feat(api): implement pull request assignees and check runs endpoints

- Add PR assignees API with list, assign, and unassign operations - Add PR check runs API with create, update, list, and delete operations - Implement workspace finding by ID method in core service - Update .gitignore to include .env* files while preserving .env.example - Reorder imports in multiple API files for consistency - Format function calls with proper line breaks across PR-related APIs - Add wiki revision comparison endpoint with proper schema definitions - Integrate new API modules into main application setup - Add health check, readiness probe, and OpenAPI endpoints to main server - Configure session management and dependency injection in main application
2026-06-07 23:01:05 +08:00
parent 3a22c4265d
commit d98e4d59e3
38 changed files with 40821 additions and 53 deletions
@@ -0,0 +1,141 @@
+use actix_web::{HttpResponse, web};
+use serde::Deserialize;
+use utoipa::IntoParams;
+
+use crate::api::response::{ApiErrorResponse, ApiResponse};
+use crate::error::AppError;
+use crate::models::prs::PrAssignee;
+use crate::service::AppService;
+use crate::session::Session;
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct PrPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct UserPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+    /// User ID (UUID) to assign/unassign
+    pub user_id: uuid::Uuid,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct QP {
+    pub limit: Option<i64>,
+    pub offset: Option<i64>,
+}
+
+/// List assignees of a PR
+#[utoipa::path(
+    get,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/assignees",
+    tag = "Pull Requests",
+    operation_id = "prListAssignees",
+    params(PrPath, QP),
+    responses(
+        (status = 200, description = "Assignees listed.", body = ApiResponse<Vec<PrAssignee>>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "PR not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn list_assignees(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+    query: web::Query<QP>,
+) -> Result<HttpResponse, AppError> {
+    let assignees = service
+        .pr
+        .pr_assignees(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            query.limit.unwrap_or(50),
+            query.offset.unwrap_or(0),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(assignees)))
+}
+
+/// Assign a user to a PR. Assignee is auto-subscribed.
+#[utoipa::path(
+    post,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/assignees/{user_id}",
+    tag = "Pull Requests",
+    operation_id = "prAssign",
+    params(UserPath),
+    responses(
+        (status = 201, description = "User assigned.", body = ApiResponse<PrAssignee>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions", body = ApiErrorResponse),
+        (status = 404, description = "PR not found", body = ApiErrorResponse),
+        (status = 409, description = "User already assigned", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn assign_user(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<UserPath>,
+) -> Result<HttpResponse, AppError> {
+    let assignee = service
+        .pr
+        .pr_assign(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.user_id,
+        )
+        .await?;
+    Ok(HttpResponse::Created().json(ApiResponse::new(assignee)))
+}
+
+/// Unassign a user from a PR
+#[utoipa::path(
+    delete,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/assignees/{user_id}",
+    tag = "Pull Requests",
+    operation_id = "prUnassign",
+    params(UserPath),
+    responses(
+        (status = 200, description = "User unassigned.", body = ApiResponse<String>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions", body = ApiErrorResponse),
+        (status = 404, description = "Assignee not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn unassign_user(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<UserPath>,
+) -> Result<HttpResponse, AppError> {
+    service
+        .pr
+        .pr_unassign(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.user_id,
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new("User unassigned".to_string())))
+}
@@ -0,0 +1,182 @@
+use actix_web::{HttpResponse, web};
+use serde::Deserialize;
+use utoipa::IntoParams;
+
+use crate::api::response::{ApiErrorResponse, ApiResponse};
+use crate::error::AppError;
+use crate::models::prs::PrCheckRun;
+use crate::service::AppService;
+use crate::service::pr::check_runs::{CreateCheckRunParams, UpdateCheckRunParams};
+use crate::session::Session;
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct PrPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct CheckRunPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+    /// Check run ID (UUID)
+    pub check_run_id: uuid::Uuid,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct QP {
+    pub limit: Option<i64>,
+    pub offset: Option<i64>,
+}
+
+/// List check runs for a PR
+#[utoipa::path(
+    get,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/check-runs",
+    tag = "Pull Requests",
+    operation_id = "prListCheckRuns",
+    params(PrPath, QP),
+    responses(
+        (status = 200, description = "Check runs listed.", body = ApiResponse<Vec<PrCheckRun>>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "PR not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn list_check_runs(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+    query: web::Query<QP>,
+) -> Result<HttpResponse, AppError> {
+    let runs = service
+        .pr
+        .pr_check_runs(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            query.limit.unwrap_or(50),
+            query.offset.unwrap_or(0),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(runs)))
+}
+
+/// Create a check run. Requires Member role.
+#[utoipa::path(
+    post,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/check-runs",
+    tag = "Pull Requests",
+    operation_id = "prCreateCheckRun",
+    params(PrPath),
+    request_body(content = CreateCheckRunParams, description = "Check run parameters", content_type = "application/json"),
+    responses(
+        (status = 201, description = "Check run created.", body = ApiResponse<PrCheckRun>),
+        (status = 400, description = "Invalid status", body = ApiErrorResponse),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions", body = ApiErrorResponse),
+        (status = 404, description = "PR not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn create_check_run(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+    params: web::Json<CreateCheckRunParams>,
+) -> Result<HttpResponse, AppError> {
+    let run = service
+        .pr
+        .pr_create_check_run(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            params.into_inner(),
+        )
+        .await?;
+    Ok(HttpResponse::Created().json(ApiResponse::new(run)))
+}
+
+/// Update a check run. Requires Member role.
+#[utoipa::path(
+    put,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/check-runs/{check_run_id}",
+    tag = "Pull Requests",
+    operation_id = "prUpdateCheckRun",
+    params(CheckRunPath),
+    request_body(content = UpdateCheckRunParams, description = "Check run update parameters", content_type = "application/json"),
+    responses(
+        (status = 200, description = "Check run updated.", body = ApiResponse<PrCheckRun>),
+        (status = 400, description = "Invalid status", body = ApiErrorResponse),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions", body = ApiErrorResponse),
+        (status = 404, description = "Check run not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn update_check_run(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<CheckRunPath>,
+    params: web::Json<UpdateCheckRunParams>,
+) -> Result<HttpResponse, AppError> {
+    let run = service
+        .pr
+        .pr_update_check_run(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.check_run_id,
+            params.into_inner(),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(run)))
+}
+
+/// Delete a check run. Requires Admin role.
+#[utoipa::path(
+    delete,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/check-runs/{check_run_id}",
+    tag = "Pull Requests",
+    operation_id = "prDeleteCheckRun",
+    params(CheckRunPath),
+    responses(
+        (status = 200, description = "Check run deleted.", body = ApiResponse<String>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions (Admin required)", body = ApiErrorResponse),
+        (status = 404, description = "Check run not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn delete_check_run(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<CheckRunPath>,
+) -> Result<HttpResponse, AppError> {
+    service
+        .pr
+        .pr_delete_check_run(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.check_run_id,
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new("Check run deleted".to_string())))
+}
@@ -1,8 +1,8 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;

