nil {
+						firstErr = fmt.Errorf("fetching issues for %s: %w", r.FullName, err)
+					}
+					mu.Unlock()
+					return
+				}
+				defer resp.Body.Close()
+
+				var issues []Issue
+				if err := json.NewDecoder(resp.Body).Decode(&issues); err != nil {
+					mu.Lock()
+					if firstErr == nil {
+						firstErr = fmt.Errorf("decoding issues for %s: %w", r.FullName, err)
+					}
+					mu.Unlock()
+					return
+				}
+
+				// Tag each issue with repo info.
+				for i := range issues {
+					issues[i].RepoOwner = r.Owner.Login
+					issues[i].RepoName = r.Name
+				}
+
+				mu.Lock()
+				allIssues = append(allIssues, issues...)
 				mu.Unlock()
-				return
-			}
+			}(repo)
+		}
 
-			for i := range prs {
-				prs[i].RepoOwner = r.Owner.Login
-				prs[i].RepoName = r.Name
-			}
+		wg.Wait()
 
-			mu.Lock()
-			allPRs = append(allPRs, prs...)
-			mu.Unlock()
-		}(repo)
+		if firstErr != nil {
+			return PaginatedIssues{}, firstErr
+		}
+
+		// Sort by updated time, newest first.
+		sort.Slice(allIssues, func(i, j int) bool {
+			return allIssues[i].UpdatedAt.After(allIssues[j].UpdatedAt)
+		})
+
+		c.setCache(cacheKey, allIssues)
 	}
 
-	wg.Wait()
-
-	if firstErr != nil {
-		return nil, firstErr
+	// Paginate.
+	start := (page - 1) * PageSize
+	if start >= len(allIssues) {
+		return PaginatedIssues{}, nil
+	}
+	end := start + PageSize
+	hasMore := end < len(allIssues)
+	if end > len(allIssues) {
+		end = len(allIssues)
 	}
 
-	sort.Slice(allPRs, func(i, j int) bool {
-		return allPRs[i].UpdatedAt.After(allPRs[j].UpdatedAt)
-	})
+	return PaginatedIssues{Issues: allIssues[start:end], HasMore: hasMore}, nil
+}
 
-	c.setCache(cacheKey, allPRs)
-	return allPRs, nil
+// ListAllPullRequests fetches PRs across all repos in the given orgs.
+// Results are paginated. The label parameter filters PRs by label name.
+// The repoFilter parameter narrows results to a single repo name.
+func (c *Client) ListAllPullRequests(ctx context.Context, token string, orgs []string, state string, page int, label string, repoFilter string) (PaginatedPulls, error) {
+	if state == "" {
+		state = "open"
+	}
+	if page < 1 {
+		page = 1
+	}
+
+	cacheKey := fmt.Sprintf("pulls-%s-%s-%s-%s", state, strings.Join(orgs, ","), label, repoFilter)
+	var allPRs []PullRequest
+	if cached, ok := c.getFromCache(cacheKey); ok {
+		allPRs = cached.([]PullRequest)
+	} else {
+		var allRepos []Repo
+		for _, org := range orgs {
+			repos, err := c.ListOrgRepos(ctx, token, org)
+			if err != nil {
+				return PaginatedPulls{}, fmt.Errorf("listing repos for %s: %w", org, err)
+			}
+			allRepos = append(allRepos, repos...)
+		}
+
+		// Filter to a single repo if specified.
+		if repoFilter != "" {
+			var filtered []Repo
+			for _, r := range allRepos {
+				if r.Name == repoFilter {
+					filtered = append(filtered, r)
+				}
+			}
+			allRepos = filtered
+		}
+
+		var mu sync.Mutex
+		sem := make(chan struct{}, c.maxConcurrent)
+		var wg sync.WaitGroup
+		var firstErr error
+
+		for _, repo := range allRepos {
+			wg.Add(1)
+			go func(r Repo) {
+				defer wg.Done()
+				sem <- struct{}{}
+				defer func() { <-sem }()
+
+				path := fmt.Sprintf("/repos/%s/pulls?state=%s&limit=50", r.FullName, state)
+				if label != "" {
+					path += "&labels=" + label
+				}
+				resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+				if err != nil {
+					mu.Lock()
+					if firstErr == nil {
+						firstErr = fmt.Errorf("fetching PRs for %s: %w", r.FullName, err)
+					}
+					mu.Unlock()
+					return
+				}
+				defer resp.Body.Close()
+
+				var prs []PullRequest
+				if err := json.NewDecoder(resp.Body).Decode(&prs); err != nil {
+					mu.Lock()
+					if firstErr == nil {
+						firstErr = fmt.Errorf("decoding PRs for %s: %w", r.FullName, err)
+					}
+					mu.Unlock()
+					return
+				}
+
+				for i := range prs {
+					prs[i].RepoOwner = r.Owner.Login
+					prs[i].RepoName = r.Name
+				}
+
+				mu.Lock()
+				allPRs = append(allPRs, prs...)
+				mu.Unlock()
+			}(repo)
+		}
+
+		wg.Wait()
+
+		if firstErr != nil {
+			return PaginatedPulls{}, firstErr
+		}
+
+		sort.Slice(allPRs, func(i, j int) bool {
+			return allPRs[i].UpdatedAt.After(allPRs[j].UpdatedAt)
+		})
+
+		c.setCache(cacheKey, allPRs)
+	}
+
+	// Paginate.
+	start := (page - 1) * PageSize
+	if start >= len(allPRs) {
+		return PaginatedPulls{}, nil
+	}
+	end := start + PageSize
+	hasMore := end < len(allPRs)
+	if end > len(allPRs) {
+		end = len(allPRs)
+	}
+
+	return PaginatedPulls{Pulls: allPRs[start:end], HasMore: hasMore}, nil
 }
 
 // GetTriageQueue returns unassigned issues and PRs needing review, sorted by priority.
 func (c *Client) GetTriageQueue(ctx context.Context, token string, orgs []string) ([]TriageItem, error) {
-	issues, err := c.ListAllIssues(ctx, token, orgs)
-	if err != nil {
-		return nil, fmt.Errorf("fetching issues for triage: %w", err)
+	// Collect all open issues across all pages.
+	var issues []Issue
+	for page := 1; ; page++ {
+		result, err := c.ListAllIssues(ctx, token, orgs, "open", page, "", "")
+		if err != nil {
+			return nil, fmt.Errorf("fetching issues for triage: %w", err)
+		}
+		issues = append(issues, result.Issues...)
+		if !result.HasMore {
+			break
+		}
 	}
 
-	prs, err := c.ListAllPullRequests(ctx, token, orgs)
-	if err != nil {
-		return nil, fmt.Errorf("fetching PRs for triage: %w", err)
+	// Collect all open PRs across all pages.
+	var prs []PullRequest
+	for page := 1; ; page++ {
+		result, err := c.ListAllPullRequests(ctx, token, orgs, "open", page, "", "")
+		if err != nil {
+			return nil, fmt.Errorf("fetching PRs for triage: %w", err)
+		}
+		prs = append(prs, result.Pulls...)
+		if !result.HasMore {
+			break
+		}
 	}
 
 	var queue []TriageItem
@@ -530,6 +703,130 @@ func (c *Client) GetTriageQueue(ctx context.Context, token string, orgs []string
 	return queue, nil
 }
 
+// Comment represents a comment on an issue or pull request.
+type Comment struct {
+	ID        int64  `json:"id"`
+	Body      string `json:"body"`
+	User      string `json:"-"` // populated from nested object
+	CreatedAt string `json:"-"` // formatted after fetch
+	RawUser   struct {
+		Login string `json:"login"`
+	} `json:"user"`
+	RawCreatedAt time.Time `json:"created_at"`
+}
+
+// Label represents a Gitea label (used for available labels list).
+type Label struct {
+	ID    int64  `json:"id"`
+	Name  string `json:"name"`
+	Color string `json:"color"`
+}
+
+// GetIssue fetches a single issue by owner, repo, and index.
+func (c *Client) GetIssue(ctx context.Context, token, owner, repo string, index int64) (*Issue, error) {
+	path := fmt.Sprintf("/repos/%s/%s/issues/%d", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+	if err != nil {
+		return nil, fmt.Errorf("fetching issue: %w", err)
+	}
+	defer resp.Body.Close()
+
+	var issue Issue
+	if err := json.NewDecoder(resp.Body).Decode(&issue); err != nil {
+		return nil, fmt.Errorf("decoding issue: %w", err)
+	}
+
+	issue.RepoOwner = owner
+	issue.RepoName = repo
+	return &issue, nil
+}
+
+// GetPull fetches a single pull request by owner, repo, and index.
+func (c *Client) GetPull(ctx context.Context, token, owner, repo string, index int64) (*PullRequest, error) {
+	path := fmt.Sprintf("/repos/%s/%s/pulls/%d", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+	if err != nil {
+		return nil, fmt.Errorf("fetching pull request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	var pr PullRequest
+	if err := json.NewDecoder(resp.Body).Decode(&pr); err != nil {
+		return nil, fmt.Errorf("decoding pull request: %w", err)
+	}
+
+	pr.RepoOwner = owner
+	pr.RepoName = repo
+	return &pr, nil
+}
+
+// ChangedFile represents a file changed in a pull request.
+type ChangedFile struct {
+	Filename    string `json:"filename"`
+	Status      string `json:"status"` // "added", "modified", "removed", "renamed"
+	Additions   int    `json:"additions"`
+	Deletions   int    `json:"deletions"`
+	Changes     int    `json:"changes"`
+	PreviousFilename string `json:"previous_filename,omitempty"`
+}
+
+// GetChangedFiles fetches the list of files changed in a pull request.
+func (c *Client) GetChangedFiles(ctx context.Context, token, owner, repo string, index int64) ([]ChangedFile, error) {
+	path := fmt.Sprintf("/repos/%s/%s/pulls/%d/files?limit=50", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+	if err != nil {
+		return nil, fmt.Errorf("fetching changed files: %w", err)
+	}
+	defer resp.Body.Close()
+
+	var files []ChangedFile
+	if err := json.NewDecoder(resp.Body).Decode(&files); err != nil {
+		return nil, fmt.Errorf("decoding changed files: %w", err)
+	}
+
+	return files, nil
+}
+
+// GetIssueComments fetches comments for an issue or pull request.
+func (c *Client) GetIssueComments(ctx context.Context, token, owner, repo string, index int64) ([]Comment, error) {
+	path := fmt.Sprintf("/repos/%s/%s/issues/%d/comments?limit=50", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+	if err != nil {
+		return nil, fmt.Errorf("fetching comments: %w", err)
+	}
+	defer resp.Body.Close()
+
+	var comments []Comment
+	if err := json.NewDecoder(resp.Body).Decode(&comments); err != nil {
+		return nil, fmt.Errorf("decoding comments: %w", err)
+	}
+
+	// Populate convenience fields.
+	for i := range comments {
+		comments[i].User = comments[i].RawUser.Login
+		comments[i].CreatedAt = comments[i].RawCreatedAt.Format("Jan 2, 2006 15:04")
+	}
+
+	return comments, nil
+}
+
+// GetRepoLabels fetches all labels for a repository.
+func (c *Client) GetRepoLabels(ctx context.Context, token, owner, repo string) ([]Label, error) {
+	path := fmt.Sprintf("/repos/%s/%s/labels?limit=50", owner, repo)
+	resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+	if err != nil {
+		return nil, fmt.Errorf("fetching labels: %w", err)
+	}
+	defer resp.Body.Close()
+
+	var labels []Label
+	if err := json.NewDecoder(resp.Body).Decode(&labels); err != nil {
+		return nil, fmt.Errorf("decoding labels: %w", err)
+	}
+
+	return labels, nil
+}
+
 // CreateIssue creates a new issue in the specified repository.
 func (c *Client) CreateIssue(ctx context.Context, token, owner, repo, title, body string, labels []int64) (*Issue, error) {
 	payload := map[string]interface{}{
@@ -586,6 +883,49 @@ func (c *Client) ApplyLabel(ctx context.Context, token, owner, repo string, inde
 	return nil
 }
 
