bump go deps

Reviewed-on: https://gitea.com/gitea/tea/pulls/988
Co-authored-by: Renovate Bot <renovate-bot@gitea.com>
Co-committed-by: Renovate Bot <renovate-bot@gitea.com>

.gitea/workflows/test-pr.yml

@@ -12,13 +12,9 @@ jobs:
   #      uses: golang/govulncheck-action@v1
   #      with:
   #        go-version-file: 'go.mod'
-  check-and-test:
+  check-and-unit:
+    name: Lint Build And Unit Coverage
     runs-on: ubuntu-latest
-    env:
-      HTTP_PROXY: ""
-      GITEA_TEA_TEST_URL: "http://gitea:3000"
-      GITEA_TEA_TEST_USERNAME: "test01"
-      GITEA_TEA_TEST_PASSWORD: "test01"
     steps:
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
@@ -32,14 +28,30 @@ jobs:
           make fmt-check
           make docs-check
           make build
-      - run: curl --noproxy "*" http://gitea:3000/api/v1/version # verify connection to instance
-      - name: test and coverage
+      - name: unit test and coverage
         run: |
-          make test
           make unit-test-coverage
+
+  integration-test:
+    name: Integration Test
+    runs-on: ubuntu-latest
+    env:
+      HTTP_PROXY: ""
+      GITEA_TEA_TEST_URL: "http://gitea:3000"
+      GITEA_TEA_TEST_USERNAME: "test01"
+      GITEA_TEA_TEST_PASSWORD: "test01"
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: 'go.mod'
+      - run: curl --noproxy "*" http://gitea:3000/api/v1/version # verify connection to instance
+      - name: integration test
+        run: |
+          make integration-test
     services:
       gitea:
-        image: docker.gitea.com/gitea:1.25.5
+        image: docker.gitea.com/gitea:1.26.1
         cmd:
           - bash
           - -c

.gitignore

@@ -17,3 +17,5 @@ dist/
 .direnv/
 result
 result-*
+
+.DS_Store

Makefile

@@ -30,7 +30,10 @@ LDFLAGS := -X "code.gitea.io/tea/modules/version.Version=$(TEA_VERSION)" -X "cod
 # override to allow passing additional goflags via make CLI
 override GOFLAGS := $(GOFLAGS) -tags '$(TAGS)' -ldflags '$(LDFLAGS)'
 
-PACKAGES ?= $(shell $(GO) list ./...)
+PACKAGES ?= $(shell $(GO) list ./... | grep -v '^code.gitea.io/tea/tests')
+UNIT_PACKAGES ?= $(PACKAGES)
+INTEGRATION_PACKAGES ?= $(shell $(GO) list ./tests/... 2>/dev/null)
+INTEGRATION_TEST_TAGS ?= testtools
 SOURCES ?= $(shell find . -name "*.go" -type f)
 
 # OS specific vars.
@@ -64,11 +67,11 @@ vet:
 
 .PHONY: lint
 lint:
-	$(GO) run $(GOLANGCI_LINT_PACKAGE) run
+	$(GO) run $(GOLANGCI_LINT_PACKAGE) run --build-tags testtools
 
 .PHONY: lint-fix
 lint-fix:
-	$(GO) run $(GOLANGCI_LINT_PACKAGE) run --fix
+	$(GO) run $(GOLANGCI_LINT_PACKAGE) run --build-tags testtools --fix
 
 .PHONY: fmt-check
 fmt-check:
@@ -93,13 +96,24 @@ docs-check:
 		exit 1; \
 	fi;
 
+.PHONY: unit-test
+unit-test:
+	$(GO) test $(UNIT_PACKAGES)
+
+.PHONY: integration-test
+integration-test:
+	@if [ -n "$(INTEGRATION_PACKAGES)" ]; then \
+		$(GO) test -tags='$(INTEGRATION_TEST_TAGS)' $(INTEGRATION_PACKAGES); \
+	else \
+		echo "No integration test packages found"; \
+	fi
+
 .PHONY: test
-test:
-	$(GO) test -tags='sqlite sqlite_unlock_notify' $(PACKAGES)
+test: unit-test integration-test
 
 .PHONY: unit-test-coverage
 unit-test-coverage:
-	$(GO) test -tags='sqlite sqlite_unlock_notify' -cover -coverprofile coverage.out $(PACKAGES) && echo "\n==>\033[32m Ok\033[m\n" || exit 1
+	$(GO) test -cover -coverprofile coverage.out $(UNIT_PACKAGES) && echo "\n==>\033[32m Ok\033[m\n" || exit 1
 
 .PHONY: tidy
 tidy:
@@ -122,4 +136,3 @@ $(EXECUTABLE): $(SOURCES)
 .PHONY: build-image
 build-image:
 	docker build --build-arg VERSION=$(TEA_VERSION) -t gitea/tea:$(TEA_VERSION_TAG) .
-

cmd/admin.go

@@ -39,6 +39,9 @@ var cmdAdminUsers = cli.Command{
 	},
 	Commands: []*cli.Command{
 		&users.CmdUserList,
+		&users.CmdUserCreate,
+		&users.CmdUserEdit,
+		&users.CmdUserDelete,
 	},
 	Flags: users.CmdUserList.Flags,
 }

cmd/admin/users/create.go

@@ -0,0 +1,220 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package users
+
+import (
+	stdctx "context"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+	"syscall"
+
+	"code.gitea.io/tea/cmd/flags"
+	"code.gitea.io/tea/modules/context"
+	"code.gitea.io/tea/modules/print"
+
+	"code.gitea.io/sdk/gitea"
+	"github.com/urfave/cli/v3"
+	"golang.org/x/term"
+)
+
+// CmdUserCreate represents a sub command of users to create a user
+var CmdUserCreate = cli.Command{
+	Name:        "create",
+	Aliases:     []string{"add", "new"},
+	Usage:       "Create a new user",
+	Description: "Create a new user account",
+	ArgsUsage:   " ", // command does not accept arguments
+	Action:      RunUserCreate,
+	Flags: append([]cli.Flag{
+		&cli.StringFlag{
+			Name:     "username",
+			Aliases:  []string{"u"},
+			Usage:    "Username for the new user (required)",
+			Required: true,
+		},
+		&cli.StringFlag{
+			Name:    "password",
+			Aliases: []string{"p"},
+			Usage:   "Password for the new user (will prompt if not provided)",
+		},
+		&cli.StringFlag{
+			Name:  "password-file",
+			Usage: "Read password from file",
+		},
+		&cli.BoolFlag{
+			Name:  "password-stdin",
+			Usage: "Read password from stdin",
+		},
+		&cli.StringFlag{
+			Name:     "email",
+			Aliases:  []string{"e"},
+			Usage:    "Email address for the new user (required)",
+			Required: true,
+		},
+		&cli.StringFlag{
+			Name:  "full-name",
+			Usage: "Full name for the new user",
+		},
+		&cli.BoolFlag{
+			Name:  "admin",
+			Usage: "Make the user an administrator",
+		},
+		&cli.BoolFlag{
+			Name:  "restricted",
+			Usage: "Make the user restricted",
+		},
+		&cli.BoolFlag{
+			Name:  "prohibit-login",
+			Usage: "Prohibit the user from logging in",
+		},
+		&cli.BoolFlag{
+			Name:  "no-must-change-password",
+			Usage: "Don't require the user to change password on first login (default: password change required)",
+		},
+		&cli.StringFlag{
+			Name:  "visibility",
+			Usage: "Visibility of the user profile (public, limited, private)",
+			Value: "public",
+		},
+	}, flags.AllDefaultFlags...),
+}
+
+// RunUserCreate creates a new user
+func RunUserCreate(_ stdctx.Context, cmd *cli.Command) error {
+	ctx, err := context.InitCommand(cmd)
+	if err != nil {
+		return err
+	}
+
+	username := ctx.String("username")
+	password := ctx.String("password")
+	email := ctx.String("email")
+	fullName := ctx.String("full-name")
+	isAdmin := ctx.Bool("admin")
+	restricted := ctx.Bool("restricted")
+	prohibitLogin := ctx.Bool("prohibit-login")
+	noMustChangePassword := ctx.Bool("no-must-change-password")
+	visibility := ctx.String("visibility")
+
+	// Get password from various sources in priority order
+	if password == "" {
+		if ctx.String("password-file") != "" {
+			// Read from file
+			content, err := os.ReadFile(ctx.String("password-file"))
+			if err != nil {
+				return fmt.Errorf("failed to read password file: %w", err)
+			}
+			password = strings.TrimSpace(string(content))
+		} else if ctx.Bool("password-stdin") {
+			// Read from stdin
+			content, err := io.ReadAll(os.Stdin)
+			if err != nil {
+				return fmt.Errorf("failed to read password from stdin: %w", err)
+			}
+			password = strings.TrimSpace(string(content))
+		} else {
+			// Interactive prompt (hidden input)
+			fmt.Printf("Enter password for '%s': ", username)
+			bytePassword, err := term.ReadPassword(int(syscall.Stdin))
+			if err != nil {
+				return fmt.Errorf("failed to read password: %w", err)
+			}
+			fmt.Println() // Add newline after hidden input
+			password = string(bytePassword)
+
+			if password == "" {
+				return fmt.Errorf("password cannot be empty")
+			}
+
+			// Confirm password (only for interactive mode)
+			fmt.Printf("Confirm password for '%s': ", username)
+			bytePasswordConfirm, err := term.ReadPassword(int(syscall.Stdin))
+			if err != nil {
+				return fmt.Errorf("failed to read password confirmation: %w", err)
+			}
+			fmt.Println() // Add newline after hidden input
+			passwordConfirm := string(bytePasswordConfirm)
+
+			if password != passwordConfirm {
+				return fmt.Errorf("passwords do not match")
+			}
+		}
+	}
+
+	if password == "" {
+		return fmt.Errorf("password cannot be empty")
+	}
+
+	if email == "" {
+		return fmt.Errorf("email is required")
+	}
+
+	client := ctx.Login.Client()
+
+	// Build create options
+	createOpts := gitea.CreateUserOption{
+		LoginName:  username,
+		Username:   username,
+		Password:   password,
+		Email:      email,
+		FullName:   fullName,
+		SendNotify: false,
+	}
+
+	// Set must change password flag (pointer to bool required)
+	// By default, require user to change password on first login
+	// Only set to false if --no-must-change-password flag is explicitly set
+	mustChangePassword := !noMustChangePassword
+	createOpts.MustChangePassword = &mustChangePassword
+
+	vis, err := parseUserVisibility(visibility)
+	if err != nil {
+		return err
+	}
+	createOpts.Visibility = vis
+
+	// Create the user
+	user, _, err := client.AdminCreateUser(createOpts)
+	if err != nil {
+		return err
+	}
+
+	// Admin, Restricted, and ProhibitLogin cannot be set during user creation
+	// We need to update them via AdminEditUser after creation if any of these flags are set
+	if isAdmin || restricted || prohibitLogin {
+		editOpts := gitea.EditUserOption{
+			LoginName: username, // Required field
+		}
+
+		if isAdmin {
+			editOpts.Admin = &isAdmin
+		}
+
+		if restricted {
+			editOpts.Restricted = &restricted
+		}
+
+		if prohibitLogin {
+			editOpts.ProhibitLogin = &prohibitLogin
+		}
+
+		// Update user with admin/restricted/prohibit-login settings
+		_, err = client.AdminEditUser(username, editOpts)
+		if err != nil {
+			return fmt.Errorf("user created but failed to update admin/restricted/prohibit-login status: %w", err)
+		}
+
+		// Refresh user info to reflect the changes
+		user, _, err = client.GetUserInfo(username)
+		if err != nil {
+			return fmt.Errorf("user updated but failed to retrieve updated user info: %w", err)
+		}
+	}
+
+	print.UserDetails(user)
+
+	return nil
+}

cmd/admin/users/delete.go

@@ -0,0 +1,77 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package users
+
+import (
+	stdctx "context"
+	"fmt"
+
+	"code.gitea.io/tea/cmd/flags"
+	"code.gitea.io/tea/modules/context"
+
+	"github.com/urfave/cli/v3"
+)
+
+// CmdUserDelete represents a sub command of users to delete a user
+var CmdUserDelete = cli.Command{
+	Name:        "delete",
+	Aliases:     []string{"rm", "remove"},
+	Usage:       "Delete a user",
+	Description: "Delete a user account",
+	ArgsUsage:   "<username>",
+	Action:      RunUserDelete,
+	Flags: append([]cli.Flag{
+		&cli.BoolFlag{
+			Name:    "confirm",
+			Aliases: []string{"y"},
+			Usage:   "confirm deletion without prompting",
+		},
+	}, flags.AllDefaultFlags...),
+}
+
+// RunUserDelete deletes a user
+func RunUserDelete(_ stdctx.Context, cmd *cli.Command) error {
+	ctx, err := context.InitCommand(cmd)
+	if err != nil {
+		return err
+	}
+
+	if ctx.Args().Len() == 0 {
+		return fmt.Errorf("username is required")
+	}
+
+	client := ctx.Login.Client()
+	username := ctx.Args().First()
+
+	// Get user details first to show what we're deleting
+	user, _, err := client.GetUserInfo(username)
+	if err != nil {
+		return fmt.Errorf("failed to get user info: %w", err)
+	}
+
+	if !ctx.Bool("confirm") {
+		userInfo := fmt.Sprintf("%s (ID: %d)", user.UserName, user.ID)
+		if user.Email != "" {
+			userInfo += fmt.Sprintf(" - %s", user.Email)
+		}
+		if user.IsAdmin {
+			userInfo += " [admin]"
+		}
+		fmt.Printf("Are you sure you want to delete user %s? [y/N] ", userInfo)
+		var response string
+		fmt.Scanln(&response)
+		if !isConfirmationAccepted(response) {
+			fmt.Println("Deletion canceled.")
+			return nil
+		}
+	}
+
+	_, err = client.AdminDeleteUser(username)
+	if err != nil {
+		return fmt.Errorf("failed to delete user: %w", err)
+	}
+
+	fmt.Printf("User '%s' deleted successfully\n", username)
+	return nil
+}