-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PullRequest;
 use crate::service::AppService;
@@ -1,12 +1,12 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;

-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PullRequest;
-use crate::service::pr::core::CreatePrParams;
 use crate::service::AppService;
+use crate::service::pr::core::CreatePrParams;
 use crate::session::Session;

 #[derive(Debug, Deserialize, IntoParams)]
@@ -70,7 +70,12 @@ pub async fn create(
 ) -> Result<HttpResponse, AppError> {
    let pr = service
        .pr
-        .pr_create(&session, &path.workspace_name, &path.repo_name, params.into_inner())
+        .pr_create(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            params.into_inner(),
+        )
        .await?;
    Ok(HttpResponse::Created().json(ApiResponse::new(pr)))
 }
@@ -1,8 +1,8 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;

-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::service::AppService;
 use crate::session::Session;
@@ -0,0 +1,60 @@
+use actix_web::{HttpResponse, web};
+use serde::Deserialize;
+use utoipa::IntoParams;
+
+use crate::api::response::{ApiErrorResponse, ApiResponse};
+use crate::error::AppError;
+use crate::models::prs::PrEvent;
+use crate::service::AppService;
+use crate::session::Session;
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct PrPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct QP {
+    pub limit: Option<i64>,
+    pub offset: Option<i64>,
+}
+
+/// List PR events (timeline). Returns chronological activity log.
+#[utoipa::path(
+    get,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/events",
+    tag = "Pull Requests",
+    operation_id = "prListEvents",
+    params(PrPath, QP),
+    responses(
+        (status = 200, description = "Events listed.", body = ApiResponse<Vec<PrEvent>>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "PR not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn list_events(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+    query: web::Query<QP>,
+) -> Result<HttpResponse, AppError> {
+    let events = service
+        .pr
+        .pr_list_events(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            query.limit.unwrap_or(50),
+            query.offset.unwrap_or(0),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(events)))
+}
@@ -1,8 +1,8 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;

-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PullRequest;
 use crate::service::AppService;
@@ -1,8 +1,8 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;

