making progress

2026-05-07 02:06:54 +02:00
parent 7b7e2d399c
commit dea186c995
39 changed files with 2021 additions and 67 deletions
@@ -0,0 +1 @@
+ref: refs/heads/master
@@ -0,0 +1,8 @@
+[core]
+	repositoryformatversion = 0
+	filemode = true
+	bare = true
+	ignorecase = true
+	precomposeunicode = true
+[http]
+	receivepack = true
@@ -0,0 +1 @@
+Unnamed repository; edit this file 'description' to name the repository.
@@ -0,0 +1,15 @@
+#!/bin/sh
+#
+# An example hook script to check the commit log message taken by
+# applypatch from an e-mail message.
+#
+# The hook should exit with non-zero status after issuing an
+# appropriate message if it wants to stop the commit.  The hook is
+# allowed to edit the commit message file.
+#
+# To enable this hook, rename this file to "applypatch-msg".
+
+. git-sh-setup
+commitmsg="$(git rev-parse --git-path hooks/commit-msg)"
+test -x "$commitmsg" && exec "$commitmsg" ${1+"$@"}
+:
@@ -0,0 +1,74 @@
+#!/bin/sh
+#
+# An example hook script to check the commit log message.
+# Called by "git commit" with one argument, the name of the file
+# that has the commit message.  The hook should exit with non-zero
+# status after issuing an appropriate message if it wants to stop the
+# commit.  The hook is allowed to edit the commit message file.
+#
+# To enable this hook, rename this file to "commit-msg".
+
+# Uncomment the below to add a Signed-off-by line to the message.
+# Doing this in a hook is a bad idea in general, but the prepare-commit-msg
+# hook is more suited to it.
+#
+# SOB=$(git var GIT_AUTHOR_IDENT | sed -n 's/^\(.*>\).*$/Signed-off-by: \1/p')
+# grep -qs "^$SOB" "$1" || echo "$SOB" >> "$1"
+
+# This example catches duplicate Signed-off-by lines and messages that
+# would confuse 'git am'.
+
+ret=0
+
+test "" = "$(grep '^Signed-off-by: ' "$1" |
+	 sort | uniq -c | sed -e '/^[ 	]*1[ 	]/d')" || {
+	echo >&2 Duplicate Signed-off-by lines.
+	ret=1
+}
+
+comment_re="$(
+	{
+		git config --get-regexp "^core\.comment(char|string)\$" ||
+			echo '#'
+	} | sed -n -e '
+		${
+			s/^[^ ]* //
+			s|[][*./\]|\\&|g
+			s/^auto$/[#;@!$%^&|:]/
+			p
+		}'
+)"
+scissors_line="^${comment_re} -\{8,\} >8 -\{8,\}\$"
+comment_line="^${comment_re}.*"
+blank_line='^[ 	]*$'
+# Disallow lines starting with "diff -" or "Index: " in the body of the
+# message. Stop looking if we see a scissors line.
+line="$(sed -n -e "
+	# Skip comments and blank lines at the start of the file.
+	/${scissors_line}/q
+	/${comment_line}/d
+	/${blank_line}/d
+	# The first paragraph will become the subject header so
+	# does not need to be checked.
+	: subject
+	n
+	/${scissors_line}/q
+	/${blank_line}/!b subject
+	# Check the body of the message for problematic
+	# prefixes.
+	: body
+	n
+	/${scissors_line}/q
+	/${comment_line}/b body
+	/^diff -/{p;q;}
+	/^Index: /{p;q;}
+	b body
+	" "$1")"
+if test -n "$line"
+then
+	echo >&2 "Message contains a diff that will confuse 'git am'."
+	echo >&2 "To fix this indent the diff."
+	ret=1
+fi
+
+exit $ret
@@ -0,0 +1,168 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use IPC::Open2;
+
+# An example hook script to integrate Watchman
+# (https://facebook.github.io/watchman/) with git to speed up detecting
+# new and modified files.
+#
+# The hook is passed a version (currently 2) and last update token
+# formatted as a string and outputs to stdout a new update token and
+# all files that have been modified since the update token. Paths must
+# be relative to the root of the working tree and separated by a single NUL.
+#
+# To enable this hook, rename this file to "query-watchman" and set
+# 'git config core.fsmonitor .git/hooks/query-watchman'
+#
+my ($version, $last_update_token) = @ARGV;
+
+# Uncomment for debugging
+# print STDERR "$0 $version $last_update_token\n";
+
+# Check the hook interface version
+if ($version ne 2) {
+	die "Unsupported query-fsmonitor hook version '$version'.\n" .
+	    "Falling back to scanning...\n";
+}
+
+my $git_work_tree = get_working_dir();
+
+my $json_pkg;
+eval {
+	require JSON::XS;
+	$json_pkg = "JSON::XS";
+	1;
+} or do {
+	require JSON::PP;
+	$json_pkg = "JSON::PP";
+};
+
+launch_watchman();
+
+sub launch_watchman {
+	my $o = watchman_query();
+	if (is_work_tree_watched($o)) {
+		output_result($o->{clock}, @{$o->{files}});
+	}
+}
+
+sub output_result {
+	my ($clockid, @files) = @_;
+
+	# Uncomment for debugging watchman output
+	# open (my $fh, ">", ".git/watchman-output.out");
+	# binmode $fh, ":utf8";
+	# print $fh "$clockid\n@files\n";
+	# close $fh;
+
+	binmode STDOUT, ":utf8";
+	print $clockid;
+	print "\0";
+	local $, = "\0";
+	print @files;
+}
+
+sub watchman_clock {
+	my $response = qx/watchman clock "$git_work_tree"/;
+	die "Failed to get clock id on '$git_work_tree'.\n" .
+		"Falling back to scanning...\n" if $? != 0;
+
+	return $json_pkg->new->utf8->decode($response);
+}
+
+sub watchman_query {
+	my $pid = open2(\*CHLD_OUT, \*CHLD_IN, 'watchman -j --no-pretty')
+	or die "open2() failed: $!\n" .
+	"Falling back to scanning...\n";
+
+	# In the query expression below we're asking for names of files that
+	# changed since $last_update_token but not from the .git folder.
+	#
+	# To accomplish this, we're using the "since" generator to use the
+	# recency index to select candidate nodes and "fields" to limit the
+	# output to file names only. Then we're using the "expression" term to
+	# further constrain the results.
+	my $last_update_line = "";
+	if (substr($last_update_token, 0, 1) eq "c") {
+		$last_update_token = "\"$last_update_token\"";
+		$last_update_line = qq[\n"since": $last_update_token,];
+	}
+	my $query = <<"	END";
+		["query", "$git_work_tree", {$last_update_line
+			"fields": ["name"],
+			"expression": ["not", ["dirname", ".git"]]
+		}]
+	END
+
+	# Uncomment for debugging the watchman query
+	# open (my $fh, ">", ".git/watchman-query.json");
+	# print $fh $query;
+	# close $fh;
+
+	print CHLD_IN $query;
+	close CHLD_IN;
+	my $response = do {local $/; <CHLD_OUT>};
+
+	# Uncomment for debugging the watch response
+	# open ($fh, ">", ".git/watchman-response.json");
+	# print $fh $response;
+	# close $fh;
+
+	die "Watchman: command returned no output.\n" .
+	"Falling back to scanning...\n" if $response eq "";
+	die "Watchman: command returned invalid output: $response\n" .
+	"Falling back to scanning...\n" unless $response =~ /^\{/;
+
+	return $json_pkg->new->utf8->decode($response);
+}
+
+sub is_work_tree_watched {
+	my ($output) = @_;
+	my $error = $output->{error};
+	if ($error and $error =~ m/unable to resolve root .* directory (.*) is not watched/) {
+		my $response = qx/watchman watch "$git_work_tree"/;
+		die "Failed to make watchman watch '$git_work_tree'.\n" .
+		    "Falling back to scanning...\n" if $? != 0;
+		$output = $json_pkg->new->utf8->decode($response);
+		$error = $output->{error};
+		die "Watchman: $error.\n" .
+		"Falling back to scanning...\n" if $error;
+
+		# Uncomment for debugging watchman output
+		# open (my $fh, ">", ".git/watchman-output.out");
+		# close $fh;
+
+		# Watchman will always return all files on the first query so
+		# return the fast "everything is dirty" flag to git and do the
+		# Watchman query just to get it over with now so we won't pay
+		# the cost in git to look up each individual file.
+		my $o = watchman_clock();
+		$error = $o->{error};
+
+		die "Watchman: $error.\n" .
+		"Falling back to scanning...\n" if $error;
+
+		output_result($o->{clock}, ("/"));
+		return 0;
+	}
+
+	die "Watchman: $error.\n" .
+	"Falling back to scanning...\n" if $error;
+
+	return 1;
+}
+
+sub get_working_dir {
+	my $working_dir;
+	if ($^O =~ 'msys' || $^O =~ 'cygwin') {
+		$working_dir = Win32::GetCwd();
+		$working_dir =~ tr/\\/\//;
+	} else {
+		require Cwd;
+		$working_dir = Cwd::cwd();
+	}
+
+	return $working_dir;
+}
@@ -0,0 +1,8 @@
+#!/bin/sh
+#
+# An example hook script to prepare a packed repository for use over
+# dumb transports.
+#
+# To enable this hook, rename this file to "post-update".
+
+exec git update-server-info
@@ -0,0 +1,14 @@
+#!/bin/sh
+#
+# An example hook script to verify what is about to be committed
+# by applypatch from an e-mail message.
+#
+# The hook should exit with non-zero status after issuing an
+# appropriate message if it wants to stop the commit.
+#
+# To enable this hook, rename this file to "pre-applypatch".
+
+. git-sh-setup
+precommit="$(git rev-parse --git-path hooks/pre-commit)"
+test -x "$precommit" && exec "$precommit" ${1+"$@"}
+:
@@ -0,0 +1,49 @@
+#!/bin/sh
+#
+# An example hook script to verify what is about to be committed.
+# Called by "git commit" with no arguments.  The hook should
+# exit with non-zero status after issuing an appropriate message if
+# it wants to stop the commit.
+#
+# To enable this hook, rename this file to "pre-commit".
+
+if git rev-parse --verify HEAD >/dev/null 2>&1
+then
+	against=HEAD
+else
+	# Initial commit: diff against an empty tree object
+	against=$(git hash-object -t tree /dev/null)
+fi
+
+# If you want to allow non-ASCII filenames set this variable to true.
+allownonascii=$(git config --type=bool hooks.allownonascii)
+
+# Redirect output to stderr.
+exec 1>&2
+
+# Cross platform projects tend to avoid non-ASCII filenames; prevent
+# them from being added to the repository. We exploit the fact that the
+# printable range starts at the space character and ends with tilde.
+if [ "$allownonascii" != "true" ] &&
+	# Note that the use of brackets around a tr range is ok here, (it's
+	# even required, for portability to Solaris 10's /usr/bin/tr), since
+	# the square bracket bytes happen to fall in the designated range.
+	test $(git diff-index --cached --name-only --diff-filter=A -z $against |
+	  LC_ALL=C tr -d '[ -~]\0' | wc -c) != 0
+then
+	cat <<\EOF
+Error: Attempt to add a non-ASCII file name.
+
+This can cause problems if you want to work with people on other platforms.
