392 Commits

Author	SHA1	Message	Date
jmiller	d2d7c0a762	feat: add ability to edit API token scopes (#697) ... Add PATCH /users/{username}/tokens/{id} API endpoint and web UI edit button so token scopes can be modified after creation without having to delete and recreate the token.	2026-06-25 09:57:59 -05:00
Jonathan Miller	3a405033ae	feat: add product tier admin UI with CRUD and license counts (#627) ... Admin page at /-/admin/license-tiers for managing product tiers: - Tier list with key, name, repos, max domains, license count, sort order - Create new tier form with repo input - Delete tier (blocked if active licenses exist) - Nav item added to admin sidebar	2026-06-20 20:14:24 -05:00
Jonathan Miller	9b9e5ae964	feat(settings): separate update server page from metadata ... - /settings/metadata: project identity + custom fields - /settings/updateserver: enable, platform, visibility, gating, keys - Update server nav link shown when LicensingEnabled - Old /settings/licensing and /settings/manifest redirect	2026-06-09 23:34:26 -05:00
Jonathan Miller	e1ca5cdfc4	feat(settings): consolidate manifest + custom fields into metadata page ... - Merge project identity (manifest), update server config, and custom fields into single /settings/metadata page - Three sections: Project Identity, Update Server, Custom Fields - Old /settings/manifest and /settings/licensing redirect to /metadata - Single nav link replaces two separate entries	2026-06-09 23:24:35 -05:00
Jonathan Miller	1caf26453f	feat: issue metadata API + org wiki tab with internal/external mode ... Issue Status/Priority/Type API: - Expose status_id, priority_id, type_id (with resolved names) on Issue API struct - New endpoints: GET /orgs/{org}/issue-statuses, /issue-priorities, /issue-types - CreateIssue and EditIssue handlers accept status_id, priority_id, type_id - MCP tools: 5 new tools + updated create/update with metadata params Org Wiki Tab: - Convention repos: wiki (public) and wiki-private (members-only) - Inline wiki rendering with markdown pipeline, sidebar, footer, page list - Public/private view dropdown (same UX as org profile README selector) - External wiki mode: link to outside URL from wiki tab - Wiki mode setting in org settings (internal vs external with URL field) - Migration 354: add wiki_mode and wiki_url to user table	2026-06-09 10:20:54 -05:00
Jonathan Miller	37d59e7b59	feat(cdn): built-in CDN for release asset delivery (#561) ... Add CDN system that serves release assets via a dedicated hostname (e.g., cdn.mokoconsulting.tech) with per-asset public/private toggles, IP/referrer allowlists, and aggressive caching headers. - Host-based routing intercepts CDN domain before auth middleware - Per-attachment cdn_public flag controls CDN visibility - Releases in an update stream are excluded from CDN (update server takes precedence) - CORS, ETag, Cache-Control headers for downstream CDN compatibility - IP/CIDR and referrer domain allowlists for abuse prevention	2026-06-07 11:07:30 -05:00
Jonathan Miller	2cc4f7c047	feat: org settings for Issue Types + MCP SSE hosted + npm auto-publish ... - Org settings page for managing Issue Type definitions (CRUD) - MCP SSE endpoint deployed at git.mokoconsulting.tech/mcp/ - npm auto-publish workflow on MCP source changes to main	2026-06-06 19:52:55 -05:00
Jonathan Miller	dd1454c3cf	feat(issues): first-class Type field + status/priority/type badges in issue list ... - IssueTypeDef model with auto-seed defaults (Bug, Feature, Enhancement, Task, Documentation, Security) - Migration v350 adding issue_type_def table + type_id on issues - Type dropdown in issue sidebar - Type, Priority, Status colored badges in issue list view - Status/Priority/Type definitions loaded in issue list handler	2026-06-06 17:12:44 -05:00
Jonathan Miller	72708b5a99	feat(security): add Security tab to repo navigation (#508) ... Add a top-level Security tab in the repo header (visible to admins only) showing alerts, scan controls, and severity badges. Links to settings page for scanner configuration. Alert file paths link directly to the source file.	2026-06-06 16:35:55 -05:00
