feat(licenses): store keys in plaintext, show full key with copy button

License keys are domain-locked so hashing is unnecessary. Store the full key in KeyRaw column for permanent visibility. Keys table now shows the complete key with a clipboard copy button per row. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
feat(licenses): platform enforcement, key deletion, expired key cleanup
2026-05-31 10:07:20 -05:00 · 2026-05-31 10:03:23 -05:00 · 2026-05-31 09:54:38 -05:00 · 2026-05-31 14:48:15 +00:00 · 2026-05-31 09:47:51 -05:00 · 2026-05-31 09:37:42 -05:00
120 changed files with 5914 additions and 7202 deletions
@@ -0,0 +1,251 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+# SPDX-License-Identifier: GPL-3.0-or-later
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: moko-platform.Automation
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# PATH: /.gitea/workflows/branch-protection.yml
+# BRIEF: Apply standardised branch protection rules to all governed repositories
+#
+# +========================================================================+
+# |                   BRANCH PROTECTION SETUP                              |
+# +========================================================================+
+# |                                                                        |
+# |  Applies protection rules for: main, dev, rc, beta, alpha       |
+# |                                                                        |
+# |  main  — Require PR, block rejected reviews, no force push             |
+# |  dev   — Allow push, no force push, no delete                          |
+# |  rc  — Allow push, no force push, no delete                          |
+# |  beta — Allow push, no force push, no delete                         |
+# |  alpha — Allow push, no force push, no delete                        |
+# |                                                                        |
+# |  jmiller has override authority on all branches.                       |
+# |                                                                        |
+# +========================================================================+
+
+name: Branch Protection Setup
+
+on:
+  schedule:
+    - cron: '0 2 * * 1'  # Weekly Monday 02:00 UTC
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: 'Preview mode (no changes)'
+        required: false
+        type: boolean
+        default: false
+      repos:
+        description: 'Comma-separated repo names (empty = all governed repos)'
+        required: false
+        type: string
+        default: ''
+
+env:
+  GITEA_URL: https://git.mokoconsulting.tech
+  GITEA_ORG: MokoConsulting
+
+permissions:
+  contents: read
+
+jobs:
+  protect:
+    name: Apply Branch Protection Rules
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Determine target repos
+        id: repos
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+        run: |
+          API="${GITEA_URL}/api/v1"
+
+          # Platform/standards/infra repos to exclude
+          EXCLUDE="gitea-org-config org-profile gitea-private .mokogitea-private MokoStandards moko-platform MokoTesting"
+          EXCLUDE="$EXCLUDE MokoStandards-Template-Client MokoStandards-Template-Dolibarr MokoStandards-Template-Generic MokoStandards-Template-Joomla MokoDoliProjTemplate"
+
+          if [ -n "${{ inputs.repos }}" ]; then
+            # User-specified repos
+            REPOS=$(echo "${{ inputs.repos }}" | tr ',' ' ')
+          else
+            # Fetch all org repos
+            PAGE=1
+            REPOS=""
+            while true; do
+              BATCH=$(curl -sS \
+                -H "Authorization: token ${GA_TOKEN}" \
+                "${API}/orgs/${GITEA_ORG}/repos?page=${PAGE}&limit=50" \
+                | jq -r '.[].name // empty')
+              [ -z "$BATCH" ] && break
+              REPOS="$REPOS $BATCH"
+              PAGE=$((PAGE + 1))
+            done
+
+            # Filter out excluded repos
+            FILTERED=""
+            for REPO in $REPOS; do
+              SKIP=false
+              for EX in $EXCLUDE; do
+                if [ "$REPO" = "$EX" ]; then
+                  SKIP=true
+                  break
+                fi
+              done
+              if [ "$SKIP" = "false" ]; then
+                FILTERED="$FILTERED $REPO"
+              fi
+            done
+            REPOS="$FILTERED"
+          fi
+
+          echo "repos=$REPOS" >> "$GITHUB_OUTPUT"
+          COUNT=$(echo "$REPOS" | wc -w)
+          echo "📋 Target repos (${COUNT}): $REPOS"
+
+      - name: Apply protection rules
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          DRY_RUN: ${{ inputs.dry_run || 'false' }}
+        run: |
+          API="${GITEA_URL}/api/v1"
+          REPOS="${{ steps.repos.outputs.repos }}"
+
+          SUCCESS=0
+          FAILED=0
+          SKIPPED=0
+
+          # ── Rule definitions ──────────────────────────────────────
+          # Only the CI bot (jmiller token) can push directly.
+          # All human contributors must use PRs.
+          # Force push disabled on all branches.
+
+          RULE_MAIN='{
+            "rule_name": "main",
+            "enable_push": true,
+            "enable_push_whitelist": true,
+            "push_whitelist_usernames": ["jmiller"],
+            "enable_force_push": false,
+            "enable_force_push_allowlist": false,
+            "force_push_allowlist_usernames": [],
+            "enable_merge_whitelist": false,
+            "required_approvals": 0,
+            "dismiss_stale_approvals": true,
+            "block_on_rejected_reviews": true,
+            "block_on_outdated_branch": false,
+            "priority": 1
+          }'
+
+          RULE_DEV='{
+            "rule_name": "dev",
+            "enable_push": true,
+            "enable_push_whitelist": true,
+            "push_whitelist_usernames": ["jmiller"],
+            "enable_force_push": false,
+            "enable_force_push_allowlist": false,
+            "force_push_allowlist_usernames": [],
+            "enable_merge_whitelist": false,
+            "required_approvals": 0,
+            "block_on_rejected_reviews": false,
+            "priority": 2
+          }'
+
+          RULE_RC='{
+            "rule_name": "rc",
+            "enable_push": true,
+            "enable_push_whitelist": true,
+            "push_whitelist_usernames": ["jmiller"],
+            "enable_force_push": false,
+            "enable_force_push_allowlist": false,
+            "force_push_allowlist_usernames": [],
+            "enable_merge_whitelist": false,
+            "required_approvals": 0,
+            "block_on_rejected_reviews": false,
+            "priority": 3
+          }'
+
+          RULE_BETA='{
+            "rule_name": "beta",
+            "enable_push": true,
+            "enable_push_whitelist": true,
+            "push_whitelist_usernames": ["jmiller"],
+            "enable_force_push": false,
+            "enable_force_push_allowlist": false,
+            "force_push_allowlist_usernames": [],
+            "enable_merge_whitelist": false,
+            "required_approvals": 0,
+            "block_on_rejected_reviews": false,
+            "priority": 4
+          }'
+
+          RULE_ALPHA='{
+            "rule_name": "alpha",
+            "enable_push": true,
+            "enable_push_whitelist": true,
+            "push_whitelist_usernames": ["jmiller"],
+            "enable_force_push": false,
+            "enable_force_push_allowlist": false,
+            "force_push_allowlist_usernames": [],
+            "enable_merge_whitelist": false,
+            "required_approvals": 0,
+            "block_on_rejected_reviews": false,
+            "priority": 5
+          }'
+
+          RULES=("$RULE_MAIN" "$RULE_DEV" "$RULE_RC" "$RULE_BETA" "$RULE_ALPHA")
+          RULE_NAMES=("main" "dev" "rc" "beta" "alpha")
+
+          # ── Apply rules to each repo ──────────────────────────────
+          for REPO in $REPOS; do
+            echo ""
+            echo "═══ ${REPO} ═══"
+
+            for i in "${!RULES[@]}"; do
+              RULE="${RULES[$i]}"
+              NAME="${RULE_NAMES[$i]}"
+
+              if [ "$DRY_RUN" = "true" ]; then
+                echo "  [DRY RUN] Would apply rule: ${NAME}"
+                SKIPPED=$((SKIPPED + 1))
+                continue
+              fi
+
+              # Delete existing rule if present (idempotent recreate)
+              ENCODED_NAME=$(echo "$NAME" | sed 's|/|%2F|g')
+              curl -sS -o /dev/null -w "" \
+                -X DELETE \
+                -H "Authorization: token ${GA_TOKEN}" \
+                "${API}/repos/${GITEA_ORG}/${REPO}/branch_protections/${ENCODED_NAME}" 2>/dev/null || true
+
+              # Create rule
+              RESPONSE=$(curl -sS -w "\n%{http_code}" \
+                -X POST \
+                -H "Authorization: token ${GA_TOKEN}" \
+                -H "Content-Type: application/json" \
+                -d "$RULE" \
+                "${API}/repos/${GITEA_ORG}/${REPO}/branch_protections")
+
+              HTTP=$(echo "$RESPONSE" | tail -1)
+              BODY=$(echo "$RESPONSE" | sed '$d')
+
+              if [ "$HTTP" = "201" ]; then
+                echo "  ✅ ${NAME}"
+                SUCCESS=$((SUCCESS + 1))
+              else
+                echo "  ❌ ${NAME} (HTTP ${HTTP}): $(echo "$BODY" | jq -r '.message // .' 2>/dev/null | head -1)"
+                FAILED=$((FAILED + 1))
+              fi
+            done
+          done
+
+          # ── Summary ───────────────────────────────────────────────
+          echo ""
+          echo "════════════════════════════════════════"
+          echo "  ✅ Success: ${SUCCESS}"
+          echo "  ❌ Failed:  ${FAILED}"
+          echo "  ⏭️  Skipped: ${SKIPPED}"
+          echo "════════════════════════════════════════"
+
+          if [ "$FAILED" -gt 0 ]; then
+            echo "::warning::${FAILED} rule(s) failed to apply"
+          fi
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<moko-platform xmlns="https://standards.mokoconsulting.tech/moko-platform/1.0" schema-version="1.0">
+    <identity>
+        <name>MokoGitea</name>
+        <org>MokoConsulting</org>
+        <description>Moko fork of Gitea — adding project board REST API endpoints and custom enhancements</description>
+        <version>05.14.00</version>
+        <license spdx="GPL-3.0-or-later">GNU General Public License v3</license>
+    </identity>
+    <governance>
+        <platform>go</platform>
+        <standards-version>05.00.00</standards-version>
+        <standards-source>https://code.mokoconsulting.tech/MokoConsulting/moko-platform</standards-source>
+    </governance>
+    <build>
+        <language>Go</language>
+        <package-type>application</package-type>
+        <entry-point>./</entry-point>
+    </build>
+</moko-platform>
@@ -1,761 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Release
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
-# PATH: /templates/workflows/universal/auto-release.yml.template
-# VERSION: 05.00.00
-# BRIEF: Universal build & release � detects platform from manifest.xml
-#
-# +========================================================================+
-# |              UNIVERSAL BUILD & RELEASE PIPELINE                        |
-# +========================================================================+
-# |                                                                        |
-# |  Reads manifest.xml (joomla|dolibarr|generic) to branch logic.       |
-# |                                                                        |
-# |  Platform-specific:                                                    |
-# |    joomla:   XML manifest, updates.xml, type-prefixed packages         |
-# |    dolibarr: mod*.class.php, update.txt, dev version reset             |
-# |    generic:  README-only, no update stream                             |
-# |                                                                        |
-# +========================================================================+
-
-name: "Universal: Build & Release"
-
-on:
-  push:
-    branches:
-      - main
-    paths:
-      - 'src/**'
-      - 'htdocs/**'
-  workflow_dispatch:
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
-  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
-
-permissions:
-  contents: write
-
-jobs:
-  release:
-    name: Build & Release Pipeline
-    runs-on: release
-    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          token: ${{ secrets.GA_TOKEN }}
-          fetch-depth: 0
-
-      - name: Setup moko-platform tools
-        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN }}"}}'
-        run: |
-          # Ensure PHP + Composer are available
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
-            /tmp/moko-platform-api
-          cd /tmp/moko-platform-api
-          composer install --no-dev --no-interaction --quiet
-
-
-      # -- PLATFORM DETECTION ---------------------------------------------------
-      - name: Detect platform
-        id: platform
-        run: |
-          php /tmp/moko-platform-api/cli/manifest_read.php --path . --github-output
-          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1 || true)
-          MOD_FILE=$(find . -maxdepth 4 -name "mod*.class.php" ! -path "./.git/*" -exec grep -l 'extends DolibarrModules' {} \; 2>/dev/null | head -1 || true)
-          echo "manifest=${MANIFEST}" >> "$GITHUB_OUTPUT"
-          echo "mod_file=${MOD_FILE}" >> "$GITHUB_OUTPUT"
-
-      - name: "Step 1: Read version"
-        id: version
-        run: |
-          VERSION=$(php /tmp/moko-platform-api/cli/version_read.php --path .)
-          if [ -z "$VERSION" ]; then
-            echo "::error::No VERSION in README.md"
-            echo "skip=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          MAJOR=$(echo "$VERSION" | cut -d. -f1)
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "release_tag=v${MAJOR}" >> "$GITHUB_OUTPUT"
-          echo "skip=false" >> "$GITHUB_OUTPUT"
-          echo "branch=version/${MAJOR}" >> "$GITHUB_OUTPUT"
-
-      - name: "Step 1b: Bump version"
-        id: bump
-        if: steps.version.outputs.skip != 'true'
-        run: |
-          MOKO_API="/tmp/moko-platform-api/cli"
-          BUMP=$(php ${MOKO_API}/version_bump.php --path . --minor)
-          VERSION=$(echo "$BUMP" | grep -oP '\d{2}\.\d{2}\.\d{2}$' || true)
-          [ -z "$VERSION" ] && VERSION=$(php ${MOKO_API}/version_read.php --path .)
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "Bumped to: ${VERSION}"
-
-      - name: Check if already released
-        if: steps.version.outputs.skip != 'true'
-        id: check
-        run: |
-          TAG="${{ steps.version.outputs.release_tag }}"
-          BRANCH="${{ steps.version.outputs.branch }}"
-
-          TAG_EXISTS=false
-          BRANCH_EXISTS=false
-
-          git rev-parse "$TAG" >/dev/null 2>&1 && TAG_EXISTS=true
-          git ls-remote --heads origin "$BRANCH" 2>/dev/null | grep -q "$BRANCH" && BRANCH_EXISTS=true
-
-          echo "tag_exists=$TAG_EXISTS" >> "$GITHUB_OUTPUT"
-          echo "branch_exists=$BRANCH_EXISTS" >> "$GITHUB_OUTPUT"
-
-          # Tag and branch may persist across patch releases — never skip
-          echo "already_released=false" >> "$GITHUB_OUTPUT"
-
-      # -- SANITY CHECKS -------------------------------------------------------
-      - name: "Sanity: Pre-release validation"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.check.outputs.already_released != 'true'
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          ERRORS=0
-
-          PLATFORM="${{ steps.platform.outputs.platform }}"
-          MANIFEST="${{ steps.platform.outputs.manifest }}"
-          MOD_FILE="${{ steps.platform.outputs.mod_file }}"
-          echo "## Pre-Release Sanity Checks (${PLATFORM})" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-
-          # -- Version drift check (must pass before release) --------
-          README_VER=$(sed -n 's/.*VERSION:[[:space:]]*\([0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\).*/\1/p' README.md 2>/dev/null | head -1)
-          if [ "$README_VER" != "$VERSION" ]; then
-            echo "- Version drift: README says \`${README_VER}\` but releasing \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
-            ERRORS=$((ERRORS+1))
-          else
-            echo "- Version consistent: \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
-          fi
-
-          # Check CHANGELOG version matches
-          CL_VER=$(sed -n 's/.*VERSION:[[:space:]]*\([0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\).*/\1/p' CHANGELOG.md 2>/dev/null | head -1)
-          if [ -n "$CL_VER" ] && [ "$CL_VER" != "$VERSION" ]; then
-            echo "- CHANGELOG drift: \`${CL_VER}\` != \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
-            ERRORS=$((ERRORS+1))
-          fi
-
-          # Check composer.json version if present
-          if [ -f "composer.json" ]; then
-            COMP_VER=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' composer.json 2>/dev/null | head -1)
-            if [ -n "$COMP_VER" ] && [ "$COMP_VER" != "$VERSION" ]; then
-              echo "- composer.json drift: \`${COMP_VER}\` != \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
-              ERRORS=$((ERRORS+1))
-            fi
-          fi
-
-          # Common checks
-          if [ ! -f "LICENSE" ]; then
-            echo "- Missing LICENSE file" >> $GITHUB_STEP_SUMMARY
-            ERRORS=$((ERRORS+1))
-          else
-            echo "- LICENSE present" >> $GITHUB_STEP_SUMMARY
-          fi
-
-          if [ ! -d "src" ] && [ ! -d "htdocs" ]; then
-            echo "- Warning: No src/ or htdocs/ directory" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "- Source directory present" >> $GITHUB_STEP_SUMMARY
-          fi
-
-          # -- Platform-specific checks --------
-          case "$PLATFORM" in
-            joomla)
-              if [ -n "$MANIFEST" ]; then
-                XML_VER=$(sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$MANIFEST" 2>/dev/null | head -1)
-                if [ -n "$XML_VER" ] && [ "$XML_VER" != "$VERSION" ]; then
-                  echo "- Manifest drift: \`${XML_VER}\` != \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
-                  ERRORS=$((ERRORS+1))
-                else
-                  echo "- Manifest version: \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
-                fi
-                TYPE=$(sed -n 's/.*<extension[^>]*type="\([^"]*\)".*/\1/p' "$MANIFEST" 2>/dev/null)
-                echo "- Extension type: ${TYPE:-unknown}" >> $GITHUB_STEP_SUMMARY
-              else
-                echo "- No Joomla XML manifest (WaaS site)" >> $GITHUB_STEP_SUMMARY
-              fi ;;
-            dolibarr)
-              if [ -n "$MOD_FILE" ]; then
-                MOD_VER=$(sed -n "s/.*\\\$this->version = '\([^']*\)'.*/\1/p" "$MOD_FILE" 2>/dev/null | head -1)
-                if [ -n "$MOD_VER" ] && [ "$MOD_VER" != "$VERSION" ]; then
-                  echo "- Module drift: \`${MOD_VER}\` != \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
-                  ERRORS=$((ERRORS+1))
-                else
-                  echo "- Module version: \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
-                fi
-              else
-                echo "- No mod*.class.php found" >> $GITHUB_STEP_SUMMARY
-                ERRORS=$((ERRORS+1))
-              fi
-              if [ ! -f "update.txt" ]; then
-                echo "- Missing update.txt" >> $GITHUB_STEP_SUMMARY
-                ERRORS=$((ERRORS+1))
-              fi ;;
-            *) echo "- Generic platform � no manifest checks" >> $GITHUB_STEP_SUMMARY ;;
-          esac
-
-          echo "" >> $GITHUB_STEP_SUMMARY
-          if [ "$ERRORS" -gt 0 ]; then
-            echo "**${ERRORS} error(s) — release may be incomplete**" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "**All sanity checks passed**" >> $GITHUB_STEP_SUMMARY
-          fi
-
-      # -- STEP 2: Create or update version/XX.YY archive branch ---------------
-      # Always runs — every version change on main archives to version/XX.YY
-      - name: "Step 2: Version archive branch"
-        if: steps.check.outputs.already_released != 'true'
-        run: |
-          BRANCH="${{ steps.version.outputs.branch }}"
-          IS_MINOR="${{ steps.version.outputs.is_minor }}"
-          PATCH="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          PATCH_NUM=$(echo "$PATCH" | awk -F. '{print $3}')
-
-          # Check if branch exists
-          if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
-            git push origin HEAD:"$BRANCH" --force
-            echo "Updated archive branch: ${BRANCH} (patch ${PATCH_NUM})" >> $GITHUB_STEP_SUMMARY
-          else
-            git checkout -b "$BRANCH" 2>/dev/null || git checkout "$BRANCH"
-            git push origin "$BRANCH" --force
-            echo "Created archive branch: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
-          fi
-
-      # -- STEP 3: Set platform version ----------------------------------------
-      - name: "Step 3: Set platform version"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.check.outputs.already_released != 'true'
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          php /tmp/moko-platform-api/cli/version_set_platform.php \
-            --path . --version "$VERSION" --branch main
-
-      # -- STEP 4: Update version badges ----------------------------------------
-      - name: "Step 4: Update version badges"
-        if: steps.version.outputs.skip != 'true'
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          php /tmp/moko-platform-api/cli/badge_update.php --path . --version "${VERSION}" 2>/dev/null || true
-
-      - name: "Step 5: Write update stream"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.platform.outputs.platform == 'joomla'
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          php /tmp/moko-platform-api/cli/updates_xml_build.php \
-            --path . --version "${VERSION}" --stability stable \
-            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
-            --github-output
-
-      - name: Commit release changes
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.check.outputs.already_released != 'true'
-        run: |
-          if git diff --quiet && git diff --cached --quiet; then
-            echo "No changes to commit"
-            exit 0
-          fi
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          # Set push URL with token for branch-protected repos
-          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-          git add -A
-          git commit -m "chore(release): build ${VERSION} [skip ci]" \
-            --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
-          git push -u origin HEAD
-
-      # -- STEP 6: Create tag ---------------------------------------------------
-      - name: "Step 6: Create git tag"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.check.outputs.tag_exists != 'true' &&
-          steps.version.outputs.is_minor == 'true'
-        run: |
-          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
-          # Only create the major release tag if it doesn't exist yet
-          if ! git rev-parse "$RELEASE_TAG" >/dev/null 2>&1; then
-            git tag "$RELEASE_TAG"
-            git push origin "$RELEASE_TAG"
-            echo "Tag created: ${RELEASE_TAG}" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "Tag ${RELEASE_TAG} already exists" >> $GITHUB_STEP_SUMMARY
-          fi
-          echo "Tag: ${TAG}" >> $GITHUB_STEP_SUMMARY
-
-      # -- STEP 7: Create or update Gitea Release --------------------------------
-      - name: "Step 7: Gitea Release"
-        if: >-
-          steps.version.outputs.skip != 'true'
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
-          BRANCH="${{ steps.version.outputs.branch }}"
-          MAJOR="${{ steps.version.outputs.major }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-
-          # Reuse metadata from Step 5 (single source of truth)
-          EXT_ELEMENT="${{ steps.updates.outputs.ext_element }}"
-          EXT_NAME="${{ steps.updates.outputs.ext_name }}"
-          EXT_TYPE="${{ steps.updates.outputs.ext_type }}"
-          EXT_FOLDER="${{ steps.updates.outputs.ext_folder }}"
-
-          # Fallbacks if Step 5 was skipped
-          if [ -z "$EXT_ELEMENT" ]; then
-            EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
-          fi
-          [ -z "$EXT_NAME" ] && EXT_NAME="${GITEA_REPO}"
-
-          NOTES=$(php /tmp/moko-platform-api/cli/release_notes.php --path . --version "$VERSION" 2>/dev/null)
-          [ -z "$NOTES" ] && NOTES="Release ${VERSION}"
-
-          # Build release name: "Pretty Name VERSION (type_element-VERSION)"
-          TYPE_PREFIX=""
-          case "${EXT_TYPE}" in
-            plugin)    TYPE_PREFIX="plg_${EXT_FOLDER}_" ;;
-            module)    TYPE_PREFIX="mod_" ;;
-            component) TYPE_PREFIX="com_" ;;
-            template)  TYPE_PREFIX="tpl_" ;;
-            library)   TYPE_PREFIX="lib_" ;;
-            package)   TYPE_PREFIX="pkg_" ;;
-          esac
-          RELEASE_NAME="${EXT_NAME} ${VERSION} (${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION})"
-
-          # Delete existing release if present (overwrite, not append)
-          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
-          EXISTING_ID=$(echo "$EXISTING" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('id',''))" 2>/dev/null || true)
-
-          if [ -n "$EXISTING_ID" ]; then
-            curl -sS -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-              "${API_BASE}/releases/${EXISTING_ID}" 2>/dev/null || true
-            curl -sS -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-              "${API_BASE}/tags/${RELEASE_TAG}" 2>/dev/null || true
-            echo "Deleted previous stable release (id: ${EXISTING_ID})"
-          fi
-
-          # Create fresh release
-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-            -H "Content-Type: application/json" \
-            "${API_BASE}/releases" \
-            -d "$(python3 -c "import json; print(json.dumps({
-              'tag_name': '${RELEASE_TAG}',
-              'name': '${RELEASE_NAME}',
-              'body': '''## ${VERSION} ($(date +%Y-%m-%d))\n${NOTES}''',
-              'target_commitish': '${BRANCH}'
-            }))")"
-          echo "Release created: ${RELEASE_NAME}" >> $GITHUB_STEP_SUMMARY
-
-      # -- STEP 8: Build Joomla install ZIP + SHA-256 checksum ------------------
-      - name: "Step 8: Build package and update checksum"
-        if: >-
-          steps.version.outputs.skip != 'true'
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
-          REPO="${{ github.repository }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-
-          # All ZIPs upload to the major release tag (vXX)
-          RELEASE_JSON=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
-          RELEASE_ID=$(echo "$RELEASE_JSON" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
-          if [ -z "$RELEASE_ID" ]; then
-            echo "No release ${RELEASE_TAG} found — skipping ZIP upload"
-            exit 0
-          fi
-
-          # Find extension element name from manifest
-          MANIFEST=$(find . -maxdepth 2 -name "*.xml" -exec grep -l '<extension' {} \; 2>/dev/null | head -1 || true)
-          [ -z "$MANIFEST" ] && exit 0
-
-          # Reuse element from Step 5, with same fallback chain
-          EXT_ELEMENT="${{ steps.updates.outputs.ext_element }}"
-          if [ -z "$EXT_ELEMENT" ]; then
-            EXT_ELEMENT=$(sed -n 's/.*<element>\([^<]*\)<\/element>.*/\1/p' "$MANIFEST" 2>/dev/null | head -1)
-            [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(sed -n 's/.*plugin="\([^"]*\)".*/\1/p' "$MANIFEST" 2>/dev/null | head -1)
-            [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(basename "$MANIFEST" .xml | tr '[:upper:]' '[:lower:]')
-            [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
-          fi
-          # ZIP name: type_folder_element-VERSION (e.g. plg_system_mokojgdpc-01.01.00.zip)
-          EXT_TYPE=$(sed -n 's/.*<extension[^>]*type="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
-          EXT_FOLDER=$(sed -n 's/.*<extension[^>]*group="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
-          TYPE_PREFIX=""
-          case "${EXT_TYPE}" in
-            plugin)    TYPE_PREFIX="plg_${EXT_FOLDER}_" ;;
-            module)    TYPE_PREFIX="mod_" ;;
-            component) TYPE_PREFIX="com_" ;;
-            template)  TYPE_PREFIX="tpl_" ;;
-            library)   TYPE_PREFIX="lib_" ;;
-            package)   TYPE_PREFIX="pkg_" ;;
-          esac
-          ZIP_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.zip"
-          TAR_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.tar.gz"
-
-          # -- Build install packages from src/ ----------------------------
-          SOURCE_DIR="src"
-          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
-          [ ! -d "$SOURCE_DIR" ] && { echo "No src/ or htdocs/"; exit 0; }
-
-          # ZIP package (type-aware via moko-platform PHP API)
-          php /tmp/moko-platform-api/cli/joomla_build.php             --path . --version "${VERSION}" --output /tmp
-          # Match the expected ZIP_NAME for upload
-          BUILT_ZIP=$(ls /tmp/${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.zip 2>/dev/null | head -1 || true)
-          if [ -n "$BUILT_ZIP" ] && [ "$BUILT_ZIP" != "/tmp/${ZIP_NAME}" ]; then
-            mv "$BUILT_ZIP" "/tmp/${ZIP_NAME}"
-          fi
-
-          # tar.gz package (flat source archive)
-          tar -czf "/tmp/${TAR_NAME}" -C "$SOURCE_DIR"             --exclude='.ftpignore' --exclude='sftp-config*'             --exclude='*.ppk' --exclude='*.pem' --exclude='*.key' --exclude='.env*' .
-
-          ZIP_SIZE=$(stat -c%s "/tmp/${ZIP_NAME}" 2>/dev/null || stat -f%z "/tmp/${ZIP_NAME}" 2>/dev/null || echo "unknown")
-          TAR_SIZE=$(stat -c%s "/tmp/${TAR_NAME}" 2>/dev/null || stat -f%z "/tmp/${TAR_NAME}" 2>/dev/null || echo "unknown")
-
-          # -- Calculate SHA-256 for both ----------------------------------
-          SHA256_ZIP=$(sha256sum "/tmp/${ZIP_NAME}" | cut -d' ' -f1)
-          SHA256_TAR=$(sha256sum "/tmp/${TAR_NAME}" | cut -d' ' -f1)
-
-          # -- Delete existing assets with same name before uploading ------
-          ASSETS=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-            "${API_BASE}/releases/${RELEASE_ID}/assets" 2>/dev/null || echo "[]")
-          for ASSET_NAME in "$ZIP_NAME" "$TAR_NAME"; do
-            ASSET_ID=$(echo "$ASSETS" | python3 -c "
-          import sys,json
-          assets = json.load(sys.stdin)
-          for a in assets:
-              if a['name'] == '${ASSET_NAME}':
-                  print(a['id']); break
-          " 2>/dev/null || true)
-            if [ -n "$ASSET_ID" ]; then
-              curl -sf -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-                "${API_BASE}/releases/${RELEASE_ID}/assets/${ASSET_ID}" 2>/dev/null || true
-            fi
-          done
-
-          # -- Upload both to release tag ----------------------------------
-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-            -H "Content-Type: application/octet-stream" \
-            --data-binary @"/tmp/${ZIP_NAME}" \
-            "${API_BASE}/releases/${RELEASE_ID}/assets?name=${ZIP_NAME}" > /dev/null 2>&1 || true
-
-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-            -H "Content-Type: application/octet-stream" \
-            --data-binary @"/tmp/${TAR_NAME}" \
-            "${API_BASE}/releases/${RELEASE_ID}/assets?name=${TAR_NAME}" > /dev/null 2>&1 || true
-
-          # -- Update updates.xml with both download formats ---------------
-          if [ -f "updates.xml" ]; then
-            ZIP_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${ZIP_NAME}"
-            TAR_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${TAR_NAME}"
-
-            # Use Python to update only the stable entry's downloads + sha256
-            export PY_ZIP_URL="$ZIP_URL" PY_TAR_URL="$TAR_URL" PY_SHA="$SHA256_ZIP"
-            python3 << 'PYEOF'
-          import re, os
-
-          with open("updates.xml") as f:
-              content = f.read()
-
-          zip_url = os.environ["PY_ZIP_URL"]
-          tar_url = os.environ["PY_TAR_URL"]
-          sha = os.environ["PY_SHA"]
-
-          # Find the stable update block and replace its downloads + sha256
-          def replace_stable(m):
-              block = m.group(0)
-              # Replace downloads block
-              new_downloads = (
-                  "    <downloads>\n"
-                  f"      <downloadurl type=\"full\" format=\"zip\">{zip_url}</downloadurl>\n"
-                  "    </downloads>"
-              )
-              block = re.sub(r'    <downloads>.*?</downloads>', new_downloads, block, flags=re.DOTALL)
-              # Add or replace sha256
-              if '<sha256>' in block:
-                  block = re.sub(r'    <sha256>.*?</sha256>', f'    <sha256>{sha}</sha256>', block)
-              else:
-                  block = block.replace('</downloads>', f'</downloads>\n    <sha256>{sha}</sha256>')
-              return block
-
-          content = re.sub(
-              r'  <update>.*?<tag>stable</tag>.*?</update>',
-              replace_stable,
-              content,
-              flags=re.DOTALL
-          )
-
-          with open("updates.xml", "w") as f:
-              f.write(content)
-          PYEOF
-
-            CURRENT_BRANCH="${{ github.ref_name }}"
-            git add updates.xml
-            git commit -m "chore(release): ZIP + tar.gz for ${VERSION} [skip ci]" \
-              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>" || true
-            git push || true
-
-            # Sync updates.xml to main via direct API (always runs — may be on version/XX branch)
-            GA_TOKEN="${{ secrets.GA_TOKEN }}"
-            API="${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}"
-
-            FILE_SHA=$(curl -sf -H "Authorization: token ${GA_TOKEN}" \
-              "${API}/contents/updates.xml?ref=main" | jq -r '.sha // empty')
-
-            if [ -n "$FILE_SHA" ]; then
-              CONTENT=$(base64 -w0 updates.xml)
-              curl -sf -X PUT -H "Authorization: token ${GA_TOKEN}" \
-                -H "Content-Type: application/json" \
-                "${API}/contents/updates.xml" \
-                -d "$(jq -n \
-                  --arg content "$CONTENT" \
-                  --arg sha "$FILE_SHA" \
-                  --arg msg "chore: sync updates.xml ${VERSION} [skip ci]" \
-                  --arg branch "main" \
-                  '{content: $content, sha: $sha, message: $msg, branch: $branch}'
-                )" > /dev/null 2>&1 \
-                && echo "updates.xml synced to main via API" \
-                || echo "WARNING: failed to sync updates.xml to main"
-            else
-              echo "WARNING: could not get updates.xml SHA from main"
-            fi
-          fi
-
-          echo "### Packages" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "| Package | Size | SHA-256 |" >> $GITHUB_STEP_SUMMARY
-          echo "|---------|------|---------|" >> $GITHUB_STEP_SUMMARY
-          echo "| \`${ZIP_NAME}\` | ${ZIP_SIZE} | \`${SHA256_ZIP}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| \`${TAR_NAME}\` | ${TAR_SIZE} | \`${SHA256_TAR}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Release | \`${RELEASE_TAG}\` | |" >> $GITHUB_STEP_SUMMARY
-          echo "| Download | [${ZIP_NAME}](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${ZIP_NAME}) |" >> $GITHUB_STEP_SUMMARY
-
-      # -- STEP 8b: Update release description with changelog + SHA ----------------
-      - name: "Step 8b: Update release body with changelog and SHA"
-        if: steps.version.outputs.skip != 'true'
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          EXT_ELEMENT="${{ steps.updates.outputs.ext_element }}"
-          EXT_TYPE="${{ steps.updates.outputs.ext_type }}"
-          EXT_FOLDER="${{ steps.updates.outputs.ext_folder }}"
-
-          # Build TYPE_PREFIX to match Step 8's ZIP naming
-          TYPE_PREFIX=""
-          case "${EXT_TYPE}" in
-            plugin)    TYPE_PREFIX="plg_${EXT_FOLDER}_" ;;
-            module)    TYPE_PREFIX="mod_" ;;
-            component) TYPE_PREFIX="com_" ;;
-            template)  TYPE_PREFIX="tpl_" ;;
-            library)   TYPE_PREFIX="lib_" ;;
-            package)   TYPE_PREFIX="pkg_" ;;
-          esac
-          ZIP_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.zip"
-          TAR_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.tar.gz"
-
-          # Get SHA from the built files
-          SHA256_ZIP=""
-          [ -f "/tmp/${ZIP_NAME}" ] && SHA256_ZIP=$(sha256sum "/tmp/${ZIP_NAME}" | cut -d' ' -f1)
-          SHA256_TAR=""
-          [ -f "/tmp/${TAR_NAME}" ] && SHA256_TAR=$(sha256sum "/tmp/${TAR_NAME}" | cut -d' ' -f1)
-
-          # Extract latest changelog entry (strip the ## header to avoid duplicate)
-          CHANGELOG=""
-          if [ -f "CHANGELOG.md" ]; then
-            CHANGELOG=$(sed -n "/^## \[*${VERSION}/,/^## \[*[0-9]/p" CHANGELOG.md | sed '$d' | sed '1d')
-            [ -z "$CHANGELOG" ] && CHANGELOG=$(sed -n '/^## /,/^## /p' CHANGELOG.md | sed '$d' | sed '1d' | head -30)
-          fi
-
-          # Build release body (single header, no duplicate from changelog)
-          BODY="## ${VERSION} ($(date +%Y-%m-%d))\n\n"
-          if [ -n "$CHANGELOG" ]; then
-            BODY="${BODY}${CHANGELOG}\n\n"
-          fi
-          BODY="${BODY}---\n\n### Checksums\n\n"
-          BODY="${BODY}| File | SHA-256 |\n|------|--------|\n"
-          [ -n "$SHA256_ZIP" ] && BODY="${BODY}| \`${ZIP_NAME}\` | \`${SHA256_ZIP}\` |\n"
-          [ -n "$SHA256_TAR" ] && BODY="${BODY}| \`${TAR_NAME}\` | \`${SHA256_TAR}\` |\n"
-
-          # Get release ID and update body
-          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null | \
-            python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
-
-          if [ -n "$RELEASE_ID" ] && [ "$RELEASE_ID" != "None" ]; then
-            python3 -c "
-          import json, urllib.request
-          body = '''$(printf '%b' "$BODY")'''
-          data = json.dumps({'body': body}).encode()
-          req = urllib.request.Request(
-              '${API_BASE}/releases/${RELEASE_ID}',
-              data=data,
-              headers={'Authorization': 'token ${{ secrets.GA_TOKEN }}', 'Content-Type': 'application/json'},
-              method='PATCH'
-          )
-          urllib.request.urlopen(req)
-          " 2>/dev/null && echo "Release body updated with changelog + SHA" >> $GITHUB_STEP_SUMMARY
-          fi
-
-      # -- STEP 9: Mirror to GitHub (stable only) --------------------------------
-      - name: "Step 9: Mirror release to GitHub"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.version.outputs.stability == 'stable' &&
-          secrets.GH_TOKEN != ''
-        continue-on-error: true
-        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN }}
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
-          MAJOR="${{ steps.version.outputs.major }}"
-          BRANCH="${{ steps.version.outputs.branch }}"
-          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
-
-          NOTES=$(php /tmp/moko-platform-api/cli/release_notes.php --path . --version "$VERSION" 2>/dev/null || true)
-          [ -z "$NOTES" ] && NOTES="Release ${VERSION}"
-          echo "$NOTES" > /tmp/release_notes.md
-
-          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".tag_name // empty" || true)
-
-          if [ -z "$EXISTING" ]; then
-            gh release create "$RELEASE_TAG" \
-              --repo "$GH_REPO" \
-              --title "v${MAJOR} (latest: ${VERSION})" \
-              --notes-file /tmp/release_notes.md \
-              --target "$BRANCH" || true
-          else
-            gh release edit "$RELEASE_TAG" \
-              --repo "$GH_REPO" \
-              --title "v${MAJOR} (latest: ${VERSION})" || true
-          fi
-
-          # Upload assets to GitHub mirror
-          for PKG in /tmp/${EXT_ELEMENT:-pkg}-${VERSION}.*; do
-            if [ -f "$PKG" ]; then
-              _RELID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".id // empty")
-              [ -n "$_RELID" ] && curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" -H "Content-Type: application/octet-stream" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/${_RELID}/assets?name=$(basename $PKG)" --data-binary "@$PKG" > /dev/null 2>&1 || true
-            fi
-          done
-          echo "GitHub mirror updated: ${GH_REPO} ${RELEASE_TAG}" >> $GITHUB_STEP_SUMMARY
-
-      # -- STEP 10: Sync main branch to GitHub mirror ----------------------------
-      - name: "Step 10: Push main to GitHub mirror"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          secrets.GH_TOKEN != ''
-        continue-on-error: true
-        run: |
-          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
-          GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
-          GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
-          git remote add github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
-            git remote set-url github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
-          git fetch origin main --depth=1
-          git push github origin/main:refs/heads/main --force 2>/dev/null \
-            && echo "main branch pushed to GitHub mirror" \
-            || echo "WARNING: GitHub mirror push failed"
-
-      # -- Clean up lesser pre-releases (cascade) ---------------------------------
-      # stable → deletes all | rc → beta,alpha,dev | beta → alpha,dev | alpha → dev
-      - name: "Delete lesser pre-release channels"
-        continue-on-error: true
-        run: |
-          php /tmp/moko-platform-api/cli/release_cascade.php \
-            --stability stable \
-            --token "${{ secrets.GA_TOKEN }}" \
-            --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
-            --gitea-url "${GITEA_URL}" 2>/dev/null || true
-
-      - name: "Step 11: Delete and recreate dev branch from main"
-        if: steps.version.outputs.skip != 'true'
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
-
-          # Delete dev branch
-          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
-            "${API_BASE}/branches/dev" 2>/dev/null && echo "Deleted dev branch"
-
-          # Recreate dev from main (now includes version bump + changelog promotion)
-          curl -sf -X POST -H "Authorization: token ${TOKEN}" \
-            -H "Content-Type: application/json" \
-            "${API_BASE}/branches" \
-            -d '{"new_branch_name":"dev","old_branch_name":"main"}' 2>/dev/null && echo "Recreated dev from main"
-
-          echo "Dev branch reset from main (keeps dev ahead after release)" >> $GITHUB_STEP_SUMMARY
-
-
-      # -- Dolibarr post-release: Reset dev version -----------------------------
-      - name: "Dolibarr: Reset dev version"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.platform.outputs.platform == 'dolibarr' &&
-          steps.platform.outputs.mod_file != ''
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
-          MOD_FILE="${{ steps.platform.outputs.mod_file }}"
-          ENCODED_PATH=$(echo "$MOD_FILE" | sed 's|^\./||' | python3 -c "import sys,urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip()))")
-          FILE_RESP=$(curl -sf -H "Authorization: token ${TOKEN}" "${API_BASE}/contents/${ENCODED_PATH}?ref=dev" 2>/dev/null || true)
-          FILE_SHA=$(echo "$FILE_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin).get('sha',''))" 2>/dev/null || true)
-          FILE_CONTENT=$(echo "$FILE_RESP" | python3 -c "import sys,json,base64; print(base64.b64decode(json.load(sys.stdin).get('content','')).decode())" 2>/dev/null || true)
-          if [ -n "$FILE_SHA" ] && [ -n "$FILE_CONTENT" ]; then
-            UPDATED=$(echo "$FILE_CONTENT" | sed "s/\$this->version = '[^']*'/\$this->version = 'development'/")
-            ENCODED=$(echo "$UPDATED" | base64 -w0)
-            curl -sf -X PUT -H "Authorization: token ${TOKEN}" -H "Content-Type: application/json" "${API_BASE}/contents/${ENCODED_PATH}" \
-              -d "$(jq -n --arg content \"$ENCODED\" --arg sha \"$FILE_SHA\" --arg msg \"chore(version): reset dev version [skip ci]\" --arg branch \"dev\" '{content:$content,sha:$sha,message:$msg,branch:$branch}')" > /dev/null 2>&1 || true
-          fi
-
-      # -- Summary --------------------------------------------------------------
-      - name: Pipeline Summary
-        if: always()
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          PLATFORM="${{ steps.platform.outputs.platform }}"
-          if [ "${{ steps.version.outputs.skip }}" = "true" ]; then
-            echo "## Release Skipped" >> $GITHUB_STEP_SUMMARY
-            echo "No VERSION in README.md" >> $GITHUB_STEP_SUMMARY
-          elif [ "${{ steps.check.outputs.already_released }}" = "true" ]; then
-            echo "## Already Released — ${VERSION}" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "## Build & Release Complete (${PLATFORM})" >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "| Step | Result |" >> $GITHUB_STEP_SUMMARY
-            echo "|------|--------|" >> $GITHUB_STEP_SUMMARY
-            echo "| Platform | \`${PLATFORM}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Branch | \`${{ steps.version.outputs.branch }}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Tag | \`${{ steps.version.outputs.tag }}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Release | [View](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${{ steps.version.outputs.tag }}) |" >> $GITHUB_STEP_SUMMARY
-          fi
@@ -0,0 +1,48 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Universal
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# PATH: /.mokogitea/workflows/branch-cleanup.yml
+# VERSION: 01.00.00
+# BRIEF: Delete feature branches after PR merge
+
+name: "Branch Cleanup"
+
+on:
+  pull_request:
+    types: [closed]
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  cleanup:
+    name: Delete merged branch
+    runs-on: ubuntu-latest
+    if: >-
+      github.event.pull_request.merged == true &&
+      github.event.pull_request.head.ref != 'dev' &&
+      github.event.pull_request.head.ref != 'main'
+
+    steps:
+      - name: Delete source branch
+        run: |
+          BRANCH="${{ github.event.pull_request.head.ref }}"
+          API="${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}/api/v1/repos/${{ github.repository }}/branches"
+          ENCODED=$(php -r "echo rawurlencode('${BRANCH}');")
+
+          STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X DELETE \
+            -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
+            "${API}/${ENCODED}" 2>/dev/null || true)
+
+          if [ "$STATUS" = "204" ]; then
+            echo "Deleted branch: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
+          elif [ "$STATUS" = "404" ]; then
+            echo "Branch already deleted: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "::warning::Failed to delete branch ${BRANCH} (HTTP ${STATUS})"
+          fi
@@ -5,6 +5,9 @@
 name: Deploy MokoGitea

