feat: embed templates and static assets with go:embed for distroless containers

Replace all runtime template.ParseFiles() calls with template.ParseFS()
using an embedded filesystem, and serve static assets from an embedded FS
via http.FileServerFS(). This eliminates the need for COPY steps in the
Dockerfile and ensures the binary works with readOnlyRootFilesystem: true.

- Add internal/templates/embed.go exposing templates.FS
- Add static/embed.go exposing static.FS
- Update all handlers to use template.ParseFS(templates.FS, ...)
- Update static file server to use http.FileServerFS(static.FS)
- Remove COPY static/ and COPY internal/templates/ from Dockerfile
- Remove TestMain working directory hack (no longer needed)

Closes leeworks-agents/gitea-mobile#231
Closes leeworks-agents/gitea-mobile#220
Closes leeworks-agents/gitea-mobile#221

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.gitea/workflows/build.yaml

@@ -4,6 +4,9 @@ on:
   push:
     branches:
       - master
+  pull_request:
+    branches:
+      - master
 
 jobs:
   test:
@@ -24,6 +27,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     needs: test
+    if: gitea.event_name == 'push'
     steps:
       - uses: actions/checkout@v4
 

Dockerfile

@@ -1,16 +1,16 @@
 # Stage 1: Build
 FROM golang:1.22-alpine AS builder
 WORKDIR /app
-COPY go.mod ./
+COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
 RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /gitea-mobile ./cmd/server
 
 # Stage 2: Runtime
+# Templates and static assets are embedded in the binary via go:embed,
+# so no COPY steps are needed for them.
 FROM gcr.io/distroless/static:nonroot
 COPY --from=builder /gitea-mobile /gitea-mobile
-COPY static/ /static/
-COPY internal/templates/ /templates/
 EXPOSE 8080
 USER nonroot:nonroot
 ENTRYPOINT ["/gitea-mobile"]

cmd/server/main.go

@@ -1,10 +1,14 @@
 package main
 
 import (
+	"context"
 	"log"
 	"log/slog"
 	"net/http"
 	"os"
+	"os/signal"
+	"syscall"
+	"time"
 
 	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/config"
 	giteaclient "gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/gitea"
@@ -36,8 +40,35 @@ func main() {
 	handler = middleware.Auth(cfg.SessionSecret, cfg.GiteaToken)(handler)
 	handler = middleware.Logging()(handler)
 
-	slog.Info("server starting", "addr", cfg.ListenAddr, "gitea_url", cfg.GiteaURL)
+	srv := &http.Server{
-	if err := http.ListenAndServe(cfg.ListenAddr, handler); err != nil {
+		Addr:    cfg.ListenAddr,
-		log.Fatalf("server error: %v", err)
+		Handler: handler,
 	}
+
+	// Channel to receive shutdown signals.
+	quit := make(chan os.Signal, 1)
+	signal.Notify(quit, syscall.SIGTERM, syscall.SIGINT)
+
+	// Start server in a goroutine.
+	go func() {
+		slog.Info("server starting", "addr", cfg.ListenAddr, "gitea_url", cfg.GiteaURL)
+		if err := srv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+			log.Fatalf("server error: %v", err)
+		}
+	}()
+
+	// Block until a shutdown signal is received.
+	sig := <-quit
+	slog.Info("shutdown signal received, draining in-flight requests", "signal", sig.String())
+
+	// Give in-flight requests up to 15 seconds to complete.
+	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
+	defer cancel()
+
+	if err := srv.Shutdown(ctx); err != nil {
+		slog.Error("server forced to shutdown", "error", err)
+		os.Exit(1)
+	}
+
+	slog.Info("server stopped gracefully")
 }

internal/gitea/client.go

@@ -760,6 +760,33 @@ func (c *Client) GetPull(ctx context.Context, token, owner, repo string, index i
 	return &pr, nil
 }
 