+
+To be portable it is advisable to rename the file.
+
+If you know what you are doing you can disable this check using:
+
+  git config hooks.allownonascii true
+EOF
+	exit 1
+fi
+
+# If there are whitespace errors, print the offending file names and fail.
+exec git diff-index --check --cached $against --
@@ -0,0 +1,13 @@
+#!/bin/sh
+#
+# An example hook script to verify what is about to be committed.
+# Called by "git merge" with no arguments.  The hook should
+# exit with non-zero status after issuing an appropriate message to
+# stderr if it wants to stop the merge commit.
+#
+# To enable this hook, rename this file to "pre-merge-commit".
+
+. git-sh-setup
+test -x "$GIT_DIR/hooks/pre-commit" &&
+        exec "$GIT_DIR/hooks/pre-commit"
+:
@@ -0,0 +1,53 @@
+#!/bin/sh
+
+# An example hook script to verify what is about to be pushed.  Called by "git
+# push" after it has checked the remote status, but before anything has been
+# pushed.  If this script exits with a non-zero status nothing will be pushed.
+#
+# This hook is called with the following parameters:
+#
+# $1 -- Name of the remote to which the push is being done
+# $2 -- URL to which the push is being done
+#
+# If pushing without using a named remote those arguments will be equal.
+#
+# Information about the commits which are being pushed is supplied as lines to
+# the standard input in the form:
+#
+#   <local ref> <local oid> <remote ref> <remote oid>
+#
+# This sample shows how to prevent push of commits where the log message starts
+# with "WIP" (work in progress).
+
+remote="$1"
+url="$2"
+
+zero=$(git hash-object --stdin </dev/null | tr '[0-9a-f]' '0')
+
+while read local_ref local_oid remote_ref remote_oid
+do
+	if test "$local_oid" = "$zero"
+	then
+		# Handle delete
+		:
+	else
+		if test "$remote_oid" = "$zero"
+		then
+			# New branch, examine all commits
+			range="$local_oid"
+		else
+			# Update to existing branch, examine new commits
+			range="$remote_oid..$local_oid"
+		fi
+
+		# Check for WIP commit
+		commit=$(git rev-list -n 1 --grep '^WIP' "$range")
+		if test -n "$commit"
+		then
+			echo >&2 "Found WIP commit in $local_ref, not pushing"
+			exit 1
+		fi
+	fi
+done
+
+exit 0
@@ -0,0 +1,169 @@
+#!/bin/sh
+#
+# Copyright (c) 2006, 2008 Junio C Hamano
+#
+# The "pre-rebase" hook is run just before "git rebase" starts doing
+# its job, and can prevent the command from running by exiting with
+# non-zero status.
+#
+# The hook is called with the following parameters:
+#
+# $1 -- the upstream the series was forked from.
+# $2 -- the branch being rebased (or empty when rebasing the current branch).
+#
+# This sample shows how to prevent topic branches that are already
+# merged to 'next' branch from getting rebased, because allowing it
+# would result in rebasing already published history.
+
+publish=next
+basebranch="$1"
+if test "$#" = 2
+then
+	topic="refs/heads/$2"
+else
+	topic=`git symbolic-ref HEAD` ||
+	exit 0 ;# we do not interrupt rebasing detached HEAD
+fi
+
+case "$topic" in
+refs/heads/??/*)
+	;;
+*)
+	exit 0 ;# we do not interrupt others.
+	;;
+esac
+
+# Now we are dealing with a topic branch being rebased
+# on top of master.  Is it OK to rebase it?
+
+# Does the topic really exist?
+git show-ref -q "$topic" || {
+	echo >&2 "No such branch $topic"
+	exit 1
+}
+
+# Is topic fully merged to master?
+not_in_master=`git rev-list --pretty=oneline ^master "$topic"`
+if test -z "$not_in_master"
+then
+	echo >&2 "$topic is fully merged to master; better remove it."
+	exit 1 ;# we could allow it, but there is no point.
+fi
+
+# Is topic ever merged to next?  If so you should not be rebasing it.
+only_next_1=`git rev-list ^master "^$topic" ${publish} | sort`
+only_next_2=`git rev-list ^master           ${publish} | sort`
+if test "$only_next_1" = "$only_next_2"
+then
+	not_in_topic=`git rev-list "^$topic" master`
+	if test -z "$not_in_topic"
+	then
+		echo >&2 "$topic is already up to date with master"
+		exit 1 ;# we could allow it, but there is no point.
+	else
+		exit 0
+	fi
+else
+	not_in_next=`git rev-list --pretty=oneline ^${publish} "$topic"`
+	/usr/bin/perl -e '
+		my $topic = $ARGV[0];
+		my $msg = "* $topic has commits already merged to public branch:\n";
+		my (%not_in_next) = map {
+			/^([0-9a-f]+) /;
+			($1 => 1);
+		} split(/\n/, $ARGV[1]);
+		for my $elem (map {
+				/^([0-9a-f]+) (.*)$/;
+				[$1 => $2];
+			} split(/\n/, $ARGV[2])) {
+			if (!exists $not_in_next{$elem->[0]}) {
+				if ($msg) {
+					print STDERR $msg;
+					undef $msg;
+				}
+				print STDERR " $elem->[1]\n";
+			}
+		}
+	' "$topic" "$not_in_next" "$not_in_master"
+	exit 1
+fi
+
+<<\DOC_END
+
+This sample hook safeguards topic branches that have been
+published from being rewound.
+
+The workflow assumed here is:
+
+ * Once a topic branch forks from "master", "master" is never
+   merged into it again (either directly or indirectly).
+
+ * Once a topic branch is fully cooked and merged into "master",
+   it is deleted.  If you need to build on top of it to correct
+   earlier mistakes, a new topic branch is created by forking at
+   the tip of the "master".  This is not strictly necessary, but
+   it makes it easier to keep your history simple.
+
+ * Whenever you need to test or publish your changes to topic
+   branches, merge them into "next" branch.
+
+The script, being an example, hardcodes the publish branch name
+to be "next", but it is trivial to make it configurable via
+$GIT_DIR/config mechanism.
+
+With this workflow, you would want to know:
+
+(1) ... if a topic branch has ever been merged to "next".  Young
+    topic branches can have stupid mistakes you would rather
+    clean up before publishing, and things that have not been
+    merged into other branches can be easily rebased without
+    affecting other people.  But once it is published, you would
+    not want to rewind it.
+
+(2) ... if a topic branch has been fully merged to "master".
+    Then you can delete it.  More importantly, you should not
+    build on top of it -- other people may already want to
+    change things related to the topic as patches against your
+    "master", so if you need further changes, it is better to
+    fork the topic (perhaps with the same name) afresh from the
+    tip of "master".
+
+Let's look at this example:
+
+		   o---o---o---o---o---o---o---o---o---o "next"
+		  /       /           /           /
+		 /   a---a---b A     /           /
+		/   /               /           /
+	       /   /   c---c---c---c B         /
+	      /   /   /             \         /
+	     /   /   /   b---b C     \       /
+	    /   /   /   /             \     /
+    ---o---o---o---o---o---o---o---o---o---o---o "master"
+
+
+A, B and C are topic branches.
+
+ * A has one fix since it was merged up to "next".
+
+ * B has finished.  It has been fully merged up to "master" and "next",
+   and is ready to be deleted.
+
+ * C has not merged to "next" at all.
+
+We would want to allow C to be rebased, refuse A, and encourage
+B to be deleted.
+
+To compute (1):
+
+	git rev-list ^master ^topic next
+	git rev-list ^master        next
+
+	if these match, topic has not merged in next at all.
+
+To compute (2):
+
+	git rev-list master..topic
+
+	if this is empty, it is fully merged to "master".
+
+DOC_END
@@ -0,0 +1,24 @@
+#!/bin/sh
+#
+# An example hook script to make use of push options.
+# The example simply echoes all push options that start with 'echoback='
+# and rejects all pushes when the "reject" push option is used.
+#
+# To enable this hook, rename this file to "pre-receive".
+
+if test -n "$GIT_PUSH_OPTION_COUNT"
+then
+	i=0
+	while test "$i" -lt "$GIT_PUSH_OPTION_COUNT"
+	do
+		eval "value=\$GIT_PUSH_OPTION_$i"
+		case "$value" in
+		echoback=*)
+			echo "echo from the pre-receive-hook: ${value#*=}" >&2
+			;;
+		reject)
+			exit 1
+		esac
+		i=$((i + 1))
+	done
+fi
@@ -0,0 +1,42 @@
+#!/bin/sh
+#
+# An example hook script to prepare the commit log message.
+# Called by "git commit" with the name of the file that has the
+# commit message, followed by the description of the commit
+# message's source.  The hook's purpose is to edit the commit
+# message file.  If the hook fails with a non-zero status,
+# the commit is aborted.
+#
+# To enable this hook, rename this file to "prepare-commit-msg".
+
+# This hook includes three examples. The first one removes the
+# "# Please enter the commit message..." help message.
+#
+# The second includes the output of "git diff --name-status -r"
+# into the message, just before the "git status" output.  It is
+# commented because it doesn't cope with --amend or with squashed
+# commits.
+#
+# The third example adds a Signed-off-by line to the message, that can
+# still be edited.  This is rarely a good idea.
+
+COMMIT_MSG_FILE=$1
+COMMIT_SOURCE=$2
+SHA1=$3
+
+/usr/bin/perl -i.bak -ne 'print unless(m/^. Please enter the commit message/..m/^#$/)' "$COMMIT_MSG_FILE"
+
+# case "$COMMIT_SOURCE,$SHA1" in
+#  ,|template,)
+#    /usr/bin/perl -i.bak -pe '
+#       print "\n" . `git diff --cached --name-status -r`
+# 	 if /^#/ && $first++ == 0' "$COMMIT_MSG_FILE" ;;
+#  *) ;;
+# esac
+
+# SOB=$(git var GIT_COMMITTER_IDENT | sed -n 's/^\(.*>\).*$/Signed-off-by: \1/p')
+# git interpret-trailers --in-place --trailer "$SOB" "$COMMIT_MSG_FILE"
+# if test -z "$COMMIT_SOURCE"
+# then
+#   /usr/bin/perl -i.bak -pe 'print "\n" if !$first_line++' "$COMMIT_MSG_FILE"
+# fi
@@ -0,0 +1,78 @@
+#!/bin/sh
+
+# An example hook script to update a checked-out tree on a git push.
+#
+# This hook is invoked by git-receive-pack(1) when it reacts to git
+# push and updates reference(s) in its repository, and when the push
+# tries to update the branch that is currently checked out and the
+# receive.denyCurrentBranch configuration variable is set to
+# updateInstead.
+#
+# By default, such a push is refused if the working tree and the index