-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PrStatus;
 use crate::service::AppService;
@@ -0,0 +1,295 @@
+use actix_web::{HttpResponse, web};
+use serde::Deserialize;
+use utoipa::IntoParams;
+
+use crate::api::response::{ApiErrorResponse, ApiResponse};
+use crate::error::AppError;
+use crate::models::prs::{PrLabel, PrLabelRelation};
+use crate::service::AppService;
+use crate::service::pr::labels::{CreatePrLabelParams, UpdatePrLabelParams};
+use crate::session::Session;
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct RepoPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct PrPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct LabelPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+    /// Label ID (UUID)
+    pub label_id: uuid::Uuid,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct LabelIdPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// Label ID (UUID)
+    pub label_id: uuid::Uuid,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct QP {
+    pub limit: Option<i64>,
+    pub offset: Option<i64>,
+}
+
+// ── Repo-level labels ──
+
+/// List PR labels in a repository
+#[utoipa::path(
+    get,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/labels",
+    tag = "Pull Requests",
+    operation_id = "prListLabels",
+    params(RepoPath),
+    responses(
+        (status = 200, description = "Labels listed successfully.", body = ApiResponse<Vec<PrLabel>>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "Repo not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn list_labels(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<RepoPath>,
+) -> Result<HttpResponse, AppError> {
+    let labels = service
+        .pr
+        .pr_labels(&session, &path.workspace_name, &path.repo_name)
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(labels)))
+}
+
+/// Create a PR label. Requires Member role.
+#[utoipa::path(
+    post,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/labels",
+    tag = "Pull Requests",
+    operation_id = "prCreateLabel",
+    params(RepoPath),
+    request_body(content = CreatePrLabelParams, description = "Label creation parameters", content_type = "application/json"),
+    responses(
+        (status = 201, description = "Label created.", body = ApiResponse<PrLabel>),
+        (status = 400, description = "Invalid parameters", body = ApiErrorResponse),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions", body = ApiErrorResponse),
+        (status = 404, description = "Repo not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn create_label(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<RepoPath>,
+    params: web::Json<CreatePrLabelParams>,
+) -> Result<HttpResponse, AppError> {
+    let label = service
+        .pr
+        .pr_create_label(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            params.into_inner(),
+        )
+        .await?;
+    Ok(HttpResponse::Created().json(ApiResponse::new(label)))
+}
+
+/// Update a PR label. Requires Admin role.
+#[utoipa::path(
+    put,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/labels/{label_id}",
+    tag = "Pull Requests",
+    operation_id = "prUpdateLabel",
+    params(LabelIdPath),
+    request_body(content = UpdatePrLabelParams, description = "Label update parameters", content_type = "application/json"),
+    responses(
+        (status = 200, description = "Label updated.", body = ApiResponse<PrLabel>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions (Admin required)", body = ApiErrorResponse),
+        (status = 404, description = "Label not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn update_label(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<LabelIdPath>,
+    params: web::Json<UpdatePrLabelParams>,
+) -> Result<HttpResponse, AppError> {
+    let label = service
+        .pr
+        .pr_update_label(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.label_id,
+            params.into_inner(),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(label)))
+}
+
+/// Delete a PR label. Requires Admin role.
+#[utoipa::path(
+    delete,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/labels/{label_id}",
+    tag = "Pull Requests",
+    operation_id = "prDeleteLabel",
+    params(LabelIdPath),
+    responses(
+        (status = 200, description = "Label deleted.", body = ApiResponse<String>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions (Admin required)", body = ApiErrorResponse),
+        (status = 404, description = "Label not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn delete_label(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<LabelIdPath>,
+) -> Result<HttpResponse, AppError> {
+    service
+        .pr
+        .pr_delete_label(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.label_id,
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new("Label deleted".to_string())))
+}
+
+// ── PR-level label relations ──
+
+/// List labels assigned to a PR
+#[utoipa::path(
+    get,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/labels",
+    tag = "Pull Requests",
+    operation_id = "prListLabelRelations",
+    params(PrPath, QP),
+    responses(
+        (status = 200, description = "Label relations listed.", body = ApiResponse<Vec<PrLabelRelation>>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "PR not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn list_label_relations(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+    query: web::Query<QP>,
+) -> Result<HttpResponse, AppError> {
+    let rels = service
+        .pr
+        .pr_label_relations(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            query.limit.unwrap_or(50),
+            query.offset.unwrap_or(0),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(rels)))
+}
+
+/// Assign a label to a PR
+#[utoipa::path(
+    post,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/labels/{label_id}",
+    tag = "Pull Requests",
+    operation_id = "prAssignLabel",
+    params(LabelPath),
+    responses(
+        (status = 200, description = "Label assigned.", body = ApiResponse<PrLabelRelation>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions", body = ApiErrorResponse),
+        (status = 404, description = "PR or label not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn assign_label(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<LabelPath>,
+) -> Result<HttpResponse, AppError> {
+    let rel = service
+        .pr
+        .pr_assign_label(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.label_id,
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(rel)))
+}
+
+/// Unassign a label from a PR
+#[utoipa::path(
+    delete,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/labels/{label_id}",
+    tag = "Pull Requests",
+    operation_id = "prUnassignLabel",
+    params(LabelPath),
+    responses(
+        (status = 200, description = "Label unassigned.", body = ApiResponse<String>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions", body = ApiErrorResponse),
+        (status = 404, description = "Label not assigned", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn unassign_label(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<LabelPath>,
+) -> Result<HttpResponse, AppError> {
+    service
+        .pr
+        .pr_unassign_label(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.label_id,
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new("Label unassigned".to_string())))
+}
@@ -1,12 +1,12 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;