+// ChangedFile represents a file changed in a pull request.
+type ChangedFile struct {
+	Filename    string `json:"filename"`
+	Status      string `json:"status"` // "added", "modified", "removed", "renamed"
+	Additions   int    `json:"additions"`
+	Deletions   int    `json:"deletions"`
+	Changes     int    `json:"changes"`
+	PreviousFilename string `json:"previous_filename,omitempty"`
+}
+
+// GetChangedFiles fetches the list of files changed in a pull request.
+func (c *Client) GetChangedFiles(ctx context.Context, token, owner, repo string, index int64) ([]ChangedFile, error) {
+	path := fmt.Sprintf("/repos/%s/%s/pulls/%d/files?limit=50", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodGet, path, nil)
+	if err != nil {
+		return nil, fmt.Errorf("fetching changed files: %w", err)
+	}
+	defer resp.Body.Close()
+
+	var files []ChangedFile
+	if err := json.NewDecoder(resp.Body).Decode(&files); err != nil {
+		return nil, fmt.Errorf("decoding changed files: %w", err)
+	}
+
+	return files, nil
+}
+
 // GetIssueComments fetches comments for an issue or pull request.
 func (c *Client) GetIssueComments(ctx context.Context, token, owner, repo string, index int64) ([]Comment, error) {
 	path := fmt.Sprintf("/repos/%s/%s/issues/%d/comments?limit=50", owner, repo, index)
@@ -945,6 +972,40 @@ func (c *Client) SetIssueState(ctx context.Context, token, owner, repo string, i
 	return nil
 }
 
+// MergePull merges a pull request using the specified merge style.
+// Valid styles: "merge", "rebase", "rebase-merge", "squash".
+// If style is empty, defaults to "merge".
+func (c *Client) MergePull(ctx context.Context, token, owner, repo string, index int64, style, title, message string) error {
+	if style == "" {
+		style = "merge"
+	}
+
+	payload := map[string]string{
+		"Do": style,
+	}
+	if title != "" {
+		payload["merge_message_field"] = title
+	}
+	if message != "" {
+		payload["merge_message_field"] = message
+	}
+
+	jsonData, err := json.Marshal(payload)
+	if err != nil {
+		return fmt.Errorf("marshaling merge request: %w", err)
+	}
+
+	path := fmt.Sprintf("/repos/%s/%s/pulls/%d/merge", owner, repo, index)
+	resp, err := c.doRequest(ctx, token, http.MethodPost, path, strings.NewReader(string(jsonData)))
+	if err != nil {
+		return fmt.Errorf("merging pull request: %w", err)
+	}
+	resp.Body.Close()
+
+	c.InvalidateAll()
+	return nil
+}
+
 // AddComment creates a comment on an issue and returns the created Comment.
 func (c *Client) AddComment(ctx context.Context, token, owner, repo string, index int64, body string) (*Comment, error) {
 	return c.PostComment(ctx, token, owner, repo, index, body)

