feat(api): implement pull request assignees and check runs endpoints

- Add PR assignees API with list, assign, and unassign operations
- Add PR check runs API with create, update, list, and delete operations
- Implement workspace finding by ID method in core service
- Update .gitignore to include .env* files while preserving .env.example
- Reorder imports in multiple API files for consistency
- Format function calls with proper line breaks across PR-related APIs
- Add wiki revision comparison endpoint with proper schema definitions
- Integrate new API modules into main application setup
- Add health check, readiness probe, and OpenAPI endpoints to main server
- Configure session management and dependency injection in main application

.gitignore

@@ -2,5 +2,7 @@
 .idea
 .codegraph
 .claude
+.env*
+!.env.example
 AGENT.md
 CLAUDE.md

api/openapi.rs

@@ -13,6 +13,7 @@ use crate::api::repo::accept_invitation::AcceptInvitationParams;
 use crate::api::repo::set_branch_protection::SetBranchProtectionParams;
 use crate::api::repo::transfer_owner::TransferOwnerParams;
 use crate::api::response::{ApiEmptyResponse, ApiErrorResponse, ApiResponse};
+use crate::api::wiki::compare_revisions::WikiCompareResult;
 use crate::api::workspace::accept_invitation::AcceptInvitationRequest;
 use crate::api::workspace::review_approval::ReviewApprovalRequest;
 use crate::api::workspace::transfer_owner::TransferOwnerRequest;
@@ -24,7 +25,6 @@ use crate::models::prs::{
     PrAssignee, PrCheckRun, PrCommit, PrEvent, PrFile, PrLabel, PrLabelRelation, PrMergeStrategy,
     PrReaction, PrReview, PrReviewComment, PrStatus, PrSubscription, PullRequest,
 };
-use crate::models::wiki::{WikiPage, WikiPageRevision};
 use crate::models::repos::{
     BranchProtectionRule, Repo, RepoBranch, RepoCommitComment, RepoCommitStatus, RepoDeployKey,
     RepoFork, RepoInvitation, RepoMember, RepoRelease, RepoStar, RepoStats, RepoTag, RepoWatch,
@@ -34,6 +34,7 @@ use crate::models::users::{
     User, UserAppearance, UserDevice, UserGpgKey, UserNotifySetting, UserProfile, UserSecurityLog,
     UserSshKey,
 };
+use crate::models::wiki::{WikiPage, WikiPageRevision};
 use crate::models::workspaces::{
     Workspace, WorkspaceAuditLog, WorkspaceBilling, WorkspaceCustomBranding, WorkspaceDomain,
     WorkspaceIntegration, WorkspaceInvitation, WorkspaceMember, WorkspacePendingApproval,
@@ -68,8 +69,6 @@ use crate::service::pr::reviews::{
     AddReplyParams, CreateReviewParams, DismissReviewParams, ReviewCommentParams,
     SubmitReviewParams,
 };
-use crate::api::wiki::compare_revisions::WikiCompareResult;
-use crate::service::wiki::core::{CreateWikiPageParams, UpdateWikiPageParams};
 use crate::service::repo::branches::CreateBranchParams;
 use crate::service::repo::commit_status::{CreateCommitCommentParams, CreateCommitStatusParams};
 use crate::service::repo::core::{CreateRepoParams, UpdateRepoParams};
@@ -94,6 +93,7 @@ use crate::service::user::keys::{AddGpgKeyParams, AddSshKeyParams};
 use crate::service::user::notify::UpdateUserNotifySettingParams;
 use crate::service::user::profile::UpdateUserProfileParams;
 use crate::service::user::security::{UserOAuthInfo, UserPersonalAccessTokenInfo, UserSessionInfo};
+use crate::service::wiki::core::{CreateWikiPageParams, UpdateWikiPageParams};
 use crate::service::workspace::approvals::RequestApprovalParams;
 use crate::service::workspace::billing::UpdateBillingParams;
 use crate::service::workspace::branding::UpdateBrandingParams;

api/pr/assignees.rs

@@ -0,0 +1,141 @@
+use actix_web::{HttpResponse, web};
+use serde::Deserialize;
+use utoipa::IntoParams;
+
+use crate::api::response::{ApiErrorResponse, ApiResponse};
+use crate::error::AppError;
+use crate::models::prs::PrAssignee;
+use crate::service::AppService;
+use crate::session::Session;
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct PrPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct UserPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+    /// User ID (UUID) to assign/unassign
+    pub user_id: uuid::Uuid,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct QP {
+    pub limit: Option<i64>,
+    pub offset: Option<i64>,
+}
+
+/// List assignees of a PR
+#[utoipa::path(
+    get,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/assignees",
+    tag = "Pull Requests",
+    operation_id = "prListAssignees",
+    params(PrPath, QP),
+    responses(
+        (status = 200, description = "Assignees listed.", body = ApiResponse<Vec<PrAssignee>>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "PR not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn list_assignees(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+    query: web::Query<QP>,
+) -> Result<HttpResponse, AppError> {
+    let assignees = service
+        .pr
+        .pr_assignees(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            query.limit.unwrap_or(50),
+            query.offset.unwrap_or(0),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(assignees)))
+}
+
+/// Assign a user to a PR. Assignee is auto-subscribed.
+#[utoipa::path(
+    post,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/assignees/{user_id}",
+    tag = "Pull Requests",
+    operation_id = "prAssign",
+    params(UserPath),
+    responses(
+        (status = 201, description = "User assigned.", body = ApiResponse<PrAssignee>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions", body = ApiErrorResponse),
+        (status = 404, description = "PR not found", body = ApiErrorResponse),
+        (status = 409, description = "User already assigned", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn assign_user(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<UserPath>,
+) -> Result<HttpResponse, AppError> {
+    let assignee = service
+        .pr
+        .pr_assign(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.user_id,
+        )
+        .await?;
+    Ok(HttpResponse::Created().json(ApiResponse::new(assignee)))
+}
+
+/// Unassign a user from a PR
+#[utoipa::path(
+    delete,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/assignees/{user_id}",
+    tag = "Pull Requests",
+    operation_id = "prUnassign",
+    params(UserPath),
+    responses(
+        (status = 200, description = "User unassigned.", body = ApiResponse<String>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions", body = ApiErrorResponse),
+        (status = 404, description = "Assignee not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn unassign_user(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<UserPath>,
+) -> Result<HttpResponse, AppError> {
+    service
+        .pr
+        .pr_unassign(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.user_id,
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new("User unassigned".to_string())))
+}