cmd/admin/users/edit.go

@@ -0,0 +1,374 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package users
+
+import (
+	stdctx "context"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+	"syscall"
+
+	"code.gitea.io/tea/cmd/flags"
+	"code.gitea.io/tea/modules/context"
+	"code.gitea.io/tea/modules/print"
+
+	"code.gitea.io/sdk/gitea"
+	"github.com/urfave/cli/v3"
+	"golang.org/x/term"
+)
+
+// CmdUserEdit represents a sub command of users to edit a user
+var CmdUserEdit = cli.Command{
+	Name:        "edit",
+	Aliases:     []string{"update", "e", "u"},
+	Usage:       "Edit a user",
+	Description: "Edit user account properties",
+	ArgsUsage:   "<username>",
+	Action:      RunUserEdit,
+	Flags: append([]cli.Flag{
+		&cli.StringFlag{
+			Name:  "password",
+			Usage: "New password (use empty value --password=\"\" to trigger interactive prompt)",
+			Value: "",
+		},
+		&cli.StringFlag{
+			Name:  "password-file",
+			Usage: "Read password from file",
+		},
+		&cli.BoolFlag{
+			Name:  "password-stdin",
+			Usage: "Read password from stdin",
+		},
+		&cli.StringFlag{
+			Name:    "email",
+			Aliases: []string{"e"},
+			Usage:   "Email address",
+		},
+		&cli.StringFlag{
+			Name:  "full-name",
+			Usage: "Full name",
+		},
+		&cli.StringFlag{
+			Name:  "description",
+			Usage: "User description",
+		},
+		&cli.StringFlag{
+			Name:  "website",
+			Usage: "Website URL",
+		},
+		&cli.StringFlag{
+			Name:  "location",
+			Usage: "Location",
+		},
+		&cli.BoolFlag{
+			Name:  "admin",
+			Usage: "Make the user an administrator",
+		},
+		&cli.BoolFlag{
+			Name:  "no-admin",
+			Usage: "Remove administrator status",
+		},
+		&cli.BoolFlag{
+			Name:  "restricted",
+			Usage: "Make the user restricted",
+		},
+		&cli.BoolFlag{
+			Name:  "no-restricted",
+			Usage: "Remove restricted status",
+		},
+		&cli.BoolFlag{
+			Name:  "prohibit-login",
+			Usage: "Prohibit the user from logging in",
+		},
+		&cli.BoolFlag{
+			Name:  "allow-login",
+			Usage: "Allow the user to log in",
+		},
+		&cli.BoolFlag{
+			Name:  "active",
+			Usage: "Activate the user",
+		},
+		&cli.BoolFlag{
+			Name:  "inactive",
+			Usage: "Deactivate the user",
+		},
+		&cli.BoolFlag{
+			Name:  "no-must-change-password",
+			Usage: "Don't require the user to change password on next login (default: password change required)",
+		},
+		&cli.StringFlag{
+			Name:  "visibility",
+			Usage: "Visibility of the user profile (public, limited, private)",
+		},
+		&cli.IntFlag{
+			Name:  "max-repo-creation",
+			Usage: "Maximum number of repositories the user can create (-1 for unlimited)",
+		},
+		&cli.BoolFlag{
+			Name:  "allow-git-hook",
+			Usage: "Allow the user to use git hooks",
+		},
+		&cli.BoolFlag{
+			Name:  "no-allow-git-hook",
+			Usage: "Disallow the user from using git hooks",
+		},
+		&cli.BoolFlag{
+			Name:  "allow-import-local",
+			Usage: "Allow the user to import local repositories",
+		},
+		&cli.BoolFlag{
+			Name:  "no-allow-import-local",
+			Usage: "Disallow the user from importing local repositories",
+		},
+		&cli.BoolFlag{
+			Name:  "allow-create-organization",
+			Usage: "Allow the user to create organizations",
+		},
+		&cli.BoolFlag{
+			Name:  "no-allow-create-organization",
+			Usage: "Disallow the user from creating organizations",
+		},
+	}, flags.AllDefaultFlags...),
+}
+
+// RunUserEdit edits an existing user
+func RunUserEdit(_ stdctx.Context, cmd *cli.Command) error {
+	ctx, err := context.InitCommand(cmd)
+	if err != nil {
+		return err
+	}
+
+	if ctx.Args().Len() == 0 {
+		return fmt.Errorf("username is required")
+	}
+
+	client := ctx.Login.Client()
+	username := ctx.Args().First()
+
+	// Verify the user exists before attempting an update.
+	_, _, err = client.GetUserInfo(username)
+	if err != nil {
+		return fmt.Errorf("failed to get user info: %w", err)
+	}
+
+	// Build edit options, starting with required LoginName
+	editOpts := gitea.EditUserOption{
+		LoginName: username,
+	}
+
+	// Update email if set
+	if ctx.IsSet("email") {
+		email := ctx.String("email")
+		editOpts.Email = &email
+	}
+
+	// Update full name if set
+	if ctx.IsSet("full-name") {
+		fullName := ctx.String("full-name")
+		editOpts.FullName = &fullName
+	}
+
+	// Update description if set
+	if ctx.IsSet("description") {
+		description := ctx.String("description")
+		editOpts.Description = &description
+	}
+
+	// Update website if set
+	if ctx.IsSet("website") {
+		website := ctx.String("website")
+		editOpts.Website = &website
+	}
+
+	// Update location if set
+	if ctx.IsSet("location") {
+		location := ctx.String("location")
+		editOpts.Location = &location
+	}
+
+	// Handle admin status
+	if ctx.IsSet("admin") {
+		admin := ctx.Bool("admin")
+		editOpts.Admin = &admin
+	} else if ctx.IsSet("no-admin") {
+		admin := false
+		editOpts.Admin = &admin
+	}
+
+	// Handle restricted status
+	if ctx.IsSet("restricted") {
+		restricted := ctx.Bool("restricted")
+		editOpts.Restricted = &restricted
+	} else if ctx.IsSet("no-restricted") {
+		restricted := false
+		editOpts.Restricted = &restricted
+	}
+
+	// Handle prohibit login status
+	if ctx.IsSet("prohibit-login") {
+		prohibitLogin := ctx.Bool("prohibit-login")
+		editOpts.ProhibitLogin = &prohibitLogin
+	} else if ctx.IsSet("allow-login") {
+		prohibitLogin := false
+		editOpts.ProhibitLogin = &prohibitLogin
+	}
+
+	// Handle active status
+	if ctx.IsSet("active") {
+		active := ctx.Bool("active")
+		editOpts.Active = &active
+	} else if ctx.IsSet("inactive") {
+		active := false
+		editOpts.Active = &active
+	}
+
+	// Handle must change password - will be set when password is changed unless flag is set
+
+	// Handle visibility
+	if ctx.IsSet("visibility") {
+		vis, err := parseUserVisibility(ctx.String("visibility"))
+		if err != nil {
+			return err
+		}
+		editOpts.Visibility = vis
+	}
+
+	// Handle max repo creation
+	if ctx.IsSet("max-repo-creation") {
+		maxRepoCreation := ctx.Int("max-repo-creation")
+		editOpts.MaxRepoCreation = &maxRepoCreation
+	}
+
+	// Handle allow git hook
+	if ctx.IsSet("allow-git-hook") {
+		allowGitHook := ctx.Bool("allow-git-hook")
+		editOpts.AllowGitHook = &allowGitHook
+	} else if ctx.IsSet("no-allow-git-hook") {
+		allowGitHook := false
+		editOpts.AllowGitHook = &allowGitHook
+	}
+
+	// Handle allow import local
+	if ctx.IsSet("allow-import-local") {
+		allowImportLocal := ctx.Bool("allow-import-local")
+		editOpts.AllowImportLocal = &allowImportLocal
+	} else if ctx.IsSet("no-allow-import-local") {
+		allowImportLocal := false
+		editOpts.AllowImportLocal = &allowImportLocal
+	}
+
+	// Handle allow create organization
+	if ctx.IsSet("allow-create-organization") {
+		allowCreateOrg := ctx.Bool("allow-create-organization")
+		editOpts.AllowCreateOrganization = &allowCreateOrg
+	} else if ctx.IsSet("no-allow-create-organization") {
+		allowCreateOrg := false
+		editOpts.AllowCreateOrganization = &allowCreateOrg
+	}
+
+	// Handle password if any password flag is set or if password flag was provided (even without value)
+	shouldChangePassword := ctx.IsSet("password") || ctx.IsSet("password-file") || ctx.Bool("password-stdin")
+	if shouldChangePassword {
+		password := ctx.String("password")
+
+		// Get password from various sources in priority order
+		if password == "" {
+			if ctx.IsSet("password-file") && ctx.String("password-file") != "" {
+				// Read from file
+				content, err := os.ReadFile(ctx.String("password-file"))
+				if err != nil {
+					return fmt.Errorf("failed to read password file: %w", err)
+				}
+				password = strings.TrimSpace(string(content))
+			} else if ctx.Bool("password-stdin") {
+				// Read from stdin
+				content, err := io.ReadAll(os.Stdin)
+				if err != nil {
+					return fmt.Errorf("failed to read password from stdin: %w", err)
+				}
+				password = strings.TrimSpace(string(content))
+			} else {
+				// Interactive prompt (hidden input) - triggered when --password is used without value
+				fmt.Printf("Enter new password for '%s': ", username)
+				bytePassword, err := term.ReadPassword(int(syscall.Stdin))
+				if err != nil {
+					return fmt.Errorf("failed to read password: %w", err)
+				}
+				fmt.Println() // Add newline after hidden input
+				password = string(bytePassword)
+
+				if password == "" {
+					return fmt.Errorf("password cannot be empty")
+				}
+
+				// Confirm password (only for interactive mode)
+				fmt.Printf("Confirm new password for '%s': ", username)
+				bytePasswordConfirm, err := term.ReadPassword(int(syscall.Stdin))
+				if err != nil {
+					return fmt.Errorf("failed to read password confirmation: %w", err)
+				}
+				fmt.Println() // Add newline after hidden input
+				passwordConfirm := string(bytePasswordConfirm)
+
+				if password != passwordConfirm {
+					return fmt.Errorf("passwords do not match")
+				}
+			}
+		}
+
+		if password == "" {
+			return fmt.Errorf("password cannot be empty")
+		}
+
+		editOpts.Password = password
+
+		// When password is changed, require user to change password on next login by default
+		// Only set to false if --no-must-change-password flag is explicitly set
+		if !ctx.IsSet("no-must-change-password") {
+			mustChangePassword := true
+			editOpts.MustChangePassword = &mustChangePassword
+		} else {
+			mustChangePassword := false
+			editOpts.MustChangePassword = &mustChangePassword
+		}
+	}
+
+	// Only proceed with update if at least one field is being modified
+	hasChanges := editOpts.Email != nil ||
+		editOpts.FullName != nil ||
+		editOpts.Description != nil ||
+		editOpts.Website != nil ||
+		editOpts.Location != nil ||
+		editOpts.Admin != nil ||
+		editOpts.Restricted != nil ||
+		editOpts.ProhibitLogin != nil ||
+		editOpts.Active != nil ||
+		editOpts.Visibility != nil ||
+		editOpts.MaxRepoCreation != nil ||
+		editOpts.AllowGitHook != nil ||
+		editOpts.AllowImportLocal != nil ||
+		editOpts.AllowCreateOrganization != nil ||
+		editOpts.Password != ""
+
+	if !hasChanges {
+		return fmt.Errorf("no changes specified")
+	}
+
+	// Update the user
+	_, err = client.AdminEditUser(username, editOpts)
+	if err != nil {
+		return fmt.Errorf("failed to update user: %w", err)
+	}
+
+	// Refresh user info to reflect the changes
+	updatedUser, _, err := client.GetUserInfo(username)
+	if err != nil {
+		return fmt.Errorf("user updated but failed to retrieve updated user info: %w", err)
+	}
+
+	print.UserDetails(updatedUser)
+	return nil
+}

cmd/admin/users/shared.go

@@ -0,0 +1,32 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package users
+
+import (
+	"fmt"
+	"strings"
+
+	"code.gitea.io/sdk/gitea"
+)
+
+func parseUserVisibility(visibility string) (*gitea.VisibleType, error) {
+	switch visibility {
+	case "public":
+		vis := gitea.VisibleTypePublic
+		return &vis, nil
+	case "limited":
+		vis := gitea.VisibleTypeLimited
+		return &vis, nil
+	case "private":
+		vis := gitea.VisibleTypePrivate
+		return &vis, nil
+	default:
+		return nil, fmt.Errorf("invalid visibility: %s (must be public, limited, or private)", visibility)
+	}
+}
+
+func isConfirmationAccepted(response string) bool {
+	trimmed := strings.TrimSpace(response)
+	return strings.EqualFold(trimmed, "y") || strings.EqualFold(trimmed, "yes")
+}

cmd/attachments/delete.go

@@ -61,12 +61,20 @@ func runReleaseAttachmentDelete(_ stdctx.Context, cmd *cli.Command) error {
 		return err
 	}
 
-	existing, _, err := client.ListReleaseAttachments(ctx.Owner, ctx.Repo, release.ID, gitea.ListReleaseAttachmentsOptions{
-		ListOptions: gitea.ListOptions{Page: -1},
+	var existing []*gitea.Attachment
+	for page := 1; ; {
+		page_attachments, resp, err := client.ListReleaseAttachments(ctx.Owner, ctx.Repo, release.ID, gitea.ListReleaseAttachmentsOptions{
+			ListOptions: gitea.ListOptions{Page: page, PageSize: 50},
 		})
 		if err != nil {
 			return err
 		}
+		existing = append(existing, page_attachments...)
+		if resp == nil || resp.NextPage == 0 {
+			break
+		}
+		page = resp.NextPage
+	}
 
 	for _, name := range ctx.Args().Slice()[1:] {
 		var attachment *gitea.Attachment

cmd/cmd.go

@@ -45,6 +45,8 @@ func App() *cli.Command {
 			&CmdNotifications,
 			&CmdRepoClone,
 
+			&CmdSSHKeys,
+
 			&CmdAdmin,
 
 			&CmdApi,

cmd/issues/list.go

@@ -5,6 +5,7 @@ package issues
 
 import (
 	stdctx "context"
+	"errors"
 	"time"
 
 	"code.gitea.io/tea/cmd/flags"
@@ -77,7 +78,7 @@ func RunIssuesList(_ stdctx.Context, cmd *cli.Command) error {
 			Type:        kind,
 			KeyWord:     ctx.String("keyword"),
 			CreatedBy:   ctx.String("author"),
-			AssignedBy:  ctx.String("assigned-to"),
+			AssignedBy:  ctx.String("assignee"),
 			MentionedBy: ctx.String("mentions"),
 			Labels:      labels,
 			Milestones:  milestones,
@@ -88,13 +89,15 @@ func RunIssuesList(_ stdctx.Context, cmd *cli.Command) error {
 			return err
 		}
 	} else {
+		if ctx.IsSet("assignee") {
+			return errors.New("--assignee requires --repo (global issue search does not support assignee filter)")
+		}
 		issues, _, err = ctx.Login.Client().ListIssues(gitea.ListIssueOption{
 			ListOptions: flags.GetListOptions(cmd),
 			State:       state,
 			Type:        kind,
 			KeyWord:     ctx.String("keyword"),
 			CreatedBy:   ctx.String("author"),
-			AssignedBy:  ctx.String("assigned-to"),
 			MentionedBy: ctx.String("mentions"),
 			Labels:      labels,
 			Milestones:  milestones,

cmd/login/edit.go

@@ -5,11 +5,13 @@ package login
 
 import (
 	"context"
+	"fmt"
 	"os"
 	"os/exec"
 
 	"code.gitea.io/tea/cmd/flags"
 	"code.gitea.io/tea/modules/config"
+	"code.gitea.io/tea/modules/utils"
 