+// ListCollaborators fetches the list of collaborators (users with access) for a repo.
+func (c *Client) ListCollaborators(ctx context.Context, token, owner, repo string) ([]string, error) {
+	path := fmt.Sprintf("/repos/%s/%s/collaborators?limit=50", owner, repo)
+	resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+	if err != nil {
+		return nil, fmt.Errorf("fetching collaborators: %w", err)
+	}
+	defer resp.Body.Close()
+
+	var users []struct {
+		Login string `json:"login"`
+	}
+	if err := json.NewDecoder(resp.Body).Decode(&users); err != nil {
+		return nil, fmt.Errorf("decoding collaborators: %w", err)
+	}
+
+	var logins []string
+	for _, u := range users {
+		logins = append(logins, u.Login)
+	}
+	return logins, nil
+}
+
+// AssignIssue sets the assignees on an issue.
+func (c *Client) AssignIssue(ctx context.Context, token, owner, repo string, index int64, assignees []string) error {
+	payload, err := json.Marshal(map[string]interface{}{
+		"assignees": assignees,
+	})
+	if err != nil {
+		return fmt.Errorf("marshaling assignees: %w", err)
+	}
+
+	path := fmt.Sprintf("/repos/%s/%s/issues/%d", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodPatch, path, strings.NewReader(string(payload)))
+	if err != nil {
+		return fmt.Errorf("assigning issue: %w", err)
+	}
+	resp.Body.Close()
+
+	c.InvalidateAll()
+	return nil
+}
+
 // SubmitReview submits a review on a pull request.
 func (c *Client) SubmitReview(ctx context.Context, token, owner, repo string, index int64, reviewType, body string) error {
 	payload := map[string]interface{}{
@@ -609,6 +949,168 @@ func (c *Client) SubmitReview(ctx context.Context, token, owner, repo string, in
 	return nil
 }
 
+// CloseIssue closes an issue by setting its state to "closed".
+func (c *Client) CloseIssue(ctx context.Context, token, owner, repo string, index int64) error {
+	return c.SetIssueState(ctx, token, owner, repo, index, "closed")
+}
+
+// SetIssueState sets an issue's state (e.g. "open" or "closed").
+func (c *Client) SetIssueState(ctx context.Context, token, owner, repo string, index int64, state string) error {
+	payload, err := json.Marshal(map[string]string{"state": state})
+	if err != nil {
+		return fmt.Errorf("marshaling state change: %w", err)
+	}
+
+	path := fmt.Sprintf("/repos/%s/%s/issues/%d", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodPatch, path, strings.NewReader(string(payload)))
+	if err != nil {
+		return fmt.Errorf("setting issue state: %w", err)
+	}
+	resp.Body.Close()
+
+	c.InvalidateAll()
+	return nil
+}
+
+// AddComment creates a comment on an issue and returns the created Comment.
+func (c *Client) AddComment(ctx context.Context, token, owner, repo string, index int64, body string) (*Comment, error) {
+	return c.PostComment(ctx, token, owner, repo, index, body)
+}
+
+// PostComment creates a comment on an issue and returns the created Comment.
+func (c *Client) PostComment(ctx context.Context, token, owner, repo string, index int64, body string) (*Comment, error) {
+	payload, err := json.Marshal(map[string]string{"body": body})
+	if err != nil {
+		return nil, fmt.Errorf("marshaling comment: %w", err)
+	}
+
+	path := fmt.Sprintf("/repos/%s/%s/issues/%d/comments", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodPost, path, strings.NewReader(string(payload)))
+	if err != nil {
+		return nil, fmt.Errorf("posting comment: %w", err)
+	}
+	defer resp.Body.Close()
+
+	var comment Comment
+	if err := json.NewDecoder(resp.Body).Decode(&comment); err != nil {
+		return nil, fmt.Errorf("decoding comment: %w", err)
+	}
+
+	// Populate convenience fields.
+	comment.User = comment.RawUser.Login
+	comment.CreatedAt = comment.RawCreatedAt.Format("Jan 2, 2006 15:04")
+
+	c.InvalidateAll()
+	return &comment, nil
+}
+
+// RenderMarkdown renders raw markdown text to HTML using the Gitea API.
+// Falls back to the raw text if the API call fails.
+func (c *Client) RenderMarkdown(ctx context.Context, token, text string) (string, error) {
+	payload, err := json.Marshal(map[string]string{
+		"Text": text,
+		"Mode": "gfm",
+	})
+	if err != nil {
+		return text, fmt.Errorf("marshaling markdown request: %w", err)
+	}
+
+	url := c.baseURL + "/api/v1/markdown"
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, strings.NewReader(string(payload)))
+	if err != nil {
+		return text, fmt.Errorf("creating markdown request: %w", err)
+	}
+
+	req.Header.Set("Authorization", "token "+token)
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Accept", "text/html")
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return text, fmt.Errorf("executing markdown request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode >= 400 {
+		return text, fmt.Errorf("markdown API error %d", resp.StatusCode)
+	}
+
+	rendered, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return text, fmt.Errorf("reading markdown response: %w", err)
+	}
+
+	return string(rendered), nil
+}
+
+// Review represents a single review on a pull request.
+type Review struct {
+	ID   int64  `json:"id"`
+	Body string `json:"body"`
+	State string `json:"state"` // "APPROVED", "REQUEST_CHANGES", "COMMENT", "PENDING"
+	User  struct {
+		Login string `json:"login"`
+	} `json:"user"`
+}
+
+// GetPullReviewState fetches reviews for a PR and returns the aggregate state.
+// Priority: changes_requested > approved > pending > "" (no reviews).
+func (c *Client) GetPullReviewState(ctx context.Context, token, owner, repo string, index int64) string {
+	path := fmt.Sprintf("/repos/%s/%s/pulls/%d/reviews?limit=50", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+	if err != nil {
+		return ""
+	}
+	defer resp.Body.Close()
+
+	var reviews []Review
+	if err := json.NewDecoder(resp.Body).Decode(&reviews); err != nil {
+		return ""
+	}
+
+	if len(reviews) == 0 {
+		return ""
+	}
+
+	// Aggregate: last non-comment review per user wins, then pick the "worst" state.
+	userState := make(map[string]string)
+	for _, r := range reviews {
+		switch r.State {
+		case "APPROVED", "REQUEST_CHANGES":
+			userState[r.User.Login] = r.State
+		}
+	}
+
+	if len(userState) == 0 {
+		return "pending"
+	}
+
+	for _, s := range userState {
+		if s == "REQUEST_CHANGES" {
+			return "changes_requested"
+		}
+	}
+	return "approved"
+}
+
+// EnrichPullsWithReviewState fetches review state for each PR concurrently.
+func (c *Client) EnrichPullsWithReviewState(ctx context.Context, token string, pulls []PullRequest) {
+	sem := make(chan struct{}, c.maxConcurrent)
+	var wg sync.WaitGroup
+
+	for i := range pulls {
+		wg.Add(1)
+		go func(idx int) {
+			defer wg.Done()
+			sem <- struct{}{}
+			defer func() { <-sem }()
+
+			pulls[idx].ReviewState = c.GetPullReviewState(ctx, token, pulls[idx].RepoOwner, pulls[idx].RepoName, pulls[idx].Number)
+		}(i)
+	}
+	wg.Wait()
+}
+
 // priorityScore returns a numeric score for sorting (lower = higher priority).
 func priorityScore(labels []string) int {
 	for _, l := range labels {

internal/handlers/handlers.go

@@ -7,6 +7,7 @@ import (
 	"log/slog"
 	"net/http"
 	"strconv"
+	"strings"
 
 	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/config"
 	giteaclient "gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/gitea"
@@ -37,12 +38,24 @@ func (h *Handler) RegisterRoutes(mux *http.ServeMux) {
 
 	// Issues.
 	mux.HandleFunc("GET /issues", h.ListIssues)
+	mux.HandleFunc("GET /issues/new", h.NewIssue)
+	mux.HandleFunc("GET /issues/new/labels", h.NewIssueLabels)
 	mux.HandleFunc("POST /issues", h.CreateIssue)
 	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/labels", h.ApplyLabels)
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/assignees", h.AssignIssue)
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/close", h.CloseIssue)
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/state", h.SetIssueState)
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/comments", h.AddComment)
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/comment", h.AddComment)
+
+	// Issue detail.
+	mux.HandleFunc("GET /issues/{owner}/{repo}/{index}", h.IssueDetail)
 
 	// Pull requests.
 	mux.HandleFunc("GET /pulls", h.ListPulls)
+	mux.HandleFunc("GET /pulls/{owner}/{repo}/{index}", h.PullDetail)
 	mux.HandleFunc("POST /pulls/{owner}/{repo}/{index}/review", h.SubmitReview)
+	mux.HandleFunc("POST /pulls/{owner}/{repo}/{index}/state", h.SetPullState)
 
 	// Settings (handled separately for auth bypass).
 	settingsHandler := &SettingsHandler{
@@ -107,6 +120,10 @@ var basePage = template.Must(template.New("base").Parse(`<!DOCTYPE html>
   <script src="/static/htmx.min.js"></script>
 </head>
 <body>
+  <header class="top-bar">
+    <span class="top-bar-title">Gitea Mobile</span>
+    <button class="refresh-btn" hx-get="" hx-target="#main-content" hx-swap="innerHTML" aria-label="Refresh">&#8635;</button>
+  </header>
   <div class="content" id="main-content">
     {{.Content}}
   </div>
@@ -164,169 +181,545 @@ func renderPage(w http.ResponseWriter, r *http.Request, title, activeTab string,
 	}
 }
 
+// errorData holds the template data for error pages.
+type errorData struct {
+	Code    int
+	Title   string
+	Message string
+}
+
+// ErrorNotFound renders a mobile-friendly 404 error page.
+func (h *Handler) ErrorNotFound(w http.ResponseWriter, r *http.Request) {
+	data := errorData{
+		Code:    http.StatusNotFound,
+		Title:   "Page Not Found",
+		Message: "The page you are looking for does not exist or has been moved.",
+	}
+	h.renderError(w, r, data)
+}
+
+// ErrorInternal renders a mobile-friendly 500 error page.
+func (h *Handler) ErrorInternal(w http.ResponseWriter, r *http.Request) {
+	data := errorData{
+		Code:    http.StatusInternalServerError,
+		Title:   "Internal Server Error",
+		Message: "Something went wrong on our end. Please try again later.",
+	}
+	h.renderError(w, r, data)
+}
+
+// renderError renders the error template with the given data and status code.
+func (h *Handler) renderError(w http.ResponseWriter, r *http.Request, data errorData) {
+	tmpl, err := template.ParseFiles("internal/templates/error.html")
+	if err != nil {
+		slog.Error("failed to parse error template", "error", err)
+		http.Error(w, fmt.Sprintf("%d %s", data.Code, data.Title), data.Code)
+		return
+	}
+
+	var buf strings.Builder
+	if err := tmpl.ExecuteTemplate(&buf, "content", data); err != nil {
+		slog.Error("failed to execute error template", "error", err)
+		http.Error(w, fmt.Sprintf("%d %s", data.Code, data.Title), data.Code)
+		return
+	}
+
+	w.WriteHeader(data.Code)
+	renderPage(w, r, data.Title, "", buf.String())
+}
+
 // Dashboard handles GET / — the triage queue.
 func (h *Handler) Dashboard(w http.ResponseWriter, r *http.Request) {
 	// Only handle exact root path.
 	if r.URL.Path != "/" {
-		http.NotFound(w, r)
+		h.ErrorNotFound(w, r)
 		return
 	}
 
 	token := getToken(r)
 	orgs := h.getUserOrgs(r)
+	selectedOrg := r.URL.Query().Get("org")
+
+	type dashboardData struct {
+		Items       []giteaclient.TriageItem
+		Orgs        []string
+		SelectedOrg string
+		Error       string
+	}
+
+	data := dashboardData{
+		Orgs:        orgs,
+		SelectedOrg: selectedOrg,
+	}
 
 	if len(orgs) == 0 {
-		renderPage(w, r, "Dashboard", "dashboard",
-			`<h1>Dashboard</h1><p class="empty">No organizations found. Check your token permissions.</p>`)
-		return
+		data.Error = "No organizations found. Check your token permissions."
+	} else {
+		// Determine which orgs to query.
+		queryOrgs := orgs
+		if selectedOrg != "" {
+			queryOrgs = []string{selectedOrg}
+		}
+
+		queue, err := h.Client.GetTriageQueue(r.Context(), token, queryOrgs)
+		if err != nil {
+			slog.Error("failed to get triage queue", "error", err)
+			data.Error = "Error loading triage queue."
+		} else {
+			data.Items = queue
+		}
 	}
 