api/pr/check_runs.rs

@@ -0,0 +1,182 @@
+use actix_web::{HttpResponse, web};
+use serde::Deserialize;
+use utoipa::IntoParams;
+
+use crate::api::response::{ApiErrorResponse, ApiResponse};
+use crate::error::AppError;
+use crate::models::prs::PrCheckRun;
+use crate::service::AppService;
+use crate::service::pr::check_runs::{CreateCheckRunParams, UpdateCheckRunParams};
+use crate::session::Session;
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct PrPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct CheckRunPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+    /// Check run ID (UUID)
+    pub check_run_id: uuid::Uuid,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct QP {
+    pub limit: Option<i64>,
+    pub offset: Option<i64>,
+}
+
+/// List check runs for a PR
+#[utoipa::path(
+    get,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/check-runs",
+    tag = "Pull Requests",
+    operation_id = "prListCheckRuns",
+    params(PrPath, QP),
+    responses(
+        (status = 200, description = "Check runs listed.", body = ApiResponse<Vec<PrCheckRun>>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "PR not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn list_check_runs(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+    query: web::Query<QP>,
+) -> Result<HttpResponse, AppError> {
+    let runs = service
+        .pr
+        .pr_check_runs(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            query.limit.unwrap_or(50),
+            query.offset.unwrap_or(0),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(runs)))
+}
+
+/// Create a check run. Requires Member role.
+#[utoipa::path(
+    post,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/check-runs",
+    tag = "Pull Requests",
+    operation_id = "prCreateCheckRun",
+    params(PrPath),
+    request_body(content = CreateCheckRunParams, description = "Check run parameters", content_type = "application/json"),
+    responses(
+        (status = 201, description = "Check run created.", body = ApiResponse<PrCheckRun>),
+        (status = 400, description = "Invalid status", body = ApiErrorResponse),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions", body = ApiErrorResponse),
+        (status = 404, description = "PR not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn create_check_run(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+    params: web::Json<CreateCheckRunParams>,
+) -> Result<HttpResponse, AppError> {
+    let run = service
+        .pr
+        .pr_create_check_run(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            params.into_inner(),
+        )
+        .await?;
+    Ok(HttpResponse::Created().json(ApiResponse::new(run)))
+}
+
+/// Update a check run. Requires Member role.
+#[utoipa::path(
+    put,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/check-runs/{check_run_id}",
+    tag = "Pull Requests",
+    operation_id = "prUpdateCheckRun",
+    params(CheckRunPath),
+    request_body(content = UpdateCheckRunParams, description = "Check run update parameters", content_type = "application/json"),
+    responses(
+        (status = 200, description = "Check run updated.", body = ApiResponse<PrCheckRun>),
+        (status = 400, description = "Invalid status", body = ApiErrorResponse),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions", body = ApiErrorResponse),
+        (status = 404, description = "Check run not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn update_check_run(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<CheckRunPath>,
+    params: web::Json<UpdateCheckRunParams>,
+) -> Result<HttpResponse, AppError> {
+    let run = service
+        .pr
+        .pr_update_check_run(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.check_run_id,
+            params.into_inner(),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(run)))
+}
+
+/// Delete a check run. Requires Admin role.
+#[utoipa::path(
+    delete,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/check-runs/{check_run_id}",
+    tag = "Pull Requests",
+    operation_id = "prDeleteCheckRun",
+    params(CheckRunPath),
+    responses(
+        (status = 200, description = "Check run deleted.", body = ApiResponse<String>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions (Admin required)", body = ApiErrorResponse),
+        (status = 404, description = "Check run not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn delete_check_run(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<CheckRunPath>,
+) -> Result<HttpResponse, AppError> {
+    service
+        .pr
+        .pr_delete_check_run(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.check_run_id,
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new("Check run deleted".to_string())))
+}

api/pr/close.rs

@@ -1,8 +1,8 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;
 
-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PullRequest;
 use crate::service::AppService;

api/pr/create.rs

@@ -1,12 +1,12 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;
 
-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PullRequest;
-use crate::service::pr::core::CreatePrParams;
 use crate::service::AppService;
+use crate::service::pr::core::CreatePrParams;
 use crate::session::Session;
 
 #[derive(Debug, Deserialize, IntoParams)]
@@ -70,7 +70,12 @@ pub async fn create(
 ) -> Result<HttpResponse, AppError> {
     let pr = service
         .pr
-        .pr_create(&session, &path.workspace_name, &path.repo_name, params.into_inner())
+        .pr_create(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            params.into_inner(),
+        )
         .await?;
     Ok(HttpResponse::Created().json(ApiResponse::new(pr)))
 }

api/pr/delete.rs

@@ -1,8 +1,8 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;
 
-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::service::AppService;
 use crate::session::Session;

api/pr/events.rs

@@ -0,0 +1,60 @@
+use actix_web::{HttpResponse, web};
+use serde::Deserialize;
+use utoipa::IntoParams;
+
+use crate::api::response::{ApiErrorResponse, ApiResponse};
+use crate::error::AppError;
+use crate::models::prs::PrEvent;
+use crate::service::AppService;
+use crate::session::Session;
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct PrPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct QP {
+    pub limit: Option<i64>,
+    pub offset: Option<i64>,
+}
+
+/// List PR events (timeline). Returns chronological activity log.
+#[utoipa::path(
+    get,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/events",
+    tag = "Pull Requests",
+    operation_id = "prListEvents",
+    params(PrPath, QP),
+    responses(
+        (status = 200, description = "Events listed.", body = ApiResponse<Vec<PrEvent>>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "PR not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn list_events(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+    query: web::Query<QP>,
+) -> Result<HttpResponse, AppError> {
+    let events = service
+        .pr
+        .pr_list_events(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            query.limit.unwrap_or(50),
+            query.offset.unwrap_or(0),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(events)))
+}

api/pr/get.rs

@@ -1,8 +1,8 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;
 
-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PullRequest;
 use crate::service::AppService;

api/pr/get_status.rs

@@ -1,8 +1,8 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;
 
-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PrStatus;
 use crate::service::AppService;

api/pr/labels.rs

@@ -0,0 +1,295 @@
+use actix_web::{HttpResponse, web};
+use serde::Deserialize;
+use utoipa::IntoParams;
+
+use crate::api::response::{ApiErrorResponse, ApiResponse};
+use crate::error::AppError;
+use crate::models::prs::{PrLabel, PrLabelRelation};
+use crate::service::AppService;
+use crate::service::pr::labels::{CreatePrLabelParams, UpdatePrLabelParams};
+use crate::session::Session;
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct RepoPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct PrPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct LabelPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+    /// Label ID (UUID)
+    pub label_id: uuid::Uuid,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct LabelIdPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// Label ID (UUID)
+    pub label_id: uuid::Uuid,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct QP {
+    pub limit: Option<i64>,
+    pub offset: Option<i64>,
+}
+
+// ── Repo-level labels ──
+
+/// List PR labels in a repository
+#[utoipa::path(
+    get,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/labels",
+    tag = "Pull Requests",
+    operation_id = "prListLabels",
+    params(RepoPath),
+    responses(
+        (status = 200, description = "Labels listed successfully.", body = ApiResponse<Vec<PrLabel>>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "Repo not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn list_labels(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<RepoPath>,
+) -> Result<HttpResponse, AppError> {
+    let labels = service
+        .pr
+        .pr_labels(&session, &path.workspace_name, &path.repo_name)
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(labels)))
+}
+
+/// Create a PR label. Requires Member role.
+#[utoipa::path(
+    post,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/labels",
+    tag = "Pull Requests",
+    operation_id = "prCreateLabel",
+    params(RepoPath),
+    request_body(content = CreatePrLabelParams, description = "Label creation parameters", content_type = "application/json"),
+    responses(
+        (status = 201, description = "Label created.", body = ApiResponse<PrLabel>),
+        (status = 400, description = "Invalid parameters", body = ApiErrorResponse),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions", body = ApiErrorResponse),
+        (status = 404, description = "Repo not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn create_label(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<RepoPath>,
+    params: web::Json<CreatePrLabelParams>,
+) -> Result<HttpResponse, AppError> {
+    let label = service
+        .pr
+        .pr_create_label(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            params.into_inner(),
+        )
+        .await?;
+    Ok(HttpResponse::Created().json(ApiResponse::new(label)))
+}
+
+/// Update a PR label. Requires Admin role.
+#[utoipa::path(
+    put,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/labels/{label_id}",
+    tag = "Pull Requests",
+    operation_id = "prUpdateLabel",
+    params(LabelIdPath),
+    request_body(content = UpdatePrLabelParams, description = "Label update parameters", content_type = "application/json"),
+    responses(
+        (status = 200, description = "Label updated.", body = ApiResponse<PrLabel>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions (Admin required)", body = ApiErrorResponse),
+        (status = 404, description = "Label not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn update_label(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<LabelIdPath>,
+    params: web::Json<UpdatePrLabelParams>,
+) -> Result<HttpResponse, AppError> {
+    let label = service
+        .pr
+        .pr_update_label(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.label_id,
+            params.into_inner(),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(label)))
+}
+
+/// Delete a PR label. Requires Admin role.
+#[utoipa::path(
+    delete,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/labels/{label_id}",
+    tag = "Pull Requests",
+    operation_id = "prDeleteLabel",
+    params(LabelIdPath),
+    responses(
+        (status = 200, description = "Label deleted.", body = ApiResponse<String>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions (Admin required)", body = ApiErrorResponse),
+        (status = 404, description = "Label not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn delete_label(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<LabelIdPath>,
+) -> Result<HttpResponse, AppError> {
+    service
+        .pr
+        .pr_delete_label(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.label_id,
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new("Label deleted".to_string())))
+}
+
+// ── PR-level label relations ──
+
+/// List labels assigned to a PR
+#[utoipa::path(
+    get,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/labels",
+    tag = "Pull Requests",
+    operation_id = "prListLabelRelations",
+    params(PrPath, QP),
+    responses(
+        (status = 200, description = "Label relations listed.", body = ApiResponse<Vec<PrLabelRelation>>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "PR not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn list_label_relations(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+    query: web::Query<QP>,
+) -> Result<HttpResponse, AppError> {
+    let rels = service
+        .pr
+        .pr_label_relations(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            query.limit.unwrap_or(50),
+            query.offset.unwrap_or(0),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(rels)))
+}
+
+/// Assign a label to a PR
+#[utoipa::path(
+    post,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/labels/{label_id}",
+    tag = "Pull Requests",
+    operation_id = "prAssignLabel",
+    params(LabelPath),
+    responses(
+        (status = 200, description = "Label assigned.", body = ApiResponse<PrLabelRelation>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions", body = ApiErrorResponse),
+        (status = 404, description = "PR or label not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn assign_label(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<LabelPath>,
+) -> Result<HttpResponse, AppError> {
+    let rel = service
+        .pr
+        .pr_assign_label(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.label_id,
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(rel)))
+}
+
+/// Unassign a label from a PR
+#[utoipa::path(
+    delete,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/labels/{label_id}",
+    tag = "Pull Requests",
+    operation_id = "prUnassignLabel",
+    params(LabelPath),
+    responses(
+        (status = 200, description = "Label unassigned.", body = ApiResponse<String>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions", body = ApiErrorResponse),
+        (status = 404, description = "Label not assigned", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn unassign_label(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<LabelPath>,
+) -> Result<HttpResponse, AppError> {
+    service
+        .pr
+        .pr_unassign_label(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.label_id,
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new("Label unassigned".to_string())))
+}