 	"github.com/skratchdot/open-golang/open"
 	"github.com/urfave/cli/v3"
@@ -27,14 +29,17 @@ var CmdLoginEdit = cli.Command{
 }
 
 func runLoginEdit(_ context.Context, _ *cli.Command) error {
+	ymlPath := config.GetConfigPath()
 	if e, ok := os.LookupEnv("EDITOR"); ok && e != "" {
-		cmd := exec.Command(e, config.GetConfigPath())
+		cmd := exec.Command(e, ymlPath)
 		cmd.Stdin = os.Stdin
 		cmd.Stdout = os.Stdout
 		cmd.Stderr = os.Stderr
-		if err := cmd.Run(); err != nil {
-			return err
+		return cmd.Run()
 	}
+	if exist, _ := utils.FileExist(ymlPath); !exist {
+		fmt.Printf("Config file does not exist, please run login add first\n")
+		return nil
 	}
-	return open.Start(config.GetConfigPath())
+	return open.Start(ymlPath)
 }

cmd/man.go

@@ -29,7 +29,9 @@ var CmdGenerateManPage = cli.Command{
 	Hidden: true,
 	Flags:  DocRenderFlags,
 	Action: func(ctx context.Context, cmd *cli.Command) error {
-		return RenderDocs(cmd, cmd.Root(), docs.ToMan)
+		return RenderDocs(cmd, cmd.Root(), func(cmd *cli.Command) (string, error) {
+			return docs.ToManWithSection(cmd, 1)
+		})
 	},
 }
 

cmd/organizations/create.go

@@ -4,14 +4,14 @@
 package organizations
 
 import (
-	"fmt"
-
 	stdctx "context"
+	"fmt"
 
 	"code.gitea.io/sdk/gitea"
 	"code.gitea.io/tea/cmd/flags"
 	"code.gitea.io/tea/modules/context"
 	"code.gitea.io/tea/modules/print"
+
 	"github.com/urfave/cli/v3"
 )
 
@@ -25,7 +25,7 @@ var CmdOrganizationCreate = cli.Command{
 	ArgsUsage:   "<organization name>",
 	Flags: []cli.Flag{
 		&cli.StringFlag{
-			Name:    "name",
+			Name:    "full-name",
 			Aliases: []string{"n"},
 		},
 		&cli.StringFlag{
@@ -76,7 +76,7 @@ func RunOrganizationCreate(_ stdctx.Context, cmd *cli.Command) error {
 
 	org, _, err := ctx.Login.Client().CreateOrg(gitea.CreateOrgOption{
 		Name:                      ctx.Args().First(),
-		// FullName: , // not really meaningful for orgs (not displayed in webui, use description instead?)
+		FullName:                  ctx.String("full-name"),
 		Description:               ctx.String("description"),
 		Website:                   ctx.String("website"),
 		Location:                  ctx.String("location"),

cmd/pulls.go

@@ -109,11 +109,20 @@ func runPullDetail(_ stdctx.Context, cmd *cli.Command, index string) error {
 		return err
 	}
 
-	reviews, _, err := client.ListPullReviews(ctx.Owner, ctx.Repo, idx, gitea.ListPullReviewsOptions{
-		ListOptions: gitea.ListOptions{Page: -1},
+	var reviews []*gitea.PullReview
+	for page := 1; ; {
+		page_reviews, resp, err := client.ListPullReviews(ctx.Owner, ctx.Repo, idx, gitea.ListPullReviewsOptions{
+			ListOptions: gitea.ListOptions{Page: page, PageSize: 50},
 		})
 		if err != nil {
 			fmt.Printf("error while loading reviews: %v\n", err)
+			break
+		}
+		reviews = append(reviews, page_reviews...)
+		if resp == nil || resp.NextPage == 0 {
+			break
+		}
+		page = resp.NextPage
 	}
 
 	if ctx.IsSet("output") {

cmd/pulls/review.go

@@ -6,10 +6,12 @@ package pulls
 import (
 	stdctx "context"
 	"fmt"
+	"os"
 
 	"code.gitea.io/tea/cmd/flags"
 	"code.gitea.io/tea/modules/context"
 	"code.gitea.io/tea/modules/interact"
+	"code.gitea.io/tea/modules/print"
 	"code.gitea.io/tea/modules/utils"
 
 	"github.com/urfave/cli/v3"
@@ -30,11 +32,18 @@ var CmdPullsReview = cli.Command{
 			return err
 		}
 
-		if ctx.Args().Len() != 1 {
-			return fmt.Errorf("must specify a PR index")
+		if !ctx.Args().Present() {
+			return fmt.Errorf("must specify at least one PR index")
 		}
 
-		idx, err := utils.ArgToIndex(ctx.Args().First())
+		// This command is intentionally interactive. Fail early in CI / non-TTY
+		// contexts rather than hanging on prompts.
+		if os.Getenv("CI") != "" || !print.IsInteractive() || interact.IsStdinPiped() {
+			return fmt.Errorf("pull review requires an interactive terminal")
+		}
+
+		for _, arg := range ctx.Args().Slice() {
+			idx, err := utils.ArgToIndex(arg)
 			if err != nil {
 				return err
 			}
@@ -42,6 +51,8 @@ var CmdPullsReview = cli.Command{
 			if err := interact.ReviewPull(ctx, idx); err != nil && !interact.IsQuitting(err) {
 				return err
 			}
+		}
+
 		return nil
 	},
 	Flags: flags.AllDefaultFlags,

cmd/pulls/review_test.go

@@ -0,0 +1,62 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package pulls
+
+import (
+	"context"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestReview(t *testing.T) {
+	if os.Getenv("GITEA_TEA_TEST_URL") == "" {
+		t.Skip("GITEA_TEA_TEST_URL is not set, skipping test")
+	}
+
+	tests := []struct {
+		name        string
+		args        []string
+		wantErr     bool
+		errContains string
+	}{
+		{
+			name:        "no arguments",
+			args:        []string{},
+			wantErr:     true,
+			errContains: "must specify at least one PR index",
+		},
+		{
+			name:    "one argument",
+			args:    []string{"1"},
+			wantErr: false,
+		},
+		{
+			name:    "two arguments",
+			args:    []string{"1", "2"},
+			wantErr: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := CmdPullsReview
+			args := append(tt.args, "--repo", "user/repo")
+			err := cmd.Run(context.Background(), args)
+			if tt.wantErr {
+				assert.Error(t, err)
+				if tt.errContains != "" {
+					assert.Contains(t, err.Error(), tt.errContains)
+				}
+				return
+			}
+			// Don't assert no error, because we expect an error about the missing
+			// remote. Just assert that the error is not the one we're looking for.
+			if err != nil {
+				assert.NotContains(t, err.Error(), "must specify at least one PR index")
+			}
+		})
+	}
+}

cmd/releases/utils.go

@@ -11,13 +11,14 @@ import (
 
 // GetReleaseByTag finds a release by its tag name.
 func GetReleaseByTag(owner, repo, tag string, client *gitea.Client) (*gitea.Release, error) {
-	rl, _, err := client.ListReleases(owner, repo, gitea.ListReleasesOptions{
-		ListOptions: gitea.ListOptions{Page: -1},
+	for page := 1; ; {
+		rl, resp, err := client.ListReleases(owner, repo, gitea.ListReleasesOptions{
+			ListOptions: gitea.ListOptions{Page: page, PageSize: 50},
 		})
 		if err != nil {
 			return nil, err
 		}
-	if len(rl) == 0 {
+		if page == 1 && len(rl) == 0 {
 			return nil, fmt.Errorf("repo does not have any release")
 		}
 		for _, r := range rl {
@@ -25,5 +26,10 @@ func GetReleaseByTag(owner, repo, tag string, client *gitea.Client) (*gitea.Rele
 				return r, nil
 			}
 		}
+		if resp == nil || resp.NextPage == 0 {
+			break
+		}
+		page = resp.NextPage
+	}
 	return nil, fmt.Errorf("release tag does not exist")
 }

cmd/repos.go

@@ -15,13 +15,13 @@ import (
 	"github.com/urfave/cli/v3"
 )
 
-// CmdRepos represents to login a gitea server.
+// CmdRepos represents the command to manage repositories.
 var CmdRepos = cli.Command{
 	Name:        "repos",
 	Aliases:     []string{"repo"},
 	Category:    catEntities,
-	Usage:       "Show repository details",
-	Description: "Show repository details",
+	Usage:       "Manage repositories",
+	Description: "Manage repositories",
 	ArgsUsage:   "[<repo owner>/<repo name>]",
 	Action:      runRepos,
 	Commands: []*cli.Command{

cmd/sshkeys.go

@@ -0,0 +1,32 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package cmd
+
+import (
+	stdctx "context"
+
+	"code.gitea.io/tea/cmd/sshkeys"
+	"github.com/urfave/cli/v3"
+)
+
+// CmdSSHKeys represents the ssh-keys command group
+var CmdSSHKeys = cli.Command{
+	Name:        "ssh-keys",
+	Aliases:     []string{"ssh-key"},
+	Category:    catSetup,
+	Usage:       "Manage SSH public keys",
+	Description: "List, add, or delete SSH public keys on the current user's account",
+	ArgsUsage:   " ",
+	Action:      runSSHKeys,
+	Commands: []*cli.Command{
+		&sshkeys.CmdSSHKeyList,
+		&sshkeys.CmdSSHKeyAdd,
+		&sshkeys.CmdSSHKeyDelete,
+	},
+	Flags: sshkeys.CmdSSHKeyList.Flags,
+}
+
+func runSSHKeys(ctx stdctx.Context, cmd *cli.Command) error {
+	return sshkeys.RunSSHKeyList(ctx, cmd)
+}

cmd/sshkeys/add.go

@@ -0,0 +1,74 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package sshkeys
+
+import (
+	stdctx "context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"code.gitea.io/sdk/gitea"
+	"code.gitea.io/tea/cmd/flags"
+	"code.gitea.io/tea/modules/context"
+
+	"github.com/urfave/cli/v3"
+)
+
+// CmdSSHKeyAdd represents a sub command of ssh-keys to add an SSH public key
+var CmdSSHKeyAdd = cli.Command{
+	Name:        "add",
+	Usage:       "Add an SSH public key",
+	Description: "Add an SSH public key to the current user's profile",
+	ArgsUsage:   "<key-file>",
+	Action:      RunSSHKeyAdd,
+	Flags: append([]cli.Flag{
+		&cli.StringFlag{
+			Name:    "title",
+			Aliases: []string{"t"},
+			Usage:   "Title for the key (defaults to the filename without extension)",
+		},
+	}, flags.LoginOutputFlags...),
+}
+
+// RunSSHKeyAdd reads a public key file and registers it with the Gitea instance
+func RunSSHKeyAdd(_ stdctx.Context, cmd *cli.Command) error {
+	ctx, err := context.InitCommand(cmd)
+	if err != nil {
+		return err
+	}
+
+	if ctx.Args().Len() < 1 {
+		return fmt.Errorf("key file path is required")
+	}
+
+	keyFile := ctx.Args().First()
+	keyBytes, err := os.ReadFile(keyFile)
+	if err != nil {
+		return fmt.Errorf("could not read key file '%s': %w", keyFile, err)
+	}
+
+	keyContent := strings.TrimSpace(string(keyBytes))
+	if keyContent == "" {
+		return fmt.Errorf("key file '%s' is empty", keyFile)
+	}
+
+	title := ctx.String("title")
+	if title == "" {
+		base := filepath.Base(keyFile)
+		title = strings.TrimSuffix(base, filepath.Ext(base))
+	}
+
+	key, _, err := ctx.Login.Client().CreatePublicKey(gitea.CreateKeyOption{
+		Title: title,
+		Key:   keyContent,
+	})
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("Key '%s' (id: %d) added successfully.\n", key.Title, key.ID)
+	return nil
+}

cmd/sshkeys/add_test.go

@@ -0,0 +1,33 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package sshkeys
+
+import (
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestKeyTitleFromFilename(t *testing.T) {
+	cases := []struct {
+		input    string
+		expected string
+	}{
+		{"id_ed25519.pub", "id_ed25519"},
+		{"id_rsa.pub", "id_rsa"},
+		{"/home/user/.ssh/id_ed25519.pub", "id_ed25519"},
+		{"mykey", "mykey"}, // no extension
+		{"my.key.pub", "my.key"},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.input, func(t *testing.T) {
+			base := filepath.Base(tc.input)
+			title := strings.TrimSuffix(base, filepath.Ext(base))
+			assert.Equal(t, tc.expected, title)
+		})
+	}
+}

cmd/sshkeys/delete.go

@@ -0,0 +1,76 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package sshkeys
+
+import (
+	stdctx "context"
+	"fmt"
+	"strconv"
+
+	"code.gitea.io/tea/cmd/flags"
+	"code.gitea.io/tea/modules/context"
+
+	"github.com/urfave/cli/v3"
+)
+
+// CmdSSHKeyDelete represents a sub command of ssh-keys to delete an SSH key by ID
+var CmdSSHKeyDelete = cli.Command{
+	Name:        "delete",
+	Aliases:     []string{"rm"},
+	Usage:       "Delete an SSH key",
+	Description: "Delete an SSH key from the current user's profile by its numeric ID",
+	ArgsUsage:   "<key-id>",
+	Action:      RunSSHKeyDelete,
+	Flags: append([]cli.Flag{
+		&cli.BoolFlag{
+			Name:    "confirm",
+			Aliases: []string{"y"},
+			Usage:   "Confirm deletion (required)",
+		},
+	}, flags.LoginOutputFlags...),
+}
+
+// RunSSHKeyDelete removes an SSH key by its numeric ID
+func RunSSHKeyDelete(_ stdctx.Context, cmd *cli.Command) error {
+	ctx, err := context.InitCommand(cmd)
+	if err != nil {
+		return err
+	}
+
+	if ctx.Args().Len() < 1 {
+		return fmt.Errorf("key ID is required")
+	}
+
+	keyID, err := strconv.ParseInt(ctx.Args().First(), 10, 64)
+	if err != nil {
+		return fmt.Errorf("invalid key ID '%s': must be a number", ctx.Args().First())
+	}
+
+	client := ctx.Login.Client()
+
+	key, resp, err := client.GetPublicKey(keyID)
+	if err != nil {
+		if resp != nil && resp.StatusCode == 404 {
+			return fmt.Errorf("SSH key with ID %d not found", keyID)
+		}
+		return err
+	}
+
+	if !ctx.Bool("confirm") {
+		fmt.Printf("Are you sure you want to delete SSH key '%s' (id: %d)? [y/N] ", key.Title, keyID)
+		var response string
+		fmt.Scanln(&response)
+		if response != "y" && response != "Y" && response != "yes" {
+			fmt.Println("Deletion canceled.")
+			return nil
+		}
+	}
+
+	if _, err = client.DeletePublicKey(keyID); err != nil {
+		return err
+	}
+
+	fmt.Printf("SSH key '%s' deleted successfully\n", key.Title)
+	return nil
+}

cmd/sshkeys/list.go

@@ -0,0 +1,47 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package sshkeys
+
+import (
+	stdctx "context"
+
+	"code.gitea.io/sdk/gitea"
+	"code.gitea.io/tea/cmd/flags"
+	"code.gitea.io/tea/modules/context"
+	"code.gitea.io/tea/modules/print"
+
+	"github.com/urfave/cli/v3"
+)
+
+// CmdSSHKeyList represents a sub command of ssh-keys to list the current user's SSH keys
+var CmdSSHKeyList = cli.Command{
+	Name:        "list",
+	Aliases:     []string{"ls"},
+	Usage:       "List SSH keys",
+	Description: "List the SSH keys registered for the current user",
+	ArgsUsage:   " ", // command does not accept arguments
+	Action:      RunSSHKeyList,
+	Flags: append([]cli.Flag{
+		&flags.PaginationPageFlag,
+		&flags.PaginationLimitFlag,
+	}, flags.LoginOutputFlags...),
+}
+
+// RunSSHKeyList lists SSH keys for the current user
+func RunSSHKeyList(_ stdctx.Context, cmd *cli.Command) error {
+	ctx, err := context.InitCommand(cmd)
+	if err != nil {
+		return err
+	}
+	client := ctx.Login.Client()
+
+	keys, _, err := client.ListMyPublicKeys(gitea.ListPublicKeysOptions{
+		ListOptions: flags.GetListOptions(cmd),
+	})
+	if err != nil {
+		return err
+	}
+
+	return print.SSHKeysList(keys, ctx.Output)
+}

cmd/webhooks/create.go

@@ -89,14 +89,6 @@ func runWebhooksCreate(ctx stdctx.Context, cmd *cli.Command) error {
 		config["secret"] = secret
 	}
 