-	queue, err := h.Client.GetTriageQueue(r.Context(), token, orgs)
+	tmpl, err := template.ParseFiles("internal/templates/dashboard.html")
 	if err != nil {
-		slog.Error("failed to get triage queue", "error", err)
-		renderPage(w, r, "Dashboard", "dashboard",
-			`<h1>Dashboard</h1><p class="empty">Error loading triage queue.</p>`)
+		slog.Error("failed to parse dashboard template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
 		return
 	}
 
-	if len(queue) == 0 {
-		renderPage(w, r, "Dashboard", "dashboard",
-			`<h1>Dashboard</h1><p class="empty">No items need attention. Nice work!</p>`)
+	var buf strings.Builder
+	if err := tmpl.ExecuteTemplate(&buf, "content", data); err != nil {
+		slog.Error("failed to execute dashboard template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
 		return
 	}
 
-	content := `<h1>Dashboard</h1>`
-	for _, item := range queue {
-		typeBadge := `<span class="type-badge type-issue">issue</span>`
-		if item.Type == "pull" {
-			typeBadge = `<span class="type-badge type-pull">PR</span>`
-		}
-
-		labels := ""
-		for _, l := range item.Labels {
-			color := "#8b949e"
-			switch l {
-			case "P1":
-				color = "#f85149"
-			case "P2":
-				color = "#d29922"
-			case "P3":
-				color = "#58a6ff"
-			}
-			labels += fmt.Sprintf(`<span class="label" style="color:%s;border:1px solid %s">%s</span>`, color, color, template.HTMLEscapeString(l))
-		}
-
-		content += fmt.Sprintf(`<div class="card">
-  <div class="card-title">%s %s</div>
-  <div class="card-meta">%s/%s #%d %s</div>
-</div>`, typeBadge, template.HTMLEscapeString(item.Title),
-			template.HTMLEscapeString(item.RepoOwner),
-			template.HTMLEscapeString(item.RepoName),
-			item.Number, labels)
-	}
-
-	renderPage(w, r, "Dashboard", "dashboard", content)
+	renderPage(w, r, "Dashboard", "dashboard", buf.String())
 }
 
 // ListIssues handles GET /issues.
 func (h *Handler) ListIssues(w http.ResponseWriter, r *http.Request) {
 	token := getToken(r)
-	orgs := h.getUserOrgs(r)
+	orgNames := h.getUserOrgs(r)
 
-	if len(orgs) == 0 {
-		renderPage(w, r, "Issues", "issues",
-			`<h1>Issues</h1><p class="empty">No organizations found.</p>`)
+	type issuesData struct {
+		Issues        []giteaclient.Issue
+		Orgs          []string
+		SelectedOrg   string
+		SelectedState string
+		SelectedLabel string
+		SelectedRepo  string
+		Repos         []string
+		HasMore       bool
+		NextPage      int
+		Error         string
+	}
+
+	selectedOrg := r.URL.Query().Get("org")
+	selectedState := r.URL.Query().Get("state")
+	if selectedState == "" {
+		selectedState = "open"
+	}
+	selectedLabel := r.URL.Query().Get("label")
+	selectedRepo := r.URL.Query().Get("repo")
+	page, _ := strconv.Atoi(r.URL.Query().Get("page"))
+	if page < 1 {
+		page = 1
+	}
+
+	data := issuesData{
+		Orgs:          orgNames,
+		SelectedOrg:   selectedOrg,
+		SelectedState: selectedState,
+		SelectedLabel: selectedLabel,
+		SelectedRepo:  selectedRepo,
+	}
+
+	if len(orgNames) == 0 {
+		data.Error = "No organizations found."
+	} else {
+		// Filter to selected org if specified.
+		queryOrgs := orgNames
+		if selectedOrg != "" {
+			queryOrgs = []string{selectedOrg}
+
+			// Populate repo list for the selected org.
+			repos, err := h.Client.ListOrgRepos(r.Context(), token, selectedOrg)
+			if err != nil {
+				slog.Warn("failed to list repos for org filter", "error", err, "org", selectedOrg)
+			} else {
+				for _, repo := range repos {
+					data.Repos = append(data.Repos, repo.Name)
+				}
+			}
+		}
+
+		result, err := h.Client.ListAllIssues(r.Context(), token, queryOrgs, selectedState, page, selectedLabel, selectedRepo)
+		if err != nil {
+			slog.Error("failed to list issues", "error", err)
+			data.Error = "Error loading issues."
+		} else {
+			data.Issues = result.Issues
+			data.HasMore = result.HasMore
+			if result.HasMore {
+				data.NextPage = page + 1
+			}
+		}
+	}
+
+	// For HTMX infinite-scroll requests (page > 1), return only the card fragment.
+	if isHTMX(r) && page > 1 {
+		tmpl, err := template.ParseFiles("internal/templates/issues.html")
+		if err != nil {
+			slog.Error("failed to parse issues template", "error", err)
+			http.Error(w, "template error", http.StatusInternalServerError)
+			return
+		}
+		var buf strings.Builder
+		if err := tmpl.ExecuteTemplate(&buf, "cards", data); err != nil {
+			slog.Error("failed to execute issues cards template", "error", err)
+			http.Error(w, "template error", http.StatusInternalServerError)
+			return
+		}
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		fmt.Fprint(w, buf.String())
 		return
 	}
 
-	issues, err := h.Client.ListAllIssues(r.Context(), token, orgs)
+	tmpl, err := template.ParseFiles("internal/templates/issues.html")
 	if err != nil {
-		slog.Error("failed to list issues", "error", err)
-		renderPage(w, r, "Issues", "issues",
-			`<h1>Issues</h1><p class="empty">Error loading issues.</p>`)
+		slog.Error("failed to parse issues template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
 		return
 	}
 
-	if len(issues) == 0 {
-		renderPage(w, r, "Issues", "issues",
-			`<h1>Issues</h1><p class="empty">No open issues found.</p>`)
+	var buf strings.Builder
+	if err := tmpl.ExecuteTemplate(&buf, "content", data); err != nil {
+		slog.Error("failed to execute issues template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
 		return
 	}
 
-	content := `<h1>Issues</h1>`
-	for _, issue := range issues {
-		labels := ""
-		for _, l := range issue.Labels {
-			labels += fmt.Sprintf(`<span class="label" style="color:#%s;border:1px solid #%s">%s</span>`,
-				l.Color, l.Color, template.HTMLEscapeString(l.Name))
-		}
-
-		assignee := ""
-		if issue.Assignee != nil {
-			assignee = fmt.Sprintf(` &middot; %s`, template.HTMLEscapeString(issue.Assignee.Login))
-		}
-
-		content += fmt.Sprintf(`<div class="card">
-  <div class="card-title">%s</div>
-  <div class="card-meta">%s/%s #%d %s%s</div>
-</div>`, template.HTMLEscapeString(issue.Title),
-			template.HTMLEscapeString(issue.RepoOwner),
-			template.HTMLEscapeString(issue.RepoName),
-			issue.Number, labels, assignee)
-	}
-
-	renderPage(w, r, "Issues", "issues", content)
+	renderPage(w, r, "Issues", "issues", buf.String())
 }
 
 // ListPulls handles GET /pulls.
 func (h *Handler) ListPulls(w http.ResponseWriter, r *http.Request) {
 	token := getToken(r)
-	orgs := h.getUserOrgs(r)
+	orgNames := h.getUserOrgs(r)
 
-	if len(orgs) == 0 {
-		renderPage(w, r, "Pull Requests", "pulls",
-			`<h1>Pull Requests</h1><p class="empty">No organizations found.</p>`)
+	type pullsData struct {
+		Pulls         []giteaclient.PullRequest
+		Orgs          []string
+		SelectedOrg   string
+		SelectedState string
+		SelectedLabel string
+		SelectedRepo  string
+		Repos         []string
+		HasMore       bool
+		NextPage      int
+		Error         string
+	}
+
+	selectedOrg := r.URL.Query().Get("org")
+	selectedState := r.URL.Query().Get("state")
+	if selectedState == "" {
+		selectedState = "open"
+	}
+	selectedLabel := r.URL.Query().Get("label")
+	selectedRepo := r.URL.Query().Get("repo")
+	page, _ := strconv.Atoi(r.URL.Query().Get("page"))
+	if page < 1 {
+		page = 1
+	}
+
+	data := pullsData{
+		Orgs:          orgNames,
+		SelectedOrg:   selectedOrg,
+		SelectedState: selectedState,
+		SelectedLabel: selectedLabel,
+		SelectedRepo:  selectedRepo,
+	}
+
+	if len(orgNames) == 0 {
+		data.Error = "No organizations found."
+	} else {
+		queryOrgs := orgNames
+		if selectedOrg != "" {
+			queryOrgs = []string{selectedOrg}
+
+			// Populate repo list for the selected org.
+			repos, err := h.Client.ListOrgRepos(r.Context(), token, selectedOrg)
+			if err != nil {
+				slog.Warn("failed to list repos for org filter", "error", err, "org", selectedOrg)
+			} else {
+				for _, repo := range repos {
+					data.Repos = append(data.Repos, repo.Name)
+				}
+			}
+		}
+
+		result, err := h.Client.ListAllPullRequests(r.Context(), token, queryOrgs, selectedState, page, selectedLabel, selectedRepo)
+		if err != nil {
+			slog.Error("failed to list pull requests", "error", err)
+			data.Error = "Error loading pull requests."
+		} else {
+			data.Pulls = result.Pulls
+			data.HasMore = result.HasMore
+			if result.HasMore {
+				data.NextPage = page + 1
+			}
+			// Enrich PRs with review state for status icons.
+			if len(data.Pulls) > 0 {
+				h.Client.EnrichPullsWithReviewState(r.Context(), token, data.Pulls)
+			}
+		}
+	}
+
+	// For HTMX infinite-scroll requests (page > 1), return only the card fragment.
+	if isHTMX(r) && page > 1 {
+		tmpl, err := template.ParseFiles("internal/templates/pulls.html")
+		if err != nil {
+			slog.Error("failed to parse pulls template", "error", err)
+			http.Error(w, "template error", http.StatusInternalServerError)
+			return
+		}
+		var buf strings.Builder
+		if err := tmpl.ExecuteTemplate(&buf, "cards", data); err != nil {
+			slog.Error("failed to execute pulls cards template", "error", err)
+			http.Error(w, "template error", http.StatusInternalServerError)
+			return
+		}
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		fmt.Fprint(w, buf.String())
 		return
 	}
 
-	prs, err := h.Client.ListAllPullRequests(r.Context(), token, orgs)
+	tmpl, err := template.ParseFiles("internal/templates/pulls.html")
 	if err != nil {
-		slog.Error("failed to list pull requests", "error", err)
-		renderPage(w, r, "Pull Requests", "pulls",
-			`<h1>Pull Requests</h1><p class="empty">Error loading pull requests.</p>`)
+		slog.Error("failed to parse pulls template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
 		return
 	}
 
-	if len(prs) == 0 {
-		renderPage(w, r, "Pull Requests", "pulls",
-			`<h1>Pull Requests</h1><p class="empty">No open pull requests found.</p>`)
+	var buf strings.Builder
+	if err := tmpl.ExecuteTemplate(&buf, "content", data); err != nil {
+		slog.Error("failed to execute pulls template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
 		return
 	}
 
-	content := `<h1>Pull Requests</h1>`
-	for _, pr := range prs {
-		labels := ""
-		for _, l := range pr.Labels {
-			labels += fmt.Sprintf(`<span class="label" style="color:#%s;border:1px solid #%s">%s</span>`,
-				l.Color, l.Color, template.HTMLEscapeString(l.Name))
-		}
+	renderPage(w, r, "Pull Requests", "pulls", buf.String())
+}
 
-		stats := fmt.Sprintf(`<span style="color:#3fb950">+%d</span> <span style="color:#f85149">-%d</span>`, pr.Additions, pr.Deletions)
-		mergeStatus := ""
-		if pr.Mergeable {
-			mergeStatus = `<span style="color:#3fb950;font-size:0.7rem;">mergeable</span>`
-		}
+// IssueDetail handles GET /issues/{owner}/{repo}/{index}.
+func (h *Handler) IssueDetail(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	owner := r.PathValue("owner")
+	repo := r.PathValue("repo")
+	indexStr := r.PathValue("index")
 
