Devlaner · martian56 · May 7, 2026 · May 5, 2026 · May 5, 2026 · May 5, 2026
diff --git a/api/go.mod b/api/go.mod
@@ -11,7 +11,7 @@ require (
 	github.com/minio/minio-go/v7 v7.0.98
 	github.com/rabbitmq/amqp091-go v1.10.0
 	github.com/redis/go-redis/v9 v9.17.3
-	golang.org/x/crypto v0.48.0
+	golang.org/x/crypto v0.50.0
 	gorm.io/driver/postgres v1.6.0
 	gorm.io/gorm v1.31.1
 )
@@ -63,12 +63,12 @@ require (
 	go.uber.org/mock v0.5.0 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/arch v0.20.0 // indirect
-	golang.org/x/mod v0.32.0 // indirect
-	golang.org/x/net v0.49.0 // indirect
-	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/sys v0.41.0 // indirect
-	golang.org/x/text v0.34.0 // indirect
-	golang.org/x/tools v0.41.0 // indirect
+	golang.org/x/mod v0.34.0 // indirect
+	golang.org/x/net v0.53.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/sys v0.43.0 // indirect
+	golang.org/x/text v0.36.0 // indirect
+	golang.org/x/tools v0.43.0 // indirect
 	google.golang.org/protobuf v1.36.9 // indirect
 	modernc.org/libc v1.22.5 // indirect
 	modernc.org/mathutil v1.5.0 // indirect

diff --git a/api/go.sum b/api/go.sum
@@ -191,19 +191,33 @@ golang.org/x/arch v0.20.0 h1:dx1zTU0MAE98U+TQ8BLl7XsJbgze2WnNKF/8tGp/Q6c=
 golang.org/x/arch v0.20.0/go.mod h1:bdwinDaKcfZUGpH09BB7ZmOfhalA8lQdzl62l8gGWsk=
 golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
 golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
+golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
+golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
 golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
 golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
+golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI=
+golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=
 golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
 golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
+golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
+golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
 golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
 golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
 golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
 golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
 golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
+golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
+golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
 google.golang.org/protobuf v1.36.9 h1:w2gp2mA27hUeUzj9Ex9FBjsBm40zfaDtEWow293U7Iw=
 google.golang.org/protobuf v1.36.9/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

diff --git a/api/internal/handler/issue.go b/api/internal/handler/issue.go
@@ -434,6 +434,94 @@ func (h *IssueHandler) Delete(c *gin.Context) {
 	c.Status(http.StatusNoContent)
 }
 
+// IsSubscribed reports whether the current user is subscribed to the issue.
+// GET /api/workspaces/:slug/projects/:projectId/issues/:pk/subscribe/
+func (h *IssueHandler) IsSubscribed(c *gin.Context) {
+	user := middleware.GetUser(c)
+	if user == nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication required"})
+		return
+	}
+	slug := c.Param("slug")
+	projectID, err := uuid.Parse(c.Param("projectId"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid project ID"})
+		return
+	}
+	iid, ok := issueID(c)
+	if !ok {
+		return
+	}
+	subscribed, err := h.Issue.IsSubscribed(c.Request.Context(), slug, projectID, iid, user.ID)
+	if err != nil {
+		if err == service.ErrIssueNotFound || err == service.ErrProjectForbidden {
+			c.JSON(http.StatusNotFound, gin.H{"error": "Issue not found"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to check subscription"})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{"subscribed": subscribed})
+}
+
+// Subscribe subscribes the current user to issue activity.
+// POST /api/workspaces/:slug/projects/:projectId/issues/:pk/subscribe/
+func (h *IssueHandler) Subscribe(c *gin.Context) {
+	user := middleware.GetUser(c)
+	if user == nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication required"})
+		return
+	}
+	slug := c.Param("slug")
+	projectID, err := uuid.Parse(c.Param("projectId"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid project ID"})
+		return
+	}
+	iid, ok := issueID(c)
+	if !ok {
+		return
+	}
+	if err := h.Issue.Subscribe(c.Request.Context(), slug, projectID, iid, user.ID); err != nil {
+		if err == service.ErrIssueNotFound || err == service.ErrProjectForbidden {
+			c.JSON(http.StatusNotFound, gin.H{"error": "Issue not found"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to subscribe"})
+		return
+	}
+	c.Status(http.StatusNoContent)
+}
+
+// Unsubscribe removes the current user's subscription.
+// DELETE /api/workspaces/:slug/projects/:projectId/issues/:pk/subscribe/
+func (h *IssueHandler) Unsubscribe(c *gin.Context) {
+	user := middleware.GetUser(c)
+	if user == nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication required"})
+		return
+	}
+	slug := c.Param("slug")
+	projectID, err := uuid.Parse(c.Param("projectId"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid project ID"})
+		return
+	}
+	iid, ok := issueID(c)
+	if !ok {
+		return
+	}
+	if err := h.Issue.Unsubscribe(c.Request.Context(), slug, projectID, iid, user.ID); err != nil {
+		if err == service.ErrIssueNotFound || err == service.ErrProjectForbidden {
+			c.JSON(http.StatusNotFound, gin.H{"error": "Issue not found"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to unsubscribe"})
+		return
+	}
+	c.Status(http.StatusNoContent)
+}
+
 // ListActivities returns the chronological activity log for an issue.
 // GET /api/workspaces/:slug/projects/:projectId/issues/:pk/activities/
 func (h *IssueHandler) ListActivities(c *gin.Context) {