-	if branchFilter != "" {
-		config["branch_filter"] = branchFilter
-	}
-
-	if authHeader != "" {
-		config["authorization_header"] = authHeader
-	}
-
 	var hook *gitea.Hook
 	if c.IsGlobal {
 		return fmt.Errorf("global webhooks not yet supported in this version")
@@ -106,6 +98,8 @@ func runWebhooksCreate(ctx stdctx.Context, cmd *cli.Command) error {
 			Config:              config,
 			Events:              events,
 			Active:              active,
+			BranchFilter:        branchFilter,
+			AuthorizationHeader: authHeader,
 		})
 	} else {
 		hook, _, err = client.CreateRepoHook(c.Owner, c.Repo, gitea.CreateHookOption{
@@ -113,6 +107,8 @@ func runWebhooksCreate(ctx stdctx.Context, cmd *cli.Command) error {
 			Config:              config,
 			Events:              events,
 			Active:              active,
+			BranchFilter:        branchFilter,
+			AuthorizationHeader: authHeader,
 		})
 	}
 	if err != nil {

cmd/webhooks/create_test.go

@@ -79,8 +79,6 @@ func TestWebhookConfigConstruction(t *testing.T) {
 		name           string
 		url            string
 		secret         string
-		branchFilter   string
-		authHeader     string
 		expectedKeys   []string
 		expectedValues map[string]string
 	}{
@@ -106,44 +104,16 @@ func TestWebhookConfigConstruction(t *testing.T) {
 				"secret":       "my-secret",
 			},
 		},
-		{
-			name:         "Config with branch filter",
-			url:          "https://example.com/webhook",
-			branchFilter: "main,develop",
-			expectedKeys: []string{"url", "http_method", "content_type", "branch_filter"},
-			expectedValues: map[string]string{
-				"url":           "https://example.com/webhook",
-				"http_method":   "post",
-				"content_type":  "json",
-				"branch_filter": "main,develop",
-			},
-		},
-		{
-			name:         "Config with auth header",
-			url:          "https://example.com/webhook",
-			authHeader:   "Bearer token123",
-			expectedKeys: []string{"url", "http_method", "content_type", "authorization_header"},
-			expectedValues: map[string]string{
-				"url":                  "https://example.com/webhook",
-				"http_method":          "post",
-				"content_type":         "json",
-				"authorization_header": "Bearer token123",
-			},
-		},
 		{
 			name:         "Complete config",
 			url:          "https://example.com/webhook",
 			secret:       "secret123",
-			branchFilter: "main",
-			authHeader:   "X-Token: abc",
-			expectedKeys: []string{"url", "http_method", "content_type", "secret", "branch_filter", "authorization_header"},
+			expectedKeys: []string{"url", "http_method", "content_type", "secret"},
 			expectedValues: map[string]string{
 				"url":          "https://example.com/webhook",
 				"http_method":  "post",
 				"content_type": "json",
 				"secret":       "secret123",
-				"branch_filter":        "main",
-				"authorization_header": "X-Token: abc",
 			},
 		},
 	}
@@ -159,12 +129,6 @@ func TestWebhookConfigConstruction(t *testing.T) {
 			if tt.secret != "" {
 				config["secret"] = tt.secret
 			}
-			if tt.branchFilter != "" {
-				config["branch_filter"] = tt.branchFilter
-			}
-			if tt.authHeader != "" {
-				config["authorization_header"] = tt.authHeader
-			}
 
 			// Check all expected keys exist
 			for _, key := range tt.expectedKeys {
@@ -189,6 +153,8 @@ func TestWebhookCreateOptions(t *testing.T) {
 		events       []string
 		active       bool
 		config       map[string]string
+		branchFilter string
+		authHeader   string
 	}{
 		{
 			name:        "Gitea webhook",
@@ -200,6 +166,8 @@ func TestWebhookCreateOptions(t *testing.T) {
 				"http_method":  "post",
 				"content_type": "json",
 			},
+			branchFilter: "main",
+			authHeader:   "X-Token: abc",
 		},
 		{
 			name:        "Slack webhook",
@@ -232,12 +200,16 @@ func TestWebhookCreateOptions(t *testing.T) {
 				Config:              tt.config,
 				Events:              tt.events,
 				Active:              tt.active,
+				BranchFilter:        tt.branchFilter,
+				AuthorizationHeader: tt.authHeader,
 			}
 
 			assert.Equal(t, gitea.HookType(tt.webhookType), option.Type)
 			assert.Equal(t, tt.events, option.Events)
 			assert.Equal(t, tt.active, option.Active)
 			assert.Equal(t, tt.config, option.Config)
+			assert.Equal(t, tt.branchFilter, option.BranchFilter)
+			assert.Equal(t, tt.authHeader, option.AuthorizationHeader)
 		})
 	}
 }

cmd/webhooks/update.go

@@ -97,11 +97,14 @@ func runWebhooksUpdate(ctx stdctx.Context, cmd *cli.Command) error {
 	if cmd.IsSet("secret") {
 		config["secret"] = cmd.String("secret")
 	}
+	branchFilter := hook.BranchFilter
 	if cmd.IsSet("branch-filter") {
-		config["branch_filter"] = cmd.String("branch-filter")
+		branchFilter = cmd.String("branch-filter")
 	}
+
+	authHeader := hook.AuthorizationHeader
 	if cmd.IsSet("authorization-header") {
-		config["authorization_header"] = cmd.String("authorization-header")
+		authHeader = cmd.String("authorization-header")
 	}
 
 	// Update events if specified
@@ -129,12 +132,16 @@ func runWebhooksUpdate(ctx stdctx.Context, cmd *cli.Command) error {
 			Config:              config,
 			Events:              events,
 			Active:              &active,
+			BranchFilter:        branchFilter,
+			AuthorizationHeader: authHeader,
 		})
 	} else {
 		_, err = client.EditRepoHook(c.Owner, c.Repo, int64(webhookID), gitea.EditHookOption{
 			Config:              config,
 			Events:              events,
 			Active:              &active,
+			BranchFilter:        branchFilter,
+			AuthorizationHeader: authHeader,
 		})
 	}
 	if err != nil {

cmd/webhooks/update_test.go

@@ -130,8 +130,6 @@ func TestUpdateConfigPreservation(t *testing.T) {
 	originalConfig := map[string]string{
 		"url":          "https://old.example.com/webhook",
 		"secret":       "old-secret",
-		"branch_filter":        "main",
-		"authorization_header": "Bearer old-token",
 		"http_method":  "post",
 		"content_type": "json",
 	}
@@ -149,37 +147,18 @@ func TestUpdateConfigPreservation(t *testing.T) {
 			expectedConfig: map[string]string{
 				"url":          "https://new.example.com/webhook",
 				"secret":       "old-secret",
-				"branch_filter":        "main",
-				"authorization_header": "Bearer old-token",
 				"http_method":  "post",
 				"content_type": "json",
 			},
 		},
 		{
-			name: "Update secret and auth header",
+			name: "Update secret",
 			updates: map[string]string{
 				"secret": "new-secret",
-				"authorization_header": "X-Token: new-token",
 			},
 			expectedConfig: map[string]string{
 				"url":          "https://old.example.com/webhook",
 				"secret":       "new-secret",
-				"branch_filter":        "main",
-				"authorization_header": "X-Token: new-token",
-				"http_method":          "post",
-				"content_type":         "json",
-			},
-		},
-		{
-			name: "Clear branch filter",
-			updates: map[string]string{
-				"branch_filter": "",
-			},
-			expectedConfig: map[string]string{
-				"url":                  "https://old.example.com/webhook",
-				"secret":               "old-secret",
-				"branch_filter":        "",
-				"authorization_header": "Bearer old-token",
 				"http_method":  "post",
 				"content_type": "json",
 			},
@@ -190,8 +169,6 @@ func TestUpdateConfigPreservation(t *testing.T) {
 			expectedConfig: map[string]string{
 				"url":          "https://old.example.com/webhook",
 				"secret":       "old-secret",
-				"branch_filter":        "main",
-				"authorization_header": "Bearer old-token",
 				"http_method":  "post",
 				"content_type": "json",
 			},
@@ -217,6 +194,61 @@ func TestUpdateConfigPreservation(t *testing.T) {
 	}
 }
 
+func TestUpdateBranchFilterAndAuthHeaderHandling(t *testing.T) {
+	tests := []struct {
+		name                   string
+		originalBranchFilter   string
+		originalAuthHeader     string
+		setBranchFilter        bool
+		newBranchFilter        string
+		setAuthorizationHeader bool
+		newAuthHeader          string
+		expectedBranchFilter   string
+		expectedAuthHeader     string
+	}{
+		{
+			name:                 "Preserve values",
+			originalBranchFilter: "main",
+			originalAuthHeader:   "Bearer old-token",
+			expectedBranchFilter: "main",
+			expectedAuthHeader:   "Bearer old-token",
+		},
+		{
+			name:                 "Update branch filter",
+			originalBranchFilter: "main",
+			setBranchFilter:      true,
+			newBranchFilter:      "develop",
+			expectedBranchFilter: "develop",
+			expectedAuthHeader:   "",
+		},
+		{
+			name:                   "Update authorization header",
+			originalAuthHeader:     "Bearer old-token",
+			setAuthorizationHeader: true,
+			newAuthHeader:          "X-Token: new-token",
+			expectedBranchFilter:   "",
+			expectedAuthHeader:     "X-Token: new-token",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			branchFilter := tt.originalBranchFilter
+			if tt.setBranchFilter {
+				branchFilter = tt.newBranchFilter
+			}
+
+			authHeader := tt.originalAuthHeader
+			if tt.setAuthorizationHeader {
+				authHeader = tt.newAuthHeader
+			}
+
+			assert.Equal(t, tt.expectedBranchFilter, branchFilter)
+			assert.Equal(t, tt.expectedAuthHeader, authHeader)
+		})
+	}
+}
+
 func TestUpdateEventsHandling(t *testing.T) {
 	tests := []struct {
 		name           string

docs/CLI.md

@@ -1043,12 +1043,12 @@ Create an organization
 
 **--description, -d**="": 
 
+**--full-name, -n**="": 
+
 **--location, -L**="": 
 
 **--login, -l**="": Use a different Gitea Login. Optional
 
-**--name, -n**="": 
-
 **--repo-admins-can-change-team-access**: 
 
 **--visibility, -v**="": 
@@ -1065,7 +1065,7 @@ Delete users Organizations
 
 ## repos, repo
 
-Show repository details
+Manage repositories
 
 **--fields, -f**="": Comma-separated list of fields to print. Available values:
 			description,forks,id,name,owner,stars,ssh,updated,url,permission,type
@@ -1941,6 +1941,50 @@ Clone a repository locally
 
 **--login, -l**="": Use a different Gitea Login. Optional
 
+## ssh-keys, ssh-key
+
+Manage SSH public keys
+
+**--limit, --lm**="": specify limit of items per page (default: 30)
+
+**--login, -l**="": Use a different Gitea Login. Optional
+
+**--output, -o**="": Output format. (simple, table, csv, tsv, yaml, json)
+
+**--page, -p**="": specify page (default: 1)
+
+### list, ls
+
+List SSH keys
+
+**--limit, --lm**="": specify limit of items per page (default: 30)
+
+**--login, -l**="": Use a different Gitea Login. Optional
+
+**--output, -o**="": Output format. (simple, table, csv, tsv, yaml, json)
+
+**--page, -p**="": specify page (default: 1)
+
+### add
+
+Add an SSH public key
+
+**--login, -l**="": Use a different Gitea Login. Optional
+
+**--output, -o**="": Output format. (simple, table, csv, tsv, yaml, json)
+
+**--title, -t**="": Title for the key (defaults to the filename without extension)
+
+### delete, rm
+
+Delete an SSH key
+
+**--confirm, -y**: Confirm deletion (required)
+
+**--login, -l**="": Use a different Gitea Login. Optional
+
+**--output, -o**="": Output format. (simple, table, csv, tsv, yaml, json)
+
 ## admin, a
 
 Operations requiring admin access on the Gitea instance
@@ -1985,6 +2029,116 @@ List Users
 