api/pr/list.rs

@@ -1,12 +1,12 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;
 
-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PullRequest;
-use crate::service::pr::core::PrListFilters;
 use crate::service::AppService;
+use crate::service::pr::core::PrListFilters;
 use crate::session::Session;
 
 #[derive(Debug, Deserialize, IntoParams)]

api/pr/list_commits.rs

@@ -1,8 +1,8 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;
 
-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PrCommit;
 use crate::service::AppService;
@@ -53,7 +53,14 @@ pub async fn list_commits(
 ) -> Result<HttpResponse, AppError> {
     let commits = service
         .pr
-        .pr_commits(&session, &path.workspace_name, &path.repo_name, path.number, query.limit.unwrap_or(50), query.offset.unwrap_or(0))
+        .pr_commits(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            query.limit.unwrap_or(50),
+            query.offset.unwrap_or(0),
+        )
         .await?;
     Ok(HttpResponse::Ok().json(ApiResponse::new(commits)))
 }

api/pr/list_files.rs

@@ -1,8 +1,8 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;
 
-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PrFile;
 use crate::service::AppService;
@@ -54,7 +54,14 @@ pub async fn list_files(
 ) -> Result<HttpResponse, AppError> {
     let files = service
         .pr
-        .pr_files(&session, &path.workspace_name, &path.repo_name, path.number, query.limit.unwrap_or(50), query.offset.unwrap_or(0))
+        .pr_files(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            query.limit.unwrap_or(50),
+            query.offset.unwrap_or(0),
+        )
         .await?;
     Ok(HttpResponse::Ok().json(ApiResponse::new(files)))
 }

api/pr/lock.rs

@@ -1,8 +1,8 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;
 
-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PullRequest;
 use crate::service::AppService;
@@ -60,7 +60,13 @@ pub async fn lock(
 ) -> Result<HttpResponse, AppError> {
     let pr = service
         .pr
-        .pr_lock(&session, &path.workspace_name, &path.repo_name, path.number, params.locked)
+        .pr_lock(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            params.locked,
+        )
         .await?;
     Ok(HttpResponse::Ok().json(ApiResponse::new(pr)))
 }

api/pr/mark_ready.rs

@@ -1,8 +1,8 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;
 
-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PullRequest;
 use crate::service::AppService;

api/pr/merge.rs

@@ -1,12 +1,12 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;
 
-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PullRequest;
-use crate::service::pr::core::MergePrParams;
 use crate::service::AppService;
+use crate::service::pr::core::MergePrParams;
 use crate::session::Session;
 
 #[derive(Debug, Deserialize, IntoParams)]
@@ -67,7 +67,13 @@ pub async fn merge(
 ) -> Result<HttpResponse, AppError> {
     let pr = service
         .pr
-        .pr_merge(&session, &path.workspace_name, &path.repo_name, path.number, params.into_inner())
+        .pr_merge(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            params.into_inner(),
+        )
         .await?;
     Ok(HttpResponse::Ok().json(ApiResponse::new(pr)))
 }

api/pr/merge_strategy.rs

@@ -1,12 +1,12 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;
 
-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PrMergeStrategy;
-use crate::service::pr::merge_strategy::UpdateMergeStrategyParams;
 use crate::service::AppService;
+use crate::service::pr::merge_strategy::UpdateMergeStrategyParams;
 use crate::session::Session;
 
 #[derive(Debug, Deserialize, IntoParams)]
@@ -92,7 +92,13 @@ pub async fn update_merge_strategy(
 ) -> Result<HttpResponse, AppError> {
     let strategy = service
         .pr
-        .pr_update_merge_strategy(&session, &path.workspace_name, &path.repo_name, path.number, params.into_inner())
+        .pr_update_merge_strategy(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            params.into_inner(),
+        )
         .await?;
     Ok(HttpResponse::Ok().json(ApiResponse::new(strategy)))
 }