Jonathan Miller	f7c1904625	feat(security): built-in security scanning platform (#508) ... Add a pluggable security scanning framework with secret detection as the first scanner module. Scans run on push to default branch and on-demand via the Security settings page. Includes: - Scanner interface for pluggable scanner types - Secret scanner with 15 built-in patterns (AWS, GitHub, Stripe, etc.) - SecurityAlert model with fingerprint-based dedup - SecurityScannerConfig per-repo settings - Migration v349 for security tables - Repo settings Security page with alerts table - Scan Now button for on-demand scanning - Alert resolve/dismiss actions - Push-time scanning in post-receive hook	2026-06-06 16:23:08 -05:00
Jonathan Miller	55c2f81c58	feat(issues): org-level priority field with customizable levels (#509) ... Add org-level issue priority definitions that appear in the issue sidebar. Each priority has a name, color, sort order, and optional default flag. Follows the same architecture as custom statuses (#502). Includes: - IssuePriorityDef model with CRUD operations - Migration v348 adding issue_priority_def table + priority_id on issues - Org settings UI for managing priorities - Issue sidebar dropdown for selecting priority Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-06 11:52:44 -05:00
Jonathan Miller	3aaa7c0843	feat(settings): repo manifest settings with auto-migration and API (#315) ... Add a "Manifest" page in repo settings that stores moko-platform manifest fields (identity, governance, build) in the database. Includes: - RepoManifest model with all manifest.xml fields - Migration v347 adding repo_manifest table - Auto-detect and migrate .mokogitea/manifest.xml on first settings visit - Repo settings UI with Identity/Governance/Build sections - REST API: GET/PUT /api/v1/repos/{owner}/{repo}/manifest for Actions workflows and moko-platform CLI Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-06 09:02:23 -05:00
Jonathan Miller	c568e199ed	feat(issues): custom status definitions with automated actions (#502) ... Add org-level custom issue status definitions that appear in the issue sidebar. Each status has a name, color, description, and an optional "closes issue" flag that automatically closes/reopens the issue when the status is selected. Includes: - IssueStatusDef model with CRUD operations - Migration v346 adding issue_status_def table + status_id on issues - Org settings UI for managing statuses - Issue sidebar dropdown for selecting status - Auto close/reopen when status has closes_issue flag Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-06 08:24:44 -05:00
Jonathan Miller	6bd9548b2a	feat(custom-fields): move to org-level definitions with issue and repo scopes ... - CustomFieldDef now has owner_id (org) and scope (issue/repo) - Issue sidebar loads fields by org owner_id, not repo_id - Org Settings > Custom Fields page for managing field definitions - Repo Settings > Metadata page for filling in repo-scoped values - Migration v345 adds owner_id, scope, entity_id, entity_type columns - Per-repo custom field management replaced by org-level - Replaces .mokogitea/manifest.xml with database-backed metadata Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-04 19:11:22 -05:00
Jonathan Miller	4ec0db8658	feat(issues): show custom fields in issue sidebar with inline editing ... - Load custom field definitions and values in ViewIssue handler - New sidebar template displays dropdown fields with onchange submit - POST handler at /issues/{id}/custom-fields/{field_id} saves values - Dropdown options parsed from JSON and passed to template - Non-dropdown fields display as read-only text - Section appears between Labels and Milestone in sidebar Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-04 13:48:22 -05:00
Jonathan Miller	bab1acdfe3	fix(licenses): fix master key visibility, package creation, and template structure ... - Always show master key prefix and status in a dedicated segment with a Regenerate button that deactivates the old key and creates a new one - Fix broken <details> structure where </details> was inside an {{if}} block, causing malformed HTML - Move create package form into a proper modal instead of a broken details/summary toggle - Add copy button for all key prefixes (not just full keys) - Add POST /licenses/master-key/regenerate route and handler - Add locale keys for regenerate master key feature Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-04 08:47:11 -05:00
Jonathan Miller	c7d8f6066f	feat(issues): custom fields foundation — model, migration, settings UI (#8) ... Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-04 06:46:33 -05:00