 **--repo, -r**="": Override local repository path or gitea repository slug to interact with. Optional
 
+#### create, add, new
+
+Create a new user
+
+**--admin**: Make the user an administrator
+
+**--email, -e**="": Email address for the new user (required)
+
+**--full-name**="": Full name for the new user
+
+**--login, -l**="": Use a different Gitea Login. Optional
+
+**--no-must-change-password**: Don't require the user to change password on first login (default: password change required)
+
+**--output, -o**="": Output format. (simple, table, csv, tsv, yaml, json)
+
+**--password, -p**="": Password for the new user (will prompt if not provided)
+
+**--password-file**="": Read password from file
+
+**--password-stdin**: Read password from stdin
+
+**--prohibit-login**: Prohibit the user from logging in
+
+**--remote, -R**="": Discover Gitea login from remote. Optional
+
+**--repo, -r**="": Override local repository path or gitea repository slug to interact with. Optional
+
+**--restricted**: Make the user restricted
+
+**--username, -u**="": Username for the new user (required)
+
+**--visibility**="": Visibility of the user profile (public, limited, private) (default: "public")
+
+#### edit, update, e, u
+
+Edit a user
+
+**--active**: Activate the user
+
+**--admin**: Make the user an administrator
+
+**--allow-create-organization**: Allow the user to create organizations
+
+**--allow-git-hook**: Allow the user to use git hooks
+
+**--allow-import-local**: Allow the user to import local repositories
+
+**--allow-login**: Allow the user to log in
+
+**--description**="": User description
+
+**--email, -e**="": Email address
+
+**--full-name**="": Full name
+
+**--inactive**: Deactivate the user
+
+**--location**="": Location
+
+**--login, -l**="": Use a different Gitea Login. Optional
+
+**--max-repo-creation**="": Maximum number of repositories the user can create (-1 for unlimited) (default: 0)
+
+**--no-admin**: Remove administrator status
+
+**--no-allow-create-organization**: Disallow the user from creating organizations
+
+**--no-allow-git-hook**: Disallow the user from using git hooks
+
+**--no-allow-import-local**: Disallow the user from importing local repositories
+
+**--no-must-change-password**: Don't require the user to change password on next login (default: password change required)
+
+**--no-restricted**: Remove restricted status
+
+**--output, -o**="": Output format. (simple, table, csv, tsv, yaml, json)
+
+**--password**="": New password (use empty value --password="" to trigger interactive prompt)
+
+**--password-file**="": Read password from file
+
+**--password-stdin**: Read password from stdin
+
+**--prohibit-login**: Prohibit the user from logging in
+
+**--remote, -R**="": Discover Gitea login from remote. Optional
+
+**--repo, -r**="": Override local repository path or gitea repository slug to interact with. Optional
+
+**--restricted**: Make the user restricted
+
+**--visibility**="": Visibility of the user profile (public, limited, private)
+
+**--website**="": Website URL
+
+#### delete, rm, remove
+
+Delete a user
+
+**--confirm, -y**: confirm deletion without prompting
+
+**--login, -l**="": Use a different Gitea Login. Optional
+
+**--output, -o**="": Output format. (simple, table, csv, tsv, yaml, json)
+
+**--remote, -R**="": Discover Gitea login from remote. Optional
+
+**--repo, -r**="": Override local repository path or gitea repository slug to interact with. Optional
+
 ## api
 
 Make an authenticated API request

go.mod

@@ -5,46 +5,46 @@ go 1.26
 require (
 	charm.land/glamour/v2 v2.0.0
 	charm.land/huh/v2 v2.0.3
-	charm.land/lipgloss/v2 v2.0.2
+	charm.land/lipgloss/v2 v2.0.3
 	code.gitea.io/gitea-vet v0.2.3
-	code.gitea.io/sdk/gitea v0.24.1
+	code.gitea.io/sdk/gitea v0.25.1
 	gitea.com/noerw/unidiff-comments v0.0.0-20220822113322-50f4daa0e35c
 	github.com/adrg/xdg v0.5.3
 	github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de
 	github.com/enescakir/emoji v1.0.0
-	github.com/go-authgate/sdk-go v0.6.1
-	github.com/go-git/go-git/v5 v5.17.2
+	github.com/go-authgate/sdk-go v0.11.0
+	github.com/go-git/go-git/v5 v5.19.0
 	github.com/muesli/termenv v0.16.0
 	github.com/olekukonko/tablewriter v1.1.4
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
 	github.com/stretchr/testify v1.11.1
 	github.com/urfave/cli-docs/v3 v3.1.0
-	github.com/urfave/cli/v3 v3.8.0
-	golang.org/x/crypto v0.50.0
+	github.com/urfave/cli/v3 v3.9.0
+	golang.org/x/crypto v0.51.0
 	golang.org/x/oauth2 v0.36.0
-	golang.org/x/sys v0.43.0
-	golang.org/x/term v0.42.0
+	golang.org/x/sys v0.44.0
+	golang.org/x/term v0.43.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
 	charm.land/bubbles/v2 v2.1.0 // indirect
-	charm.land/bubbletea/v2 v2.0.2 // indirect
+	charm.land/bubbletea/v2 v2.0.6 // indirect
 	dario.cat/mergo v1.0.2 // indirect
 	github.com/42wim/httpsig v1.2.4 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/ProtonMail/go-crypto v1.4.1 // indirect
-	github.com/alecthomas/chroma/v2 v2.23.1 // indirect
+	github.com/alecthomas/chroma/v2 v2.24.1 // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/aymerick/douceur v0.2.0 // indirect
 	github.com/catppuccin/go v0.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/charmbracelet/colorprofile v0.4.3 // indirect
-	github.com/charmbracelet/ultraviolet v0.0.0-20260330092749-0f94982c930b // indirect
-	github.com/charmbracelet/x/ansi v0.11.6 // indirect
+	github.com/charmbracelet/ultraviolet v0.0.0-20260511121909-c840852527f3 // indirect
+	github.com/charmbracelet/x/ansi v0.11.7 // indirect
 	github.com/charmbracelet/x/exp/ordered v0.1.0 // indirect
-	github.com/charmbracelet/x/exp/slice v0.0.0-20260406091427-a791e22d5143 // indirect
+	github.com/charmbracelet/x/exp/slice v0.0.0-20260511125431-fe5d686e0c99 // indirect
 	github.com/charmbracelet/x/exp/strings v0.1.0 // indirect
 	github.com/charmbracelet/x/term v0.2.2 // indirect
 	github.com/charmbracelet/x/termios v0.1.1 // indirect
@@ -57,13 +57,13 @@ require (
 	github.com/danieljoos/wincred v1.2.3 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/davidmz/go-pageant v1.0.2 // indirect
-	github.com/dlclark/regexp2 v1.11.5 // indirect
+	github.com/dlclark/regexp2 v1.12.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/fatih/color v1.19.0 // indirect
 	github.com/go-fed/httpsig v1.1.0 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.8.0 // indirect
+	github.com/go-git/go-billy/v5 v5.9.0 // indirect
 	github.com/goccy/go-json v0.10.6 // indirect
 	github.com/godbus/dbus/v5 v5.2.2 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
@@ -74,15 +74,15 @@ require (
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.4.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
-	github.com/mattn/go-isatty v0.0.21 // indirect
+	github.com/mattn/go-isatty v0.0.22 // indirect
 	github.com/mattn/go-runewidth v0.0.23 // indirect
 	github.com/microcosm-cc/bluemonday v1.0.27 // indirect
 	github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 // indirect
-	github.com/olekukonko/errors v1.2.0 // indirect
+	github.com/olekukonko/errors v1.3.0 // indirect
 	github.com/olekukonko/ll v0.1.8 // indirect
-	github.com/pjbgf/sha1cd v0.5.0 // indirect
+	github.com/pjbgf/sha1cd v0.6.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
@@ -93,10 +93,10 @@ require (
 	github.com/yuin/goldmark v1.8.2 // indirect
 	github.com/yuin/goldmark-emoji v1.0.6 // indirect
 	github.com/zalando/go-keyring v0.2.8 // indirect
-	golang.org/x/net v0.53.0 // indirect
+	golang.org/x/net v0.54.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/text v0.36.0 // indirect
-	golang.org/x/tools v0.44.0 // indirect
+	golang.org/x/text v0.37.0 // indirect
+	golang.org/x/tools v0.45.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
 