+# of the remote repository has any difference from the currently
+# checked out commit; when both the working tree and the index match
+# the current commit, they are updated to match the newly pushed tip
+# of the branch. This hook is to be used to override the default
+# behaviour; however the code below reimplements the default behaviour
+# as a starting point for convenient modification.
+#
+# The hook receives the commit with which the tip of the current
+# branch is going to be updated:
+commit=$1
+
+# It can exit with a non-zero status to refuse the push (when it does
+# so, it must not modify the index or the working tree).
+die () {
+	echo >&2 "$*"
+	exit 1
+}
+
+# Or it can make any necessary changes to the working tree and to the
+# index to bring them to the desired state when the tip of the current
+# branch is updated to the new commit, and exit with a zero status.
+#
+# For example, the hook can simply run git read-tree -u -m HEAD "$1"
+# in order to emulate git fetch that is run in the reverse direction
+# with git push, as the two-tree form of git read-tree -u -m is
+# essentially the same as git switch or git checkout that switches
+# branches while keeping the local changes in the working tree that do
+# not interfere with the difference between the branches.
+
+# The below is a more-or-less exact translation to shell of the C code
+# for the default behaviour for git's push-to-checkout hook defined in
+# the push_to_deploy() function in builtin/receive-pack.c.
+#
+# Note that the hook will be executed from the repository directory,
+# not from the working tree, so if you want to perform operations on
+# the working tree, you will have to adapt your code accordingly, e.g.
+# by adding "cd .." or using relative paths.
+
+if ! git update-index -q --ignore-submodules --refresh
+then
+	die "Up-to-date check failed"
+fi
+
+if ! git diff-files --quiet --ignore-submodules --
+then
+	die "Working directory has unstaged changes"
+fi
+
+# This is a rough translation of:
+#
+#   head_has_history() ? "HEAD" : EMPTY_TREE_SHA1_HEX
+if git cat-file -e HEAD 2>/dev/null
+then
+	head=HEAD
+else
+	head=$(git hash-object -t tree --stdin </dev/null)
+fi
+
+if ! git diff-index --quiet --cached --ignore-submodules $head --
+then
+	die "Working directory has staged changes"
+fi
+
+if ! git read-tree -u -m "$commit"
+then
+	die "Could not update working tree to new HEAD"
+fi
@@ -0,0 +1,77 @@
+#!/bin/sh
+
+# An example hook script to validate a patch (and/or patch series) before
+# sending it via email.
+#
+# The hook should exit with non-zero status after issuing an appropriate
+# message if it wants to prevent the email(s) from being sent.
+#
+# To enable this hook, rename this file to "sendemail-validate".
+#
+# By default, it will only check that the patch(es) can be applied on top of
+# the default upstream branch without conflicts in a secondary worktree. After
+# validation (successful or not) of the last patch of a series, the worktree
+# will be deleted.
+#
+# The following config variables can be set to change the default remote and
+# remote ref that are used to apply the patches against:
+#
+#   sendemail.validateRemote (default: origin)
+#   sendemail.validateRemoteRef (default: HEAD)
+#
+# Replace the TODO placeholders with appropriate checks according to your
+# needs.
+
+validate_cover_letter () {
+	file="$1"
+	# TODO: Replace with appropriate checks (e.g. spell checking).
+	true
+}
+
+validate_patch () {
+	file="$1"
+	# Ensure that the patch applies without conflicts.
+	git am -3 "$file" || return
+	# TODO: Replace with appropriate checks for this patch
+	# (e.g. checkpatch.pl).
+	true
+}
+
+validate_series () {
+	# TODO: Replace with appropriate checks for the whole series
+	# (e.g. quick build, coding style checks, etc.).
+	true
+}
+
+# main -------------------------------------------------------------------------
+
+if test "$GIT_SENDEMAIL_FILE_COUNTER" = 1
+then
+	remote=$(git config --default origin --get sendemail.validateRemote) &&
+	ref=$(git config --default HEAD --get sendemail.validateRemoteRef) &&
+	worktree=$(mktemp --tmpdir -d sendemail-validate.XXXXXXX) &&
+	git worktree add -fd --checkout "$worktree" "refs/remotes/$remote/$ref" &&
+	git config --replace-all sendemail.validateWorktree "$worktree"
+else
+	worktree=$(git config --get sendemail.validateWorktree)
+fi || {
+	echo "sendemail-validate: error: failed to prepare worktree" >&2
+	exit 1
+}
+
+unset GIT_DIR GIT_WORK_TREE
+cd "$worktree" &&
+
+if grep -q "^diff --git " "$1"
+then
+	validate_patch "$1"
+else
+	validate_cover_letter "$1"
+fi &&
+
+if test "$GIT_SENDEMAIL_FILE_COUNTER" = "$GIT_SENDEMAIL_FILE_TOTAL"
+then
+	git config --unset-all sendemail.validateWorktree &&
+	trap 'git worktree remove -ff "$worktree"' EXIT &&
+	validate_series
+fi
@@ -0,0 +1,128 @@
+#!/bin/sh
+#
+# An example hook script to block unannotated tags from entering.
+# Called by "git receive-pack" with arguments: refname sha1-old sha1-new
+#
+# To enable this hook, rename this file to "update".
+#
+# Config
+# ------
+# hooks.allowunannotated
+#   This boolean sets whether unannotated tags will be allowed into the
+#   repository.  By default they won't be.
+# hooks.allowdeletetag
+#   This boolean sets whether deleting tags will be allowed in the
+#   repository.  By default they won't be.
+# hooks.allowmodifytag
+#   This boolean sets whether a tag may be modified after creation. By default
+#   it won't be.
+# hooks.allowdeletebranch
+#   This boolean sets whether deleting branches will be allowed in the
+#   repository.  By default they won't be.
+# hooks.denycreatebranch
+#   This boolean sets whether remotely creating branches will be denied
+#   in the repository.  By default this is allowed.
+#
+
+# --- Command line
+refname="$1"
+oldrev="$2"
+newrev="$3"
+
+# --- Safety check
+if [ -z "$GIT_DIR" ]; then
+	echo "Don't run this script from the command line." >&2
+	echo " (if you want, you could supply GIT_DIR then run" >&2
+	echo "  $0 <ref> <oldrev> <newrev>)" >&2
+	exit 1
+fi
+
+if [ -z "$refname" -o -z "$oldrev" -o -z "$newrev" ]; then
+	echo "usage: $0 <ref> <oldrev> <newrev>" >&2
+	exit 1
+fi
+
+# --- Config
+allowunannotated=$(git config --type=bool hooks.allowunannotated)
+allowdeletebranch=$(git config --type=bool hooks.allowdeletebranch)
+denycreatebranch=$(git config --type=bool hooks.denycreatebranch)
+allowdeletetag=$(git config --type=bool hooks.allowdeletetag)
+allowmodifytag=$(git config --type=bool hooks.allowmodifytag)
+
+# check for no description
+projectdesc=$(sed -e '1q' "$GIT_DIR/description")
+case "$projectdesc" in
+"Unnamed repository"* | "")
+	echo "*** Project description file hasn't been set" >&2
+	exit 1
+	;;
+esac
+
+# --- Check types
+# if $newrev is 0000...0000, it's a commit to delete a ref.
+zero=$(git hash-object --stdin </dev/null | tr '[0-9a-f]' '0')
+if [ "$newrev" = "$zero" ]; then
+	newrev_type=delete
+else
+	newrev_type=$(git cat-file -t $newrev)
+fi
+
+case "$refname","$newrev_type" in
+	refs/tags/*,commit)
+		# un-annotated tag
+		short_refname=${refname##refs/tags/}
+		if [ "$allowunannotated" != "true" ]; then
+			echo "*** The un-annotated tag, $short_refname, is not allowed in this repository" >&2
+			echo "*** Use 'git tag [ -a | -s ]' for tags you want to propagate." >&2
+			exit 1
+		fi
+		;;
+	refs/tags/*,delete)
+		# delete tag
+		if [ "$allowdeletetag" != "true" ]; then
+			echo "*** Deleting a tag is not allowed in this repository" >&2
+			exit 1
+		fi
+		;;
+	refs/tags/*,tag)
+		# annotated tag
+		if [ "$allowmodifytag" != "true" ] && git rev-parse $refname > /dev/null 2>&1
+		then
+			echo "*** Tag '$refname' already exists." >&2
+			echo "*** Modifying a tag is not allowed in this repository." >&2
+			exit 1
+		fi
+		;;
+	refs/heads/*,commit)
+		# branch
+		if [ "$oldrev" = "$zero" -a "$denycreatebranch" = "true" ]; then
+			echo "*** Creating a branch is not allowed in this repository" >&2
+			exit 1
+		fi
+		;;
+	refs/heads/*,delete)
+		# delete branch
+		if [ "$allowdeletebranch" != "true" ]; then
+			echo "*** Deleting a branch is not allowed in this repository" >&2
+			exit 1
+		fi
+		;;
+	refs/remotes/*,commit)
+		# tracking branch
+		;;
+	refs/remotes/*,delete)
+		# delete tracking branch
+		if [ "$allowdeletebranch" != "true" ]; then
+			echo "*** Deleting a tracking branch is not allowed in this repository" >&2
+			exit 1
+		fi
+		;;
+	*)
+		# Anything else (is there anything else?)
+		echo "*** Update hook: unknown type of update to ref $refname of type $newrev_type" >&2
+		exit 1
+		;;
+esac
+
+# --- Finished
+exit 0
@@ -0,0 +1,6 @@
+# git ls-files --others --exclude-from=.git/info/exclude
+# Lines that start with '#' are comments.
+# For a project mostly in C, the following would be a good set of
+# exclude patterns (uncomment them if you want to use them):
+# *.[oa]
+# *~
@@ -22,6 +22,8 @@ const RegisterPage  = lazy(() => import('./pages/RegisterPage'))
 const DashboardPage     = lazy(() => import('./pages/DashboardPage'))
 const ReposPage         = lazy(() => import('./pages/ReposPage'))
 const RepoPage          = lazy(() => import('./pages/RepoPage'))
+const RepoSettingsPage  = lazy(() => import('./pages/RepoSettingsPage'))
+const RepoIssuesPage    = lazy(() => import('./pages/RepoIssuesPage'))
 const RepoPRsPage       = lazy(() => import('./pages/RepoPRsPage'))
 const PRDetailPage      = lazy(() => import('./pages/PRDetailPage'))
 const PRsPage           = lazy(() => import('./pages/PRsPage'))
@@ -55,17 +57,16 @@ export default function App() {
        <CSRFBootstrap />
        <AuthProvider>
          <Routes>
-            {/* Auth pages — full screen, no shell */}
            <Route path="/login"    element={<S><LoginPage /></S>} />
            <Route path="/register" element={<S><RegisterPage /></S>} />