internal/gitea/client_test.go

@@ -1456,3 +1456,141 @@ func TestRetryDelay_ExponentialBackoff(t *testing.T) {
 		}
 	}
 }
+
+func TestGetChangedFiles(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodGet {
+			t.Errorf("expected GET, got %s", r.Method)
+		}
+		if r.URL.Path != "/api/v1/repos/owner1/repo1/pulls/5/files" {
+			t.Errorf("unexpected path: %s", r.URL.Path)
+		}
+		if r.Header.Get("Authorization") != "token test-token" {
+			t.Error("missing or wrong Authorization header")
+		}
+
+		files := []ChangedFile{
+			{Filename: "main.go", Status: "modified", Additions: 10, Deletions: 3, Changes: 13},
+			{Filename: "new_file.go", Status: "added", Additions: 25, Deletions: 0, Changes: 25},
+			{Filename: "old_file.go", Status: "removed", Additions: 0, Deletions: 15, Changes: 15},
+		}
+		json.NewEncoder(w).Encode(files)
+	}))
+	defer server.Close()
+
+	c := NewClient(server.URL)
+	files, err := c.GetChangedFiles(context.Background(), "test-token", "owner1", "repo1", 5)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(files) != 3 {
+		t.Fatalf("got %d files, want 3", len(files))
+	}
+	if files[0].Filename != "main.go" {
+		t.Errorf("files[0].Filename = %q, want %q", files[0].Filename, "main.go")
+	}
+	if files[0].Status != "modified" {
+		t.Errorf("files[0].Status = %q, want %q", files[0].Status, "modified")
+	}
+	if files[1].Status != "added" {
+		t.Errorf("files[1].Status = %q, want %q", files[1].Status, "added")
+	}
+	if files[2].Status != "removed" {
+		t.Errorf("files[2].Status = %q, want %q", files[2].Status, "removed")
+	}
+}
+
+func TestGetChangedFiles_Error(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusNotFound)
+		fmt.Fprintln(w, `{"message":"pull request not found"}`)
+	}))
+	defer server.Close()
+
+	c := NewClient(server.URL)
+	_, err := c.GetChangedFiles(context.Background(), "test-token", "owner1", "repo1", 999)
+	if err == nil {
+		t.Fatal("expected error for 404 response, got nil")
+	}
+	if !strings.Contains(err.Error(), "404") {
+		t.Errorf("error should contain status code 404, got: %v", err)
+	}
+}
+
+func TestMergePull(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodPost {
+			t.Errorf("expected POST, got %s", r.Method)
+		}
+		if r.URL.Path != "/api/v1/repos/owner1/repo1/pulls/5/merge" {
+			t.Errorf("unexpected path: %s", r.URL.Path)
+		}
+		if r.Header.Get("Authorization") != "token test-token" {
+			t.Error("missing or wrong Authorization header")
+		}
+
+		var body map[string]string
+		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+			t.Fatalf("failed to decode body: %v", err)
+		}
+		if body["Do"] != "squash" {
+			t.Errorf("expected Do=squash, got %q", body["Do"])
+		}
+
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+
+	c := NewClient(server.URL)
+	c.setCache("pulls-org1", "should-be-invalidated")
+
+	err := c.MergePull(context.Background(), "test-token", "owner1", "repo1", 5, "squash", "", "")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	// Verify cache was invalidated.
+	_, ok := c.getFromCache("pulls-org1")
+	if ok {
+		t.Error("expected cache to be invalidated after MergePull")
+	}
+}
+
+func TestMergePull_DefaultStyle(t *testing.T) {
+	var receivedStyle string
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		var body map[string]string
+		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+			t.Fatalf("failed to decode body: %v", err)
+		}
+		receivedStyle = body["Do"]
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+
+	c := NewClient(server.URL)
+	err := c.MergePull(context.Background(), "test-token", "owner1", "repo1", 5, "", "", "")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if receivedStyle != "merge" {
+		t.Errorf("expected default style 'merge', got %q", receivedStyle)
+	}
+}
+
+func TestMergePull_Error(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		fmt.Fprintln(w, `{"message":"not mergeable"}`)
+	}))
+	defer server.Close()
+
+	c := NewClient(server.URL)
+	err := c.MergePull(context.Background(), "test-token", "owner1", "repo1", 5, "merge", "", "")
+	if err == nil {
+		t.Fatal("expected error for 405 response, got nil")
+	}
+	if !strings.Contains(err.Error(), "405") {
+		t.Errorf("error should contain status code 405, got: %v", err)
+	}
+}

internal/handlers/handlers.go

@@ -12,6 +12,8 @@ import (
 	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/config"
 	giteaclient "gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/gitea"
 	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/middleware"
+	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/templates"
+	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/static"
 )
 
 // Handler holds shared dependencies for all HTTP handlers.
@@ -64,8 +66,8 @@ func (h *Handler) RegisterRoutes(mux *http.ServeMux) {
 	}
 	mux.HandleFunc("/settings", settingsHandler.ServeHTTP)
 
-	// Static files.
+	// Static files — served from embedded filesystem.
-	mux.Handle("/static/", http.StripPrefix("/static/", http.FileServer(http.Dir("static"))))
+	mux.Handle("/static/", http.StripPrefix("/static/", http.FileServerFS(static.FS)))
 }
 
 // isHTMX returns true if the request is an HTMX partial request.
@@ -78,6 +80,31 @@ func getToken(r *http.Request) string {
 	return middleware.TokenFromContext(r.Context())
 }
 
+// isTokenError returns true if the error indicates an expired or revoked API token.
+func isTokenError(err error) bool {
+	if err == nil {
+		return false
+	}
+	msg := err.Error()
+	return strings.Contains(msg, "API error 401") || strings.Contains(msg, "API error 403")
+}
+
+// redirectOnTokenError checks if the error is a token auth error and redirects
+// to /settings with an error banner. Returns true if a redirect was performed.
+func redirectOnTokenError(w http.ResponseWriter, r *http.Request, err error) bool {
+	if !isTokenError(err) {
+		return false
+	}
+	slog.Warn("Gitea API token expired or revoked, redirecting to settings", "error", err)
+	if isHTMX(r) {
+		w.Header().Set("HX-Redirect", "/settings?error=token_expired")
+		w.WriteHeader(http.StatusOK)
+	} else {
+		http.Redirect(w, r, "/settings?error=token_expired", http.StatusSeeOther)
+	}
+	return true
+}
+
 // getUserOrgs returns the list of org names the user belongs to.
 func (h *Handler) getUserOrgs(r *http.Request) []string {
 	token := getToken(r)
@@ -210,7 +237,7 @@ func (h *Handler) ErrorInternal(w http.ResponseWriter, r *http.Request) {
 
