4661 Commits

Author	SHA1	Message	Date
Jonathan Miller	22586b7a06	fix(issues): auto-seed default statuses and priorities for orgs ... Status and priority are first-class fields, not custom fields. They must always show in the sidebar without requiring manual setup. When an org has no definitions, the standard presets are auto-created on first access.	2026-06-06 13:40:53 -05:00
Jonathan Miller	e2e80de6fa	fix: rename Priority field to PriorityDef to avoid redeclaration ... The Issue struct already has a Priority int field at line 74.	2026-06-06 11:58:53 -05:00
Jonathan Miller	55c2f81c58	feat(issues): org-level priority field with customizable levels (#509) ... Add org-level issue priority definitions that appear in the issue sidebar. Each priority has a name, color, sort order, and optional default flag. Follows the same architecture as custom statuses (#502). Includes: - IssuePriorityDef model with CRUD operations - Migration v348 adding issue_priority_def table + priority_id on issues - Org settings UI for managing priorities - Issue sidebar dropdown for selecting priority Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-06 11:52:44 -05:00
Jonathan Miller	3aaa7c0843	feat(settings): repo manifest settings with auto-migration and API (#315) ... Add a "Manifest" page in repo settings that stores moko-platform manifest fields (identity, governance, build) in the database. Includes: - RepoManifest model with all manifest.xml fields - Migration v347 adding repo_manifest table - Auto-detect and migrate .mokogitea/manifest.xml on first settings visit - Repo settings UI with Identity/Governance/Build sections - REST API: GET/PUT /api/v1/repos/{owner}/{repo}/manifest for Actions workflows and moko-platform CLI Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-06 09:02:23 -05:00
Jonathan Miller	c568e199ed	feat(issues): custom status definitions with automated actions (#502) ... Add org-level custom issue status definitions that appear in the issue sidebar. Each status has a name, color, description, and an optional "closes issue" flag that automatically closes/reopens the issue when the status is selected. Includes: - IssueStatusDef model with CRUD operations - Migration v346 adding issue_status_def table + status_id on issues - Org settings UI for managing statuses - Issue sidebar dropdown for selecting status - Auto close/reopen when status has closes_issue flag Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-06 08:24:44 -05:00
Jonathan Miller	33076e4e1b	fix(issues): address review findings for custom field search ... - Clear custom field filters when field definitions fail to load, preventing invisible filtering with no UI to undo - Log malformed options JSON instead of silently dropping fields - Extract parseCustomFieldQueryParams helper (web) and parseAPICustomFieldFilters helper (API) to deduplicate cf_ parsing - API returns 400 for non-numeric or non-positive cf_ field IDs - Validate field IDs are positive in web handler - Add entity_type='issue' to subquery to prevent cross-entity matching Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-06 06:06:32 -05:00
Jonathan Miller	a3c6f54ad3	feat(issues): advanced search with custom field filters (#496) ... Add the ability to filter issues by custom field values throughout the entire search stack: - DB: applyCustomFieldCondition joins custom_field_value with AND semantics (all specified fields must match) - Indexer: CustomFieldFilters map passed through SearchOptions and ToDBOptions - Web: parse cf_{fieldID}={value} query params, show dropdown filters in the issue list sidebar for org-level fields - API: both SearchIssues and ListIssues accept cf_ query params Closes #496 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-06 06:06:32 -05:00
Jonathan Miller	3aec6c2cae	fix(migration): set issue_id default to 0 for new custom_field_value inserts ... The old issue_id column has NOT NULL without a default, causing inserts via the new entity_id-based API to fail. Migration now ALTERs the column to DEFAULT 0. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-04 19:51:56 -05:00
Jonathan Miller	6bd9548b2a	feat(custom-fields): move to org-level definitions with issue and repo scopes ... - CustomFieldDef now has owner_id (org) and scope (issue/repo) - Issue sidebar loads fields by org owner_id, not repo_id - Org Settings > Custom Fields page for managing field definitions - Repo Settings > Metadata page for filling in repo-scoped values - Migration v345 adds owner_id, scope, entity_id, entity_type columns - Per-repo custom field management replaced by org-level - Replaces .mokogitea/manifest.xml with database-backed metadata Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-04 19:11:22 -05:00
Jonathan Miller	5c22bb04b5	fix(licenses): remove master key banner, sort master keys first in list ... Remove the dedicated master key segment at the top of the Licenses page. Master keys now appear first in the keys table via ORDER BY is_internal DESC. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-04 17:42:05 -05:00