-            {/* Shell layout — explicit root path prevents ambiguous wildcard matching */}
            <Route path="/" element={<AppShell />}>
              <Route index element={<S><DashboardPage /></S>} />

-              {/* Repos — nested so /repos/:owner/:repo is unambiguous */}
              <Route path="repos" element={<S><ReposPage /></S>} />
              <Route path="repos/:owner/:repo"                   element={<S><RepoPage /></S>} />
+              <Route path="repos/:owner/:repo/settings"          element={<S><RepoSettingsPage /></S>} />
+              <Route path="repos/:owner/:repo/issues"            element={<S><RepoIssuesPage /></S>} />
              <Route path="repos/:owner/:repo/pulls"             element={<S><RepoPRsPage /></S>} />
              <Route path="repos/:owner/:repo/pulls/:prId"       element={<S><PRDetailPage /></S>} />

@@ -75,7 +76,6 @@ export default function App() {
              <Route path="profile"   element={<S><ProfilePage /></S>} />
              <Route path="settings"  element={<S><SettingsPage /></S>} />

-              {/* 404 within shell — shows a message, does NOT redirect */}
              <Route path="*" element={<NotFound />} />
            </Route>
          </Routes>
@@ -75,6 +75,8 @@ export const api = {
    request(path, schema, { method: 'POST', json: body }),
  put: <T>(path: string, schema: z.ZodType<T>, body: unknown) =>
    request(path, schema, { method: 'PUT', json: body }),
+  patch: <T>(path: string, schema: z.ZodType<T>, body: unknown) =>
+    request(path, schema, { method: 'PATCH', json: body }),
  delete: <T>(path: string, schema: z.ZodType<T>) =>
    request(path, schema, { method: 'DELETE' }),
 }
@@ -0,0 +1,69 @@
+import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query'
+import { z } from 'zod'
+import { api } from '../client'
+import type { Issue, IssueState } from '../../types/api'
+
+const issueSchema = z.object({
+  id: z.number(),
+  repoId: z.number(),
+  authorId: z.number(),
+  authorName: z.string(),
+  number: z.number(),
+  title: z.string(),
+  body: z.string(),
+  state: z.enum(['open', 'closed']),
+  createdAt: z.string(),
+  updatedAt: z.string(),
+})
+
+const issuesSchema = z.array(issueSchema)
+
+export function useIssues(owner: string, repo: string, state: IssueState = 'open') {
+  return useQuery({
+    queryKey: ['repos', owner, repo, 'issues', state],
+    queryFn: () =>
+      api.get<Issue[]>(`/api/v1/repos/${owner}/${repo}/issues?state=${state}`, issuesSchema),
+    enabled: Boolean(owner && repo),
+  })
+}
+
+export function useCreateIssue(owner: string, repo: string) {
+  const queryClient = useQueryClient()
+  return useMutation({
+    mutationFn: (data: { title: string; body?: string }) =>
+      api.post<Issue>(`/api/v1/repos/${owner}/${repo}/issues`, issueSchema, data),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ['repos', owner, repo, 'issues'] })
+    },
+  })
+}
+
+export function useCloseIssue(owner: string, repo: string) {
+  const queryClient = useQueryClient()
+  return useMutation({
+    mutationFn: (issueNum: number) =>
+      api.post<Issue>(
+        `/api/v1/repos/${owner}/${repo}/issues/${issueNum}/close`,
+        issueSchema,
+        {},
+      ),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ['repos', owner, repo, 'issues'] })
+    },
+  })
+}
+
+export function useReopenIssue(owner: string, repo: string) {
+  const queryClient = useQueryClient()
+  return useMutation({
+    mutationFn: (issueNum: number) =>
+      api.post<Issue>(
+        `/api/v1/repos/${owner}/${repo}/issues/${issueNum}/reopen`,
+        issueSchema,
+        {},
+      ),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ['repos', owner, repo, 'issues'] })
+    },
+  })
+}
@@ -74,6 +74,30 @@ export function useRepoDiff(owner: string, name: string, base: string, head: str
  })
 }

+export function useUpdateRepo(owner: string, name: string) {
+  const queryClient = useQueryClient()
+  return useMutation({
+    mutationFn: (data: { description?: string; isPrivate?: boolean; defaultBranch?: string }) =>
+      api.patch<Repository>(
+        `/api/v1/repos/${owner}/${name}`,
+        repositorySchema,
+        data,
+      ),
+    onSuccess: (updated) => {
+      queryClient.invalidateQueries({ queryKey: ['repos'] })
+      queryClient.setQueryData(['repos', owner, name], updated)
+    },
+  })
+}
+
+export function useDeleteRepo(owner: string, name: string) {
+  const queryClient = useQueryClient()
+  return useMutation({
+    mutationFn: () => api.delete(`/api/v1/repos/${owner}/${name}`, z.any()),
+    onSuccess: () => queryClient.invalidateQueries({ queryKey: ['repos'] }),
+  })
+}
+
 export function useCreateRepo() {
  const queryClient = useQueryClient()
  return useMutation({
@@ -0,0 +1,40 @@
+import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query'
+import { z } from 'zod'
+import { api } from '../client'
+import type { SSHKey } from '../../types/api'
+
+const sshKeySchema = z.object({
+  id: z.number(),
+  userId: z.number(),
+  title: z.string(),
+  fingerprint: z.string(),
+  publicKey: z.string(),
+  createdAt: z.string(),
+})
+
+const sshKeysSchema = z.array(sshKeySchema)
+
+export function useSSHKeys() {
+  return useQuery({
+    queryKey: ['user', 'keys'],
+    queryFn: () => api.get<SSHKey[]>('/api/v1/user/keys', sshKeysSchema),
+  })
+}
+
+export function useAddSSHKey() {
+  const queryClient = useQueryClient()
+  return useMutation({
+    mutationFn: (data: { title: string; publicKey: string }) =>
+      api.post<SSHKey>('/api/v1/user/keys', sshKeySchema, data),
+    onSuccess: () => queryClient.invalidateQueries({ queryKey: ['user', 'keys'] }),
+  })
+}
+
+export function useDeleteSSHKey() {
+  const queryClient = useQueryClient()
+  return useMutation({
+    mutationFn: (keyId: number) =>
+      api.delete(`/api/v1/user/keys/${keyId}`, z.any()),
+    onSuccess: () => queryClient.invalidateQueries({ queryKey: ['user', 'keys'] }),
+  })
+}
@@ -1,6 +1,7 @@
 import { useState } from 'react'
 import { useParams, Link } from 'react-router-dom'
 import { usePR } from '../api/queries/prs'
+import { useRepoDiff } from '../api/queries/repos'
 import { DiffViewer } from '../components/diff/DiffViewer'
 import { MobileComment } from '../components/diff/MobileComment'
 import { Skeleton } from '../ui/Skeleton'
@@ -9,6 +10,11 @@ import { cn } from '../lib/utils'
 export default function PRDetailPage() {
  const { owner = '', repo = '', prId = '' } = useParams<{ owner: string; repo: string; prId: string }>()
  const { data: pr, isLoading, isError } = usePR(owner, repo, parseInt(prId, 10))
+  const { data: diffs } = useRepoDiff(
+    owner, repo,
+    pr?.targetBranch ?? '',
+    pr?.sourceBranch ?? '',
+  )
  const [comment, setComment] = useState<{ file: string; line: number } | null>(null)

  if (isLoading) {
@@ -73,8 +79,7 @@ export default function PRDetailPage() {
          Files changed
        </h2>

-        {/* Demo diff — real diff loads when repo has commits on both branches */}
-        <DiffViewer files={DEMO_DIFF} />
+        <DiffViewer files={diffs ?? []} />
      </div>

      {/* Mobile comment sheet */}
@@ -88,22 +93,3 @@ export default function PRDetailPage() {
  )
 }