 // renderError renders the error template with the given data and status code.
 func (h *Handler) renderError(w http.ResponseWriter, r *http.Request, data errorData) {
-	tmpl, err := template.ParseFiles("internal/templates/error.html")
+	tmpl, err := template.ParseFS(templates.FS, "error.html")
 	if err != nil {
 		slog.Error("failed to parse error template", "error", err)
 		http.Error(w, fmt.Sprintf("%d %s", data.Code, data.Title), data.Code)
@@ -263,6 +290,9 @@ func (h *Handler) Dashboard(w http.ResponseWriter, r *http.Request) {
 
 		queue, err := h.Client.GetTriageQueue(r.Context(), token, queryOrgs)
 		if err != nil {
+			if redirectOnTokenError(w, r, err) {
+				return
+			}
 			slog.Error("failed to get triage queue", "error", err)
 			data.Error = "Error loading triage queue."
 		} else {
@@ -270,7 +300,7 @@ func (h *Handler) Dashboard(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	tmpl, err := template.ParseFiles("internal/templates/dashboard.html")
+	tmpl, err := template.ParseFS(templates.FS, "dashboard.html")
 	if err != nil {
 		slog.Error("failed to parse dashboard template", "error", err)
 		http.Error(w, "template error", http.StatusInternalServerError)
@@ -346,6 +376,9 @@ func (h *Handler) ListIssues(w http.ResponseWriter, r *http.Request) {
 
 		result, err := h.Client.ListAllIssues(r.Context(), token, queryOrgs, selectedState, page, selectedLabel, selectedRepo)
 		if err != nil {
+			if redirectOnTokenError(w, r, err) {
+				return
+			}
 			slog.Error("failed to list issues", "error", err)
 			data.Error = "Error loading issues."
 		} else {
@@ -359,7 +392,7 @@ func (h *Handler) ListIssues(w http.ResponseWriter, r *http.Request) {
 
 	// For HTMX infinite-scroll requests (page > 1), return only the card fragment.
 	if isHTMX(r) && page > 1 {
-		tmpl, err := template.ParseFiles("internal/templates/issues.html")
+		tmpl, err := template.ParseFS(templates.FS, "issues.html")
 		if err != nil {
 			slog.Error("failed to parse issues template", "error", err)
 			http.Error(w, "template error", http.StatusInternalServerError)
@@ -376,7 +409,7 @@ func (h *Handler) ListIssues(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	tmpl, err := template.ParseFiles("internal/templates/issues.html")
+	tmpl, err := template.ParseFS(templates.FS, "issues.html")
 	if err != nil {
 		slog.Error("failed to parse issues template", "error", err)
 		http.Error(w, "template error", http.StatusInternalServerError)
@@ -451,6 +484,9 @@ func (h *Handler) ListPulls(w http.ResponseWriter, r *http.Request) {
 
 		result, err := h.Client.ListAllPullRequests(r.Context(), token, queryOrgs, selectedState, page, selectedLabel, selectedRepo)
 		if err != nil {
+			if redirectOnTokenError(w, r, err) {
+				return
+			}
 			slog.Error("failed to list pull requests", "error", err)
 			data.Error = "Error loading pull requests."
 		} else {
@@ -468,7 +504,7 @@ func (h *Handler) ListPulls(w http.ResponseWriter, r *http.Request) {
 