 on:
+  push:
+    branches:
+      - main
  workflow_dispatch:
    inputs:
      version:
@@ -36,11 +39,23 @@ jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
+      - name: Checkout source (for version detection)
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
      - name: Determine settings
        id: config
        run: |
-          VERSION="${{ github.event.inputs.version }}"
-          ENV="${{ github.event.inputs.environment }}"
+          # On push to main, auto-deploy to production with git-derived version.
+          # On workflow_dispatch, use the provided inputs.
+          if [ "${{ github.event_name }}" = "push" ]; then
+            VERSION=$(git describe --tags --always 2>/dev/null || echo "dev-$(git rev-parse --short HEAD)")
+            ENV="production"
+          else
+            VERSION="${{ github.event.inputs.version }}"
+            ENV="${{ github.event.inputs.environment }}"
+          fi

          if [ "$ENV" = "production" ]; then
            echo "compose_dir=/opt/gitea" >> $GITHUB_OUTPUT
@@ -88,6 +103,17 @@ jobs:

          $SSH_CMD "echo 'SSH connected'"

+          # Pre-deploy cleanup: free disk and memory for the build
+          $SSH_CMD "
+            echo 'Cleaning Docker build cache and unused images...'
+            docker builder prune -af 2>/dev/null || true
+            docker image prune -af 2>/dev/null || true
+            echo 'Clearing swap...'
+            sudo swapoff -a && sudo swapon -a 2>/dev/null || true
+            echo 'Cleanup complete'
+            free -m | head -3
+          "
+
          # Pull latest source
          $SSH_CMD "
            set -e
@@ -143,10 +169,10 @@ jobs:
      - name: Update updates.xml
        if: success()
        env:
-          GITEA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          TAG: ${{ steps.config.outputs.tag }}
          INSTANCE_URL: ${{ steps.config.outputs.instance_url }}
-          DEPLOY_ENV: ${{ github.event.inputs.environment }}
+          DEPLOY_ENV: ${{ github.event.inputs.environment || 'production' }}
        run: |
          # Only update updates.xml for production stable releases
          if [ "$DEPLOY_ENV" != "production" ]; then
@@ -5,7 +5,7 @@
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: moko-platform.Automation
-# VERSION: 01.00.00
+# VERSION: 05.14.00
 # BRIEF: Auto-create feature branch when an issue is opened

 name: "Universal: Issue Branch"
@@ -28,7 +28,7 @@ jobs:
    steps:
      - name: Create branch and comment
        run: |
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
          ISSUE_NUM="${{ github.event.issue.number }}"
          ISSUE_TITLE="${{ github.event.issue.title }}"
@@ -1,90 +1,90 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# Enforces branch merge policy:
-#   feature/* → dev only
-#   fix/*     → dev only
-#   hotfix/*  → dev or main (emergency)
-#   dev       → main only
-#   alpha/*   → dev only
-#   beta/*    → dev only
-#   rc/*      → main only
-
-name: Branch Policy Check
-
-on:
-  pull_request:
-    types: [opened, synchronize, reopened, edited]
-
-jobs:
-  check-target:
-    name: Verify merge target
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check branch policy
-        run: |
-          HEAD="${{ github.head_ref }}"
-          BASE="${{ github.base_ref }}"
-
-          echo "PR: ${HEAD} → ${BASE}"
-
-          ALLOWED=true
-          REASON=""
-
-          case "$HEAD" in
-            feature/*|feat/*)
-              if [ "$BASE" != "dev" ]; then
-                ALLOWED=false
-                REASON="Feature branches must target 'dev', not '${BASE}'"
-              fi
-              ;;
-            fix/*|bugfix/*)
-              if [ "$BASE" != "dev" ]; then
-                ALLOWED=false
-                REASON="Fix branches must target 'dev', not '${BASE}'"
-              fi
-              ;;
-            hotfix/*)
-              if [ "$BASE" != "dev" ] && [ "$BASE" != "main" ]; then
-                ALLOWED=false
-                REASON="Hotfix branches can only target 'dev' or 'main', not '${BASE}'"
-              fi
-              ;;
-            alpha/*|beta/*)
-              if [ "$BASE" != "dev" ]; then
-                ALLOWED=false
-                REASON="Pre-release branches must target 'dev', not '${BASE}'"
-              fi
-              ;;
-            rc/*)
-              if [ "$BASE" != "main" ]; then
-                ALLOWED=false
-                REASON="Release candidate branches must target 'main', not '${BASE}'"
-              fi
-              ;;
-            dev)
-              if [ "$BASE" != "main" ]; then
-                ALLOWED=false
-                REASON="Dev branch can only merge into 'main', not '${BASE}'"
-              fi
-              ;;
-          esac
-
-          if [ "$ALLOWED" = false ]; then
-            echo "::error::${REASON}"
-            echo ""
-            echo "## Branch Policy Violation" >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "${REASON}" >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "### Allowed merge paths:" >> $GITHUB_STEP_SUMMARY
-            echo "- \`feature/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
-            echo "- \`fix/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
-            echo "- \`hotfix/*\` → \`dev\` or \`main\`" >> $GITHUB_STEP_SUMMARY
-            echo "- \`dev\` → \`main\`" >> $GITHUB_STEP_SUMMARY
-            echo "- \`rc/*\` → \`main\`" >> $GITHUB_STEP_SUMMARY
-            exit 1
-          fi
-
-          echo "Branch policy: OK (${HEAD} → ${BASE})"
-          echo "## Branch Policy: Passed" >> $GITHUB_STEP_SUMMARY
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# Enforces branch merge policy:
+#   feature/* → dev only
+#   fix/*     → dev only
+#   hotfix/*  → dev or main (emergency)
+#   dev       → main only
+#   alpha/*   → dev only
+#   beta/*    → dev only
+#   rc/*      → main only
+
+name: Branch Policy Check
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, edited]
+
+jobs:
+  check-target:
+    name: Verify merge target
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check branch policy
+        run: |
+          HEAD="${{ github.head_ref }}"
+          BASE="${{ github.base_ref }}"
+
+          echo "PR: ${HEAD} → ${BASE}"
+
+          ALLOWED=true
+          REASON=""
+
+          case "$HEAD" in
+            feature/*|feat/*)
+              if [ "$BASE" != "dev" ]; then
+                ALLOWED=false
+                REASON="Feature branches must target 'dev', not '${BASE}'"
+              fi
+              ;;
+            fix/*|bugfix/*)
+              if [ "$BASE" != "dev" ]; then
+                ALLOWED=false
+                REASON="Fix branches must target 'dev', not '${BASE}'"
+              fi
+              ;;
+            hotfix/*)
+              if [ "$BASE" != "dev" ] && [ "$BASE" != "main" ]; then
+                ALLOWED=false
+                REASON="Hotfix branches can only target 'dev' or 'main', not '${BASE}'"
+              fi
+              ;;
+            alpha/*|beta/*)
+              if [ "$BASE" != "dev" ]; then
+                ALLOWED=false
+                REASON="Pre-release branches must target 'dev', not '${BASE}'"
+              fi
+              ;;
+            rc/*)
+              if [ "$BASE" != "main" ]; then
+                ALLOWED=false
+                REASON="Release candidate branches must target 'main', not '${BASE}'"
+              fi
+              ;;
+            dev)
+              if [ "$BASE" != "main" ]; then
+                ALLOWED=false
+                REASON="Dev branch can only merge into 'main', not '${BASE}'"
+              fi
+              ;;
+          esac
+
+          if [ "$ALLOWED" = false ]; then
+            echo "::error::${REASON}"
+            echo ""
+            echo "## Branch Policy Violation" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "${REASON}" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "### Allowed merge paths:" >> $GITHUB_STEP_SUMMARY
+            echo "- \`feature/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`fix/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`hotfix/*\` → \`dev\` or \`main\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`dev\` → \`main\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`rc/*\` → \`main\`" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+
+          echo "Branch policy: OK (${HEAD} → ${BASE})"
+          echo "## Branch Policy: Passed" >> $GITHUB_STEP_SUMMARY
@@ -0,0 +1,236 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: moko-platform.CI
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
+# PATH: /templates/workflows/universal/pr-check.yml.template
+# VERSION: 05.00.00
+# BRIEF: PR gate — branch policy + code validation before merge
+
+name: "Universal: PR Check"
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, edited]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  # ── Branch Policy ──────────────────────────────────────────────────────
+  branch-policy:
+    name: Branch Policy
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check branch merge target
+        run: |
+          HEAD="${{ github.head_ref }}"
+          BASE="${{ github.base_ref }}"
+
+          echo "PR: ${HEAD} → ${BASE}"
+
+          ALLOWED=true
+          REASON=""
+
+          case "$HEAD" in
+            feature/*|feat/*)
+              if [ "$BASE" != "dev" ]; then
+                ALLOWED=false
+                REASON="Feature branches must target 'dev', not '${BASE}'"
+              fi
+              ;;
+            fix/*|bugfix/*)
+              if [ "$BASE" != "dev" ]; then
+                ALLOWED=false
+                REASON="Fix branches must target 'dev', not '${BASE}'"
+              fi
+              ;;
+            patch/*)
+              if [ "$BASE" != "dev" ] && [ "$BASE" != "rc" ]; then
+                ALLOWED=false
+                REASON="Patch branches must target 'dev' or 'rc', not '${BASE}'"
+              fi
+              ;;
+            hotfix/*)
+              if [ "$BASE" != "dev" ] && [ "$BASE" != "main" ]; then
+                ALLOWED=false
+                REASON="Hotfix branches can only target 'dev' or 'main', not '${BASE}'"
+              fi
+              ;;
+            rc)
+              if [ "$BASE" != "main" ]; then
+                ALLOWED=false
+                REASON="RC branch can only merge into 'main', not '${BASE}'"
+              fi
+              ;;
+            dev)
+              if [ "$BASE" != "main" ]; then
+                ALLOWED=false
+                REASON="Dev branch can only merge into 'main', not '${BASE}'"
+              fi
+              ;;
+          esac
+
+          if [ "$ALLOWED" = false ]; then
+            echo "::error::${REASON}"
+            echo "## Branch Policy Violation" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "${REASON}" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "### Allowed merge paths:" >> $GITHUB_STEP_SUMMARY
+            echo "- \`feature/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`fix/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`hotfix/*\` → \`dev\` or \`main\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`dev\` → \`main\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`rc/*\` → \`main\`" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+
+          echo "Branch policy: OK (${HEAD} → ${BASE})"
+          echo "## Branch Policy: Passed" >> $GITHUB_STEP_SUMMARY
+
+  # ── Code Validation ────────────────────────────────────────────────────
+  validate:
+    name: Validate PR
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Detect platform
+        id: platform
+        run: |
+          # Read platform from XML manifest (<platform> tag) or plain text fallback
+          PLATFORM=$(sed -n 's/.*<platform>\([^<]*\)<\/platform>.*/\1/p' .mokogitea/manifest.xml 2>/dev/null | head -1)
+          [ -z "$PLATFORM" ] && PLATFORM=$(cat .mokogitea/manifest.xml 2>/dev/null | tr -d '[:space:]')
+          [ -z "$PLATFORM" ] && PLATFORM="generic"
+          echo "platform=$PLATFORM" >> "$GITHUB_OUTPUT"
+
+      - name: Setup PHP
+        if: steps.platform.outputs.platform == 'joomla' || steps.platform.outputs.platform == 'dolibarr'
+        run: |
+          if ! command -v php &> /dev/null; then
+            sudo apt-get update -qq
+            sudo apt-get install -y -qq php-cli php-mbstring php-xml >/dev/null 2>&1
+          fi
+
+      - name: PHP syntax check
+        if: steps.platform.outputs.platform == 'joomla' || steps.platform.outputs.platform == 'dolibarr'
+        run: |
+          ERRORS=0
+          while IFS= read -r -d '' file; do
+            if ! php -l "$file" 2>&1 | grep -q "No syntax errors"; then
+              ERRORS=$((ERRORS + 1))
+            fi
+          done < <(find . -name "*.php" -not -path "./.git/*" -not -path "./vendor/*" -print0)
+          echo "PHP lint: ${ERRORS} error(s)"
+          [ "$ERRORS" -eq 0 ] || { echo "::error::PHP syntax errors found"; exit 1; }
+
+      - name: Validate platform manifest
+        run: |
+          PLATFORM="${{ steps.platform.outputs.platform }}"
+          case "$PLATFORM" in
+            joomla)
+              MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
+              if [ -z "$MANIFEST" ]; then
+                echo "::warning::No Joomla manifest found (WaaS site)"
+                exit 0
+              fi
+              echo "Manifest: ${MANIFEST}"
+              if command -v php &> /dev/null; then
+                php -r "libxml_use_internal_errors(true); \$x = simplexml_load_file('$MANIFEST'); if(!\$x){foreach(libxml_get_errors() as \$e) echo \$e->message; exit(1);}" || { echo "::error::Manifest XML is malformed"; exit 1; }
+              fi
+              for ELEMENT in name version description; do
+                grep -q "<${ELEMENT}>" "$MANIFEST" || { echo "::error::Missing <${ELEMENT}> in manifest"; exit 1; }
+              done
+              echo "Joomla manifest valid"
+              ;;
+            dolibarr)
+              MOD_FILE=$(find . -maxdepth 4 -name "mod*.class.php" ! -path "./.git/*" -exec grep -l 'extends DolibarrModules' {} \; 2>/dev/null | head -1)
+              if [ -z "$MOD_FILE" ]; then
+                echo "::error::No mod*.class.php found"
+                exit 1
+              fi
+              echo "Dolibarr module: ${MOD_FILE}"
+              ;;
+            *)
+              echo "Generic platform — no manifest validation"
+              ;;
+          esac
+
+      - name: Check update stream format
+        run: |
+          PLATFORM="${{ steps.platform.outputs.platform }}"
+          case "$PLATFORM" in
+            joomla)
+              if [ -f "updates.xml" ]; then
+                if command -v php &> /dev/null; then
+                  php -r "libxml_use_internal_errors(true); \$x = simplexml_load_file('updates.xml'); if(!\$x){foreach(libxml_get_errors() as \$e) echo \$e->message; exit(1);}" || { echo "::error::updates.xml is malformed"; exit 1; }
+                fi
+                echo "updates.xml valid"
+              fi
+              ;;
+            dolibarr)
+              [ -f "update.txt" ] && echo "update.txt present" || echo "::warning::No update.txt"
+              ;;
+          esac
+
+      - name: Check changelog has unreleased entry
+        run: |
+          if [ ! -f "CHANGELOG.md" ]; then
+            echo "::warning::No CHANGELOG.md found"
+            exit 0
+          fi
+          # Check for content under [Unreleased] section
+          if ! grep -q "## \[Unreleased\]" CHANGELOG.md; then
+            echo "::error::CHANGELOG.md missing [Unreleased] section"
+            exit 1
+          fi
+          # Check there's at least one entry (Added/Changed/Fixed/Removed) under Unreleased
+          UNRELEASED_CONTENT=$(sed -n '/## \[Unreleased\]/,/## \[/p' CHANGELOG.md | grep -cE '^\s*-\s' || true)
+          if [ "$UNRELEASED_CONTENT" -eq 0 ]; then
+            echo "::error::CHANGELOG.md [Unreleased] section has no entries. Add a changelog entry describing your changes."
+            echo "## Changelog Check: Failed" >> $GITHUB_STEP_SUMMARY
+            echo "The \`[Unreleased]\` section in CHANGELOG.md has no entries." >> $GITHUB_STEP_SUMMARY
+            echo "Add a line like \`- Description of your change\` under a heading (\`### Added\`, \`### Changed\`, \`### Fixed\`, etc.)" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+          echo "Changelog: ${UNRELEASED_CONTENT} entry/entries in [Unreleased]"
+
+      - name: Verify package source
+        run: |
+          SOURCE_DIR="src"
+          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
+          if [ ! -d "$SOURCE_DIR" ]; then
+            echo "::warning::No src/ or htdocs/ directory"
+            exit 0
+          fi
+          FILE_COUNT=$(find "$SOURCE_DIR" -type f | wc -l)
+          echo "Source: ${FILE_COUNT} files"
+          [ "$FILE_COUNT" -gt 0 ] || { echo "::error::Source directory is empty"; exit 1; }
+
+  # ── Pre-Release RC Build ─────────────────────────────────────────────────
+  pre-release:
+    name: Build RC Package
+    runs-on: ubuntu-latest
+    needs: [branch-policy, validate]
+
+    steps:
+      - name: Trigger RC pre-release
+        env:
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+          REPO: ${{ github.repository }}
+          BRANCH: ${{ github.head_ref }}
+          GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+        run: |
+          curl -s -X POST             "${GITEA_URL}/api/v1/repos/${REPO}/actions/workflows/pre-release.yml/dispatches"             -H "Authorization: token ${GITEA_TOKEN}"             -H "Content-Type: application/json"             -d "{\"ref\":\"${BRANCH}\",\"inputs\":{\"stability\":\"release-candidate\"}}"
+          echo "### Pre-Release" >> $GITHUB_STEP_SUMMARY
+          echo "Triggered RC build on branch \`${BRANCH}\`" >> $GITHUB_STEP_SUMMARY
@@ -108,7 +108,7 @@ jobs:
      - name: Create RC release
        if: steps.guard.outputs.skip != 'true'
        env:
-          GITEA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          RC_TAG: ${{ steps.version.outputs.tag }}
          RC_VERSION: ${{ steps.version.outputs.version }}
          PR_TITLE: ${{ github.event.pull_request.title }}
@@ -155,7 +155,7 @@ jobs:
      - name: Commit updates.xml
        if: steps.guard.outputs.skip != 'true'
        env:
-          GITEA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
          PR_NUM: ${{ github.event.pull_request.number }}
        run: |
@@ -1,375 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Release
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
-# PATH: /templates/workflows/universal/pre-release.yml.template
-# VERSION: 05.01.00
-# BRIEF: Manual pre-release -- builds dev/alpha/beta/rc packages from any branch
-
-name: "Universal: Pre-Release"
-
-on:
-  workflow_dispatch:
-    inputs:
-      stability:
-        description: 'Pre-release channel'
-        required: true
-        type: choice
-        options:
-          - development
-          - alpha
-          - beta
-          - release-candidate
-
-permissions:
-  contents: write
-
-env:
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
-  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
-
-jobs:
-  build:
-    name: "Build Pre-Release (${{ inputs.stability }})"
-    runs-on: release
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
-
-      - name: Setup tools
-        run: |
-          # Update moko-platform CLI tools if available; install PHP if missing
-          if command -v moko-platform-update &> /dev/null; then
-            moko-platform-update
-          elif [ -d "/opt/moko-platform" ]; then
-            cd /opt/moko-platform && git pull origin main --quiet 2>/dev/null || true
-          else
-            if ! command -v php &> /dev/null; then
-              sudo apt-get update -qq
-              sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl >/dev/null 2>&1
-            fi
-            git clone --depth 1 --branch main --quiet \
-              "https://x-access-token:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/moko-platform.git" \
-              /tmp/moko-platform-api
-          fi
-          # Set MOKO_CLI to whichever path exists
-          if [ -d "/opt/moko-platform/cli" ]; then
-            echo "MOKO_CLI=/opt/moko-platform/cli" >> "$GITHUB_ENV"
-          else
-            echo "MOKO_CLI=/tmp/moko-platform-api/cli" >> "$GITHUB_ENV"
-          fi
-
-      - name: Detect platform
-        id: platform
-        run: |
-          PLATFORM=$(sed -n 's/.*<platform>\([^<]*\)<\/platform>.*/\1/p' .mokogitea/manifest.xml 2>/dev/null | head -1 | tr -d '[:space:]')
-          [ -z "$PLATFORM" ] && PLATFORM="generic"
-          echo "platform=$PLATFORM" >> "$GITHUB_OUTPUT"
-          MANIFEST=$(find ./src -maxdepth 1 -name "pkg_*.xml" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
-          [ -z "$MANIFEST" ] && MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" ! -path "*/packages/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
-          [ -z "$MANIFEST" ] && MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
-          MOD_FILE=$(find . -maxdepth 4 -name "mod*.class.php" ! -path "./.git/*" -exec grep -l 'extends DolibarrModules' {} \; 2>/dev/null | head -1)
-          echo "manifest=${MANIFEST}" >> "$GITHUB_OUTPUT"
-          echo "mod_file=${MOD_FILE}" >> "$GITHUB_OUTPUT"
-
-      - name: Resolve metadata and bump version
-        id: meta
-        run: |
-          STABILITY="${{ inputs.stability }}"
-
-          case "$STABILITY" in
-            development)        SUFFIX="-dev";   TAG="development" ;;
-            alpha)              SUFFIX="-alpha"; TAG="alpha" ;;
-            beta)               SUFFIX="-beta";  TAG="beta" ;;
-            release-candidate)  SUFFIX="-rc";    TAG="release-candidate" ;;
-          esac
-
-          # Patch bump via CLI tool
-          php ${MOKO_CLI}/version_bump.php --path .
-          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null)
-          [ -z "$VERSION" ] && VERSION="00.00.01"
-          TODAY=$(date +%Y-%m-%d)
-
-          # Update platform-specific manifest
-          PLATFORM="${{ steps.platform.outputs.platform }}"
-          MANIFEST="${{ steps.platform.outputs.manifest }}"
-          MOD_FILE="${{ steps.platform.outputs.mod_file }}"
-
-          php ${MOKO_CLI}/version_set_platform.php \
-            --path . --version "$VERSION" --branch "${{ github.ref_name }}" 2>/dev/null || true
-
-          # Commit version bump
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-          git add -A
-          git diff --cached --quiet || {
-            git commit -m "chore(version): pre-release bump to ${VERSION} [skip ci]"
-            git push origin HEAD 2>&1
-          }
-
-          # Auto-detect element (platform-aware)
-          EXT_ELEMENT=""
-          case "$PLATFORM" in
-            joomla)
-              if [ -n "$MANIFEST" ]; then
-                EXT_ELEMENT=$(sed -n 's/.*<element>\([^<]*\)<\/element>.*/\1/p' "$MANIFEST" 2>/dev/null | head -1)
-                if [ -z "$EXT_ELEMENT" ]; then
-                  EXT_ELEMENT=$(basename "$MANIFEST" .xml | tr '[:upper:]' '[:lower:]')
-                  case "$EXT_ELEMENT" in
-                    templatedetails|manifest) EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -') ;;
-                  esac
-                fi
-              else
-                EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
-              fi
-              ;;
-            dolibarr)
-              if [ -n "$MOD_FILE" ]; then
-                MOD_BASENAME=$(basename "$MOD_FILE" .class.php)
-                EXT_ELEMENT=$(echo "$MOD_BASENAME" | sed 's/^mod//' | tr '[:upper:]' '[:lower:]')
-              else
-                EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
-              fi
-              ;;
-            *)
-              EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
-              ;;
-          esac
-
-          ZIP_NAME="${EXT_ELEMENT}-${VERSION}${SUFFIX}.zip"
-
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
-          echo "suffix=${SUFFIX}" >> "$GITHUB_OUTPUT"
-          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
-          echo "zip_name=${ZIP_NAME}" >> "$GITHUB_OUTPUT"
-          echo "ext_element=${EXT_ELEMENT}" >> "$GITHUB_OUTPUT"
-          echo "manifest=${MANIFEST}" >> "$GITHUB_OUTPUT"
-
-          echo "=== Pre-Release: ${EXT_ELEMENT} ${VERSION}${SUFFIX} ==="
-
-      - name: Build package
-        run: |
-          SOURCE_DIR="src"
-          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
-          if [ ! -d "$SOURCE_DIR" ]; then
-            echo "::error::No src/ or htdocs/ directory"
-            exit 1
-          fi
-
-          MANIFEST="${{ steps.meta.outputs.manifest }}"
-          EXT_TYPE=""
-          if [ -n "$MANIFEST" ]; then
-            EXT_TYPE=$(sed -n 's/.*<extension[^>]*type="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
-          fi
-
-          EXCLUDES="sftp-config* .ftpignore *.ppk *.pem *.key .env* *.local .build-trigger"
-
-          mkdir -p build/package
-
-          if [ "$EXT_TYPE" = "package" ] && [ -d "${SOURCE_DIR}/packages" ]; then
-            echo "=== Building Joomla PACKAGE (multi-extension) ==="
-            for ext_dir in "${SOURCE_DIR}"/packages/*/; do
-              [ ! -d "$ext_dir" ] && continue
-              EXT_NAME=$(basename "$ext_dir")
-              echo "  Packaging sub-extension: ${EXT_NAME}"
-              cd "$ext_dir"
-              zip -r "../../build/package/${EXT_NAME}.zip" . -x $EXCLUDES
-              cd "$OLDPWD"
-            done
-            for f in "${SOURCE_DIR}"/*.xml "${SOURCE_DIR}"/*.php; do
-              [ -f "$f" ] && cp "$f" build/package/
-            done
-          else
-            echo "=== Building standard extension ==="
-            rsync -a \
-              --exclude='sftp-config*' \
-              --exclude='.ftpignore' \
-              --exclude='*.ppk' \
-              --exclude='*.pem' \
-              --exclude='*.key' \
-              --exclude='.env*' \
-              --exclude='*.local' \
-              --exclude='.build-trigger' \
-              "${SOURCE_DIR}/" build/package/
-          fi
-
-      - name: Create ZIP
-        id: zip
-        run: |
-          ZIP_NAME="${{ steps.meta.outputs.zip_name }}"
-          cd build/package
-          zip -r "../${ZIP_NAME}" .
-          cd ..
-
-          SHA256=$(sha256sum "${ZIP_NAME}" | cut -d' ' -f1)
-          echo "sha256=${SHA256}" >> "$GITHUB_OUTPUT"
-          echo "ZIP: ${ZIP_NAME} (SHA: ${SHA256:0:16}...)"
-
-      - name: Create or replace Gitea release
-        id: release
-        run: |
-          TAG="${{ steps.meta.outputs.tag }}"
-          VERSION="${{ steps.meta.outputs.version }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          SHA256="${{ steps.zip.outputs.sha256 }}"
-          ZIP_NAME="${{ steps.meta.outputs.zip_name }}"
-          EXT_ELEMENT="${{ steps.meta.outputs.ext_element }}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
-          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          BRANCH=$(git branch --show-current)
-
-          BODY="## ${VERSION} ($(date +%Y-%m-%d))
-          **Channel:** ${STABILITY}
-          **SHA-256:** \`${SHA256}\`"
-
-          # Delete existing release
-          EXISTING_ID=$(curl -sS -H "Authorization: token ${TOKEN}" \
-            "${API}/releases/tags/${TAG}" | jq -r '.id // empty' 2>/dev/null)
-          if [ -n "$EXISTING_ID" ]; then
-            curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
-              "${API}/releases/${EXISTING_ID}" 2>/dev/null || true
-            curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
-              "${API}/tags/${TAG}" 2>/dev/null || true
-          fi
-
-          # Create release
-          RELEASE_ID=$(curl -sS -X POST -H "Authorization: token ${TOKEN}" \
-            -H "Content-Type: application/json" \
-            "${API}/releases" \
-            -d "$(jq -n \
-              --arg tag "$TAG" \
-              --arg target "$BRANCH" \
-              --arg name "${EXT_ELEMENT} ${VERSION} (${STABILITY})" \
-              --arg body "$BODY" \
-              '{tag_name: $tag, target_commitish: $target, name: $name, body: $body, prerelease: true}'
-            )" | jq -r '.id')
-
-          echo "release_id=${RELEASE_ID}" >> "$GITHUB_OUTPUT"
-
-          # Upload ZIP
-          curl -sS -X POST -H "Authorization: token ${TOKEN}" \
-            -H "Content-Type: application/octet-stream" \
-            "${API}/releases/${RELEASE_ID}/assets?name=${ZIP_NAME}" \
-            --data-binary "@build/${ZIP_NAME}"
-
-          echo "Released: ${EXT_ELEMENT} ${VERSION} (${STABILITY})"
-
-      - name: Update updates.xml
-        if: steps.platform.outputs.platform == 'joomla'
-        run: |
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          VERSION="${{ steps.meta.outputs.version }}"
-          SHA256="${{ steps.zip.outputs.sha256 }}"
-          ZIP_NAME="${{ steps.meta.outputs.zip_name }}"
-          TAG="${{ steps.meta.outputs.tag }}"
-
-          if [ ! -f "updates.xml" ]; then
-            echo "No updates.xml -- skipping"
-            exit 0
-          fi
-
-          # Map stability to XML tag name
-          case "$STABILITY" in
-            development)        XML_TAG="development" ;;
-            alpha)              XML_TAG="alpha" ;;
-            beta)               XML_TAG="beta" ;;
-            release-candidate)  XML_TAG="rc" ;;
-            *)                  XML_TAG="$STABILITY" ;;
-          esac
-
-          DOWNLOAD_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${TAG}/${ZIP_NAME}"
-
-          # Use PHP to update the channel in updates.xml
-          php -r '
-            $xml_tag = $argv[1];
-            $version = $argv[2];
-            $sha256 = $argv[3];
-            $url = $argv[4];
-            $date = date("Y-m-d");
-
-            $content = file_get_contents("updates.xml");
-            $pattern = "/(<update>(?:(?!<\/update>).)*?<tag>" . preg_quote($xml_tag) . "<\/tag>.*?<\/update>)/s";
-
-            $content = preg_replace_callback($pattern, function($m) use ($version, $sha256, $url, $date) {
-              $block = $m[0];
-              $block = preg_replace("/<version>[^<]*<\/version>/", "<version>{$version}</version>", $block);
-              if (strpos($block, "<sha256>") !== false) {
-                $block = preg_replace("/<sha256>[^<]*<\/sha256>/", "<sha256>{$sha256}</sha256>", $block);
-              } else {
-                $block = str_replace("</downloads>", "</downloads>\n    <sha256>{$sha256}</sha256>", $block);
-              }
-              $block = preg_replace("/(<downloadurl[^>]*>)[^<]*(<\/downloadurl>)/", "\${1}{$url}\${2}", $block);
-              return $block;
-            }, $content);
-
-            file_put_contents("updates.xml", $content);
-            echo "Updated {$xml_tag} channel: version={$version}\n";
-          ' "$XML_TAG" "$VERSION" "$SHA256" "$DOWNLOAD_URL"
-
-          # Commit and push
-          if ! git diff --quiet updates.xml 2>/dev/null; then
-            git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-            git config --local user.name "gitea-actions[bot]"
-            git add updates.xml
-            git commit -m "chore: update ${STABILITY} channel ${VERSION} [skip ci]"
-            git push origin HEAD 2>&1 || echo "WARNING: push failed"
-          fi
-
-      - name: "Sync updates.xml to all branches"
-        if: steps.platform.outputs.platform == 'joomla'
-        run: |
-          CURRENT_BRANCH="${{ github.ref_name }}"
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-
-          for BRANCH in main dev; do
-            [ "$BRANCH" = "$CURRENT_BRANCH" ] && continue
-            echo "Syncing updates.xml -> ${BRANCH}"
-            git fetch origin "${BRANCH}" 2>/dev/null || continue
-            git checkout "origin/${BRANCH}" -- . 2>/dev/null || continue
-            git checkout "${CURRENT_BRANCH}" -- updates.xml
-            if ! git diff --quiet updates.xml 2>/dev/null; then
-              git add updates.xml
-              git commit -m "chore: sync updates.xml from ${CURRENT_BRANCH} [skip ci]"
-              git push origin HEAD:refs/heads/${BRANCH} 2>&1 || echo "WARNING: push to ${BRANCH} failed"
-            fi
-            git checkout "${CURRENT_BRANCH}" 2>/dev/null
-          done
-
-      - name: "Delete lesser pre-release channels (cascade)"
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
-
-          php ${MOKO_CLI}/release_cascade.php \
-            --stability "${{ steps.meta.outputs.stability }}" \
-            --token "${TOKEN}" \
-            --api-base "${API_BASE}"
-
-      - name: Summary
-        if: always()
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          ZIP_NAME="${{ steps.meta.outputs.zip_name }}"
-          SHA256="${{ steps.zip.outputs.sha256 }}"
-          echo "## Pre-Release Complete" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
-          echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
-          echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Channel | ${STABILITY} |" >> $GITHUB_STEP_SUMMARY
-          echo "| Package | \`${ZIP_NAME}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| SHA-256 | \`${SHA256:-n/a}\` |" >> $GITHUB_STEP_SUMMARY
@@ -23,7 +23,7 @@ jobs:
    steps:
      - name: Sync upstream bugs
        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          GH_TOKEN: ${{ secrets.GH_MIRROR_TOKEN }}
          MOKOGITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
          MOKOGITEA_URL: https://git.mokoconsulting.tech
          MOKOGITEA_REPO: MokoConsulting/MokoGitea
@@ -1,293 +1,161 @@
-# Contribution Guidelines
-
-This document explains how to contribute changes to the Gitea project. Topic-specific guides live in separate files so the essentials are easier to find.
-
-| Topic | Document |
-| :---- | :------- |
-| Backend (Go modules, API v1) | [docs/guideline-backend.md](docs/guideline-backend.md) |
-| Frontend (npm, UI guidelines) | [docs/guideline-frontend.md](docs/guideline-frontend.md) |
-| Maintainers, TOC, labels, merge queue, commit format for mergers | [docs/community-governance.md](docs/community-governance.md) |
-| Release cycle, backports, tagging releases | [docs/release-management.md](docs/release-management.md) |
-
-<details><summary>Table of Contents</summary>
-
- [Contribution Guidelines](#contribution-guidelines)
-  - [Introduction](#introduction)
-  - [AI Contribution Policy](#ai-contribution-policy)
-  - [Issues](#issues)
-    - [How to report issues](#how-to-report-issues)
-    - [Types of issues](#types-of-issues)
-    - [Discuss your design before the implementation](#discuss-your-design-before-the-implementation)
-    - [Issue locking](#issue-locking)
-  - [Building Gitea](#building-gitea)
-  - [Styleguide](#styleguide)
-  - [Copyright](#copyright)
-  - [Testing](#testing)
-  - [Translation](#translation)
-  - [Code review](#code-review)
-    - [Pull request format](#pull-request-format)
-    - [PR title and summary](#pr-title-and-summary)
-    - [Breaking PRs](#breaking-prs)
-      - [What is a breaking PR?](#what-is-a-breaking-pr)
-      - [How to handle breaking PRs?](#how-to-handle-breaking-prs)
-    - [Maintaining open PRs](#maintaining-open-prs)
-    - [Reviewing PRs](#reviewing-prs)
-      - [For PR authors](#for-pr-authors)
-  - [Documentation](#documentation)
-  - [Developer Certificate of Origin (DCO)](#developer-certificate-of-origin-dco)
-
-</details>
-
-## Introduction
-
-It assumes you have followed the [installation instructions](https://docs.gitea.com/category/installation). \
-Sensitive security-related issues should be reported to [security@gitea.io](mailto:security@gitea.io).
-
-For configuring IDEs for Gitea development, see the [contributed IDE configurations](contrib/ide/).
-
-## AI Contribution Policy
-
-Contributions made with the assistance of AI tools are welcome, but contributors must use them responsibly and disclose that use clearly.
-
-1. Review AI-generated code closely before marking a pull request ready for review.
-2. Manually test the changes and add appropriate automated tests where feasible.
-3. Only use AI to assist in contributions that you understand well enough to explain, defend, and revise yourself during review.
-4. Disclose AI-assisted content clearly.
-5. Do not use AI to reply to questions about your issue or pull request. The questions are for you, not an AI model.
-6. AI may be used to help draft issues and pull requests, but contributors remain responsible for the accuracy, completeness, and intent of what they submit.
-
-Maintainers reserve the right to close pull requests and issues that do not disclose AI assistance, that appear to be low-quality AI-generated content, or where the contributor cannot explain or defend the proposed changes themselves.
-
-We welcome new contributors, but cannot sustain the effort of supporting contributors who primarily defer to AI rather than engaging substantively with the review process.
-
-## Issues
-
-### How to report issues
-
-Please search the issues on the issue tracker with a variety of related keywords to ensure that your issue has not already been reported.
-
-If your issue has not been reported yet, [open an issue](https://github.com/go-gitea/gitea/issues/new)
-and answer the questions so we can understand and reproduce the problematic behavior. \
-Please write clear and concise instructions so that we can reproduce the behavior — even if it seems obvious. \
-The more detailed and specific you are, the faster we can fix the issue. \
-It is really helpful if you can reproduce your problem on a site running on the latest commits, i.e. <https://demo.gitea.com>, as perhaps your problem has already been fixed on a current version. \
-Please follow the guidelines described in [How to Report Bugs Effectively](http://www.chiark.greenend.org.uk/~sgtatham/bugs.html) for your report.
-
-Please be kind—remember that Gitea comes at no cost to you, and you're getting free help.
-
-### Types of issues
-
-Typically, issues fall in one of the following categories:
-
- `bug`: Something in the frontend or backend behaves unexpectedly
- `security issue`: bug that has serious implications such as leaking another users data. Please do not file such issues on the public tracker and send a mail to security@gitea.io instead
- `feature`: Completely new functionality. You should describe this feature in enough detail that anyone who reads the issue can understand how it is supposed to be implemented
- `enhancement`: An existing feature should get an upgrade
- `refactoring`: Parts of the code base don't conform with other parts and should be changed to improve Gitea's maintainability
-
-### Discuss your design before the implementation
-
-We welcome submissions. \
-If you want to change or add something, please let everyone know what you're working on — [file an issue](https://github.com/go-gitea/gitea/issues/new) or comment on an existing one before starting your work!
-
-Significant changes such as new features must go through the change proposal process before they can be accepted. \
-This is mainly to save yourself the trouble of implementing it, only to find out that your proposed implementation has some potential problems. \
-Furthermore, this process gives everyone a chance to validate the design, helps prevent duplication of effort, and ensures that the idea fits inside
-the goals for the project and tools.
-
-Pull requests should not be the place for architecture discussions.
-
-### Issue locking
-
-Commenting on closed or merged issues/PRs is strongly discouraged.
-Such comments will likely be overlooked as some maintainers may not view notifications on closed issues, thinking that the item is resolved.
-As such, commenting on closed/merged issues/PRs may be disabled prior to the scheduled auto-locking if a discussion starts or if unrelated comments are posted.
-If further discussion is needed, we encourage you to open a new issue instead and we recommend linking to the issue/PR in question for context.
-
-## Building Gitea
-
-See the [development setup instructions](https://docs.gitea.com/development/hacking-on-gitea).
-
-## Styleguide
-
-You should always run `make fmt` before committing to conform to Gitea's styleguide.
-
-## Copyright
-
-New code files that you contribute should use the standard copyright header:
-
-```
-// Copyright <current year> The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-```
-
-Afterwards, copyright should only be modified when the copyright author changes.
-
-## Testing
-
-Before submitting a pull request, run all tests to make sure your changes don't cause a regression elsewhere.
-
-Here's how to run the test suite:
-
- code lint
-
-|                       |                                                                              |
-| :-------------------- | :--------------------------------------------------------------------------- |
-|``make lint``          | lint everything (not needed if you only change the front- **or** backend)    |
-|``make lint-frontend`` | lint frontend files                                                          |
-|``make lint-backend``  | lint backend files                                                           |
-
- run tests (we suggest running them on Linux)
-
-| Command                                       | Action                                               |                                             |
-|:----------------------------------------------|:-----------------------------------------------------| ------------------------------------------- |
-| ``make test-backend[\#SpecificTestName]``     | run unit test(s)                                     |                                             |
-| ``make test-integration[\#SpecificTestName]`` | run [integration](tests/integration) test(s)         | [More details](tests/integration/README.md) |
-| ``make test-e2e``                             | run [end-to-end](tests/e2e) test(s) using Playwright |                                             |
-
- E2E test environment variables
-
-| Variable                          | Description                                                 |
-| :-------------------------------- | :---------------------------------------------------------- |
-| ``GITEA_TEST_E2E_DEBUG``          | When set, show Gitea server output                          |
-| ``GITEA_TEST_E2E_FLAGS``          | Additional flags passed to Playwright, for example ``--ui`` |
-| ``GITEA_TEST_E2E_TIMEOUT_FACTOR`` | Timeout multiplier (default: 4 on CI, 1 locally)            |
-
-## Translation
-
-All translation work happens on [Crowdin](https://translate.gitea.com).
-The only translation that is maintained in this repository is [the English translation](https://github.com/go-gitea/gitea/blob/main/options/locale/locale_en-US.json).
-It is synced regularly with Crowdin. \
-Other locales on main branch **should not** be updated manually as they will be overwritten with each sync. \
-Once a language has reached a **satisfactory percentage** of translated keys (~25%), it will be synced back into this repo and included in the next released version.
-
-The tool `go run build/backport-locale.go` can be used to backport locales from the main branch to release branches that were missed.
-
-## Code review
-
-How labels, milestones, and the merge queue work is documented in [docs/community-governance.md](docs/community-governance.md).
-
-### Pull request format
-
-Please try to make your pull request easy to review for us. \
-For that, please read the [*Best Practices for Faster Reviews*](https://github.com/kubernetes/community/blob/261cb0fd089b64002c91e8eddceebf032462ccd6/contributors/guide/pull-requests.md#best-practices-for-faster-reviews) guide. \
-It has lots of useful tips for any project you may want to contribute to. \
-Some of the key points:
-
- Make small pull requests. \
-  The smaller, the faster to review and the more likely it will be merged soon.
- Don't make changes unrelated to your PR. \
-  Maybe there are typos on some comments, maybe refactoring would be welcome on a function... \
-  but if that is not related to your PR, please make *another* PR for that.
- Split big pull requests into multiple small ones. \
-  An incremental change will be faster to review than a huge PR.
- Allow edits by maintainers. This way, the maintainers will take care of merging the PR later on instead of you.
-
-### PR title and summary
-
-In the PR title, describe the problem you are fixing, not how you are fixing it. \
-Use the first comment as a summary of your PR. \
-In the PR summary, you can describe exactly how you are fixing this problem.
-
-PR titles must follow the [Conventional Commits](https://www.conventionalcommits.org/) format, because PRs are squash-merged and the PR title becomes the resulting commit message:
-
-```text
-type(scope)!: subject
-```
-
-The allowed types are `build`, `chore`, `ci`, `docs`, `feat`, `fix`, `perf`, `refactor`, `revert`, `style`, and `test`. The generic `chore` type is intentionally not accepted; pick a more descriptive type instead.
-
-Examples:
-
-```text
-fix(web): prevent avatar upload crash on empty file
-feat(api): add pagination to repo hooks list
-ci(workflows): lint PR titles with commitlint
-```
-
-Keep this summary up-to-date as the PR evolves. \
-If your PR changes the UI, you must add **after** screenshots in the PR summary. \
-If you are not implementing a new feature, you should also post **before** screenshots for comparison.
-
-If you are implementing a new feature, your PR will only be merged if your screenshots are up to date.\
-Furthermore, feature PRs will only be merged if their summary contains a clear usage description (understandable for users) and testing description (understandable for reviewers).
-You should strive to combine both into a single description.
-
-Another requirement for merging PRs is that the PR is labeled correctly.\
-However, this is not your job as a contributor, but the job of the person merging your PR.\
-If you think that your PR was labeled incorrectly, or notice that it was merged without labels, please let us know.
-
-If your PR closes some issues, you must note that in a way that both GitHub and Gitea understand, i.e. by appending a paragraph like
-
-```text
-Fixes/Closes/Resolves #<ISSUE_NR_X>.
-Fixes/Closes/Resolves #<ISSUE_NR_Y>.
-```
-
-to your summary. \
-Each issue that will be closed must stand on a separate line.
-
-### Breaking PRs
-
-#### What is a breaking PR?
-
-A PR is breaking if it meets one of the following criteria:
-
- It changes API output in an incompatible way for existing users
- It removes a setting that an admin could previously set (i.e. via `app.ini`)
- An admin must do something manually to restore the old behavior
-
-In particular, this means that adding new settings is not breaking.\
-Changing the default value of a setting or replacing the setting with another one is breaking, however.
-
-#### How to handle breaking PRs?
-
-If your PR has a breaking change, you must add two things to the summary of your PR:
-
-1. A reasoning why this breaking change is necessary
-2. A `BREAKING` section explaining in simple terms (understandable for a typical user) how this PR affects users and how to mitigate these changes. This section can look for example like
-
-```md
-## :warning: BREAKING :warning:
-```
-
-Breaking PRs will not be merged as long as not both of these requirements are met.
-
-### Maintaining open PRs
-
-Code review starts when you open a non-draft PR or move a draft out of draft state. After that, do not rebase or squash your branch; it makes new changes harder to review.
-
-Merge the base branch into yours only when you need to, for example because of conflicting changes elsewhere. That limits unnecessary CI runs.
-
-Every PR is squash-merged, so merge commits on your branch do not matter for final history. The squash produces a single commit; mergers follow the [commit message format](docs/community-governance.md#commit-messages) in the governance guide.
-
-### Reviewing PRs
-
-Maintainers are encouraged to review pull requests in areas where they have expertise or particular interest.
-
-#### For PR authors
-
- **Response**: When answering reviewer questions, use real-world cases or examples and avoid speculation.
- **Discussion**: A discussion is always welcome and should be used to clarify the changes and the intent of the PR.
- **Help**: If you need help with the PR or comments are unclear, ask for clarification.
-
-Guidance for reviewers, the merge queue, and the squash commit message format is in [docs/community-governance.md](docs/community-governance.md).
-
-## Documentation
-
-If you add a new feature or change an existing aspect of Gitea, the documentation for that feature must be created or updated in another PR at [https://gitea.com/gitea/docs](https://gitea.com/gitea/docs).
-**The docs directory on main repository will be removed at some time. We will have a yaml file to store configuration file's meta data. After that completed, configuration documentation should be in the main repository.**
-
-## Developer Certificate of Origin (DCO)
-
-We consider the act of contributing to the code by submitting a Pull Request as the "Sign off" or agreement to the certifications and terms of the [DCO](DCO) and [MIT license](LICENSE). \
-No further action is required. \
-You can also decide to sign off your commits by adding the following line at the end of your commit messages:
-
-```
-Signed-off-by: Joe Smith <joe.smith@email.com>
-```
-
-If you set the `user.name` and `user.email` Git config options, you can add the line to the end of your commits automatically with `git commit -s`.
-
-We assume in good faith that the information you provide is legally binding.
+# Contributing to Moko Consulting Projects
+
+Thank you for your interest in contributing. All Moko Consulting repositories follow this universal workflow and version policy.
+
+## Branching Workflow
+
+```
+feature/* ──PR──> dev ──draft PR──> (renamed to rc) ──merge──> main
+```
+
+### Step by step
+
+1. **Create a feature branch** from `dev`:
+   ```bash
+   git checkout dev && git pull
+   git checkout -b feature/my-change
+   ```
+
+2. **Work and commit** on your feature branch. Push to origin.
+
+3. **Open a PR**: `feature/my-change` → `dev`. After review and checks, merge it.
+
+4. **When ready for release**, open a **draft PR**: `dev` → `main`.
+   - This automatically renames the source branch to `rc` (release candidate)
+   - An RC pre-release is built and uploaded
+
+5. **Alpha and beta branches** are created by manually renaming the branch before the RC stage:
+   - Rename `dev` to `alpha` for early testing → alpha pre-release is built
+   - Rename `alpha` to `beta` for feature-complete testing → beta pre-release is built
+   - When the draft PR is created, the branch is renamed to `rc`
+
+6. **Once PR checks pass** on the `rc` branch, mark the PR as ready and merge to `main`.
+
+7. **Merging to main** triggers the stable release pipeline:
+   - Minor version bump (e.g., `02.09.xx` → `02.10.00`)
+   - Stability suffix stripped (clean version)
+   - Gitea release created with ZIP/tar.gz packages
+   - `updates.xml` updated (Joomla extensions)
+   - `dev` branch recreated from `main`
+
+### Branch summary
+
+| Branch | Purpose | Created by |
+|--------|---------|-----------|
+| `feature/*` | New features and fixes | Developer |
+| `dev` | Integration branch | Auto-recreated after release |
+| `alpha` | Alpha pre-release testing | Manual rename from `dev` |
+| `beta` | Beta pre-release testing | Manual rename from `alpha` |
+| `rc` | Release candidate | Auto-renamed on draft PR to main |
+| `main` | Stable releases | Protected, merge only |
+| `version/XX.YY.ZZ` | Archived release snapshots | Auto-created by CI |
+
+### Protected branches
+
+| Branch | Direct push | Merge via |
+|--------|------------|-----------|
+| `main` | Blocked (CI bot whitelisted) | PR merge only |
+| `dev` | Blocked (CI bot whitelisted) | PR merge from feature/* |
+| `rc` | Blocked (CI bot whitelisted) | Auto-created on draft PR |
+| `alpha` | Blocked (CI bot whitelisted) | Manual rename |
+| `beta` | Blocked (CI bot whitelisted) | Manual rename |
+| `feature/*` | Open | N/A (source branch) |
+
+## Version Policy
+
+### Format
+
+All versions use `XX.YY.ZZ` — three two-digit segments, zero-padded:
+
+- **XX** — Major version (breaking changes)
+- **YY** — Minor version (new features, bumped on release to main)
+- **ZZ** — Patch version (auto-incremented on every push to dev/feature branches)
+
+Rollover: patch `99` → `00` increments minor; minor `99` → `00` increments major.
+
+### Stability suffixes
+
+Each branch appends a suffix to indicate stability:
+
+| Branch | Suffix | Example |
+|--------|--------|---------|
+| `main` | (none) | `02.09.00` |
+| `dev` | `-dev` | `02.09.01-dev` |
+| `feature/*` | `-dev` | `02.09.01-dev` |
+| `alpha` | `-alpha` | `02.09.01-alpha` |
+| `beta` | `-beta` | `02.09.01-beta` |
+| `rc` | `-rc` | `02.09.01-rc` |
+
+### Auto version bump
+
+On every push to `dev`, `feature/*`, or `patch/*`:
+
+1. Patch version incremented
+2. Stability suffix `-dev` applied
+3. All version-bearing files updated (manifests, CHANGELOG, PHP headers, etc.)
+4. Commit created with `[skip ci]` to avoid loops
+
+### Release version flow
+
+Version bumps happen at specific release events:
+
+| Event | Bump | Example |
+|-------|------|---------|
+| Feature merged to dev | Patch bump after dev release | `02.09.01-dev` → release → `02.09.02-dev` |
+| Dev promoted to RC | Minor bump | `02.09.02-dev` → `02.10.00-rc` |
+| RC merged to main | Minor bump | `02.10.00-rc` → `02.11.00` (stable) |
+| Dev recreated from main | Patch bump | `02.11.00` → `02.11.01-dev` |
+
+### Release stream copies
+
+When a higher-stability release is published, copies are created for all lesser streams with the same base version:
+
+- **RC `02.10.00-rc`** also creates: `02.10.00-dev`, `02.10.00-alpha`, `02.10.00-beta`
+- **Stable `02.11.00`** also creates: `02.11.00-dev`, `02.11.00-alpha`, `02.11.00-beta`, `02.11.00-rc`
+
+This ensures Joomla sites on ANY stability channel see the update (Joomla only shows versions higher than what's installed).
+
+### Version files
+
+The version tools update all files containing version stamps:
+
+- `.mokogitea/manifest.xml` (canonical source)
+- Joomla XML manifests (`<version>` tag)
+- `README.md`, `CHANGELOG.md` (`VERSION:` pattern)
+- `package.json`, `pyproject.toml`
+- Any text file with a `VERSION: XX.YY.ZZ` label
+
+Files synced from other repos (with a `# REPO:` header) are not touched.
+
+## Code Standards
+
+- **PHP**: PSR-12, tabs for indentation
+- **Copyright**: all files must include the Moko Consulting copyright header
+- **License**: SPDX identifier `GPL-3.0-or-later` (or as specified per repo)
+- **Attribution**: use `Authored-by: Moko Consulting` in commits, not individual names
+
+## Commit Messages
+
+Use conventional commit format:
+
+```
+type(scope): short description
+
+Optional body with context.
+
+Authored-by: Moko Consulting
+```
+
+Types: `feat`, `fix`, `chore`, `docs`, `style`, `refactor`, `test`, `ci`
+
+Special flags in commit messages:
+- `[skip ci]` — skip all CI workflows
+- `[skip bump]` — skip auto version bump only
+
+## Reporting Issues
+
+Use the repository's issue tracker with the appropriate template.
+
+---
+
+*Moko Consulting <hello@mokoconsulting.tech>*
@@ -34,16 +34,19 @@ const (
 	swaggerSpecPath = "templates/swagger/v1_json.tmpl"
 	openapi3OutPath = "templates/swagger/v1_openapi3_json.tmpl"