-// Demo diff to show the component before real git data is available
-const DEMO_DIFF = [
-  {
-    path: 'README.md',
-    additions: 6,
-    deletions: 1,
-    patch: `@@ -1,3 +1,8 @@
-# Project
-+# My Project
-+
-+A sovereign, federated git collaboration platform.
-+
-+## Features
-+- Fast Go backend
-+- React 18 frontend
-+- ActivityPub federation
- `,
-  },
-]
@@ -0,0 +1,109 @@
+import { useState } from 'react'
+import { useParams, Link } from 'react-router-dom'
+import { useIssues, useCreateIssue, useCloseIssue, useReopenIssue } from '../api/queries/issues'
+import { cn } from '../lib/utils'
+import type { IssueState } from '../types/api'
+
+export default function RepoIssuesPage() {
+  const { owner = '', repo = '' } = useParams<{ owner: string; repo: string }>()
+  const [state, setState] = useState<IssueState>('open')
+  const [showNew, setShowNew] = useState(false)
+
+  const { data: issues, isLoading } = useIssues(owner, repo, state)
+  const createIssue = useCreateIssue(owner, repo)
+  const closeIssue = useCloseIssue(owner, repo)
+  const reopenIssue = useReopenIssue(owner, repo)
+
+  const [title, setTitle] = useState('')
+  const [body, setBody] = useState('')
+
+  const handleCreate = async (e: React.FormEvent) => {
+    e.preventDefault()
+    if (!title.trim()) return
+    await createIssue.mutateAsync({ title: title.trim(), body })
+    setTitle(''); setBody(''); setShowNew(false)
+  }
+
+  return (
+    <div className="max-w-4xl mx-auto px-4 md:px-6 py-6">
+      <div className="flex items-center gap-1 text-sm mb-4">
+        <Link to={`/repos/${owner}/${repo}`} className="text-[#0052CC] hover:underline">{repo}</Link>
+        <span className="text-[#5E6C84]">/</span>
+        <span className="font-semibold text-[#172B4D]">Issues</span>
+      </div>
+
+      <div className="flex items-center justify-between mb-4">
+        <h1 className="text-xl font-semibold text-[#172B4D]">Issues</h1>
+        <button onClick={() => setShowNew(true)}
+          className="px-3 py-2 rounded bg-[#0052CC] text-white text-sm font-medium hover:bg-[#0065FF] min-h-[44px]">
+          New issue
+        </button>
+      </div>
+
+      {showNew && (
+        <form onSubmit={handleCreate} className="mb-6 p-5 border border-[#4C9AFF] rounded bg-white space-y-3">
+          <h2 className="text-sm font-semibold text-[#172B4D]">New Issue</h2>
+          <input value={title} onChange={e => setTitle(e.target.value)} placeholder="Title" required
+            className="w-full border border-[#DFE1E6] rounded px-3 py-2 text-sm focus:outline-none focus:border-[#4C9AFF]" />
+          <textarea value={body} onChange={e => setBody(e.target.value)} placeholder="Description (optional)" rows={4}
+            className="w-full border border-[#DFE1E6] rounded px-3 py-2 text-sm resize-none focus:outline-none focus:border-[#4C9AFF]" />
+          <div className="flex gap-2">
+            <button type="submit" disabled={createIssue.isPending || !title.trim()}
+              className="px-4 py-2 rounded bg-[#0052CC] text-white text-sm hover:bg-[#0065FF] disabled:opacity-50 min-h-[44px]">
+              {createIssue.isPending ? 'Submitting…' : 'Submit'}
+            </button>
+            <button type="button" onClick={() => setShowNew(false)}
+              className="px-4 py-2 rounded border border-[#DFE1E6] text-sm text-[#172B4D] hover:bg-[#F4F5F7] min-h-[44px]">
+              Cancel
+            </button>
+          </div>
+        </form>
+      )}
+
+      <div className="flex gap-1 mb-4 border-b border-[#DFE1E6]">
+        {(['open', 'closed'] as IssueState[]).map(s => {
+          const count = issues?.filter(i => i.state === s).length ?? 0
+          return (
+            <button key={s} onClick={() => setState(s)}
+              className={cn('px-4 py-2 text-sm font-medium capitalize border-b-2 -mb-px min-h-[44px]',
+                state === s ? 'border-[#0052CC] text-[#0052CC]' : 'border-transparent text-[#5E6C84] hover:text-[#172B4D]')}>
+              {s} {count > 0 && `(${count})`}
+            </button>
+          )
+        })}
+      </div>
+
+      {isLoading ? (
+        <p className="text-sm text-[#5E6C84] py-4">Loading…</p>
+      ) : !issues?.length ? (
+        <p className="text-sm text-[#5E6C84] py-8 text-center">No {state} issues.</p>
+      ) : (
+        <div className="flex flex-col gap-2">
+          {issues.map(issue => (
+            <div key={issue.id}
+              className="flex items-start gap-3 p-4 border border-[#DFE1E6] rounded hover:bg-[#FAFBFC]">
+              <svg width="16" height="16" viewBox="0 0 16 16" fill={issue.state === 'open' ? '#00875A' : '#5E6C84'}
+                className="mt-0.5 shrink-0">
+                <path d="M8 1.5a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0 0-13ZM0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8Zm9 3a1 1 0 1 1-2 0 1 1 0 0 1 2 0Zm-.25-6.25a.75.75 0 0 0-1.5 0v3.5a.75.75 0 0 0 1.5 0v-3.5Z"/>
+              </svg>
+              <div className="flex-1 min-w-0">
+                <p className="text-sm font-medium text-[#172B4D]">#{issue.number} {issue.title}</p>
+                <p className="text-xs text-[#5E6C84] mt-0.5">
+                  opened by {issue.authorName} · {new Date(issue.createdAt).toLocaleDateString()}
+                </p>
+              </div>
+              <button
+                onClick={() => issue.state === 'open'
+                  ? closeIssue.mutate(issue.number)
+                  : reopenIssue.mutate(issue.number)
+                }
+                className="text-xs px-3 py-1.5 rounded border border-[#DFE1E6] text-[#5E6C84] hover:bg-[#F4F5F7] shrink-0 min-h-[32px]">
+                {issue.state === 'open' ? 'Close' : 'Reopen'}
+              </button>
+            </div>
+          ))}
+        </div>
+      )}
+    </div>
+  )
+}
@@ -39,7 +39,7 @@ export default function RepoPage() {
        <GettingStarted owner={owner} repoName={repoName} branch={branch} cloneUrl={cloneUrl} />
      ) : (
        <>
-          {/* Branch pill + PR link */}
+          {/* Branch pill + repo nav tabs */}
          <div className="flex items-center gap-3 flex-wrap">
            <div className="flex items-center gap-1.5 px-2.5 py-1.5 border border-[#DFE1E6] rounded text-sm text-[#172B4D]">
              <svg width="14" height="14" fill="none" stroke="currentColor" strokeWidth="1.5" viewBox="0 0 24 24">
@@ -47,9 +47,9 @@ export default function RepoPage() {
              </svg>
              {branch}
            </div>
-            <Link to={`/repos/${owner}/${repoName}/pulls`} className="text-sm text-[#0052CC] hover:underline">
-              Pull requests
-            </Link>
+            <Link to={`/repos/${owner}/${repoName}/issues`} className="text-sm text-[#0052CC] hover:underline">Issues</Link>
+            <Link to={`/repos/${owner}/${repoName}/pulls`} className="text-sm text-[#0052CC] hover:underline">Pull requests</Link>
+            <Link to={`/repos/${owner}/${repoName}/settings`} className="text-sm text-[#5E6C84] hover:text-[#172B4D] hover:underline ml-auto">Settings</Link>
          </div>

          <TreeBrowser owner={owner} repo={repoName} ref={branch} path={path} />
@@ -0,0 +1,92 @@
+import { useState } from 'react'
+import { useParams, Link, useNavigate } from 'react-router-dom'
+import { useRepo, useUpdateRepo, useDeleteRepo } from '../api/queries/repos'
+
+export default function RepoSettingsPage() {
+  const { owner = '', repo: repoName = '' } = useParams<{ owner: string; repo: string }>()
+  const navigate = useNavigate()
+  const { data: repo } = useRepo(owner, repoName)
+  const updateRepo = useUpdateRepo(owner, repoName)
+  const deleteRepo = useDeleteRepo(owner, repoName)
+
+  const [description, setDescription] = useState(repo?.description ?? '')
+  const [isPrivate, setIsPrivate] = useState(repo?.isPrivate ?? false)
+  const [confirmDelete, setConfirmDelete] = useState('')
+  const [saved, setSaved] = useState(false)
+
+  const handleSave = async (e: React.FormEvent) => {
+    e.preventDefault()
+    await updateRepo.mutateAsync({ description, isPrivate })
+    setSaved(true)
+    setTimeout(() => setSaved(false), 2000)
+  }
+
+  const handleDelete = async () => {
+    if (confirmDelete !== repoName) return
+    await deleteRepo.mutateAsync()
+    navigate('/repos')
+  }
+
+  return (
+    <div className="max-w-2xl mx-auto px-4 md:px-6 py-6 space-y-8">
+      <div className="flex items-center gap-1 text-sm">
+        <Link to={`/repos/${owner}/${repoName}`} className="text-[#0052CC] hover:underline">{repoName}</Link>
+        <span className="text-[#5E6C84]">/</span>
+        <span className="font-semibold text-[#172B4D]">Settings</span>
+      </div>
+
+      <h1 className="text-xl font-semibold text-[#172B4D]">Repository Settings</h1>
+
+      <section className="border border-[#DFE1E6] rounded-lg overflow-hidden">
+        <div className="px-5 py-4 border-b border-[#DFE1E6] bg-[#FAFBFC]">
+          <h2 className="text-sm font-semibold text-[#172B4D]">General</h2>
+        </div>
+        <form onSubmit={handleSave} className="px-5 py-5 space-y-4">
+          <div>
+            <label className="block text-xs font-semibold text-[#172B4D] mb-1">Repository name</label>
+            <input value={repoName} disabled
+              className="w-full border border-[#DFE1E6] rounded px-3 py-2 text-sm bg-[#F4F5F7] text-[#5E6C84] cursor-not-allowed" />
+            <p className="text-xs text-[#5E6C84] mt-1">Renaming requires migrating git remotes — coming soon.</p>
+          </div>
+          <div>
+            <label className="block text-xs font-semibold text-[#172B4D] mb-1">Description</label>
+            <input value={description} onChange={e => setDescription(e.target.value)}
+              placeholder="Short description of this repository"
+              className="w-full border border-[#DFE1E6] rounded px-3 py-2 text-sm focus:outline-none focus:border-[#4C9AFF]" />
+          </div>
+          <label className="flex items-center gap-2 cursor-pointer">
+            <input type="checkbox" checked={isPrivate} onChange={e => setIsPrivate(e.target.checked)} />
+            <span className="text-sm text-[#172B4D]">Private repository</span>
+          </label>
+          <div className="flex items-center gap-3">
+            <button type="submit" disabled={updateRepo.isPending}
+              className="px-4 py-2 rounded bg-[#0052CC] text-white text-sm font-medium hover:bg-[#0065FF] disabled:opacity-50 min-h-[44px]">
+              {updateRepo.isPending ? 'Saving…' : 'Save changes'}
+            </button>
+            {saved && <span className="text-xs text-[#00875A] font-medium">Saved!</span>}
+          </div>
+        </form>
+      </section>
+
+      <section className="border border-[#FFEBE6] rounded-lg overflow-hidden">
+        <div className="px-5 py-4 border-b border-[#FFEBE6] bg-[#FFEBE6]/50">
+          <h2 className="text-sm font-semibold text-[#BF2600]">Danger zone</h2>
+        </div>
+        <div className="px-5 py-5 space-y-3">
+          <p className="text-sm text-[#172B4D] font-medium">Delete this repository</p>
+          <p className="text-xs text-[#5E6C84]">
+            This action is permanent. Type <code className="font-mono bg-[#F4F5F7] px-1 rounded">{repoName}</code> to confirm.
+          </p>
+          <input value={confirmDelete} onChange={e => setConfirmDelete(e.target.value)}
+            placeholder={repoName}
+            className="w-full border border-[#DE350B] rounded px-3 py-2 text-sm focus:outline-none focus:border-[#DE350B]" />
+          <button onClick={handleDelete}
+            disabled={confirmDelete !== repoName || deleteRepo.isPending}
+            className="px-4 py-2 rounded bg-[#DE350B] text-white text-sm font-medium hover:bg-[#BF2600] disabled:opacity-40 min-h-[44px]">
+            {deleteRepo.isPending ? 'Deleting…' : 'Delete repository'}
+          </button>
+        </div>
+      </section>
+    </div>
+  )
+}
@@ -1,6 +1,7 @@
 import { useState } from 'react'
 import { Link } from 'react-router-dom'
 import { useAuth } from '../contexts/AuthContext'
+import { useSSHKeys, useAddSSHKey, useDeleteSSHKey } from '../api/queries/sshkeys'

 export default function SettingsPage() {
  const { user, logout } = useAuth()
@@ -58,15 +59,7 @@ export default function SettingsPage() {
        </form>
      </section>