 	// For HTMX infinite-scroll requests (page > 1), return only the card fragment.
 	if isHTMX(r) && page > 1 {
-		tmpl, err := template.ParseFiles("internal/templates/pulls.html")
+		tmpl, err := template.ParseFS(templates.FS, "pulls.html")
 		if err != nil {
 			slog.Error("failed to parse pulls template", "error", err)
 			http.Error(w, "template error", http.StatusInternalServerError)
@@ -485,7 +521,7 @@ func (h *Handler) ListPulls(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	tmpl, err := template.ParseFiles("internal/templates/pulls.html")
+	tmpl, err := template.ParseFS(templates.FS, "pulls.html")
 	if err != nil {
 		slog.Error("failed to parse pulls template", "error", err)
 		http.Error(w, "template error", http.StatusInternalServerError)
@@ -553,7 +589,7 @@ func (h *Handler) IssueDetail(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Build the content HTML using the template.
-	tmpl, err := template.ParseFiles("internal/templates/issue_detail.html")
+	tmpl, err := template.ParseFS(templates.FS, "issue_detail.html")
 	if err != nil {
 		slog.Error("failed to parse issue_detail template", "error", err)
 		http.Error(w, "template error", http.StatusInternalServerError)
@@ -626,7 +662,7 @@ func (h *Handler) PullDetail(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Build the content HTML using the template.
-	tmpl, err := template.ParseFiles("internal/templates/pull_detail.html")
+	tmpl, err := template.ParseFS(templates.FS, "pull_detail.html")
 	if err != nil {
 		slog.Error("failed to parse pull_detail template", "error", err)
 		http.Error(w, "template error", http.StatusInternalServerError)
@@ -667,7 +703,7 @@ func (h *Handler) NewIssue(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	tmpl, err := template.ParseFiles("internal/templates/create_issue.html")
+	tmpl, err := template.ParseFS(templates.FS, "create_issue.html")
 	if err != nil {
 		slog.Error("failed to parse create_issue template", "error", err)
 		http.Error(w, "template error", http.StatusInternalServerError)

internal/handlers/integration_test.go

@@ -7,9 +7,6 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"net/url"
-	"os"
-	"path/filepath"
-	"runtime"
 	"strings"
 	"testing"
 
@@ -18,26 +15,8 @@ import (
 	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/middleware"
 )
 
-// TestMain changes the working directory to the project root so that
+// Note: TestMain is no longer needed because templates and static assets
-// template files can be found by handlers that use relative paths.
+// are embedded at compile time via go:embed. Tests work from any directory.
-func TestMain(m *testing.M) {
-	// Walk up from this source file to find the project root (where go.mod lives).
-	_, filename, _, _ := runtime.Caller(0)
-	dir := filepath.Dir(filename)
-	for {
-		if _, err := os.Stat(filepath.Join(dir, "go.mod")); err == nil {
-			break
-		}
-		parent := filepath.Dir(dir)
-		if parent == dir {
-			// Reached filesystem root without finding go.mod; run tests from cwd.
-			break
-		}
-		dir = parent
-	}
-	_ = os.Chdir(dir)
-	os.Exit(m.Run())
-}
 
 // mockGiteaAPI starts an httptest server that simulates the Gitea API
 // endpoints needed by the handlers. Returns the server and a cleanup func.

internal/handlers/settings.go

@@ -8,10 +8,9 @@ import (
 
 	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/auth"
 	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/middleware"
+	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/templates"
 )
 
-const settingsTemplatePath = "internal/templates/settings.html"
-
 // SettingsHandler handles GET and POST requests for the settings page.
 type SettingsHandler struct {
 	SessionSecret string
@@ -45,6 +44,13 @@ func (h *SettingsHandler) handleGet(w http.ResponseWriter, r *http.Request) {
 	}
 
 	data := settingsData{HasToken: hasToken}
+
+	// Show error banner when redirected due to expired/revoked token.
+	if r.URL.Query().Get("error") == "token_expired" {
+		data.Message = "Your Gitea API token is expired or has been revoked. Please enter a new token."
+		data.MessageType = "error"
+	}
+
 	h.renderSettings(w, data)
 }
 
@@ -94,7 +100,7 @@ func (h *SettingsHandler) renderWithMessage(w http.ResponseWriter, r *http.Reque
 }
 
 func (h *SettingsHandler) renderSettings(w http.ResponseWriter, data settingsData) {
-	tmpl, err := template.ParseFiles(settingsTemplatePath)
+	tmpl, err := template.ParseFS(templates.FS, "settings.html")
 	if err != nil {
 		slog.Error("failed to parse settings template", "error", err)
 		http.Error(w, "template error", http.StatusInternalServerError)

internal/middleware/logging.go

@@ -1,6 +1,8 @@
 package middleware
 
 import (
+	"crypto/rand"
+	"encoding/hex"
 	"log/slog"
 	"net/http"
 	"time"
@@ -17,21 +19,39 @@ func (rw *responseWriter) WriteHeader(code int) {
 	rw.ResponseWriter.WriteHeader(code)
 }
 
-// Logging returns middleware that logs each HTTP request with structured logging.
+// generateRequestID creates a short random hex string for request tracing.
+func generateRequestID() string {
+	b := make([]byte, 8)
+	if _, err := rand.Read(b); err != nil {
+		return "unknown"
+	}
+	return hex.EncodeToString(b)
+}
+
+// Logging returns middleware that logs each HTTP request with structured fields:
+// method, path, status, duration (ms), request-id, and remote address.
 func Logging() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			start := time.Now()
+			requestID := generateRequestID()
 			rw := &responseWriter{ResponseWriter: w, statusCode: http.StatusOK}
 