api/pr/mod.rs

@@ -0,0 +1,161 @@
+pub mod assignees;
+pub mod check_runs;
+pub mod close;
+pub mod create;
+pub mod delete;
+pub mod events;
+pub mod get;
+pub mod get_status;
+pub mod labels;
+pub mod list;
+pub mod list_commits;
+pub mod list_files;
+pub mod lock;
+pub mod mark_ready;
+pub mod merge;
+pub mod merge_strategy;
+pub mod reactions;
+pub mod reopen;
+pub mod reviews;
+pub mod subscriptions;
+pub mod update;
+
+use actix_web::web;
+
+/// Configure PR-level routes under `/workspaces/{workspace_name}/repos/{repo_name}/prs`
+pub fn configure(cfg: &mut web::ServiceConfig) {
+    cfg.service(
+        web::scope("/prs")
+            // Repo-level labels
+            .route("/labels", web::get().to(labels::list_labels))
+            .route("/labels", web::post().to(labels::create_label))
+            .route("/labels/{label_id}", web::put().to(labels::update_label))
+            .route("/labels/{label_id}", web::delete().to(labels::delete_label))
+            // Core
+            .route("", web::get().to(list::list))
+            .route("", web::post().to(create::create))
+            .route("/{number}", web::get().to(get::get))
+            .route("/{number}", web::put().to(update::update))
+            .route("/{number}", web::delete().to(delete::delete))
+            .route("/{number}/close", web::post().to(close::close))
+            .route("/{number}/reopen", web::post().to(reopen::reopen))
+            .route("/{number}/ready", web::post().to(mark_ready::mark_ready))
+            .route("/{number}/lock", web::put().to(lock::lock))
+            .route("/{number}/merge", web::post().to(merge::merge))
+            // Commits & Files
+            .route(
+                "/{number}/commits",
+                web::get().to(list_commits::list_commits),
+            )
+            .route("/{number}/files", web::get().to(list_files::list_files))
+            // Status & Merge Strategy
+            .route("/{number}/status", web::get().to(get_status::get_status))
+            .route(
+                "/{number}/merge-strategy",
+                web::get().to(merge_strategy::get_merge_strategy),
+            )
+            .route(
+                "/{number}/merge-strategy",
+                web::put().to(merge_strategy::update_merge_strategy),
+            )
+            // Labels (PR-level)
+            .route(
+                "/{number}/labels",
+                web::get().to(labels::list_label_relations),
+            )
+            .route(
+                "/{number}/labels/{label_id}",
+                web::post().to(labels::assign_label),
+            )
+            .route(
+                "/{number}/labels/{label_id}",
+                web::delete().to(labels::unassign_label),
+            )
+            // Assignees
+            .route(
+                "/{number}/assignees",
+                web::get().to(assignees::list_assignees),
+            )
+            .route(
+                "/{number}/assignees/{user_id}",
+                web::post().to(assignees::assign_user),
+            )
+            .route(
+                "/{number}/assignees/{user_id}",
+                web::delete().to(assignees::unassign_user),
+            )
+            // Reviews
+            .route("/{number}/reviews", web::get().to(reviews::list_reviews))
+            .route("/{number}/reviews", web::post().to(reviews::create_review))
+            .route(
+                "/{number}/reviews/{review_id}/submit",
+                web::post().to(reviews::submit_review),
+            )
+            .route(
+                "/{number}/reviews/{review_id}/dismiss",
+                web::post().to(reviews::dismiss_review),
+            )
+            .route(
+                "/{number}/reviews/{review_id}/comments",
+                web::get().to(reviews::list_review_comments),
+            )
+            .route(
+                "/{number}/comments/{comment_id}/reply",
+                web::post().to(reviews::add_review_reply),
+            )
+            .route(
+                "/{number}/comments/{comment_id}",
+                web::put().to(reviews::update_review_comment),
+            )
+            .route(
+                "/{number}/comments/{comment_id}",
+                web::delete().to(reviews::delete_review_comment),
+            )
+            // Check Runs
+            .route(
+                "/{number}/check-runs",
+                web::get().to(check_runs::list_check_runs),
+            )
+            .route(
+                "/{number}/check-runs",
+                web::post().to(check_runs::create_check_run),
+            )
+            .route(
+                "/{number}/check-runs/{check_run_id}",
+                web::put().to(check_runs::update_check_run),
+            )
+            .route(
+                "/{number}/check-runs/{check_run_id}",
+                web::delete().to(check_runs::delete_check_run),
+            )
+            // Events
+            .route("/{number}/events", web::get().to(events::list_events))
+            // Reactions
+            .route(
+                "/{number}/reactions",
+                web::get().to(reactions::list_reactions),
+            )
+            .route(
+                "/{number}/reactions",
+                web::post().to(reactions::add_reaction),
+            )
+            .route(
+                "/{number}/reactions/{reaction_id}",
+                web::delete().to(reactions::remove_reaction),
+            )
+            // Subscriptions
+            .route(
+                "/{number}/subscriptions",
+                web::get().to(subscriptions::list_subscriptions),
+            )
+            .route(
+                "/{number}/subscribe",
+                web::post().to(subscriptions::subscribe),
+            )
+            .route(
+                "/{number}/subscribe",
+                web::delete().to(subscriptions::unsubscribe),
+            )
+            .route("/{number}/mute", web::put().to(subscriptions::mute)),
+    );
+}

api/pr/reactions.rs

@@ -0,0 +1,143 @@
+use actix_web::{HttpResponse, web};
+use serde::Deserialize;
+use utoipa::IntoParams;
+
+use crate::api::response::{ApiErrorResponse, ApiResponse};
+use crate::error::AppError;
+use crate::models::prs::PrReaction;
+use crate::service::AppService;
+use crate::service::pr::reactions::CreateReactionParams;
+use crate::session::Session;
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct PrPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct ReactionPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+    /// Reaction ID (UUID)
+    pub reaction_id: uuid::Uuid,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct QP {
+    pub limit: Option<i64>,
+    pub offset: Option<i64>,
+}
+
+/// List reactions on a PR
+#[utoipa::path(
+    get,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/reactions",
+    tag = "Pull Requests",
+    operation_id = "prListReactions",
+    params(PrPath, QP),
+    responses(
+        (status = 200, description = "Reactions listed.", body = ApiResponse<Vec<PrReaction>>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "PR not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn list_reactions(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+    query: web::Query<QP>,
+) -> Result<HttpResponse, AppError> {
+    let reactions = service
+        .pr
+        .pr_reactions(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            query.limit.unwrap_or(50),
+            query.offset.unwrap_or(0),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(reactions)))
+}
+
+/// Add a reaction to a PR
+#[utoipa::path(
+    post,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/reactions",
+    tag = "Pull Requests",
+    operation_id = "prAddReaction",
+    params(PrPath),
+    request_body(content = CreateReactionParams, description = "Reaction parameters", content_type = "application/json"),
+    responses(
+        (status = 201, description = "Reaction added.", body = ApiResponse<PrReaction>),
+        (status = 400, description = "Invalid content or target type", body = ApiErrorResponse),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "PR not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn add_reaction(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+    params: web::Json<CreateReactionParams>,
+) -> Result<HttpResponse, AppError> {
+    let reaction = service
+        .pr
+        .pr_add_reaction(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            params.into_inner(),
+        )
+        .await?;
+    Ok(HttpResponse::Created().json(ApiResponse::new(reaction)))
+}
+
+/// Remove a reaction. Only the reaction author can remove it.
+#[utoipa::path(
+    delete,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/reactions/{reaction_id}",
+    tag = "Pull Requests",
+    operation_id = "prRemoveReaction",
+    params(ReactionPath),
+    responses(
+        (status = 200, description = "Reaction removed.", body = ApiResponse<String>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Cannot remove another user's reaction", body = ApiErrorResponse),
+        (status = 404, description = "Reaction not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn remove_reaction(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<ReactionPath>,
+) -> Result<HttpResponse, AppError> {
+    service
+        .pr
+        .pr_remove_reaction(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.reaction_id,
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new("Reaction removed".to_string())))
+}

api/pr/reopen.rs

@@ -1,8 +1,8 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;
 
-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PullRequest;
 use crate::service::AppService;