-      {/* SSH keys placeholder */}
-      <section className="border border-[#DFE1E6] rounded-lg overflow-hidden">
-        <div className="px-5 py-4 border-b border-[#DFE1E6] bg-[#FAFBFC]">
-          <h2 className="text-sm font-semibold text-[#172B4D]">SSH keys</h2>
-        </div>
-        <div className="px-5 py-5 text-sm text-[#5E6C84]">
-          SSH key management coming soon.
-        </div>
-      </section>
+      <SSHKeySection />

      {/* Danger zone */}
      <section className="border border-[#FFEBE6] rounded-lg overflow-hidden">
@@ -100,3 +93,75 @@ function Row({ label, value }: { label: string; value?: string }) {
    </div>
  )
 }
+
+function SSHKeySection() {
+  const { data: keys } = useSSHKeys()
+  const addKey = useAddSSHKey()
+  const deleteKey = useDeleteSSHKey()
+  const [showAdd, setShowAdd] = useState(false)
+  const [title, setTitle] = useState('')
+  const [publicKey, setPublicKey] = useState('')
+
+  const handleAdd = async (e: React.FormEvent) => {
+    e.preventDefault()
+    await addKey.mutateAsync({ title, publicKey })
+    setTitle(''); setPublicKey(''); setShowAdd(false)
+  }
+
+  return (
+    <section className="border border-[#DFE1E6] rounded-lg overflow-hidden">
+      <div className="px-5 py-4 border-b border-[#DFE1E6] bg-[#FAFBFC] flex items-center justify-between">
+        <h2 className="text-sm font-semibold text-[#172B4D]">SSH keys</h2>
+        <button onClick={() => setShowAdd(s => !s)}
+          className="text-xs text-[#0052CC] hover:underline font-medium">
+          {showAdd ? 'Cancel' : '+ Add key'}
+        </button>
+      </div>
+
+      {showAdd && (
+        <form onSubmit={handleAdd} className="px-5 py-4 border-b border-[#DFE1E6] space-y-3 bg-[#FAFBFC]">
+          <div>
+            <label className="block text-xs font-semibold text-[#172B4D] mb-1">Title</label>
+            <input value={title} onChange={e => setTitle(e.target.value)} required placeholder="e.g. MacBook Pro"
+              className="w-full border border-[#DFE1E6] rounded px-3 py-2 text-sm focus:outline-none focus:border-[#4C9AFF]" />
+          </div>
+          <div>
+            <label className="block text-xs font-semibold text-[#172B4D] mb-1">Public key</label>
+            <textarea value={publicKey} onChange={e => setPublicKey(e.target.value)} required rows={3}
+              placeholder="ssh-ed25519 AAAA… or ssh-rsa AAAA…"
+              className="w-full border border-[#DFE1E6] rounded px-3 py-2 text-xs font-mono resize-none focus:outline-none focus:border-[#4C9AFF]" />
+          </div>
+          {addKey.isError && (
+            <p className="text-xs text-[#DE350B]">{addKey.error instanceof Error ? addKey.error.message : 'Error'}</p>
+          )}
+          <button type="submit" disabled={addKey.isPending}
+            className="px-4 py-2 rounded bg-[#0052CC] text-white text-sm font-medium hover:bg-[#0065FF] disabled:opacity-50 min-h-[44px]">
+            {addKey.isPending ? 'Adding…' : 'Add SSH key'}
+          </button>
+        </form>
+      )}
+
+      {!keys?.length ? (
+        <div className="px-5 py-5 text-sm text-[#5E6C84]">No SSH keys added yet.</div>
+      ) : (
+        <ul>
+          {keys.map(key => (
+            <li key={key.id} className="flex items-center gap-3 px-5 py-3 border-b border-[#DFE1E6] last:border-0">
+              <svg width="16" height="16" fill="none" stroke="#5E6C84" strokeWidth="1.5" viewBox="0 0 24 24" className="shrink-0">
+                <path strokeLinecap="round" strokeLinejoin="round" d="M15.75 5.25a3 3 0 0 1 3 3m3 0a6 6 0 0 1-7.029 5.912c-.563-.097-1.159.026-1.563.43L10.5 17.25H8.25v2.25H6v2.25H2.25v-2.818c0-.597.237-1.17.659-1.591l6.499-6.499c.404-.404.527-1 .43-1.563A6 6 0 0 1 21.75 8.25Z" />
+              </svg>
+              <div className="flex-1 min-w-0">
+                <p className="text-sm font-medium text-[#172B4D] truncate">{key.title}</p>
+                <p className="text-xs font-mono text-[#5E6C84] truncate">{key.fingerprint}</p>
+              </div>
+              <button onClick={() => deleteKey.mutate(key.id)}
+                className="text-xs px-3 py-1.5 rounded border border-[#DE350B] text-[#DE350B] hover:bg-[#FFEBE6] shrink-0 min-h-[32px]">
+                Delete
+              </button>
+            </li>
+          ))}
+        </ul>
+      )}
+    </section>
+  )
+}
@@ -62,6 +62,30 @@ export interface Pipeline {
  updatedAt: string
 }