Jonathan Miller	e4ea1303ea	feat(licenses): add domain restriction to packages and key generation ... - Add DomainRestriction field to LicensePackage model with migration - Packages can define default allowed domains (comma-separated) - Key generation form now includes licensee name, email, and domain fields in a proper modal instead of a tiny inline form - Keys inherit domain restriction from their package if not overridden - Package create/edit forms include domain restriction input - Domain enforcement already exists in heartbeat validation Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-04 09:05:44 -05:00
Jonathan Miller	c15582aa64	fix(build): remove stale custom field API routes, structs, and migration ... Comment out custom-fields API routes in api.go that referenced handler functions from the deleted routers/api/v1/repo/custom_field.go. Remove the unreferenced modules/structs/custom_field.go and the duplicate v1_25/v323 migration (superseded by v1_27/v343). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-04 07:26:16 -05:00
Jonathan Miller	c7d8f6066f	feat(issues): custom fields foundation — model, migration, settings UI (#8) ... Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-04 06:46:33 -05:00
Jonathan Miller	ff6d1bf3c9	fix(licenses): add explicit xorm column names for all UpdateStreamConfig fields ... xorm auto-maps CamelCase to snake_case by splitting on each uppercase letter. MaintainerURL became maintainer_u_r_l instead of maintainer_url, causing DB reads to return empty values. Added explicit column name tags to all multi-word fields: SupportURL, KeyPrefix, ExtensionName, DisplayName, ExtensionType, MaintainerURL, InfoURL, TargetVersion, PHPMinimum, LicensingEnabled, RequireKey, FeedVisibility, DownloadGating, StreamMode, CustomStreams. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-02 19:12:54 -05:00
Jonathan Miller	e2c738a8d8	feat(repos): three-level visibility — Public, Private, Hidden ... Add IsHidden field to Repository model. Three visibility modes: - Public: visible to everyone (green label) - Private: members only, non-members see 403 Access Denied (orange) - Hidden: members only, non-members see 404 Not Found (red) Private mode is for commercial repos — customers know the repo exists and see a styled 403 page with sign-in button. Licensed update feeds and key-gated downloads still work. Hidden mode is for internal/secret repos — complete stealth, as if the repo doesn't exist. Settings UI: radio button selector in danger zone replaces the old binary toggle. Each option shows a colored label with description. Migration v342: adds is_hidden column to repository table. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-02 13:42:25 -05:00
Jonathan Miller	eca929f680	feat(licenses): configurable key prefix (#406), header button (#408), open feed button (#409) ... #406: Add KeyPrefix field to UpdateStreamConfig. GenerateKeyString now accepts a prefix parameter, looked up from org config. Default remains MOKO if not set. Auto-uppercased, max 20 chars. #408: Move "New Package" button into the packages header bar, right-aligned. Uses details/summary pattern — clicking the button expands the create form below. Cleaner layout on both repo and org. #409: Add open-in-new-tab button (external link icon) next to every copy button on feed URLs. All four feeds: Joomla XML, Dolibarr JSON, WordPress JSON, Changelog XML. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-02 08:51:55 -05:00
Jonathan Miller	de52ad0fbc	fix(build): permanent fixes for recurring build errors ... - AI migration 339: replaced with noopMigration placeholder - feed/file.go: add missing comma in struct literal - license_key.go: remove unused org_model import These were being applied as server-side hotfixes on every deploy. Now committed to dev so they persist through merges. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-02 08:34:14 -05:00
Jonathan Miller	2799558040	feat(orgs): enterprise sub-org hierarchy with parent-child relationships (#410) ... Add ParentOrgID field to User model for org hierarchy. Parent orgs can have child orgs, enabling enterprise structures like MokoConsulting → client orgs. Model changes: - ParentOrgID int64 on User (INDEX, DEFAULT 0) - GetChildOrgs, GetAncestorOrgIDs, GetParentOrg helpers - Max 10 hierarchy levels with cycle detection License integration: - ListLicensePackagesWithAncestors — shows packages from parent orgs - ListLicenseKeysWithAncestors — shows keys from parent orgs - SearchLicenseKeysWithAncestors — searches across hierarchy - Master keys from parent orgs validate for child org repos UI: - Parent org dropdown in org settings (owners/admins only) - Shows all orgs user owns except self Migration v341: adds parent_org_id column to user table. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-02 08:14:08 -05:00