-	appSubUrlVar = "{{.SwaggerAppSubUrl}}"
-	appVerVar    = "{{.SwaggerAppVer}}"
+	appSubUrlVar  = "{{.SwaggerAppSubUrl}}"
+	appVerVar     = "{{.SwaggerAppVer}}"
+	appNameVar    = "{{.SwaggerAppName}}"

-	appSubUrlPlaceholder = "GITEA_APP_SUB_URL_PLACEHOLDER"
-	appVerPlaceholder    = "0.0.0-gitea-placeholder"
+	appSubUrlPlaceholder  = "GITEA_APP_SUB_URL_PLACEHOLDER"
+	appVerPlaceholder     = "0.0.0-gitea-placeholder"
+	appNamePlaceholder    = "GiteaAppNamePlaceholder"
 )

 var (
 	appSubUrlRe = regexp.MustCompile(regexp.QuoteMeta(appSubUrlVar))
 	appVerRe    = regexp.MustCompile(regexp.QuoteMeta(appVerVar))
+	appNameRe   = regexp.MustCompile(regexp.QuoteMeta(appNameVar))

 	enumScanDirs = []string{
 		"modules/structs",
@@ -70,6 +73,7 @@ func main() {

 	cleaned := appSubUrlRe.ReplaceAll(data, []byte(appSubUrlPlaceholder))
 	cleaned = appVerRe.ReplaceAll(cleaned, []byte(appVerPlaceholder))
+	cleaned = appNameRe.ReplaceAll(cleaned, []byte(appNamePlaceholder))

 	oas3, err := openapi3gen.Convert(cleaned, astEnumMap)
 	if err != nil {
@@ -87,6 +91,7 @@ func main() {

 	result := strings.ReplaceAll(string(out), appSubUrlPlaceholder, appSubUrlVar)
 	result = strings.ReplaceAll(result, appVerPlaceholder, appVerVar)
+	result = strings.ReplaceAll(result, appNamePlaceholder, appNameVar)
 	result = strings.TrimSpace(result)

 	if err := os.WriteFile(openapi3OutPath, []byte(result), 0o644); err != nil {
@@ -1,6 +1,6 @@
 module git.mokoconsulting.tech/MokoConsulting/MokoGitea

-go 1.26.2
+go 1.26.3

 // rfc5280 said: "The serial number is an integer assigned by the CA to each certificate."
 // But some CAs use negative serial number, just relax the check. related:
@@ -9,6 +9,7 @@ godebug x509negativeserial=1

 require (
 	code.gitea.io/actions-proto-go v0.4.1
+	code.gitea.io/gitea v1.26.2
 	code.gitea.io/sdk/gitea v0.24.1
 	codeberg.org/gusted/mcaptcha v0.0.0-20220723083913-4f3072e1d570
 	connectrpc.com/connect v1.19.1
@@ -52,8 +53,8 @@ require (
 	github.com/go-chi/cors v1.2.2
 	github.com/go-co-op/gocron/v2 v2.19.1
 	github.com/go-enry/go-enry/v2 v2.9.5
-	github.com/go-git/go-billy/v5 v5.8.0
-	github.com/go-git/go-git/v5 v5.18.0
+	github.com/go-git/go-billy/v5 v5.9.0
+	github.com/go-git/go-git/v5 v5.19.0
 	github.com/go-ldap/ldap/v3 v3.4.13
 	github.com/go-redsync/redsync/v4 v4.16.0
 	github.com/go-sql-driver/mysql v1.9.3
@@ -242,17 +243,18 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
 	github.com/nwaples/rardecode/v2 v2.2.2 // indirect
+	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/oasdiff/yaml v0.0.9 // indirect
 	github.com/oasdiff/yaml3 v0.0.12 // indirect
 	github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 // indirect
 	github.com/olekukonko/errors v1.2.0 // indirect
 	github.com/olekukonko/ll v0.1.8 // indirect
 	github.com/olekukonko/tablewriter v1.1.4 // indirect
-	github.com/onsi/ginkgo v1.16.5 // indirect
+	github.com/olivere/elastic/v7 v7.0.32 // indirect
 	github.com/perimeterx/marshmallow v1.1.5 // indirect
 	github.com/philhofer/fwd v1.2.0 // indirect
 	github.com/pierrec/lz4/v4 v4.1.26 // indirect
-	github.com/pjbgf/sha1cd v0.5.0 // indirect
+	github.com/pjbgf/sha1cd v0.6.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
@@ -265,7 +267,6 @@ require (
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sirupsen/logrus v1.9.4 // indirect
 	github.com/skeema/knownhosts v1.3.2 // indirect
-	github.com/smartystreets/assertions v1.1.1 // indirect
 	github.com/sorairolake/lzip-go v0.3.8 // indirect
 	github.com/spf13/afero v1.15.0 // indirect
 	github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf // indirect
@@ -277,7 +278,6 @@ require (
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
-	github.com/zeebo/assert v1.3.0 // indirect
 	github.com/zeebo/blake3 v0.2.4 // indirect
 	go.etcd.io/bbolt v1.4.3 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
@@ -287,7 +287,6 @@ require (
 	go.yaml.in/yaml/v2 v2.4.4 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	go4.org v0.0.0-20260112195520-a5071408f32f // indirect
-	golang.org/x/exp v0.0.0-20250819193227-8b4c13bb791b // indirect
 	golang.org/x/mod v0.35.0 // indirect
 	golang.org/x/time v0.15.0 // indirect
 	golang.org/x/tools v0.44.0 // indirect
@@ -2,6 +2,8 @@ cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdB
 cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
 code.gitea.io/actions-proto-go v0.4.1 h1:l0EYhjsgpUe/1VABo2eK7zcoNX2W44WOnb0MSLrKfls=
 code.gitea.io/actions-proto-go v0.4.1/go.mod h1:mn7Wkqz6JbnTOHQpot3yDeHx+O5C9EGhMEE+htvHBas=
+code.gitea.io/gitea v1.26.2 h1:i0oTSOGXnB3WLILa0lRzwi4KFIkKIEZnoyCtYiajtYY=
+code.gitea.io/gitea v1.26.2/go.mod h1:K2pVuCKcxMzEl/KBD3b4GsWIOu6ZH74g8lJYiACcnsM=
 code.gitea.io/gitea-vet v0.2.3 h1:gdFmm6WOTM65rE8FUBTRzeQZYzXePKSSB1+r574hWwI=
 code.gitea.io/gitea-vet v0.2.3/go.mod h1:zcNbT/aJEmivCAhfmkHOlT645KNOf9W2KnkLgFjGGfE=
 code.gitea.io/sdk/gitea v0.24.1 h1:hpaqcdGcBmfMpV7JSbBJVwE99qo+WqGreJYKrDKEyW8=
@@ -269,6 +271,8 @@ github.com/fatih/color v1.19.0 h1:Zp3PiM21/9Ld6FzSKyL5c/BULoe/ONr9KlbYVOfG8+w=
 github.com/fatih/color v1.19.0/go.mod h1:zNk67I0ZUT1bEGsSGyCZYZNrHuTkJJB+r6Q9VuMi0LE=
 github.com/felixge/fgprof v0.9.5 h1:8+vR6yu2vvSKn08urWyEuxx75NWPEvybbkBirEpsbVY=
 github.com/felixge/fgprof v0.9.5/go.mod h1:yKl+ERSa++RYOs32d8K6WEXCB4uXdLls4ZaZPpayhMM=
+github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw=
+github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
@@ -300,12 +304,12 @@ github.com/go-fed/httpsig v1.1.1-0.20201223112313-55836744818e h1:oRq/fiirun5Hql
 github.com/go-fed/httpsig v1.1.1-0.20201223112313-55836744818e/go.mod h1:RCMrTZvN1bJYtofsG4rd5NaO5obxQ5xBkdiS7xsT7bM=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
-github.com/go-git/go-billy/v5 v5.8.0 h1:I8hjc3LbBlXTtVuFNJuwYuMiHvQJDq1AT6u4DwDzZG0=
-github.com/go-git/go-billy/v5 v5.8.0/go.mod h1:RpvI/rw4Vr5QA+Z60c6d6LXH0rYJo0uD5SqfmrrheCY=
+github.com/go-git/go-billy/v5 v5.9.0 h1:jItGXszUDRtR/AlferWPTMN4j38BQ88XnXKbilmmBPA=
+github.com/go-git/go-billy/v5 v5.9.0/go.mod h1:jCnQMLj9eUgGU7+ludSTYoZL/GGmii14RxKFj7ROgHw=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.18.0 h1:O831KI+0PR51hM2kep6T8k+w0/LIAD490gvqMCvL5hM=
-github.com/go-git/go-git/v5 v5.18.0/go.mod h1:pW/VmeqkanRFqR6AljLcs7EA7FbZaN5MQqO7oZADXpo=
+github.com/go-git/go-git/v5 v5.19.0 h1:+WkVUQZSy/F1Gb13udrMKjIM2PrzsNfDKFSfo5tkMtc=
+github.com/go-git/go-git/v5 v5.19.0/go.mod h1:Pb1v0c7/g8aGQJwx9Us09W85yGoyvSwuhEGMH7zjDKQ=
 github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
 github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
 github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
@@ -326,7 +330,6 @@ github.com/go-redsync/redsync/v4 v4.16.0 h1:bNcOzeHH9d3s6pghU9NJFMPrQa41f5Nx3L4Y
 github.com/go-redsync/redsync/v4 v4.16.0/go.mod h1:V4gagqgyASWBZuwx4xGzu72aZNb/6Mo05byUa3mVmKQ=
 github.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1aweo=
 github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=
-github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
 github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro=
@@ -354,12 +357,6 @@ github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8J
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
-github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
-github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
-github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
-github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
-github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
@@ -373,9 +370,6 @@ github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl76
 github.com/google/flatbuffers v24.3.25+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
 github.com/google/flatbuffers v25.12.19+incompatible h1:haMV2JRRJCe1998HeW/p0X9UaMTK6SDo0ffLn2+DbLs=
 github.com/google/flatbuffers v25.12.19+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
-github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -570,7 +564,6 @@ github.com/niklasfasching/go-org v1.9.1 h1:/3s4uTPOF06pImGa2Yvlp24yKXZoTYM+nsIlM
 github.com/niklasfasching/go-org v1.9.1/go.mod h1:ZAGFFkWvUQcpazmi/8nHqwvARpr1xpb+Es67oUGX/48=
 github.com/nwaples/rardecode/v2 v2.2.2 h1:/5oL8dzYivRM/tqX9VcTSWfbpwcbwKG1QtSJr3b3KcU=
 github.com/nwaples/rardecode/v2 v2.2.2/go.mod h1:7uz379lSxPe6j9nvzxUZ+n7mnJNgjsRNb6IbvGVHRmw=
-github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
 github.com/oasdiff/yaml v0.0.9 h1:zQOvd2UKoozsSsAknnWoDJlSK4lC0mpmjfDsfqNwX48=
@@ -585,14 +578,13 @@ github.com/olekukonko/ll v0.1.8 h1:ysHCJRGHYKzmBSdz9w5AySztx7lG8SQY+naTGYUbsz8=
 github.com/olekukonko/ll v0.1.8/go.mod h1:RPRC6UcscfFZgjo1nulkfMH5IM0QAYim0LfnMvUuozw=
 github.com/olekukonko/tablewriter v1.1.4 h1:ORUMI3dXbMnRlRggJX3+q7OzQFDdvgbN9nVWj1drm6I=
 github.com/olekukonko/tablewriter v1.1.4/go.mod h1:+kedxuyTtgoZLwif3P1Em4hARJs+mVnzKxmsCL/C5RY=
+github.com/olivere/elastic/v7 v7.0.32 h1:R7CXvbu8Eq+WlsLgxmKVKPox0oOwAE/2T9Si5BnvK6E=
+github.com/olivere/elastic/v7 v7.0.32/go.mod h1:c7PVmLe3Fxq77PIfY/bZmxY/TAamBhCzZ8xDOE09a9k=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
 github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
 github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
-github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
 github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
@@ -608,8 +600,8 @@ github.com/philhofer/fwd v1.2.0 h1:e6DnBTl7vGY+Gz322/ASL4Gyp1FspeMvx1RNDoToZuM=
 github.com/philhofer/fwd v1.2.0/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
 github.com/pierrec/lz4/v4 v4.1.26 h1:GrpZw1gZttORinvzBdXPUXATeqlJjqUG/D87TKMnhjY=
 github.com/pierrec/lz4/v4 v4.1.26/go.mod h1:EoQMVJgeeEOMsCqCzqFm2O0cJvljX2nGZjcRIPL34O4=
-github.com/pjbgf/sha1cd v0.5.0 h1:a+UkboSi1znleCDUNT3M5YxjOnN1fz2FhN48FlwCxs0=
-github.com/pjbgf/sha1cd v0.5.0/go.mod h1:lhpGlyHLpQZoxMv8HcgXvZEhcGs0PG/vsZnEJ7H0iCM=
+github.com/pjbgf/sha1cd v0.6.0 h1:3WJ8Wz8gvDz29quX1OcEmkAlUg9diU4GxJHqs0/XiwU=
+github.com/pjbgf/sha1cd v0.6.0/go.mod h1:lhpGlyHLpQZoxMv8HcgXvZEhcGs0PG/vsZnEJ7H0iCM=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -693,7 +685,6 @@ github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
@@ -801,8 +792,8 @@ golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ss
 golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
 golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
 golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
-golang.org/x/exp v0.0.0-20250819193227-8b4c13bb791b h1:DXr+pvt3nC887026GRP39Ej11UATqWDmWuS99x26cD0=
-golang.org/x/exp v0.0.0-20250819193227-8b4c13bb791b/go.mod h1:4QTo5u+SEIbbKW1RacMZq1YEfOBqeXa19JeshGi+zc4=
+golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f h1:W3F4c+6OLc6H2lb//N1q4WpJkhzJCK5J6kUi1NTVXfM=
+golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f/go.mod h1:J1xhfL/vlindoeF/aINzNzt2Bket5bjo9sdOYzOsU80=
 golang.org/x/image v0.40.0 h1:Tw4GyDXMo+daZN1znreBRC3VayR1aLFUyUEOLUdW1a8=
 golang.org/x/image v0.40.0/go.mod h1:uIc348UZMSvS5Z65CVZ7iDPaNobNFEPeJ4kbqTOszmA=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
@@ -820,9 +811,7 @@ golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
@@ -841,7 +830,6 @@ golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -857,16 +845,12 @@ golang.org/x/sys v0.0.0-20181221143128-b4a75ba826a6/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -915,7 +899,6 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200325010219-a49f79bcc224/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
 golang.org/x/tools v0.0.0-20200928182047-19e03678916f/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
-golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
@@ -930,12 +913,6 @@ google.golang.org/genproto/googleapis/rpc v0.0.0-20260401020348-3a24fdc17823 h1:
 google.golang.org/genproto/googleapis/rpc v0.0.0-20260401020348-3a24fdc17823/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
 google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=
 google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
-google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
-google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
-google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
-google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
-google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
-google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
 google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -953,7 +930,6 @@ gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
@@ -5,6 +5,7 @@ package db

 import (
 	"fmt"
+	"strings"

 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/util"
 )
@@ -72,3 +73,27 @@ func (err ErrNotExist) Error() string {
 func (err ErrNotExist) Unwrap() error {
 	return util.ErrNotExist
 }
+
+// IsErrDeadlock checks whether err is a database deadlock.
+// MySQL returns error 1213 (ER_LOCK_DEADLOCK / SQLSTATE 40001).
+// PostgreSQL returns SQLSTATE 40P01 with "deadlock detected".
+// SQLite returns SQLITE_BUSY (error 5) with "database is locked".
+func IsErrDeadlock(err error) bool {
+	if err == nil {
+		return false
+	}
+	msg := err.Error()
+	// MySQL / MariaDB: "Error 1213 (40001): Deadlock found when trying to get lock"
+	if strings.Contains(msg, "Error 1213") || strings.Contains(msg, "40001") {
+		return true
+	}
+	// PostgreSQL: "deadlock detected"
+	if strings.Contains(msg, "deadlock detected") {
+		return true
+	}
+	// SQLite: "database is locked"
+	if strings.Contains(msg, "database is locked") {
+		return true
+	}
+	return false
+}
@@ -0,0 +1,31 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package db
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsErrDeadlock(t *testing.T) {
+	tests := []struct {
+		name string
+		err  error
+		want bool
+	}{
+		{name: "nil", err: nil, want: false},
+		{name: "unrelated", err: errors.New("connection refused"), want: false},
+		{name: "mysql 1213", err: errors.New("Error 1213 (40001): Deadlock found when trying to get lock; try restarting transaction"), want: true},
+		{name: "mysql sqlstate", err: errors.New("SQLSTATE 40001: serialization failure"), want: true},
+		{name: "postgres", err: errors.New("pq: deadlock detected"), want: true},
+		{name: "sqlite", err: errors.New("database is locked"), want: true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.want, IsErrDeadlock(tt.err))
+		})
+	}
+}
@@ -48,6 +48,9 @@ type ProtectedBranch struct {
 	ForcePushAllowlistUserIDs     []int64  `xorm:"JSON TEXT"`
 	ForcePushAllowlistTeamIDs     []int64  `xorm:"JSON TEXT"`
 	ForcePushAllowlistDeployKeys  bool     `xorm:"NOT NULL DEFAULT false"`
+	WhitelistActionsUser          bool     `xorm:"NOT NULL DEFAULT false"`
+	MergeWhitelistActionsUser     bool     `xorm:"NOT NULL DEFAULT false"`
+	ForcePushAllowlistActionsUser bool     `xorm:"NOT NULL DEFAULT false"`
 	EnableStatusCheck             bool     `xorm:"NOT NULL DEFAULT false"`
 	StatusCheckContexts           []string `xorm:"JSON TEXT"`
 	EnableApprovalsWhitelist      bool     `xorm:"NOT NULL DEFAULT false"`
@@ -124,6 +127,11 @@ func (protectBranch *ProtectedBranch) CanUserPush(ctx context.Context, user *use
 		return false
 	}