-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PullRequest;
-use crate::service::pr::core::PrListFilters;
 use crate::service::AppService;
+use crate::service::pr::core::PrListFilters;
 use crate::session::Session;

 #[derive(Debug, Deserialize, IntoParams)]
@@ -1,8 +1,8 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;

-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PrCommit;
 use crate::service::AppService;
@@ -53,7 +53,14 @@ pub async fn list_commits(
 ) -> Result<HttpResponse, AppError> {
    let commits = service
        .pr
-        .pr_commits(&session, &path.workspace_name, &path.repo_name, path.number, query.limit.unwrap_or(50), query.offset.unwrap_or(0))
+        .pr_commits(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            query.limit.unwrap_or(50),
+            query.offset.unwrap_or(0),
+        )
        .await?;
    Ok(HttpResponse::Ok().json(ApiResponse::new(commits)))
 }
@@ -1,8 +1,8 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;

-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PrFile;
 use crate::service::AppService;
@@ -54,7 +54,14 @@ pub async fn list_files(
 ) -> Result<HttpResponse, AppError> {
    let files = service
        .pr
-        .pr_files(&session, &path.workspace_name, &path.repo_name, path.number, query.limit.unwrap_or(50), query.offset.unwrap_or(0))
+        .pr_files(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            query.limit.unwrap_or(50),
+            query.offset.unwrap_or(0),
+        )
        .await?;
    Ok(HttpResponse::Ok().json(ApiResponse::new(files)))
 }
@@ -1,8 +1,8 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;

-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PullRequest;
 use crate::service::AppService;
@@ -60,7 +60,13 @@ pub async fn lock(
 ) -> Result<HttpResponse, AppError> {
    let pr = service
        .pr
-        .pr_lock(&session, &path.workspace_name, &path.repo_name, path.number, params.locked)
+        .pr_lock(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            params.locked,
+        )
        .await?;
    Ok(HttpResponse::Ok().json(ApiResponse::new(pr)))
 }
@@ -1,8 +1,8 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;

-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PullRequest;
 use crate::service::AppService;
@@ -1,12 +1,12 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;

-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PullRequest;
-use crate::service::pr::core::MergePrParams;
 use crate::service::AppService;
+use crate::service::pr::core::MergePrParams;
 use crate::session::Session;

 #[derive(Debug, Deserialize, IntoParams)]
@@ -67,7 +67,13 @@ pub async fn merge(
 ) -> Result<HttpResponse, AppError> {
    let pr = service
        .pr
-        .pr_merge(&session, &path.workspace_name, &path.repo_name, path.number, params.into_inner())
+        .pr_merge(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            params.into_inner(),
+        )
        .await?;
    Ok(HttpResponse::Ok().json(ApiResponse::new(pr)))
 }
@@ -1,12 +1,12 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;

-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PrMergeStrategy;
-use crate::service::pr::merge_strategy::UpdateMergeStrategyParams;
 use crate::service::AppService;
+use crate::service::pr::merge_strategy::UpdateMergeStrategyParams;
 use crate::session::Session;