Jonathan Miller	89fcbda623	feat(settings): move advanced settings to dedicated /settings/advanced page ... Extract all feature unit settings (Code, Wiki, Issues, Projects, Releases, Packages, Pull Requests) from options.tmpl into a separate advanced.tmpl with its own route at /settings/advanced. Options page now only contains: basic repo settings, avatar, mirror config, signing settings, and danger zone. Navbar updated: Advanced Settings link points to /settings/advanced. Form posts still go through the existing SettingsPost handler. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-02 14:23:49 -05:00
Jonathan Miller	a1ceac6396	feat(settings): separate licensing settings page with navbar entry ... Extract licensing/update feed settings to its own page at /settings/licensing with dedicated template and handler. Navbar additions: - Advanced Settings link (points to existing options page) - Licensing link with key icon (when licensing enabled) New handler: LicensingSettings/LicensingSettingsPost serves the standalone licensing form with all fields (platform, gating, metadata, extensions). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-02 14:02:53 -05:00
Jonathan Miller	ead620daf9	fix(updates): allow update feeds on private repos via lightweight repo loader ... Update feed endpoints (updates.xml, dolibarr.json, wordpress.json, packages.json, prestashop.xml, drupal.xml, whmcs.json, changelog.xml) now use RepoAssignmentPublicFeed instead of the full RepoAssignment. The lightweight loader fetches the repo by owner/name without checking user permissions. Feed handlers gate access via license keys, not repo membership. This allows private repos to serve update feeds to anonymous Joomla/WordPress/Composer clients with valid license keys. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-02 09:36:06 -05:00
Jonathan Miller	02f3ed88f1	feat(updates): PrestaShop (#352), Drupal (#353), WHMCS (#355) update feeds ... PrestaShop: GET /updates/prestashop.xml — module update XML with name, version, download URL, author, SHA256. Serves stable only. Drupal: GET /updates/drupal.xml — update status XML per Drupal API spec. Includes project metadata, all releases with status, download links, SHA256. Uses TargetVersion config for api_version field. WHMCS: GET /updates/whmcs.json — simple JSON with latest stable version, download URL (with dlid), changelog, author. License key embedded in download URL when provided. All three use ResolveReleaseStream for manual/auto stream mapping, readSHA256FromSidecar for integrity hashes, and extractVersion with stream-name tag fallback. Routes registered under the update server group alongside Joomla, Dolibarr, WordPress, and Composer feeds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-02 09:08:03 -05:00
Jonathan Miller	0fb0aea719	feat(updates): Composer packages.json feed (#354), hide menu items for guests ... Composer feed: new endpoint GET /updates/packages.json serving Composer/Packagist-compatible packages.json. Includes version, dist URL with SHA256, authors, PHP requirement. License key embedded in download URL when provided. Menu visibility: Actions and Licenses tabs in repo header now require .IsSigned — anonymous users no longer see tabs they can't access. Previously the tabs were visible but clicking redirected to login (confusing UX). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-02 09:02:00 -05:00
Jonathan Miller	b65b155446	SECURITY: fix release download gating and require login for actions ... Release gating: HideReleaseDownloads now checks download_gating setting in addition to feed_visibility. When licensing is enabled and download_gating != "none", anonymous users see "Sign in to download" instead of download links on the release page. Actions: changed from optSignIn to reqSignIn on the repo actions route group. Anonymous users can no longer view CI/CD runs, logs, or artifacts. This is a MokoGitea policy override — upstream Gitea allows public actions on public repos. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-02 08:40:40 -05:00
Jonathan Miller	1dfa5d8079	SECURITY: require login for licenses page — was accessible anonymously ... The repo licenses route used optSignIn (login optional), allowing anonymous users to view license packages and keys. Changed to reqSignIn to require authentication. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-02 08:25:31 -05:00