go.sum

@@ -1,17 +1,17 @@
 charm.land/bubbles/v2 v2.1.0 h1:YSnNh5cPYlYjPxRrzs5VEn3vwhtEn3jVGRBT3M7/I0g=
 charm.land/bubbles/v2 v2.1.0/go.mod h1:l97h4hym2hvWBVfmJDtrEHHCtkIKeTEb3TTJ4ZOB3wY=
-charm.land/bubbletea/v2 v2.0.2 h1:4CRtRnuZOdFDTWSff9r8QFt/9+z6Emubz3aDMnf/dx0=
-charm.land/bubbletea/v2 v2.0.2/go.mod h1:3LRff2U4WIYXy7MTxfbAQ+AdfM3D8Xuvz2wbsOD9OHQ=
+charm.land/bubbletea/v2 v2.0.6 h1:UHN/91OyuhaOFGSrBXQ/hMZD8IO1Uc4BvHlgHXL2WJo=
+charm.land/bubbletea/v2 v2.0.6/go.mod h1:MH/D8ZLlN3op37vQvijKuU29g3rqTp+aQapURFonF9g=
 charm.land/glamour/v2 v2.0.0 h1:IDBoqLEy7Hdpb9VOXN+khLP/XSxtJy1VsHuW/yF87+U=
 charm.land/glamour/v2 v2.0.0/go.mod h1:kjq9WB0s8vuUYZNYey2jp4Lgd9f4cKdzAw88FZtpj/w=
 charm.land/huh/v2 v2.0.3 h1:2cJsMqEPwSywGHvdlKsJyQKPtSJLVnFKyFbsYZTlLkU=
 charm.land/huh/v2 v2.0.3/go.mod h1:93eEveeeqn47MwiC3tf+2atZ2l7Is88rAtmZNZ8x9Wc=
-charm.land/lipgloss/v2 v2.0.2 h1:xFolbF8JdpNkM2cEPTfXEcW1p6NRzOWTSamRfYEw8cs=
-charm.land/lipgloss/v2 v2.0.2/go.mod h1:KjPle2Qd3YmvP1KL5OMHiHysGcNwq6u83MUjYkFvEkM=
+charm.land/lipgloss/v2 v2.0.3 h1:yM2zJ4Cf5Y51b7RHIwioil4ApI/aypFXXVHSwlM6RzU=
+charm.land/lipgloss/v2 v2.0.3/go.mod h1:7myLU9iG/3xluAWzpY/fSxYYHCgoKTie7laxk6ATwXA=
 code.gitea.io/gitea-vet v0.2.3 h1:gdFmm6WOTM65rE8FUBTRzeQZYzXePKSSB1+r574hWwI=
 code.gitea.io/gitea-vet v0.2.3/go.mod h1:zcNbT/aJEmivCAhfmkHOlT645KNOf9W2KnkLgFjGGfE=
-code.gitea.io/sdk/gitea v0.24.1 h1:hpaqcdGcBmfMpV7JSbBJVwE99qo+WqGreJYKrDKEyW8=
-code.gitea.io/sdk/gitea v0.24.1/go.mod h1:5/77BL3sHneCMEiZaMT9lfTvnnibsYxyO48mceCF3qA=
+code.gitea.io/sdk/gitea v0.25.1 h1:yywxWwoV+SdjHtbC6unBiXojWdZOtoHuGhEazEXeWuE=
+code.gitea.io/sdk/gitea v0.25.1/go.mod h1:uDFWYBU8dgZsgOHwe6C/6olxvf8FHguNB3wW1i83fgg=
 dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
 dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
 gitea.com/noerw/unidiff-comments v0.0.0-20220822113322-50f4daa0e35c h1:8fTkq2UaVkLHZCF+iB4wTxINmVAToe2geZGayk9LMbA=
@@ -29,8 +29,8 @@ github.com/adrg/xdg v0.5.3 h1:xRnxJXne7+oWDatRhR1JLnvuccuIeCoBu2rtuLqQB78=
 github.com/adrg/xdg v0.5.3/go.mod h1:nlTsY+NNiCBGCK2tpm09vRqfVzrc2fLmXGpBLF0zlTQ=
 github.com/alecthomas/assert/v2 v2.11.0 h1:2Q9r3ki8+JYXvGsDyBXwH3LcJ+WK5D0gc5E8vS6K3D0=
 github.com/alecthomas/assert/v2 v2.11.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k=
-github.com/alecthomas/chroma/v2 v2.23.1 h1:nv2AVZdTyClGbVQkIzlDm/rnhk1E9bU9nXwmZ/Vk/iY=
-github.com/alecthomas/chroma/v2 v2.23.1/go.mod h1:NqVhfBR0lte5Ouh3DcthuUCTUpDC9cxBOfyMbMQPs3o=
+github.com/alecthomas/chroma/v2 v2.24.1 h1:m5ffpfZbIb++k8AqFEKy9uVgY12xIQtBsQlc6DfZJQM=
+github.com/alecthomas/chroma/v2 v2.24.1/go.mod h1:l+ohZ9xRXIbGe7cIW+YZgOGbvuVLjMps/FYN/CwuabI=
 github.com/alecthomas/repr v0.5.2 h1:SU73FTI9D1P5UNtvseffFSGmdNci/O6RsqzeXJtP0Qs=
 github.com/alecthomas/repr v0.5.2/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
@@ -53,10 +53,10 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/charmbracelet/colorprofile v0.4.3 h1:QPa1IWkYI+AOB+fE+mg/5/4HRMZcaXex9t5KX76i20Q=
 github.com/charmbracelet/colorprofile v0.4.3/go.mod h1:/zT4BhpD5aGFpqQQqw7a+VtHCzu+zrQtt1zhMt9mR4Q=
-github.com/charmbracelet/ultraviolet v0.0.0-20260330092749-0f94982c930b h1:ASDO9RT6SNKTQN87jO2bRfxHFJq8cgeYdFzivY2gCeM=
-github.com/charmbracelet/ultraviolet v0.0.0-20260330092749-0f94982c930b/go.mod h1:Vo8TffMf0q7Uho/n8e6XpBZvOWtd3g39yX+9P5rRutA=
-github.com/charmbracelet/x/ansi v0.11.6 h1:GhV21SiDz/45W9AnV2R61xZMRri5NlLnl6CVF7ihZW8=
-github.com/charmbracelet/x/ansi v0.11.6/go.mod h1:2JNYLgQUsyqaiLovhU2Rv/pb8r6ydXKS3NIttu3VGZQ=
+github.com/charmbracelet/ultraviolet v0.0.0-20260511121909-c840852527f3 h1:pxGjlWZFcRQMWAdtjRelpL3Gbu8iYIyuO3Eqbd037Ow=
+github.com/charmbracelet/ultraviolet v0.0.0-20260511121909-c840852527f3/go.mod h1:SnKWaPaTnkTNXJgdgdquu66de12V8pW/b/qlTGaF9xg=
+github.com/charmbracelet/x/ansi v0.11.7 h1:kzv1kJvjg2S3r9KHo8hDdHFQLEqn4RBCb39dAYC84jI=
+github.com/charmbracelet/x/ansi v0.11.7/go.mod h1:9qGpnAVYz+8ACONkZBUWPtL7lulP9No6p1epAihUZwQ=
 github.com/charmbracelet/x/conpty v0.1.1 h1:s1bUxjoi7EpqiXysVtC+a8RrvPPNcNvAjfi4jxsAuEs=
 github.com/charmbracelet/x/conpty v0.1.1/go.mod h1:OmtR77VODEFbiTzGE9G1XiRJAga6011PIm4u5fTNZpk=
 github.com/charmbracelet/x/errors v0.0.0-20240508181413-e8d8b6e2de86 h1:JSt3B+U9iqk37QUU2Rvb6DSBYRLtWqFqfxf8l5hOZUA=
@@ -65,8 +65,8 @@ github.com/charmbracelet/x/exp/golden v0.0.0-20250806222409-83e3a29d542f h1:pk6g
 github.com/charmbracelet/x/exp/golden v0.0.0-20250806222409-83e3a29d542f/go.mod h1:IfZAMTHB6XkZSeXUqriemErjAWCCzT0LwjKFYCZyw0I=
 github.com/charmbracelet/x/exp/ordered v0.1.0 h1:55/qLwjIh0gL0Vni+QAWk7T/qRVP6sBf+2agPBgnOFE=
 github.com/charmbracelet/x/exp/ordered v0.1.0/go.mod h1:5UHwmG+is5THxMyCJHNPCn2/ecI07aKNrW+LcResjJ8=
-github.com/charmbracelet/x/exp/slice v0.0.0-20260406091427-a791e22d5143 h1:aEppolah2k9c0LzKX2fk5ryuyQ0Lq8kCOjkvMw1b8o4=
-github.com/charmbracelet/x/exp/slice v0.0.0-20260406091427-a791e22d5143/go.mod h1:vqEfX6xzqW1pKKZUUiFOKg0OQ7bCh54Q2vR/tserrRA=
+github.com/charmbracelet/x/exp/slice v0.0.0-20260511125431-fe5d686e0c99 h1:e4VttUIAVgO4neqnJG80U4BE//1kcvyOrJ5utftPXQE=
+github.com/charmbracelet/x/exp/slice v0.0.0-20260511125431-fe5d686e0c99/go.mod h1:vqEfX6xzqW1pKKZUUiFOKg0OQ7bCh54Q2vR/tserrRA=
 github.com/charmbracelet/x/exp/strings v0.1.0 h1:i69S2XI7uG1u4NLGeJPSYU++Nmjvpo9nwd6aoEm7gkA=
 github.com/charmbracelet/x/exp/strings v0.1.0/go.mod h1:/ehtMPNh9K4odGFkqYJKpIYyePhdp1hLBRvyY4bWkH8=
 github.com/charmbracelet/x/term v0.2.2 h1:xVRT/S2ZcKdhhOuSP4t5cLi5o+JxklsoEObBSgfgZRk=
@@ -96,8 +96,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davidmz/go-pageant v1.0.2 h1:bPblRCh5jGU+Uptpz6LgMZGD5hJoOt7otgT454WvHn0=
 github.com/davidmz/go-pageant v1.0.2/go.mod h1:P2EDDnMqIwG5Rrp05dTRITj9z2zpGcD9efWSkTNKLIE=
-github.com/dlclark/regexp2 v1.11.5 h1:Q/sSnsKerHeCkc/jSTNq1oCm7KiVgUMZRDUoRu0JQZQ=
-github.com/dlclark/regexp2 v1.11.5/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
+github.com/dlclark/regexp2 v1.12.0 h1:0j4c5qQmnC6XOWNjP3PIXURXN2gWx76rd3KvgdPkCz8=
+github.com/dlclark/regexp2 v1.12.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o=
@@ -110,18 +110,18 @@ github.com/fatih/color v1.19.0 h1:Zp3PiM21/9Ld6FzSKyL5c/BULoe/ONr9KlbYVOfG8+w=
 github.com/fatih/color v1.19.0/go.mod h1:zNk67I0ZUT1bEGsSGyCZYZNrHuTkJJB+r6Q9VuMi0LE=
 github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
 github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
-github.com/go-authgate/sdk-go v0.6.1 h1:oQREINU63YckTRdJ+0VBmN6ewFSMXa0D862w8624/jw=
-github.com/go-authgate/sdk-go v0.6.1/go.mod h1:55PLAPuu8GDK0omOwG6lx4c+9/T6dJwZd8kecUueLEk=
+github.com/go-authgate/sdk-go v0.11.0 h1:ZTfJ0rzeDn4QBqAmF9VKS3CqlKhE8+0tJxg8OGNtIzo=
+github.com/go-authgate/sdk-go v0.11.0/go.mod h1:sa0ige5wtayj2WcnXlxa8wGuyi5z/c/chc0mXPJTl/Q=
 github.com/go-fed/httpsig v1.1.0 h1:9M+hb0jkEICD8/cAiNqEB66R87tTINszBRTjwjQzWcI=
 github.com/go-fed/httpsig v1.1.0/go.mod h1:RCMrTZvN1bJYtofsG4rd5NaO5obxQ5xBkdiS7xsT7bM=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
-github.com/go-git/go-billy/v5 v5.8.0 h1:I8hjc3LbBlXTtVuFNJuwYuMiHvQJDq1AT6u4DwDzZG0=
-github.com/go-git/go-billy/v5 v5.8.0/go.mod h1:RpvI/rw4Vr5QA+Z60c6d6LXH0rYJo0uD5SqfmrrheCY=
+github.com/go-git/go-billy/v5 v5.9.0 h1:jItGXszUDRtR/AlferWPTMN4j38BQ88XnXKbilmmBPA=
+github.com/go-git/go-billy/v5 v5.9.0/go.mod h1:jCnQMLj9eUgGU7+ludSTYoZL/GGmii14RxKFj7ROgHw=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.17.2 h1:B+nkdlxdYrvyFK4GPXVU8w1U+YkbsgciIR7f2sZJ104=
-github.com/go-git/go-git/v5 v5.17.2/go.mod h1:pW/VmeqkanRFqR6AljLcs7EA7FbZaN5MQqO7oZADXpo=
+github.com/go-git/go-git/v5 v5.19.0 h1:+WkVUQZSy/F1Gb13udrMKjIM2PrzsNfDKFSfo5tkMtc=
+github.com/go-git/go-git/v5 v5.19.0/go.mod h1:Pb1v0c7/g8aGQJwx9Us09W85yGoyvSwuhEGMH7zjDKQ=
 github.com/goccy/go-json v0.10.6 h1:p8HrPJzOakx/mn/bQtjgNjdTcN+/S6FcG2CTtQOrHVU=
 github.com/goccy/go-json v0.10.6/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/godbus/dbus/v5 v5.2.2 h1:TUR3TgtSVDmjiXOgAAyaZbYmIeP3DPkld3jgKGV8mXQ=
@@ -153,8 +153,8 @@ github.com/lucasb-eyer/go-colorful v1.4.0 h1:UtrWVfLdarDgc44HcS7pYloGHJUjHV/4FwW
 github.com/lucasb-eyer/go-colorful v1.4.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
-github.com/mattn/go-isatty v0.0.21 h1:xYae+lCNBP7QuW4PUnNG61ffM4hVIfm+zUzDuSzYLGs=
-github.com/mattn/go-isatty v0.0.21/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4=
+github.com/mattn/go-isatty v0.0.22 h1:j8l17JJ9i6VGPUFUYoTUKPSgKe/83EYU2zBC7YNKMw4=
+github.com/mattn/go-isatty v0.0.22/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4=
 github.com/mattn/go-runewidth v0.0.10/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk=
 github.com/mattn/go-runewidth v0.0.23 h1:7ykA0T0jkPpzSvMS5i9uoNn2Xy3R383f9HDx3RybWcw=
 github.com/mattn/go-runewidth v0.0.23/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
@@ -168,16 +168,16 @@ github.com/muesli/termenv v0.16.0 h1:S5AlUN9dENB57rsbnkPyfdGuWIlkmzJjbFf0Tf5FWUc
 github.com/muesli/termenv v0.16.0/go.mod h1:ZRfOIKPFDYQoDFF4Olj7/QJbW60Ol/kL1pU3VfY/Cnk=
 github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 h1:zrbMGy9YXpIeTnGj4EljqMiZsIcE09mmF8XsD5AYOJc=
 github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6/go.mod h1:rEKTHC9roVVicUIfZK7DYrdIoM0EOr8mK1Hj5s3JjH0=
-github.com/olekukonko/errors v1.2.0 h1:10Zcn4GeV59t/EGqJc8fUjtFT/FuUh5bTMzZ1XwmCRo=
-github.com/olekukonko/errors v1.2.0/go.mod h1:ppzxA5jBKcO1vIpCXQ9ZqgDh8iwODz6OXIGKU8r5m4Y=
+github.com/olekukonko/errors v1.3.0 h1:teJvgLGUEqMzBUms+Dj3/3szNqCG/Jdw9iDbum8fR6U=
+github.com/olekukonko/errors v1.3.0/go.mod h1:ppzxA5jBKcO1vIpCXQ9ZqgDh8iwODz6OXIGKU8r5m4Y=
 github.com/olekukonko/ll v0.1.8 h1:ysHCJRGHYKzmBSdz9w5AySztx7lG8SQY+naTGYUbsz8=
 github.com/olekukonko/ll v0.1.8/go.mod h1:RPRC6UcscfFZgjo1nulkfMH5IM0QAYim0LfnMvUuozw=
 github.com/olekukonko/tablewriter v1.1.4 h1:ORUMI3dXbMnRlRggJX3+q7OzQFDdvgbN9nVWj1drm6I=
 github.com/olekukonko/tablewriter v1.1.4/go.mod h1:+kedxuyTtgoZLwif3P1Em4hARJs+mVnzKxmsCL/C5RY=
 github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
 github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
-github.com/pjbgf/sha1cd v0.5.0 h1:a+UkboSi1znleCDUNT3M5YxjOnN1fz2FhN48FlwCxs0=
-github.com/pjbgf/sha1cd v0.5.0/go.mod h1:lhpGlyHLpQZoxMv8HcgXvZEhcGs0PG/vsZnEJ7H0iCM=
+github.com/pjbgf/sha1cd v0.6.0 h1:3WJ8Wz8gvDz29quX1OcEmkAlUg9diU4GxJHqs0/XiwU=
+github.com/pjbgf/sha1cd v0.6.0/go.mod h1:lhpGlyHLpQZoxMv8HcgXvZEhcGs0PG/vsZnEJ7H0iCM=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -209,8 +209,8 @@ github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/urfave/cli-docs/v3 v3.1.0 h1:Sa5xm19IpE5gpm6tZzXdfjdFxn67PnEsE4dpXF7vsKw=
 github.com/urfave/cli-docs/v3 v3.1.0/go.mod h1:59d+5Hz1h6GSGJ10cvcEkbIe3j233t4XDqI72UIx7to=
-github.com/urfave/cli/v3 v3.8.0 h1:XqKPrm0q4P0q5JpoclYoCAv0/MIvH/jZ2umzuf8pNTI=
-github.com/urfave/cli/v3 v3.8.0/go.mod h1:ysVLtOEmg2tOy6PknnYVhDoouyC/6N42TMeoMzskhso=
+github.com/urfave/cli/v3 v3.9.0 h1:AV9lIiPv3ukYnxunaCUsHnEozptYmDN2F0+yWqLMn/c=
+github.com/urfave/cli/v3 v3.9.0/go.mod h1:ysVLtOEmg2tOy6PknnYVhDoouyC/6N42TMeoMzskhso=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
 github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
@@ -227,20 +227,20 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
-golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
-golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
-golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
+golang.org/x/crypto v0.51.0 h1:IBPXwPfKxY7cWQZ38ZCIRPI50YLeevDLlLnyC5wRGTI=
+golang.org/x/crypto v0.51.0/go.mod h1:8AdwkbraGNABw2kOX6YFPs3WM22XqI4EXEd8g+x7Oc8=
+golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f h1:W3F4c+6OLc6H2lb//N1q4WpJkhzJCK5J6kUi1NTVXfM=
+golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f/go.mod h1:J1xhfL/vlindoeF/aINzNzt2Bket5bjo9sdOYzOsU80=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
-golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
+golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
+golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
-golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/net v0.54.0 h1:2zJIZAxAHV/OHCDTCOHAYehQzLfSXuf/5SoL/Dv6w/w=
+golang.org/x/net v0.54.0/go.mod h1:Sj4oj8jK6XmHpBZU/zWHw3BV3abl4Kvi+Ut7cQcY+cQ=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -255,21 +255,21 @@ golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
-golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
+golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
-golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
+golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
+golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
-golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200325010219-a49f79bcc224/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
-golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
-golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
+golang.org/x/tools v0.45.0 h1:18qN3FAooORvApf5XjCXgsuayZOEtXf6JK18I3+ONa8=
+golang.org/x/tools v0.45.0/go.mod h1:LuUGqqaXcXMEFEruIVJVm5mgDD8vww/z/SR1gQ4uE/0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

modules/config/testtools.go

@@ -0,0 +1,13 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build testtools
+
+package config
+
+import "time"
+
+// AcquireConfigLockForTesting exposes the internal lock helper to integration tests.
+func AcquireConfigLockForTesting(lockPath string, timeout time.Duration) (func() error, error) {
+	return acquireConfigLock(lockPath, timeout)
+}

modules/context/context.go

@@ -83,6 +83,8 @@ func InitCommand(cmd *cli.Command) (*TeaContext, error) {
 		}
 		if repoFlagPathExists {
 			repoPath = repoFlag
+		} else {
+			c.RepoSlug = repoFlag
 		}
 	}
 
@@ -90,12 +92,6 @@ func InitCommand(cmd *cli.Command) (*TeaContext, error) {
 		remoteFlag = config.GetPreferences().FlagDefaults.Remote
 	}
 
-	if repoPath == "" {
-		if repoPath, err = os.Getwd(); err != nil {
-			return nil, err
-		}
-	}
-
 	// Create env login before repo context detection so it participates in remote URL matching
 	var extraLogins []config.Login
 	envLogin := GetLoginByEnvVar()
@@ -108,6 +104,13 @@ func InitCommand(cmd *cli.Command) (*TeaContext, error) {
 
 	// try to read local git repo & extract context: if repoFlag specifies a valid path, read repo in that dir,
 	// otherwise attempt PWD. if no repo is found, continue with default login
+	if c.RepoSlug == "" {
+		if repoPath == "" {
+			if repoPath, err = os.Getwd(); err != nil {
+				return nil, err
+			}
+		}
+
 		if c.LocalRepo, c.Login, c.RepoSlug, err = contextFromLocalRepo(repoPath, remoteFlag, extraLogins); err != nil {
 			if err == errNotAGiteaRepo || err == gogit.ErrRepositoryNotExists {
 				// we can deal with that, commands needing the optional values use ctx.Ensure()
@@ -115,10 +118,6 @@ func InitCommand(cmd *cli.Command) (*TeaContext, error) {
 				return nil, err
 			}
 		}
-
-	if len(repoFlag) != 0 && !repoFlagPathExists {
-		// if repoFlag is not a valid path, use it to override repoSlug
-		c.RepoSlug = repoFlag
 	}
 
 	// If env vars are set, always use the env login (but repo slug was already

modules/interact/issue_create.go

@@ -180,19 +180,25 @@ func fetchIssueSelectables(login *config.Login, owner, repo string, done chan is
 		r.MilestoneList[i] = m.Title
 	}
 