 #[derive(Debug, Deserialize, IntoParams)]
@@ -92,7 +92,13 @@ pub async fn update_merge_strategy(
 ) -> Result<HttpResponse, AppError> {
    let strategy = service
        .pr
-        .pr_update_merge_strategy(&session, &path.workspace_name, &path.repo_name, path.number, params.into_inner())
+        .pr_update_merge_strategy(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            params.into_inner(),
+        )
        .await?;
    Ok(HttpResponse::Ok().json(ApiResponse::new(strategy)))
 }
@@ -0,0 +1,161 @@
+pub mod assignees;
+pub mod check_runs;
+pub mod close;
+pub mod create;
+pub mod delete;
+pub mod events;
+pub mod get;
+pub mod get_status;
+pub mod labels;
+pub mod list;
+pub mod list_commits;
+pub mod list_files;
+pub mod lock;
+pub mod mark_ready;
+pub mod merge;
+pub mod merge_strategy;
+pub mod reactions;
+pub mod reopen;
+pub mod reviews;
+pub mod subscriptions;
+pub mod update;
+
+use actix_web::web;
+
+/// Configure PR-level routes under `/workspaces/{workspace_name}/repos/{repo_name}/prs`
+pub fn configure(cfg: &mut web::ServiceConfig) {
+    cfg.service(
+        web::scope("/prs")
+            // Repo-level labels
+            .route("/labels", web::get().to(labels::list_labels))
+            .route("/labels", web::post().to(labels::create_label))
+            .route("/labels/{label_id}", web::put().to(labels::update_label))
+            .route("/labels/{label_id}", web::delete().to(labels::delete_label))
+            // Core
+            .route("", web::get().to(list::list))
+            .route("", web::post().to(create::create))
+            .route("/{number}", web::get().to(get::get))
+            .route("/{number}", web::put().to(update::update))
+            .route("/{number}", web::delete().to(delete::delete))
+            .route("/{number}/close", web::post().to(close::close))
+            .route("/{number}/reopen", web::post().to(reopen::reopen))
+            .route("/{number}/ready", web::post().to(mark_ready::mark_ready))
+            .route("/{number}/lock", web::put().to(lock::lock))
+            .route("/{number}/merge", web::post().to(merge::merge))
+            // Commits & Files
+            .route(
+                "/{number}/commits",
+                web::get().to(list_commits::list_commits),
+            )
+            .route("/{number}/files", web::get().to(list_files::list_files))
+            // Status & Merge Strategy
+            .route("/{number}/status", web::get().to(get_status::get_status))
+            .route(
+                "/{number}/merge-strategy",
+                web::get().to(merge_strategy::get_merge_strategy),
+            )
+            .route(
+                "/{number}/merge-strategy",
+                web::put().to(merge_strategy::update_merge_strategy),
+            )
+            // Labels (PR-level)
+            .route(
+                "/{number}/labels",
+                web::get().to(labels::list_label_relations),
+            )
+            .route(
+                "/{number}/labels/{label_id}",
+                web::post().to(labels::assign_label),
+            )
+            .route(
+                "/{number}/labels/{label_id}",
+                web::delete().to(labels::unassign_label),
+            )
+            // Assignees
+            .route(
+                "/{number}/assignees",
+                web::get().to(assignees::list_assignees),
+            )
+            .route(
+                "/{number}/assignees/{user_id}",
+                web::post().to(assignees::assign_user),
+            )
+            .route(
+                "/{number}/assignees/{user_id}",
+                web::delete().to(assignees::unassign_user),
+            )
+            // Reviews
+            .route("/{number}/reviews", web::get().to(reviews::list_reviews))
+            .route("/{number}/reviews", web::post().to(reviews::create_review))
+            .route(
+                "/{number}/reviews/{review_id}/submit",
+                web::post().to(reviews::submit_review),
+            )
+            .route(
+                "/{number}/reviews/{review_id}/dismiss",
+                web::post().to(reviews::dismiss_review),
+            )
+            .route(
+                "/{number}/reviews/{review_id}/comments",
+                web::get().to(reviews::list_review_comments),
+            )
+            .route(
+                "/{number}/comments/{comment_id}/reply",
+                web::post().to(reviews::add_review_reply),
+            )
+            .route(
+                "/{number}/comments/{comment_id}",
+                web::put().to(reviews::update_review_comment),
+            )
+            .route(
+                "/{number}/comments/{comment_id}",
+                web::delete().to(reviews::delete_review_comment),
+            )
+            // Check Runs
+            .route(
+                "/{number}/check-runs",
+                web::get().to(check_runs::list_check_runs),
+            )
+            .route(
+                "/{number}/check-runs",