+export type IssueState = 'open' | 'closed'
+
+export interface Issue {
+  id: number
+  repoId: number
+  authorId: number
+  authorName: string
+  number: number
+  title: string
+  body: string
+  state: IssueState
+  createdAt: string
+  updatedAt: string
+}
+
+export interface SSHKey {
+  id: number
+  userId: number
+  title: string
+  fingerprint: string
+  publicKey: string
+  createdAt: string
+}
+
 export interface ApiError {
  error: string
  status: number
@@ -0,0 +1,195 @@
+package handlers
+
+import (
+	"bufio"
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"os/exec"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/go-chi/chi/v5"
+	"golang.org/x/crypto/bcrypt"
+	"xorm.io/xorm"
+
+	"github.com/forgeo/forgebucket/internal/config"
+	"github.com/forgeo/forgebucket/internal/models"
+)
+
+type GitHTTPHandler struct {
+	db  *xorm.Engine
+	cfg *config.Config
+}
+
+func NewGitHTTPHandler(db *xorm.Engine, cfg *config.Config) *GitHTTPHandler {
+	return &GitHTTPHandler{db: db, cfg: cfg}
+}
+
+// ServeGit is the entry point for all git smart-HTTP requests.
+// URL shape: /{owner}/{repo}.git/{service}
+func (h *GitHTTPHandler) ServeGit(w http.ResponseWriter, r *http.Request) {
+	owner := chi.URLParam(r, "owner")
+	repoGit := chi.URLParam(r, "repoGit") // e.g. "myrepo.git"
+	repoName := strings.TrimSuffix(repoGit, ".git")
+
+	// Resolve repo from DB
+	var ownerUser models.User
+	if found, _ := h.db.Where("username = ?", owner).Get(&ownerUser); !found {
+		http.NotFound(w, r)
+		return
+	}
+	var repo models.Repository
+	if found, _ := h.db.Where("owner_id = ? AND name = ?", ownerUser.ID, repoName).Get(&repo); !found {
+		http.NotFound(w, r)
+		return
+	}
+
+	// Determine service from URL / query string
+	service := r.URL.Query().Get("service")
+	if service == "" {
+		// POST bodies encode the service in the path
+		path := r.URL.Path
+		if strings.HasSuffix(path, "/git-upload-pack") {
+			service = "git-upload-pack"
+		} else if strings.HasSuffix(path, "/git-receive-pack") {
+			service = "git-receive-pack"
+		}
+	}
+
+	// Require authentication for push; allow anonymous read for public repos
+	var authedUser string
+	user, authed := h.basicAuth(r)
+	if authed {
+		authedUser = user
+	} else if service == "git-receive-pack" || repo.IsPrivate {
+		w.Header().Set("WWW-Authenticate", `Basic realm="ForgeBucket"`)
+		http.Error(w, "authentication required", http.StatusUnauthorized)
+		return
+	}
+
+	// Build PATH_INFO: /{reponame}.git/{suffix}
+	// chi wildcard gives us everything after /{owner}/{repoGit}
+	suffix := chi.URLParam(r, "*")
+	if suffix == "" {
+		suffix = "/"
+	} else if !strings.HasPrefix(suffix, "/") {
+		suffix = "/" + suffix
+	}
+	pathInfo := "/" + repoGit + suffix
+
+	projectRoot := filepath.Dir(repo.DiskPath)
+
+	env := []string{
+		"GIT_PROJECT_ROOT=" + projectRoot,
+		"GIT_HTTP_EXPORT_ALL=1",
+		"PATH_INFO=" + pathInfo,
+		"QUERY_STRING=" + r.URL.RawQuery,
+		"REQUEST_METHOD=" + r.Method,
+		"SERVER_PROTOCOL=HTTP/1.1",
+		"SERVER_SOFTWARE=ForgeBucket/1.0",
+		"REMOTE_ADDR=" + r.RemoteAddr,
+		"HOME=/tmp",
+		"GIT_TERMINAL_PROMPT=0",
+	}
+	if ct := r.Header.Get("Content-Type"); ct != "" {
+		env = append(env, "CONTENT_TYPE="+ct)
+	}
+	if cl := r.ContentLength; cl > 0 {
+		env = append(env, "CONTENT_LENGTH="+strconv.FormatInt(cl, 10))
+	}
+	if authedUser != "" {
+		env = append(env, "REMOTE_USER="+authedUser)
+	}
+
+	gitExec, err := exec.LookPath("git")
+	if err != nil {
+		http.Error(w, "git not found on server", http.StatusInternalServerError)
+		return
+	}
+
+	if err := runGitBackend(r.Context(), w, r.Body, gitExec, env); err != nil {
+		http.Error(w, fmt.Sprintf("git http-backend: %v", err), http.StatusInternalServerError)
+	}
+}
+
+// basicAuth validates HTTP Basic Auth credentials against the DB.
+func (h *GitHTTPHandler) basicAuth(r *http.Request) (username string, ok bool) {
+	u, p, hasAuth := r.BasicAuth()
+	if !hasAuth {
+		return "", false
+	}
+	var user models.User
+	found, _ := h.db.Where("username = ?", u).Get(&user)
+	if !found {
+		return "", false
+	}
+	if bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(p)) != nil {
+		return "", false
+	}
+	return u, true
+}
+
+// runGitBackend executes `git http-backend` as a CGI subprocess and forwards
+// its response (headers + body) to the HTTP response writer.
+func runGitBackend(ctx context.Context, w http.ResponseWriter, body io.Reader, gitExec string, env []string) error {
+	cmd := exec.CommandContext(ctx, gitExec, "http-backend")
+	cmd.Env = env
+
+	pr, pw := io.Pipe()
+	cmd.Stdout = pw
+	cmd.Stdin = body
+
+	var stderrBuf strings.Builder
+	cmd.Stderr = &stderrBuf
+
+	if err := cmd.Start(); err != nil {
+		return fmt.Errorf("start: %w", err)
+	}
+
+	// Close write-end of pipe once git finishes
+	done := make(chan error, 1)
+	go func() {
+		err := cmd.Wait()
+		pw.Close()
+		done <- err
+	}()
+
+	// Parse CGI response: headers then body
+	br := bufio.NewReader(pr)
+	statusCode := http.StatusOK
+
+	for {
+		line, err := br.ReadString('\n')
+		line = strings.TrimRight(line, "\r\n")
+		if line == "" {
+			break
+		}
+		if strings.HasPrefix(line, "Status:") {
+			rest := strings.TrimSpace(strings.TrimPrefix(line, "Status:"))
+			if parts := strings.SplitN(rest, " ", 2); len(parts) >= 1 {
+				if code, e := strconv.Atoi(parts[0]); e == nil {
+					statusCode = code
+				}
+			}
+		} else if idx := strings.Index(line, ":"); idx > 0 {
+			key := strings.TrimSpace(line[:idx])
+			val := strings.TrimSpace(line[idx+1:])
+			w.Header().Set(key, val)
+		}
+		if err != nil {
+			break
+		}
+	}
+
+	w.WriteHeader(statusCode)
+	io.Copy(w, br) //nolint:errcheck
+
+	waitErr := <-done
+	if waitErr != nil && stderrBuf.Len() > 0 {
+		return fmt.Errorf("%w: %s", waitErr, stderrBuf.String())
+	}
+	return waitErr
+}
@@ -0,0 +1,167 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+	"strconv"
+
+	"github.com/go-chi/chi/v5"
+	"xorm.io/xorm"
+
+	"github.com/forgeo/forgebucket/internal/api/middleware"
+	"github.com/forgeo/forgebucket/internal/models"
+)
+
+type IssueHandler struct {
+	db *xorm.Engine
+}
+
+func NewIssueHandler(db *xorm.Engine) *IssueHandler {
+	return &IssueHandler{db: db}
+}
+
+type issueResponse struct {
+	models.Issue
+	AuthorName string `json:"authorName"`
+}
+
+func (h *IssueHandler) enrichIssue(issue *models.Issue) issueResponse {
+	var author models.User
+	h.db.ID(issue.AuthorID).Get(&author)
+	return issueResponse{Issue: *issue, AuthorName: author.Username}
+}
+
+func (h *IssueHandler) List(w http.ResponseWriter, r *http.Request) {
+	repoID, ok := h.repoID(w, r)
+	if !ok {
+		return
+	}
+
+	state := r.URL.Query().Get("state")
+	if state == "" {
+		state = "open"
+	}
+
+	var issues []models.Issue
+	if err := h.db.Where("repo_id = ? AND state = ?", repoID, state).
+		OrderBy("id DESC").Find(&issues); err != nil {
+		jsonError(w, "could not list issues", http.StatusInternalServerError)
+		return
+	}
+
+	result := make([]issueResponse, len(issues))
+	for i := range issues {
+		result[i] = h.enrichIssue(&issues[i])
+	}
+	if result == nil {
+		result = []issueResponse{}
+	}
+	jsonOK(w, result)
+}
+
+func (h *IssueHandler) Create(w http.ResponseWriter, r *http.Request) {
+	repoID, ok := h.repoID(w, r)
+	if !ok {
+		return
+	}
+	authorID, _ := middleware.UserIDFromContext(r.Context())
+
+	var body struct {
+		Title string `json:"title"`
+		Body  string `json:"body"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil || body.Title == "" {
+		jsonError(w, "title is required", http.StatusBadRequest)
+		return
+	}
+
+	// Auto-increment issue number per repo
+	count, _ := h.db.Where("repo_id = ?", repoID).Count(&models.Issue{})
+	number := int(count) + 1
+
+	issue := &models.Issue{
+		RepoID:   repoID,
+		AuthorID: authorID,
+		Number:   number,
+		Title:    body.Title,
+		Body:     body.Body,
+		State:    models.IssueStateOpen,
+	}
+	if _, err := h.db.Insert(issue); err != nil {
+		jsonError(w, "could not create issue", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusCreated)
+	json.NewEncoder(w).Encode(h.enrichIssue(issue))
+}
+
+func (h *IssueHandler) Get(w http.ResponseWriter, r *http.Request) {
+	issue, ok := h.lookupIssue(w, r)
+	if !ok {
+		return
+	}
+	jsonOK(w, h.enrichIssue(issue))
+}
+
+func (h *IssueHandler) Close(w http.ResponseWriter, r *http.Request) {
+	issue, ok := h.lookupIssue(w, r)
+	if !ok {
+		return
+	}
+	issue.State = models.IssueStateClosed
+	if _, err := h.db.ID(issue.ID).Cols("state").Update(issue); err != nil {
+		jsonError(w, "could not close issue", http.StatusInternalServerError)
+		return
+	}
+	jsonOK(w, h.enrichIssue(issue))
+}
+
+func (h *IssueHandler) Reopen(w http.ResponseWriter, r *http.Request) {
+	issue, ok := h.lookupIssue(w, r)
+	if !ok {
+		return
+	}
+	issue.State = models.IssueStateOpen
+	if _, err := h.db.ID(issue.ID).Cols("state").Update(issue); err != nil {
+		jsonError(w, "could not reopen issue", http.StatusInternalServerError)
+		return
+	}
+	jsonOK(w, h.enrichIssue(issue))
+}
+
+func (h *IssueHandler) repoID(w http.ResponseWriter, r *http.Request) (int64, bool) {
+	ownerName := chi.URLParam(r, "owner")
+	repoName := chi.URLParam(r, "repo")
+
+	var owner models.User
+	if found, _ := h.db.Where("username = ?", ownerName).Get(&owner); !found {
+		jsonError(w, "repository not found", http.StatusNotFound)
+		return 0, false
+	}
+	var repo models.Repository
+	if found, _ := h.db.Where("owner_id = ? AND name = ?", owner.ID, repoName).Get(&repo); !found {
+		jsonError(w, "repository not found", http.StatusNotFound)
+		return 0, false
+	}
+	return repo.ID, true
+}
+
+func (h *IssueHandler) lookupIssue(w http.ResponseWriter, r *http.Request) (*models.Issue, bool) {
+	repoID, ok := h.repoID(w, r)
+	if !ok {
+		return nil, false
+	}
+	issueNum, err := strconv.Atoi(chi.URLParam(r, "issueNum"))
+	if err != nil {
+		jsonError(w, "invalid issue number", http.StatusBadRequest)
+		return nil, false
+	}
+	var issue models.Issue
+	if found, _ := h.db.Where("repo_id = ? AND number = ?", repoID, issueNum).Get(&issue); !found {
+		jsonError(w, "issue not found", http.StatusNotFound)
+		return nil, false
+	}
+	return &issue, true
+}
@@ -51,13 +51,9 @@ func (h *RepoHandler) List(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	// Fetch owner username once (all repos belong to the same user in this query)
-	var owner models.User
-	h.db.ID(userID).Get(&owner)
-
 	result := make([]repoResponse, len(repos))
-	for i, repo := range repos {
-		result[i] = repoResponse{Repository: repo, OwnerName: owner.Username}
+	for i := range repos {
+		result[i] = h.withOwnerName(&repos[i])
 	}
 	jsonOK(w, result)
 }
@@ -193,6 +189,64 @@ func (h *RepoHandler) Commits(w http.ResponseWriter, r *http.Request) {
 	jsonOK(w, commits)
 }