+	// Allow the actions bot user if explicitly whitelisted.
+	if user.IsActions() && protectBranch.WhitelistActionsUser {
+		return true
+	}
+
 	if !protectBranch.EnableWhitelist {
 		if err := protectBranch.LoadRepo(ctx); err != nil {
 			log.Error("LoadRepo: %v", err)
@@ -161,6 +169,11 @@ func (protectBranch *ProtectedBranch) CanUserForcePush(ctx context.Context, user
 		return false
 	}

+	// Allow the actions bot user if explicitly whitelisted.
+	if user.IsActions() && protectBranch.ForcePushAllowlistActionsUser {
+		return protectBranch.CanUserPush(ctx, user)
+	}
+
 	if !protectBranch.EnableForcePushAllowlist {
 		return protectBranch.CanUserPush(ctx, user)
 	}
@@ -183,6 +196,11 @@ func (protectBranch *ProtectedBranch) CanUserForcePush(ctx context.Context, user

 // IsUserMergeWhitelisted checks if some user is whitelisted to merge to this branch
 func IsUserMergeWhitelisted(ctx context.Context, protectBranch *ProtectedBranch, userID int64, permissionInRepo access_model.Permission) bool {
+	// Allow the actions bot user if explicitly whitelisted.
+	if userID == user_model.ActionsUserID && protectBranch.MergeWhitelistActionsUser {
+		return true
+	}
+
 	if !protectBranch.EnableMergeWhitelist {
 		// Then we need to fall back on whether the user has write permission
 		return permissionInRepo.CanWrite(unit.TypeCode)
@@ -0,0 +1,320 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package licenses
+
+import (
+	"context"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"strings"
+
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/timeutil"
+)
+
+func init() {
+	db.RegisterModel(new(LicenseKey))
+}
+
+// LicenseKey represents an individual key issued from a LicensePackage.
+type LicenseKey struct {
+	ID                int64              `xorm:"pk autoincr"`
+	PackageID         int64              `xorm:"INDEX NOT NULL"`           // FK to license_package
+	OwnerID           int64              `xorm:"INDEX NOT NULL"`           // org or user that issued it
+	KeyHash           string             `xorm:"UNIQUE NOT NULL"`          // SHA-256 of the raw key (for fast lookup)
+	KeyRaw            string             `xorm:"TEXT"`                     // plaintext key (viewable by admins)
+	KeyPrefix         string             `xorm:"NOT NULL"`                 // first 8 chars for display
+	LicenseeName      string             `xorm:""`                         // customer name
+	LicenseeEmail     string             `xorm:""`                         // customer email
+	DomainRestriction string             `xorm:"TEXT"`                     // comma-separated allowed domains
+	MaxSites          int                `xorm:"NOT NULL DEFAULT 0"`       // 0 = use package default
+	PaymentRef        string             `xorm:"UNIQUE"`                   // idempotency key from payment system
+	IsInternal        bool               `xorm:"NOT NULL DEFAULT false"`   // true = base org/repo key
+	IsActive          bool               `xorm:"NOT NULL DEFAULT true"`
+	StartsUnix        timeutil.TimeStamp `xorm:"NOT NULL DEFAULT 0"`      // custom start, 0 = creation
+	ExpiresUnix       timeutil.TimeStamp `xorm:"NOT NULL DEFAULT 0"`      // 0 = never
+	LastHeartbeatUnix timeutil.TimeStamp `xorm:"NOT NULL DEFAULT 0"`      // last successful validation
+	CreatedUnix       timeutil.TimeStamp `xorm:"INDEX CREATED"`
+	UpdatedUnix       timeutil.TimeStamp `xorm:"UPDATED"`
+}
+
+func (LicenseKey) TableName() string {
+	return "license_key"
+}
+
+// GenerateKeyString creates a random license key in MOKO-XXXX-XXXX-XXXX-XXXX format.
+func GenerateKeyString() (string, error) {
+	b := make([]byte, 16)
+	if _, err := rand.Read(b); err != nil {
+		return "", err
+	}
+	hex := strings.ToUpper(hex.EncodeToString(b))
+	return fmt.Sprintf("MOKO-%s-%s-%s-%s", hex[0:4], hex[4:8], hex[8:12], hex[12:16]), nil
+}
+
+// HashKey returns the SHA-256 hash of a raw key string.
+func HashKey(rawKey string) string {
+	h := sha256.Sum256([]byte(rawKey))
+	return hex.EncodeToString(h[:])
+}
+
+// CreateLicenseKey generates a new key, stores it in plaintext and hashed, and returns the raw key.
+func CreateLicenseKey(ctx context.Context, key *LicenseKey) (rawKey string, err error) {
+	rawKey, err = GenerateKeyString()
+	if err != nil {
+		return "", fmt.Errorf("GenerateKeyString: %w", err)
+	}
+
+	key.KeyHash = HashKey(rawKey)
+	key.KeyRaw = rawKey
+	key.KeyPrefix = rawKey[:12] + "..."
+
+	if _, err := db.GetEngine(ctx).Insert(key); err != nil {
+		return "", err
+	}
+	return rawKey, nil
+}
+
+// CreateLicenseKeyCustom stores a key with a user-provided raw key string.
+func CreateLicenseKeyCustom(ctx context.Context, key *LicenseKey, rawKey string) error {
+	key.KeyHash = HashKey(rawKey)
+	key.KeyRaw = rawKey
+	if len(rawKey) > 12 {
+		key.KeyPrefix = rawKey[:12] + "..."
+	} else {
+		key.KeyPrefix = rawKey
+	}
+	_, err := db.GetEngine(ctx).Insert(key)
+	return err
+}
+
+// GetLicenseKeyByHash looks up a key by its SHA-256 hash.
+func GetLicenseKeyByHash(ctx context.Context, hash string) (*LicenseKey, error) {
+	key := new(LicenseKey)
+	has, err := db.GetEngine(ctx).Where("key_hash = ?", hash).Get(key)
+	if err != nil {
+		return nil, err
+	}
+	if !has {
+		return nil, db.ErrNotExist{Resource: "LicenseKey"}
+	}
+	return key, nil
+}
+
+// GetLicenseKeyByID returns a key by its ID.
+func GetLicenseKeyByID(ctx context.Context, id int64) (*LicenseKey, error) {
+	key := new(LicenseKey)
+	has, err := db.GetEngine(ctx).ID(id).Get(key)
+	if err != nil {
+		return nil, err
+	}
+	if !has {
+		return nil, db.ErrNotExist{Resource: "LicenseKey", ID: id}
+	}
+	return key, nil
+}
+
+// ListLicenseKeys returns all keys for the given owner.
+func ListLicenseKeys(ctx context.Context, ownerID int64) ([]*LicenseKey, error) {
+	keys := make([]*LicenseKey, 0, 20)
+	return keys, db.GetEngine(ctx).Where("owner_id = ?", ownerID).Find(&keys)
+}
+
+// ListLicenseKeysByPackage returns all keys for a specific package.
+func ListLicenseKeysByPackage(ctx context.Context, packageID int64) ([]*LicenseKey, error) {
+	keys := make([]*LicenseKey, 0, 20)
+	return keys, db.GetEngine(ctx).Where("package_id = ?", packageID).Find(&keys)
+}
+
+// GetLicenseKeyByPaymentRef looks up a key by its payment reference (idempotency).
+func GetLicenseKeyByPaymentRef(ctx context.Context, paymentRef string) (*LicenseKey, error) {
+	if paymentRef == "" {
+		return nil, db.ErrNotExist{Resource: "LicenseKey"}
+	}
+	key := new(LicenseKey)
+	has, err := db.GetEngine(ctx).Where("payment_ref = ?", paymentRef).Get(key)
+	if err != nil {
+		return nil, err
+	}
+	if !has {
+		return nil, db.ErrNotExist{Resource: "LicenseKey"}
+	}
+	return key, nil
+}
+
+// CountKeysByPackage returns the number of keys for a package.
+func CountKeysByPackage(ctx context.Context, packageID int64) (int64, error) {
+	return db.GetEngine(ctx).Where("package_id = ?", packageID).Count(new(LicenseKey))
+}
+
+// UpdateLicenseKey updates a license key.
+func UpdateLicenseKey(ctx context.Context, key *LicenseKey) error {
+	_, err := db.GetEngine(ctx).ID(key.ID).AllCols().Update(key)
+	return err
+}
+
+// DeleteLicenseKey permanently removes a license key by ID.
+func DeleteLicenseKey(ctx context.Context, id int64) error {
+	_, err := db.GetEngine(ctx).ID(id).Delete(new(LicenseKey))
+	return err
+}
+
+// DeleteExpiredKeys removes keys that expired more than the given duration ago.
+func DeleteExpiredKeys(ctx context.Context, olderThanDays int) (int64, error) {
+	cutoff := timeutil.TimeStampNow() - timeutil.TimeStamp(int64(olderThanDays)*86400)
+	return db.GetEngine(ctx).
+		Where("expires_unix > 0 AND expires_unix < ? AND is_internal = ?", cutoff, false).
+		Delete(new(LicenseKey))
+}
+
+// TouchHeartbeat updates the last heartbeat timestamp for a key.
+func TouchHeartbeat(ctx context.Context, keyID int64) error {
+	_, err := db.GetEngine(ctx).ID(keyID).
+		Cols("last_heartbeat_unix").
+		Update(&LicenseKey{LastHeartbeatUnix: timeutil.TimeStampNow()})
+	return err
+}
+
+// DeleteLicenseKey deletes a license key by ID.
+func DeleteLicenseKey(ctx context.Context, id int64) error {
+	_, err := db.GetEngine(ctx).ID(id).Delete(new(LicenseKey))
+	return err
+}
+
+// ValidateLicenseKey validates a raw key string against the database.
+// Returns the key record and its associated package, or an error.
+// The domain parameter is optional — when provided, it is checked against
+// the key's DomainRestriction list and the MaxSites limit.
+// On first heartbeat with a domain, if no DomainRestriction is set, the domain
+// is automatically associated as the key's restriction (lock-on-first-use).
+func ValidateLicenseKey(ctx context.Context, rawKey, domain string) (*LicenseKey, *LicensePackage, error) {
+	hash := HashKey(rawKey)
+	key, err := GetLicenseKeyByHash(ctx, hash)
+	if err != nil {
+		return nil, nil, fmt.Errorf("invalid license key")
+	}
+
+	if !key.IsActive {
+		return nil, nil, fmt.Errorf("license key is deactivated")
+	}
+
+	now := timeutil.TimeStampNow()
+	if key.StartsUnix > 0 && now < key.StartsUnix {
+		return nil, nil, fmt.Errorf("license key not yet active")
+	}
+	if key.ExpiresUnix > 0 && now > key.ExpiresUnix {
+		return nil, nil, fmt.Errorf("license key has expired")
+	}
+
+	pkg, err := GetLicensePackageByID(ctx, key.PackageID)
+	if err != nil {
+		return nil, nil, fmt.Errorf("license package not found")
+	}
+
+	if !pkg.IsActive {
+		return nil, nil, fmt.Errorf("license package is deactivated")
+	}
+
+	// Domain restriction check — skip for internal/master keys.
+	if domain != "" && !key.IsInternal {
+		if key.DomainRestriction != "" {
+			allowed := false
+			for _, d := range strings.Split(key.DomainRestriction, ",") {
+				if strings.EqualFold(strings.TrimSpace(d), domain) {
+					allowed = true
+					break
+				}
+			}
+			if !allowed {
+				return nil, nil, fmt.Errorf("domain not allowed for this license key")
+			}
+		} else {
+			// No domain restriction set — auto-associate on first heartbeat.
+			// Append this domain to the restriction list, enforcing max_sites.
+			maxSites := key.MaxSites
+			if maxSites == 0 {
+				maxSites = pkg.MaxSites
+			}
+			domainKnown, _ := IsDomainKnownForKey(ctx, key.ID, domain)
+			if !domainKnown {
+				if maxSites > 0 {
+					uniqueDomains, err := CountUniqueDomainsByKey(ctx, key.ID)
+					if err != nil {
+						return nil, nil, fmt.Errorf("failed to count domains: %w", err)
+					}
+					if uniqueDomains >= int64(maxSites) {
+						return nil, nil, fmt.Errorf("site limit reached (%d/%d)", uniqueDomains, maxSites)
+					}
+				}
+				// Append this domain to the key's restriction list.
+				_ = updateDomainRestriction(ctx, key.ID, domain)
+				if key.DomainRestriction == "" {
+					key.DomainRestriction = domain
+				} else {
+					key.DomainRestriction = key.DomainRestriction + "," + domain
+				}
+			}
+		}
+
+		// Site limit check: use key's MaxSites, fall back to package default.
+		maxSites := key.MaxSites
+		if maxSites == 0 {
+			maxSites = pkg.MaxSites
+		}
+		if maxSites > 0 {
+			uniqueDomains, err := CountUniqueDomainsByKey(ctx, key.ID)
+			if err != nil {
+				return nil, nil, fmt.Errorf("failed to count domains: %w", err)
+			}
+			// Allow if this domain is already recorded, or if under the limit.
+			domainKnown, _ := IsDomainKnownForKey(ctx, key.ID, domain)
+			if !domainKnown && uniqueDomains >= int64(maxSites) {
+				return nil, nil, fmt.Errorf("site limit reached (%d/%d)", uniqueDomains, maxSites)
+			}
+		}
+	}
+
+	return key, pkg, nil
+}
+
+// updateDomainRestriction appends a domain to a key's DomainRestriction field in the DB.
+func updateDomainRestriction(ctx context.Context, keyID int64, domain string) error {
+	key, err := GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		return err
+	}
+	if key.DomainRestriction == "" {
+		key.DomainRestriction = domain
+	} else {
+		key.DomainRestriction = key.DomainRestriction + "," + domain
+	}
+	_, err = db.GetEngine(ctx).ID(keyID).Cols("domain_restriction").Update(key)
+	return err
+}
+
+// RenewLicenseKey extends the expiration of a key by the given number of days
+// from the current expiry (or from now if already expired/no expiry set).
+func RenewLicenseKey(ctx context.Context, keyID int64, days int) error {
+	key, err := GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		return err
+	}
+
+	now := timeutil.TimeStampNow()
+	var base timeutil.TimeStamp
+	if key.ExpiresUnix > 0 && key.ExpiresUnix > now {
+		// Key still valid — extend from current expiry.
+		base = key.ExpiresUnix
+	} else {
+		// Key expired or has no expiry — extend from now.
+		base = now
+	}
+
+	key.ExpiresUnix = base + timeutil.TimeStamp(int64(days)*86400)
+	key.IsActive = true
+	_, err = db.GetEngine(ctx).ID(keyID).Cols("expires_unix", "is_active").Update(key)
+	return err
+}
@@ -0,0 +1,65 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package licenses
+
+import (
+	"context"
+
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/timeutil"
+)
+
+func init() {
+	db.RegisterModel(new(LicenseKeyUsage))
+}
+
+// LicenseKeyUsage tracks update check activity for a license key.
+type LicenseKeyUsage struct {
+	ID          int64              `xorm:"pk autoincr"`
+	KeyID       int64              `xorm:"INDEX NOT NULL"`
+	RepoID      int64              `xorm:"INDEX NOT NULL"`
+	Domain      string             `xorm:""`            // requesting domain from extra_query
+	IPAddress   string             `xorm:""`
+	UserAgent   string             `xorm:"TEXT"`
+	VersionFrom string             `xorm:""`            // version the client is updating from
+	CreatedUnix timeutil.TimeStamp `xorm:"INDEX CREATED"`
+}
+
+func (LicenseKeyUsage) TableName() string {
+	return "license_key_usage"
+}
+
+// RecordUsage inserts a usage tracking entry.
+func RecordUsage(ctx context.Context, usage *LicenseKeyUsage) error {
+	_, err := db.GetEngine(ctx).Insert(usage)
+	return err
+}
+
+// GetRecentUsage returns the most recent usage entries for a key.
+func GetRecentUsage(ctx context.Context, keyID int64, limit int) ([]*LicenseKeyUsage, error) {
+	usages := make([]*LicenseKeyUsage, 0, limit)
+	return usages, db.GetEngine(ctx).Where("key_id = ?", keyID).
+		OrderBy("created_unix DESC").Limit(limit).Find(&usages)
+}
+
+// CountUsageByKey returns the total number of update checks for a key.
+func CountUsageByKey(ctx context.Context, keyID int64) (int64, error) {
+	return db.GetEngine(ctx).Where("key_id = ?", keyID).Count(new(LicenseKeyUsage))
+}
+
+// CountUniqueDomainsByKey returns the number of distinct domains that have used a key.
+func CountUniqueDomainsByKey(ctx context.Context, keyID int64) (int64, error) {
+	count, err := db.GetEngine(ctx).
+		Where("key_id = ? AND domain != ''", keyID).
+		Distinct("domain").
+		Count(new(LicenseKeyUsage))
+	return count, err
+}
+
+// IsDomainKnownForKey checks whether a specific domain has already been recorded for a key.
+func IsDomainKnownForKey(ctx context.Context, keyID int64, domain string) (bool, error) {
+	return db.GetEngine(ctx).
+		Where("key_id = ? AND domain = ?", keyID, domain).
+		Exist(new(LicenseKeyUsage))
+}
@@ -0,0 +1,95 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package licenses
+
+import (
+	"context"
+
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/timeutil"
+
+	"xorm.io/builder"
+)
+
+func init() {
+	db.RegisterModel(new(LicensePackage))
+}
+
+// LicensePackage defines a purchasable subscription tier that determines
+// what update streams a group of license keys can access.
+type LicensePackage struct {
+	ID          int64              `xorm:"pk autoincr"`
+	OwnerID     int64              `xorm:"INDEX NOT NULL"`             // org or user that owns this package
+	Name        string             `xorm:"NOT NULL"`                   // e.g. "Pro Annual", "Lifetime"
+	Description string             `xorm:"TEXT"`
+	DurationDays int               `xorm:"NOT NULL DEFAULT 0"`         // 0 = unlimited/lifetime
+	MaxSites    int                `xorm:"NOT NULL DEFAULT 0"`         // 0 = unlimited
+	RepoScope   string             `xorm:"TEXT NOT NULL DEFAULT 'all'"` // "all" = org-wide, or JSON array of repo IDs
+	// AllowedChannels defines which update streams keys from this package
+	// can access. JSON array, e.g. ["stable","rc"]. Empty = all channels.
+	AllowedChannels string         `xorm:"TEXT"`
+	IsActive    bool               `xorm:"NOT NULL DEFAULT true"`
+	CreatedUnix timeutil.TimeStamp `xorm:"INDEX CREATED"`
+	UpdatedUnix timeutil.TimeStamp `xorm:"UPDATED"`
+}
+
+func (LicensePackage) TableName() string {
+	return "license_package"
+}
+
+// CreateLicensePackage creates a new license package.
+func CreateLicensePackage(ctx context.Context, pkg *LicensePackage) error {
+	_, err := db.GetEngine(ctx).Insert(pkg)
+	return err
+}
+
+// GetLicensePackageByID returns a license package by ID.
+func GetLicensePackageByID(ctx context.Context, id int64) (*LicensePackage, error) {
+	pkg := new(LicensePackage)
+	has, err := db.GetEngine(ctx).ID(id).Get(pkg)
+	if err != nil {
+		return nil, err
+	}
+	if !has {
+		return nil, db.ErrNotExist{Resource: "LicensePackage", ID: id}
+	}
+	return pkg, nil
+}
+
+// FindLicensePackageOptions for db.Find/db.Count.
+type FindLicensePackageOptions struct {
+	db.ListOptions
+	OwnerID int64
+}
+
+func (opts FindLicensePackageOptions) ToConds() builder.Cond {
+	cond := builder.NewCond()
+	if opts.OwnerID > 0 {
+		cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
+	}
+	return cond
+}
+
+// ListLicensePackages returns all packages for the given owner.
+func ListLicensePackages(ctx context.Context, ownerID int64) ([]*LicensePackage, error) {
+	pkgs := make([]*LicensePackage, 0, 10)
+	return pkgs, db.GetEngine(ctx).Where("owner_id = ?", ownerID).Find(&pkgs)
+}
+
+// UpdateLicensePackage updates a license package.
+func UpdateLicensePackage(ctx context.Context, pkg *LicensePackage) error {
+	_, err := db.GetEngine(ctx).ID(pkg.ID).AllCols().Update(pkg)
+	return err
+}
+
+// CountOrgPackages returns the number of license packages for an organization.
+func CountOrgPackages(ctx context.Context, orgID int64) (int64, error) {
+	return db.GetEngine(ctx).Where("owner_id = ?", orgID).Count(new(LicensePackage))
+}
+
+// DeleteLicensePackage deletes a license package by ID.
+func DeleteLicensePackage(ctx context.Context, id int64) error {
+	_, err := db.GetEngine(ctx).ID(id).Delete(new(LicensePackage))
+	return err
+}
@@ -0,0 +1,89 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package licenses
+
+import (
+	"context"
+	"fmt"
+
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
+)
+
+const (
+	MasterPackageName = "Master (Internal)"
+	MasterPackageDesc = "Auto-created master package with unlimited access to all channels."
+)
+
+// EnsureMasterKey ensures that a master license package and key exist for the given owner.
+// Returns the master key's raw key string only if it was just created (empty string otherwise).
+func EnsureMasterKey(ctx context.Context, ownerID int64) (rawKey string, err error) {
+	// Check if a master package already exists.
+	pkgs, err := ListLicensePackages(ctx, ownerID)
+	if err != nil {
+		return "", err
+	}
+
+	var masterPkg *LicensePackage
+	for _, pkg := range pkgs {
+		if pkg.Name == MasterPackageName {
+			masterPkg = pkg
+			break
+		}
+	}
+
+	// Create master package if it doesn't exist.
+	if masterPkg == nil {
+		masterPkg = &LicensePackage{
+			OwnerID:      ownerID,
+			Name:         MasterPackageName,
+			Description:  MasterPackageDesc,
+			DurationDays: 0, // lifetime
+			MaxSites:     0, // unlimited
+			RepoScope:    "all",
+			IsActive:     true,
+		}
+		if err := CreateLicensePackage(ctx, masterPkg); err != nil {
+			return "", fmt.Errorf("CreateLicensePackage: %w", err)
+		}
+	}
+
+	// Check if a master key already exists for this package.
+	keys, err := ListLicenseKeysByPackage(ctx, masterPkg.ID)
+	if err != nil {
+		return "", err
+	}
+
+	for _, key := range keys {
+		if key.IsInternal {
+			return "", nil // already exists, don't return raw key
+		}
+	}
+
+	// Create the master key.
+	masterKey := &LicenseKey{
+		PackageID:  masterPkg.ID,
+		OwnerID:    ownerID,
+		IsInternal: true,
+		IsActive:   true,
+	}
+	rawKey, err = CreateLicenseKey(ctx, masterKey)
+	if err != nil {
+		return "", fmt.Errorf("CreateLicenseKey: %w", err)
+	}
+
+	return rawKey, nil
+}
+
+// GetMasterKey returns the master key for an owner, if it exists.
+func GetMasterKey(ctx context.Context, ownerID int64) (*LicenseKey, error) {
+	key := new(LicenseKey)
+	has, err := db.GetEngine(ctx).Where("owner_id = ? AND is_internal = ?", ownerID, true).Get(key)
+	if err != nil {
+		return nil, err
+	}
+	if !has {
+		return nil, nil
+	}
+	return key, nil
+}
@@ -0,0 +1,183 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package licenses
+
+import (
+	"context"
+	"strings"
+
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/json"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/timeutil"
+)
+
+func init() {
+	db.RegisterModel(new(UpdateStreamConfig))
+}
+
+// UpdateStreamConfig stores update stream settings at org or repo level.
+// When OwnerID is set and RepoID is 0, it's an org-level default.
+// When RepoID is set, it's a per-repo override.
+type UpdateStreamConfig struct {
+	ID          int64              `xorm:"pk autoincr"`
+	OwnerID     int64              `xorm:"INDEX NOT NULL"`         // org or user
+	RepoID      int64              `xorm:"INDEX NOT NULL DEFAULT 0"` // 0 = org-level default
+	StreamMode  string             `xorm:"NOT NULL DEFAULT 'joomla'"` // joomla, custom
+	Platform    string             `xorm:"NOT NULL DEFAULT 'joomla'"` // joomla, dolibarr, both
+	LicensingEnabled bool          `xorm:"NOT NULL DEFAULT false"`    // master toggle for licensing system
+	RequireKey  bool               `xorm:"NOT NULL DEFAULT false"`    // require license key for update feed
+	// CustomStreams is a JSON array of stream definitions.
+	// Each entry: {"name":"lts","suffix":"-lts","description":"Long-term support"}
+	CustomStreams string            `xorm:"TEXT"`
+	CreatedUnix  timeutil.TimeStamp `xorm:"INDEX CREATED"`
+	UpdatedUnix  timeutil.TimeStamp `xorm:"UPDATED"`
+}
+
+func (UpdateStreamConfig) TableName() string {
+	return "update_stream_config"
+}
+
+// StreamDef defines a single update stream/channel.
+type StreamDef struct {
+	Name        string `json:"name"`        // e.g. "stable", "lts", "nightly"
+	Suffix      string `json:"suffix"`      // tag suffix to match, e.g. "-lts", "-rc"
+	Description string `json:"description"` // human-readable label
+}
+
+// DefaultJoomlaStreams returns the standard Joomla update streams.
+func DefaultJoomlaStreams() []StreamDef {
+	return []StreamDef{
+		{Name: "stable", Suffix: "", Description: "Stable releases"},
+		{Name: "release-candidate", Suffix: "-rc", Description: "Release candidates"},
+		{Name: "beta", Suffix: "-beta", Description: "Beta testing"},
+		{Name: "alpha", Suffix: "-alpha", Description: "Alpha / early access"},
+		{Name: "development", Suffix: "-dev", Description: "Development builds"},
+	}
+}
+
+// GetCustomStreams parses the CustomStreams JSON field.
+func (c *UpdateStreamConfig) GetCustomStreams() []StreamDef {
+	if c.CustomStreams == "" {
+		return nil
+	}
+	var streams []StreamDef
+	if err := json.Unmarshal([]byte(c.CustomStreams), &streams); err != nil {
+		return nil
+	}
+	return streams
+}
+
+// GetActiveStreams returns the effective streams for this config.
+func (c *UpdateStreamConfig) GetActiveStreams() []StreamDef {
+	if c.StreamMode == "custom" {
+		if custom := c.GetCustomStreams(); len(custom) > 0 {
+			return custom
+		}
+	}
+	return DefaultJoomlaStreams()
+}
+
+// GetOrgConfig returns the org-level update stream config.
+func GetOrgConfig(ctx context.Context, ownerID int64) (*UpdateStreamConfig, error) {
+	cfg := new(UpdateStreamConfig)
+	has, err := db.GetEngine(ctx).Where("owner_id = ? AND repo_id = 0", ownerID).Get(cfg)
+	if err != nil {
+		return nil, err
+	}
+	if !has {
+		return &UpdateStreamConfig{OwnerID: ownerID, StreamMode: "joomla"}, nil
+	}
+	return cfg, nil
+}
+
+// GetRepoConfig returns the repo-level override, or nil if none exists.
+func GetRepoConfig(ctx context.Context, repoID int64) (*UpdateStreamConfig, error) {
+	cfg := new(UpdateStreamConfig)
+	has, err := db.GetEngine(ctx).Where("repo_id = ?", repoID).Get(cfg)
+	if err != nil {
+		return nil, err
+	}
+	if !has {
+		return nil, nil
+	}
+	return cfg, nil
+}
+
+// GetEffectiveStreams resolves the streams for a repo: repo override → org default → Joomla default.
+func GetEffectiveStreams(ctx context.Context, ownerID, repoID int64) []StreamDef {
+	// Check repo-level override first.
+	repoCfg, err := GetRepoConfig(ctx, repoID)
+	if err == nil && repoCfg != nil {
+		return repoCfg.GetActiveStreams()
+	}
+
+	// Fall back to org-level config.
+	orgCfg, err := GetOrgConfig(ctx, ownerID)
+	if err == nil && orgCfg != nil {
+		return orgCfg.GetActiveStreams()
+	}
+
+	return DefaultJoomlaStreams()
+}
+
+// SaveConfig creates or updates an update stream config.
+func SaveConfig(ctx context.Context, cfg *UpdateStreamConfig) error {
+	existing := new(UpdateStreamConfig)
+	var has bool
+	var err error
+	if cfg.RepoID > 0 {
+		has, err = db.GetEngine(ctx).Where("repo_id = ?", cfg.RepoID).Get(existing)
+	} else {
+		has, err = db.GetEngine(ctx).Where("owner_id = ? AND repo_id = 0", cfg.OwnerID).Get(existing)
+	}
+	if err != nil {
+		return err
+	}
+
+	if has {
+		cfg.ID = existing.ID
+		_, err = db.GetEngine(ctx).ID(cfg.ID).AllCols().Update(cfg)
+	} else {
+		_, err = db.GetEngine(ctx).Insert(cfg)
+	}
+	return err
+}
+
+// MatchStreamFromTag determines which stream a tag belongs to based on the given stream definitions.
+func MatchStreamFromTag(tagName string, isPrerelease bool, streams []StreamDef) string {
+	lower := strings.ToLower(tagName)
+
+	// Check custom suffixes (longest match first to avoid "-rc" matching before "-rc-special").
+	var bestMatch string
+	bestLen := 0
+	for _, s := range streams {
+		if s.Suffix == "" {
+			continue // stable/default stream handled below
+		}
+		if strings.Contains(lower, s.Suffix) && len(s.Suffix) > bestLen {
+			bestMatch = s.Name
+			bestLen = len(s.Suffix)
+		}
+	}
+	if bestMatch != "" {
+		return bestMatch
+	}
+
+	// If prerelease and no suffix matched, use the first prerelease stream.
+	if isPrerelease {
+		for _, s := range streams {
+			if s.Suffix != "" {
+				return s.Name
+			}
+		}
+	}
+
+	// Default: first stream with empty suffix (stable).
+	for _, s := range streams {
+		if s.Suffix == "" {
+			return s.Name
+		}
+	}
+	return "stable"
+}
@@ -410,6 +410,12 @@ func prepareMigrationTasks() []*migration {

 		newMigration(331, "Add ActionRunAttempt model and related action fields", v1_27.AddActionRunAttemptModel),
 		newMigration(332, "Add org-level branch protection rulesets", v1_27.AddOrgProtectedBranchTable),
+		newMigration(333, "Add require_2fa to user table for org enforcement", v1_27.AddRequire2FAToUser),
+		newMigration(334, "Add actions user whitelist to protected branches", v1_27.AddActionsUserWhitelistToProtectedBranch),
+		newMigration(335, "Add license key tables for update server", v1_27.AddLicenseKeyTables),
+		newMigration(336, "Add update stream config table", v1_27.AddUpdateStreamConfigTable),
+		newMigration(337, "Add key_plain column to license_key", v1_27.AddKeyPlainToLicenseKey),
+		newMigration(338, "Add platform and require_key to update_stream_config", v1_27.AddPlatformAndRequireKeyToStreamConfig),
 	}
 	return preparedMigrations
 }
@@ -0,0 +1,16 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package v1_27
+
+import (
+	"xorm.io/xorm"
+)
+
+func AddRequire2FAToUser(x *xorm.Engine) error {
+	type User struct {
+		Require2FA bool `xorm:"NOT NULL DEFAULT false"`
+	}
+	_, err := x.SyncWithOptions(xorm.SyncOptions{IgnoreDropIndices: true}, new(User))
+	return err
+}
@@ -0,0 +1,17 @@
+// Copyright 2026 The MokoGitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package v1_27
+
+import "xorm.io/xorm"
+
+// AddActionsUserWhitelistToProtectedBranch adds toggle fields that allow
+// the built-in actions bot user to bypass branch protection rules.
+func AddActionsUserWhitelistToProtectedBranch(x *xorm.Engine) error {
+	type ProtectedBranch struct {
+		WhitelistActionsUser          bool `xorm:"NOT NULL DEFAULT false"`
+		MergeWhitelistActionsUser     bool `xorm:"NOT NULL DEFAULT false"`
+		ForcePushAllowlistActionsUser bool `xorm:"NOT NULL DEFAULT false"`
+	}
+	return x.Sync(new(ProtectedBranch))
+}
@@ -0,0 +1,75 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package v1_27
+
+import (
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/timeutil"
+
+	"xorm.io/xorm"
+)
+
+type licensePackage335 struct {
+	ID              int64              `xorm:"pk autoincr"`
+	OwnerID         int64              `xorm:"INDEX NOT NULL"`
+	Name            string             `xorm:"NOT NULL"`
+	Description     string             `xorm:"TEXT"`
+	DurationDays    int                `xorm:"NOT NULL DEFAULT 0"`
+	MaxSites        int                `xorm:"NOT NULL DEFAULT 0"`
+	RepoScope       string             `xorm:"TEXT NOT NULL DEFAULT 'all'"`
+	AllowedChannels string             `xorm:"TEXT"`
+	IsActive        bool               `xorm:"NOT NULL DEFAULT true"`
+	CreatedUnix     timeutil.TimeStamp `xorm:"INDEX CREATED"`
+	UpdatedUnix     timeutil.TimeStamp `xorm:"UPDATED"`
+}
+
+func (licensePackage335) TableName() string {
+	return "license_package"
+}
+
+type licenseKey335 struct {
+	ID                int64              `xorm:"pk autoincr"`
+	PackageID         int64              `xorm:"INDEX NOT NULL"`
+	OwnerID           int64              `xorm:"INDEX NOT NULL"`
+	KeyHash           string             `xorm:"UNIQUE NOT NULL"`
+	KeyPrefix         string             `xorm:"NOT NULL"`
+	LicenseeName      string             `xorm:""`
+	LicenseeEmail     string             `xorm:""`
+	DomainRestriction string             `xorm:"TEXT"`
+	MaxSites          int                `xorm:"NOT NULL DEFAULT 0"`
+	IsInternal        bool               `xorm:"NOT NULL DEFAULT false"`
+	IsActive          bool               `xorm:"NOT NULL DEFAULT true"`
+	StartsUnix        timeutil.TimeStamp `xorm:"NOT NULL DEFAULT 0"`
+	ExpiresUnix       timeutil.TimeStamp `xorm:"NOT NULL DEFAULT 0"`
+	CreatedUnix       timeutil.TimeStamp `xorm:"INDEX CREATED"`
+	UpdatedUnix       timeutil.TimeStamp `xorm:"UPDATED"`
+}
+
+func (licenseKey335) TableName() string {
+	return "license_key"
+}
+
+type licenseKeyUsage335 struct {
+	ID          int64              `xorm:"pk autoincr"`
+	KeyID       int64              `xorm:"INDEX NOT NULL"`
+	RepoID      int64              `xorm:"INDEX NOT NULL"`
+	Domain      string             `xorm:""`
+	IPAddress   string             `xorm:""`
+	UserAgent   string             `xorm:"TEXT"`
+	VersionFrom string             `xorm:""`
+	CreatedUnix timeutil.TimeStamp `xorm:"INDEX CREATED"`
+}
+
+func (licenseKeyUsage335) TableName() string {
+	return "license_key_usage"
+}
+
+// AddLicenseKeyTables creates the license_package, license_key, and
+// license_key_usage tables for the update server license system.
+func AddLicenseKeyTables(x *xorm.Engine) error {
+	return x.Sync(
+		new(licensePackage335),
+		new(licenseKey335),
+		new(licenseKeyUsage335),
+	)
+}
@@ -0,0 +1,29 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package v1_27
+
+import (
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/timeutil"
+
+	"xorm.io/xorm"
+)
+
+type updateStreamConfig336 struct {
+	ID           int64              `xorm:"pk autoincr"`
+	OwnerID      int64              `xorm:"INDEX NOT NULL"`
+	RepoID       int64              `xorm:"INDEX NOT NULL DEFAULT 0"`
+	StreamMode   string             `xorm:"NOT NULL DEFAULT 'joomla'"`
+	CustomStreams string             `xorm:"TEXT"`
+	CreatedUnix  timeutil.TimeStamp `xorm:"INDEX CREATED"`
+	UpdatedUnix  timeutil.TimeStamp `xorm:"UPDATED"`
+}
+
+func (updateStreamConfig336) TableName() string {
+	return "update_stream_config"
+}
+
+// AddUpdateStreamConfigTable creates the update_stream_config table.
+func AddUpdateStreamConfigTable(x *xorm.Engine) error {
+	return x.Sync(new(updateStreamConfig336))
+}
@@ -0,0 +1,20 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package v1_27
+
+import "xorm.io/xorm"
+
+type licenseKey337 struct {
+	ID       int64  `xorm:"pk autoincr"`
+	KeyPlain string `xorm:""`
+}
+
+func (licenseKey337) TableName() string {
+	return "license_key"
+}
+
+// AddKeyPlainToLicenseKey adds the key_plain column to license_key table.
+func AddKeyPlainToLicenseKey(x *xorm.Engine) error {
+	return x.Sync(new(licenseKey337))
+}
@@ -0,0 +1,22 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package v1_27
+
+import "xorm.io/xorm"
+
+type updateStreamConfig338 struct {
+	ID         int64  `xorm:"pk autoincr"`
+	Platform   string `xorm:"NOT NULL DEFAULT 'joomla'"`
+	RequireKey bool   `xorm:"NOT NULL DEFAULT false"`
+}
+
+func (updateStreamConfig338) TableName() string {
+	return "update_stream_config"
+}
+
+// AddPlatformAndRequireKeyToStreamConfig adds platform and require_key
+// columns to update_stream_config.
+func AddPlatformAndRequireKeyToStreamConfig(x *xorm.Engine) error {
+	return x.Sync(new(updateStreamConfig338))
+}
@@ -31,6 +31,11 @@ func (t TeamList) UnitMaxAccess(tp unit.Type) perm.AccessMode {
 		if team.IsOwnerTeam() {
 			return perm.AccessModeOwner
 		}
+		// Admin-level teams implicitly have admin access to all units,
+		// even units added after the team was created (no TeamUnit record needed).
+		if team.HasAdminAccess() && maxAccess < perm.AccessModeAdmin {
+			maxAccess = perm.AccessModeAdmin
+		}
 		for _, teamUnit := range team.Units {
 			if teamUnit.Type != tp {
 				continue
@@ -52,7 +52,7 @@ func RemoveTeamRepo(ctx context.Context, teamID, repoID int64) error {