Jonathan Miller	1fabdb94ec	feat(updates): WordPress PUC-compatible update feed (#351) ... New endpoint: GET /{owner}/{repo}/updates/wordpress.json Generates JSON compatible with the YahnisElsts plugin-update-checker library — the standard for commercial WordPress plugin self-hosted updates. Returns name, slug, version, download_url, homepage, requires_php, author, sections (changelog HTML), icons, and banners. License key validation: reads from ?license_key=, ?dlid=, or ?key= query params (PUC sends these via addQueryArgFilter). When RequireKey is enabled, returns minimal empty response without download_url. Changelog section built from release notes (last 10 stable releases), converting markdown list items to HTML <ul>/<li> elements. Icon/banner URLs point to conventional paths in the repo: assets/icon-128x128.png, assets/icon-256x256.png assets/banner-772x250.png, assets/banner-1544x500.png Route registered at /updates/wordpress.json alongside existing /updates.xml (Joomla) and /updates/dolibarr.json. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-02 00:01:16 -05:00
Jonathan Miller	448b7d3ab0	feat(licenses): archive, search, download gating, changelog XML, and expanded permissions ... Migration v340: sync all missing columns (key_raw, payment_ref, last_heartbeat_unix, is_archived, licensing_enabled, download_gating, support_url, and all extension metadata fields). Package archiving (#384): add IsArchived field with archive/unarchive handlers and collapsible "Archived Packages" section in templates. Existing keys from archived packages continue to work. Expanded delete permissions (#385): org owners and site admins can permanently delete packages and keys (previously site admin only). Search (#392): server-side search across key_prefix, key_raw, licensee_name, licensee_email, domain_restriction, and payment_ref via ?q= query parameter on both repo and org licenses pages. Sortable tables (#390): Fomantic UI sortable class on keys table with new Domain column showing DomainRestriction per key. Download gating (#347): three modes — none, prerelease-only, and all downloads. CheckDownloadGating() intercepts both release attachment and git archive download handlers. Support URL (#393): configurable SupportURL field on UpdateStreamConfig for wiki or external site links. Changelog XML (#343): ServeChangelogXML endpoint at /changelog.xml generates Joomla-compatible changelog from release notes. Parses Keep-a-Changelog markdown sections into <security>, <fix>, <addition>, <change>, <remove>, <note> XML elements. API renew (#387): POST /license-keys/{id}/renew endpoint extends key expiration by package duration. Closes #384, #385, #386, #387, #389, #390, #392, #393 Refs #343, #346, #347 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-01 04:45:20 -05:00
Jonathan Miller	e998c494b2	fix: resolve tech-debt batch 7 — dead routes, stale FIXMEs, feed revision ... - chore: remove stale mustNotBeArchived FIXME (CanEnableEditor no longer exists) - fix(routes): remove dead /cherry-pick/{sha} route — replaced by /_cherrypick/ - fix(feed): use full ref name instead of ShortName for file feed revision Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-31 13:46:06 -05:00
Jonathan Miller	cd0a803341	fix(issues): deprecate Issue.Ref branch selector UI (#307) ... Remove the branch/tag selector from the issue sidebar and new issue form. The Issue.Ref field was added 8 years ago and provides minimal value — it only saves a branch name and optionally restricts which branch's commits can auto-close the issue. Removed: - Branch selector template (branch_selector_field.tmpl) - Sidebar and new-form includes - Ref badge from issue lists - POST /{index}/ref web route and UpdateIssueRef handler - GetRefEndNamesAndURLs calls from list renderers - JS handler for branch selector dropdown Preserved: - DB column (Issue.Ref) — still used by commit-close logic - API response still includes ref for backward compatibility Closes #307 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-31 13:31:11 -05:00
Jonathan Miller	889f64009b	fix: resolve tech-debt batch 4 — parseIssueHref, job limit, stale TODOs ... - fix(ts): parseIssueHref now uses URL pathname and trims appSubUrl for correct issue link parsing with sub-path deployments - fix(actions): enforce MaxJobNumPerRun (256) limit when creating jobs, rejecting workflows that exceed the GitHub-compatible limit - chore: remove stale TODO comment on OAuth redirect route Refs #325, #334 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-31 11:12:44 -05:00