-		content += fmt.Sprintf(`<div class="card">
-  <div class="card-title"><span class="type-badge type-pull">PR</span> %s</div>
-  <div class="card-meta">%s/%s #%d %s %s %s</div>
-</div>`, template.HTMLEscapeString(pr.Title),
-			template.HTMLEscapeString(pr.RepoOwner),
-			template.HTMLEscapeString(pr.RepoName),
-			pr.Number, labels, stats, mergeStatus)
+	index, err := strconv.ParseInt(indexStr, 10, 64)
+	if err != nil {
+		http.Error(w, "invalid issue index", http.StatusBadRequest)
+		return
 	}
 
-	renderPage(w, r, "Pull Requests", "pulls", content)
+	issue, err := h.Client.GetIssue(r.Context(), token, owner, repo, index)
+	if err != nil {
+		slog.Error("failed to get issue", "error", err, "owner", owner, "repo", repo, "index", index)
+		renderPage(w, r, "Issue Not Found", "issues",
+			`<h1>Issue Not Found</h1><p class="empty">Could not load the requested issue.</p>`)
+		return
+	}
+
+	comments, err := h.Client.GetIssueComments(r.Context(), token, owner, repo, index)
+	if err != nil {
+		slog.Error("failed to get comments", "error", err)
+		comments = nil // non-fatal, render without comments
+	}
+
+	labels, err := h.Client.GetRepoLabels(r.Context(), token, owner, repo)
+	if err != nil {
+		slog.Error("failed to get repo labels", "error", err)
+		labels = nil
+	}
+
+	collaborators, err := h.Client.ListCollaborators(r.Context(), token, owner, repo)
+	if err != nil {
+		slog.Error("failed to get collaborators", "error", err)
+		collaborators = nil
+	}
+
+	// Render markdown body if present.
+	var renderedBody template.HTML
+	if issue.Body != "" {
+		rendered, err := h.Client.RenderMarkdown(r.Context(), token, issue.Body)
+		if err != nil {
+			slog.Warn("failed to render issue body markdown, using plain text", "error", err)
+		} else {
+			renderedBody = template.HTML(rendered)
+		}
+	}
+
+	// Build the content HTML using the template.
+	tmpl, err := template.ParseFiles("internal/templates/issue_detail.html")
+	if err != nil {
+		slog.Error("failed to parse issue_detail template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
+		return
+	}
+
+	type templateData struct {
+		Issue           *giteaclient.Issue
+		RenderedBody    template.HTML
+		Comments        []giteaclient.Comment
+		AvailableLabels []giteaclient.Label
+		Collaborators   []string
+	}
+
+	data := templateData{
+		Issue:           issue,
+		RenderedBody:    renderedBody,
+		Comments:        comments,
+		AvailableLabels: labels,
+		Collaborators:   collaborators,
+	}
+
+	var buf strings.Builder
+	if err := tmpl.ExecuteTemplate(&buf, "content", data); err != nil {
+		slog.Error("failed to execute issue_detail template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
+		return
+	}
+
+	renderPage(w, r, fmt.Sprintf("Issue #%d", index), "issues", buf.String())
+}
+
+// PullDetail handles GET /pulls/{owner}/{repo}/{index}.
+func (h *Handler) PullDetail(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	owner := r.PathValue("owner")
+	repo := r.PathValue("repo")
+	indexStr := r.PathValue("index")
+
+	index, err := strconv.ParseInt(indexStr, 10, 64)
+	if err != nil {
+		http.Error(w, "invalid PR index", http.StatusBadRequest)
+		return
+	}
+
+	pr, err := h.Client.GetPull(r.Context(), token, owner, repo, index)
+	if err != nil {
+		slog.Error("failed to get pull request", "error", err, "owner", owner, "repo", repo, "index", index)
+		renderPage(w, r, "PR Not Found", "pulls",
+			`<h1>Pull Request Not Found</h1><p class="empty">Could not load the requested pull request.</p>`)
+		return
+	}
+
+	// Render markdown body if present.
+	var renderedBody template.HTML
+	if pr.Body != "" {
+		rendered, err := h.Client.RenderMarkdown(r.Context(), token, pr.Body)
+		if err != nil {
+			slog.Warn("failed to render PR body markdown, using plain text", "error", err)
+		} else {
+			renderedBody = template.HTML(rendered)
+		}
+	}
+
+	// Fetch comments for this PR (Gitea uses the issues endpoint for PR comments).
+	comments, err := h.Client.GetIssueComments(r.Context(), token, owner, repo, index)
+	if err != nil {
+		slog.Warn("failed to fetch PR comments", "error", err, "owner", owner, "repo", repo, "index", index)
+		// Non-fatal: continue rendering without comments.
+	}
+
+	// Build the content HTML using the template.
+	tmpl, err := template.ParseFiles("internal/templates/pull_detail.html")
+	if err != nil {
+		slog.Error("failed to parse pull_detail template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
+		return
+	}
+
+	type templateData struct {
+		Pull         *giteaclient.PullRequest
+		RenderedBody template.HTML
+		Comments     []giteaclient.Comment
+	}
+
+	data := templateData{
+		Pull:         pr,
+		RenderedBody: renderedBody,
+		Comments:     comments,
+	}
+
+	var buf strings.Builder
+	if err := tmpl.ExecuteTemplate(&buf, "content", data); err != nil {
+		slog.Error("failed to execute pull_detail template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
+		return
+	}
+
+	renderPage(w, r, fmt.Sprintf("PR #%d", index), "pulls", buf.String())
+}
+
+// NewIssue handles GET /issues/new — renders the create-issue form.
+func (h *Handler) NewIssue(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+
+	repos, err := h.Client.ListOrgsAndRepos(r.Context(), token)
+	if err != nil {
+		slog.Error("failed to list repos for new issue form", "error", err)
+		renderPage(w, r, "New Issue", "issues",
+			`<h1>New Issue</h1><p class="empty">Error loading repositories.</p>`)
+		return
+	}
+
+	tmpl, err := template.ParseFiles("internal/templates/create_issue.html")
+	if err != nil {
+		slog.Error("failed to parse create_issue template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
+		return
+	}
+
+	type templateData struct {
+		Repos map[string][]giteaclient.Repo
+	}
+
+	data := templateData{Repos: repos}
+
+	var buf strings.Builder
+	if err := tmpl.ExecuteTemplate(&buf, "content", data); err != nil {
+		slog.Error("failed to execute create_issue template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
+		return
+	}
+
+	renderPage(w, r, "New Issue", "issues", buf.String())
+}
+
+// NewIssueLabels handles GET /issues/new/labels — returns label checkboxes for a repo.
+func (h *Handler) NewIssueLabels(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	owner := r.URL.Query().Get("owner")
+	repo := r.URL.Query().Get("repo")
+
+	if owner == "" || repo == "" {
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		fmt.Fprint(w, `<span class="empty">Select a repository first.</span>`)
+		return
+	}
+
+	labels, err := h.Client.GetRepoLabels(r.Context(), token, owner, repo)
+	if err != nil {
+		slog.Error("failed to fetch labels", "error", err, "owner", owner, "repo", repo)
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		fmt.Fprint(w, `<span class="empty">Error loading labels.</span>`)
+		return
+	}
+
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	if len(labels) == 0 {
+		fmt.Fprint(w, `<span class="empty">No labels available for this repository.</span>`)
+		return
+	}
+
+	for _, l := range labels {
+		fmt.Fprintf(w, `<label style="display:inline-block;margin:0.25rem 0.5rem 0.25rem 0;cursor:pointer;"><input type="checkbox" name="label_ids" value="%d" style="margin-right:0.25rem;"> <span class="label" style="color:#%s;border:1px solid #%s">%s</span></label>`,
+			l.ID, template.HTMLEscapeString(l.Color), template.HTMLEscapeString(l.Color), template.HTMLEscapeString(l.Name))
+	}
 }
 
 // CreateIssue handles POST /issues.
@@ -342,14 +735,35 @@ func (h *Handler) CreateIssue(w http.ResponseWriter, r *http.Request) {
 	title := r.FormValue("title")
 	body := r.FormValue("body")
 
+	// Parse label IDs from form checkboxes.
+	var labelIDs []int64
+	for _, idStr := range r.Form["label_ids"] {
+		id, err := strconv.ParseInt(idStr, 10, 64)
+		if err == nil {
+			labelIDs = append(labelIDs, id)
+		}
+	}
+
 	if owner == "" || repo == "" || title == "" {
+		if isHTMX(r) {
+			w.Header().Set("Content-Type", "text/html; charset=utf-8")
+			w.WriteHeader(http.StatusBadRequest)
+			fmt.Fprint(w, `<span class="empty">owner, repo, and title are required</span>`)
+			return
+		}
 		http.Error(w, "owner, repo, and title are required", http.StatusBadRequest)
 		return
 	}
 
-	issue, err := h.Client.CreateIssue(r.Context(), token, owner, repo, title, body, nil)
+	issue, err := h.Client.CreateIssue(r.Context(), token, owner, repo, title, body, labelIDs)
 	if err != nil {
 		slog.Error("failed to create issue", "error", err)
+		if isHTMX(r) {
+			w.Header().Set("Content-Type", "text/html; charset=utf-8")
+			w.WriteHeader(http.StatusInternalServerError)
+			fmt.Fprint(w, `<span class="empty">Failed to create issue. Please try again.</span>`)
+			return
+		}
 		http.Error(w, "failed to create issue", http.StatusInternalServerError)
 		return
 	}
@@ -410,6 +824,210 @@ func (h *Handler) ApplyLabels(w http.ResponseWriter, r *http.Request) {
 	http.Redirect(w, r, fmt.Sprintf("/issues/%s/%s/%d", owner, repo, index), http.StatusSeeOther)
 }
 