+                web::post().to(check_runs::create_check_run),
+            )
+            .route(
+                "/{number}/check-runs/{check_run_id}",
+                web::put().to(check_runs::update_check_run),
+            )
+            .route(
+                "/{number}/check-runs/{check_run_id}",
+                web::delete().to(check_runs::delete_check_run),
+            )
+            // Events
+            .route("/{number}/events", web::get().to(events::list_events))
+            // Reactions
+            .route(
+                "/{number}/reactions",
+                web::get().to(reactions::list_reactions),
+            )
+            .route(
+                "/{number}/reactions",
+                web::post().to(reactions::add_reaction),
+            )
+            .route(
+                "/{number}/reactions/{reaction_id}",
+                web::delete().to(reactions::remove_reaction),
+            )
+            // Subscriptions
+            .route(
+                "/{number}/subscriptions",
+                web::get().to(subscriptions::list_subscriptions),
+            )
+            .route(
+                "/{number}/subscribe",
+                web::post().to(subscriptions::subscribe),
+            )
+            .route(
+                "/{number}/subscribe",
+                web::delete().to(subscriptions::unsubscribe),
+            )
+            .route("/{number}/mute", web::put().to(subscriptions::mute)),
+    );
+}
@@ -0,0 +1,143 @@
+use actix_web::{HttpResponse, web};
+use serde::Deserialize;
+use utoipa::IntoParams;
+
+use crate::api::response::{ApiErrorResponse, ApiResponse};
+use crate::error::AppError;
+use crate::models::prs::PrReaction;
+use crate::service::AppService;
+use crate::service::pr::reactions::CreateReactionParams;
+use crate::session::Session;
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct PrPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct ReactionPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+    /// Reaction ID (UUID)
+    pub reaction_id: uuid::Uuid,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct QP {
+    pub limit: Option<i64>,
+    pub offset: Option<i64>,
+}
+
+/// List reactions on a PR
+#[utoipa::path(
+    get,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/reactions",
+    tag = "Pull Requests",
+    operation_id = "prListReactions",
+    params(PrPath, QP),
+    responses(
+        (status = 200, description = "Reactions listed.", body = ApiResponse<Vec<PrReaction>>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "PR not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn list_reactions(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+    query: web::Query<QP>,
+) -> Result<HttpResponse, AppError> {
+    let reactions = service
+        .pr
+        .pr_reactions(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            query.limit.unwrap_or(50),
+            query.offset.unwrap_or(0),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(reactions)))
+}
+
+/// Add a reaction to a PR
+#[utoipa::path(
+    post,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/reactions",
+    tag = "Pull Requests",
+    operation_id = "prAddReaction",
+    params(PrPath),
+    request_body(content = CreateReactionParams, description = "Reaction parameters", content_type = "application/json"),
+    responses(
+        (status = 201, description = "Reaction added.", body = ApiResponse<PrReaction>),
+        (status = 400, description = "Invalid content or target type", body = ApiErrorResponse),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "PR not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn add_reaction(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+    params: web::Json<CreateReactionParams>,
+) -> Result<HttpResponse, AppError> {
+    let reaction = service
+        .pr
+        .pr_add_reaction(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            params.into_inner(),
+        )
+        .await?;
+    Ok(HttpResponse::Created().json(ApiResponse::new(reaction)))
+}
+
+/// Remove a reaction. Only the reaction author can remove it.
+#[utoipa::path(
+    delete,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/reactions/{reaction_id}",
+    tag = "Pull Requests",
+    operation_id = "prRemoveReaction",
+    params(ReactionPath),
+    responses(
+        (status = 200, description = "Reaction removed.", body = ApiResponse<String>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Cannot remove another user's reaction", body = ApiErrorResponse),
+        (status = 404, description = "Reaction not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn remove_reaction(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<ReactionPath>,
+) -> Result<HttpResponse, AppError> {
+    service
+        .pr
+        .pr_remove_reaction(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.reaction_id,
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new("Reaction removed".to_string())))
+}
@@ -1,8 +1,8 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;