Jonathan Miller	b9b3026122	fix: resolve tech-debt batch 3 — remove deprecated functions, use stdlib ... - refactor(go): replace ValuesRepository with maps.Values (Go 1.21+) - refactor(go): remove CanEnableEditor wrapper, use CanContentChange directly - chore: remove stale TODO comments about project column route naming Refs #311, #317 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-31 11:03:42 -05:00
Jonathan Miller	9a5720e8ad	chore: rename Go module from git. to code.mokoconsulting.tech (#336) ... Full namespace migration: update the Go module path and all import statements from git.mokoconsulting.tech to code.mokoconsulting.tech. Also updates all URL references in templates, workflows, configs, tests, and documentation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-31 10:28:25 -05:00
Jonathan Miller	4efc679c8b	feat(licenses): platform enforcement, key deletion, expired key cleanup ... - Block update feed endpoints based on repo platform setting: Joomla-only repos return 404 on /updates/dolibarr.json and vice versa - Show feed URLs section only when licensing is enabled - Add delete button for license keys (site admin only) - Add weekly cron job to purge expired keys older than 1 year - Add DeleteLicenseKey and DeleteExpiredKeys model functions Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-31 10:03:23 -05:00
Jonathan Miller	1bf51f3aa5	fix(licenses): remove repo unit requirement from licenses routes ... The licenses feature is gated by org-level LicensingEnabled config, not by per-repo unit enablement. Requiring TypeLicenses unit on repos caused 404s since it wasn't in DefaultRepoUnits. Write permissions are still enforced in handlers via CanWrite(TypeLicenses). Org routes retain reqUnitAccess for team-level permission control. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-31 09:47:51 -05:00
Jonathan Miller	ed79a48119	feat(licenses): UI/UX cleanup, permissions, renew, auto-domain, custom keys ... - Replace confirm() with Gitea modal system (link-action + data-modal-confirm) - Add confirmation modal to revoke key action - Fix clipboard copy to use data-clipboard-target with tooltip feedback - Localize all hardcoded English strings (feed labels, "unlimited", "Master") - Improve key creation flash with security-focused message + copy button - Add count badge to org licenses nav tab - Add icon to org settings navbar for update streams - Add help text to "Active" checkboxes explaining deactivation impact - Fix empty state message to reference UI creation (not just API) - Compact tables for denser license data display - Add orange "Master" label to master package rows - Conditional feed buttons on release page (only when licensing enabled) - Add TypeLicenses unit type with Read/Write/Admin team permissions - Route-level permission enforcement via RequireUnitReader/Writer - Add "Renew" action for license keys (extends by package duration) - Auto-associate domain on first heartbeat (lock-on-first-use) - Enforce max_sites limit during domain auto-association - Allow site admins and org owners to set custom license key values Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-31 08:54:29 -05:00
Jonathan Miller	b77da17f38	feat(licenses): implement full commercial license management system ... Add key editing, domain enforcement, purchase webhooks, public validation API, channels multiselect, Joomla downloadkey element, licensing feature toggle, unified update system, release tag enforcement, heartbeat tracking, and improved settings UX. Phase 1: Full key display with AbsoluteShort dates, master package protection (hide edit/delete in UI, reject in handlers). Phase 2: Key edit page with template, handlers, and routes for both repo and org levels. Master keys redirect away. Phase 3: Domain restriction checking against CSV allowlist, MaxSites enforcement via CountUniqueDomainsByKey and IsDomainKnownForKey, dlid query param support for Joomla. Phase 4: Purchase webhook (POST /license-keys/purchase) with PaymentRef idempotency. Public validation endpoint (POST /license-keys/validate) outside auth middleware. PATCH /license-keys/{id} for API key editing. Phase 5: Channels multiselect using org UpdateStreamConfig streams rendered as checkboxes, stored as JSON arrays. Additional: downloadkey XML element, LicensingEnabled toggle on UpdateStreamConfig, Dolibarr endpoint unified with key validation, release tag suffix enforcement, LastHeartbeatUnix field with TouchHeartbeat, and cleaned-up settings pages. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-31 01:31:51 -05:00