+func (h *RepoHandler) Update(w http.ResponseWriter, r *http.Request) {
+	repo, ok := h.lookupRepo(w, r)
+	if !ok {
+		return
+	}
+
+	var body struct {
+		Description *string `json:"description"`
+		IsPrivate   *bool   `json:"isPrivate"`
+		DefaultBranch *string `json:"defaultBranch"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+		jsonError(w, "invalid request body", http.StatusBadRequest)
+		return
+	}
+
+	cols := []string{}
+	if body.Description != nil {
+		repo.Description = *body.Description
+		cols = append(cols, "description")
+	}
+	if body.IsPrivate != nil {
+		repo.IsPrivate = *body.IsPrivate
+		cols = append(cols, "is_private")
+	}
+	if body.DefaultBranch != nil {
+		repo.DefaultBranch = *body.DefaultBranch
+		cols = append(cols, "default_branch")
+	}
+
+	if len(cols) > 0 {
+		if _, err := h.db.ID(repo.ID).Cols(cols...).Update(repo); err != nil {
+			jsonError(w, "could not update repository", http.StatusInternalServerError)
+			return
+		}
+	}
+	jsonOK(w, h.withOwnerName(repo))
+}
+
+func (h *RepoHandler) Delete(w http.ResponseWriter, r *http.Request) {
+	repo, ok := h.lookupRepo(w, r)
+	if !ok {
+		return
+	}
+
+	callerID, _ := middleware.UserIDFromContext(r.Context())
+	if callerID != repo.OwnerID {
+		jsonError(w, "only the owner can delete a repository", http.StatusForbidden)
+		return
+	}
+
+	if _, err := h.db.ID(repo.ID).Delete(&models.Repository{}); err != nil {
+		jsonError(w, "could not delete repository", http.StatusInternalServerError)
+		return
+	}
+	w.WriteHeader(http.StatusNoContent)
+}
+
 func (h *RepoHandler) Diff(w http.ResponseWriter, r *http.Request) {
 	repo, ok := h.lookupRepo(w, r)
 	if !ok {
@@ -0,0 +1,106 @@
+package handlers
+
+import (
+	"crypto/md5"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strconv"
+	"strings"
+
+	"github.com/go-chi/chi/v5"
+	"golang.org/x/crypto/ssh"
+	"xorm.io/xorm"
+
+	"github.com/forgeo/forgebucket/internal/api/middleware"
+	"github.com/forgeo/forgebucket/internal/models"
+)
+
+type SSHKeyHandler struct {
+	db *xorm.Engine
+}
+
+func NewSSHKeyHandler(db *xorm.Engine) *SSHKeyHandler {
+	return &SSHKeyHandler{db: db}
+}
+
+func (h *SSHKeyHandler) List(w http.ResponseWriter, r *http.Request) {
+	userID, _ := middleware.UserIDFromContext(r.Context())
+	var keys []models.SSHKey
+	if err := h.db.Where("user_id = ?", userID).Find(&keys); err != nil {
+		jsonError(w, "could not list SSH keys", http.StatusInternalServerError)
+		return
+	}
+	if keys == nil {
+		keys = []models.SSHKey{}
+	}
+	jsonOK(w, keys)
+}
+
+func (h *SSHKeyHandler) Add(w http.ResponseWriter, r *http.Request) {
+	userID, _ := middleware.UserIDFromContext(r.Context())
+
+	var body struct {
+		Title     string `json:"title"`
+		PublicKey string `json:"publicKey"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+		jsonError(w, "invalid request body", http.StatusBadRequest)
+		return
+	}
+	if body.Title == "" || body.PublicKey == "" {
+		jsonError(w, "title and publicKey are required", http.StatusBadRequest)
+		return
+	}
+
+	// Parse and validate the public key
+	pubKeyBytes := []byte(strings.TrimSpace(body.PublicKey))
+	pub, _, _, _, err := ssh.ParseAuthorizedKey(pubKeyBytes)
+	if err != nil {
+		jsonError(w, "invalid SSH public key format", http.StatusBadRequest)
+		return
+	}
+
+	// Compute MD5 fingerprint (standard display format)
+	fingerprint := fingerprintMD5(pub)
+
+	key := &models.SSHKey{
+		UserID:      userID,
+		Title:       body.Title,
+		Fingerprint: fingerprint,
+		PublicKey:   strings.TrimSpace(body.PublicKey),
+	}
+	if _, err := h.db.Insert(key); err != nil {
+		jsonError(w, "key already exists or could not be saved", http.StatusConflict)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusCreated)
+	json.NewEncoder(w).Encode(key)
+}
+
+func (h *SSHKeyHandler) Delete(w http.ResponseWriter, r *http.Request) {
+	userID, _ := middleware.UserIDFromContext(r.Context())
+	keyID, err := strconv.ParseInt(chi.URLParam(r, "keyID"), 10, 64)
+	if err != nil {
+		jsonError(w, "invalid key ID", http.StatusBadRequest)
+		return
+	}
+
+	n, err := h.db.Where("id = ? AND user_id = ?", keyID, userID).Delete(&models.SSHKey{})
+	if err != nil || n == 0 {
+		jsonError(w, "key not found", http.StatusNotFound)
+		return
+	}
+	w.WriteHeader(http.StatusNoContent)
+}
+
+func fingerprintMD5(pub ssh.PublicKey) string {
+	hash := md5.Sum(pub.Marshal())
+	parts := make([]string, len(hash))
+	for i, b := range hash {
+		parts[i] = fmt.Sprintf("%02x", b)
+	}
+	return strings.Join(parts, ":")
+}
@@ -40,6 +40,30 @@ func New(cfg *config.Config, engine *xorm.Engine, store sessions.Store, staticFi
 	prH      := handlers.NewPRHandler(engine)
 	pipeH    := handlers.NewPipelineHandler(engine)
 	wsH      := handlers.NewWSHandler()
+	gitH     := handlers.NewGitHTTPHandler(engine, cfg)
+	issueH   := handlers.NewIssueHandler(engine)
+	sshKeyH  := handlers.NewSSHKeyHandler(engine)
+
+	// ── Git smart-HTTP transport ───────────────────────────────────────────────
+	// These routes MUST be registered before the SPA catch-all and outside CSRF.
+	// Git clients use HTTP Basic Auth, not the cookie/CSRF flow.
+	r.Route("/{owner}/{repoGit}", func(r chi.Router) {
+		// Only activate for paths ending in .git
+		r.Use(func(next http.Handler) http.Handler {
+			return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+				rg := chi.URLParam(req, "repoGit")
+				if len(rg) < 5 || rg[len(rg)-4:] != ".git" {
+					// Not a git URL — skip to the next router
+					http.NotFound(w, req)
+					return
+				}
+				next.ServeHTTP(w, req)
+			})
+		})
+		r.Get("/info/refs", gitH.ServeGit)
+		r.Post("/git-upload-pack", gitH.ServeGit)
+		r.Post("/git-receive-pack", gitH.ServeGit)
+	})

 	r.Route("/api/v1", func(r chi.Router) {

@@ -71,11 +95,18 @@ func New(cfg *config.Config, engine *xorm.Engine, store sessions.Store, staticFi

 			r.Get("/me", userH.Me)

+			// SSH key management
+			r.Get("/user/keys", sshKeyH.List)
+			r.With(csrf).Post("/user/keys", sshKeyH.Add)
+			r.With(csrf).Delete("/user/keys/{keyID}", sshKeyH.Delete)
+
 			r.Route("/repos", func(r chi.Router) {
 				r.Get("/", repoH.List)
 				r.With(csrf).Post("/", repoH.Create)
 				r.Route("/{owner}/{repo}", func(r chi.Router) {
 					r.Get("/", repoH.Get)
+					r.With(csrf).Patch("/", repoH.Update)
+					r.With(csrf).Delete("/", repoH.Delete)
 					r.Get("/tree", repoH.Tree)
 					r.Get("/blob", repoH.Blob)
 					r.Get("/commits", repoH.Commits)
@@ -87,6 +118,13 @@ func New(cfg *config.Config, engine *xorm.Engine, store sessions.Store, staticFi
 						r.With(csrf).Post("/{prID}/merge", prH.Merge)
 						r.With(csrf).Post("/{prID}/close", prH.Close)
 					})
+					r.Route("/issues", func(r chi.Router) {
+						r.Get("/", issueH.List)
+						r.With(csrf).Post("/", issueH.Create)
+						r.Get("/{issueNum}", issueH.Get)
+						r.With(csrf).Post("/{issueNum}/close", issueH.Close)
+						r.With(csrf).Post("/{issueNum}/reopen", issueH.Reopen)
+					})
 					r.Route("/pipelines", func(r chi.Router) {
 						r.Get("/", pipeH.List)
 						r.Get("/{runID}", pipeH.Get)
@@ -54,12 +54,15 @@ func IsEmpty(repoPath string) bool {
 }

 func Init(path string) error {
-	// git init --bare works even if the directory doesn't exist yet
 	cmd := exec.Command("git", "init", "--bare", path)
 	cmd.Env = []string{"GIT_TERMINAL_PROMPT=0", "HOME=/tmp"}
 	if out, err := cmd.CombinedOutput(); err != nil {
 		return fmt.Errorf("git init --bare: %w: %s", err, out)
 	}
+	// Allow pushes over HTTP (git http-backend checks this config key)
+	cfg := exec.Command("git", "-C", path, "config", "http.receivepack", "true")
+	cfg.Env = []string{"GIT_TERMINAL_PROMPT=0", "HOME=/tmp"}
+	_ = cfg.Run()
 	return nil
 }

@@ -0,0 +1,22 @@
+package models
+
+import "time"
+
+type IssueState string
+
+const (
+	IssueStateOpen   IssueState = "open"
+	IssueStateClosed IssueState = "closed"
+)
+
+type Issue struct {
+	ID        int64      `xorm:"'id' pk autoincr"                   json:"id"`
+	RepoID    int64      `xorm:"'repo_id' notnull index"            json:"repoId"`
+	AuthorID  int64      `xorm:"'author_id' notnull index"          json:"authorId"`
+	Number    int        `xorm:"'number' notnull"                   json:"number"`
+	Title     string     `xorm:"'title' notnull varchar(255)"       json:"title"`
+	Body      string     `xorm:"'body' text"                        json:"body"`
+	State     IssueState `xorm:"'state' default 'open' varchar(16)" json:"state"`
+	CreatedAt time.Time  `xorm:"'created_at' created"               json:"createdAt"`
+	UpdatedAt time.Time  `xorm:"'updated_at' updated"               json:"updatedAt"`
+}
@@ -6,10 +6,15 @@ import (
 )

 func Run(engine *xorm.Engine) error {
-	return engine.Sync2(
+	if err := engine.Sync2(
 		&models.User{},
 		&models.Repository{},
 		&models.PullRequest{},
 		&models.FederationActor{},
-	)
+		&models.Issue{},
+		&models.SSHKey{},
+	); err != nil {
+		return err
+	}
+	return Run002(engine)
 }
@@ -0,0 +1,13 @@
+package migrations
+
+import (
+	"github.com/forgeo/forgebucket/internal/models"
+	"xorm.io/xorm"
+)
+
+func Run002(engine *xorm.Engine) error {
+	return engine.Sync2(
+		&models.Issue{},
+		&models.SSHKey{},
+	)
+}
@@ -0,0 +1,12 @@
+package models
+
+import "time"
+
+type SSHKey struct {
+	ID          int64     `xorm:"'id' pk autoincr"              json:"id"`
+	UserID      int64     `xorm:"'user_id' notnull index"       json:"userId"`
+	Title       string    `xorm:"'title' notnull varchar(255)"  json:"title"`
+	Fingerprint string    `xorm:"'fingerprint' notnull unique"  json:"fingerprint"`
+	PublicKey   string    `xorm:"'public_key' text notnull"     json:"publicKey"`
+	CreatedAt   time.Time `xorm:"'created_at' created"          json:"createdAt"`
+}
				`@@ -0,0 +1 @@`
				`Unnamed repository; edit this file 'description' to name the repository.`