api/pr/reviews.rs

@@ -0,0 +1,343 @@
+use actix_web::{HttpResponse, web};
+use serde::Deserialize;
+use utoipa::IntoParams;
+
+use crate::api::response::{ApiErrorResponse, ApiResponse};
+use crate::error::AppError;
+use crate::models::prs::{PrReview, PrReviewComment};
+use crate::service::AppService;
+use crate::service::pr::reviews::{
+    AddReplyParams, CreateReviewParams, DismissReviewParams, SubmitReviewParams,
+};
+use crate::session::Session;
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct PrPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct ReviewPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+    /// Review ID (UUID)
+    pub review_id: uuid::Uuid,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct CommentPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+    /// Comment ID (UUID)
+    pub comment_id: uuid::Uuid,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct QP {
+    pub limit: Option<i64>,
+    pub offset: Option<i64>,
+}
+
+/// List reviews on a PR
+#[utoipa::path(
+    get,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/reviews",
+    tag = "Pull Requests",
+    operation_id = "prListReviews",
+    params(PrPath, QP),
+    responses(
+        (status = 200, description = "Reviews listed.", body = ApiResponse<Vec<PrReview>>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "PR not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn list_reviews(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+    query: web::Query<QP>,
+) -> Result<HttpResponse, AppError> {
+    let reviews = service
+        .pr
+        .pr_list_reviews(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            query.limit.unwrap_or(50),
+            query.offset.unwrap_or(0),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(reviews)))
+}
+
+/// Create a review. States: pending, approved, changes_requested, commented. Authors cannot approve their own PRs.
+#[utoipa::path(
+    post,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/reviews",
+    tag = "Pull Requests",
+    operation_id = "prCreateReview",
+    params(PrPath),
+    request_body(content = CreateReviewParams, description = "Review parameters", content_type = "application/json"),
+    responses(
+        (status = 201, description = "Review created.", body = ApiResponse<PrReview>),
+        (status = 400, description = "Invalid state or self-approval", body = ApiErrorResponse),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions", body = ApiErrorResponse),
+        (status = 404, description = "PR not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn create_review(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+    params: web::Json<CreateReviewParams>,
+) -> Result<HttpResponse, AppError> {
+    let review = service
+        .pr
+        .pr_create_review(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            params.into_inner(),
+        )
+        .await?;
+    Ok(HttpResponse::Created().json(ApiResponse::new(review)))
+}
+
+/// Submit a pending review. Changes its state to approved, changes_requested, or commented.
+#[utoipa::path(
+    post,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/reviews/{review_id}/submit",
+    tag = "Pull Requests",
+    operation_id = "prSubmitReview",
+    params(ReviewPath),
+    request_body(content = SubmitReviewParams, description = "Submit parameters", content_type = "application/json"),
+    responses(
+        (status = 200, description = "Review submitted.", body = ApiResponse<PrReview>),
+        (status = 400, description = "Invalid state or self-approval", body = ApiErrorResponse),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions", body = ApiErrorResponse),
+        (status = 404, description = "Review not found or already submitted", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn submit_review(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<ReviewPath>,
+    params: web::Json<SubmitReviewParams>,
+) -> Result<HttpResponse, AppError> {
+    let review = service
+        .pr
+        .pr_submit_review(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.review_id,
+            params.into_inner(),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(review)))
+}
+
+/// Dismiss a submitted review. Requires Admin role.
+#[utoipa::path(
+    post,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/reviews/{review_id}/dismiss",
+    tag = "Pull Requests",
+    operation_id = "prDismissReview",
+    params(ReviewPath),
+    request_body(content = DismissReviewParams, description = "Dismiss parameters", content_type = "application/json"),
+    responses(
+        (status = 200, description = "Review dismissed.", body = ApiResponse<PrReview>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions (Admin required)", body = ApiErrorResponse),
+        (status = 404, description = "Review not found or not submitted", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn dismiss_review(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<ReviewPath>,
+    params: web::Json<DismissReviewParams>,
+) -> Result<HttpResponse, AppError> {
+    let review = service
+        .pr
+        .pr_dismiss_review(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.review_id,
+            params.into_inner(),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(review)))
+}
+
+/// List comments for a specific review
+#[utoipa::path(
+    get,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/reviews/{review_id}/comments",
+    tag = "Pull Requests",
+    operation_id = "prListReviewComments",
+    params(ReviewPath, QP),
+    responses(
+        (status = 200, description = "Review comments listed.", body = ApiResponse<Vec<PrReviewComment>>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "Review not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn list_review_comments(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<ReviewPath>,
+    query: web::Query<QP>,
+) -> Result<HttpResponse, AppError> {
+    let comments = service
+        .pr
+        .pr_review_comments(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.review_id,
+            query.limit.unwrap_or(50),
+            query.offset.unwrap_or(0),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(comments)))
+}
+
+/// Reply to a review comment
+#[utoipa::path(
+    post,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/comments/{comment_id}/reply",
+    tag = "Pull Requests",
+    operation_id = "prAddReviewReply",
+    params(CommentPath),
+    request_body(content = AddReplyParams, description = "Reply parameters", content_type = "application/json"),
+    responses(
+        (status = 201, description = "Reply added.", body = ApiResponse<PrReviewComment>),
+        (status = 400, description = "Empty body", body = ApiErrorResponse),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "Comment not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn add_review_reply(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<CommentPath>,
+    params: web::Json<AddReplyParams>,
+) -> Result<HttpResponse, AppError> {
+    let comment = service
+        .pr
+        .pr_add_review_reply(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.comment_id,
+            params.into_inner(),
+        )
+        .await?;
+    Ok(HttpResponse::Created().json(ApiResponse::new(comment)))
+}
+
+/// Update a review comment (own comments only)
+#[utoipa::path(
+    put,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/comments/{comment_id}",
+    tag = "Pull Requests",
+    operation_id = "prUpdateReviewComment",
+    params(CommentPath),
+    request_body(content = AddReplyParams, description = "Update parameters", content_type = "application/json"),
+    responses(
+        (status = 200, description = "Comment updated.", body = ApiResponse<PrReviewComment>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Cannot edit other users' comments", body = ApiErrorResponse),
+        (status = 404, description = "Comment not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn update_review_comment(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<CommentPath>,
+    params: web::Json<AddReplyParams>,
+) -> Result<HttpResponse, AppError> {
+    let comment = service
+        .pr
+        .pr_update_review_comment(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.comment_id,
+            params.into_inner(),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(comment)))
+}
+
+/// Delete a review comment. Own comments or Admin role.
+#[utoipa::path(
+    delete,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/comments/{comment_id}",
+    tag = "Pull Requests",
+    operation_id = "prDeleteReviewComment",
+    params(CommentPath),
+    responses(
+        (status = 200, description = "Comment deleted.", body = ApiResponse<String>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 403, description = "Cannot delete other users' comments (Admin required)", body = ApiErrorResponse),
+        (status = 404, description = "Comment not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn delete_review_comment(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<CommentPath>,
+) -> Result<HttpResponse, AppError> {
+    service
+        .pr
+        .pr_delete_review_comment(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            path.comment_id,
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new("Comment deleted".to_string())))
+}

api/pr/subscriptions.rs

@@ -0,0 +1,156 @@
+use actix_web::{HttpResponse, web};
+use serde::Deserialize;
+use utoipa::IntoParams;
+
+use crate::api::response::{ApiErrorResponse, ApiResponse};
+use crate::error::AppError;
+use crate::models::prs::PrSubscription;
+use crate::service::AppService;
+use crate::session::Session;
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct PrPath {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// PR number (unique within the repository)
+    pub number: i64,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct QP {
+    pub limit: Option<i64>,
+    pub offset: Option<i64>,
+}
+
+/// List subscriptions on a PR
+#[utoipa::path(
+    get,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/subscriptions",
+    tag = "Pull Requests",
+    operation_id = "prListSubscriptions",
+    params(PrPath, QP),
+    responses(
+        (status = 200, description = "Subscriptions listed.", body = ApiResponse<Vec<PrSubscription>>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "PR not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn list_subscriptions(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+    query: web::Query<QP>,
+) -> Result<HttpResponse, AppError> {
+    let subs = service
+        .pr
+        .pr_subscriptions(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            query.limit.unwrap_or(50),
+            query.offset.unwrap_or(0),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(subs)))
+}
+
+/// Subscribe to a PR to receive notifications
+#[utoipa::path(
+    post,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/subscribe",
+    tag = "Pull Requests",
+    operation_id = "prSubscribe",
+    params(PrPath),
+    responses(
+        (status = 200, description = "Subscribed.", body = ApiResponse<PrSubscription>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "PR not found", body = ApiErrorResponse),
+        (status = 409, description = "Already subscribed", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn subscribe(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+) -> Result<HttpResponse, AppError> {
+    let sub = service
+        .pr
+        .pr_subscribe(&session, &path.workspace_name, &path.repo_name, path.number)
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(sub)))
+}
+
+/// Unsubscribe from a PR
+#[utoipa::path(
+    delete,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/subscribe",
+    tag = "Pull Requests",
+    operation_id = "prUnsubscribe",
+    params(PrPath),
+    responses(
+        (status = 200, description = "Unsubscribed.", body = ApiResponse<String>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "Not subscribed", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn unsubscribe(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+) -> Result<HttpResponse, AppError> {
+    service
+        .pr
+        .pr_unsubscribe(&session, &path.workspace_name, &path.repo_name, path.number)
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new("Unsubscribed".to_string())))
+}
+
+#[derive(Debug, Deserialize, utoipa::ToSchema)]
+pub struct MutePrParams {
+    /// Whether to mute (true) or unmute (false) notifications
+    pub muted: bool,
+}
+
+/// Mute or unmute notifications for a PR
+#[utoipa::path(
+    put,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/prs/{number}/mute",
+    tag = "Pull Requests",
+    operation_id = "prMute",
+    params(PrPath),
+    request_body(content = MutePrParams, description = "Mute/unmute parameters", content_type = "application/json"),
+    responses(
+        (status = 200, description = "Mute status updated.", body = ApiResponse<String>),
+        (status = 401, description = "Authentication required", body = ApiErrorResponse),
+        (status = 404, description = "Not subscribed", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn mute(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PrPath>,
+    params: web::Json<MutePrParams>,
+) -> Result<HttpResponse, AppError> {
+    service
+        .pr
+        .pr_mute(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            params.muted,
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new("Mute status updated".to_string())))
+}

api/pr/update.rs

@@ -1,12 +1,12 @@
-use actix_web::{web, HttpResponse};
+use actix_web::{HttpResponse, web};
 use serde::Deserialize;
 use utoipa::IntoParams;
 