-	labels, _, err := c.ListRepoLabels(owner, repo, gitea.ListLabelsOptions{
-		ListOptions: gitea.ListOptions{Page: -1},
+	r.LabelMap = make(map[string]int64)
+	r.LabelList = make([]string, 0)
+	for page := 1; ; {
+		labels, resp, err := c.ListRepoLabels(owner, repo, gitea.ListLabelsOptions{
+			ListOptions: gitea.ListOptions{Page: page, PageSize: 50},
 		})
 		if err != nil {
 			r.Err = err
 			done <- r
 			return
 		}
-	r.LabelMap = make(map[string]int64)
-	r.LabelList = make([]string, len(labels))
-	for i, l := range labels {
+		for _, l := range labels {
 			r.LabelMap[l.Name] = l.ID
-		r.LabelList[i] = l.Name
+			r.LabelList = append(r.LabelList, l.Name)
+		}
+		if resp == nil || resp.NextPage == 0 {
+			break
+		}
+		page = resp.NextPage
 	}
 
 	done <- r

modules/print/sshkey.go

@@ -0,0 +1,44 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package print
+
+import (
+	"fmt"
+
+	"code.gitea.io/sdk/gitea"
+)
+
+// SSHKeysList prints a table of SSH public keys
+func SSHKeysList(keys []*gitea.PublicKey, output string) error {
+	if len(keys) == 0 {
+		fmt.Printf("No SSH keys found\n")
+		return nil
+	}
+
+	t := tableWithHeader(
+		"ID",
+		"Title",
+		"Fingerprint",
+		"KeyType",
+		"ReadOnly",
+		"Created",
+	)
+
+	for _, k := range keys {
+		readOnly := "false"
+		if k.ReadOnly {
+			readOnly = "true"
+		}
+		t.addRow(
+			fmt.Sprintf("%d", k.ID),
+			k.Title,
+			k.Fingerprint,
+			k.KeyType,
+			readOnly,
+			FormatTime(k.Created, false),
+		)
+	}
+
+	return t.print(output)
+}

modules/print/webhook.go

@@ -67,13 +67,21 @@ func WebhookDetails(hook *gitea.Hook) {
 		if method, ok := hook.Config["http_method"]; ok {
 			fmt.Printf("- **HTTP Method**: %s\n", method)
 		}
-		if branchFilter, ok := hook.Config["branch_filter"]; ok && branchFilter != "" {
+		branchFilter := hook.BranchFilter
+		if branchFilter == "" {
+			branchFilter = hook.Config["branch_filter"]
+		}
+		if branchFilter != "" {
 			fmt.Printf("- **Branch Filter**: %s\n", branchFilter)
 		}
 		if _, hasSecret := hook.Config["secret"]; hasSecret {
 			fmt.Printf("- **Secret**: (configured)\n")
 		}
-		if _, hasAuth := hook.Config["authorization_header"]; hasAuth {
+		hasAuth := hook.AuthorizationHeader != ""
+		if !hasAuth {
+			_, hasAuth = hook.Config["authorization_header"]
+		}
+		if hasAuth {
 			fmt.Printf("- **Authorization Header**: (configured)\n")
 		}
 	}

modules/print/webhook_test.go

@@ -84,10 +84,10 @@ func TestWebhookDetails(t *testing.T) {
 					"url":          "https://example.com/webhook",
 					"content_type": "json",
 					"http_method":  "post",
-					"branch_filter":        "main,develop",
 					"secret":       "secret-value",
-					"authorization_header": "Bearer token123",
 				},
+				BranchFilter:        "main,develop",
+				AuthorizationHeader: "Bearer token123",
 				Events:              []string{"push", "pull_request", "issues"},
 				Active:              true,
 				Created:             now.Add(-24 * time.Hour),
@@ -240,14 +240,12 @@ func TestWebhookConfigHandling(t *testing.T) {
 			config: map[string]string{
 				"url":          "https://example.com/webhook",
 				"secret":       "my-secret",
-				"authorization_header": "Bearer token",
 				"content_type": "json",
 				"http_method":  "post",
-				"branch_filter":        "main",
 			},
 			expectedURL:   "https://example.com/webhook",
 			hasSecret:     true,
-			hasAuthHeader: true,
+			hasAuthHeader: false,
 		},
 		{
 			name: "Config with minimal fields",
@@ -344,10 +342,10 @@ func TestWebhookDetailsFormatting(t *testing.T) {
 			"url":          "https://example.com/webhook",
 			"content_type": "json",
 			"http_method":  "post",
-			"branch_filter":        "main,develop",
 			"secret":       "secret-value",
-			"authorization_header": "Bearer token123",
 		},
+		BranchFilter:        "main,develop",
+		AuthorizationHeader: "Bearer token123",
 		Events:              []string{"push", "pull_request", "issues"},
 		Active:              true,
 		Created:             now.Add(-24 * time.Hour),
@@ -379,8 +377,8 @@ func TestWebhookDetailsFormatting(t *testing.T) {
 	assert.Equal(t, "https://example.com/webhook", hook.Config["url"])
 	assert.Equal(t, "json", hook.Config["content_type"])
 	assert.Equal(t, "post", hook.Config["http_method"])
-	assert.Equal(t, "main,develop", hook.Config["branch_filter"])
+	assert.Equal(t, "main,develop", hook.BranchFilter)
 	assert.Contains(t, hook.Config, "secret")
-	assert.Contains(t, hook.Config, "authorization_header")
+	assert.Equal(t, "Bearer token123", hook.AuthorizationHeader)
 	assert.Equal(t, []string{"push", "pull_request", "issues"}, hook.Events)
 }

modules/task/labels.go

@@ -13,8 +13,10 @@ import (
 // ResolveLabelNames returns a list of label IDs for a given list of label names
 func ResolveLabelNames(client *gitea.Client, owner, repo string, labelNames []string) ([]int64, error) {
 	labelIDs := make([]int64, 0, len(labelNames))
-	labels, _, err := client.ListRepoLabels(owner, repo, gitea.ListLabelsOptions{
-		ListOptions: gitea.ListOptions{Page: -1},
+	page := 1
+	for {
+		labels, resp, err := client.ListRepoLabels(owner, repo, gitea.ListLabelsOptions{
+			ListOptions: gitea.ListOptions{Page: page, PageSize: 50},
 		})
 		if err != nil {
 			return nil, err
@@ -24,6 +26,11 @@ func ResolveLabelNames(client *gitea.Client, owner, repo string, labelNames []st
 				labelIDs = append(labelIDs, l.ID)
 			}
 		}
+		if resp == nil || resp.NextPage == 0 {
+			break
+		}
+		page = resp.NextPage
+	}
 	return labelIDs, nil
 }
 

modules/task/login_create.go

@@ -166,12 +166,20 @@ func generateToken(login config.Login, user, pass, otp, scopes string) (string,
 	}
 	client := login.Client(opts...)
 
-	tl, _, err := client.ListAccessTokens(gitea.ListAccessTokensOptions{
-		ListOptions: gitea.ListOptions{Page: -1},
+	var tl []*gitea.AccessToken
+	for page := 1; ; {
+		page_tokens, resp, err := client.ListAccessTokens(gitea.ListAccessTokensOptions{
+			ListOptions: gitea.ListOptions{Page: page, PageSize: 50},
 		})
 		if err != nil {
 			return "", err
 		}
+		tl = append(tl, page_tokens...)
+		if resp == nil || resp.NextPage == 0 {
+			break
+		}
+		page = resp.NextPage
+	}
 	host, _ := os.Hostname()
 	tokenName := host + "-tea"
 

modules/task/login_ssh.go

@@ -19,12 +19,23 @@ import (
 // a matching private key in ~/.ssh/. If no match is found, path is empty.
 func findSSHKey(client *gitea.Client) (string, error) {
 	// get keys registered on gitea instance
-	keys, _, err := client.ListMyPublicKeys(gitea.ListPublicKeysOptions{
-		ListOptions: gitea.ListOptions{Page: -1},
+	var keys []*gitea.PublicKey
+	for page := 1; ; {
+		page_keys, resp, err := client.ListMyPublicKeys(gitea.ListPublicKeysOptions{
+			ListOptions: gitea.ListOptions{Page: page, PageSize: 50},
 		})
-	if err != nil || len(keys) == 0 {
+		if err != nil {
 			return "", err
 		}
+		keys = append(keys, page_keys...)
+		if resp == nil || resp.NextPage == 0 {
+			break
+		}
+		page = resp.NextPage
+	}
+	if len(keys) == 0 {
+		return "", nil
+	}
 
 	// enumerate ~/.ssh/*.pub files
 	glob, err := utils.AbsPathWithExpansion("~/.ssh/*.pub")

modules/task/pull_review_comment.go

@@ -14,12 +14,20 @@ import (
 func ListPullReviewComments(ctx *context.TeaContext, idx int64) ([]*gitea.PullReviewComment, error) {
 	c := ctx.Login.Client()
 
-	reviews, _, err := c.ListPullReviews(ctx.Owner, ctx.Repo, idx, gitea.ListPullReviewsOptions{
-		ListOptions: gitea.ListOptions{Page: -1},
+	var reviews []*gitea.PullReview
+	for page := 1; ; {
+		page_reviews, resp, err := c.ListPullReviews(ctx.Owner, ctx.Repo, idx, gitea.ListPullReviewsOptions{
+			ListOptions: gitea.ListOptions{Page: page, PageSize: 50},
 		})
 		if err != nil {
 			return nil, err
 		}
+		reviews = append(reviews, page_reviews...)
+		if resp == nil || resp.NextPage == 0 {
+			break
+		}
+		page = resp.NextPage
+	}
 
 	var allComments []*gitea.PullReviewComment
 	for _, review := range reviews {

tests/README.md

@@ -0,0 +1,10 @@
+This directory contains integration tests that exercise tea against external services or external executables.
+
+- Unit tests stay next to the packages they cover.
+- Integration tests live under `tests/` so they can be run separately.
+
+Common targets:
+
+- `make unit-test`
+- `make integration-test`
+- `make test`

tests/integration/admin_users_test.go

@@ -0,0 +1,139 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"code.gitea.io/sdk/gitea"
+	teacmd "code.gitea.io/tea/cmd"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func runAdminCommand(t *testing.T, args []string) error {
+	t.Helper()
+
+	adminCmd := teacmd.CmdAdmin
+	return adminCmd.Run(context.Background(), args)
+}
+
+func createAdminTestUser(t *testing.T, client *gitea.Client, username, password string) {
+	t.Helper()
+
+	mustChangePassword := false
+	user, _, err := client.AdminCreateUser(gitea.CreateUserOption{
+		LoginName:          username,
+		Username:           username,
+		Email:              username + "@example.com",
+		Password:           password,
+		MustChangePassword: &mustChangePassword,
+	})
+	require.NoError(t, err)
+	require.Equal(t, username, user.UserName)
+
+	t.Cleanup(func() {
+		if _, err := client.AdminDeleteUser(username); err != nil {
+			t.Logf("failed to delete integration test user %q: %v", username, err)
+		}
+	})
+}
+
+func TestAdminUsersCreateRequiresEmail(t *testing.T) {
+	login := createIntegrationLogin(t)
+
+	err := runAdminCommand(t, []string{
+		"admin", "users", "create",
+		"--username", fmt.Sprintf("create-no-email-%d", time.Now().UnixNano()),
+		"--password", "secret123",
+		"--login", login.Name,
+	})
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "email")
+}
+
+func TestAdminUsersCreateAndDelete(t *testing.T) {
+	login := createIntegrationLogin(t)
+	client := login.Client()
+	username := fmt.Sprintf("tea-admin-create-%d", time.Now().UnixNano())
+
+	err := runAdminCommand(t, []string{
+		"admin", "users", "create",
+		"--username", username,
+		"--email", username + "@example.com",
+		"--password", "secret123",
+		"--admin",
+		"--prohibit-login",
+		"--visibility", "limited",
+		"--login", login.Name,
+	})
+	require.NoError(t, err)
+
+	createdUser, _, err := client.GetUserInfo(username)
+	require.NoError(t, err)
+	assert.Equal(t, username, createdUser.UserName)
+	assert.Equal(t, username+"@example.com", createdUser.Email)
+	assert.True(t, createdUser.IsAdmin)
+	assert.True(t, createdUser.ProhibitLogin)
+	assert.Equal(t, gitea.VisibleTypeLimited, createdUser.Visibility)
+
+	err = runAdminCommand(t, []string{
+		"admin", "users", "delete", username,
+		"--confirm",
+		"--login", login.Name,
+	})
+	require.NoError(t, err)
+
+	_, _, err = client.GetUserInfo(username)
+	require.Error(t, err)
+}
+
+func TestAdminUsersEdit(t *testing.T) {
+	login := createIntegrationLogin(t)
+	client := login.Client()
+	username := fmt.Sprintf("tea-admin-edit-%d", time.Now().UnixNano())
+	oldPassword := "old-secret"
+	newPassword := "new-secret"
+	createAdminTestUser(t, client, username, oldPassword)
+
+	passwordFile := filepath.Join(t.TempDir(), "password.txt")
+	require.NoError(t, os.WriteFile(passwordFile, []byte(newPassword+"\n"), 0o600))
+
+	err := runAdminCommand(t, []string{
+		"admin", "users", "edit", username,
+		"--email", username + "+new@example.com",
+		"--full-name", "Tea Integration",
+		"--restricted",
+		"--password-file", passwordFile,
+		"--no-must-change-password",
+		"--visibility", "private",
+		"--login", login.Name,
+	})
+	require.NoError(t, err)
+
+	updatedUser, _, err := client.GetUserInfo(username)
+	require.NoError(t, err)
+	assert.Equal(t, username+"+new@example.com", updatedUser.Email)
+	assert.Equal(t, "Tea Integration", updatedUser.FullName)
+	assert.True(t, updatedUser.IsActive)
+	assert.True(t, updatedUser.Restricted)
+	assert.False(t, updatedUser.ProhibitLogin)
+	assert.Equal(t, gitea.VisibleTypePrivate, updatedUser.Visibility)
+
+	passwordClient, err := gitea.NewClient(
+		integrationGiteaURL,
+		gitea.SetBasicAuth(username, newPassword),
+		gitea.SetGiteaVersion(""),
+	)
+	require.NoError(t, err)
+
+	me, _, err := passwordClient.GetMyUserInfo()
+	require.NoError(t, err)
+	assert.Equal(t, username, me.UserName)
+}

tests/integration/config_lock_unix_test.go

@@ -3,7 +3,7 @@
 
 //go:build unix
 
-package config
+package integration
 
 import (
 	"fmt"
@@ -12,10 +12,11 @@ import (
 	"path/filepath"
 	"testing"
 	"time"
+
+	"code.gitea.io/tea/modules/config"
 )
 
 func TestConfigLock_CrossProcess(t *testing.T) {
-	// Create a temp directory for test
 	tmpDir, err := os.MkdirTemp("", "tea-lock-test")
 	if err != nil {
 		t.Fatalf("failed to create temp dir: %v", err)
@@ -24,15 +25,16 @@ func TestConfigLock_CrossProcess(t *testing.T) {
 
 	lockPath := filepath.Join(tmpDir, "config.yml.lock")
 
-	// Acquire lock in main process
-	unlock, err := acquireConfigLock(lockPath, 5*time.Second)
+	unlock, err := config.AcquireConfigLockForTesting(lockPath, 5*time.Second)
 	if err != nil {
 		t.Fatalf("failed to acquire lock: %v", err)
 	}
-	defer unlock()
+	defer func() {
+		if err := unlock(); err != nil {
+			t.Fatalf("failed to release lock: %v", err)
+		}
+	}()
 
-	// Spawn a subprocess that tries to acquire the same lock
-	// The subprocess should fail to acquire within timeout
 	script := fmt.Sprintf(`
 package main
 
@@ -48,19 +50,16 @@ func main() {
 	}
 	defer file.Close()
 