+// AssignIssue handles POST /issues/{owner}/{repo}/{index}/assignees.
+func (h *Handler) AssignIssue(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	owner := r.PathValue("owner")
+	repo := r.PathValue("repo")
+	indexStr := r.PathValue("index")
+
+	index, err := strconv.ParseInt(indexStr, 10, 64)
+	if err != nil {
+		http.Error(w, "invalid issue index", http.StatusBadRequest)
+		return
+	}
+
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, "bad request", http.StatusBadRequest)
+		return
+	}
+
+	assignee := r.FormValue("assignee")
+	if assignee == "" {
+		http.Error(w, "assignee is required", http.StatusBadRequest)
+		return
+	}
+
+	if err := h.Client.AssignIssue(r.Context(), token, owner, repo, index, []string{assignee}); err != nil {
+		slog.Error("failed to assign issue", "error", err, "owner", owner, "repo", repo, "index", index, "assignee", assignee)
+		http.Error(w, "failed to assign issue", http.StatusInternalServerError)
+		return
+	}
+
+	if isHTMX(r) {
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		fmt.Fprintf(w, `<span style="color:#3fb950">Assigned to %s</span>`, template.HTMLEscapeString(assignee))
+		return
+	}
+
+	http.Redirect(w, r, fmt.Sprintf("/issues/%s/%s/%d", owner, repo, index), http.StatusSeeOther)
+}
+
+// CloseIssue handles POST /issues/{owner}/{repo}/{index}/close.
+func (h *Handler) CloseIssue(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	owner := r.PathValue("owner")
+	repo := r.PathValue("repo")
+	indexStr := r.PathValue("index")
+
+	index, err := strconv.ParseInt(indexStr, 10, 64)
+	if err != nil {
+		http.Error(w, "invalid issue index", http.StatusBadRequest)
+		return
+	}
+
+	if err := h.Client.CloseIssue(r.Context(), token, owner, repo, index); err != nil {
+		slog.Error("failed to close issue", "error", err, "owner", owner, "repo", repo, "index", index)
+		http.Error(w, "failed to close issue", http.StatusInternalServerError)
+		return
+	}
+
+	if isHTMX(r) {
+		w.Header().Set("HX-Redirect", fmt.Sprintf("/issues/%s/%s/%d", owner, repo, index))
+		w.WriteHeader(http.StatusOK)
+		return
+	}
+
+	http.Redirect(w, r, fmt.Sprintf("/issues/%s/%s/%d", owner, repo, index), http.StatusSeeOther)
+}
+
+// SetIssueState handles POST /issues/{owner}/{repo}/{index}/state.
+func (h *Handler) SetIssueState(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	owner := r.PathValue("owner")
+	repo := r.PathValue("repo")
+	indexStr := r.PathValue("index")
+
+	index, err := strconv.ParseInt(indexStr, 10, 64)
+	if err != nil {
+		http.Error(w, "invalid issue index", http.StatusBadRequest)
+		return
+	}
+
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, "bad request", http.StatusBadRequest)
+		return
+	}
+
+	state := r.FormValue("state")
+	if state != "open" && state != "closed" {
+		http.Error(w, "state must be 'open' or 'closed'", http.StatusBadRequest)
+		return
+	}
+
+	if err := h.Client.SetIssueState(r.Context(), token, owner, repo, index, state); err != nil {
+		slog.Error("failed to set issue state", "error", err, "owner", owner, "repo", repo, "index", index, "state", state)
+		http.Error(w, "failed to update issue state", http.StatusInternalServerError)
+		return
+	}
+
+	if isHTMX(r) {
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		if state == "closed" {
+			fmt.Fprintf(w, `<span class="state-closed" id="issue-state">closed</span>
+<button class="btn btn-secondary" hx-post="/issues/%s/%s/%d/state" hx-vals='{"state":"open"}' hx-target="#state-section" hx-swap="innerHTML">Reopen Issue</button>`,
+				template.HTMLEscapeString(owner), template.HTMLEscapeString(repo), index)
+		} else {
+			fmt.Fprintf(w, `<span class="state-open" id="issue-state">open</span>
+<button class="btn btn-danger" hx-post="/issues/%s/%s/%d/state" hx-vals='{"state":"closed"}' hx-target="#state-section" hx-swap="innerHTML">Close Issue</button>`,
+				template.HTMLEscapeString(owner), template.HTMLEscapeString(repo), index)
+		}
+		return
+	}
+
+	http.Redirect(w, r, fmt.Sprintf("/issues/%s/%s/%d", owner, repo, index), http.StatusSeeOther)
+}
+
+// SetPullState handles POST /pulls/{owner}/{repo}/{index}/state.
+func (h *Handler) SetPullState(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	owner := r.PathValue("owner")
+	repo := r.PathValue("repo")
+	indexStr := r.PathValue("index")
+
+	index, err := strconv.ParseInt(indexStr, 10, 64)
+	if err != nil {
+		http.Error(w, "invalid pull request index", http.StatusBadRequest)
+		return
+	}
+
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, "bad request", http.StatusBadRequest)
+		return
+	}
+
+	state := r.FormValue("state")
+	if state != "open" && state != "closed" {
+		http.Error(w, "state must be 'open' or 'closed'", http.StatusBadRequest)
+		return
+	}
+
+	if err := h.Client.SetIssueState(r.Context(), token, owner, repo, index, state); err != nil {
+		slog.Error("failed to set pull request state", "error", err, "owner", owner, "repo", repo, "index", index, "state", state)
+		http.Error(w, "failed to update pull request state", http.StatusInternalServerError)
+		return
+	}
+
+	if isHTMX(r) {
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		if state == "closed" {
+			fmt.Fprintf(w, `<span class="state-closed" id="pull-state">closed</span>
+<button class="btn btn-secondary" hx-post="/pulls/%s/%s/%d/state" hx-vals='{"state":"open"}' hx-target="#state-section" hx-swap="innerHTML">Reopen PR</button>`,
+				template.HTMLEscapeString(owner), template.HTMLEscapeString(repo), index)
+		} else {
+			fmt.Fprintf(w, `<span class="state-open" id="pull-state">open</span>
+<button class="btn btn-danger" hx-post="/pulls/%s/%s/%d/state" hx-vals='{"state":"closed"}' hx-target="#state-section" hx-swap="innerHTML">Close PR</button>`,
+				template.HTMLEscapeString(owner), template.HTMLEscapeString(repo), index)
+		}
+		return
+	}
+
+	http.Redirect(w, r, fmt.Sprintf("/pulls/%s/%s/%d", owner, repo, index), http.StatusSeeOther)
+}
+
+// AddComment handles POST /issues/{owner}/{repo}/{index}/comment.
+func (h *Handler) AddComment(w http.ResponseWriter, r *http.Request) {
+	token := getToken(r)
+	owner := r.PathValue("owner")
+	repo := r.PathValue("repo")
+	indexStr := r.PathValue("index")
+
+	index, err := strconv.ParseInt(indexStr, 10, 64)
+	if err != nil {
+		http.Error(w, "invalid issue index", http.StatusBadRequest)
+		return
+	}
+
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, "bad request", http.StatusBadRequest)
+		return
+	}
+
+	body := r.FormValue("body")
+	if body == "" {
+		http.Error(w, "comment body is required", http.StatusBadRequest)
+		return
+	}
+
+	comment, err := h.Client.PostComment(r.Context(), token, owner, repo, index, body)
+	if err != nil {
+		slog.Error("failed to post comment", "error", err, "owner", owner, "repo", repo, "index", index)
+		http.Error(w, "failed to post comment", http.StatusInternalServerError)
+		return
+	}
+
+	if isHTMX(r) {
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		fmt.Fprintf(w, `<div class="card comment">
+  <div class="card-meta">%s &middot; %s</div>
+  <div class="card-body">%s</div>
+</div>`, template.HTMLEscapeString(comment.User), template.HTMLEscapeString(comment.CreatedAt), template.HTMLEscapeString(comment.Body))
+		return
+	}
+
+	http.Redirect(w, r, fmt.Sprintf("/issues/%s/%s/%d", owner, repo, index), http.StatusSeeOther)
+}
+
 // SubmitReview handles POST /pulls/{owner}/{repo}/{index}/review.
 func (h *Handler) SubmitReview(w http.ResponseWriter, r *http.Request) {
 	token := getToken(r)

internal/handlers/handlers_test.go

@@ -135,6 +135,135 @@ func TestSubmitReview_MissingEventType(t *testing.T) {
 	}
 }
 
+func TestSetIssueState_InvalidState(t *testing.T) {
+	h := newTestHandler()
+	mux := http.NewServeMux()
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/state", h.SetIssueState)
+
+	req := httptest.NewRequest(http.MethodPost, "/issues/org/repo/1/state", nil)
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	w := httptest.NewRecorder()
+
+	mux.ServeHTTP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusBadRequest)
+	}
+}
+
+func TestSetIssueState_InvalidIndex(t *testing.T) {
+	h := newTestHandler()
+	mux := http.NewServeMux()
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/state", h.SetIssueState)
+
+	req := httptest.NewRequest(http.MethodPost, "/issues/org/repo/abc/state", nil)
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	w := httptest.NewRecorder()
+
+	mux.ServeHTTP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusBadRequest)
+	}
+}
+
+func TestAddComment_EmptyBody(t *testing.T) {
+	h := newTestHandler()
+	mux := http.NewServeMux()
+	mux.HandleFunc("POST /issues/{owner}/{repo}/{index}/comments", h.AddComment)
+
+	req := httptest.NewRequest(http.MethodPost, "/issues/org/repo/1/comments", nil)
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	w := httptest.NewRecorder()
+
+	mux.ServeHTTP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusBadRequest)
+	}
+}
+
+func TestErrorNotFound(t *testing.T) {
+	h := newTestHandler()
+	req := httptest.NewRequest(http.MethodGet, "/nonexistent", nil)
+	w := httptest.NewRecorder()
+
+	h.ErrorNotFound(w, req)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusNotFound)
+	}
+	body := w.Body.String()
+	if body == "" {
+		t.Error("expected non-empty response body")
+	}
+	if !contains(body, "404") {
+		t.Error("expected body to contain '404'")
+	}
+	if !contains(body, "Page Not Found") {
+		t.Error("expected body to contain 'Page Not Found'")
+	}
+}
+
+func TestErrorInternal(t *testing.T) {
+	h := newTestHandler()
+	req := httptest.NewRequest(http.MethodGet, "/error", nil)
+	w := httptest.NewRecorder()
+
+	h.ErrorInternal(w, req)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusInternalServerError)
+	}
+	body := w.Body.String()
+	if body == "" {
+		t.Error("expected non-empty response body")
+	}
+	if !contains(body, "500") {
+		t.Error("expected body to contain '500'")
+	}
+	if !contains(body, "Internal Server Error") {
+		t.Error("expected body to contain 'Internal Server Error'")
+	}
+}
+
+func TestDashboard_NonRootPath_Returns404(t *testing.T) {
+	h := newTestHandler()
+	req := httptest.NewRequest(http.MethodGet, "/unknown/path", nil)
+	w := httptest.NewRecorder()
+
+	h.Dashboard(w, req)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusNotFound)
+	}
+	body := w.Body.String()
+	if !contains(body, "404") {
+		t.Error("expected body to contain '404' for non-root path")
+	}
+}
+
+func TestErrorNotFound_HTMX(t *testing.T) {
+	h := newTestHandler()
+	req := httptest.NewRequest(http.MethodGet, "/nonexistent", nil)
+	req.Header.Set("HX-Request", "true")
+	w := httptest.NewRecorder()
+
+	h.ErrorNotFound(w, req)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusNotFound)
+	}
+	body := w.Body.String()
+	// HTMX response should not contain DOCTYPE.
+	if contains(body, "<!DOCTYPE") {
+		t.Error("HTMX response should not contain DOCTYPE")
+	}
+	if !contains(body, "Page Not Found") {
+		t.Error("expected body to contain 'Page Not Found'")
+	}
+}
+
 func contains(s, substr string) bool {
 	return len(s) >= len(substr) && searchString(s, substr)
 }

internal/handlers/settings.go

@@ -2,6 +2,7 @@ package handlers
 
 import (
 	"html/template"
+	"log/slog"
 	"net/http"
 	"strings"
 
@@ -9,89 +10,7 @@ import (
 	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/middleware"
 )
 
-var settingsTemplate = template.Must(template.New("settings").Parse(`<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="UTF-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1.0, viewport-fit=cover">
-  <title>Settings — Gitea Mobile</title>
-  <style>
-    * { box-sizing: border-box; margin: 0; padding: 0; }
-    body {
-      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
-      background: #0d1117; color: #e6edf3;
-      padding: 1rem;
-      padding-top: max(1rem, env(safe-area-inset-top));
-    }
-    h1 { font-size: 1.5rem; margin-bottom: 1rem; }
-    .card {
-      background: #161b22; border: 1px solid #30363d; border-radius: 8px;
-      padding: 1rem; margin-bottom: 1rem;
-    }
-    label { display: block; font-size: 0.875rem; color: #8b949e; margin-bottom: 0.5rem; }
-    input[type="text"], input[type="password"] {
-      width: 100%; padding: 0.5rem; font-size: 1rem;
-      background: #0d1117; border: 1px solid #30363d; border-radius: 6px;
-      color: #e6edf3; margin-bottom: 1rem;
-    }
-    input:focus { outline: none; border-color: #58a6ff; }
-    button {
-      width: 100%; padding: 0.75rem; font-size: 1rem; font-weight: 600;
-      background: #238636; color: #fff; border: none; border-radius: 6px;
-      cursor: pointer;
-    }
-    button:active { background: #2ea043; }
-    .message {
-      padding: 0.75rem; border-radius: 6px; margin-bottom: 1rem;
-      font-size: 0.875rem;
-    }
-    .message.success { background: #0d2818; border: 1px solid #238636; color: #3fb950; }
-    .message.error { background: #2d1117; border: 1px solid #da3633; color: #f85149; }
-    .message.info { background: #0c1d2e; border: 1px solid #1f6feb; color: #58a6ff; }
-    .hint { font-size: 0.75rem; color: #8b949e; margin-top: 0.25rem; margin-bottom: 1rem; }
-    .status { font-size: 0.875rem; color: #8b949e; }
-    .status .connected { color: #3fb950; }
-    .logout-btn {
-      background: #21262d; border: 1px solid #30363d; margin-top: 0.5rem;
-    }
-    .logout-btn:active { background: #30363d; }
-  </style>
-</head>
-<body>
-  <h1>Settings</h1>
-
-  {{if .Message}}
-  <div class="message {{.MessageType}}">{{.Message}}</div>
-  {{end}}
-
-  {{if .HasToken}}
-  <div class="card">
-    <p class="status">Status: <span class="connected">Connected</span></p>
-    <p class="hint">A Gitea API token is configured.</p>
-    <form method="POST" action="/settings">
-      <input type="hidden" name="action" value="logout">
-      <button type="submit" class="logout-btn">Remove Token</button>
-    </form>
-  </div>
-  {{end}}
-
-  <div class="card">
-    <form method="POST" action="/settings">
-      <input type="hidden" name="action" value="save">
-      <label for="token">Gitea API Token</label>
-      <input type="password" id="token" name="token" placeholder="Enter your Gitea API token" required>
-      <p class="hint">Generate a token at your Gitea instance under Settings &rarr; Applications.</p>
-      <button type="submit">{{if .HasToken}}Update Token{{else}}Save Token{{end}}</button>
-    </form>
-  </div>
-
-  {{if .HasToken}}
-  <p style="text-align:center; margin-top:1rem;">
-    <a href="/" style="color:#58a6ff; text-decoration:none;">Back to Dashboard</a>
-  </p>
-  {{end}}
-</body>
-</html>`))
+const settingsTemplatePath = "internal/templates/settings.html"
 