 // GetTeamsWithAccessToAnyRepoUnit returns all teams in an organization that have given access level to the repository special unit.
 // This function is only used for finding some teams that can be used as branch protection allowlist or reviewers, it isn't really used for access control.
-// FIXME: TEAM-UNIT-PERMISSION this logic is not complete, search the fixme keyword to see more details
+// Note: admin-level teams (authorize >= Admin) implicitly have access to all units.
 func GetTeamsWithAccessToAnyRepoUnit(ctx context.Context, orgID, repoID int64, mode perm.AccessMode, unitType unit.Type, unitTypesMore ...unit.Type) (teams []*Team, err error) {
 	teamIDs, err := getTeamIDsWithAccessToAnyRepoUnit(ctx, orgID, repoID, mode, unitType, unitTypesMore...)
 	if err != nil {
@@ -405,8 +405,11 @@ func GetIndividualUserRepoPermission(ctx context.Context, repo *repo_model.Repos
 	perm.units = repo.Units

 	// anonymous user visit private repo.
+	// Still process unit-level anonymous access so that units with
+	// AnonymousAccessMode (e.g. public wiki on a private repo) are visible.
 	if user == nil && repo.IsPrivate {
 		perm.AccessMode = perm_model.AccessModeNone
+		finalProcessRepoUnitPermission(user, &perm)
 		return perm, nil
 	}

@@ -673,6 +673,14 @@ func AccessibleRepositoryCondition(user *user_model.User, unitType unit.Type) bu
 		cond = userAllPublicRepoCond(cond, orgVisibilityLimit)
 	}

+	// Include private repos that have at least one unit with public anonymous access.
+	// This enables discovery of repos where e.g. wiki or releases are public.
+	cond = cond.Or(builder.In("`repository`.id",
+		builder.Select("repo_id").From("repo_unit").Where(
+			builder.Gt{"anonymous_access_mode": 0},
+		),
+	))
+
 	if user != nil {
 		// 2. Be able to see all repositories that we have unit independent access to
 		// 3. Be able to see all repositories through team membership(s)
@@ -33,9 +33,7 @@ const (
 	TypeProjects        // 8 Projects
 	TypePackages        // 9 Packages
 	TypeActions         // 10 Actions
-
-	// FIXME: TEAM-UNIT-PERMISSION: the team unit "admin" permission's design is not right, when a new unit is added in the future,
-	// admin team won't inherit the correct admin permission for the new unit, need to have a complete fix before adding any new unit.
+	TypeLicenses        // 11 Licenses
 )

 // Value returns integer value for unit type (used by template)
@@ -65,6 +63,7 @@ var (
 		TypeProjects,
 		TypePackages,
 		TypeActions,
+		TypeLicenses,
 	}

 	// DefaultRepoUnits contains the default unit types
@@ -328,6 +327,15 @@ var (
 		perm.AccessModeOwner,
 	}

+	UnitLicenses = Unit{
+		TypeLicenses,
+		"repo.licenses",
+		"/licenses",
+		"repo.licenses.desc",
+		8,
+		perm.AccessModeOwner,
+	}
+
 	// Units contains all the units
 	Units = map[Type]Unit{
 		TypeCode:            UnitCode,
@@ -340,6 +348,7 @@ var (
 		TypeProjects:        UnitProjects,
 		TypePackages:        UnitPackages,
 		TypeActions:         UnitActions,
+		TypeLicenses:        UnitLicenses,
 	}
 )

@@ -54,9 +54,9 @@ func GenerateRandomAvatar(ctx context.Context, u *User) error {

 // AvatarLinkWithSize returns a link to the user's avatar with size. size <= 0 means default size
 func (u *User) AvatarLinkWithSize(ctx context.Context, size int) string {
-	// ghost user was deleted, Gitea actions is a bot user, 0 means the user should be a virtual user
+	// ghost user was deleted, actions bot is a system user, 0 means the user should be a virtual user
 	// which comes from git configure information
-	if u.IsGhost() || u.IsGiteaActions() || u.ID <= 0 {
+	if u.IsGhost() || u.IsActions() || u.ID <= 0 {
 		return avatars.DefaultAvatarLink()
 	}

@@ -117,6 +117,9 @@ type User struct {
 	// Maximum repository creation limit, -1 means use global default
 	MaxRepoCreation int `xorm:"NOT NULL DEFAULT -1"`

+	// Require2FA when true (and user is an org), all org members must have 2FA enabled
+	Require2FA bool `xorm:"NOT NULL DEFAULT false"`
+
 	// IsActive true: primary email is activated, user can access Web UI and Git SSH.
 	// false: an inactive user can only log in Web UI for account operations (ex: activate the account by email), no other access.
 	IsActive bool `xorm:"INDEX"`
@@ -507,9 +510,9 @@ func (u *User) GitName() string {
 }

 // IsMailable checks if a user is eligible to receive emails.
-// System users like Ghost and Gitea Actions are excluded.
+// System users like Ghost and the actions bot are excluded.
 func (u *User) IsMailable() bool {
-	return u.IsActive && !u.IsGiteaActions() && !u.IsGhost()
+	return u.IsActive && !u.IsActions() && !u.IsGhost()
 }

 // IsUserExist checks if given username exist,
@@ -624,8 +627,10 @@ var (
 		"swagger.v1.json",
 		"openapi3.v1.json",

-		"ghost",         // reserved name for deleted users (id: -1)
-		"gitea-actions", // gitea builtin user (id: -2)
+		"ghost",             // reserved name for deleted users (id: -1)
+		"mokogitea-actions", // actions bot user (id: -2)
+		"gitea-actions",     // legacy actions bot name
+		"github-actions",    // legacy actions bot name
 	}

 	// These names are reserved for user accounts: user's keys, user's rss feed, user's avatar, etc.
@@ -34,8 +34,12 @@ func (u *User) IsGhost() bool {

 const (
 	ActionsUserID    int64 = -2
-	ActionsUserName        = "gitea-actions"
-	ActionsUserEmail       = "teabot@gitea.io"
+	ActionsUserName        = "mokogitea-actions"
+	ActionsUserEmail       = "mokogitea-actions[bot]@mokoconsulting.tech"
+
+	// Legacy names recognized as aliases for the actions bot user.
+	ActionsUserNameLegacyGitea  = "gitea-actions"
+	ActionsUserNameLegacyGitHub = "github-actions"
 )

 // NewActionsUser creates and returns a fake user for running the actions.
@@ -45,7 +49,7 @@ func NewActionsUser() *User {
 		Name:             ActionsUserName,
 		LowerName:        ActionsUserName,
 		IsActive:         true,
-		FullName:         "Gitea Actions",
+		FullName:         "MokoGitea Actions",
 		Email:            ActionsUserEmail,
 		KeepEmailPrivate: true,
 		LoginName:        ActionsUserName,
@@ -75,15 +79,30 @@ func GetActionsUserTaskID(u *User) (int64, bool) {
 	return 0, false
 }

-func (u *User) IsGiteaActions() bool {
+// IsActions checks whether this user is the built-in actions bot.
+func (u *User) IsActions() bool {
 	return u != nil && u.ID == ActionsUserID
 }

+// IsGiteaActions is a deprecated alias for IsActions.
+func (u *User) IsGiteaActions() bool {
+	return u.IsActions()
+}
+
+// isActionsName returns true if the given name (case-insensitive, with
+// optional "[bot]" suffix stripped) matches any known actions bot name.
+func isActionsName(name string) bool {
+	clean := strings.TrimSuffix(name, "[bot]")
+	return strings.EqualFold(clean, ActionsUserName) ||
+		strings.EqualFold(clean, ActionsUserNameLegacyGitea) ||
+		strings.EqualFold(clean, ActionsUserNameLegacyGitHub)
+}
+
 func GetSystemUserByName(name string) *User {
 	if strings.EqualFold(name, GhostUserName) {
 		return NewGhostUser()
 	}
-	if strings.EqualFold(name, ActionsUserName) {
+	if isActionsName(name) {
 		return NewActionsUser()
 	}
 	return nil
@@ -25,13 +25,39 @@ func TestSystemUser(t *testing.T) {
 	uid, u, err = GetPossibleUserByID(t.Context(), -2)
 	require.NoError(t, err)
 	assert.Equal(t, int64(-2), uid)
-	assert.Equal(t, "gitea-actions", u.Name)
-	assert.Equal(t, "gitea-actions", u.LowerName)
-	assert.True(t, u.IsGiteaActions())
+	assert.Equal(t, "mokogitea-actions", u.Name)
+	assert.Equal(t, "mokogitea-actions", u.LowerName)
+	assert.True(t, u.IsActions())
+	assert.True(t, u.IsGiteaActions()) // deprecated alias

+	// canonical name lookup
+	u = GetSystemUserByName("mokogitea-actions")
+	require.NotNil(t, u)
+	assert.Equal(t, "MokoGitea Actions", u.FullName)
+
+	// legacy name lookups
 	u = GetSystemUserByName("Gitea-actionS")
 	require.NotNil(t, u)
-	assert.Equal(t, "Gitea Actions", u.FullName)
+	assert.Equal(t, "MokoGitea Actions", u.FullName)
+
+	u = GetSystemUserByName("github-actions")
+	require.NotNil(t, u)
+	assert.Equal(t, "MokoGitea Actions", u.FullName)
+
+	// [bot] suffix lookups
+	u = GetSystemUserByName("mokogitea-actions[bot]")
+	require.NotNil(t, u)
+	assert.Equal(t, "MokoGitea Actions", u.FullName)
+
+	u = GetSystemUserByName("gitea-actions[bot]")
+	require.NotNil(t, u)
+
+	u = GetSystemUserByName("github-actions[bot]")
+	require.NotNil(t, u)
+
+	// unknown name returns nil
+	u = GetSystemUserByName("unknown-bot")
+	assert.Nil(t, u)

 	uid, u, err = GetPossibleUserByID(t.Context(), 999999)
 	require.NoError(t, err)
@@ -63,7 +63,7 @@ func TestFile(t *testing.T) {
 		{
 			name:      "tags.py",
 			code:      "<>",
-			want:      lines(`<span class="o">&lt;</span><span class="o">&gt;</span>`),
+			want:      lines(`<span class="o">&lt;&gt;</span>`),
 			lexerName: "Python",
 		},
 		{
@@ -102,7 +102,7 @@ c=2
 <span class="n">def</span><span class="p">:</span>\n
    <span class="n">a</span><span class="o">=</span><span class="mi">1</span>\n
 \n
-<span class="n">b</span><span class="o">=</span><span class="sa"></span><span class="s1">&#39;</span><span class="s1">&#39;</span>\n
+<span class="n">b</span><span class="o">=</span><span class="s1">&#39;&#39;</span>\n
    \n
 <span class="n">c</span><span class="o">=</span><span class="mi">2</span>`,
 			),
@@ -114,6 +114,18 @@ c=2
 			want:      []template.HTML{"<span class=\"c1\">--\n</span>", `<span class="k">SELECT</span>`},
 			lexerName: "SQL",
 		},
+		{
+			name: "test.http",
+			code: `HTTP/1.0 400 Bad request
+Content-Type: text/html
+
+<html></html>`,
+			want: lines(`<span class="kr">HTTP</span><span class="o">/</span><span class="m">1.0</span> <span class="m">400</span> <span class="ne">Bad request</span>\n
+<span class="n">Content-Type</span><span class="o">:</span> <span class="l">text/html</span>\n
+\n
+<span class="p">&lt;</span><span class="nt">html</span><span class="p">&gt;&lt;/</span><span class="nt">html</span><span class="p">&gt;</span>`),
+			lexerName: "HTTP",
+		},
 	}

 	for _, tt := range tests {
@@ -288,24 +288,24 @@ func detectChromaLexerWithAnalyze(fileName, lang string, code []byte) chroma.Lex

 	// if lang is provided, and it matches a lexer, use it directly
 	if byLang {
-		return lexer
+		return chroma.Coalesce(lexer)
 	}

 	// if a lexer is detected and there is no conflict for the file extension, use it directly
 	fileExt := path.Ext(fileName)
 	_, hasConflicts := chromaLexers().conflictingExtLangMap[fileExt]
 	if !hasConflicts && lexer != lexers.Fallback {
-		return lexer
+		return chroma.Coalesce(lexer)
 	}

 	// try to detect language by content, for best guessing for the language
 	// when using "code" to detect, analyze.GetCodeLanguage is slow, it iterates many rules to detect language from content
 	analyzedLanguage := analyze.GetCodeLanguage(fileName, code)
-	lexer = DetectChromaLexerByFileName(fileName, analyzedLanguage)
+	lexer, _ = detectChromaLexerByFileName(fileName, analyzedLanguage)
 	if lexer == lexers.Fallback {
 		if analyzedLanguage != enry.OtherLanguage {
 			log.Warn("No chroma lexer found for enry detected language: %s (file: %s), need to fix the language mapping between enry and chroma.", analyzedLanguage, fileName)
 		}
 	}
-	return lexer
+	return chroma.Coalesce(lexer)
 }
@@ -5,6 +5,7 @@ package log

 import (
 	"context"
+	"net/url"
 	"reflect"
 	"runtime"
 	"strings"
@@ -226,6 +227,8 @@ func (l *LoggerImpl) Log(skip int, event *Event, format string, logArgs ...any)
 			}
 		} else if ls := asLogStringer(v); ls != nil {
 			msgArgs[i] = logStringFormatter{v: ls}
+		} else if str, ok := v.(string); ok {
+			msgArgs[i] = protectSensitiveInfo(str)
 		}
 	}

@@ -235,6 +238,24 @@ func (l *LoggerImpl) Log(skip int, event *Event, format string, logArgs ...any)
 	l.SendLogEvent(event)
 }

+func protectSensitiveInfo(s string) string {
+	u, err := url.Parse(s)
+	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
+		return s
+	}
+	q := u.Query()
+	for _, vals := range q {
+		for i := range vals {
+			vals[i] = "_"
+		}
+	}
+	masked := &url.URL{Scheme: u.Scheme, Host: u.Host, Path: u.Path, RawQuery: q.Encode()}
+	if u.User != nil {
+		masked.User = url.User("_masked_")
+	}
+	return masked.String()
+}
+
 func (l *LoggerImpl) GetLevel() Level {
 	return Level(l.level.Load())
 }
@@ -177,3 +177,10 @@ func TestLoggerExpressionFilter(t *testing.T) {

 	assert.Equal(t, []string{"foo\n", "foo bar\n", "by filename\n"}, w1.FetchLogs())
 }
+
+func TestProtectSensitiveInfo(t *testing.T) {
+	assert.Empty(t, protectSensitiveInfo(""))
+	assert.Equal(t, "mailto:user@example.com", protectSensitiveInfo("mailto:user@example.com"))
+	assert.Equal(t, "https://example.com", protectSensitiveInfo("https://example.com"))
+	assert.Equal(t, "https://_masked_@example.com/path?k=_", protectSensitiveInfo("https://u:p@example.com/path?k=v#hash"))
+}
@@ -81,6 +81,7 @@ func initDefaultConfig() {
 		Instance: &InstanceStruct{
 			WebBanner:       config.NewOption[WebBannerType]("instance.web_banner"),
 			MaintenanceMode: config.NewOption[MaintenanceModeType]("instance.maintenance_mode"),
+			LandingPage:     config.NewOption[LandingPageType]("instance.landing_page"),
 		},
 	}
 }
@@ -52,7 +52,35 @@ func (m MaintenanceModeType) IsActive() bool {
 	return true
 }

+// LandingPageType configures the default page for unauthenticated visitors.
+// Mode values: "home", "explore", "organizations", "login", or "custom".
+// When Mode is "custom", CustomPath holds the redirect target (e.g. "/MokoConsulting").
+type LandingPageType struct {
+	Mode       string // home, explore, organizations, login, custom
+	CustomPath string // only used when Mode == "custom"
+}
+
+// URL returns the redirect path for the configured landing page.
+func (lp LandingPageType) URL() string {
+	switch lp.Mode {
+	case "explore":
+		return "/explore"
+	case "organizations":
+		return "/explore/organizations"
+	case "login":
+		return "/user/login"
+	case "custom":
+		if lp.CustomPath != "" {
+			return lp.CustomPath
+		}
+		return "/"
+	default:
+		return "/"
+	}
+}
+
 type InstanceStruct struct {
 	WebBanner       *config.Option[WebBannerType]
 	MaintenanceMode *config.Option[MaintenanceModeType]
+	LandingPage     *config.Option[LandingPageType]
 }
@@ -39,6 +39,13 @@ var (
 		Channel:  "stable",
 	}

+	// LoginNotification configuration for sign-in alerts
+	LoginNotification = struct {
+		Enabled bool
+	}{
+		Enabled: true,
+	}
+
 	// IsInTesting indicates whether the testing is running (unit test or integration test). It can be used for:
 	// * Skip nonsense error logs during testing caused by unreliable code (TODO: this is only a temporary solution, we should make the test code more reliable)
 	// * Panic in dev or testing mode to make the problem more obvious and easier to debug
@@ -171,6 +178,7 @@ func loadCommonSettingsFrom(cfg ConfigProvider) error {
 	loadOtherFrom(cfg)
 	loadUpdateCheckerFrom(cfg)
 	loadNtfyFrom(cfg)
+	loadLoginNotificationFrom(cfg)
 	return nil
 }

@@ -181,6 +189,11 @@ func loadUpdateCheckerFrom(cfg ConfigProvider) {
 	UpdateChecker.Channel = sec.Key("CHANNEL").MustString(UpdateChecker.Channel)
 }

+func loadLoginNotificationFrom(cfg ConfigProvider) {
+	sec := cfg.Section("login_notification")
+	LoginNotification.Enabled = sec.Key("ENABLED").MustBool(true)
+}
+
 func loadRunModeFrom(rootCfg ConfigProvider) {
 	rootSec := rootCfg.Section("")
 	RunUser = rootSec.Key("RUN_USER").MustString(user.CurrentUsername())
@@ -0,0 +1,135 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package structs
+
+import "time"
+
+// LicensePackage represents a license package (subscription tier).
+type LicensePackage struct {
+	ID              int64  `json:"id"`
+	OwnerID         int64  `json:"owner_id"`
+	Name            string `json:"name"`
+	Description     string `json:"description"`
+	DurationDays    int    `json:"duration_days"`
+	MaxSites        int    `json:"max_sites"`
+	RepoScope       string `json:"repo_scope"`
+	AllowedChannels string `json:"allowed_channels"`
+	IsActive        bool   `json:"is_active"`
+	// swagger:strfmt date-time
+	Created time.Time `json:"created_at"`
+	// swagger:strfmt date-time
+	Updated time.Time `json:"updated_at"`
+}
+
+// CreateLicensePackageOption options for creating a license package.
+type CreateLicensePackageOption struct {
+	Name            string `json:"name" binding:"Required"`
+	Description     string `json:"description"`
+	DurationDays    int    `json:"duration_days"`
+	MaxSites        int    `json:"max_sites"`
+	RepoScope       string `json:"repo_scope"`
+	AllowedChannels string `json:"allowed_channels"`
+}
+
+// EditLicensePackageOption options for editing a license package.
+type EditLicensePackageOption struct {
+	Name            *string `json:"name"`
+	Description     *string `json:"description"`
+	DurationDays    *int    `json:"duration_days"`
+	MaxSites        *int    `json:"max_sites"`
+	RepoScope       *string `json:"repo_scope"`
+	AllowedChannels *string `json:"allowed_channels"`
+	IsActive        *bool   `json:"is_active"`
+}
+
+// LicenseKey represents a license key (response — never includes raw key except on creation).
+type LicenseKey struct {
+	ID                int64  `json:"id"`
+	PackageID         int64  `json:"package_id"`
+	OwnerID           int64  `json:"owner_id"`
+	KeyPrefix         string `json:"key_prefix"`
+	LicenseeName      string `json:"licensee_name"`
+	LicenseeEmail     string `json:"licensee_email"`
+	DomainRestriction string `json:"domain_restriction"`
+	MaxSites          int    `json:"max_sites"`
+	IsInternal        bool   `json:"is_internal"`
+	IsActive          bool   `json:"is_active"`
+	// swagger:strfmt date-time
+	StartsAt *time.Time `json:"starts_at"`
+	// swagger:strfmt date-time
+	ExpiresAt *time.Time `json:"expires_at"`
+	// swagger:strfmt date-time
+	LastHeartbeat *time.Time `json:"last_heartbeat,omitempty"`
+	// swagger:strfmt date-time
+	Created time.Time `json:"created_at"`
+}
+
+// LicenseKeyCreated is the response when a key is first created (includes raw key).
+type LicenseKeyCreated struct {
+	LicenseKey
+	// RawKey is the full license key string. Only returned on creation.
+	RawKey string `json:"raw_key"`
+}
+
+// CreateLicenseKeyOption options for creating a license key.
+type CreateLicenseKeyOption struct {
+	PackageID         int64  `json:"package_id" binding:"Required"`
+	LicenseeName      string `json:"licensee_name"`
+	LicenseeEmail     string `json:"licensee_email"`
+	DomainRestriction string `json:"domain_restriction"`
+	MaxSites          int    `json:"max_sites"`
+	// StartsAt is optional; defaults to now.
+	StartsAt *time.Time `json:"starts_at"`
+	// ExpiresAt is optional; auto-calculated from package duration if not set.
+	ExpiresAt *time.Time `json:"expires_at"`
+}
+
+// EditLicenseKeyOption options for editing a license key.
+type EditLicenseKeyOption struct {
+	LicenseeName      *string `json:"licensee_name"`
+	LicenseeEmail     *string `json:"licensee_email"`
+	DomainRestriction *string `json:"domain_restriction"`
+	MaxSites          *int    `json:"max_sites"`
+	IsActive          *bool   `json:"is_active"`
+	ExpiresAt         *time.Time `json:"expires_at"`
+}
+
+// PurchaseLicenseKeyOption options for purchasing a license key via webhook.
+type PurchaseLicenseKeyOption struct {
+	PackageID    int64  `json:"package_id" binding:"Required"`
+	LicenseeName string `json:"licensee_name"`
+	LicenseeEmail string `json:"licensee_email"`
+	Domain       string `json:"domain"`
+	PaymentRef   string `json:"payment_ref"`
+}
+
+// ValidateLicenseKeyOption options for validating a license key.
+type ValidateLicenseKeyOption struct {
+	Key    string `json:"key" binding:"Required"`
+	Domain string `json:"domain"`
+}
+
+// ValidateLicenseKeyResponse is the response from license key validation.
+type ValidateLicenseKeyResponse struct {
+	Valid       bool       `json:"valid"`
+	Message     string     `json:"message,omitempty"`
+	PackageName string     `json:"package_name,omitempty"`
+	Channels    string     `json:"channels,omitempty"`
+	ExpiresAt   *time.Time `json:"expires_at,omitempty"`
+	SitesUsed   int64      `json:"sites_used"`
+	MaxSites    int        `json:"max_sites"`
+}
+
+// LicenseKeyUsage represents a usage tracking entry.
+type LicenseKeyUsage struct {
+	ID          int64  `json:"id"`
+	KeyID       int64  `json:"key_id"`
+	RepoID      int64  `json:"repo_id"`
+	Domain      string `json:"domain"`
+	IPAddress   string `json:"ip_address"`
+	UserAgent   string `json:"user_agent"`
+	VersionFrom string `json:"version_from"`
+	// swagger:strfmt date-time
+	Created time.Time `json:"created_at"`
+}
@@ -42,14 +42,17 @@ type BranchProtection struct {
 	PushWhitelistUsernames        []string `json:"push_whitelist_usernames"`
 	PushWhitelistTeams            []string `json:"push_whitelist_teams"`
 	PushWhitelistDeployKeys       bool     `json:"push_whitelist_deploy_keys"`
+	PushWhitelistActionsUser      bool     `json:"push_whitelist_actions_user"`
 	EnableForcePush               bool     `json:"enable_force_push"`
 	EnableForcePushAllowlist      bool     `json:"enable_force_push_allowlist"`
 	ForcePushAllowlistUsernames   []string `json:"force_push_allowlist_usernames"`
 	ForcePushAllowlistTeams       []string `json:"force_push_allowlist_teams"`
 	ForcePushAllowlistDeployKeys  bool     `json:"force_push_allowlist_deploy_keys"`
+	ForcePushAllowlistActionsUser bool     `json:"force_push_allowlist_actions_user"`
 	EnableMergeWhitelist          bool     `json:"enable_merge_whitelist"`
 	MergeWhitelistUsernames       []string `json:"merge_whitelist_usernames"`
 	MergeWhitelistTeams           []string `json:"merge_whitelist_teams"`
+	MergeWhitelistActionsUser     bool     `json:"merge_whitelist_actions_user"`
 	EnableStatusCheck             bool     `json:"enable_status_check"`
 	StatusCheckContexts           []string `json:"status_check_contexts"`
 	RequiredApprovals             int64    `json:"required_approvals"`
@@ -84,14 +87,17 @@ type CreateBranchProtectionOption struct {
 	PushWhitelistUsernames        []string `json:"push_whitelist_usernames"`
 	PushWhitelistTeams            []string `json:"push_whitelist_teams"`
 	PushWhitelistDeployKeys       bool     `json:"push_whitelist_deploy_keys"`
+	PushWhitelistActionsUser      bool     `json:"push_whitelist_actions_user"`
 	EnableForcePush               bool     `json:"enable_force_push"`
 	EnableForcePushAllowlist      bool     `json:"enable_force_push_allowlist"`
 	ForcePushAllowlistUsernames   []string `json:"force_push_allowlist_usernames"`
 	ForcePushAllowlistTeams       []string `json:"force_push_allowlist_teams"`
 	ForcePushAllowlistDeployKeys  bool     `json:"force_push_allowlist_deploy_keys"`
+	ForcePushAllowlistActionsUser bool     `json:"force_push_allowlist_actions_user"`
 	EnableMergeWhitelist          bool     `json:"enable_merge_whitelist"`
 	MergeWhitelistUsernames       []string `json:"merge_whitelist_usernames"`
 	MergeWhitelistTeams           []string `json:"merge_whitelist_teams"`
+	MergeWhitelistActionsUser     bool     `json:"merge_whitelist_actions_user"`
 	EnableStatusCheck             bool     `json:"enable_status_check"`
 	StatusCheckContexts           []string `json:"status_check_contexts"`
 	RequiredApprovals             int64    `json:"required_approvals"`
@@ -117,14 +123,17 @@ type EditBranchProtectionOption struct {
 	PushWhitelistUsernames        []string `json:"push_whitelist_usernames"`
 	PushWhitelistTeams            []string `json:"push_whitelist_teams"`
 	PushWhitelistDeployKeys       *bool    `json:"push_whitelist_deploy_keys"`
+	PushWhitelistActionsUser      *bool    `json:"push_whitelist_actions_user"`
 	EnableForcePush               *bool    `json:"enable_force_push"`
 	EnableForcePushAllowlist      *bool    `json:"enable_force_push_allowlist"`
 	ForcePushAllowlistUsernames   []string `json:"force_push_allowlist_usernames"`
 	ForcePushAllowlistTeams       []string `json:"force_push_allowlist_teams"`
 	ForcePushAllowlistDeployKeys  *bool    `json:"force_push_allowlist_deploy_keys"`
+	ForcePushAllowlistActionsUser *bool    `json:"force_push_allowlist_actions_user"`
 	EnableMergeWhitelist          *bool    `json:"enable_merge_whitelist"`
 	MergeWhitelistUsernames       []string `json:"merge_whitelist_usernames"`
 	MergeWhitelistTeams           []string `json:"merge_whitelist_teams"`
+	MergeWhitelistActionsUser     *bool    `json:"merge_whitelist_actions_user"`
 	EnableStatusCheck             *bool    `json:"enable_status_check"`
 	StatusCheckContexts           []string `json:"status_check_contexts"`
 	RequiredApprovals             *int64   `json:"required_approvals"`
@@ -8,6 +8,8 @@ import (
 	"strings"
 	"testing"

+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/setting"
+
 	"github.com/stretchr/testify/assert"
 )

@@ -66,6 +68,21 @@ func TestLocaleStore(t *testing.T) {
 	assert.Equal(t, "&lt;no-such&gt;", string(res))
 }

+func TestLocaleAppNameSubstitution(t *testing.T) {
+	setting.AppName = "TestApp"
+
+	ls := NewLocaleStore()
+	assert.NoError(t, ls.AddLocaleByJSON("lang1", "Lang1", []byte(`{"greeting":"Welcome to ${APP_NAME}","plain":"No placeholder here"}`), nil))
+	lang1, _ := ls.Locale("lang1")
+
+	assert.Equal(t, "Welcome to TestApp", lang1.TrString("greeting"))
+	assert.Equal(t, "No placeholder here", lang1.TrString("plain"))
+
+	// Verify it responds to runtime AppName changes
+	setting.AppName = "ChangedApp"
+	assert.Equal(t, "Welcome to ChangedApp", lang1.TrString("greeting"))
+}
+
 func TestLocaleStoreMoreSource(t *testing.T) {
 	testData1 := []byte(`
 {
@@ -9,9 +9,11 @@ import (
 	"html"
 	"html/template"
 	"slices"
+	"strings"

 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/json"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/log"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/setting"
 )