-use crate::api::response::{ApiResponse, ApiErrorResponse};
+use crate::api::response::{ApiErrorResponse, ApiResponse};
 use crate::error::AppError;
 use crate::models::prs::PullRequest;
-use crate::service::pr::core::UpdatePrParams;
 use crate::service::AppService;
+use crate::service::pr::core::UpdatePrParams;
 use crate::session::Session;
 
 #[derive(Debug, Deserialize, IntoParams)]
@@ -57,7 +57,13 @@ pub async fn update(
 ) -> Result<HttpResponse, AppError> {
     let pr = service
         .pr
-        .pr_update(&session, &path.workspace_name, &path.repo_name, path.number, params.into_inner())
+        .pr_update(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            path.number,
+            params.into_inner(),
+        )
         .await?;
     Ok(HttpResponse::Ok().json(ApiResponse::new(pr)))
 }

api/wiki/compare_revisions.rs

@@ -0,0 +1,79 @@
+use actix_web::{HttpResponse, web};
+use serde::{Deserialize, Serialize};
+use utoipa::{IntoParams, ToSchema};
+
+use crate::api::response::{ApiErrorResponse, ApiResponse};
+use crate::error::AppError;
+use crate::models::wiki::WikiPageRevision;
+use crate::service::AppService;
+use crate::session::Session;
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct PathParams {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// Wiki page slug (URL-friendly identifier)
+    pub slug: String,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct QueryParams {
+    /// Older version number to compare from
+    pub old_version: i32,
+    /// Newer version number to compare to
+    pub new_version: i32,
+}
+
+/// Result of comparing two wiki page revisions
+#[derive(Debug, Serialize, Deserialize, ToSchema)]
+pub struct WikiCompareResult {
+    /// The older revision being compared
+    pub old: WikiPageRevision,
+    /// The newer revision being compared
+    pub new: WikiPageRevision,
+}
+
+/// Compare two wiki page revisions
+///
+/// Compares two versions of a wiki page and returns both revisions.
+/// Requires read access to the repository.
+///
+/// Returns the old and new revisions for client-side diff computation.
+/// The client can compute the diff between the two content snapshots.
+#[utoipa::path(
+    get,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/wiki/{slug}/compare",
+    tag = "Wiki",
+    operation_id = "wikiCompareRevisions",
+    params(PathParams, QueryParams),
+    responses(
+        (status = 200, description = "Revisions compared successfully. Returns old and new revision objects.", body = ApiResponse<WikiCompareResult>),
+        (status = 400, description = "Invalid version numbers", body = ApiErrorResponse),
+        (status = 401, description = "Authentication required or session expired", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions to access this repository", body = ApiErrorResponse),
+        (status = 404, description = "Wiki page, revisions, repository, or workspace not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn compare_revisions(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PathParams>,
+    query: web::Query<QueryParams>,
+) -> Result<HttpResponse, AppError> {
+    let (old, new) = service
+        .repo
+        .wiki_compare_revisions(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            &path.slug,
+            query.old_version,
+            query.new_version,
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(WikiCompareResult { old, new })))
+}

api/wiki/create_page.rs

@@ -0,0 +1,66 @@
+use actix_web::{HttpResponse, web};
+use serde::Deserialize;
+use utoipa::IntoParams;
+
+use crate::api::response::{ApiErrorResponse, ApiResponse};
+use crate::error::AppError;
+use crate::models::wiki::WikiPage;
+use crate::service::AppService;
+use crate::service::wiki::core::CreateWikiPageParams;
+use crate::session::Session;
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct PathParams {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+}
+
+/// Create a wiki page
+///
+/// Creates a new wiki page in the repository.
+/// Requires at least Member role in the repository.
+///
+/// The title is automatically converted to a URL-friendly slug.
+/// An initial revision is created with the page.
+///
+/// Returns the created wiki page with full metadata.
+#[utoipa::path(
+    post,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/wiki",
+    tag = "Wiki",
+    operation_id = "wikiCreatePage",
+    params(PathParams),
+    request_body(
+        content = CreateWikiPageParams,
+        description = "Wiki page creation parameters",
+        content_type = "application/json"
+    ),
+    responses(
+        (status = 201, description = "Wiki page created successfully.", body = ApiResponse<WikiPage>),
+        (status = 400, description = "Invalid parameters: empty title or content", body = ApiErrorResponse),
+        (status = 401, description = "Authentication required or session expired", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions (requires Member role or higher)", body = ApiErrorResponse),
+        (status = 404, description = "Repository or workspace not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn create_page(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PathParams>,
+    params: web::Json<CreateWikiPageParams>,
+) -> Result<HttpResponse, AppError> {
+    let page = service
+        .repo
+        .wiki_create_page(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            params.into_inner(),
+        )
+        .await?;
+    Ok(HttpResponse::Created().json(ApiResponse::new(page)))
+}

api/wiki/delete_page.rs

@@ -0,0 +1,54 @@
+use actix_web::{HttpResponse, web};
+use serde::Deserialize;
+use utoipa::IntoParams;
+
+use crate::api::response::{ApiErrorResponse, ApiResponse};
+use crate::error::AppError;
+use crate::service::AppService;
+use crate::session::Session;
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct PathParams {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// Wiki page slug (URL-friendly identifier)
+    pub slug: String,
+}
+
+/// Delete a wiki page
+///
+/// Soft-deletes a wiki page. The page is marked as deleted but remains in the database.
+/// Requires Admin role in the repository.
+///
+/// The page and its revision history are preserved but no longer accessible via the API.
+/// Returns success message on completion.
+#[utoipa::path(
+    delete,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/wiki/{slug}",
+    tag = "Wiki",
+    operation_id = "wikiDeletePage",
+    params(PathParams),
+    responses(
+        (status = 200, description = "Wiki page deleted successfully.", body = ApiResponse<String>),
+        (status = 401, description = "Authentication required or session expired", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions (requires Admin role)", body = ApiErrorResponse),
+        (status = 404, description = "Wiki page, repository, or workspace not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn delete_page(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PathParams>,
+) -> Result<HttpResponse, AppError> {
+    service
+        .repo
+        .wiki_delete_page(&session, &path.workspace_name, &path.repo_name, &path.slug)
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(
+        "Wiki page deleted successfully".to_string(),
+    )))
+}

api/wiki/get_page.rs

@@ -0,0 +1,50 @@
+use actix_web::{HttpResponse, web};
+use serde::Deserialize;
+use utoipa::IntoParams;
+
+use crate::api::response::{ApiErrorResponse, ApiResponse};
+use crate::error::AppError;
+use crate::models::wiki::WikiPage;
+use crate::service::AppService;
+use crate::session::Session;
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct PathParams {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// Wiki page slug (URL-friendly identifier)
+    pub slug: String,
+}
+
+/// Get a wiki page
+///
+/// Retrieves a single wiki page by its slug.
+/// Requires read access to the repository.
+#[utoipa::path(
+    get,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/wiki/{slug}",
+    tag = "Wiki",
+    operation_id = "wikiGetPage",
+    params(PathParams),
+    responses(
+        (status = 200, description = "Wiki page retrieved successfully.", body = ApiResponse<WikiPage>),
+        (status = 401, description = "Authentication required or session expired", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions to access this repository", body = ApiErrorResponse),
+        (status = 404, description = "Wiki page, repository, or workspace not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn get_page(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PathParams>,
+) -> Result<HttpResponse, AppError> {
+    let page = service
+        .repo
+        .wiki_get_page(&session, &path.workspace_name, &path.repo_name, &path.slug)
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(page)))
+}