 // SettingsHandler handles GET and POST requests for the settings page.
 type SettingsHandler struct {
@@ -126,8 +45,7 @@ func (h *SettingsHandler) handleGet(w http.ResponseWriter, r *http.Request) {
 	}
 
 	data := settingsData{HasToken: hasToken}
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
-	settingsTemplate.Execute(w, data)
+	h.renderSettings(w, data)
 }
 
 func (h *SettingsHandler) handlePost(w http.ResponseWriter, r *http.Request) {
@@ -172,6 +90,18 @@ func (h *SettingsHandler) renderWithMessage(w http.ResponseWriter, r *http.Reque
 		Message:     msg,
 		MessageType: msgType,
 	}
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
-	settingsTemplate.Execute(w, data)
+	h.renderSettings(w, data)
+}
+
+func (h *SettingsHandler) renderSettings(w http.ResponseWriter, data settingsData) {
+	tmpl, err := template.ParseFiles(settingsTemplatePath)
+	if err != nil {
+		slog.Error("failed to parse settings template", "error", err)
+		http.Error(w, "template error", http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	if err := tmpl.Execute(w, data); err != nil {
+		slog.Error("failed to execute settings template", "error", err)
+	}
 }

internal/middleware/auth.go

@@ -23,9 +23,12 @@ func TokenFromContext(ctx context.Context) string {
 }
 
 // Auth returns middleware that checks for a valid token cookie.
+// If no cookie token is found and fallbackToken is non-empty, the fallback
+// token is used instead (useful for single-user or service-account deployments
+// where GITEA_TOKEN is set in the environment).
 // Unauthenticated requests are redirected to the settings page.
 // The /health, /settings, and /static/ paths are exempt from auth.
-func Auth(sessionSecret string) func(http.Handler) http.Handler {
+func Auth(sessionSecret, fallbackToken string) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			// Skip auth for exempt paths.
@@ -37,6 +40,13 @@ func Auth(sessionSecret string) func(http.Handler) http.Handler {
 
 			token, err := auth.GetToken(r, sessionSecret)
 			if err != nil || token == "" {
+				// Fall back to environment token if available.
+				if fallbackToken != "" {
+					slog.Debug("using fallback token from environment", "path", path)
+					ctx := context.WithValue(r.Context(), TokenContextKey, fallbackToken)
+					next.ServeHTTP(w, r.WithContext(ctx))
+					return
+				}
 				slog.Debug("unauthenticated request, redirecting to settings", "path", path, "error", err)
 				http.Redirect(w, r, "/settings", http.StatusSeeOther)
 				return

internal/middleware/auth_test.go

@@ -11,7 +11,7 @@ import (
 const testSecret = "test-secret-that-is-at-least-32-chars-long"
 
 func TestAuth_HealthBypass(t *testing.T) {
-	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 
@@ -25,7 +25,7 @@ func TestAuth_HealthBypass(t *testing.T) {
 }
 
 func TestAuth_SettingsBypass(t *testing.T) {
-	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 
@@ -39,7 +39,7 @@ func TestAuth_SettingsBypass(t *testing.T) {
 }
 
 func TestAuth_RedirectWithoutToken(t *testing.T) {
-	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 
@@ -57,7 +57,7 @@ func TestAuth_RedirectWithoutToken(t *testing.T) {
 
 func TestAuth_PassWithToken(t *testing.T) {
 	called := false
-	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		called = true
 		token := TokenFromContext(r.Context())
 		if token != "my-token" {
@@ -83,3 +83,72 @@ func TestAuth_PassWithToken(t *testing.T) {
 		t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
 	}
 }
+
+func TestAuth_FallbackToken_UsedWhenNoCookie(t *testing.T) {
+	called := false
+	handler := Auth(testSecret, "env-fallback-token")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		called = true
+		token := TokenFromContext(r.Context())
+		if token != "env-fallback-token" {
+			t.Errorf("token = %q, want %q", token, "env-fallback-token")
+		}
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if !called {
+		t.Error("next handler was not called with fallback token")
+	}
+	if w.Code != http.StatusOK {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
+	}
+}
+
+func TestAuth_FallbackToken_CookieTakesPrecedence(t *testing.T) {
+	called := false
+	handler := Auth(testSecret, "env-fallback-token")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		called = true
+		token := TokenFromContext(r.Context())
+		if token != "cookie-token" {
+			t.Errorf("token = %q, want %q (cookie should take precedence over fallback)", token, "cookie-token")
+		}
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	// Set a cookie token.
+	cookieW := httptest.NewRecorder()
+	auth.SetTokenCookie(cookieW, "cookie-token", testSecret, false)
+	cookie := cookieW.Result().Cookies()[0]
+
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req.AddCookie(cookie)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if !called {
+		t.Error("next handler was not called")
+	}
+	if w.Code != http.StatusOK {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
+	}
+}
+
+func TestAuth_NoFallbackToken_RedirectsWithoutCookie(t *testing.T) {
+	handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/issues", nil)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != http.StatusSeeOther {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusSeeOther)
+	}
+	if loc := w.Header().Get("Location"); loc != "/settings" {
+		t.Errorf("Location = %q, want %q", loc, "/settings")
+	}
+}

internal/templates/create_issue.html

@@ -1,23 +1,29 @@
 {{define "content"}}
 <h1>Create Issue</h1>
 
-<form hx-post="/issues" hx-swap="innerHTML" hx-target="#main-content">
+<div id="form-error" class="empty" style="display:none;"></div>
+
+<form id="create-issue-form" hx-post="/issues" hx-swap="innerHTML" hx-target="#main-content">
   <div class="form-group">
     <label for="repo-select">Repository</label>
-    <select id="repo-select" name="owner_repo" required>
-      <option value="">Select a repository...</option>
+    <input list="repo-options" id="repo-select" name="owner_repo"
+           placeholder="Type to search repositories..." required autocomplete="off">
+    <datalist id="repo-options">
       {{range $org, $repos := .Repos}}
-      <optgroup label="{{$org}}">
         {{range $repos}}
         <option value="{{.Owner.Login}}/{{.Name}}">{{.FullName}}</option>
         {{end}}
-      </optgroup>
       {{end}}
-    </select>
+    </datalist>
     <input type="hidden" name="owner" id="owner-input">
     <input type="hidden" name="repo" id="repo-input">
   </div>
 
+  <div class="form-group" id="label-section" style="display:none;">
+    <label>Labels</label>
+    <div id="label-list"></div>
+  </div>
+
   <div class="form-group">
     <label for="title">Title</label>
     <input type="text" id="title" name="title" placeholder="Issue title" required>
@@ -32,11 +38,88 @@
 </form>
 
 <script>
-  // Split owner/repo from select into hidden fields.
-  document.getElementById('repo-select').addEventListener('change', function() {
-    var parts = this.value.split('/');
-    document.getElementById('owner-input').value = parts[0] || '';
-    document.getElementById('repo-input').value = parts[1] || '';
-  });
+  (function() {
+    var repoSelect = document.getElementById('repo-select');
+    var ownerInput = document.getElementById('owner-input');
+    var repoInput = document.getElementById('repo-input');
+    var formError = document.getElementById('form-error');
+
+    // Build a set of valid repo values for validation.
+    var validRepos = {};
+    var options = document.getElementById('repo-options').options;
+    for (var i = 0; i < options.length; i++) {
+      validRepos[options[i].value] = true;
+    }
+
+    function splitOwnerRepo() {
+      var val = repoSelect.value;
+      if (val && val.indexOf('/') !== -1) {
+        var parts = val.split('/');
+        ownerInput.value = parts[0] || '';
+        repoInput.value = parts[1] || '';
+      } else {
+        ownerInput.value = '';
+        repoInput.value = '';
+      }
+    }
+
+    var debounceTimer = null;
+    repoSelect.addEventListener('input', function() {
+      clearTimeout(debounceTimer);
+      debounceTimer = setTimeout(function() {
+        splitOwnerRepo();
+        var labelSection = document.getElementById('label-section');
+        var labelList = document.getElementById('label-list');
+        if (ownerInput.value && repoInput.value && validRepos[repoSelect.value]) {
+          labelList.innerHTML = '<span class="empty">Loading labels...</span>';
+          labelSection.style.display = 'block';
+          htmx.ajax('GET', '/issues/new/labels?owner=' + encodeURIComponent(ownerInput.value) + '&repo=' + encodeURIComponent(repoInput.value), {target: '#label-list', swap: 'innerHTML'});
+        } else {
+          labelSection.style.display = 'none';
+          labelList.innerHTML = '';
+        }
+      }, 300);
+    });
+
+    // Also handle the change event for when a datalist option is selected directly.
+    repoSelect.addEventListener('change', function() {
+      clearTimeout(debounceTimer);
+      splitOwnerRepo();
+      var labelSection = document.getElementById('label-section');
+      var labelList = document.getElementById('label-list');
+      if (ownerInput.value && repoInput.value && validRepos[repoSelect.value]) {
+        labelList.innerHTML = '<span class="empty">Loading labels...</span>';
+        labelSection.style.display = 'block';
+        htmx.ajax('GET', '/issues/new/labels?owner=' + encodeURIComponent(ownerInput.value) + '&repo=' + encodeURIComponent(repoInput.value), {target: '#label-list', swap: 'innerHTML'});
+      } else {
+        labelSection.style.display = 'none';
+        labelList.innerHTML = '';
+      }
+    });
+
+    // Validate before HTMX submit.
+    document.getElementById('create-issue-form').addEventListener('htmx:configRequest', function(evt) {
+      splitOwnerRepo();
+      if (!ownerInput.value || !repoInput.value) {
+        evt.preventDefault();
+        formError.textContent = 'Please select a repository before submitting.';
+        formError.style.display = 'block';
+        return false;
+      }
+      if (!validRepos[repoSelect.value]) {
+        evt.preventDefault();
+        formError.textContent = 'Please select a valid repository from the list.';
+        formError.style.display = 'block';
+        return false;
+      }
+      formError.style.display = 'none';
+    });
+
+    // Show server-side errors inline on HTMX error responses.
+    document.getElementById('create-issue-form').addEventListener('htmx:responseError', function(evt) {
+      formError.textContent = evt.detail.xhr.responseText || 'An error occurred. Please try again.';
+      formError.style.display = 'block';
+    });
+  })();
 </script>
 {{end}}

internal/templates/dashboard.html

@@ -1,6 +1,17 @@
 {{define "content"}}
 <h1>Dashboard</h1>
 
+{{if gt (len .Orgs) 1}}
+<div class="filter-bar">
+  <select name="org" hx-get="/" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true">
+    <option value="">All orgs</option>
+    {{range .Orgs}}
+    <option value="{{.}}" {{if eq . $.SelectedOrg}}selected{{end}}>{{.}}</option>
+    {{end}}
+  </select>
+</div>
+{{end}}
+
 {{if .Error}}
 <p class="empty">{{.Error}}</p>
 {{else if not .Items}}

internal/templates/error.html

@@ -0,0 +1,23 @@
+{{define "content"}}
+<div class="error-page">
+  <div class="error-icon">
+    {{if eq .Code 404}}
+    <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" width="64" height="64">
+      <circle cx="11" cy="11" r="8"/>
+      <line x1="21" y1="21" x2="16.65" y2="16.65"/>
+      <line x1="8" y1="11" x2="14" y2="11"/>
+    </svg>
+    {{else}}
+    <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" width="64" height="64">
+      <path d="M10.29 3.86L1.82 18a2 2 0 001.71 3h16.94a2 2 0 001.71-3L13.71 3.86a2 2 0 00-3.42 0z"/>
+      <line x1="12" y1="9" x2="12" y2="13"/>
+      <line x1="12" y1="17" x2="12.01" y2="17"/>
+    </svg>
+    {{end}}
+  </div>
+  <h1 class="error-code">{{.Code}}</h1>
+  <p class="error-title">{{.Title}}</p>
+  <p class="error-message">{{.Message}}</p>
+  <a href="/" class="error-home-link">Go to Dashboard</a>
+</div>
+{{end}}