-	// Try non-blocking lock
 	err = syscall.Flock(int(file.Fd()), syscall.LOCK_EX|syscall.LOCK_NB)
 	if err != nil {
-		// Lock is held - expected behavior
 		os.Exit(0)
 	}
-	// Lock was acquired - unexpected
+
 	syscall.Flock(int(file.Fd()), syscall.LOCK_UN)
 	os.Exit(1)
 }
 `, lockPath)
 
-	// Write and run the test script
 	scriptPath := filepath.Join(tmpDir, "locktest.go")
 	if err := os.WriteFile(scriptPath, []byte(script), 0o600); err != nil {
 		t.Fatalf("failed to write test script: %v", err)
@@ -78,5 +77,4 @@ func main() {
 			t.Errorf("subprocess execution failed: %v", err)
 		}
 	}
-	// Exit code 0 means lock was properly held - success
 }

tests/integration/context_init_test.go

@@ -0,0 +1,59 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"os"
+	"os/exec"
+	"testing"
+
+	"code.gitea.io/tea/modules/config"
+	teacontext "code.gitea.io/tea/modules/context"
+	"github.com/stretchr/testify/require"
+	"github.com/urfave/cli/v3"
+)
+
+func TestInitCommand_WithRepoSlugSkipsLocalRepoDetection(t *testing.T) {
+	tmpDir := t.TempDir()
+	config.SetConfigForTesting(config.LocalConfig{
+		Logins: []config.Login{{
+			Name:    "test-login",
+			URL:     "https://gitea.example.com",
+			Token:   "token",
+			User:    "login-user",
+			Default: true,
+		}},
+	})
+
+	cmd := exec.Command("git", "init", "--object-format=sha256", tmpDir)
+	cmd.Env = os.Environ()
+	require.NoError(t, cmd.Run())
+
+	oldWd, err := os.Getwd()
+	require.NoError(t, err)
+	require.NoError(t, os.Chdir(tmpDir))
+	t.Cleanup(func() {
+		require.NoError(t, os.Chdir(oldWd))
+	})
+
+	cliCmd := cli.Command{
+		Name: "branches",
+		Flags: []cli.Flag{
+			&cli.StringFlag{Name: "login"},
+			&cli.StringFlag{Name: "repo"},
+			&cli.StringFlag{Name: "remote"},
+			&cli.StringFlag{Name: "output"},
+		},
+	}
+	require.NoError(t, cliCmd.Set("repo", "owner/repo"))
+
+	ctx, err := teacontext.InitCommand(&cliCmd)
+	require.NoError(t, err)
+	require.Equal(t, "owner", ctx.Owner)
+	require.Equal(t, "repo", ctx.Repo)
+	require.Equal(t, "owner/repo", ctx.RepoSlug)
+	require.Nil(t, ctx.LocalRepo)
+	require.NotNil(t, ctx.Login)
+	require.Equal(t, "test-login", ctx.Login.Name)
+}

tests/integration/git_repo_test.go

@@ -1,7 +1,7 @@
 // Copyright 2025 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
-package git
+package integration
 
 import (
 	"os"
@@ -9,11 +9,11 @@ import (
 	"path/filepath"
 	"testing"
 
+	teagit "code.gitea.io/tea/modules/git"
 	"github.com/stretchr/testify/assert"
 )
 
 func TestRepoFromPath_Worktree(t *testing.T) {
-	// Create a temporary directory for test
 	tmpDir, err := os.MkdirTemp("", "tea-worktree-test-*")
 	assert.NoError(t, err)
 	defer os.RemoveAll(tmpDir)
@@ -21,21 +21,17 @@ func TestRepoFromPath_Worktree(t *testing.T) {
 	mainRepoPath := filepath.Join(tmpDir, "main-repo")
 	worktreePath := filepath.Join(tmpDir, "worktree")
 
-	// Initialize main repository
 	cmd := exec.Command("git", "init", mainRepoPath)
 	assert.NoError(t, cmd.Run())
 
-	// Configure git for the test
 	cmd = exec.Command("git", "-C", mainRepoPath, "config", "user.email", "test@example.com")
 	assert.NoError(t, cmd.Run())
 	cmd = exec.Command("git", "-C", mainRepoPath, "config", "user.name", "Test User")
 	assert.NoError(t, cmd.Run())
 
-	// Add a remote to the main repository
 	cmd = exec.Command("git", "-C", mainRepoPath, "remote", "add", "origin", "https://gitea.com/owner/repo.git")
 	assert.NoError(t, cmd.Run())
 
-	// Create an initial commit (required for worktree)
 	readmePath := filepath.Join(mainRepoPath, "README.md")
 	err = os.WriteFile(readmePath, []byte("# Test Repo\n"), 0o644)
 	assert.NoError(t, err)
@@ -44,19 +40,14 @@ func TestRepoFromPath_Worktree(t *testing.T) {
 	cmd = exec.Command("git", "-C", mainRepoPath, "commit", "-m", "Initial commit")
 	assert.NoError(t, cmd.Run())
 
-	// Create a worktree
 	cmd = exec.Command("git", "-C", mainRepoPath, "worktree", "add", worktreePath, "-b", "test-branch")
 	assert.NoError(t, cmd.Run())
 
-	// Test: Open repository from worktree path
-	repo, err := RepoFromPath(worktreePath)
+	repo, err := teagit.RepoFromPath(worktreePath)
 	assert.NoError(t, err, "Should be able to open worktree")
 
-	// Test: Read config from worktree (should read from main repo's config)
 	config, err := repo.Config()
 	assert.NoError(t, err, "Should be able to read config")
-
-	// Verify that remotes are accessible from worktree
 	assert.NotEmpty(t, config.Remotes, "Should be able to read remotes from worktree")
 	assert.Contains(t, config.Remotes, "origin", "Should have origin remote")
 	assert.Equal(t, "https://gitea.com/owner/repo.git", config.Remotes["origin"].URLs[0], "Should have correct remote URL")

tests/integration/helpers_test.go

@@ -0,0 +1,104 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"code.gitea.io/sdk/gitea"
+	"code.gitea.io/tea/modules/config"
+	"code.gitea.io/tea/modules/task"
+	"github.com/stretchr/testify/require"
+)
+
+var (
+	integrationGiteaURL string
+	integrationUsername string
+	integrationPassword string
+	integrationToken    string
+	integrationTokenID  int64
+	integrationSetupErr error
+	integrationClient   *gitea.Client
+)
+
+func TestMain(m *testing.M) {
+	integrationGiteaURL = os.Getenv("GITEA_TEA_TEST_URL")
+	integrationUsername = os.Getenv("GITEA_TEA_TEST_USERNAME")
+	integrationPassword = os.Getenv("GITEA_TEA_TEST_PASSWORD")
+
+	if integrationGiteaURL != "" {
+		if integrationUsername == "" || integrationPassword == "" {
+			integrationSetupErr = fmt.Errorf("GITEA_TEA_TEST_USERNAME and GITEA_TEA_TEST_PASSWORD are required for integration tests")
+		} else {
+			integrationClient, integrationSetupErr = gitea.NewClient(
+				integrationGiteaURL,
+				gitea.SetBasicAuth(integrationUsername, integrationPassword),
+				gitea.SetGiteaVersion(""),
+			)
+			if integrationSetupErr == nil {
+				tokenName := fmt.Sprintf("tea-integration-%d", time.Now().UnixNano())
+				var token *gitea.AccessToken
+				token, _, integrationSetupErr = integrationClient.CreateAccessToken(gitea.CreateAccessTokenOption{
+					Name:   tokenName,
+					Scopes: []gitea.AccessTokenScope{gitea.AccessTokenScopeAll},
+				})
+				if integrationSetupErr == nil {
+					integrationToken = token.Token
+					integrationTokenID = token.ID
+				}
+			}
+		}
+	}
+
+	exitCode := m.Run()
+
+	if integrationClient != nil && integrationTokenID != 0 {
+		if _, err := integrationClient.DeleteAccessToken(integrationTokenID); err != nil {
+			fmt.Fprintf(os.Stderr, "failed to delete integration token %d: %v\n", integrationTokenID, err)
+			if exitCode == 0 {
+				exitCode = 1
+			}
+		}
+	}
+
+	os.Exit(exitCode)
+}
+
+func useTempConfigPath(t *testing.T) string {
+	t.Helper()
+
+	configPath := filepath.Join(t.TempDir(), "config.yml")
+	config.SetConfigPathForTesting(configPath)
+	config.SetConfigForTesting(config.LocalConfig{})
+	t.Cleanup(func() {
+		config.SetConfigForTesting(config.LocalConfig{})
+		config.SetConfigPathForTesting("")
+	})
+
+	return configPath
+}
+
+func createIntegrationLogin(t *testing.T) *config.Login {
+	t.Helper()
+
+	_ = useTempConfigPath(t)
+	if integrationGiteaURL == "" {
+		t.Skip("GITEA_TEA_TEST_URL is not set, skipping integration test")
+	}
+	require.NoError(t, integrationSetupErr)
+
+	require.NotEmpty(t, integrationToken, "integration token setup failed")
+
+	require.NoError(t, task.CreateLogin("integration", integrationToken, "", "", "", "", "", integrationGiteaURL, "", "", true, false, false, false))
+
+	login, err := config.GetLoginByName("integration")
+	require.NoError(t, err)
+	require.NotNil(t, login)
+
+	return login
+}

tests/integration/repos_create_test.go

@@ -1,28 +1,26 @@
 // Copyright 2025 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
-package repos
+package integration
 
 import (
 	"context"
 	"fmt"
-	"os"
 	"testing"
 	"time"
 
 	"code.gitea.io/sdk/gitea"
-	"code.gitea.io/tea/modules/task"
+	"code.gitea.io/tea/cmd/repos"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"github.com/urfave/cli/v3"
 )
 
 func TestCreateRepoObjectFormat(t *testing.T) {
-	giteaURL := os.Getenv("GITEA_TEA_TEST_URL")
-	if giteaURL == "" {
-		t.Skip("GITEA_TEA_TEST_URL is not set, skipping test")
-	}
-
+	login := createIntegrationLogin(t)
+	client := login.Client()
 	timestamp := time.Now().Unix()
+
 	tests := []struct {
 		name        string
 		args        []string
@@ -56,22 +54,15 @@ func TestCreateRepoObjectFormat(t *testing.T) {
 		},
 	}
 
-	giteaUserName := os.Getenv("GITEA_TEA_TEST_USERNAME")
-	giteaUserPasword := os.Getenv("GITEA_TEA_TEST_PASSWORD")
-
-	err := task.CreateLogin("test", "", giteaUserName, giteaUserPasword, "", "", "", giteaURL, "", "", true, false, false, false)
-	if err != nil && err.Error() != "login name 'test' has already been used" {
-		t.Fatal(err)
-	}
-
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			reposCmd := &cli.Command{
 				Name:     "repos",
-				Commands: []*cli.Command{&CmdRepoCreate},
+				Commands: []*cli.Command{&repos.CmdRepoCreate},
 			}
-			tt.args = append(tt.args, "--login", "test")
+
 			args := append([]string{"repos", "create"}, tt.args...)
+			args = append(args, "--login", login.Name)
 
 			err := reposCmd.Run(context.Background(), args)
 			if tt.wantErr {
@@ -82,7 +73,12 @@ func TestCreateRepoObjectFormat(t *testing.T) {
 				return
 			}
 
-			assert.NoError(t, err)
+			require.NoError(t, err)
+			t.Cleanup(func() {
+				if _, delErr := client.DeleteRepo(login.User, tt.wantOpts.Name); delErr != nil {
+					t.Logf("failed to delete integration test repo %q: %v", tt.wantOpts.Name, delErr)
+				}
+			})
 		})
 	}
 }

tests/integration/sshkeys_test.go

@@ -0,0 +1,115 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"context"
+	"crypto/ed25519"
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+	"os"
+	"strconv"
+	"testing"
+	"time"
+
+	"code.gitea.io/sdk/gitea"
+	sshkeyscmd "code.gitea.io/tea/cmd/sshkeys"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/urfave/cli/v3"
+	"golang.org/x/crypto/ssh"
+)
+
+// generateTestPublicKey creates a fresh ed25519 keypair and returns a temp
+// file path containing the public key in authorized_keys format.
+func generateTestPublicKey(t *testing.T) string {
+	t.Helper()
+
+	_, priv, err := ed25519.GenerateKey(rand.Reader)
+	require.NoError(t, err)
+
+	sshPub, err := ssh.NewPublicKey(priv.Public())
+	require.NoError(t, err)
+
+	pubKeyStr := fmt.Sprintf("ssh-ed25519 %s tea-test-key", base64.StdEncoding.EncodeToString(sshPub.Marshal()))
+
+	f, err := os.CreateTemp(t.TempDir(), "test-*.pub")
+	require.NoError(t, err)
+	_, err = f.WriteString(pubKeyStr)
+	require.NoError(t, err)
+	require.NoError(t, f.Close())
+
+	return f.Name()
+}
+
+func sshKeysCmd() *cli.Command {
+	return &cli.Command{
+		Name: "ssh-keys",
+		Commands: []*cli.Command{
+			&sshkeyscmd.CmdSSHKeyList,
+			&sshkeyscmd.CmdSSHKeyAdd,
+			&sshkeyscmd.CmdSSHKeyDelete,
+		},
+	}
+}
+
+func TestSSHKeyAddAndDelete(t *testing.T) {
+	login := createIntegrationLogin(t)
+	pubKeyFile := generateTestPublicKey(t)
+	keyTitle := fmt.Sprintf("tea-test-%d", time.Now().Unix())
+
+	cmd := sshKeysCmd()
+	client := login.Client()
+
+	err := cmd.Run(context.Background(), []string{
+		"ssh-keys", "add", pubKeyFile,
+		"--title", keyTitle,
+		"--login", login.Name,
+	})
+	require.NoError(t, err)
+
+	keys, _, err := client.ListMyPublicKeys(gitea.ListPublicKeysOptions{
+		ListOptions: gitea.ListOptions{Page: -1},
+	})
+	require.NoError(t, err)
+
+	var addedKey *gitea.PublicKey
+	for _, key := range keys {
+		if key.Title == keyTitle {
+			addedKey = key
+			break
+		}
+	}
+	require.NotNil(t, addedKey, "added key not found in key list")
+
+	t.Cleanup(func() {
+		client.DeletePublicKey(addedKey.ID) //nolint:errcheck
+	})
+
+	err = cmd.Run(context.Background(), []string{
+		"ssh-keys", "delete", strconv.FormatInt(addedKey.ID, 10),
+		"--confirm",
+		"--login", login.Name,
+	})
+	assert.NoError(t, err)
+
+	_, resp, err := client.GetPublicKey(addedKey.ID)
+	assert.Error(t, err)
+	if assert.NotNil(t, resp) {
+		assert.Equal(t, 404, resp.StatusCode)
+	}
+}
+
+func TestSSHKeyList(t *testing.T) {
+	login := createIntegrationLogin(t)
+
+	cmd := sshKeysCmd()
+	err := cmd.Run(context.Background(), []string{
+		"ssh-keys", "list",
+		"--login", login.Name,
+	})
+	assert.NoError(t, err)
+}