 // This file implements the static LocaleStore that will not watch for changes
@@ -142,6 +144,9 @@ func (l *locale) TrString(trKey string, trArgs ...any) string {
 	if format == "" { // still missing, use the key itself
 		format = html.EscapeString(trKey)
 	}
+	if strings.Contains(format, "${APP_NAME}") {
+		format = strings.ReplaceAll(format, "${APP_NAME}", setting.AppName)
+	}
 	msg, err := Format(format, trArgs...)
 	if err != nil {
 		log.Error("Error whilst formatting %q in %s: %v", trKey, l.langName, err)
@@ -25,7 +25,7 @@
  "enable_javascript": "This website requires JavaScript.",
  "toc": "Table of Contents",
  "licenses": "Licenses",
-  "return_to_gitea": "Return to MokoGitea",
+  "return_to_gitea": "Return to ${APP_NAME}",
  "more_items": "More items",
  "username": "Username",
  "email": "Email Address",
@@ -222,7 +222,7 @@
  "filter.string.asc": "A–Z",
  "filter.string.desc": "Z–A",
  "error.occurred": "An error occurred",
-  "error.report_message": "If you believe that this is a MokoGitea bug, please search for issues on <a href=\"%s\" target=\"_blank\">GitHub</a> or open a new issue if necessary.",
+  "error.report_message": "If you believe that this is a ${APP_NAME} bug, please search for issues on <a href=\"%s\" target=\"_blank\">GitHub</a> or open a new issue if necessary.",
  "error.not_found": "The target couldn't be found.",
  "error.permission_denied": "Permission denied.",
  "error.network_error": "Network error",
@@ -230,16 +230,16 @@
  "startpage.install": "Easy to install",
  "startpage.install_desc": "Simply <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"%[1]s\">run the binary</a> for your platform, ship it with <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"%[2]s\">Docker</a>, or get it <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"%[3]s\">packaged</a>.",
  "startpage.platform": "Cross-platform",
-  "startpage.platform_desc": "MokoGitea runs anywhere <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"%s\">Go</a> can compile for: Windows, macOS, Linux, ARM, etc. Choose the one you love!",
+  "startpage.platform_desc": "${APP_NAME} runs anywhere <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"%s\">Go</a> can compile for: Windows, macOS, Linux, ARM, etc. Choose the one you love!",
  "startpage.lightweight": "Lightweight",
-  "startpage.lightweight_desc": "MokoGitea has low minimal requirements and can run on an inexpensive Raspberry Pi. Save your machine energy!",
+  "startpage.lightweight_desc": "${APP_NAME} has low minimal requirements and can run on an inexpensive Raspberry Pi. Save your machine energy!",
  "startpage.license": "Open Source",
  "startpage.license_desc": "Go get <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"%[1]s\">%[2]s</a>! Join us by <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"%[3]s\">contributing</a> to make this project even better. Don't hesitate to contribute!",
  "install.install": "Installation",
  "install.installing_desc": "Installing now, please wait…",
  "install.title": "Initial Configuration",
-  "install.docker_helper": "If you run MokoGitea inside Docker, please read the <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"%s\">documentation</a> before changing any settings.",
-  "install.require_db_desc": "MokoGitea requires MySQL, PostgreSQL, MSSQL, SQLite3 or TiDB (MySQL protocol).",
+  "install.docker_helper": "If you run ${APP_NAME} inside Docker, please read the <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"%s\">documentation</a> before changing any settings.",
+  "install.require_db_desc": "${APP_NAME} requires MySQL, PostgreSQL, MSSQL, SQLite3 or TiDB (MySQL protocol).",
  "install.db_title": "Database Settings",
  "install.db_type": "Database Type",
  "install.host": "Host",
@@ -250,12 +250,12 @@
  "install.db_schema_helper": "Leave blank for database default (\"public\").",
  "install.ssl_mode": "SSL",
  "install.path": "Path",
-  "install.sqlite_helper": "File path for the SQLite3 database.<br>Enter an absolute path if you run MokoGitea as a service.",
-  "install.reinstall_error": "You are trying to install into an existing MokoGitea database",
-  "install.reinstall_confirm_message": "Re-installing with an existing MokoGitea database can cause multiple problems. In most cases, you should use your existing \"app.ini\" to run MokoGitea. If you know what you are doing, confirm the following:",
+  "install.sqlite_helper": "File path for the SQLite3 database.<br>Enter an absolute path if you run ${APP_NAME} as a service.",
+  "install.reinstall_error": "You are trying to install into an existing ${APP_NAME} database",
+  "install.reinstall_confirm_message": "Re-installing with an existing ${APP_NAME} database can cause multiple problems. In most cases, you should use your existing \"app.ini\" to run ${APP_NAME}. If you know what you are doing, confirm the following:",
  "install.reinstall_confirm_check_1": "The data encrypted by the SECRET_KEY in app.ini may be lost: users may not be able to log in with 2FA/OTP and mirrors may not function correctly. By checking this box, you confirm that the current app.ini file contains the correct SECRET_KEY.",
  "install.reinstall_confirm_check_2": "The repositories and settings may need to be resynchronized. By checking this box, you confirm that you will resynchronize the hooks for the repositories and authorized_keys file manually. You confirm that you will ensure that repository and mirror settings are correct.",
-  "install.reinstall_confirm_check_3": "You confirm that you are absolutely sure that this MokoGitea is running with the correct app.ini location and that you are sure that you have to re-install. You confirm that you acknowledge the above risks.",
+  "install.reinstall_confirm_check_3": "You confirm that you are absolutely sure that this ${APP_NAME} is running with the correct app.ini location and that you are sure that you have to re-install. You confirm that you acknowledge the above risks.",
  "install.err_empty_db_path": "The SQLite3 database path cannot be empty.",
  "install.no_admin_and_disable_registration": "You cannot disable user self-registration without creating an administrator account.",
  "install.err_empty_admin_password": "The administrator password cannot be empty.",
@@ -271,14 +271,14 @@
  "install.lfs_path": "Git LFS Root Path",
  "install.lfs_path_helper": "Files tracked by Git LFS will be stored in this directory. Leave empty to disable.",
  "install.run_user": "Run As Username",
-  "install.run_user_helper": "The operating system username that MokoGitea runs as, it must have write access to the data paths. This value is auto-detected and cannot be changed here. To use a different user, restart MokoGitea under that account.",
+  "install.run_user_helper": "The operating system username that ${APP_NAME} runs as, it must have write access to the data paths. This value is auto-detected and cannot be changed here. To use a different user, restart ${APP_NAME} under that account.",
  "install.domain": "Server Domain",
  "install.domain_helper": "Domain or host address for the server.",
  "install.ssh_port": "SSH Server Port",
  "install.ssh_port_helper": "Port number your SSH server listens on. Leave empty to disable.",
-  "install.http_port": "MokoGitea HTTP Listen Port",
-  "install.http_port_helper": "Port number the MokoGitea web server will listen on.",
-  "install.app_url": "MokoGitea Base URL",
+  "install.http_port": "${APP_NAME} HTTP Listen Port",
+  "install.http_port_helper": "Port number the ${APP_NAME} web server will listen on.",
+  "install.app_url": "${APP_NAME} Base URL",
  "install.app_url_helper": "Base address for HTTP(S) clone URLs and email notifications.",
  "install.log_root_path": "Log Path",
  "install.log_root_path_helper": "Log files will be written to this directory.",
@@ -288,7 +288,7 @@
  "install.smtp_port": "SMTP Port",
  "install.smtp_from": "Send Email As",
  "install.smtp_from_invalid": "The \"Send Email As\" address is invalid",
-  "install.smtp_from_helper": "Email address MokoGitea will use. Enter a plain email address or use the \"Name\" <email@example.com> format.",
+  "install.smtp_from_helper": "Email address ${APP_NAME} will use. Enter a plain email address or use the \"Name\" <email@example.com> format.",
  "install.mailer_user": "SMTP Username",
  "install.mailer_password": "SMTP Password",
  "install.register_confirm": "Require Email Confirmation to Register",
@@ -311,7 +311,7 @@
  "install.admin_password": "Password",
  "install.confirm_password": "Confirm Password",
  "install.admin_email": "Email Address",
-  "install.install_btn_confirm": "Install MokoGitea",
+  "install.install_btn_confirm": "Install ${APP_NAME}",
  "install.test_git_failed": "Could not test 'git' command: %v",
  "install.invalid_db_setting": "The database settings are invalid: %v",
  "install.invalid_db_table": "The database table \"%s\" is invalid: %v",
@@ -385,7 +385,7 @@
  "auth.forgot_password_title": "Forgot Password",
  "auth.forgot_password": "Forgot password?",
  "auth.need_account": "Need an account?",
-  "auth.sign_up_tip": "You are registering the first account in the system, which has administrator privileges. Please carefully remember your username and password. If you forget the username or password, please refer to the MokoGitea documentation to recover the account.",
+  "auth.sign_up_tip": "You are registering the first account in the system, which has administrator privileges. Please carefully remember your username and password. If you forget the username or password, please refer to the ${APP_NAME} documentation to recover the account.",
  "auth.sign_up_now": "Register now.",
  "auth.sign_up_successful": "Account was successfully created. Welcome!",
  "auth.confirmation_mail_sent_prompt_ex": "A new confirmation email has been sent to <b>%s</b>. Please check your inbox within the next %s to complete the registration process. If your registration email address is incorrect, you can sign in again and change it.",
@@ -409,7 +409,7 @@
  "auth.reset_password_helper": "Recover Account",
  "auth.reset_password_wrong_user": "You are signed in as %s, but the account recovery link is meant for %s",
  "auth.password_too_short": "Password length cannot be less than %d characters.",
-  "auth.non_local_account": "Non-local users cannot update their password through the MokoGitea web interface.",
+  "auth.non_local_account": "Non-local users cannot update their password through the ${APP_NAME} web interface.",
  "auth.verify": "Verify",
  "auth.scratch_code": "Scratch code",
  "auth.use_scratch_code": "Use a scratch code",
@@ -726,7 +726,7 @@
  "settings.retype_new_password": "Confirm New Password",
  "settings.password_incorrect": "The current password is incorrect.",
  "settings.change_password_success": "Your password has been updated. Sign in using your new password from now on.",
-  "settings.password_change_disabled": "Non-local users cannot update their password through the MokoGitea web interface.",
+  "settings.password_change_disabled": "Non-local users cannot update their password through the ${APP_NAME} web interface.",
  "settings.emails": "Email Addresses",
  "settings.manage_emails": "Manage Email Addresses",
  "settings.manage_themes": "Select default theme",
@@ -734,7 +734,7 @@
  "settings.email_desc": "Your primary email address will be used for notifications, password recovery and, provided that it is not hidden, web-based Git operations.",
  "settings.theme_desc": "This will be your default theme across the site.",
  "settings.theme_colorblindness_help": "Color blindness Theme Support",
-  "settings.theme_colorblindness_prompt": "MokoGitea only has a few themes with basic color blindness support, which only have a few colors defined. The work is still in progress. More improvements could be made by defining more colors in the theme CSS files.",
+  "settings.theme_colorblindness_prompt": "${APP_NAME} only has a few themes with basic color blindness support, which only have a few colors defined. The work is still in progress. More improvements could be made by defining more colors in the theme CSS files.",
  "settings.primary": "Primary",
  "settings.activated": "Activated",
  "settings.requires_activation": "Requires activation",
@@ -843,7 +843,7 @@
  "settings.unbind_success": "The social account has been removed successfully.",
  "settings.manage_access_token": "Manage Access Tokens",
  "settings.generate_new_token": "Generate New Token",
-  "settings.tokens_desc": "These tokens grant access to your account using the Gitea API.",
+  "settings.tokens_desc": "These tokens grant access to your account using the ${APP_NAME} API.",
  "settings.token_name": "Token Name",
  "settings.generate_token": "Generate Token",
  "settings.generate_token_success": "Your new token has been generated. Copy it now as it will not be shown again.",
@@ -869,7 +869,7 @@
  "settings.permissions_list": "Permissions:",
  "settings.manage_oauth2_applications": "Manage OAuth2 Applications",
  "settings.edit_oauth2_application": "Edit OAuth2 Application",
-  "settings.oauth2_applications_desc": "OAuth2 applications enable your third-party application to securely authenticate users at this MokoGitea instance.",
+  "settings.oauth2_applications_desc": "OAuth2 applications enable your third-party application to securely authenticate users at this ${APP_NAME} instance.",
  "settings.remove_oauth2_application": "Remove OAuth2 Application",
  "settings.remove_oauth2_application_desc": "Removing an OAuth2 application will revoke access to all signed access tokens. Continue?",
  "settings.remove_oauth2_application_success": "The application has been deleted.",
@@ -890,9 +890,9 @@
  "settings.oauth2_application_edit": "Edit",
  "settings.oauth2_application_create_description": "OAuth2 applications give your third-party application access to user accounts on this instance.",
  "settings.oauth2_application_remove_description": "Removing an OAuth2 application will prevent it from accessing authorized user accounts on this instance. Continue?",
-  "settings.oauth2_application_locked": "MokoGitea pre-registers some OAuth2 applications on startup if enabled in config. To prevent unexpected behavior, these can neither be edited nor removed. Please refer to the OAuth2 documentation for more information.",
+  "settings.oauth2_application_locked": "${APP_NAME} pre-registers some OAuth2 applications on startup if enabled in config. To prevent unexpected behavior, these can neither be edited nor removed. Please refer to the OAuth2 documentation for more information.",
  "settings.authorized_oauth2_applications": "Authorized OAuth2 Applications",
-  "settings.authorized_oauth2_applications_description": "You have granted access to your personal MokoGitea account to these third-party applications. Please revoke access for applications you no longer need.",
+  "settings.authorized_oauth2_applications_description": "You have granted access to your personal ${APP_NAME} account to these third-party applications. Please revoke access for applications you no longer need.",
  "settings.revoke_key": "Revoke",
  "settings.revoke_oauth2_grant": "Revoke Access",
  "settings.revoke_oauth2_grant_description": "Revoking access for this third-party application will prevent this application from accessing your data. Are you sure?",
@@ -923,11 +923,11 @@
  "settings.webauthn_key_loss_warning": "If you lose your security keys, you will lose access to your account.",
  "settings.webauthn_alternative_tip": "You may want to configure an additional authentication method.",
  "settings.manage_account_links": "Manage Linked Accounts",
-  "settings.manage_account_links_desc": "These external accounts are linked to your MokoGitea account.",
-  "settings.account_links_not_available": "No external accounts are currently linked to your MokoGitea account.",
+  "settings.manage_account_links_desc": "These external accounts are linked to your ${APP_NAME} account.",
+  "settings.account_links_not_available": "No external accounts are currently linked to your ${APP_NAME} account.",
  "settings.link_account": "Link Account",
  "settings.remove_account_link": "Remove Linked Account",
-  "settings.remove_account_link_desc": "Removing a linked account will revoke its access to your MokoGitea account. Continue?",
+  "settings.remove_account_link_desc": "Removing a linked account will revoke its access to your ${APP_NAME} account. Continue?",
  "settings.remove_account_link_success": "The linked account has been removed.",
  "settings.hooks.desc": "Add webhooks which will be triggered for <strong>all repositories</strong> that you own.",
  "settings.orgs_none": "You are not a member of any organizations.",
@@ -943,7 +943,7 @@
  "settings.email_notifications.disable": "Disable Email Notifications",
  "settings.email_notifications.submit": "Set Email Preference",
  "settings.email_notifications.andyourown": "And Your Own Notifications",
-  "settings.email_notifications.actions.desc": "Notifications for workflow runs on repositories set up with <a target=\"_blank\" href=\"%s\">Gitea Actions</a>.",
+  "settings.email_notifications.actions.desc": "Notifications for workflow runs on repositories set up with <a target=\"_blank\" href=\"%s\">${APP_NAME} Actions</a>.",
  "settings.email_notifications.actions.failure_only": "Only notify for failed workflow runs",
  "settings.visibility": "User visibility",
  "settings.visibility.public": "Public",
@@ -1125,7 +1125,7 @@
  "repo.migrate.github.description": "Migrate data from github.com or other GitHub instances.",
  "repo.migrate.git.description": "Migrate a repository only from any Git service.",
  "repo.migrate.gitlab.description": "Migrate data from gitlab.com or other GitLab instances.",
-  "repo.migrate.gitea.description": "Migrate data from gitea.com or other Gitea instances.",
+  "repo.migrate.gitea.description": "Migrate data from other ${APP_NAME} instances.",
  "repo.migrate.gogs.description": "Migrate data from notabug.org or other Gogs instances.",
  "repo.migrate.onedev.description": "Migrate data from code.onedev.io or other OneDev instances.",
  "repo.migrate.codebase.description": "Migrate data from codebasehq.com.",
@@ -1891,7 +1891,7 @@
  "repo.pulls.cmd_instruction_checkout_title": "Checkout",
  "repo.pulls.cmd_instruction_checkout_desc": "From your project repository, check out a new branch and test the changes.",
  "repo.pulls.cmd_instruction_merge_title": "Merge",
-  "repo.pulls.cmd_instruction_merge_desc": "Merge the changes and update on MokoGitea.",
+  "repo.pulls.cmd_instruction_merge_desc": "Merge the changes and update on ${APP_NAME}.",
  "repo.pulls.cmd_instruction_merge_warning": "Warning: This operation cannot merge pull request because \"autodetect manual merge\" is not enabled.",
  "repo.pulls.clear_merge_message": "Clear merge message",
  "repo.pulls.clear_merge_message_hint": "Clearing the merge message will only remove the commit message content and keep generated git trailers such as \"Co-Authored-By…\".",
@@ -2144,6 +2144,19 @@
  "repo.settings.pulls.default_delete_branch_after_merge": "Delete pull request branch after merge by default",
  "repo.settings.pulls.default_allow_edits_from_maintainers": "Allow edits from maintainers by default",
  "repo.settings.releases_desc": "Enable Repository Releases",
+  "repo.settings.unit_visibility": "Visibility",
+  "repo.settings.unit_visibility_private": "Private (follow repo visibility)",
+  "repo.settings.unit_visibility_public": "Public (anyone can read)",
+  "repo.settings.unit_visibility_releases_help": "Controls whether the releases page is visible to anonymous visitors.",
+  "repo.settings.licensing_section": "Licensing & Updates",
+  "repo.settings.licensing_section_desc": "Manage commercial license keys and gated update feeds for this repository. When enabled, the Licenses tab appears and release tags must follow update stream naming.",
+  "repo.settings.update_platform": "Update Feed Format",
+  "repo.settings.update_platform_both": "Both (Joomla + Dolibarr)",
+  "repo.settings.update_platform_help": "Choose which update feed format to generate. All formats support license key validation.",
+  "repo.settings.require_update_key": "Require license key for update feeds",
+  "repo.settings.require_update_key_help": "When enabled, update feeds return empty results unless a valid license key is provided. Joomla clients will see a Download Key field in Update Sites.",
+  "repo.settings.enable_licensing": "Enable licensing for this repository",
+  "repo.settings.enable_licensing_help": "Show the Licenses tab and enable license key management for this repository.",
  "repo.settings.packages_desc": "Enable Repository Packages Registry",
  "repo.settings.projects_desc": "Enable Projects",
  "repo.settings.projects_mode_desc": "Projects Mode (which kinds of projects to show)",
@@ -2199,11 +2212,11 @@
  "repo.settings.trust_model.collaborator.long": "Collaborator: Trust signatures by collaborators",
  "repo.settings.trust_model.collaborator.desc": "Valid signatures by collaborators of this repository will be marked \"trusted\", whether they match the committer or not. Otherwise, valid signatures will be marked \"untrusted\" if the signature matches the committer and \"unmatched\" if not.",
  "repo.settings.trust_model.committer": "Committer",
-  "repo.settings.trust_model.committer.long": "Committer: Trust signatures that match committers. This matches GitHub's behavior and will force commits signed by MokoGitea to have MokoGitea as the committer.",
-  "repo.settings.trust_model.committer.desc": "Valid signatures will only be marked \"trusted\" if they match the committer, otherwise they will be marked \"unmatched\". This forces MokoGitea to be the committer on signed commits, with the actual committer marked as Co-authored-by: and Co-committed-by: trailer in the commit. The default MokoGitea key must match a user in the database.",
+  "repo.settings.trust_model.committer.long": "Committer: Trust signatures that match committers. This matches GitHub's behavior and will force commits signed by ${APP_NAME} to have ${APP_NAME} as the committer.",
+  "repo.settings.trust_model.committer.desc": "Valid signatures will only be marked \"trusted\" if they match the committer, otherwise they will be marked \"unmatched\". This forces ${APP_NAME} to be the committer on signed commits, with the actual committer marked as Co-authored-by: and Co-committed-by: trailer in the commit. The default ${APP_NAME} key must match a user in the database.",
  "repo.settings.trust_model.collaboratorcommitter": "Collaborator+Committer",
  "repo.settings.trust_model.collaboratorcommitter.long": "Collaborator+Committer: Trust signatures by collaborators which match the committer",
-  "repo.settings.trust_model.collaboratorcommitter.desc": "Valid signatures by collaborators of this repository will be marked \"trusted\" if they match the committer. Otherwise, valid signatures will be marked \"untrusted\" if the signature matches the committer and \"unmatched\" otherwise. This will force MokoGitea to be marked as the committer on signed commits, with the actual committer marked as Co-Authored-By: and Co-Committed-By: trailer in the commit. The default MokoGitea key must match a user in the database.",
+  "repo.settings.trust_model.collaboratorcommitter.desc": "Valid signatures by collaborators of this repository will be marked \"trusted\" if they match the committer. Otherwise, valid signatures will be marked \"untrusted\" if the signature matches the committer and \"unmatched\" otherwise. This will force ${APP_NAME} to be marked as the committer on signed commits, with the actual committer marked as Co-Authored-By: and Co-Committed-By: trailer in the commit. The default ${APP_NAME} key must match a user in the database.",
  "repo.settings.wiki_delete": "Delete Wiki Data",
  "repo.settings.wiki_delete_desc": "Deleting repository wiki data is permanent and cannot be undone.",
  "repo.settings.wiki_delete_notices_1": "- This will permanently delete and disable the repository wiki for %s.",
@@ -2240,7 +2253,7 @@
  "repo.settings.remove_team_success": "The team's access to the repository has been removed.",
  "repo.settings.add_webhook": "Add Webhook",
  "repo.settings.add_webhook.invalid_channel_name": "Webhook channel name cannot be empty and cannot contain only a # character.",
-  "repo.settings.hooks_desc": "Webhooks automatically make HTTP POST requests to a server when certain MokoGitea events trigger. Read more in the <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"%s\">webhooks guide</a>.",
+  "repo.settings.hooks_desc": "Webhooks automatically make HTTP POST requests to a server when certain ${APP_NAME} events trigger. Read more in the <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"%s\">webhooks guide</a>.",
  "repo.settings.webhook_deletion": "Remove Webhook",
  "repo.settings.webhook_deletion_desc": "Removing a webhook deletes its settings and delivery history. Continue?",
  "repo.settings.webhook_deletion_success": "The webhook has been removed.",
@@ -2258,7 +2271,7 @@
  "repo.settings.githooks_desc": "Git Hooks are powered by Git itself. You can edit hook files below to set up custom operations.",
  "repo.settings.githook_edit_desc": "If the hook is inactive, sample content will be presented. Leaving content to an empty value will disable this hook.",
  "repo.settings.update_githook": "Update Hook",
-  "repo.settings.add_webhook_desc": "MokoGitea will send <code>POST</code> requests with a specified content type to the target URL. Read more in the <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"%s\">webhooks guide</a>.",
+  "repo.settings.add_webhook_desc": "${APP_NAME} will send <code>POST</code> requests with a specified content type to the target URL. Read more in the <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"%s\">webhooks guide</a>.",
  "repo.settings.payload_url": "Target URL",
  "repo.settings.http_method": "HTTP Method",
  "repo.settings.content_type": "POST Content Type",
@@ -2326,9 +2339,9 @@
  "repo.settings.event_pull_request_merge": "Pull Request Merge",
  "repo.settings.event_header_workflow": "Workflow Events",
  "repo.settings.event_workflow_run": "Workflow Run",
-  "repo.settings.event_workflow_run_desc": "Gitea Actions Workflow run queued, waiting, in progress, or completed.",
+  "repo.settings.event_workflow_run_desc": "${APP_NAME} Actions Workflow run queued, waiting, in progress, or completed.",
  "repo.settings.event_workflow_job": "Workflow Jobs",
-  "repo.settings.event_workflow_job_desc": "Gitea Actions Workflow job queued, waiting, in progress, or completed.",
+  "repo.settings.event_workflow_job_desc": "${APP_NAME} Actions Workflow job queued, waiting, in progress, or completed.",
  "repo.settings.event_package": "Package",
  "repo.settings.event_package_desc": "Package created or deleted in a repository.",
  "repo.settings.branch_filter": "Branch filter",
@@ -2349,7 +2362,7 @@
  "repo.settings.slack_domain": "Domain",
  "repo.settings.slack_channel": "Channel",
  "repo.settings.add_web_hook_desc": "Integrate <a target=\"_blank\" rel=\"noreferrer\" href=\"%s\">%s</a> into your repository.",
-  "repo.settings.web_hook_name_gitea": "MokoGitea",
+  "repo.settings.web_hook_name_gitea": "${APP_NAME}",
  "repo.settings.web_hook_name_gogs": "Gogs",
  "repo.settings.web_hook_name_slack": "Slack",
  "repo.settings.web_hook_name_discord": "Discord",
@@ -2404,15 +2417,18 @@
  "repo.settings.protect_whitelist_committers": "Allowlist Restricted Push",
  "repo.settings.protect_whitelist_committers_desc": "Only allowlisted users or teams will be allowed to push to this branch (but not force push).",
  "repo.settings.protect_whitelist_deploy_keys": "Allowlist deploy keys with write access to push.",
+  "repo.settings.protect_whitelist_actions_user": "Allowlist actions bot user to push.",
  "repo.settings.protect_whitelist_users": "Allowlisted users for pushing:",
  "repo.settings.protect_whitelist_teams": "Allowlisted teams for pushing:",
  "repo.settings.protect_force_push_allowlist_users": "Allowlisted users for force pushing:",
  "repo.settings.protect_force_push_allowlist_teams": "Allowlisted teams for force pushing:",
  "repo.settings.protect_force_push_allowlist_deploy_keys": "Allowlist deploy keys with push access to force push.",
+  "repo.settings.protect_force_push_allowlist_actions_user": "Allowlist actions bot user to force push.",
  "repo.settings.protect_merge_whitelist_committers": "Enable Merge Allowlist",
  "repo.settings.protect_merge_whitelist_committers_desc": "Allow only allowlisted users or teams to merge pull requests into this branch.",
  "repo.settings.protect_merge_whitelist_users": "Allowlisted users for merging:",
  "repo.settings.protect_merge_whitelist_teams": "Allowlisted teams for merging:",
+  "repo.settings.protect_merge_whitelist_actions_user": "Allowlist actions bot user to merge.",
  "repo.settings.protect_check_status_contexts": "Enable Status Check",
  "repo.settings.protect_status_check_patterns": "Status check patterns:",
  "repo.settings.protect_status_check_patterns_desc": "Enter patterns to specify which status checks must pass before branches can be merged into a branch that matches this rule. Each line specifies a pattern. Patterns cannot be empty.",
@@ -2605,6 +2621,74 @@
  "repo.release.detail": "Release details",
  "repo.release.tags": "Tags",
  "repo.release.new_release": "New Release",
+  "repo.release.update_feed": "Update Feed",
+  "repo.licenses": "Licenses",
+  "repo.licenses.packages": "License Packages",
+  "repo.licenses.package_name": "Package",
+  "repo.licenses.duration": "Duration",
+  "repo.licenses.channels": "Channels",
+  "repo.licenses.keys_issued": "Keys",
+  "repo.licenses.status": "Status",
+  "repo.licenses.lifetime": "Lifetime",
+  "repo.licenses.days": "days",
+  "repo.licenses.all_channels": "All channels",
+  "repo.licenses.active": "Active",
+  "repo.licenses.inactive": "Inactive",
+  "repo.licenses.none": "No License Packages",
+  "repo.licenses.none_desc": "Create a license package to start managing keys and gating update feeds.",
+  "repo.licenses.issued_keys": "Issued Keys",
+  "repo.licenses.key_prefix": "Key",
+  "repo.licenses.licensee": "Licensee",
+  "repo.licenses.expires": "Expires",
+  "repo.licenses.never": "Never",
+  "repo.licenses.new_package": "New Package",
+  "repo.licenses.description": "Description",
+  "repo.licenses.max_sites": "Max Sites",
+  "repo.licenses.channels_help": "Select which update channels this package grants access to. Leave all unchecked for all channels.",
+  "repo.licenses.create_package": "Create License Package",
+  "repo.licenses.create_new_package": "Create New License Package",
+  "repo.licenses.package_created": "License package created successfully.",
+  "repo.licenses.generate_key": "Generate Key",
+  "repo.licenses.key_created": "License Key Created",
+  "repo.licenses.key_created_copy": "Your new license key is shown below. You can also view and copy it from the keys table at any time.",
+  "repo.licenses.revoke": "Revoke",
+  "repo.licenses.edit_package": "Edit License Package",
+  "repo.licenses.delete_package": "Delete Package",
+  "repo.licenses.package_updated": "License package updated.",
+  "repo.licenses.package_deleted": "License package deleted.",
+  "repo.licenses.key_revoked": "License key revoked.",
+  "repo.licenses.master_key_created": "Master License Key Created",
+  "repo.licenses.master_key_created_copy": "This is your organization master key with unlimited access to all update channels. Copy it now — it will not be shown again.",
+  "repo.licenses.update_feeds": "Update Feed URLs",
+  "repo.licenses.edit_key": "Edit License Key",
+  "repo.licenses.licensee_name": "Licensee Name",
+  "repo.licenses.licensee_email": "Licensee Email",
+  "repo.licenses.domain_restriction": "Domain Restriction",
+  "repo.licenses.domain_restriction_help": "Comma-separated list of allowed domains. Leave empty for no restriction.",
+  "repo.licenses.use_package_default": "use package default",
+  "repo.licenses.expires_at": "Expires At",
+  "repo.licenses.expires_at_help": "Leave empty for no expiry (lifetime).",
+  "repo.licenses.key_updated": "License key updated.",
+  "repo.licenses.last_seen": "Last Seen",
+  "repo.licenses.confirm_delete_package": "Delete this package? This action cannot be undone.",
+  "repo.licenses.confirm_revoke_key": "Revoke this license key? The licensee will immediately lose access to update feeds.",
+  "repo.licenses.feed_joomla_xml": "Joomla XML",
+  "repo.licenses.feed_dolibarr_json": "Dolibarr JSON",
+  "repo.licenses.feed_joomla_updates": "Joomla updates.xml",
+  "repo.licenses.feed_dolibarr_updates": "Dolibarr JSON",
+  "repo.licenses.master_label": "Master",
+  "repo.licenses.unlimited": "unlimited",
+  "repo.licenses.active_help_package": "Deactivating blocks new key creation and disables all issued keys.",
+  "repo.licenses.active_help_key": "Deactivating immediately blocks update feed access for this licensee.",
+  "repo.licenses.renew": "Renew",
+  "repo.licenses.key_renewed": "License key renewed for %d days.",
+  "repo.licenses.confirm_renew_key": "Renew this license key? The expiration will be extended by the package duration.",
+  "repo.licenses.desc": "License packages and keys for gating update feeds.",
+  "repo.licenses.custom_key_placeholder": "Custom key (optional)",
+  "repo.licenses.custom_key_help": "Leave empty to auto-generate. Site admins and org owners can set a custom key value.",
+  "repo.licenses.delete_key": "Delete Key",
+  "repo.licenses.confirm_delete_key": "Permanently delete this license key? This cannot be undone.",
+  "repo.licenses.key_deleted": "License key deleted.",
  "repo.release.draft": "Draft",
  "repo.release.prerelease": "Pre-Release",
  "repo.release.stable": "Stable",
@@ -2634,7 +2718,7 @@
  "repo.release.delete_release": "Delete Release",
  "repo.release.delete_tag": "Delete Tag",
  "repo.release.deletion": "Delete Release",
-  "repo.release.deletion_desc": "Deleting a release only removes it from MokoGitea. It will not affect the Git tag, the contents of your repository or its history. Continue?",
+  "repo.release.deletion_desc": "Deleting a release only removes it from ${APP_NAME}. It will not affect the Git tag, the contents of your repository or its history. Continue?",
  "repo.release.deletion_success": "The release has been deleted.",
  "repo.release.deletion_tag_desc": "Will delete this tag from repository. Repository contents and history remain unchanged. Continue?",
  "repo.release.deletion_tag_success": "The tag has been deleted.",
@@ -2746,6 +2830,26 @@
  "org.form.create_org_not_allowed": "You are not allowed to create an organization.",
  "org.settings": "Settings",
  "org.settings.options": "Organization",
+  "org.settings.update_streams": "Licensing & Update Streams",
+  "org.settings.licensing": "Licensing",
+  "org.settings.licensing_desc": "Control commercial license key management and gated update feeds across all repositories in this organization.",
+  "org.settings.enable_licensing": "Enable licensing for this organization",
+  "org.settings.enable_licensing_help": "Show the Licenses page in the org menu and enable license key management. Individual repos can also enable licensing independently.",
+  "org.settings.require_key": "Require license key for all update feeds",
+  "org.settings.require_key_help": "Update feeds return empty results unless a valid key is provided. Joomla clients will see a Download Key field. Individual repos can override this.",
+  "org.settings.update_streams_heading": "Update Streams",
+  "org.settings.update_streams_desc": "Configure the default update streams for all repositories. Release tags are matched to streams by their suffix. Repos can override with per-repo settings.",
+  "org.settings.stream_mode": "Stream Mode",
+  "org.settings.stream_mode_joomla": "Standard Joomla streams (stable, release-candidate, beta, alpha, development)",
+  "org.settings.stream_mode_custom": "Custom streams (define your own channels and tag patterns)",
+  "org.settings.default_streams": "Active Streams",
+  "org.settings.stream_name": "Channel",
+  "org.settings.stream_suffix": "Tag Suffix",
+  "org.settings.no_suffix": "none (stable)",
+  "org.settings.streams_tag_help": "When licensing is active, release tags with prerelease suffixes must match one of the streams above (e.g. v1.0.0-rc1 matches the -rc stream).",
+  "org.settings.custom_streams": "Custom Stream Definitions (JSON)",
+  "org.settings.custom_streams_help": "JSON array of stream objects. Each needs: name, suffix, description. Example: [{\"name\":\"lts\",\"suffix\":\"-lts\",\"description\":\"Long-term support\"}]",
+  "org.settings.update_streams_saved": "Settings saved.",
  "org.settings.full_name": "Full Name",
  "org.settings.email": "Contact Email Address",
  "org.settings.website": "Website",
@@ -2913,7 +3017,7 @@
  "admin.last_page": "Last",
  "admin.total": "Total: %d",
  "admin.settings": "Admin Settings",
-  "admin.dashboard.new_version_hint": "MokoGitea %s is now available, you are running %s. Check <a target=\"_blank\" rel=\"noreferrer\" href=\"%s\">the blog</a> for more details.",
+  "admin.dashboard.new_version_hint": "${APP_NAME} %s is now available, you are running %s. Check <a target=\"_blank\" rel=\"noreferrer\" href=\"%s\">the blog</a> for more details.",
  "admin.dashboard.statistic": "Summary",
  "admin.dashboard.maintenance_operations": "Maintenance Operations",
  "admin.dashboard.system_status": "System Status",
@@ -2949,8 +3053,8 @@
  "admin.dashboard.deleted_branches_cleanup": "Clean up deleted branches",
  "admin.dashboard.update_migration_poster_id": "Update migration poster IDs",
  "admin.dashboard.git_gc_repos": "Garbage-collect all repositories",
-  "admin.dashboard.resync_all_sshkeys": "Update the '.ssh/authorized_keys' file with MokoGitea SSH keys",
-  "admin.dashboard.resync_all_sshprincipals": "Update the '.ssh/authorized_principals' file with MokoGitea SSH principals",
+  "admin.dashboard.resync_all_sshkeys": "Update the '.ssh/authorized_keys' file with ${APP_NAME} SSH keys",
+  "admin.dashboard.resync_all_sshprincipals": "Update the '.ssh/authorized_principals' file with ${APP_NAME} SSH principals",
  "admin.dashboard.resync_all_hooks": "Resynchronize git hooks of all repositories (pre-receive, update, post-receive, proc-receive, ...)",
  "admin.dashboard.reinit_missing_repos": "Reinitialize all missing Git repositories for which records exist",
  "admin.dashboard.sync_external_users": "Synchronize external user data",
@@ -3030,7 +3134,7 @@
  "admin.users.is_admin": "Is Administrator",
  "admin.users.is_restricted": "Is Restricted",
  "admin.users.allow_git_hook": "May Create Git Hooks",
-  "admin.users.allow_git_hook_tooltip": "Git Hooks are executed as the OS user running MokoGitea and will have the same level of host access. As a result, users with this special Git Hook privilege can access and modify all MokoGitea repositories as well as the database used by MokoGitea. Consequently they are also able to gain MokoGitea administrator privileges.",
+  "admin.users.allow_git_hook_tooltip": "Git Hooks are executed as the OS user running ${APP_NAME} and will have the same level of host access. As a result, users with this special Git Hook privilege can access and modify all ${APP_NAME} repositories as well as the database used by ${APP_NAME}. Consequently they are also able to gain ${APP_NAME} administrator privileges.",
  "admin.users.allow_import_local": "May Import Local Repositories",
  "admin.users.allow_create_organization": "May Create Organizations",
  "admin.users.update_profile": "Update User Account",
@@ -3100,11 +3204,11 @@
  "admin.packages.size": "Size",
  "admin.packages.published": "Published",
  "admin.defaulthooks": "Default Webhooks",
-  "admin.defaulthooks.desc": "Webhooks automatically make HTTP POST requests to a server when certain MokoGitea events trigger. Webhooks defined here are defaults and will be copied into all new repositories. Read more in the <a target=\"_blank\" rel=\"noopener\" href=\"%s\">webhooks guide</a>.",
+  "admin.defaulthooks.desc": "Webhooks automatically make HTTP POST requests to a server when certain ${APP_NAME} events trigger. Webhooks defined here are defaults and will be copied into all new repositories. Read more in the <a target=\"_blank\" rel=\"noopener\" href=\"%s\">webhooks guide</a>.",
  "admin.defaulthooks.add_webhook": "Add Default Webhook",
  "admin.defaulthooks.update_webhook": "Update Default Webhook",
  "admin.systemhooks": "System Webhooks",
-  "admin.systemhooks.desc": "Webhooks automatically make HTTP POST requests to a server when certain MokoGitea events trigger. Webhooks defined here will act on all repositories on the system, so please consider any performance implications this may have. Read more in the <a target=\"_blank\" rel=\"noopener\" href=\"%s\">webhooks guide</a>.",
+  "admin.systemhooks.desc": "Webhooks automatically make HTTP POST requests to a server when certain ${APP_NAME} events trigger. Webhooks defined here will act on all repositories on the system, so please consider any performance implications this may have. Read more in the <a target=\"_blank\" rel=\"noopener\" href=\"%s\">webhooks guide</a>.",
  "admin.systemhooks.add_webhook": "Add System Webhook",
  "admin.systemhooks.update_webhook": "Update System Webhook",
  "admin.auths.auth_manage_panel": "Authentication Source Management",
@@ -3125,7 +3229,7 @@
  "admin.auths.user_base": "User Search Base",
  "admin.auths.user_dn": "User DN",
  "admin.auths.attribute_username": "Username Attribute",
-  "admin.auths.attribute_username_placeholder": "Leave empty to use the username entered in MokoGitea.",
+  "admin.auths.attribute_username_placeholder": "Leave empty to use the username entered in ${APP_NAME}.",
  "admin.auths.attribute_name": "First Name Attribute",
  "admin.auths.attribute_surname": "Surname Attribute",
  "admin.auths.attribute_mail": "Email Attribute",
@@ -3232,7 +3336,7 @@
  "admin.auths.invalid_openIdConnectAutoDiscoveryURL": "Invalid Auto Discovery URL (this must be a valid URL starting with http:// or https://)",
  "admin.config.server_config": "Server Configuration",
  "admin.config.app_name": "Site Title",
-  "admin.config.app_ver": "MokoGitea Version",
+  "admin.config.app_ver": "${APP_NAME} Version",
  "admin.config.custom_conf": "Configuration File Path",
  "admin.config.custom_file_root_path": "Custom File Root Path",
  "admin.config.disable_router_log": "Disable Router Log",
@@ -3272,7 +3376,7 @@
  "admin.config.service_config": "Service Configuration",
  "admin.config.register_email_confirm": "Require Email Confirmation to Register",
  "admin.config.disable_register": "Disable Self-Registration",
-  "admin.config.allow_only_internal_registration": "Allow Registration Only Through MokoGitea itself",
+  "admin.config.allow_only_internal_registration": "Allow Registration Only Through ${APP_NAME} itself",
  "admin.config.allow_only_external_registration": "Allow Registration Only Through External Services",
  "admin.config.enable_openid_signup": "Enable OpenID Self-Registration",
  "admin.config.enable_openid_signin": "Enable OpenID Sign-In",
@@ -3325,6 +3429,14 @@
  "admin.config.common.start_time": "Start time",
  "admin.config.common.end_time": "End time",
  "admin.config.common.skip_time_check": "Leave time empty (clear the field) to skip time check",
+  "admin.config.instance_landing_page": "Default Landing Page",
+  "admin.config.landing_page.home": "Home — default home page",
+  "admin.config.landing_page.explore": "Explore — repository explore page",
+  "admin.config.landing_page.organizations": "Organizations — organization explore page",
+  "admin.config.landing_page.login": "Login — redirect to login page",
+  "admin.config.landing_page.custom": "Custom path — redirect to a specific URL path",
+  "admin.config.landing_page.custom_path": "Custom path",
+  "admin.config.landing_page.custom_path_help": "Internal path to redirect unauthenticated visitors to (e.g. /MokoConsulting or /MokoConsulting/MokoGitea/wiki).",
  "admin.config.instance_maintenance": "Instance Maintenance",
  "admin.config.instance_maintenance_mode.admin_web_access_only": "Only allow admin to access the web UI",
  "admin.config.instance_web_banner.enabled": "Show banner",
@@ -3414,11 +3526,11 @@
  "admin.self_check.no_problem_found": "No problem found yet.",
  "admin.self_check.startup_warnings": "Startup warnings:",
  "admin.self_check.database_collation_mismatch": "Expect database to use collation: %s",
-  "admin.self_check.database_collation_case_insensitive": "Database is using collation %s, which is a case-insensitive collation. Although MokoGitea could work with it, there might be some rare cases which don't work as expected.",
+  "admin.self_check.database_collation_case_insensitive": "Database is using collation %s, which is a case-insensitive collation. Although ${APP_NAME} could work with it, there might be some rare cases which don't work as expected.",
  "admin.self_check.database_inconsistent_collation_columns": "Database is using collation %s, but these columns are using mismatched collations. This might cause some unexpected problems.",
  "admin.self_check.database_fix_mysql": "For MySQL/MariaDB users, you could use the \"gitea doctor convert\" command to fix the collation problems, or you could also fix the problem manually with \"ALTER ... COLLATE ...\" SQL queries.",
  "admin.self_check.database_fix_mssql": "For MSSQL users, you could only fix the problem manually with \"ALTER ... COLLATE ...\" SQL queries at the moment.",
-  "admin.self_check.location_origin_mismatch": "Current URL (%[1]s) doesn't match the URL seen by MokoGitea (%[2]s). If you are using a reverse proxy, please make sure the \"Host\" and \"X-Forwarded-Proto\" headers are set correctly.",
+  "admin.self_check.location_origin_mismatch": "Current URL (%[1]s) doesn't match the URL seen by ${APP_NAME} (%[2]s). If you are using a reverse proxy, please make sure the \"Host\" and \"X-Forwarded-Proto\" headers are set correctly.",
  "action.create_repo": "created repository <a href=\"%s\">%s</a>",
  "action.rename_repo": "renamed repository from <code>%[1]s</code> to <a href=\"%[2]s\">%[3]s</a>",
  "action.commit_repo": "pushed to <a href=\"%[2]s\">%[3]s</a> at <a href=\"%[1]s\">%[4]s</a>",
@@ -3771,8 +3883,8 @@
  "actions.runs.status_no_select": "All status",
  "actions.runs.no_results": "No results matched.",
  "actions.runs.no_workflows": "There are no workflows yet.",
-  "actions.runs.no_workflows.quick_start": "Don't know how to start with Gitea Actions? See <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"%s\">the quick start guide</a>.",
-  "actions.runs.no_workflows.documentation": "For more information on Gitea Actions, see <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"%s\">the documentation</a>.",
+  "actions.runs.no_workflows.quick_start": "Don't know how to start with ${APP_NAME} Actions? See <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"%s\">the quick start guide</a>.",
+  "actions.runs.no_workflows.documentation": "For more information on ${APP_NAME} Actions, see <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"%s\">the documentation</a>.",
  "actions.runs.no_runs": "The workflow has no runs yet.",
  "actions.runs.empty_commit_message": "(empty commit message)",
  "actions.runs.expire_log_message": "Logs have been purged because they were too old.",
@@ -1347,6 +1347,21 @@ func Routes() *web.Router {
 							Delete(reqToken(), reqRepoWriter(unit.TypeReleases), repo.DeleteReleaseByTag)
 					})
 				}, reqRepoReader(unit.TypeReleases))
+				m.Group("/license-packages", func() {
+					m.Combo("").Get(repo.ListLicensePackages).
+						Post(bind(api.CreateLicensePackageOption{}), repo.CreateLicensePackage)
+				}, reqToken(), reqAdmin())
+				m.Post("/license-keys/validate", bind(api.ValidateLicenseKeyOption{}), repo.ValidateLicenseKey)
+				m.Group("/license-keys", func() {
+					m.Combo("").Get(repo.ListLicenseKeys).
+						Post(bind(api.CreateLicenseKeyOption{}), repo.CreateLicenseKey)
+					m.Post("/purchase", bind(api.PurchaseLicenseKeyOption{}), repo.PurchaseLicenseKey)
+					m.Group("/{id}", func() {
+						m.Delete("", repo.DeleteLicenseKey)
+						m.Patch("", bind(api.EditLicenseKeyOption{}), repo.EditLicenseKey)
+						m.Get("/usage", repo.GetLicenseKeyUsage)
+					})
+				}, reqToken(), reqAdmin())
 				m.Post("/mirror-sync", reqToken(), reqRepoWriter(unit.TypeCode), mustNotBeArchived, repo.MirrorSync)
 				m.Post("/push_mirrors-sync", reqAdmin(), reqToken(), mustNotBeArchived, repo.PushMirrorSync)
 				m.Group("/push_mirrors", func() {
@@ -758,10 +758,13 @@ func CreateBranchProtection(ctx *context.APIContext) {
 		CanPush:                       form.EnablePush,
 		EnableWhitelist:               form.EnablePush && form.EnablePushWhitelist,
 		WhitelistDeployKeys:           form.EnablePush && form.EnablePushWhitelist && form.PushWhitelistDeployKeys,
+		WhitelistActionsUser:          form.EnablePush && form.EnablePushWhitelist && form.PushWhitelistActionsUser,
 		CanForcePush:                  form.EnablePush && form.EnableForcePush,
 		EnableForcePushAllowlist:      form.EnablePush && form.EnableForcePush && form.EnableForcePushAllowlist,
 		ForcePushAllowlistDeployKeys:  form.EnablePush && form.EnableForcePush && form.EnableForcePushAllowlist && form.ForcePushAllowlistDeployKeys,
+		ForcePushAllowlistActionsUser: form.EnablePush && form.EnableForcePush && form.EnableForcePushAllowlist && form.ForcePushAllowlistActionsUser,
 		EnableMergeWhitelist:          form.EnableMergeWhitelist,
+		MergeWhitelistActionsUser:     form.EnableMergeWhitelist && form.MergeWhitelistActionsUser,
 		EnableStatusCheck:             form.EnableStatusCheck,
 		StatusCheckContexts:           form.StatusCheckContexts,
 		EnableApprovalsWhitelist:      form.EnableApprovalsWhitelist,
@@ -861,17 +864,22 @@ func EditBranchProtection(ctx *context.APIContext) {
 			protectBranch.CanPush = false
 			protectBranch.EnableWhitelist = false
 			protectBranch.WhitelistDeployKeys = false
+			protectBranch.WhitelistActionsUser = false
 		} else {
 			protectBranch.CanPush = true
 			if form.EnablePushWhitelist != nil {
 				if !*form.EnablePushWhitelist {
 					protectBranch.EnableWhitelist = false
 					protectBranch.WhitelistDeployKeys = false
+					protectBranch.WhitelistActionsUser = false
 				} else {
 					protectBranch.EnableWhitelist = true
 					if form.PushWhitelistDeployKeys != nil {
 						protectBranch.WhitelistDeployKeys = *form.PushWhitelistDeployKeys
 					}
+					if form.PushWhitelistActionsUser != nil {
+						protectBranch.WhitelistActionsUser = *form.PushWhitelistActionsUser
+					}
 				}
 			}
 		}
@@ -882,17 +890,22 @@ func EditBranchProtection(ctx *context.APIContext) {
 			protectBranch.CanForcePush = false
 			protectBranch.EnableForcePushAllowlist = false
 			protectBranch.ForcePushAllowlistDeployKeys = false
+			protectBranch.ForcePushAllowlistActionsUser = false
 		} else {
 			protectBranch.CanForcePush = true
 			if form.EnableForcePushAllowlist != nil {
 				if !*form.EnableForcePushAllowlist {
 					protectBranch.EnableForcePushAllowlist = false
 					protectBranch.ForcePushAllowlistDeployKeys = false
+					protectBranch.ForcePushAllowlistActionsUser = false
 				} else {
 					protectBranch.EnableForcePushAllowlist = true
 					if form.ForcePushAllowlistDeployKeys != nil {
 						protectBranch.ForcePushAllowlistDeployKeys = *form.ForcePushAllowlistDeployKeys
 					}
+					if form.ForcePushAllowlistActionsUser != nil {
+						protectBranch.ForcePushAllowlistActionsUser = *form.ForcePushAllowlistActionsUser
+					}
 				}
 			}
 		}
@@ -904,6 +917,12 @@ func EditBranchProtection(ctx *context.APIContext) {