internal/templates/issue_detail.html

@@ -3,19 +3,30 @@
 
 <div class="card">
   <div class="card-meta">
-    <span class="state-open">{{.Issue.State}}</span>
+    <span id="state-section">
+      {{if eq .Issue.State "closed"}}
+      <span class="state-closed" id="issue-state">{{.Issue.State}}</span>
+      <button class="btn btn-secondary" hx-post="/issues/{{.Issue.RepoOwner}}/{{.Issue.RepoName}}/{{.Issue.Number}}/state" hx-vals='{"state":"open"}' hx-target="#state-section" hx-swap="innerHTML">Reopen Issue</button>
+      {{else}}
+      <span class="state-open" id="issue-state">{{.Issue.State}}</span>
+      <button class="btn btn-danger" hx-post="/issues/{{.Issue.RepoOwner}}/{{.Issue.RepoName}}/{{.Issue.Number}}/state" hx-vals='{"state":"closed"}' hx-target="#state-section" hx-swap="innerHTML">Close Issue</button>
+      {{end}}
+    </span>
     <span>{{.Issue.RepoOwner}}/{{.Issue.RepoName}} #{{.Issue.Number}}</span>
     {{range .Issue.Labels}}
     <span class="label" style="color:#{{.Color}};border:1px solid #{{.Color}}">{{.Name}}</span>
     {{end}}
   </div>
-  {{if .Issue.Body}}
+  {{if .RenderedBody}}
+  <div class="card-body markdown-body">{{.RenderedBody}}</div>
+  {{else if .Issue.Body}}
   <div class="card-body">{{.Issue.Body}}</div>
   {{end}}
 </div>
 
 {{if .Comments}}
 <h2>Comments</h2>
+<div id="comments-list">
 {{range .Comments}}
 <div class="comment">
   <div class="comment-header">
@@ -25,10 +36,33 @@
   <div class="comment-body">{{.Body}}</div>
 </div>
 {{end}}
+</div>
+{{else}}
+<div id="comments-list"></div>
 {{end}}
 
+<div class="card" style="margin-top:1rem;">
+  <h2>Add Comment</h2>
+  <form hx-post="/issues/{{.Issue.RepoOwner}}/{{.Issue.RepoName}}/{{.Issue.Number}}/comments" hx-target="#comments-list" hx-swap="beforeend" hx-on::after-request="if(event.detail.successful) this.reset()">
+    <textarea name="body" rows="4" placeholder="Write a comment..." required style="width:100%;margin-bottom:0.5rem;"></textarea>
+    <button type="submit" class="btn btn-primary" style="width:auto;padding:0.5rem 1rem;">Comment</button>
+  </form>
+</div>
+
 <div class="card" style="margin-top:1rem;">
   <h2>Actions</h2>
+  {{if .Collaborators}}
+  <form hx-post="/issues/{{.Issue.RepoOwner}}/{{.Issue.RepoName}}/{{.Issue.Number}}/assignees" hx-swap="outerHTML" style="margin-bottom:0.5rem;">
+    <div class="filter-bar" style="margin-bottom:0.5rem;">
+      <select name="assignee">
+        {{range .Collaborators}}
+        <option value="{{.}}">{{.}}</option>
+        {{end}}
+      </select>
+      <button type="submit" class="btn btn-secondary" style="width:auto;padding:0.5rem 1rem;">Assign</button>
+    </div>
+  </form>
+  {{end}}
   <form hx-post="/issues/{{.Issue.RepoOwner}}/{{.Issue.RepoName}}/{{.Issue.Number}}/labels" hx-swap="outerHTML" style="margin-bottom:0.5rem;">
     <div class="filter-bar" style="margin-bottom:0.5rem;">
       <select name="label_id">

internal/templates/issues.html

@@ -1,25 +1,4 @@
-{{define "content"}}
-<h1>Issues</h1>
-
-<div class="filter-bar">
-  <select name="org" hx-get="/issues" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='state']">
-    <option value="">All orgs</option>
-    {{range .Orgs}}
-    <option value="{{.}}" {{if eq . $.SelectedOrg}}selected{{end}}>{{.}}</option>
-    {{end}}
-  </select>
-  <select name="state" hx-get="/issues" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org']">
-    <option value="open" {{if eq .SelectedState "open"}}selected{{end}}>Open</option>
-    <option value="closed" {{if eq .SelectedState "closed"}}selected{{end}}>Closed</option>
-  </select>
-</div>
-
-{{if .Error}}
-<p class="empty">{{.Error}}</p>
-{{else if not .Issues}}
-<p class="empty">No issues found.</p>
-{{else}}
-<div id="issue-list">
+{{define "cards"}}
   {{range .Issues}}
   <div class="card" hx-get="/issues/{{.RepoOwner}}/{{.RepoName}}/{{.Number}}" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true">
     <div class="card-title">{{.Title}}</div>
@@ -29,16 +8,50 @@
       <span class="label" style="color:#{{.Color}};border:1px solid #{{.Color}}">{{.Name}}</span>
       {{end}}
       {{if .Assignee}}
-      <span>{{.Assignee.Login}}</span>
+      <img src="{{.Assignee.AvatarURL}}" alt="{{.Assignee.Login}}" class="avatar" title="Assigned to {{.Assignee.Login}}">
       {{end}}
     </div>
   </div>
   {{end}}
   {{if .HasMore}}
-  <div class="scroll-sentinel" hx-get="/issues?page={{.NextPage}}&org={{.SelectedOrg}}&state={{.SelectedState}}" hx-trigger="revealed" hx-swap="outerHTML" hx-target="this">
+  <div class="scroll-sentinel" hx-get="/issues?page={{.NextPage}}&org={{.SelectedOrg}}&state={{.SelectedState}}&label={{.SelectedLabel}}&repo={{.SelectedRepo}}" hx-trigger="revealed" hx-swap="outerHTML" hx-target="this">
     <div class="spinner htmx-indicator"></div>
   </div>
   {{end}}
+{{end}}
+
+{{define "content"}}
+<h1>Issues</h1>
+
+<div class="filter-bar">
+  <select name="org" hx-get="/issues" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='state'],[name='label']">
+    <option value="">All orgs</option>
+    {{range .Orgs}}
+    <option value="{{.}}" {{if eq . $.SelectedOrg}}selected{{end}}>{{.}}</option>
+    {{end}}
+  </select>
+  {{if .Repos}}
+  <select name="repo" hx-get="/issues" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org'],[name='state'],[name='label']">
+    <option value="">All repos</option>
+    {{range .Repos}}<option value="{{.}}" {{if eq . $.SelectedRepo}}selected{{end}}>{{.}}</option>{{end}}
+  </select>
+  {{end}}
+  <select name="state" hx-get="/issues" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org'],[name='repo'],[name='label']">
+    <option value="open" {{if eq .SelectedState "open"}}selected{{end}}>Open</option>
+    <option value="closed" {{if eq .SelectedState "closed"}}selected{{end}}>Closed</option>
+  </select>
+  <input type="text" name="label" placeholder="Filter by label..." value="{{.SelectedLabel}}"
+         hx-get="/issues" hx-trigger="input changed delay:400ms" hx-target="#main-content"
+         hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org'],[name='state'],[name='repo']">
+</div>
+
+{{if .Error}}
+<p class="empty">{{.Error}}</p>
+{{else if not .Issues}}
+<p class="empty">No issues found.</p>
+{{else}}
+<div id="issue-list">
+  {{template "cards" .}}
 </div>
 {{end}}
 {{end}}

internal/templates/layout.html

@@ -13,6 +13,10 @@
   <script src="/static/htmx.min.js"></script>
 </head>
 <body>
+  <header class="top-bar">
+    <span class="top-bar-title">Gitea Mobile</span>
+    <button class="refresh-btn" hx-get="" hx-target="#main-content" hx-swap="innerHTML" aria-label="Refresh">&#8635;</button>
+  </header>
   <div class="content" id="main-content">
     {{template "content" .}}
   </div>

internal/templates/pull_detail.html

@@ -4,7 +4,7 @@
 <div class="card">
   <div class="card-meta">
     <span class="type-badge type-pull">PR</span>
-    <span class="state-open">{{.Pull.State}}</span>
+    {{if eq .Pull.State "closed"}}<span class="state-closed">{{.Pull.State}}</span>{{else}}<span class="state-open">{{.Pull.State}}</span>{{end}}
     <span>{{.Pull.RepoOwner}}/{{.Pull.RepoName}} #{{.Pull.Number}}</span>
     {{range .Pull.Labels}}
     <span class="label" style="color:#{{.Color}};border:1px solid #{{.Color}}">{{.Name}}</span>
@@ -15,7 +15,20 @@
     <span class="diff-del">-{{.Pull.Deletions}}</span>
     {{if .Pull.Mergeable}}<span style="color:var(--accent-green);">Mergeable</span>{{end}}
   </div>
-  {{if .Pull.Body}}
+  <div class="card-meta" style="margin-top:0.5rem;">
+    <span id="state-section">
+      {{if eq .Pull.State "closed"}}
+      <span class="state-closed" id="pull-state">{{.Pull.State}}</span>
+      <button class="btn btn-secondary" hx-post="/pulls/{{.Pull.RepoOwner}}/{{.Pull.RepoName}}/{{.Pull.Number}}/state" hx-vals='{"state":"open"}' hx-target="#state-section" hx-swap="innerHTML">Reopen PR</button>
+      {{else}}
+      <span class="state-open" id="pull-state">{{.Pull.State}}</span>
+      <button class="btn btn-danger" hx-post="/pulls/{{.Pull.RepoOwner}}/{{.Pull.RepoName}}/{{.Pull.Number}}/state" hx-vals='{"state":"closed"}' hx-target="#state-section" hx-swap="innerHTML">Close PR</button>
+      {{end}}
+    </span>
+  </div>
+  {{if .RenderedBody}}
+  <div class="card-body markdown-body">{{.RenderedBody}}</div>
+  {{else if .Pull.Body}}
   <div class="card-body">{{.Pull.Body}}</div>
   {{end}}
 </div>
@@ -44,4 +57,21 @@
     <button type="submit" class="btn btn-primary">Submit Review</button>
   </form>
 </div>
+
+{{if .Comments}}
+<h2>Comments</h2>
+<div id="comments-list">
+{{range .Comments}}
+<div class="comment">
+  <div class="comment-header">
+    <strong>{{.User}}</strong>
+    <span>{{.CreatedAt}}</span>
+  </div>
+  <div class="comment-body">{{.Body}}</div>
+</div>
+{{end}}
+</div>
+{{else}}
+<p class="empty" style="margin-top:1rem;">No comments yet.</p>
+{{end}}
 {{end}}