Jonathan Miller	37322e4212	feat(updates): manual release-to-stream mapping ... Add release_stream_map table for explicitly assigning releases to update streams. When a mapping exists, it overrides automatic tag detection. When absent, falls back to tag name/suffix matching. New model: ReleaseStreamMap with SetReleaseStream, GetReleaseStream, ResolveReleaseStream (manual first, auto fallback). UI: stream selector dropdown on release create/edit page, shown when licensing is enabled. Options: auto-detect (default) or any configured stream (stable, release-candidate, beta, etc.). All three feed generators (Joomla, Dolibarr, WordPress) now use ResolveReleaseStream instead of MatchStreamFromTag. Migration v340 updated with release_stream_map table creation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-02 07:37:02 -05:00
Jonathan Miller	0a3cd3115f	feat(updates): support stream-name tags alongside version tags ... MatchStreamFromTag now checks if the tag name directly matches a stream name (e.g. "stable", "release-candidate", "development") before falling back to suffix matching. Supports both conventions: 1. Stream-name tags: tag IS the stream (MokoWaaS style) 2. Version tags: tag has version + suffix (v1.0.0-rc1 style) When a stream-name tag is detected, the version number is extracted from the release title instead of the tag. Falls back to tag name if no version found in title. Applied across all feed generators: Joomla XML, Dolibarr JSON, WordPress JSON, and Changelog XML. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-02 07:21:02 -05:00
Jonathan Miller	3e31b662a6	fix(licenses): remove UNIQUE constraint on PaymentRef, use tw-max-w-lg ... PaymentRef UNIQUE constraint causes Error 1062 when creating keys without a payment reference — empty strings collide. Remove the DB constraint; idempotency is enforced in code via GetLicenseKeyByPaymentRef which already filters empty strings. Also replace inline style with tw-max-w-lg class on search box. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-02 07:12:13 -05:00
Jonathan Miller	0e7d3c4a34	fix(security): ownership guards, RepoScope parsing, CSRF tokens, XSS escaping ... SECURITY: Add verifyPackageOwnership/verifyKeyOwnership checks to all API handlers that accept ID parameters. Prevents cross-org access where an admin of org A could modify org B's license data. FIX: RepoScope validation now properly parses JSON arrays using json.Unmarshal instead of strings.Contains. The old approach matched substrings (repo ID "2" matched inside "12"). Now uses typed int64 comparison. FIX: Add {{$.CsrfTokenHtml}} to both delete confirmation modal forms (package and key) in repo and org templates. Without CSRF tokens, the form-fetch-action POST requests would be rejected. FIX: HTML-escape release notes in WordPress changelog to prevent XSS via malicious release note content reaching WP admin dashboards. FIX: Parse AllowedChannels JSON format before comma-split fallback to avoid garbage values from splitting JSON arrays by comma. FIX: Add missing third return value (false) on error path in validateUpdateKey to prevent compile error. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-02 06:59:29 -05:00
Jonathan Miller	a149edccd3	feat(licenses): feed visibility modes and login-required releases ... Add FeedVisibility field to UpdateStreamConfig with three modes: - public: full feed with download URLs (default) - no-download: version info visible but download URLs stripped - hidden: empty feed returned without a valid license key The "no-download" mode is the key commercial pattern — customers see updates exist (motivating purchase/renewal) but cannot download without a valid key. Joomla shows "update available" in admin. Applied consistently across all update feed endpoints (Joomla XML, Dolibarr JSON, WordPress JSON) via the shared validateUpdateKey() which now returns a stripDownloads flag. Also: when licensing is enabled, the release listing page requires login. Anonymous users are redirected to the login page. This prevents browsing release notes and download links without auth. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-02 06:38:09 -05:00
Jonathan Miller	d204ecb9f0	fix(licenses): enforce RepoScope validation and add API revoke endpoint ... SECURITY: ValidateLicenseKeyForRepo() now checks the package's RepoScope field against the requesting repo ID. A package scoped to repo A will reject keys when accessed from repo B's update feed. Update server and download gating both use the new function. Master/internal keys bypass repo scope checks. RepoScope supports: "all" (any repo), single repo ID string, or JSON array of repo IDs like ["1","5","12"]. Also adds POST /license-keys/{id}/revoke API endpoint that was missing from the API but existed in web handlers. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-01 05:33:26 -05:00