-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PullRequest;
 use crate::service::AppService;
@@ -0,0 +1,343 @@
+use actix_web::{HttpResponse, web};
+use serde::Deserialize;
+use utoipa::IntoParams;
+
+use crate::api::response::{ApiErrorResponse, ApiResponse};
+use crate::error::AppError;
+use crate::models::prs::{PrReview, PrReviewComment};
+use crate::service::AppService;
+use crate::service::pr::reviews::{
+    AddReplyParams, CreateReviewParams, DismissReviewParams, SubmitReviewParams,
+};
+use crate::session::Session;
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct PrPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct ReviewPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+    /// Review ID (UUID)
+    pub review_id: uuid::Uuid,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct CommentPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+    /// Comment ID (UUID)
+    pub comment_id: uuid::Uuid,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct QP {
+    pub limit: Option<i64>,
+    pub offset: Option<i64>,
+}
+
+/// List reviews on a PR
+#[utoipa::path(
+    get,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/reviews",
+    tag = "Pull Requests",
+    operation_id = "prListReviews",
+    params(PrPath, QP),
+    responses(
+        (status = 200, description = "Reviews listed.", body = ApiResponse<Vec<PrReview>>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "PR not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn list_reviews(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+    query: web::Query<QP>,
+) -> Result<HttpResponse, AppError> {
+    let reviews = service
+        .pr
+        .pr_list_reviews(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            query.limit.unwrap_or(50),
+            query.offset.unwrap_or(0),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(reviews)))
+}
+
+/// Create a review. States: pending, approved, changes_requested, commented. Authors cannot approve their own PRs.
+#[utoipa::path(
+    post,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/reviews",
+    tag = "Pull Requests",
+    operation_id = "prCreateReview",
+    params(PrPath),
+    request_body(content = CreateReviewParams, description = "Review parameters", content_type = "application/json"),
+    responses(
+        (status = 201, description = "Review created.", body = ApiResponse<PrReview>),
+        (status = 400, description = "Invalid state or self-approval", body = ApiErrorResponse),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions", body = ApiErrorResponse),
+        (status = 404, description = "PR not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn create_review(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+    params: web::Json<CreateReviewParams>,
+) -> Result<HttpResponse, AppError> {
+    let review = service
+        .pr
+        .pr_create_review(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            params.into_inner(),
+        )
+        .await?;
+    Ok(HttpResponse::Created().json(ApiResponse::new(review)))
+}
+
+/// Submit a pending review. Changes its state to approved, changes_requested, or commented.
+#[utoipa::path(
+    post,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/reviews/{review_id}/submit",
+    tag = "Pull Requests",
+    operation_id = "prSubmitReview",
+    params(ReviewPath),
+    request_body(content = SubmitReviewParams, description = "Submit parameters", content_type = "application/json"),
+    responses(
+        (status = 200, description = "Review submitted.", body = ApiResponse<PrReview>),
+        (status = 400, description = "Invalid state or self-approval", body = ApiErrorResponse),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions", body = ApiErrorResponse),
+        (status = 404, description = "Review not found or already submitted", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn submit_review(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<ReviewPath>,
+    params: web::Json<SubmitReviewParams>,
+) -> Result<HttpResponse, AppError> {
+    let review = service
+        .pr
+        .pr_submit_review(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.review_id,
+            params.into_inner(),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(review)))
+}
+
+/// Dismiss a submitted review. Requires Admin role.
+#[utoipa::path(
+    post,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/reviews/{review_id}/dismiss",
+    tag = "Pull Requests",
+    operation_id = "prDismissReview",
+    params(ReviewPath),
+    request_body(content = DismissReviewParams, description = "Dismiss parameters", content_type = "application/json"),
+    responses(
+        (status = 200, description = "Review dismissed.", body = ApiResponse<PrReview>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions (Admin required)", body = ApiErrorResponse),
+        (status = 404, description = "Review not found or not submitted", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn dismiss_review(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<ReviewPath>,
+    params: web::Json<DismissReviewParams>,
+) -> Result<HttpResponse, AppError> {
+    let review = service
+        .pr
+        .pr_dismiss_review(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.review_id,
+            params.into_inner(),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(review)))
+}
+
+/// List comments for a specific review
+#[utoipa::path(
+    get,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/reviews/{review_id}/comments",
+    tag = "Pull Requests",
+    operation_id = "prListReviewComments",
+    params(ReviewPath, QP),
+    responses(
+        (status = 200, description = "Review comments listed.", body = ApiResponse<Vec<PrReviewComment>>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "Review not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn list_review_comments(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<ReviewPath>,
+    query: web::Query<QP>,
+) -> Result<HttpResponse, AppError> {
+    let comments = service
+        .pr
+        .pr_review_comments(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.review_id,
+            query.limit.unwrap_or(50),
+            query.offset.unwrap_or(0),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(comments)))
+}
+
+/// Reply to a review comment
+#[utoipa::path(
+    post,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/comments/{comment_id}/reply",
+    tag = "Pull Requests",
+    operation_id = "prAddReviewReply",
+    params(CommentPath),
+    request_body(content = AddReplyParams, description = "Reply parameters", content_type = "application/json"),
+    responses(
+        (status = 201, description = "Reply added.", body = ApiResponse<PrReviewComment>),
+        (status = 400, description = "Empty body", body = ApiErrorResponse),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "Comment not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn add_review_reply(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<CommentPath>,