+			// Set request ID header for downstream correlation.
+			w.Header().Set("X-Request-ID", requestID)
+
 			next.ServeHTTP(rw, r)
 
+			duration := time.Since(start)
 			slog.Info("http request",
 				"method", r.Method,
 				"path", r.URL.Path,
 				"status", rw.statusCode,
-				"duration", time.Since(start).String(),
+				"duration_ms", duration.Milliseconds(),
+				"duration", duration.String(),
+				"request_id", requestID,
 				"remote", r.RemoteAddr,
+				"user_agent", r.UserAgent(),
 			)
 		})
 	}

internal/templates/embed.go

@@ -0,0 +1,9 @@
+// Package templates provides embedded HTML template files.
+package templates
+
+import "embed"
+
+// FS contains all HTML template files embedded at compile time.
+//
+//go:embed *.html
+var FS embed.FS

internal/templates/issue_detail.html

@@ -14,7 +14,7 @@
     </span>
     <span>{{.Issue.RepoOwner}}/{{.Issue.RepoName}} #{{.Issue.Number}}</span>
     {{range .Issue.Labels}}
-    <span class="label" style="color:#{{.Color}};border:1px solid #{{.Color}}">{{.Name}}</span>
+    <span class="label label-pill" style="background-color:#{{.Color}};color:#fff;border:1px solid #{{.Color}}">{{.Name}}</span>
     {{end}}
   </div>
   {{if .RenderedBody}}

internal/templates/issues.html

@@ -5,7 +5,7 @@
     <div class="card-meta">
       <span>{{.RepoOwner}}/{{.RepoName}} #{{.Number}}</span>
       {{range .Labels}}
-      <span class="label" style="color:#{{.Color}};border:1px solid #{{.Color}}">{{.Name}}</span>
+      <span class="label label-pill" style="background-color:#{{.Color}};color:#fff;border:1px solid #{{.Color}}">{{.Name}}</span>
       {{end}}
       {{if .Assignee}}
       <img src="{{.Assignee.AvatarURL}}" alt="{{.Assignee.Login}}" class="avatar" title="Assigned to {{.Assignee.Login}}">

internal/templates/pull_detail.html

@@ -7,7 +7,7 @@
     {{if eq .Pull.State "closed"}}<span class="state-closed">{{.Pull.State}}</span>{{else}}<span class="state-open">{{.Pull.State}}</span>{{end}}
     <span>{{.Pull.RepoOwner}}/{{.Pull.RepoName}} #{{.Pull.Number}}</span>
     {{range .Pull.Labels}}
-    <span class="label" style="color:#{{.Color}};border:1px solid #{{.Color}}">{{.Name}}</span>
+    <span class="label label-pill" style="background-color:#{{.Color}};color:#fff;border:1px solid #{{.Color}}">{{.Name}}</span>
     {{end}}
   </div>
   <div class="card-meta" style="margin-top:0.5rem;">

internal/templates/pulls.html

@@ -8,7 +8,7 @@
     <div class="card-meta">
       <span>{{.RepoOwner}}/{{.RepoName}} #{{.Number}}</span>
       {{range .Labels}}
-      <span class="label" style="color:#{{.Color}};border:1px solid #{{.Color}}">{{.Name}}</span>
+      <span class="label label-pill" style="background-color:#{{.Color}};color:#fff;border:1px solid #{{.Color}}">{{.Name}}</span>
       {{end}}
       <span class="diff-add">+{{.Additions}}</span>
       <span class="diff-del">-{{.Deletions}}</span>

static/embed.go

@@ -0,0 +1,10 @@
+// Package static provides embedded static asset files (CSS, JS, icons, etc.).
+package static
+
+import "embed"
+
+// FS contains all static asset files embedded at compile time.
+// Files are served via http.FileServerFS in the handlers package.
+//
+//go:embed *.css *.js *.json *.png
+var FS embed.FS

static/style.css

@@ -176,6 +176,11 @@ a:active {
   white-space: nowrap;
 }
 
+.label-pill {
+  text-shadow: 0 1px 2px rgba(0, 0, 0, 0.4);
+  font-weight: 600;
+}
+
 .type-badge {
   font-size: 0.65rem;
   text-transform: uppercase;