 	if form.EnableMergeWhitelist != nil {
 		protectBranch.EnableMergeWhitelist = *form.EnableMergeWhitelist
+		if !*form.EnableMergeWhitelist {
+			protectBranch.MergeWhitelistActionsUser = false
+		}
+	}
+	if form.MergeWhitelistActionsUser != nil && protectBranch.EnableMergeWhitelist {
+		protectBranch.MergeWhitelistActionsUser = *form.MergeWhitelistActionsUser
 	}

 	if form.EnableStatusCheck != nil {
@@ -0,0 +1,331 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package repo
+
+import (
+	"net/http"
+	"time"
+
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/structs"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/timeutil"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/web"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/services/context"
+)
+
+func toLicensePackageAPI(pkg *licenses.LicensePackage) *structs.LicensePackage {
+	return &structs.LicensePackage{
+		ID:              pkg.ID,
+		OwnerID:         pkg.OwnerID,
+		Name:            pkg.Name,
+		Description:     pkg.Description,
+		DurationDays:    pkg.DurationDays,
+		MaxSites:        pkg.MaxSites,
+		RepoScope:       pkg.RepoScope,
+		AllowedChannels: pkg.AllowedChannels,
+		IsActive:        pkg.IsActive,
+		Created:         time.Unix(int64(pkg.CreatedUnix), 0),
+		Updated:         time.Unix(int64(pkg.UpdatedUnix), 0),
+	}
+}
+
+func toLicenseKeyAPI(key *licenses.LicenseKey) *structs.LicenseKey {
+	lk := &structs.LicenseKey{
+		ID:                key.ID,
+		PackageID:         key.PackageID,
+		OwnerID:           key.OwnerID,
+		KeyPrefix:         key.KeyPrefix,
+		LicenseeName:      key.LicenseeName,
+		LicenseeEmail:     key.LicenseeEmail,
+		DomainRestriction: key.DomainRestriction,
+		MaxSites:          key.MaxSites,
+		IsInternal:        key.IsInternal,
+		IsActive:          key.IsActive,
+		Created:           time.Unix(int64(key.CreatedUnix), 0),
+	}
+	if key.StartsUnix > 0 {
+		t := time.Unix(int64(key.StartsUnix), 0)
+		lk.StartsAt = &t
+	}
+	if key.ExpiresUnix > 0 {
+		t := time.Unix(int64(key.ExpiresUnix), 0)
+		lk.ExpiresAt = &t
+	}
+	if key.LastHeartbeatUnix > 0 {
+		t := time.Unix(int64(key.LastHeartbeatUnix), 0)
+		lk.LastHeartbeat = &t
+	}
+	return lk
+}
+
+// ListLicensePackages lists license packages for the repo owner.
+func ListLicensePackages(ctx *context.APIContext) {
+	pkgs, err := licenses.ListLicensePackages(ctx, ctx.Repo.Repository.OwnerID)
+	if err != nil {
+		ctx.APIErrorInternal(err)
+		return
+	}
+
+	result := make([]*structs.LicensePackage, len(pkgs))
+	for i, pkg := range pkgs {
+		result[i] = toLicensePackageAPI(pkg)
+	}
+	ctx.JSON(http.StatusOK, result)
+}
+
+// CreateLicensePackage creates a new license package.
+func CreateLicensePackage(ctx *context.APIContext) {
+	form := web.GetForm(ctx).(*structs.CreateLicensePackageOption)
+
+	pkg := &licenses.LicensePackage{
+		OwnerID:         ctx.Repo.Repository.OwnerID,
+		Name:            form.Name,
+		Description:     form.Description,
+		DurationDays:    form.DurationDays,
+		MaxSites:        form.MaxSites,
+		RepoScope:       form.RepoScope,
+		AllowedChannels: form.AllowedChannels,
+		IsActive:        true,
+	}
+	if pkg.RepoScope == "" {
+		pkg.RepoScope = "all"
+	}
+
+	if err := licenses.CreateLicensePackage(ctx, pkg); err != nil {
+		ctx.APIErrorInternal(err)
+		return
+	}
+
+	ctx.JSON(http.StatusCreated, toLicensePackageAPI(pkg))
+}
+
+// ListLicenseKeys lists license keys for the repo owner.
+func ListLicenseKeys(ctx *context.APIContext) {
+	keys, err := licenses.ListLicenseKeys(ctx, ctx.Repo.Repository.OwnerID)
+	if err != nil {
+		ctx.APIErrorInternal(err)
+		return
+	}
+
+	result := make([]*structs.LicenseKey, len(keys))
+	for i, key := range keys {
+		result[i] = toLicenseKeyAPI(key)
+	}
+	ctx.JSON(http.StatusOK, result)
+}
+
+// CreateLicenseKey creates a new license key.
+func CreateLicenseKey(ctx *context.APIContext) {
+	form := web.GetForm(ctx).(*structs.CreateLicenseKeyOption)
+
+	key := &licenses.LicenseKey{
+		PackageID:         form.PackageID,
+		OwnerID:           ctx.Repo.Repository.OwnerID,
+		LicenseeName:      form.LicenseeName,
+		LicenseeEmail:     form.LicenseeEmail,
+		DomainRestriction: form.DomainRestriction,
+		MaxSites:          form.MaxSites,
+		IsActive:          true,
+	}
+
+	if form.StartsAt != nil {
+		key.StartsUnix = timeutil.TimeStamp(form.StartsAt.Unix())
+	}
+
+	if form.ExpiresAt != nil {
+		key.ExpiresUnix = timeutil.TimeStamp(form.ExpiresAt.Unix())
+	} else {
+		// Auto-calculate from package duration.
+		pkg, err := licenses.GetLicensePackageByID(ctx, form.PackageID)
+		if err != nil {
+			ctx.APIErrorInternal(err)
+			return
+		}
+		if pkg.DurationDays > 0 {
+			start := time.Now()
+			if form.StartsAt != nil {
+				start = *form.StartsAt
+			}
+			expires := start.AddDate(0, 0, pkg.DurationDays)
+			key.ExpiresUnix = timeutil.TimeStamp(expires.Unix())
+		}
+	}
+
+	rawKey, err := licenses.CreateLicenseKey(ctx, key)
+	if err != nil {
+		ctx.APIErrorInternal(err)
+		return
+	}
+
+	resp := &structs.LicenseKeyCreated{
+		LicenseKey: *toLicenseKeyAPI(key),
+		RawKey:     rawKey,
+	}
+	ctx.JSON(http.StatusCreated, resp)
+}
+
+// EditLicenseKey edits a license key via API.
+func EditLicenseKey(ctx *context.APIContext) {
+	form := web.GetForm(ctx).(*structs.EditLicenseKeyOption)
+	keyID := ctx.PathParamInt64("id")
+
+	key, err := licenses.GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		ctx.APIErrorNotFound(err)
+		return
+	}
+
+	if key.IsInternal {
+		ctx.APIError(http.StatusForbidden, "master keys cannot be edited")
+		return
+	}
+
+	if form.LicenseeName != nil {
+		key.LicenseeName = *form.LicenseeName
+	}
+	if form.LicenseeEmail != nil {
+		key.LicenseeEmail = *form.LicenseeEmail
+	}
+	if form.DomainRestriction != nil {
+		key.DomainRestriction = *form.DomainRestriction
+	}
+	if form.MaxSites != nil {
+		key.MaxSites = *form.MaxSites
+	}
+	if form.IsActive != nil {
+		key.IsActive = *form.IsActive
+	}
+	if form.ExpiresAt != nil {
+		key.ExpiresUnix = timeutil.TimeStamp(form.ExpiresAt.Unix())
+	}
+
+	if err := licenses.UpdateLicenseKey(ctx, key); err != nil {
+		ctx.APIErrorInternal(err)
+		return
+	}
+
+	ctx.JSON(http.StatusOK, toLicenseKeyAPI(key))
+}
+
+// PurchaseLicenseKey handles purchase webhook — creates a key from a payment event.
+func PurchaseLicenseKey(ctx *context.APIContext) {
+	form := web.GetForm(ctx).(*structs.PurchaseLicenseKeyOption)
+
+	// Idempotency check: if payment_ref already exists, return existing key.
+	if form.PaymentRef != "" {
+		existing, err := licenses.GetLicenseKeyByPaymentRef(ctx, form.PaymentRef)
+		if err == nil {
+			resp := &structs.LicenseKeyCreated{
+				LicenseKey: *toLicenseKeyAPI(existing),
+				RawKey:     "", // raw key not available after creation
+			}
+			ctx.JSON(http.StatusOK, resp)
+			return
+		}
+	}
+
+	pkg, err := licenses.GetLicensePackageByID(ctx, form.PackageID)
+	if err != nil {
+		ctx.APIErrorNotFound(err)
+		return
+	}
+
+	key := &licenses.LicenseKey{
+		PackageID:         form.PackageID,
+		OwnerID:           ctx.Repo.Repository.OwnerID,
+		LicenseeName:      form.LicenseeName,
+		LicenseeEmail:     form.LicenseeEmail,
+		DomainRestriction: form.Domain,
+		PaymentRef:        form.PaymentRef,
+		IsActive:          true,
+	}
+
+	if pkg.DurationDays > 0 {
+		expires := time.Now().AddDate(0, 0, pkg.DurationDays)
+		key.ExpiresUnix = timeutil.TimeStamp(expires.Unix())
+	}
+
+	rawKey, err := licenses.CreateLicenseKey(ctx, key)
+	if err != nil {
+		ctx.APIErrorInternal(err)
+		return
+	}
+
+	resp := &structs.LicenseKeyCreated{
+		LicenseKey: *toLicenseKeyAPI(key),
+		RawKey:     rawKey,
+	}
+	ctx.JSON(http.StatusCreated, resp)
+}
+
+// DeleteLicenseKey deletes a license key.
+func DeleteLicenseKey(ctx *context.APIContext) {
+	if err := licenses.DeleteLicenseKey(ctx, ctx.PathParamInt64("id")); err != nil {
+		ctx.APIErrorInternal(err)
+		return
+	}
+	ctx.Status(http.StatusNoContent)
+}
+
+// ValidateLicenseKey validates a license key — public endpoint (no auth required).
+func ValidateLicenseKey(ctx *context.APIContext) {
+	form := web.GetForm(ctx).(*structs.ValidateLicenseKeyOption)
+
+	key, pkg, err := licenses.ValidateLicenseKey(ctx, form.Key, form.Domain)
+	if err != nil {
+		ctx.JSON(http.StatusOK, &structs.ValidateLicenseKeyResponse{
+			Valid:   false,
+			Message: err.Error(),
+		})
+		return
+	}
+
+	_ = licenses.TouchHeartbeat(ctx, key.ID)
+
+	var expiresAt *time.Time
+	if key.ExpiresUnix > 0 {
+		t := time.Unix(int64(key.ExpiresUnix), 0)
+		expiresAt = &t
+	}
+
+	maxSites := key.MaxSites
+	if maxSites == 0 {
+		maxSites = pkg.MaxSites
+	}
+
+	sitesUsed, _ := licenses.CountUniqueDomainsByKey(ctx, key.ID)
+
+	ctx.JSON(http.StatusOK, &structs.ValidateLicenseKeyResponse{
+		Valid:       true,
+		PackageName: pkg.Name,
+		Channels:    pkg.AllowedChannels,
+		ExpiresAt:   expiresAt,
+		SitesUsed:   sitesUsed,
+		MaxSites:    maxSites,
+	})
+}
+
+// GetLicenseKeyUsage returns usage logs for a license key.
+func GetLicenseKeyUsage(ctx *context.APIContext) {
+	usages, err := licenses.GetRecentUsage(ctx, ctx.PathParamInt64("id"), 100)
+	if err != nil {
+		ctx.APIErrorInternal(err)
+		return
+	}
+
+	result := make([]*structs.LicenseKeyUsage, len(usages))
+	for i, u := range usages {
+		result[i] = &structs.LicenseKeyUsage{
+			ID:          u.ID,
+			KeyID:       u.KeyID,
+			RepoID:      u.RepoID,
+			Domain:      u.Domain,
+			IPAddress:   u.IPAddress,
+			UserAgent:   u.UserAgent,
+			VersionFrom: u.VersionFrom,
+			Created:     time.Unix(int64(u.CreatedUnix), 0),
+		}
+	}
+	ctx.JSON(http.StatusOK, result)
+}
@@ -440,6 +440,9 @@ func handleSignInFull(ctx *context.Context, u *user_model.User, remember bool) {
 		ctx.ServerError("UpdateUser", err)
 		return
 	}
+
+	// Send login notification (email + ntfy)
+	go mailer.SendLoginNotification(u, ctx.RemoteAddr(), ctx.Req.UserAgent())
 }

 // extractUserNameFromOAuth2 tries to extract a normalized username from the given OAuth2 user.
@@ -253,6 +253,11 @@ func LinkAccountPostRegister(ctx *context.Context) {
 		return
 	}

+	oauth2SignInSync(ctx, linkAccountData.AuthSourceID, u, linkAccountData.GothUser)
+	if ctx.Written() {
+		return
+	}
+
 	authSource, err := auth.GetSourceByID(ctx, linkAccountData.AuthSourceID)
 	if err != nil {
 		ctx.ServerError("GetSourceByID", err)
@@ -13,6 +13,7 @@ import (
 	"net/url"
 	"sort"
 	"strings"
+	"time"

 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/auth"
 	user_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/user"
@@ -301,21 +302,42 @@ func showLinkingLogin(ctx *context.Context, authSourceID int64, gothUser goth.Us
 	ctx.Redirect(setting.AppSubURL + "/user/link_account")
 }

-func oauth2UpdateAvatarIfNeed(ctx *context.Context, url string, u *user_model.User) {
-	if setting.OAuth2Client.UpdateAvatar && len(url) > 0 {
-		resp, err := http.Get(url)
-		if err == nil {
-			defer func() {
-				_ = resp.Body.Close()
-			}()
-		}
-		// ignore any error
-		if err == nil && resp.StatusCode == http.StatusOK {
-			data, err := io.ReadAll(io.LimitReader(resp.Body, setting.Avatar.MaxFileSize+1))
-			if err == nil && int64(len(data)) <= setting.Avatar.MaxFileSize {
-				_ = user_service.UploadAvatar(ctx, u, data)
-			}
-		}
+var oauth2AvatarHTTPClient = &http.Client{Timeout: 30 * time.Second}
+
+func oauth2UpdateAvatarIfNeed(ctx *context.Context, avatarURL string, u *user_model.User) {
+	if !setting.OAuth2Client.UpdateAvatar || len(avatarURL) == 0 {
+		return
+	}
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, avatarURL, nil)
+	if err != nil {
+		log.Warn("invalid avatar URL %q: %v", avatarURL, err)
+		return
+	}
+	// Some hosts (e.g. Wikimedia) reject Go's default User-Agent.
+	req.Header.Set("User-Agent", "Gitea "+setting.AppVer)
+
+	resp, err := oauth2AvatarHTTPClient.Do(req)
+	if err != nil {
+		log.Warn("fetch %q failed: %v", avatarURL, err)
+		return
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	if resp.StatusCode != http.StatusOK {
+		log.Warn("fetch %q returned status %d", avatarURL, resp.StatusCode)
+		return
+	}
+	data, err := io.ReadAll(io.LimitReader(resp.Body, setting.Avatar.MaxFileSize+1))
+	if err != nil {
+		log.Warn("read body from %q failed: %v", avatarURL, err)
+		return
+	}
+	if int64(len(data)) > setting.Avatar.MaxFileSize {
+		log.Warn("avatar from %q exceeds max size %d", avatarURL, setting.Avatar.MaxFileSize)
+		return
+	}
+	if err := user_service.UploadAvatar(ctx, u, data); err != nil {
+		log.Warn("UploadAvatar for user %q failed: %v", u.Name, err)
 	}
 }

@@ -48,9 +48,18 @@ func Home(ctx *context.Context) {
 		}
 		return
 		// Check non-logged users landing page.
-	} else if setting.LandingPageURL != setting.LandingPageHome {
-		ctx.Redirect(setting.AppSubURL + string(setting.LandingPageURL))
-		return
+	} else {
+		// Dynamic landing page from admin config takes priority.
+		landingPage := setting.Config().Instance.LandingPage.Value(ctx)
+		if landingPage.Mode != "" && landingPage.Mode != "home" {
+			ctx.Redirect(setting.AppSubURL + landingPage.URL())
+			return
+		}
+		// Fall back to static app.ini setting.
+		if setting.LandingPageURL != setting.LandingPageHome {
+			ctx.Redirect(setting.AppSubURL + string(setting.LandingPageURL))
+			return
+		}
 	}

 	// Check auto-login.
@@ -9,6 +9,7 @@ import (
 	"strings"

 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
+	licenses_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/organization"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/renderhelper"
 	repo_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/repo"
@@ -107,6 +108,13 @@ func home(ctx *context.Context, viewRepositories bool) {
 	ctx.Data["Teams"] = ctx.Org.Teams
 	ctx.Data["IsOrganizationMember"] = ctx.Org.IsMember
 	ctx.Data["IsOrganizationOwner"] = ctx.Org.IsOwner
+
+	orgCfg, _ := licenses_model.GetOrgConfig(ctx, ctx.Org.Organization.ID)
+	ctx.Data["OrgLicensingEnabled"] = orgCfg != nil && orgCfg.LicensingEnabled
+	if orgCfg != nil && orgCfg.LicensingEnabled {
+		numPkgs, _ := licenses_model.CountOrgPackages(ctx, ctx.Org.Organization.ID)
+		ctx.Data["NumOrgLicensePackages"] = numPkgs
+	}
 	ctx.Data["IsPublicMember"] = func(uid int64) bool {
 		return membersIsPublic[uid]
 	}
@@ -0,0 +1,454 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package org
+
+import (
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/perm"
+	unit_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/unit"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/json"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/templates"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/timeutil"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/services/context"
+)
+
+const tplOrgLicenses templates.TplName = "org/licenses"
+
+// parseOrgAllowedChannels splits an AllowedChannels string (CSV or JSON array) into a slice.
+func parseOrgAllowedChannels(s string) []string {
+	if s == "" {
+		return nil
+	}
+	if strings.HasPrefix(s, "[") {
+		var parsed []string
+		if err := json.Unmarshal([]byte(s), &parsed); err == nil {
+			return parsed
+		}
+	}
+	parts := strings.Split(s, ",")
+	result := make([]string, 0, len(parts))
+	for _, p := range parts {
+		if t := strings.TrimSpace(p); t != "" {
+			result = append(result, t)
+		}
+	}
+	return result
+}
+
+// LicensePackageDisplay is used in templates.
+type LicensePackageDisplay struct {
+	*licenses.LicensePackage
+	KeyCount int64
+	Created  time.Time
+}
+
+// Licenses shows the org-level license packages and keys.
+func Licenses(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("repo.licenses")
+	ctx.Data["IsLicensesPage"] = true
+
+	org := ctx.Org.Organization
+	ownerID := org.ID
+
+	canWriteLicenses := ctx.Org.Organization.UnitPermission(ctx, ctx.Doer, unit_model.TypeLicenses) >= perm.AccessModeWrite || ctx.IsUserSiteAdmin()
+
+	// Auto-create master key if has write access.
+	if canWriteLicenses {
+		newMasterKey, err := licenses.EnsureMasterKey(ctx, ownerID)
+		if err != nil {
+			ctx.ServerError("EnsureMasterKey", err)
+			return
+		}
+		if newMasterKey != "" {
+			ctx.Data["NewMasterKey"] = newMasterKey
+		}
+	}
+
+	pkgs, err := licenses.ListLicensePackages(ctx, ownerID)
+	if err != nil {
+		ctx.ServerError("ListLicensePackages", err)
+		return
+	}
+
+	var display []LicensePackageDisplay
+	for _, pkg := range pkgs {
+		count, _ := licenses.CountKeysByPackage(ctx, pkg.ID)
+		display = append(display, LicensePackageDisplay{
+			LicensePackage: pkg,
+			KeyCount:       count,
+			Created:        time.Unix(int64(pkg.CreatedUnix), 0),
+		})
+	}
+	ctx.Data["LicensePackages"] = display
+
+	keys, err := licenses.ListLicenseKeys(ctx, ownerID)
+	if err != nil {
+		ctx.ServerError("ListLicenseKeys", err)
+		return
+	}
+	ctx.Data["LicenseKeys"] = keys
+	ctx.Data["IsRepoAdmin"] = canWriteLicenses
+	ctx.Data["IsSiteAdmin"] = ctx.IsUserSiteAdmin()
+	ctx.Data["IsOrganizationOwner"] = ctx.Org.IsOwner
+	ctx.Data["OrgLicensingEnabled"] = true
+
+	orgCfg, _ := licenses.GetOrgConfig(ctx, ownerID)
+	if orgCfg != nil {
+		ctx.Data["AvailableStreams"] = orgCfg.GetActiveStreams()
+	} else {
+		ctx.Data["AvailableStreams"] = licenses.DefaultJoomlaStreams()
+	}
+
+	ctx.HTML(http.StatusOK, tplOrgLicenses)
+}
+
+// LicensesCreatePackage handles POST to create a new org-level license package.
+func LicensesCreatePackage(ctx *context.Context) {
+	name := ctx.FormString("name")
+	if name == "" {
+		ctx.Flash.Error("Package name is required")
+		ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+		return
+	}
+
+	durationDays, _ := strconv.Atoi(ctx.FormString("duration_days"))
+	maxSites, _ := strconv.Atoi(ctx.FormString("max_sites"))
+
+	channels := ctx.Req.Form["allowed_channels"]
+	var allowedChannels string
+	if len(channels) > 0 {
+		data, _ := json.Marshal(channels)
+		allowedChannels = string(data)
+	}
+
+	pkg := &licenses.LicensePackage{
+		OwnerID:         ctx.Org.Organization.ID,
+		Name:            name,
+		Description:     ctx.FormString("description"),
+		DurationDays:    durationDays,
+		MaxSites:        maxSites,
+		AllowedChannels: allowedChannels,
+		RepoScope:       "all",
+		IsActive:        true,
+	}
+
+	if err := licenses.CreateLicensePackage(ctx, pkg); err != nil {
+		ctx.ServerError("CreateLicensePackage", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.package_created"))
+	ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+}
+
+// LicensesGenerateKey handles POST to generate a key from an org package.
+func LicensesGenerateKey(ctx *context.Context) {
+	packageID, _ := strconv.ParseInt(ctx.FormString("package_id"), 10, 64)
+	if packageID == 0 {
+		ctx.Flash.Error("Invalid package")
+		ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+		return
+	}
+
+	pkg, err := licenses.GetLicensePackageByID(ctx, packageID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+
+	key := &licenses.LicenseKey{
+		PackageID: packageID,
+		OwnerID:   ctx.Org.Organization.ID,
+		IsActive:  true,
+	}
+
+	if pkg.DurationDays > 0 {
+		expires := time.Now().AddDate(0, 0, pkg.DurationDays)
+		key.ExpiresUnix = timeutil.TimeStamp(expires.Unix())
+	}
+
+	// Site admins and org owners can manually set a custom key.
+	var rawKey string
+	customKey := strings.TrimSpace(ctx.FormString("custom_key"))
+	if customKey != "" && (ctx.IsUserSiteAdmin() || ctx.Org.IsOwner) {
+		if err := licenses.CreateLicenseKeyCustom(ctx, key, customKey); err != nil {
+			ctx.ServerError("CreateLicenseKeyCustom", err)
+			return
+		}
+		rawKey = customKey
+	} else {
+		rawKey, err = licenses.CreateLicenseKey(ctx, key)
+		if err != nil {
+			ctx.ServerError("CreateLicenseKey", err)
+			return
+		}
+	}
+
+	// Re-render with the new key shown.
+	ctx.Data["Title"] = ctx.Tr("repo.licenses")
+	ctx.Data["IsLicensesPage"] = true
+	ctx.Data["IsRepoAdmin"] = ctx.Org.IsOwner
+	ctx.Data["NewKeyCreated"] = rawKey
+
+	ownerID := ctx.Org.Organization.ID
+	pkgs, _ := licenses.ListLicensePackages(ctx, ownerID)
+	var display []LicensePackageDisplay
+	for _, p := range pkgs {
+		count, _ := licenses.CountKeysByPackage(ctx, p.ID)
+		display = append(display, LicensePackageDisplay{
+			LicensePackage: p,
+			KeyCount:       count,
+			Created:        time.Unix(int64(p.CreatedUnix), 0),
+		})
+	}
+	ctx.Data["LicensePackages"] = display
+	keys, _ := licenses.ListLicenseKeys(ctx, ownerID)
+	ctx.Data["LicenseKeys"] = keys
+
+	orgCfg, _ := licenses.GetOrgConfig(ctx, ownerID)
+	if orgCfg != nil {
+		ctx.Data["AvailableStreams"] = orgCfg.GetActiveStreams()
+	} else {
+		ctx.Data["AvailableStreams"] = licenses.DefaultJoomlaStreams()
+	}
+
+	ctx.HTML(http.StatusOK, tplOrgLicenses)
+}
+
+const tplOrgLicensesEditPackage templates.TplName = "org/licenses_edit_package"
+const tplOrgLicensesEditKey templates.TplName = "repo/licenses_edit_key"
+
+// LicensesEditPackage shows the edit form for an org license package.
+func LicensesEditPackage(ctx *context.Context) {
+	pkgID := ctx.PathParamInt64("id")
+	pkg, err := licenses.GetLicensePackageByID(ctx, pkgID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+
+	if pkg.Name == licenses.MasterPackageName {
+		ctx.Flash.Error("Master package cannot be edited")
+		ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+		return
+	}
+
+	ctx.Data["Title"] = ctx.Tr("repo.licenses.edit_package")
+	ctx.Data["IsLicensesPage"] = true
+	ctx.Data["Package"] = pkg
+	ctx.Data["SelectedChannels"] = parseOrgAllowedChannels(pkg.AllowedChannels)
+
+	orgCfg, _ := licenses.GetOrgConfig(ctx, ctx.Org.Organization.ID)
+	if orgCfg != nil {
+		ctx.Data["AvailableStreams"] = orgCfg.GetActiveStreams()
+	} else {
+		ctx.Data["AvailableStreams"] = licenses.DefaultJoomlaStreams()
+	}
+
+	ctx.HTML(http.StatusOK, tplOrgLicensesEditPackage)
+}
+
+// LicensesEditPackagePost saves edits to an org license package.
+func LicensesEditPackagePost(ctx *context.Context) {
+	pkgID := ctx.PathParamInt64("id")
+	pkg, err := licenses.GetLicensePackageByID(ctx, pkgID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+
+	if pkg.Name == licenses.MasterPackageName {
+		ctx.Flash.Error("Master package cannot be edited")
+		ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+		return
+	}
+
+	pkg.Name = ctx.FormString("name")
+	pkg.Description = ctx.FormString("description")
+	durationDays, _ := strconv.Atoi(ctx.FormString("duration_days"))
+	pkg.DurationDays = durationDays
+	maxSites, _ := strconv.Atoi(ctx.FormString("max_sites"))
+	pkg.MaxSites = maxSites
+
+	channels := ctx.Req.Form["allowed_channels"]
+	if len(channels) > 0 {
+		data, _ := json.Marshal(channels)
+		pkg.AllowedChannels = string(data)
+	} else {
+		pkg.AllowedChannels = ""
+	}
+
+	pkg.IsActive = ctx.FormString("is_active") == "on"
+
+	if err := licenses.UpdateLicensePackage(ctx, pkg); err != nil {
+		ctx.ServerError("UpdateLicensePackage", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.package_updated"))
+	ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+}
+
+// LicensesDeletePackage deletes an org license package. Site admin only.
+func LicensesDeletePackage(ctx *context.Context) {
+	if !ctx.IsUserSiteAdmin() {
+		ctx.NotFound(nil)
+		return
+	}
+	pkgID := ctx.PathParamInt64("id")
+	pkg, err := licenses.GetLicensePackageByID(ctx, pkgID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+	if pkg.Name == licenses.MasterPackageName {
+		ctx.Flash.Error("Master package cannot be deleted")
+		ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+		return
+	}
+	if err := licenses.DeleteLicensePackage(ctx, pkgID); err != nil {
+		ctx.ServerError("DeleteLicensePackage", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.package_deleted"))
+	ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+}
+
+// LicensesEditKey shows the edit form for an org license key.
+func LicensesEditKey(ctx *context.Context) {
+	keyID := ctx.PathParamInt64("id")
+	key, err := licenses.GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		ctx.ServerError("GetLicenseKeyByID", err)
+		return
+	}
+
+	if key.IsInternal {
+		ctx.Flash.Error("Master keys cannot be edited")
+		ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+		return
+	}
+
+	ctx.Data["Title"] = ctx.Tr("repo.licenses.edit_key")
+	ctx.Data["IsLicensesPage"] = true
+	ctx.Data["Key"] = key
+	ctx.Data["FormAction"] = ctx.Org.OrgLink + "/-/licenses/keys/" + strconv.FormatInt(key.ID, 10) + "/edit"
+	ctx.Data["BackLink"] = ctx.Org.OrgLink + "/-/licenses"
+
+	if key.ExpiresUnix > 0 {
+		ctx.Data["ExpiresDate"] = time.Unix(int64(key.ExpiresUnix), 0).Format("2006-01-02")
+	}
+
+	ctx.HTML(http.StatusOK, tplOrgLicensesEditKey)
+}
+
+// LicensesEditKeyPost saves edits to an org license key.
+func LicensesEditKeyPost(ctx *context.Context) {
+	keyID := ctx.PathParamInt64("id")
+	key, err := licenses.GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		ctx.ServerError("GetLicenseKeyByID", err)
+		return
+	}
+
+	if key.IsInternal {
+		ctx.Flash.Error("Master keys cannot be edited")
+		ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+		return
+	}
+
+	key.LicenseeName = ctx.FormString("licensee_name")
+	key.LicenseeEmail = ctx.FormString("licensee_email")
+	key.DomainRestriction = ctx.FormString("domain_restriction")
+	maxSites, _ := strconv.Atoi(ctx.FormString("max_sites"))
+	key.MaxSites = maxSites
+	key.IsActive = ctx.FormString("is_active") == "on"
+
+	expiresStr := ctx.FormString("expires_at")
+	if expiresStr != "" {
+		t, err := time.Parse("2006-01-02", expiresStr)
+		if err == nil {
+			key.ExpiresUnix = timeutil.TimeStamp(t.Unix())
+		}
+	} else {
+		key.ExpiresUnix = 0
+	}
+
+	if err := licenses.UpdateLicenseKey(ctx, key); err != nil {
+		ctx.ServerError("UpdateLicenseKey", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.key_updated"))
+	ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+}
+
+// LicensesRevokeKey handles POST to revoke an org license key.
+func LicensesRevokeKey(ctx *context.Context) {
+	keyID := ctx.PathParamInt64("id")
+	key, err := licenses.GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		ctx.ServerError("GetLicenseKeyByID", err)
+		return
+	}
+
+	key.IsActive = false
+	if err := licenses.UpdateLicenseKey(ctx, key); err != nil {
+		ctx.ServerError("UpdateLicenseKey", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.key_revoked"))
+	ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+}
+
+// LicensesRenewKey extends a license key's expiration by the package's duration.
+func LicensesRenewKey(ctx *context.Context) {
+	keyID := ctx.PathParamInt64("id")
+	key, err := licenses.GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		ctx.ServerError("GetLicenseKeyByID", err)
+		return
+	}
+
+	pkg, err := licenses.GetLicensePackageByID(ctx, key.PackageID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+
+	days := pkg.DurationDays
+	if days == 0 {
+		days = 365 // default to 1 year for lifetime packages
+	}
+
+	if err := licenses.RenewLicenseKey(ctx, keyID, days); err != nil {
+		ctx.ServerError("RenewLicenseKey", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.key_renewed", days))
+	ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+}
+
+// LicensesDeleteKey permanently deletes a license key. Site admin only.
+func LicensesDeleteKey(ctx *context.Context) {
+	if !ctx.IsUserSiteAdmin() {
+		ctx.NotFound(nil)
+		return
+	}
+	keyID := ctx.PathParamInt64("id")
+	if err := licenses.DeleteLicenseKey(ctx, keyID); err != nil {
+		ctx.ServerError("DeleteLicenseKey", err)
+		return
+	}
+	ctx.Flash.Success(ctx.Tr("repo.licenses.key_deleted"))
+	ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+}
@@ -0,0 +1,37 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package org
+
+import (
+	auth_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/auth"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/setting"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/services/context"
+)
+
+// Check2FARequirement checks if the current org requires 2FA and if the user has it enabled.
+// If the user doesn't have 2FA and the org requires it, redirect to 2FA setup page.
+func Check2FARequirement(ctx *context.Context) {
+	if ctx.Org == nil || ctx.Org.Organization == nil || ctx.Doer == nil {
+		return
+	}
+
+	if !ctx.Org.Organization.Require2FA {
+		return
+	}
+
+	// Check if user has 2FA enabled
+	has, err := auth_model.HasTwoFactorOrWebAuthn(ctx, ctx.Doer.ID)
+	if err != nil {
+		ctx.ServerError("HasTwoFactorOrWebAuthn", err)
+		return
+	}
+
+	if has {
+		return
+	}
+
+	// User doesn't have 2FA — show warning and redirect to settings
+	ctx.Flash.Warning("This organization requires two-factor authentication. Please enable 2FA to continue.")
+	ctx.Redirect(setting.AppSubURL + "/user/settings/security")
+}
@@ -80,12 +80,14 @@ func SettingsPost(ctx *context.Context) {
 		return
 	}

+	require2FA := ctx.FormBool("require_2fa")
 	opts := &user_service.UpdateOptions{
 		FullName:                  optional.FromPtr(form.FullName),
 		Description:               optional.FromPtr(form.Description),
 		Website:                   optional.FromPtr(form.Website),
 		Location:                  optional.FromPtr(form.Location),
 		RepoAdminChangeTeamAccess: optional.FromPtr(form.RepoAdminChangeTeamAccess),
+		Require2FA:                optional.Some(require2FA),
 	}
 	if ctx.Doer.IsAdmin {
 		opts.MaxRepoCreation = optional.FromPtr(form.MaxRepoCreation)
@@ -324,19 +324,9 @@ func NewTeam(ctx *context.Context) {
 	ctx.HTML(http.StatusOK, tplTeamNew)
 }