Jonathan Miller	53a5d0b97b	feat(licenses): domain lock timer, infourl fix, Akeeba-compatible XML format ... Domain lock timer: add DomainLockHours to LicensePackage and FirstUsedUnix to LicenseKey. During the grace period after first use, any domain is accepted and auto-added to the restriction list. After the grace period, only listed domains are allowed. Set 0 for immediate lock-on-first-use (default). Fix infourl: default to /releases listing page instead of specific tag page. Falls back to SupportURL or InfoURL if configured. Match Akeeba Backup Pro XML format: downloadkey prefix is "dlid=" (not "&dlid="), matching how Joomla stores extra_query. Verified against production Akeeba/JCE/AdminTools manifests via SSH. Update migration v340 with FirstUsedUnix and DomainLockHours columns. Add DomainLockHours field to create/edit package forms for both repo and org levels with help text. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-01 05:00:50 -05:00
Jonathan Miller	448b7d3ab0	feat(licenses): archive, search, download gating, changelog XML, and expanded permissions ... Migration v340: sync all missing columns (key_raw, payment_ref, last_heartbeat_unix, is_archived, licensing_enabled, download_gating, support_url, and all extension metadata fields). Package archiving (#384): add IsArchived field with archive/unarchive handlers and collapsible "Archived Packages" section in templates. Existing keys from archived packages continue to work. Expanded delete permissions (#385): org owners and site admins can permanently delete packages and keys (previously site admin only). Search (#392): server-side search across key_prefix, key_raw, licensee_name, licensee_email, domain_restriction, and payment_ref via ?q= query parameter on both repo and org licenses pages. Sortable tables (#390): Fomantic UI sortable class on keys table with new Domain column showing DomainRestriction per key. Download gating (#347): three modes — none, prerelease-only, and all downloads. CheckDownloadGating() intercepts both release attachment and git archive download handlers. Support URL (#393): configurable SupportURL field on UpdateStreamConfig for wiki or external site links. Changelog XML (#343): ServeChangelogXML endpoint at /changelog.xml generates Joomla-compatible changelog from release notes. Parses Keep-a-Changelog markdown sections into <security>, <fix>, <addition>, <change>, <remove>, <note> XML elements. API renew (#387): POST /license-keys/{id}/renew endpoint extends key expiration by package duration. Closes #384, #385, #386, #387, #389, #390, #392, #393 Refs #343, #346, #347 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-06-01 04:45:20 -05:00
Jonathan Miller	1ed8e463df	chore: remove stale TODO comments (#328, #332) ... - Remove TODO from OAuth2 regenerate secret template — the functionality was already fully implemented - Remove stub TODO test comments for TestMerge, TestNewPullRequest, TestAddTestPullRequestTask — stale for years - Remove stale GetProjectsMode TODO — method is needed by templates Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-31 13:38:18 -05:00
Jonathan Miller	88e210bffb	fix(build): use slices.Collect for maps.Values (Go 1.23+ compat) ... In Go 1.23+, maps.Values returns iter.Seq not a slice. Use slices.Collect() to materialize the iterator. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-31 11:38:00 -05:00
Jonathan Miller	889f64009b	fix: resolve tech-debt batch 4 — parseIssueHref, job limit, stale TODOs ... - fix(ts): parseIssueHref now uses URL pathname and trims appSubUrl for correct issue link parsing with sub-path deployments - fix(actions): enforce MaxJobNumPerRun (256) limit when creating jobs, rejecting workflows that exceed the GitHub-compatible limit - chore: remove stale TODO comment on OAuth redirect route Refs #325, #334 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-31 11:12:44 -05:00
Jonathan Miller	27c4d176f4	fix(licenses): remove duplicate DeleteLicenseKey declaration ... Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-31 11:06:41 -05:00
Jonathan Miller	b9b3026122	fix: resolve tech-debt batch 3 — remove deprecated functions, use stdlib ... - refactor(go): replace ValuesRepository with maps.Values (Go 1.21+) - refactor(go): remove CanEnableEditor wrapper, use CanContentChange directly - chore: remove stale TODO comments about project column route naming Refs #311, #317 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-31 11:03:42 -05:00
Jonathan Miller	d30e7d7a5a	feat(updates): extension metadata settings for update feed generation ... - Add configurable fields: element name, display name, description, extension type, maintainer, maintainer URL, info URL, target version, PHP minimum - Add platform dropdown: joomla, dolibarr, wordpress, prestashop, drupal, composer, both - Update Joomla XML generator to use metadata from config (falls back to repo-derived values when not set) - Add GetEffectiveConfig() for resolving repo → org → nil config chain - Add locale keys for all new settings fields Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-31 10:58:45 -05:00