api/wiki/get_revision.rs

@@ -0,0 +1,60 @@
+use actix_web::{HttpResponse, web};
+use serde::Deserialize;
+use utoipa::IntoParams;
+
+use crate::api::response::{ApiErrorResponse, ApiResponse};
+use crate::error::AppError;
+use crate::models::wiki::WikiPageRevision;
+use crate::service::AppService;
+use crate::session::Session;
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct PathParams {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// Wiki page slug (URL-friendly identifier)
+    pub slug: String,
+    /// Revision version number
+    pub version: i32,
+}
+
+/// Get a specific wiki page revision
+///
+/// Retrieves a specific revision of a wiki page by version number.
+/// Requires read access to the repository.
+///
+/// Returns the full revision with content snapshot, editor, and commit message.
+#[utoipa::path(
+    get,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/wiki/{slug}/revisions/{version}",
+    tag = "Wiki",
+    operation_id = "wikiGetRevision",
+    params(PathParams),
+    responses(
+        (status = 200, description = "Revision retrieved successfully.", body = ApiResponse<WikiPageRevision>),
+        (status = 401, description = "Authentication required or session expired", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions to access this repository", body = ApiErrorResponse),
+        (status = 404, description = "Wiki page, revision, repository, or workspace not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn get_revision(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PathParams>,
+) -> Result<HttpResponse, AppError> {
+    let revision = service
+        .repo
+        .wiki_get_revision(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            &path.slug,
+            path.version,
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(revision)))
+}

api/wiki/list_pages.rs

@@ -0,0 +1,67 @@
+use actix_web::{HttpResponse, web};
+use serde::Deserialize;
+use utoipa::IntoParams;
+
+use crate::api::response::{ApiErrorResponse, ApiResponse};
+use crate::error::AppError;
+use crate::models::wiki::WikiPage;
+use crate::service::AppService;
+use crate::session::Session;
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct PathParams {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct QueryParams {
+    /// Search query to filter pages by title or content
+    pub search: Option<String>,
+    /// Maximum number of pages to return (default: 50, max: 100)
+    pub limit: Option<i64>,
+    /// Number of pages to skip for pagination (default: 0)
+    pub offset: Option<i64>,
+}
+
+/// List wiki pages in a repository
+///
+/// Returns a paginated list of all wiki pages in the repository.
+/// Supports searching by title or content.
+/// Requires read access to the repository.
+#[utoipa::path(
+    get,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/wiki",
+    tag = "Wiki",
+    operation_id = "wikiListPages",
+    params(PathParams, QueryParams),
+    responses(
+        (status = 200, description = "Wiki pages listed successfully.", body = ApiResponse<Vec<WikiPage>>),
+        (status = 401, description = "Authentication required or session expired", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions to access this repository", body = ApiErrorResponse),
+        (status = 404, description = "Repository or workspace not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn list_pages(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PathParams>,
+    query: web::Query<QueryParams>,
+) -> Result<HttpResponse, AppError> {
+    let pages = service
+        .repo
+        .wiki_list_pages(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            query.search.clone(),
+            query.limit.unwrap_or(50),
+            query.offset.unwrap_or(0),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(pages)))
+}

api/wiki/list_revisions.rs

@@ -0,0 +1,69 @@
+use actix_web::{HttpResponse, web};
+use serde::Deserialize;
+use utoipa::IntoParams;
+
+use crate::api::response::{ApiErrorResponse, ApiResponse};
+use crate::error::AppError;
+use crate::models::wiki::WikiPageRevision;
+use crate::service::AppService;
+use crate::session::Session;
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct PathParams {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// Wiki page slug (URL-friendly identifier)
+    pub slug: String,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct QueryParams {
+    /// Maximum number of revisions to return (default: 50, max: 100)
+    pub limit: Option<i64>,
+    /// Number of revisions to skip for pagination (default: 0)
+    pub offset: Option<i64>,
+}
+
+/// List wiki page revisions
+///
+/// Returns a paginated list of all revisions for a wiki page, sorted by version (newest first).
+/// Requires read access to the repository.
+///
+/// Each revision includes the full content snapshot at that version,
+/// the editor who made the change, and an optional commit message.
+#[utoipa::path(
+    get,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/wiki/{slug}/revisions",
+    tag = "Wiki",
+    operation_id = "wikiListRevisions",
+    params(PathParams, QueryParams),
+    responses(
+        (status = 200, description = "Revisions listed successfully.", body = ApiResponse<Vec<WikiPageRevision>>),
+        (status = 401, description = "Authentication required or session expired", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions to access this repository", body = ApiErrorResponse),
+        (status = 404, description = "Wiki page, repository, or workspace not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn list_revisions(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PathParams>,
+    query: web::Query<QueryParams>,
+) -> Result<HttpResponse, AppError> {
+    let revisions = service
+        .repo
+        .wiki_get_revisions(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            &path.slug,
+            query.limit.unwrap_or(50),
+            query.offset.unwrap_or(0),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(revisions)))
+}

api/wiki/mod.rs

@@ -0,0 +1,38 @@
+pub mod compare_revisions;
+pub mod create_page;
+pub mod delete_page;
+pub mod get_page;
+pub mod get_revision;
+pub mod list_pages;
+pub mod list_revisions;
+pub mod revert_page;
+pub mod update_page;
+
+use actix_web::web;
+
+/// Configure wiki routes under `/workspaces/{workspace_name}/repos/{repo_name}/wiki`
+pub fn configure(cfg: &mut web::ServiceConfig) {
+    cfg.service(
+        web::scope("/wiki")
+            // Pages
+            .route("", web::get().to(list_pages::list_pages))
+            .route("", web::post().to(create_page::create_page))
+            .route("/{slug}", web::get().to(get_page::get_page))
+            .route("/{slug}", web::put().to(update_page::update_page))
+            .route("/{slug}", web::delete().to(delete_page::delete_page))
+            .route("/{slug}/revert", web::post().to(revert_page::revert_page))
+            // Revisions
+            .route(
+                "/{slug}/revisions",
+                web::get().to(list_revisions::list_revisions),
+            )
+            .route(
+                "/{slug}/revisions/{version}",
+                web::get().to(get_revision::get_revision),
+            )
+            .route(
+                "/{slug}/compare",
+                web::get().to(compare_revisions::compare_revisions),
+            ),
+    );
+}

api/wiki/revert_page.rs

@@ -0,0 +1,72 @@
+use actix_web::{HttpResponse, web};
+use serde::Deserialize;
+use utoipa::IntoParams;
+
+use crate::api::response::{ApiErrorResponse, ApiResponse};
+use crate::error::AppError;
+use crate::models::wiki::WikiPage;
+use crate::service::AppService;
+use crate::session::Session;
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct PathParams {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// Wiki page slug (URL-friendly identifier)
+    pub slug: String,
+}
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct QueryParams {
+    /// Target version number to revert to
+    pub version: i32,
+    /// Optional commit message describing the revert
+    pub commit_message: Option<String>,
+}
+
+/// Revert a wiki page to a historical version
+///
+/// Reverts the wiki page to a specified historical version.
+/// Requires at least Member role in the repository.
+///
+/// This creates a new revision with the content from the target version.
+/// The current content is not lost; it remains in the revision history.
+///
+/// Returns the updated wiki page with the reverted content.
+#[utoipa::path(
+    post,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/wiki/{slug}/revert",
+    tag = "Wiki",
+    operation_id = "wikiRevertPage",
+    params(PathParams, QueryParams),
+    responses(
+        (status = 200, description = "Wiki page reverted successfully.", body = ApiResponse<WikiPage>),
+        (status = 400, description = "Invalid version number", body = ApiErrorResponse),
+        (status = 401, description = "Authentication required or session expired", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions (requires Member role or higher)", body = ApiErrorResponse),
+        (status = 404, description = "Wiki page, revision, repository, or workspace not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn revert_page(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PathParams>,
+    query: web::Query<QueryParams>,
+) -> Result<HttpResponse, AppError> {
+    let page = service
+        .repo
+        .wiki_revert_to_version(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            &path.slug,
+            query.version,
+            query.commit_message.clone(),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(page)))
+}