Jonathan Miller	d75e648970	feat(org): add Update Streams settings page in org settings ... Add "Licenses & Update Streams" tab to org settings sidebar with: - Stream mode: Joomla standard or Custom - Active streams table showing name, suffix, description - Custom streams JSON editor - Saves org-level defaults that repos inherit Ref #265 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-30 23:09:07 -05:00
Jonathan Miller	021ddbb17a	feat(licenses): edit and delete license packages via web UI ... Add edit and delete actions for license packages: - Edit button (pencil icon) opens edit form with all package fields - Delete button (trash icon) with confirmation dialog - Edit form includes active/inactive toggle - Routes: GET/POST /licenses/packages/{id}/edit, POST /licenses/packages/{id}/delete Ref #239 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-30 23:03:44 -05:00
Jonathan Miller	5b02cf188e	feat(licenses): org-level licenses page, master keys, and menu fixes ... Major licensing UI improvements: - Org-level Licenses tab in org menu (visible to org members) - Org-level Licenses page with full CRUD (packages, keys, revoke) - Auto-created master key: when admin first visits Licenses page, a Master (Internal) package + key is auto-generated - Master keys marked with orange "Master" badge in key list - Revoking a master key auto-creates a new one on next visit - Fixed "New Package" button toggle (was using tw-hidden class that didn't work, now uses style.display) - IsRepoAdmin set as context data for template access - Master keys have IsInternal=true, lifetime, all channels Ref #239 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-30 22:30:33 -05:00
Jonathan Miller	30197e4e97	feat(licenses): web UI for package creation, key generation, and revocation ... Add full license management web forms to the Licenses page: - "New Package" form: name, description, duration, max sites, channels - "Generate Key" button per package: creates key with auto-expiry - "Revoke" button per key: deactivates the key - New key display: shows raw key once with copy instructions - Update Feed URLs section: copyable Joomla/Dolibarr endpoint URLs - Admin-only controls: forms only visible to repo admins Ref #239 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-30 21:27:12 -05:00
Jonathan Miller	3f29562938	fix(routes): use optSignIn for licenses page ... The licenses page was using reqSignIn which blocks API token access and redirects to login. Use optSignIn so the page is accessible. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-30 21:18:38 -05:00
Jonathan Miller	381952f6d2	feat(licenses): add Licenses tab and page for repos ... Add a Licenses tab in the repo header that shows when license packages exist for the repo's owner. The tab displays: - License packages with name, duration, allowed channels, key count - Issued keys with prefix, licensee, expiry, and status Also includes: - Org-level default update streams with per-repo override (#265) - Full Joomla channel names in update feeds - Update Feed button on releases page - DB migration v336 for update_stream_config table The Licenses tab appears after Packages in the repo header, gated by whether any license packages exist for the owner. Ref #239, #265 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-30 21:03:52 -05:00
Jonathan Miller	627a22ee53	feat(updates): license key system and Dolibarr endpoint (Phase 2-3) ... Add license key data model and Dolibarr update feed endpoint: License key system: - license_package table: subscription tiers with duration, max sites, repo scope (org-wide or specific repos), and allowed update channels - license_key table: individual keys with SHA-256 hashed storage, domain restriction, custom start/end dates, internal/master key flag - license_key_usage table: tracks update check activity per key - DB migration v335 creates all three tables Update server enhancements: - Dolibarr JSON endpoint at /{owner}/{repo}/updates/dolibarr.json - License key validation on update endpoints via ?key=MOKO-XXXX param - Channel filtering: packages restrict which update streams keys access - Invalid keys get empty XML response (Joomla-compatible "no updates") - Usage tracking records domain, IP, user agent, version on each check Key design decisions: - Org-level master keys: IsInternal=true, package RepoScope="all" - Keys stored as SHA-256 hashes, raw key only shown at creation - Packages define allowed channels (e.g. ["stable","rc"] for Pro tier) - MOKO-XXXX-XXXX-XXXX-XXXX format for license keys Ref #239 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-30 13:09:47 -05:00