Jonathan Miller	d74ae92e5b	fix: resolve tech-debt batch 2 — dropdown validation, editor cleanup, rename ... - fix(templates): add required validation to issue dropdown fields - refactor(ts): remove redundant `handled` field from MarkdownHandleIndentionResult - refactor(go): rename HasOrgOrUserVisible to IsOwnerVisibleToDoer for clarity Refs #311, #334 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-31 10:50:33 -05:00
Jonathan Miller	9a5720e8ad	chore: rename Go module from git. to code.mokoconsulting.tech (#336) ... Full namespace migration: update the Go module path and all import statements from git.mokoconsulting.tech to code.mokoconsulting.tech. Also updates all URL references in templates, workflows, configs, tests, and documentation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-31 10:28:25 -05:00
Jonathan Miller	809c387054	feat(licenses): store keys in plaintext, show full key with copy button ... License keys are domain-locked so hashing is unnecessary. Store the full key in KeyRaw column for permanent visibility. Keys table now shows the complete key with a clipboard copy button per row. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-31 10:07:20 -05:00
Jonathan Miller	4efc679c8b	feat(licenses): platform enforcement, key deletion, expired key cleanup ... - Block update feed endpoints based on repo platform setting: Joomla-only repos return 404 on /updates/dolibarr.json and vice versa - Show feed URLs section only when licensing is enabled - Add delete button for license keys (site admin only) - Add weekly cron job to purge expired keys older than 1 year - Add DeleteLicenseKey and DeleteExpiredKeys model functions Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-31 10:03:23 -05:00
Jonathan Miller	1a4d0739db	fix(permissions): admin teams implicitly inherit access to all unit types ... Admin-level teams (team.authorize >= Admin) now implicitly get admin access to all unit types in UnitMaxAccess(), even without explicit TeamUnit records. This resolves the long-standing TEAM-UNIT-PERMISSION issue where adding new units (like TypeLicenses) left existing admin teams without access. Resolves: #304 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-31 09:00:49 -05:00
Jonathan Miller	ed79a48119	feat(licenses): UI/UX cleanup, permissions, renew, auto-domain, custom keys ... - Replace confirm() with Gitea modal system (link-action + data-modal-confirm) - Add confirmation modal to revoke key action - Fix clipboard copy to use data-clipboard-target with tooltip feedback - Localize all hardcoded English strings (feed labels, "unlimited", "Master") - Improve key creation flash with security-focused message + copy button - Add count badge to org licenses nav tab - Add icon to org settings navbar for update streams - Add help text to "Active" checkboxes explaining deactivation impact - Fix empty state message to reference UI creation (not just API) - Compact tables for denser license data display - Add orange "Master" label to master package rows - Conditional feed buttons on release page (only when licensing enabled) - Add TypeLicenses unit type with Read/Write/Admin team permissions - Route-level permission enforcement via RequireUnitReader/Writer - Add "Renew" action for license keys (extends by package duration) - Auto-associate domain on first heartbeat (lock-on-first-use) - Enforce max_sites limit during domain auto-association - Allow site admins and org owners to set custom license key values Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-31 08:54:29 -05:00
Jonathan Miller	b77da17f38	feat(licenses): implement full commercial license management system ... Add key editing, domain enforcement, purchase webhooks, public validation API, channels multiselect, Joomla downloadkey element, licensing feature toggle, unified update system, release tag enforcement, heartbeat tracking, and improved settings UX. Phase 1: Full key display with AbsoluteShort dates, master package protection (hide edit/delete in UI, reject in handlers). Phase 2: Key edit page with template, handlers, and routes for both repo and org levels. Master keys redirect away. Phase 3: Domain restriction checking against CSV allowlist, MaxSites enforcement via CountUniqueDomainsByKey and IsDomainKnownForKey, dlid query param support for Joomla. Phase 4: Purchase webhook (POST /license-keys/purchase) with PaymentRef idempotency. Public validation endpoint (POST /license-keys/validate) outside auth middleware. PATCH /license-keys/{id} for API key editing. Phase 5: Channels multiselect using org UpdateStreamConfig streams rendered as checkboxes, stored as JSON arrays. Additional: downloadkey XML element, LicensingEnabled toggle on UpdateStreamConfig, Dolibarr endpoint unified with key validation, release tag suffix enforcement, LastHeartbeatUnix field with TouchHeartbeat, and cleaned-up settings pages. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-31 01:31:51 -05:00