diff --git a/api/internal/handler/notification.go b/api/internal/handler/notification.go
@@ -2,9 +2,11 @@ package handler
 
 import (
 	"net/http"
+	"time"
 
 	"github.com/Devlaner/devlane/api/internal/middleware"
 	"github.com/Devlaner/devlane/api/internal/service"
+	"github.com/Devlaner/devlane/api/internal/store"
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 )
@@ -15,16 +17,31 @@ type NotificationHandler struct {
 }
 
 // List returns notifications for the current user in the workspace.
-// GET /api/workspaces/:slug/notifications/
+// GET /api/workspaces/:slug/notifications/?unread_only=true|false&mentions=true|false
 func (h *NotificationHandler) List(c *gin.Context) {
 	user := middleware.GetUser(c)
 	if user == nil {
 		c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication required"})
 		return
 	}
 	slug := c.Param("slug")
-	unreadOnly := c.Query("unread_only") == "true"
-	list, err := h.Notification.List(c.Request.Context(), slug, user.ID, unreadOnly)
+	opts := store.ListOpts{
+		UnreadOnly:   c.Query("unread_only") == "true",
+		MentionsOnly: c.Query("mentions") == "true",
+	}
+	switch c.Query("archived") {
+	case "true":
+		t := true
+		opts.Archived = &t
+		// Archived view should also surface snoozed rows so users can manage
+		// them — otherwise a row that was both archived and snoozed becomes
+		// invisible until the snooze expires.
+		opts.IncludeSnoozed = true
+	case "all":
+		opts.IncludeArchived = true
+		opts.IncludeSnoozed = true
+	}
+	list, err := h.Notification.List(c.Request.Context(), slug, user.ID, opts)
 	if err != nil {
 		if err == service.ErrProjectForbidden {
 			c.JSON(http.StatusNotFound, gin.H{"error": "Not found"})
@@ -36,6 +53,28 @@ func (h *NotificationHandler) List(c *gin.Context) {
 	c.JSON(http.StatusOK, list)
 }
 
+// UnreadCount returns the number of unread notifications for the current user
+// in the workspace, with the mentions count broken out for the bell badge.
+// GET /api/workspaces/:slug/notifications/unread-count/
+func (h *NotificationHandler) UnreadCount(c *gin.Context) {
+	user := middleware.GetUser(c)
+	if user == nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication required"})
+		return
+	}
+	slug := c.Param("slug")
+	total, mentions, err := h.Notification.UnreadCount(c.Request.Context(), slug, user.ID)
+	if err != nil {
+		if err == service.ErrProjectForbidden {
+			c.JSON(http.StatusNotFound, gin.H{"error": "Not found"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to count notifications"})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{"total": total, "mentions": mentions})
+}
+
 // MarkRead marks a notification as read.
 // POST /api/workspaces/:slug/notifications/:id/read/
 func (h *NotificationHandler) MarkRead(c *gin.Context) {
@@ -60,6 +99,139 @@ func (h *NotificationHandler) MarkRead(c *gin.Context) {
 	c.Status(http.StatusNoContent)
 }
 