+    params: web::Json<AddReplyParams>,
+) -> Result<HttpResponse, AppError> {
+    let comment = service
+        .pr
+        .pr_add_review_reply(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.comment_id,
+            params.into_inner(),
+        )
+        .await?;
+    Ok(HttpResponse::Created().json(ApiResponse::new(comment)))
+}
+
+/// Update a review comment (own comments only)
+#[utoipa::path(
+    put,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/comments/{comment_id}",
+    tag = "Pull Requests",
+    operation_id = "prUpdateReviewComment",
+    params(CommentPath),
+    request_body(content = AddReplyParams, description = "Update parameters", content_type = "application/json"),
+    responses(
+        (status = 200, description = "Comment updated.", body = ApiResponse<PrReviewComment>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Cannot edit other users' comments", body = ApiErrorResponse),
+        (status = 404, description = "Comment not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn update_review_comment(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<CommentPath>,
+    params: web::Json<AddReplyParams>,
+) -> Result<HttpResponse, AppError> {
+    let comment = service
+        .pr
+        .pr_update_review_comment(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.comment_id,
+            params.into_inner(),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(comment)))
+}
+
+/// Delete a review comment. Own comments or Admin role.
+#[utoipa::path(
+    delete,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/comments/{comment_id}",
+    tag = "Pull Requests",
+    operation_id = "prDeleteReviewComment",
+    params(CommentPath),
+    responses(
+        (status = 200, description = "Comment deleted.", body = ApiResponse<String>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Cannot delete other users' comments (Admin required)", body = ApiErrorResponse),
+        (status = 404, description = "Comment not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn delete_review_comment(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<CommentPath>,
+) -> Result<HttpResponse, AppError> {
+    service
+        .pr
+        .pr_delete_review_comment(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.comment_id,
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new("Comment deleted".to_string())))
+}
@@ -0,0 +1,156 @@
+use actix_web::{HttpResponse, web};
+use serde::Deserialize;
+use utoipa::IntoParams;
+
+use crate::api::response::{ApiErrorResponse, ApiResponse};
+use crate::error::AppError;
+use crate::models::prs::PrSubscription;
+use crate::service::AppService;
+use crate::session::Session;
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct PrPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct QP {
+    pub limit: Option<i64>,
+    pub offset: Option<i64>,
+}
+
+/// List subscriptions on a PR
+#[utoipa::path(
+    get,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/subscriptions",
+    tag = "Pull Requests",
+    operation_id = "prListSubscriptions",
+    params(PrPath, QP),
+    responses(
+        (status = 200, description = "Subscriptions listed.", body = ApiResponse<Vec<PrSubscription>>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "PR not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn list_subscriptions(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+    query: web::Query<QP>,
+) -> Result<HttpResponse, AppError> {
+    let subs = service
+        .pr
+        .pr_subscriptions(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            query.limit.unwrap_or(50),
+            query.offset.unwrap_or(0),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(subs)))
+}
+
+/// Subscribe to a PR to receive notifications
+#[utoipa::path(
+    post,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/subscribe",
+    tag = "Pull Requests",
+    operation_id = "prSubscribe",
+    params(PrPath),
+    responses(
+        (status = 200, description = "Subscribed.", body = ApiResponse<PrSubscription>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "PR not found", body = ApiErrorResponse),
+        (status = 409, description = "Already subscribed", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn subscribe(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+) -> Result<HttpResponse, AppError> {
+    let sub = service
+        .pr
+        .pr_subscribe(&session, &path.workspace_name, &path.repo_name, path.number)
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(sub)))
+}
+
+/// Unsubscribe from a PR
+#[utoipa::path(
+    delete,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/subscribe",
+    tag = "Pull Requests",
+    operation_id = "prUnsubscribe",
+    params(PrPath),
+    responses(
+        (status = 200, description = "Unsubscribed.", body = ApiResponse<String>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "Not subscribed", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn unsubscribe(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+) -> Result<HttpResponse, AppError> {
+    service
+        .pr
+        .pr_unsubscribe(&session, &path.workspace_name, &path.repo_name, path.number)
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new("Unsubscribed".to_string())))
+}
+
+#[derive(Debug, Deserialize, utoipa::ToSchema)]
+pub struct MutePrParams {
+    /// Whether to mute (true) or unmute (false) notifications
+    pub muted: bool,
+}
+
+/// Mute or unmute notifications for a PR
+#[utoipa::path(
+    put,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/mute",
+    tag = "Pull Requests",
+    operation_id = "prMute",
+    params(PrPath),
+    request_body(content = MutePrParams, description = "Mute/unmute parameters", content_type = "application/json"),
+    responses(
+        (status = 200, description = "Mute status updated.", body = ApiResponse<String>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "Not subscribed", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn mute(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+    params: web::Json<MutePrParams>,
+) -> Result<HttpResponse, AppError> {
+    service
+        .pr
+        .pr_mute(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            params.muted,
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new("Mute status updated".to_string())))
+}
@@ -1,12 +1,12 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;

-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PullRequest;
-use crate::service::pr::core::UpdatePrParams;
 use crate::service::AppService;
+use crate::service::pr::core::UpdatePrParams;
 use crate::session::Session;

 #[derive(Debug, Deserialize, IntoParams)]
@@ -57,7 +57,13 @@ pub async fn update(
 ) -> Result<HttpResponse, AppError> {
    let pr = service
        .pr
-        .pr_update(&session, &path.workspace_name, &path.repo_name, path.number, params.into_inner())
+        .pr_update(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            params.into_inner(),
+        )
        .await?;
    Ok(HttpResponse::Ok().json(ApiResponse::new(pr)))
 }