internal/templates/pulls.html

@@ -1,21 +1,4 @@
-{{define "content"}}
-<h1>Pull Requests</h1>
-
-<div class="filter-bar">
-  <select name="org" hx-get="/pulls" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true">
-    <option value="">All orgs</option>
-    {{range .Orgs}}
-    <option value="{{.}}" {{if eq . $.SelectedOrg}}selected{{end}}>{{.}}</option>
-    {{end}}
-  </select>
-</div>
-
-{{if .Error}}
-<p class="empty">{{.Error}}</p>
-{{else if not .Pulls}}
-<p class="empty">No open pull requests found.</p>
-{{else}}
-<div id="pull-list">
+{{define "cards"}}
   {{range .Pulls}}
   <div class="card" hx-get="/pulls/{{.RepoOwner}}/{{.RepoName}}/{{.Number}}" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true">
     <div class="card-title">
@@ -29,10 +12,55 @@
       {{end}}
       <span class="diff-add">+{{.Additions}}</span>
       <span class="diff-del">-{{.Deletions}}</span>
-      {{if .Mergeable}}<span style="color:var(--accent-green);font-size:0.7rem;">mergeable</span>{{end}}
+      {{if eq .ReviewState "approved"}}<span class="review-badge review-approved" title="Approved">&#10003;</span>
+      {{else if eq .ReviewState "changes_requested"}}<span class="review-badge review-changes" title="Changes requested">&#10007;</span>
+      {{else if eq .ReviewState "pending"}}<span class="review-badge review-pending" title="Awaiting review">&#9202;</span>
+      {{end}}
+      {{if .Mergeable}}<span class="merge-badge merge-ready" title="Ready to merge">&#9654; Ready</span>
+      {{else}}<span class="merge-badge merge-conflicts" title="Has conflicts or not mergeable">Conflicts</span>
+      {{end}}
     </div>
   </div>
   {{end}}
+  {{if .HasMore}}
+  <div class="scroll-sentinel" hx-get="/pulls?page={{.NextPage}}&org={{.SelectedOrg}}&state={{.SelectedState}}&label={{.SelectedLabel}}&repo={{.SelectedRepo}}" hx-trigger="revealed" hx-swap="outerHTML" hx-target="this">
+    <div class="spinner htmx-indicator"></div>
+  </div>
+  {{end}}
+{{end}}
+
+{{define "content"}}
+<h1>Pull Requests</h1>
+
+<div class="filter-bar">
+  <select name="org" hx-get="/pulls" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='state'],[name='label']">
+    <option value="">All orgs</option>
+    {{range .Orgs}}
+    <option value="{{.}}" {{if eq . $.SelectedOrg}}selected{{end}}>{{.}}</option>
+    {{end}}
+  </select>
+  {{if .Repos}}
+  <select name="repo" hx-get="/pulls" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org'],[name='state'],[name='label']">
+    <option value="">All repos</option>
+    {{range .Repos}}<option value="{{.}}" {{if eq . $.SelectedRepo}}selected{{end}}>{{.}}</option>{{end}}
+  </select>
+  {{end}}
+  <select name="state" hx-get="/pulls" hx-trigger="change" hx-target="#main-content" hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org'],[name='repo'],[name='label']">
+    <option value="open" {{if eq .SelectedState "open"}}selected{{end}}>Open</option>
+    <option value="closed" {{if eq .SelectedState "closed"}}selected{{end}}>Closed</option>
+  </select>
+  <input type="text" name="label" placeholder="Filter by label..." value="{{.SelectedLabel}}"
+         hx-get="/pulls" hx-trigger="input changed delay:400ms" hx-target="#main-content"
+         hx-swap="innerHTML" hx-push-url="true" hx-include="[name='org'],[name='state'],[name='repo']">
+</div>
+
+{{if .Error}}
+<p class="empty">{{.Error}}</p>
+{{else if not .Pulls}}
+<p class="empty">No {{.SelectedState}} pull requests found.</p>
+{{else}}
+<div id="pull-list">
+  {{template "cards" .}}
 </div>
 {{end}}
 {{end}}

internal/templates/settings.html

@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0, viewport-fit=cover">
+  <title>Settings — Gitea Mobile</title>
+  <style>
+    * { box-sizing: border-box; margin: 0; padding: 0; }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+      background: #0d1117; color: #e6edf3;
+      padding: 1rem;
+      padding-top: max(1rem, env(safe-area-inset-top));
+    }
+    h1 { font-size: 1.5rem; margin-bottom: 1rem; }
+    .card {
+      background: #161b22; border: 1px solid #30363d; border-radius: 8px;
+      padding: 1rem; margin-bottom: 1rem;
+    }
+    label { display: block; font-size: 0.875rem; color: #8b949e; margin-bottom: 0.5rem; }
+    input[type="text"], input[type="password"] {
+      width: 100%; padding: 0.5rem; font-size: 1rem;
+      background: #0d1117; border: 1px solid #30363d; border-radius: 6px;
+      color: #e6edf3; margin-bottom: 1rem;
+    }
+    input:focus { outline: none; border-color: #58a6ff; }
+    button {
+      width: 100%; padding: 0.75rem; font-size: 1rem; font-weight: 600;
+      background: #238636; color: #fff; border: none; border-radius: 6px;
+      cursor: pointer;
+    }
+    button:active { background: #2ea043; }
+    .message {
+      padding: 0.75rem; border-radius: 6px; margin-bottom: 1rem;
+      font-size: 0.875rem;
+    }
+    .message.success { background: #0d2818; border: 1px solid #238636; color: #3fb950; }
+    .message.error { background: #2d1117; border: 1px solid #da3633; color: #f85149; }
+    .message.info { background: #0c1d2e; border: 1px solid #1f6feb; color: #58a6ff; }
+    .hint { font-size: 0.75rem; color: #8b949e; margin-top: 0.25rem; margin-bottom: 1rem; }
+    .status { font-size: 0.875rem; color: #8b949e; }
+    .status .connected { color: #3fb950; }
+    .logout-btn {
+      background: #21262d; border: 1px solid #30363d; margin-top: 0.5rem;
+    }
+    .logout-btn:active { background: #30363d; }
+  </style>
+</head>
+<body>
+  <h1>Settings</h1>
+
+  {{if .Message}}
+  <div class="message {{.MessageType}}">{{.Message}}</div>
+  {{end}}
+
+  {{if .HasToken}}
+  <div class="card">
+    <p class="status">Status: <span class="connected">Connected</span></p>
+    <p class="hint">A Gitea API token is configured.</p>
+    <form method="POST" action="/settings">
+      <input type="hidden" name="action" value="logout">
+      <button type="submit" class="logout-btn">Remove Token</button>
+    </form>
+  </div>
+  {{end}}
+
+  <div class="card">
+    <form method="POST" action="/settings">
+      <input type="hidden" name="action" value="save">
+      <label for="token">Gitea API Token</label>
+      <input type="password" id="token" name="token" placeholder="Enter your Gitea API token" required>
+      <p class="hint">Generate a token at your Gitea instance under Settings &rarr; Applications.</p>
+      <button type="submit">{{if .HasToken}}Update Token{{else}}Save Token{{end}}</button>
+    </form>
+  </div>
+
+  {{if .HasToken}}
+  <p style="text-align:center; margin-top:1rem;">
+    <a href="/" style="color:#58a6ff; text-decoration:none;">Back to Dashboard</a>
+  </p>
+  {{end}}
+</body>
+</html>

static/style.css

@@ -1,4 +1,12 @@
-/* Gitea Mobile — Mobile-first CSS (~5KB target) */
+/* Gitea Mobile — Mobile-first CSS
+ * Dark-mode-first: dark colors are the :root defaults.
+ * Light mode is applied via @media (prefers-color-scheme: light).
+ *
+ * Size note: The original ~5KB target was based on the initial Phase 1 scope.
+ * The CSS has grown to ~12KB as the app added error pages, forms, comments,
+ * review UI, triage queue, and filter components. All rules are in active use.
+ * Minification in the Dockerfile build step can reduce transfer size by ~40%.
+ */
 
 /* Reset */
 *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
@@ -47,10 +55,53 @@ body {
   -moz-osx-font-smoothing: grayscale;
 }
 
+/* Top bar */
+.top-bar {
+  position: sticky;
+  top: 0;
+  z-index: 100;
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  padding: var(--spacing-sm) var(--spacing-lg);
+  padding-top: max(var(--spacing-sm), env(safe-area-inset-top));
+  background: var(--bg-secondary);
+  border-bottom: 1px solid var(--border);
+}
+
+.top-bar-title {
+  font-size: var(--font-base);
+  font-weight: 600;
+  color: var(--text-primary);
+}
+
+.refresh-btn {
+  background: none;
+  border: none;
+  color: var(--text-secondary);
+  font-size: 1.4rem;
+  padding: var(--spacing-xs) var(--spacing-sm);
+  cursor: pointer;
+  -webkit-tap-highlight-color: transparent;
+  line-height: 1;
+  border-radius: var(--radius-sm);
+  transition: color 0.15s ease, background 0.15s ease;
+}
+
+.refresh-btn:active {
+  color: var(--accent-blue);
+  background: var(--bg-tertiary);
+}
+
+.refresh-btn.htmx-request {
+  animation: spin 0.6s linear infinite;
+  pointer-events: none;
+}
+
 /* Content area */
 .content {
   padding: var(--spacing-lg);
-  padding-top: max(var(--spacing-lg), env(safe-area-inset-top));
+  padding-top: var(--spacing-lg);
   max-width: 640px;
   margin: 0 auto;
 }
@@ -376,6 +427,29 @@ a:active {
   vertical-align: middle;
 }
 
+/* Review status badges */
+.review-badge {
+  font-size: 0.7rem;
+  font-weight: 600;
+  padding: 1px 4px;
+  border-radius: var(--radius-pill);
+  vertical-align: middle;
+}
+.review-approved { color: var(--accent-green); }
+.review-changes { color: var(--accent-red); }
+.review-pending { color: var(--accent-yellow); }
+
+/* Merge status badges */
+.merge-badge {
+  font-size: 0.65rem;
+  font-weight: 600;
+  padding: 1px 5px;
+  border-radius: var(--radius-pill);
+  vertical-align: middle;
+}
+.merge-ready { color: var(--accent-green); border: 1px solid var(--accent-green); }
+.merge-conflicts { color: var(--accent-red); border: 1px solid var(--accent-red); }
+
 /* Empty state */
 .empty {
   text-align: center;
@@ -444,13 +518,17 @@ a:active {
     max-width: 960px;
   }
 
-  .card-grid {
+  .card-grid,
+  #issue-list,
+  #pull-list {
     display: grid;
     grid-template-columns: repeat(2, 1fr);
     gap: var(--spacing-sm);
   }
 
-  .card-grid .card {
+  .card-grid .card,
+  #issue-list .card,
+  #pull-list .card {
     margin-bottom: 0;
   }
 }
@@ -463,7 +541,7 @@ a:active {
   }
 }
 
-/* Dark mode is default; light mode override if needed */
+/* Dark mode is default; light mode override for prefers-color-scheme: light */
 @media (prefers-color-scheme: light) {
   :root {
     --bg-primary: #ffffff;
@@ -473,5 +551,101 @@ a:active {
     --text-primary: #1f2328;
     --text-secondary: #656d76;
     --text-link: #0969da;
+    --accent-green: #1a7f37;
+    --accent-red: #cf222e;
+    --accent-yellow: #9a6700;
+    --accent-blue: #0969da;
+    --accent-purple: #8250df;
+  }
+
+  .message.success {
+    background: #dafbe1;
+    border-color: #1a7f37;
+  }
+
+  .message.error {
+    background: #ffebe9;
+    border-color: #cf222e;
+  }
+
+  .message.info {
+    background: #ddf4ff;
+    border-color: #0969da;
+  }
+
+  .btn-primary {
+    background: #1a7f37;
+  }
+
+  .btn-primary:active {
+    background: #116329;
+  }
+
+  .btn-danger {
+    background: #ffebe9;
+    border-color: #cf222e;
+  }
+
+  .type-issue {
+    background: rgba(9, 105, 218, 0.1);
+    border-color: rgba(9, 105, 218, 0.3);
+  }
+
+  .type-pull {
+    background: rgba(26, 127, 55, 0.1);
+    border-color: rgba(26, 127, 55, 0.3);
   }
 }
+
+/* Error page */
+.error-page {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  justify-content: center;
+  min-height: 60vh;
+  text-align: center;
+  padding: var(--spacing-lg);
+}
+
+.error-icon {
+  color: var(--text-secondary);
+  margin-bottom: var(--spacing-lg);
+}
+
+.error-code {
+  font-size: 4rem;
+  font-weight: 700;
+  color: var(--text-primary);
+  line-height: 1;
+  margin-bottom: var(--spacing-sm);
+}
+
+.error-title {
+  font-size: var(--font-xl);
+  color: var(--text-primary);
+  margin-bottom: var(--spacing-sm);
+}
+
+.error-message {
+  font-size: var(--font-base);
+  color: var(--text-secondary);
+  margin-bottom: var(--spacing-lg);
+  max-width: 300px;
+}
+
+.error-home-link {
+  display: inline-block;
+  padding: var(--spacing-sm) var(--spacing-lg);
+  background: var(--accent-blue);
+  color: #fff;
+  border-radius: var(--radius);
+  text-decoration: none;
+  font-size: var(--font-base);
+  font-weight: 500;
+  transition: opacity 0.15s;
+}
+
+.error-home-link:active {
+  opacity: 0.8;
+}