Jonathan Miller	3a5ca580db	feat(updates): per-repo platform, require-key, platform-aware buttons ... - Repo settings: platform dropdown (Joomla/Dolibarr/Both) + require key - Releases page buttons change based on platform setting - Update feed enforces require-key (empty response without valid key) - key_plain column stores full key for copy functionality - DB migrations v337 (key_plain) + v338 (platform, require_key) Ref #239 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-30 22:55:55 -05:00
Jonathan Miller	689173ecab	feat(licenses): auto-create master key for org/repo ... When an admin first visits the Licenses page, a master license package and key are automatically created: - Master package: lifetime, unlimited, all channels, all repos - Master key: IsInternal=true, never expires - Raw key shown once with copy instructions - If master key is revoked, a new one is created on next visit The master key is always present — revoking it and revisiting the page generates a fresh one. Ref #239 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-30 22:26:24 -05:00
Jonathan Miller	381952f6d2	feat(licenses): add Licenses tab and page for repos ... Add a Licenses tab in the repo header that shows when license packages exist for the repo's owner. The tab displays: - License packages with name, duration, allowed channels, key count - Issued keys with prefix, licensee, expiry, and status Also includes: - Org-level default update streams with per-repo override (#265) - Full Joomla channel names in update feeds - Update Feed button on releases page - DB migration v336 for update_stream_config table The Licenses tab appears after Packages in the repo header, gated by whether any license packages exist for the owner. Ref #239, #265 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-30 21:03:52 -05:00
Jonathan Miller	a88e3f8787	feat(updates): org-level default streams with per-repo override ... Add configurable update streams at org and repo level: - UpdateStreamConfig model: stores stream mode (joomla/custom) and custom stream definitions (name, suffix, description) - Resolution chain: repo override → org default → Joomla defaults - MatchStreamFromTag: matches release tags to streams using configured suffixes (longest match wins) - Both Joomla XML and Dolibarr JSON generators use effective streams - DB migration v336 creates update_stream_config table - Default Joomla streams: stable, release-candidate, beta, alpha, development - Custom streams support any tag suffix (e.g. -lts, -nightly, -security) Ref #265 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-30 20:49:46 -05:00
Jonathan Miller	627a22ee53	feat(updates): license key system and Dolibarr endpoint (Phase 2-3) ... Add license key data model and Dolibarr update feed endpoint: License key system: - license_package table: subscription tiers with duration, max sites, repo scope (org-wide or specific repos), and allowed update channels - license_key table: individual keys with SHA-256 hashed storage, domain restriction, custom start/end dates, internal/master key flag - license_key_usage table: tracks update check activity per key - DB migration v335 creates all three tables Update server enhancements: - Dolibarr JSON endpoint at /{owner}/{repo}/updates/dolibarr.json - License key validation on update endpoints via ?key=MOKO-XXXX param - Channel filtering: packages restrict which update streams keys access - Invalid keys get empty XML response (Joomla-compatible "no updates") - Usage tracking records domain, IP, user agent, version on each check Key design decisions: - Org-level master keys: IsInternal=true, package RepoScope="all" - Keys stored as SHA-256 hashes, raw key only shown at creation - Packages define allowed channels (e.g. ["stable","rc"] for Pro tier) - MOKO-XXXX-XXXX-XXXX-XXXX format for license keys Ref #239 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-30 13:09:47 -05:00
Jonathan Miller	7884e2f141	feat(permissions): section-based visibility — public units on private repos ... Fix three gaps that prevented per-unit public access from working on private repositories: 1. Git HTTP handler (githttp.go): allow anonymous git pull for private repos when the target unit (code or wiki) has AnonymousAccessMode set to read. Previously only checked repo.IsPrivate. 2. Permission engine (repo_permission.go): call finalProcessRepoUnitPermission for anonymous users on private repos so that unit-level anonymous access modes are populated. Previously returned early with AccessModeNone, skipping anonymous mode setup. 3. Search/explore (repo_list.go): include private repos that have at least one unit with anonymous_access_mode > 0 in search results, so anonymous users can discover repos with public sections. The existing settings UI at /settings/public_access already allows configuring per-unit visibility. The home page redirect to the first readable unit (e.g. wiki) also already works via checkHomeCodeViewable. Closes #238 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-30 12:26:24 -05:00