+// SnoozeRequest is the body for the Snooze endpoint.
+type SnoozeRequest struct {
+	Until time.Time `json:"until"`
+}
+
+// Snooze hides a notification until the given timestamp.
+// POST /api/workspaces/:slug/notifications/:id/snooze/   body: {"until": "2026-05-06T09:00:00Z"}
+func (h *NotificationHandler) Snooze(c *gin.Context) {
+	user := middleware.GetUser(c)
+	if user == nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication required"})
+		return
+	}
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid notification ID"})
+		return
+	}
+	var req SnoozeRequest
+	if err := c.ShouldBindJSON(&req); err != nil || req.Until.IsZero() {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request"})
+		return
+	}
+	if err := h.Notification.Snooze(c.Request.Context(), id, user.ID, req.Until); err != nil {
+		switch err {
+		case service.ErrProjectForbidden:
+			c.JSON(http.StatusNotFound, gin.H{"error": "Not found"})
+		case service.ErrInvalidSnooze:
+			c.JSON(http.StatusBadRequest, gin.H{"error": "Snooze time must be in the future"})
+		default:
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to snooze"})
+		}
+		return
+	}
+	c.Status(http.StatusNoContent)
+}
+
+// Unsnooze clears a notification's snooze.
+// DELETE /api/workspaces/:slug/notifications/:id/snooze/
+func (h *NotificationHandler) Unsnooze(c *gin.Context) {
+	user := middleware.GetUser(c)
+	if user == nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication required"})
+		return
+	}
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid notification ID"})
+		return
+	}
+	if err := h.Notification.Unsnooze(c.Request.Context(), id, user.ID); err != nil {
+		if err == service.ErrProjectForbidden {
+			c.JSON(http.StatusNotFound, gin.H{"error": "Not found"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to unsnooze"})
+		return
+	}
+	c.Status(http.StatusNoContent)
+}
+
+// Archive flags a notification as archived for the receiver.
+// POST /api/workspaces/:slug/notifications/:id/archive/
+func (h *NotificationHandler) Archive(c *gin.Context) {
+	user := middleware.GetUser(c)
+	if user == nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication required"})
+		return
+	}
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid notification ID"})
+		return
+	}
+	if err := h.Notification.Archive(c.Request.Context(), id, user.ID); err != nil {
+		if err == service.ErrProjectForbidden {
+			c.JSON(http.StatusNotFound, gin.H{"error": "Not found"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to archive"})
+		return
+	}
+	c.Status(http.StatusNoContent)
+}
+
+// Unarchive restores an archived notification.
+// DELETE /api/workspaces/:slug/notifications/:id/archive/
+func (h *NotificationHandler) Unarchive(c *gin.Context) {
+	user := middleware.GetUser(c)
+	if user == nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication required"})
+		return
+	}
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid notification ID"})
+		return
+	}
+	if err := h.Notification.Unarchive(c.Request.Context(), id, user.ID); err != nil {
+		if err == service.ErrProjectForbidden {
+			c.JSON(http.StatusNotFound, gin.H{"error": "Not found"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to unarchive"})
+		return
+	}
+	c.Status(http.StatusNoContent)
+}
+
+// MarkUnread re-flags a previously-read notification.
+// DELETE /api/workspaces/:slug/notifications/:id/read/
+func (h *NotificationHandler) MarkUnread(c *gin.Context) {
+	user := middleware.GetUser(c)
+	if user == nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication required"})
+		return
+	}
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid notification ID"})
+		return
+	}
+	if err := h.Notification.MarkUnread(c.Request.Context(), id, user.ID); err != nil {
+		if err == service.ErrProjectForbidden {
+			c.JSON(http.StatusNotFound, gin.H{"error": "Not found"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to mark unread"})
+		return
+	}
+	c.Status(http.StatusNoContent)
+}
+
 // MarkAllRead marks all workspace notifications as read for the current user.
 // POST /api/workspaces/:slug/notifications/mark-all-read/
 func (h *NotificationHandler) MarkAllRead(c *gin.Context) {