Jonathan Miller	6c06384966	feat(updates): built-in Joomla update server endpoint ... Add GET /{owner}/{repo}/updates.xml that dynamically generates a Joomla-compatible updates.xml from the repository's releases. Features: - Automatically maps release tags to channels (stable/rc/beta/alpha/dev) - Finds .zip attachments for download URLs, falls back to archive URL - Emits one entry per channel (latest release wins) - Extracts version from tag names, strips common prefixes - Publicly accessible (no auth required) for Joomla update clients This is Phase 1 of #239 — the core dynamic update feed generation. Future phases will add license key gating, Dolibarr support, and repo settings UI. Ref #239 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-30 12:54:31 -05:00
Jonathan Miller	1032ae4268	feat: organization-level 2FA requirement for members (#208) ... Adds a Require2FA toggle to organization settings. When enabled, org members without 2FA are redirected to the security settings page with a warning flash message. Changes: - New Require2FA field on User model (migration v333) - Org settings UI checkbox with shield-lock icon - Check2FARequirement middleware on member-required org routes - UpdateOptions extended with Require2FA field Closes #208 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-26 13:11:15 -05:00
Jonathan Miller	26fde4a50e	feat: reset-to-default buttons on branding page, admin sidebar icons ... - Each branding image row now has a Reset button when custom image exists - Reset removes the custom file, reverting to built-in default - All admin sidebar menu items now have octicon icons Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-25 22:08:04 -05:00
Jonathan Miller	71e0af4196	feat: three-column branding layout with identity settings ... Branding page now has: - Identity section: App Name, Description, Support URL, Author (saved to app.ini, applied in-memory immediately) - Images section: three-column table (Setting | Upload | Preview) for Nav Icon, Login Logo, and Favicon Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-25 21:43:55 -05:00
Jonathan Miller	d77713dd77	feat: admin branding page with uploadable nav icon, logo, and favicon (#181) ... Add a Branding section to Site Administration where admins can upload custom images for three separate slots: - Nav icon (logo-small.png) — top-left corner, 30x30px - Login logo (logo.png) — login page and homepage - Favicon (favicon.png) — browser tab icon Changes: - New admin route: /-/admin/branding with upload forms - Templates use AssetUrlPrefix instead of hardcoded external URLs - Nav bar uses logo-small.png with fallback to logo.png - Uploads save to custom/public/assets/img/ (persists across restarts) - SVG overrides auto-removed when PNG is uploaded - Added logo-small.png as default built-in asset Closes #181 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-25 20:23:34 -05:00
Jonathan Miller	c572fcfe04	chore(core): rename Go module from code.gitea.io/gitea to MokoGitea namespace ... Rename the Go module path from code.gitea.io/gitea to git.mokoconsulting.tech/MokoConsulting/MokoGitea across the entire codebase. Scope: - go.mod module declaration - 2,235 Go source files (import paths) - Dockerfile WORKDIR and COPY paths - Swagger API templates - golangci.yml linter config External dependencies (code.gitea.io/gitea-vet, code.gitea.io/sdk/gitea, gitea.com/gitea/act, etc.) are intentionally NOT renamed — they are separate upstream modules. Closes #132 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-25 00:22:38 -05:00
wxiaoguang	a2a5ef8d0e	Fix update branch protection order (#37508) ... Regression of changed behavior or Golang JSON v2 package Fix #37506	2026-05-02 16:32:36 +00:00
Myers Carpenter	9e031eb3df	Serve OpenAPI 3.0 spec at /openapi.v1.json (#37038) ... Add a build-time conversion step that transforms the existing Swagger 2.0 spec into an OpenAPI 3.0 spec. The OAS3 spec is served alongside the existing Swagger 2.0 spec, enabling API clients that require OAS3 to generate code directly from Gitea's API. This is not to be an answer to how gitea handles OAS3 long term, but a way to use what we have to move a step forward. --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>	2026-04-29 20:47:52 +08:00