Jonathan Miller	d4824dc05b	feat(actions): rebrand actions bot user and add branch protection whitelist ... Rebrand the built-in actions bot user from upstream Gitea naming to MokoGitea branding: - Name: gitea-actions → mokogitea-actions - FullName: Gitea Actions → MokoGitea Actions - Email: teabot@gitea.io → mokogitea-actions[bot]@mokoconsulting.tech Add backward-compatible name recognition so all three bot name variants (mokogitea-actions, gitea-actions, github-actions) with optional [bot] suffix resolve to the same system user. Add WhitelistActionsUser, MergeWhitelistActionsUser, and ForcePushAllowlistActionsUser toggles to branch protection rules, allowing CI/CD workflows to push to protected branches when explicitly enabled. Previously the actions bot (virtual user ID -2) could never be added to whitelist because updateUserWhitelist() only validates real database users. Closes #233 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-30 10:37:43 -05:00
Jonathan Miller	dd6fc4b69c	fix(actions): retry workflow insertion on database deadlock ... When multiple workflows are triggered by a single event (e.g. a pull_request with several matching workflow files), each InsertRun transaction acquires an X-lock on the repository row via UpdateRepoRunsNumbers and an index lock on action_run. Two concurrent transactions can deadlock when each holds one lock and waits for the other. InnoDB kills the lighter transaction, but handleWorkflows only logged the error and silently dropped the workflow run — making it appear as though pull_request events were never fired. This was the root cause of API-created PRs appearing to not trigger Actions workflows: the notification pipeline was correct, but the DB insert was lost to an unretried deadlock. The fix wraps PrepareRunAndInsert in a retry loop (up to 3 attempts with exponential backoff) that detects deadlock errors across MySQL, PostgreSQL, and SQLite. On deadlock, the rolled-back run fields are reset before the next attempt. Also adds db.IsErrDeadlock() for cross-engine deadlock detection and unit tests for the same. Closes #220 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-26 15:16:30 -05:00
Jonathan Miller	1032ae4268	feat: organization-level 2FA requirement for members (#208) ... Adds a Require2FA toggle to organization settings. When enabled, org members without 2FA are redirected to the security settings page with a warning flash message. Changes: - New Require2FA field on User model (migration v333) - Org settings UI checkbox with shield-lock icon - Check2FARequirement middleware on member-required org routes - UpdateOptions extended with Require2FA field Closes #208 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-26 13:11:15 -05:00
Jonathan Miller	c572fcfe04	chore(core): rename Go module from code.gitea.io/gitea to MokoGitea namespace ... Rename the Go module path from code.gitea.io/gitea to git.mokoconsulting.tech/MokoConsulting/MokoGitea across the entire codebase. Scope: - go.mod module declaration - 2,235 Go source files (import paths) - Dockerfile WORKDIR and COPY paths - Swagger API templates - golangci.yml linter config External dependencies (code.gitea.io/gitea-vet, code.gitea.io/sdk/gitea, gitea.com/gitea/act, etc.) are intentionally NOT renamed — they are separate upstream modules. Closes #132 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-25 00:22:38 -05:00
Lunny Xiao	ca6c8c958c	fix: Unify public-only token filtering in API queries and repo access checks (#37118) (#37773) ... backport #37118 This PR closes remaining `public-only` token gaps in the API by making the restriction apply consistently across repository, organization, activity, notification, and authenticated `/api/v1/user/...` routes. Previously, `public-only` tokens were still able to: - receive private results from some list/search/self endpoints, - access repository data through ID-based lookups, - and reach several authenticated self routes that should remain unavailable for public-only access. This change treats `public-only` as a cross-cutting visibility boundary: - list/search endpoints now filter private resources consistently, - repository lookups enforce the same restriction even when addressed indirectly, - and self routes that inherently expose or mutate private account state now reject `public-only` tokens. --- Generated by a coding agent with Codex 5.2 Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Nicolas <bircni@icloud.com>	2026-05-24 03:38:02 -05:00