api/wiki/update_page.rs

@@ -0,0 +1,70 @@
+use actix_web::{HttpResponse, web};
+use serde::Deserialize;
+use utoipa::IntoParams;
+
+use crate::api::response::{ApiErrorResponse, ApiResponse};
+use crate::error::AppError;
+use crate::models::wiki::WikiPage;
+use crate::service::AppService;
+use crate::service::wiki::core::UpdateWikiPageParams;
+use crate::session::Session;
+
+#[derive(Debug, Deserialize, IntoParams)]
+pub struct PathParams {
+    /// Workspace name (unique identifier)
+    pub workspace_name: String,
+    /// Repository name (unique within the workspace)
+    pub repo_name: String,
+    /// Wiki page slug (URL-friendly identifier)
+    pub slug: String,
+}
+
+/// Update a wiki page
+///
+/// Updates an existing wiki page's title, content, or both.
+/// Requires at least Member role in the repository.
+///
+/// A new revision is automatically created with the changes.
+/// Optionally include a commit message to describe the changes.
+///
+/// All fields are optional; only provided fields are updated.
+/// Returns the updated wiki page.
+#[utoipa::path(
+    put,
+    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/wiki/{slug}",
+    tag = "Wiki",
+    operation_id = "wikiUpdatePage",
+    params(PathParams),
+    request_body(
+        content = UpdateWikiPageParams,
+        description = "Wiki page update parameters (all fields optional)",
+        content_type = "application/json"
+    ),
+    responses(
+        (status = 200, description = "Wiki page updated successfully.", body = ApiResponse<WikiPage>),
+        (status = 400, description = "Invalid parameters", body = ApiErrorResponse),
+        (status = 401, description = "Authentication required or session expired", body = ApiErrorResponse),
+        (status = 403, description = "Insufficient permissions (requires Member role or higher)", body = ApiErrorResponse),
+        (status = 404, description = "Wiki page, repository, or workspace not found", body = ApiErrorResponse),
+        (status = 500, description = "Internal server error", body = ApiErrorResponse),
+    ),
+    security(("session_cookie" = []))
+)]
+pub async fn update_page(
+    service: web::Data<AppService>,
+    session: Session,
+    path: web::Path<PathParams>,
+    params: web::Json<UpdateWikiPageParams>,
+) -> Result<HttpResponse, AppError> {
+    let page = service
+        .repo
+        .wiki_update_page(
+            &session,
+            &path.workspace_name,
+            &path.repo_name,
+            &path.slug,
+            params.into_inner(),
+        )
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(page)))
+}

gen_openapi.rs

@@ -1,9 +1,8 @@
-use utoipa::OpenApi;
 use appks::api::openapi::OpenApiDoc;
+use utoipa::OpenApi;
 
 fn main() {
-    let json = OpenApiDoc::openapi()
+    let json = OpenApiDoc::openapi().to_pretty_json();
-        .to_pretty_json();
     if let Ok(json) = json {
         if let Err(e) = std::fs::write("openapi.json", json) {
             eprintln!("{}", e);

main.rs

@@ -1,3 +1,124 @@
-fn main() {
+use std::sync::Arc;
-    println!("Hello, world!");
+
+use actix_web::cookie::Key;
+use actix_web::{App, HttpResponse, HttpServer, web};
+use appks::api::openapi::OpenApiDoc;
+use appks::api::routes::init_routes;
+use appks::cache::AppCache;
+use appks::cache::redis::AppRedis;
+use appks::config::AppConfig;
+use appks::error::{AppError, AppResult};
+use appks::etcd::EtcdRegistry;
+use appks::models::db::AppDatabase;
+use appks::queue::NatsQueue;
+use appks::service::AppService;
+use appks::session::{RedisSessionStore, SessionMiddleware};
+use appks::storage::s3::AppS3Storage;
+use sqlx::Executor;
+use utoipa::OpenApi;
+
+#[actix_web::main]
+async fn main() -> AppResult<()> {
+    tracing_subscriber::fmt::init();
+
+    let config = AppConfig::load();
+    validate_session_secret(&config)?;
+
+    tracing::info!("starting AppKS");
+
+    let db = AppDatabase::from_config(&config).await?;
+    db.writer().execute("SELECT 1").await?;
+
+    let redis = AppRedis::from_config(&config)?;
+    let cache = Arc::new(AppCache::from_config(&config)?);
+    let storage = AppS3Storage::from_config(&config).await?;
+
+    let registry = Arc::new(EtcdRegistry::connect(&config).await?);
+    registry.start_discovery().await?;
+    if config.get_env_or("APP_ETCD_REGISTER_SELF", false)? {
+        registry
+            .register_self(&config.rpc_self_service_name()?)
+            .await?;
+    }
+
+    let nats = Arc::new(NatsQueue::connect(&config).await?);
+    nats.ensure_stream("IM", vec!["im.>".to_string()]).await?;
+
+    let service = AppService::new(
+        env!("CARGO_PKG_VERSION").to_string(),
+        db.clone(),
+        redis.clone(),
+        cache,
+        config.clone(),
+        storage,
+        registry,
+        nats,
+    );
+
+    let host = config.get_env_or::<String>("APP_HTTP_HOST", "0.0.0.0".to_string())?;
+    let port = config.get_env_or::<u16>("APP_HTTP_PORT", 8000)?;
+    let workers = config.get_env_or::<usize>(
+        "APP_HTTP_WORKERS",
+        std::thread::available_parallelism()
+            .map(|n| n.get())
+            .unwrap_or(1),
+    )?;
+    let bind_addr = format!("{host}:{port}");
+    let session_key = build_session_key(&config)?;
+
+    tracing::info!(addr = %bind_addr, workers, "http server listening");
+
+    HttpServer::new(move || {
+        let session_store = RedisSessionStore::new(redis.clone());
+        let session_middleware =
+            SessionMiddleware::from_app_config(session_store, session_key.clone(), &config)
+                .expect("valid session configuration");
+
+        App::new()
+            .app_data(web::Data::new(service.clone()))
+            .wrap(session_middleware)
+            .route("/healthz", web::get().to(healthz))
+            .route("/readyz", web::get().to(readyz))
+            .route("/openapi.json", web::get().to(openapi_json))
+            .configure(init_routes)
+    })
+    .workers(workers)
+    .bind(bind_addr)?
+    .run()
+    .await?;
+
+    db.close().await;
+    Ok(())
+}
+
+async fn healthz() -> HttpResponse {
+    HttpResponse::Ok().json(serde_json::json!({ "status": "ok" }))
+}
+
+async fn readyz(service: web::Data<AppService>) -> Result<HttpResponse, AppError> {
+    service.ctx.db.writer().execute("SELECT 1").await?;
+    Ok(HttpResponse::Ok().json(serde_json::json!({ "status": "ready" })))
+}
+
+async fn openapi_json() -> HttpResponse {
+    HttpResponse::Ok().json(OpenApiDoc::openapi())
+}
+
+fn build_session_key(config: &AppConfig) -> AppResult<Key> {
+    let secret = session_secret(config)?;
+    Ok(Key::derive_from(secret.as_bytes()))
+}
+
+fn validate_session_secret(config: &AppConfig) -> AppResult<()> {
+    session_secret(config).map(|_| ())
+}
+
+fn session_secret(config: &AppConfig) -> AppResult<String> {
+    let secret = config
+        .env
+        .get("APP_SESSION_SECRET")
+        .map(|s| s.trim())
+        .filter(|s| s.len() >= 32)
+        .ok_or_else(|| AppError::Config("APP_SESSION_SECRET must be at least 32 bytes".into()))?;
+    Ok(secret.to_string())
 }

service/workspace/core.rs

@@ -500,10 +500,7 @@ impl WorkspaceService {
         }
     }
 
-    pub async fn find_workspace_by_id(
+    pub async fn find_workspace_by_id(&self, workspace_id: Uuid) -> Result<Workspace, AppError> {
-        &self,
-        workspace_id: Uuid,
-    ) -> Result<Workspace, AppError> {
         sqlx::query_as::<_, Workspace>(
             "SELECT id, owner_id, name, description, avatar_url, visibility, plan, status, \
              default_role, is_personal, archived_at, created_at, updated_at, deleted_at \