-// FIXME: TEAM-UNIT-PERMISSION: this design is not right, when a new unit is added in the future,
-// The existing teams won't inherit the correct admin permission for the new unit.
-// The full history is like this:
-// 1. There was only "team", no "team unit", so "team.authorize" was used to determine the team permission.
-// 2. Later, "team unit" was introduced, then the usage of "team.authorize" became inconsistent, and causes various bugs.
-//   - Sometimes, "team.authorize" is used to determine the team permission, e.g. admin, owner
-//   - Sometimes, "team unit" is used not really used and "team unit" is used.
-//   - Some functions like `GetTeamsWithAccessToAnyRepoUnit` use both.
-//
-// 3. After introducing "team unit" and more unclear changes, it becomes difficult to maintain team permissions.
-//   - Org owner need to click the permission for each unit, but can't just set a common "write" permission for all units.
-//
-// Ideally, "team.authorize=write" should mean the team has write access to all units including newly (future) added ones.
+// getUnitPerms parses the unit permission form values for a team.
+// Note: admin teams (team.authorize >= Admin) implicitly have admin access to
+// all units via UnitMaxAccess(), so explicit TeamUnit records are supplementary.
 func getUnitPerms(forms url.Values, teamPermission perm.AccessMode) map[unit_model.Type]perm.AccessMode {
 	unitPerms := make(map[unit_model.Type]perm.AccessMode)
 	for _, ut := range unit_model.AllRepoUnitTypes {
@@ -0,0 +1,59 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package org
+
+import (
+	"net/http"
+
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/templates"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/services/context"
+)
+
+const tplSettingsUpdateStreams templates.TplName = "org/settings/update_streams"
+
+// SettingsUpdateStreams shows the org-level update stream settings.
+func SettingsUpdateStreams(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("org.settings.update_streams")
+	ctx.Data["PageIsOrgSettings"] = true
+	ctx.Data["PageIsSettingsUpdateStreams"] = true
+
+	orgID := ctx.Org.Organization.ID
+
+	cfg, err := licenses.GetOrgConfig(ctx, orgID)
+	if err != nil {
+		ctx.ServerError("GetOrgConfig", err)
+		return
+	}
+	ctx.Data["StreamConfig"] = cfg
+	ctx.Data["EffectiveStreams"] = cfg.GetActiveStreams()
+
+	ctx.HTML(http.StatusOK, tplSettingsUpdateStreams)
+}
+
+// SettingsUpdateStreamsPost saves the org-level update stream settings.
+func SettingsUpdateStreamsPost(ctx *context.Context) {
+	orgID := ctx.Org.Organization.ID
+
+	cfg := &licenses.UpdateStreamConfig{
+		OwnerID:          orgID,
+		RepoID:           0,
+		StreamMode:       ctx.FormString("stream_mode"),
+		CustomStreams:     ctx.FormString("custom_streams"),
+		LicensingEnabled: ctx.FormString("licensing_enabled") == "on",
+		RequireKey:       ctx.FormString("require_key") == "on",
+	}
+
+	if cfg.StreamMode == "" {
+		cfg.StreamMode = "joomla"
+	}
+
+	if err := licenses.SaveConfig(ctx, cfg); err != nil {
+		ctx.ServerError("SaveConfig", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("org.settings.update_streams_saved"))
+	ctx.Redirect(ctx.Org.OrgLink + "/settings/update-streams")
+}
@@ -138,8 +138,7 @@ func resolveCurrentRunForView(ctx *context_module.Context) *actions_model.Action
 	var runByID, runByIndex *actions_model.ActionRun
 	var targetJobByIndex *actions_model.ActionRunJob

-	// Each run must have at least one job, so a valid job ID in the same run cannot be smaller than the run ID.
-	if !byIndex && jobNum >= runNum {
+	if !byIndex {
 		// Probe the repo-scoped job ID first and only accept it when the job exists and belongs to the same runNum.
 		job, err := actions_model.GetRunJobByRepoAndID(ctx, ctx.Repo.Repository.ID, jobNum)
 		if err != nil && !errors.Is(err, util.ErrNotExist) {
@@ -128,7 +128,15 @@ func httpBase(ctx *context.Context, optGitService ...string) *serviceHandler {
 	}

 	// Only public pull don't need auth.
-	isPublicPull := repoExist && !repo.IsPrivate && isPull
+	// For private repos, also allow anonymous pull if the specific unit
+	// (code or wiki) has AnonymousAccessMode >= Read.
+	isPublicPull := repoExist && isPull && !repo.IsPrivate
+	if repoExist && isPull && repo.IsPrivate {
+		repoUnit := repo.MustGetUnit(ctx, unitType)
+		if repoUnit.AnonymousAccessMode >= perm.AccessModeRead {
+			isPublicPull = true
+		}
+	}
 	askAuth := !isPublicPull || setting.Service.RequireSignInViewStrict

 	// don't allow anonymous pulls if organization is not public
@@ -147,11 +155,11 @@ func httpBase(ctx *context.Context, optGitService ...string) *serviceHandler {
 		if !ctx.IsSigned {
 			// TODO: support digit auth - which would be Authorization header with digit
 			if setting.OAuth2.Enabled {
-				// `Basic realm="Gitea"` tells the GCM to use builtin OAuth2 application: https://github.com/git-ecosystem/git-credential-manager/pull/1442
-				ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm="Gitea"`)
+				// `Basic realm="<AppName>"` tells the GCM to use builtin OAuth2 application: https://github.com/git-ecosystem/git-credential-manager/pull/1442
+				ctx.Resp.Header().Set("WWW-Authenticate", fmt.Sprintf(`Basic realm="%s"`, setting.AppName))
 			} else {
 				// If OAuth2 is disabled, then use another realm to avoid GCM OAuth2 attempt
-				ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm="Gitea (Basic Auth)"`)
+				ctx.Resp.Header().Set("WWW-Authenticate", fmt.Sprintf(`Basic realm="%s (Basic Auth)"`, setting.AppName))
 			}
 			ctx.HTTPError(http.StatusUnauthorized)
 			return nil
@@ -162,7 +170,7 @@ func httpBase(ctx *context.Context, optGitService ...string) *serviceHandler {
 			return nil
 		}

-		if ctx.IsBasicAuth && ctx.Data["IsApiToken"] != true && !ctx.Doer.IsGiteaActions() {
+		if ctx.IsBasicAuth && ctx.Data["IsApiToken"] != true && !ctx.Doer.IsActions() {
 			_, err = auth_model.GetTwoFactorByUID(ctx, ctx.Doer.ID)
 			if err == nil {
 				// TODO: This response should be changed to "invalid credentials" for security reasons once the expectation behind it (creating an app token to authenticate) is properly documented
@@ -0,0 +1,457 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package repo
+
+import (
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
+	unit_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/unit"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/json"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/templates"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/timeutil"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/services/context"
+)
+
+const tplLicenses templates.TplName = "repo/licenses"
+
+// parseAllowedChannels splits an AllowedChannels string (CSV or JSON array) into a slice.
+func parseAllowedChannels(s string) []string {
+	if s == "" {
+		return nil
+	}
+	if strings.HasPrefix(s, "[") {
+		var parsed []string
+		if err := json.Unmarshal([]byte(s), &parsed); err == nil {
+			return parsed
+		}
+	}
+	parts := strings.Split(s, ",")
+	result := make([]string, 0, len(parts))
+	for _, p := range parts {
+		if t := strings.TrimSpace(p); t != "" {
+			result = append(result, t)
+		}
+	}
+	return result
+}
+
+// LicensePackageDisplay is used in templates.
+type LicensePackageDisplay struct {
+	*licenses.LicensePackage
+	KeyCount int64
+	Created  time.Time
+}
+
+// Licenses shows the license packages and keys for a repo.
+func Licenses(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("repo.licenses")
+	ctx.Data["PageIsLicenses"] = true
+	ctx.Data["IsLicensesPage"] = true
+	canWriteLicenses := ctx.Repo.Permission.CanWrite(unit_model.TypeLicenses) || ctx.IsUserSiteAdmin()
+	ctx.Data["IsRepoAdmin"] = canWriteLicenses
+	ctx.Data["IsSiteAdmin"] = ctx.IsUserSiteAdmin()
+
+	ownerID := ctx.Repo.Repository.OwnerID
+
+	// Auto-create master package + key if admin and none exist.
+	if canWriteLicenses {
+		newMasterKey, err := licenses.EnsureMasterKey(ctx, ownerID)
+		if err != nil {
+			ctx.ServerError("EnsureMasterKey", err)
+			return
+		}
+		if newMasterKey != "" {
+			ctx.Data["NewMasterKey"] = newMasterKey
+		}
+	}
+
+	pkgs, err := licenses.ListLicensePackages(ctx, ownerID)
+	if err != nil {
+		ctx.ServerError("ListLicensePackages", err)
+		return
+	}
+
+	var display []LicensePackageDisplay
+	for _, pkg := range pkgs {
+		count, _ := licenses.CountKeysByPackage(ctx, pkg.ID)
+		display = append(display, LicensePackageDisplay{
+			LicensePackage: pkg,
+			KeyCount:       count,
+			Created:        time.Unix(int64(pkg.CreatedUnix), 0),
+		})
+	}
+	ctx.Data["LicensePackages"] = display
+
+	keys, err := licenses.ListLicenseKeys(ctx, ownerID)
+	if err != nil {
+		ctx.ServerError("ListLicenseKeys", err)
+		return
+	}
+	ctx.Data["LicenseKeys"] = keys
+
+	// Load available streams for the channels multiselect.
+	orgCfg, _ := licenses.GetOrgConfig(ctx, ownerID)
+	if orgCfg != nil {
+		ctx.Data["AvailableStreams"] = orgCfg.GetActiveStreams()
+	} else {
+		ctx.Data["AvailableStreams"] = licenses.DefaultJoomlaStreams()
+	}
+
+	ctx.HTML(http.StatusOK, tplLicenses)
+}
+
+// LicensesCreatePackage handles POST to create a new license package.
+func LicensesCreatePackage(ctx *context.Context) {
+	name := ctx.FormString("name")
+	if name == "" {
+		ctx.Flash.Error("Package name is required")
+		ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+		return
+	}
+
+	durationDays, _ := strconv.Atoi(ctx.FormString("duration_days"))
+	maxSites, _ := strconv.Atoi(ctx.FormString("max_sites"))
+
+	channels := ctx.Req.Form["allowed_channels"]
+	var allowedChannels string
+	if len(channels) > 0 {
+		data, _ := json.Marshal(channels)
+		allowedChannels = string(data)
+	}
+
+	pkg := &licenses.LicensePackage{
+		OwnerID:         ctx.Repo.Repository.OwnerID,
+		Name:            name,
+		Description:     ctx.FormString("description"),
+		DurationDays:    durationDays,
+		MaxSites:        maxSites,
+		AllowedChannels: allowedChannels,
+		RepoScope:       "all",
+		IsActive:        true,
+	}
+
+	if err := licenses.CreateLicensePackage(ctx, pkg); err != nil {
+		ctx.ServerError("CreateLicensePackage", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.package_created"))
+	ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+}
+
+// LicensesGenerateKey handles POST to generate a new key from a package.
+func LicensesGenerateKey(ctx *context.Context) {
+	packageID, _ := strconv.ParseInt(ctx.FormString("package_id"), 10, 64)
+	if packageID == 0 {
+		ctx.Flash.Error("Invalid package")
+		ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+		return
+	}
+
+	pkg, err := licenses.GetLicensePackageByID(ctx, packageID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+
+	key := &licenses.LicenseKey{
+		PackageID: packageID,
+		OwnerID:   ctx.Repo.Repository.OwnerID,
+		IsActive:  true,
+	}
+
+	// Auto-calculate expiry from package duration.
+	if pkg.DurationDays > 0 {
+		expires := time.Now().AddDate(0, 0, pkg.DurationDays)
+		key.ExpiresUnix = timeutil.TimeStamp(expires.Unix())
+	}
+
+	// Site admins and org owners can manually set a custom key.
+	var rawKey string
+	customKey := strings.TrimSpace(ctx.FormString("custom_key"))
+	if customKey != "" && (ctx.IsUserSiteAdmin() || ctx.Repo.Permission.IsOwner()) {
+		if err := licenses.CreateLicenseKeyCustom(ctx, key, customKey); err != nil {
+			ctx.ServerError("CreateLicenseKeyCustom", err)
+			return
+		}
+		rawKey = customKey
+	} else {
+		rawKey, err = licenses.CreateLicenseKey(ctx, key)
+		if err != nil {
+			ctx.ServerError("CreateLicenseKey", err)
+			return
+		}
+	}
+
+	ctx.Data["Title"] = ctx.Tr("repo.licenses")
+	ctx.Data["PageIsLicenses"] = true
+	ctx.Data["IsLicensesPage"] = true
+	ctx.Data["IsRepoAdmin"] = ctx.Repo.Permission.CanWrite(unit_model.TypeLicenses) || ctx.IsUserSiteAdmin()
+	ctx.Data["IsSiteAdmin"] = ctx.IsUserSiteAdmin()
+	ctx.Data["NewKeyCreated"] = rawKey
+
+	// Re-render the page with the new key displayed.
+	ownerID := ctx.Repo.Repository.OwnerID
+	pkgs, _ := licenses.ListLicensePackages(ctx, ownerID)
+	var display []LicensePackageDisplay
+	for _, p := range pkgs {
+		count, _ := licenses.CountKeysByPackage(ctx, p.ID)
+		display = append(display, LicensePackageDisplay{
+			LicensePackage: p,
+			KeyCount:       count,
+			Created:        time.Unix(int64(p.CreatedUnix), 0),
+		})
+	}
+	ctx.Data["LicensePackages"] = display
+	keys, _ := licenses.ListLicenseKeys(ctx, ownerID)
+	ctx.Data["LicenseKeys"] = keys
+
+	orgCfg, _ := licenses.GetOrgConfig(ctx, ownerID)
+	if orgCfg != nil {
+		ctx.Data["AvailableStreams"] = orgCfg.GetActiveStreams()
+	} else {
+		ctx.Data["AvailableStreams"] = licenses.DefaultJoomlaStreams()
+	}
+
+	ctx.HTML(http.StatusOK, tplLicenses)
+}
+
+// LicensesRevokeKey handles POST to revoke a license key.
+func LicensesRevokeKey(ctx *context.Context) {
+	keyID := ctx.PathParamInt64("id")
+	key, err := licenses.GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		ctx.ServerError("GetLicenseKeyByID", err)
+		return
+	}
+
+	key.IsActive = false
+	if err := licenses.UpdateLicenseKey(ctx, key); err != nil {
+		ctx.ServerError("UpdateLicenseKey", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.key_revoked"))
+	ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+}
+
+const tplLicensesEditPackage templates.TplName = "repo/licenses_edit_package"
+const tplLicensesEditKey templates.TplName = "repo/licenses_edit_key"
+
+// LicensesEditKey shows the edit form for a license key.
+func LicensesEditKey(ctx *context.Context) {
+	keyID := ctx.PathParamInt64("id")
+	key, err := licenses.GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		ctx.ServerError("GetLicenseKeyByID", err)
+		return
+	}
+
+	if key.IsInternal {
+		ctx.Flash.Error("Master keys cannot be edited")
+		ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+		return
+	}
+
+	ctx.Data["Title"] = ctx.Tr("repo.licenses.edit_key")
+	ctx.Data["PageIsLicenses"] = true
+	ctx.Data["IsLicensesPage"] = true
+	ctx.Data["Key"] = key
+	ctx.Data["FormAction"] = ctx.Repo.RepoLink + "/licenses/keys/" + strconv.FormatInt(key.ID, 10) + "/edit"
+	ctx.Data["BackLink"] = ctx.Repo.RepoLink + "/licenses"
+
+	if key.ExpiresUnix > 0 {
+		ctx.Data["ExpiresDate"] = time.Unix(int64(key.ExpiresUnix), 0).Format("2006-01-02")
+	}
+
+	ctx.HTML(http.StatusOK, tplLicensesEditKey)
+}
+
+// LicensesEditKeyPost saves edits to a license key.
+func LicensesEditKeyPost(ctx *context.Context) {
+	keyID := ctx.PathParamInt64("id")
+	key, err := licenses.GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		ctx.ServerError("GetLicenseKeyByID", err)
+		return
+	}
+
+	if key.IsInternal {
+		ctx.Flash.Error("Master keys cannot be edited")
+		ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+		return
+	}
+
+	key.LicenseeName = ctx.FormString("licensee_name")
+	key.LicenseeEmail = ctx.FormString("licensee_email")
+	key.DomainRestriction = ctx.FormString("domain_restriction")
+	maxSites, _ := strconv.Atoi(ctx.FormString("max_sites"))
+	key.MaxSites = maxSites
+	key.IsActive = ctx.FormString("is_active") == "on"
+
+	expiresStr := ctx.FormString("expires_at")
+	if expiresStr != "" {
+		t, err := time.Parse("2006-01-02", expiresStr)
+		if err == nil {
+			key.ExpiresUnix = timeutil.TimeStamp(t.Unix())
+		}
+	} else {
+		key.ExpiresUnix = 0
+	}
+
+	if err := licenses.UpdateLicenseKey(ctx, key); err != nil {
+		ctx.ServerError("UpdateLicenseKey", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.key_updated"))
+	ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+}
+
+// LicensesEditPackage shows the edit form for a license package.
+func LicensesEditPackage(ctx *context.Context) {
+	pkgID := ctx.PathParamInt64("id")
+	pkg, err := licenses.GetLicensePackageByID(ctx, pkgID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+
+	if pkg.Name == licenses.MasterPackageName {
+		ctx.Flash.Error("Master package cannot be edited")
+		ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+		return
+	}
+
+	ctx.Data["Title"] = ctx.Tr("repo.licenses.edit_package")
+	ctx.Data["PageIsLicenses"] = true
+	ctx.Data["IsLicensesPage"] = true
+	ctx.Data["Package"] = pkg
+	ctx.Data["SelectedChannels"] = parseAllowedChannels(pkg.AllowedChannels)
+
+	ownerID := ctx.Repo.Repository.OwnerID
+	orgCfg, _ := licenses.GetOrgConfig(ctx, ownerID)
+	if orgCfg != nil {
+		ctx.Data["AvailableStreams"] = orgCfg.GetActiveStreams()
+	} else {
+		ctx.Data["AvailableStreams"] = licenses.DefaultJoomlaStreams()
+	}
+
+	ctx.HTML(http.StatusOK, tplLicensesEditPackage)
+}
+
+// LicensesEditPackagePost saves edits to a license package.
+func LicensesEditPackagePost(ctx *context.Context) {
+	pkgID := ctx.PathParamInt64("id")
+	pkg, err := licenses.GetLicensePackageByID(ctx, pkgID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+
+	if pkg.Name == licenses.MasterPackageName {
+		ctx.Flash.Error("Master package cannot be edited")
+		ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+		return
+	}
+
+	pkg.Name = ctx.FormString("name")
+	pkg.Description = ctx.FormString("description")
+	durationDays, _ := strconv.Atoi(ctx.FormString("duration_days"))
+	pkg.DurationDays = durationDays
+	maxSites, _ := strconv.Atoi(ctx.FormString("max_sites"))
+	pkg.MaxSites = maxSites
+
+	channels := ctx.Req.Form["allowed_channels"]
+	if len(channels) > 0 {
+		data, _ := json.Marshal(channels)
+		pkg.AllowedChannels = string(data)
+	} else {
+		pkg.AllowedChannels = ""
+	}
+
+	pkg.IsActive = ctx.FormString("is_active") == "on"
+
+	if err := licenses.UpdateLicensePackage(ctx, pkg); err != nil {
+		ctx.ServerError("UpdateLicensePackage", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.package_updated"))
+	ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+}
+
+// LicensesDeletePackage deletes a license package. Site admin only.
+func LicensesDeletePackage(ctx *context.Context) {
+	if !ctx.IsUserSiteAdmin() {
+		ctx.NotFound(nil)
+		return
+	}
+	pkgID := ctx.PathParamInt64("id")
+	pkg, err := licenses.GetLicensePackageByID(ctx, pkgID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+	if pkg.Name == licenses.MasterPackageName {
+		ctx.Flash.Error("Master package cannot be deleted")
+		ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+		return
+	}
+	if err := licenses.DeleteLicensePackage(ctx, pkgID); err != nil {
+		ctx.ServerError("DeleteLicensePackage", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.package_deleted"))
+	ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+}
+
+// LicensesRenewKey extends a license key's expiration by the package's duration.
+func LicensesRenewKey(ctx *context.Context) {
+	keyID := ctx.PathParamInt64("id")
+	key, err := licenses.GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		ctx.ServerError("GetLicenseKeyByID", err)
+		return
+	}
+
+	pkg, err := licenses.GetLicensePackageByID(ctx, key.PackageID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+
+	days := pkg.DurationDays
+	if days == 0 {
+		days = 365 // default to 1 year for lifetime packages
+	}
+
+	if err := licenses.RenewLicenseKey(ctx, keyID, days); err != nil {
+		ctx.ServerError("RenewLicenseKey", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.key_renewed", days))
+	ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+}
+
+// LicensesDeleteKey permanently deletes a license key. Site admin only.
+func LicensesDeleteKey(ctx *context.Context) {
+	if !ctx.IsUserSiteAdmin() {
+		ctx.NotFound(nil)
+		return
+	}
+	keyID := ctx.PathParamInt64("id")
+	if err := licenses.DeleteLicenseKey(ctx, keyID); err != nil {
+		ctx.ServerError("DeleteLicenseKey", err)
+		return
+	}
+	ctx.Flash.Success(ctx.Tr("repo.licenses.key_deleted"))
+	ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+}
@@ -168,10 +168,12 @@ func SettingsProtectedBranchPost(ctx *context.Context) {
 		protectBranch.CanPush = true
 		protectBranch.EnableWhitelist = false
 		protectBranch.WhitelistDeployKeys = false
+		protectBranch.WhitelistActionsUser = false
 	case "whitelist":
 		protectBranch.CanPush = true
 		protectBranch.EnableWhitelist = true
 		protectBranch.WhitelistDeployKeys = f.WhitelistDeployKeys
+		protectBranch.WhitelistActionsUser = f.WhitelistActionsUser
 		if strings.TrimSpace(f.WhitelistUsers) != "" {
 			whitelistUsers, _ = base.StringsToInt64s(strings.Split(f.WhitelistUsers, ","))
 		}
@@ -182,6 +184,7 @@ func SettingsProtectedBranchPost(ctx *context.Context) {
 		protectBranch.CanPush = false
 		protectBranch.EnableWhitelist = false
 		protectBranch.WhitelistDeployKeys = false
+		protectBranch.WhitelistActionsUser = false
 	}

 	switch f.EnableForcePush {
@@ -189,10 +192,12 @@ func SettingsProtectedBranchPost(ctx *context.Context) {
 		protectBranch.CanForcePush = true
 		protectBranch.EnableForcePushAllowlist = false
 		protectBranch.ForcePushAllowlistDeployKeys = false
+		protectBranch.ForcePushAllowlistActionsUser = false
 	case "whitelist":
 		protectBranch.CanForcePush = true
 		protectBranch.EnableForcePushAllowlist = true
 		protectBranch.ForcePushAllowlistDeployKeys = f.ForcePushAllowlistDeployKeys
+		protectBranch.ForcePushAllowlistActionsUser = f.ForcePushAllowlistActionsUser
 		if strings.TrimSpace(f.ForcePushAllowlistUsers) != "" {
 			forcePushAllowlistUsers, _ = base.StringsToInt64s(strings.Split(f.ForcePushAllowlistUsers, ","))
 		}
@@ -203,9 +208,11 @@ func SettingsProtectedBranchPost(ctx *context.Context) {
 		protectBranch.CanForcePush = false
 		protectBranch.EnableForcePushAllowlist = false
 		protectBranch.ForcePushAllowlistDeployKeys = false
+		protectBranch.ForcePushAllowlistActionsUser = false
 	}

 	protectBranch.EnableMergeWhitelist = f.EnableMergeWhitelist
+	protectBranch.MergeWhitelistActionsUser = f.EnableMergeWhitelist && f.MergeWhitelistActionsUser
 	if f.EnableMergeWhitelist {
 		if strings.TrimSpace(f.MergeWhitelistUsers) != "" {
 			mergeWhitelistUsers, _ = base.StringsToInt64s(strings.Split(f.MergeWhitelistUsers, ","))
@@ -12,6 +12,8 @@ import (

 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/organization"
+	licenses_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/perm"
 	repo_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/repo"
 	unit_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/unit"
 	user_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/user"
@@ -99,6 +101,8 @@ func SettingsCtxData(ctx *context.Context) {

 // Settings show a repository's settings page
 func Settings(ctx *context.Context) {
+	repoCfg, _ := licenses_model.GetRepoConfig(ctx, ctx.Repo.Repository.ID)
+	ctx.Data["RepoUpdateConfig"] = repoCfg
 	ctx.HTML(http.StatusOK, tplSettingsOptions)
 }

@@ -510,6 +514,17 @@ func newRepoUnit(repo *repo_model.Repository, unitType unit_model.Type, config c
 	return repoUnit
 }

+// applyUnitVisibility sets AnonymousAccessMode on a unit based on the form value.
+// Values: "" or "not-set" = none, "anonymous-read" = anonymous read.
+func applyUnitVisibility(unit *repo_model.RepoUnit, visibility string) {
+	switch visibility {
+	case "anonymous-read":
+		unit.AnonymousAccessMode = perm.AccessModeRead
+	default:
+		unit.AnonymousAccessMode = perm.AccessModeNone
+	}
+}
+
 func handleSettingsPostAdvanced(ctx *context.Context) {
 	form := web.GetForm(ctx).(*forms.RepoSettingForm)
 	repo := ctx.Repo.Repository
@@ -527,7 +542,9 @@ func handleSettingsPostAdvanced(ctx *context.Context) {
 	}

 	if form.EnableCode && !unit_model.TypeCode.UnitGlobalDisabled() {
-		units = append(units, newRepoUnit(repo, unit_model.TypeCode, nil))
+		u := newRepoUnit(repo, unit_model.TypeCode, nil)
+		applyUnitVisibility(&u, form.CodeVisibility)
+		units = append(units, u)
 	} else if !unit_model.TypeCode.UnitGlobalDisabled() {
 		deleteUnitTypes = append(deleteUnitTypes, unit_model.TypeCode)
 	}
@@ -544,7 +561,9 @@ func handleSettingsPostAdvanced(ctx *context.Context) {
 		}))
 		deleteUnitTypes = append(deleteUnitTypes, unit_model.TypeWiki)
 	} else if form.EnableWiki && !form.EnableExternalWiki && !unit_model.TypeWiki.UnitGlobalDisabled() {
-		units = append(units, newRepoUnit(repo, unit_model.TypeWiki, new(repo_model.UnitConfig)))
+		u := newRepoUnit(repo, unit_model.TypeWiki, new(repo_model.UnitConfig))
+		applyUnitVisibility(&u, form.WikiVisibility)
+		units = append(units, u)
 		deleteUnitTypes = append(deleteUnitTypes, unit_model.TypeExternalWiki)
 	} else {
 		if !unit_model.TypeExternalWiki.UnitGlobalDisabled() {
@@ -581,11 +600,13 @@ func handleSettingsPostAdvanced(ctx *context.Context) {
 		}))
 		deleteUnitTypes = append(deleteUnitTypes, unit_model.TypeIssues)
 	} else if form.EnableIssues && !form.EnableExternalTracker && !unit_model.TypeIssues.UnitGlobalDisabled() {
-		units = append(units, newRepoUnit(repo, unit_model.TypeIssues, &repo_model.IssuesConfig{
+		u := newRepoUnit(repo, unit_model.TypeIssues, &repo_model.IssuesConfig{
 			EnableTimetracker:                form.EnableTimetracker,
 			AllowOnlyContributorsToTrackTime: form.AllowOnlyContributorsToTrackTime,
 			EnableDependencies:               form.EnableIssueDependencies,
-		}))
+		})
+		applyUnitVisibility(&u, form.IssuesVisibility)
+		units = append(units, u)
 		deleteUnitTypes = append(deleteUnitTypes, unit_model.TypeExternalTracker)
 	} else {
 		if !unit_model.TypeExternalTracker.UnitGlobalDisabled() {
@@ -605,7 +626,9 @@ func handleSettingsPostAdvanced(ctx *context.Context) {
 	}

 	if form.EnableReleases && !unit_model.TypeReleases.UnitGlobalDisabled() {
-		units = append(units, newRepoUnit(repo, unit_model.TypeReleases, nil))
+		u := newRepoUnit(repo, unit_model.TypeReleases, nil)
+		applyUnitVisibility(&u, form.ReleasesVisibility)
+		units = append(units, u)
 	} else if !unit_model.TypeReleases.UnitGlobalDisabled() {
 		deleteUnitTypes = append(deleteUnitTypes, unit_model.TypeReleases)
 	}
@@ -652,6 +675,23 @@ func handleSettingsPostAdvanced(ctx *context.Context) {
 			return
 		}
 	}
+	// Save update server platform and require-key settings.
+	updatePlatform := form.UpdatePlatform
+	if updatePlatform == "" {
+		updatePlatform = "joomla"
+	}
+	updateCfg := &licenses_model.UpdateStreamConfig{
+		OwnerID:          repo.OwnerID,
+		RepoID:           repo.ID,
+		Platform:         updatePlatform,
+		LicensingEnabled: form.EnableLicensing,
+		RequireKey:       form.RequireUpdateKey,
+		StreamMode:       "joomla", // inherit org default
+	}
+	if err := licenses_model.SaveConfig(ctx, updateCfg); err != nil {
+		log.Error("SaveConfig: %v", err)
+	}
+
 	log.Trace("Repository advanced settings updated: %s/%s", ctx.Repo.Owner.Name, repo.Name)

 	ctx.Flash.Success(ctx.Tr("repo.settings.update_settings_success"))
@@ -0,0 +1,150 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package repo
+
+import (
+	"net/http"
+	"strings"
+
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/json"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/log"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/services/context"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/services/updateserver"
+)
+
+// validateUpdateKey checks for a license key in the request and validates it.
+// Returns allowed channels (nil = all channels) and whether access is granted.
+func validateUpdateKey(ctx *context.Context) (allowedChannels []string, ok bool) {
+	rawKey := ctx.FormString("key")
+	if rawKey == "" {
+		rawKey = ctx.FormString("download_key")
+	}
+	if rawKey == "" {
+		rawKey = ctx.FormString("dlid")
+	}
+
+	if rawKey == "" {
+		// Check if this repo requires a key for update feed access.
+		repoCfg, _ := licenses.GetRepoConfig(ctx, ctx.Repo.Repository.ID)
+		if repoCfg != nil && repoCfg.RequireKey {
+			// Key required but not provided — return empty.
+			return nil, false
+		}
+		// No key required — allow public access (all channels).
+		return nil, true
+	}
+
+	domain := ctx.FormString("domain")
+	key, pkg, err := licenses.ValidateLicenseKey(ctx, rawKey, domain)
+	if err != nil {
+		log.Debug("License key validation failed: %v", err)
+		return nil, false
+	}
+
+	// Update heartbeat and record usage.
+	_ = licenses.TouchHeartbeat(ctx, key.ID)
+	_ = licenses.RecordUsage(ctx, &licenses.LicenseKeyUsage{
+		KeyID:       key.ID,
+		RepoID:      ctx.Repo.Repository.ID,
+		Domain:      domain,
+		IPAddress:   ctx.RemoteAddr(),
+		UserAgent:   ctx.Req.UserAgent(),
+		VersionFrom: ctx.FormString("version"),
+	})
+
+	// Parse allowed channels from the package.
+	if pkg.AllowedChannels != "" {
+		channels := strings.Split(pkg.AllowedChannels, ",")
+		for i := range channels {
+			channels[i] = strings.TrimSpace(channels[i])
+		}
+		// Also try JSON array format.
+		if strings.HasPrefix(pkg.AllowedChannels, "[") {
+			var parsed []string
+			if err := json.Unmarshal([]byte(pkg.AllowedChannels), &parsed); err == nil {
+				channels = parsed
+			}
+		}
+		// Normalize shorthand names to full Joomla convention.
+		for i := range channels {
+			channels[i] = updateserver.NormalizeChannel(channels[i])
+		}
+		return channels, true
+	}
+
+	// Master/internal keys or packages with no channel restriction — all channels.
+	return nil, true
+}
+
+// ServeUpdatesXML generates and serves a Joomla-compatible updates.xml
+// from the repository's releases.
+func ServeUpdatesXML(ctx *context.Context) {
+	// Block if platform doesn't include joomla.
+	platform := ctx.Data["RepoUpdatePlatform"]
+	if platform == "dolibarr" {
+		ctx.NotFound(nil)
+		return
+	}
+
+	allowedChannels, ok := validateUpdateKey(ctx)
+	if !ok {
+		// Return empty updates XML for invalid keys (Joomla-compatible).
+		ctx.Resp.Header().Set("Content-Type", "application/xml; charset=utf-8")
+		ctx.Resp.WriteHeader(http.StatusOK)
+		_, _ = ctx.Resp.Write([]byte(`<?xml version="1.0" encoding="UTF-8"?><updates></updates>`))
+		return
+	}
+
+	// Check if this repo requires a license key for update feed access.
+	repoCfg, _ := licenses.GetRepoConfig(ctx, ctx.Repo.Repository.ID)
+	requireKey := repoCfg != nil && repoCfg.RequireKey
+
+	xmlData, err := updateserver.GenerateJoomlaXML(ctx, ctx.Repo.Repository, requireKey, allowedChannels...)
+	if err != nil {
+		ctx.ServerError("GenerateJoomlaXML", err)
+		return
+	}
+
+	ctx.Resp.Header().Set("Content-Type", "application/xml; charset=utf-8")
+	ctx.Resp.WriteHeader(http.StatusOK)
+	_, _ = ctx.Resp.Write(xmlData)
+}
+
+// ServeDolibarrJSON generates and serves a Dolibarr-compatible update feed
+// from the repository's releases. Uses the same license key validation as the
+// Joomla XML feed — all platforms share the same licensing system.
+func ServeDolibarrJSON(ctx *context.Context) {
+	// Block if platform doesn't include dolibarr.
+	platform := ctx.Data["RepoUpdatePlatform"]
+	if platform == "joomla" || platform == "" {
+		ctx.NotFound(nil)
+		return
+	}
+
+	allowedChannels, ok := validateUpdateKey(ctx)
+	if !ok {
+		// Return empty updates for invalid keys.
+		ctx.Resp.Header().Set("Content-Type", "application/json; charset=utf-8")
+		ctx.Resp.WriteHeader(http.StatusOK)
+		_, _ = ctx.Resp.Write([]byte(`{"module":"","updates":[]}`))
+		return
+	}
+
+	data, err := updateserver.GenerateDolibarrJSON(ctx, ctx.Repo.Repository, allowedChannels...)
+	if err != nil {
+		ctx.ServerError("GenerateDolibarrJSON", err)
+		return
+	}
+
+	jsonData, err := json.MarshalIndent(data, "", "  ")
+	if err != nil {
+		ctx.ServerError("json.Marshal", err)
+		return
+	}
+
+	ctx.Resp.Header().Set("Content-Type", "application/json; charset=utf-8")
+	ctx.Resp.WriteHeader(http.StatusOK)
+	_, _ = ctx.Resp.Write(jsonData)
+}
@@ -13,6 +13,7 @@ import (
 // SwaggerV1Json render swagger v1 json
 func SwaggerV1Json(ctx *context.Context) {
 	ctx.Data["SwaggerAppVer"] = template.HTML(template.JSEscapeString(setting.AppVer))
+	ctx.Data["SwaggerAppName"] = template.HTML(template.JSEscapeString(setting.AppName))
 	ctx.Data["SwaggerAppSubUrl"] = setting.AppSubURL // it is JS-safe
 	ctx.JSONTemplate("swagger/v1_json")
 }
@@ -20,6 +21,7 @@ func SwaggerV1Json(ctx *context.Context) {
 // OpenAPI3Json render OpenAPI 3.0 json (auto-converted from Swagger 2.0)
 func OpenAPI3Json(ctx *context.Context) {
 	ctx.Data["SwaggerAppVer"] = template.HTML(template.JSEscapeString(setting.AppVer))
+	ctx.Data["SwaggerAppName"] = template.HTML(template.JSEscapeString(setting.AppName))
 	ctx.Data["SwaggerAppSubUrl"] = setting.AppSubURL // it is JS-safe
 	ctx.JSONTemplate("swagger/v1_openapi3_json")
 }
@@ -960,7 +960,7 @@ func registerWebRoutes(m *web.Router, webAuth *AuthMiddleware) {
 			m.Get("/milestones/{team}", reqMilestonesDashboardPageEnabled, user.Milestones)
 			m.Post("/members/action/{action}", org.MembersAction)
 			m.Get("/teams", org.Teams)
-		}, context.OrgAssignment(context.OrgAssignmentOptions{RequireMember: true, RequireTeamMember: true}))
+		}, context.OrgAssignment(context.OrgAssignmentOptions{RequireMember: true, RequireTeamMember: true}), org.Check2FARequirement)

 		m.Group("/{org}", func() {
 			m.Get("/teams/{team}", org.TeamMembers)
@@ -1057,6 +1057,11 @@ func registerWebRoutes(m *web.Router, webAuth *AuthMiddleware) {
 					m.Get("", org.BlockedUsers)
 					m.Post("", web.Bind(forms.BlockUserForm{}), org.BlockedUsersPost)
 				})
+
+				m.Group("/update-streams", func() {
+					m.Get("", org.SettingsUpdateStreams)
+					m.Post("", org.SettingsUpdateStreamsPost)
+				})
 			}, ctxDataSet("EnableOAuth2", setting.OAuth2.Enabled, "EnablePackages", setting.Packages.Enabled, "PageIsOrgSettings", true))
 		}, context.OrgAssignment(context.OrgAssignmentOptions{RequireOwner: true}))
 	}, reqSignIn)
@@ -1099,6 +1104,22 @@ func registerWebRoutes(m *web.Router, webAuth *AuthMiddleware) {
 		// at the moment, only editing "owner-level projects" need to "mention", maybe in the future we can relax the permission check
 		m.Get("/mentions-in-owner", reqUnitAccess(unit.TypeProjects, perm.AccessModeWrite, true), org.GetMentionsInOwner)

+		m.Group("/licenses", func() {
+			m.Get("", org.Licenses)
+			m.Group("", func() {
+				m.Post("/packages", org.LicensesCreatePackage)
+				m.Get("/packages/{id}/edit", org.LicensesEditPackage)
+				m.Post("/packages/{id}/edit", org.LicensesEditPackagePost)
+				m.Post("/packages/{id}/delete", org.LicensesDeletePackage)
+				m.Post("/keys/generate", org.LicensesGenerateKey)
+				m.Get("/keys/{id}/edit", org.LicensesEditKey)
+				m.Post("/keys/{id}/edit", org.LicensesEditKeyPost)
+				m.Post("/keys/{id}/revoke", org.LicensesRevokeKey)
+				m.Post("/keys/{id}/renew", org.LicensesRenewKey)
+				m.Post("/keys/{id}/delete", org.LicensesDeleteKey)
+			}, reqUnitAccess(unit.TypeLicenses, perm.AccessModeWrite, true))
+		}, reqUnitAccess(unit.TypeLicenses, perm.AccessModeRead, true))
+
 		m.Get("/repositories", org.Repositories)
 		m.Get("/heatmap", user.DashboardHeatmap)

@@ -1494,6 +1515,31 @@ func registerWebRoutes(m *web.Router, webAuth *AuthMiddleware) {
 	}, optSignIn, context.RepoAssignment, repo.MustBeNotEmpty, reqRepoReleaseReader)
 	// end "/{username}/{reponame}": repo releases

+	// "/{username}/{reponame}": update server endpoints
+	m.Group("/{username}/{reponame}", func() {
+		m.Get("/updates.xml", repo.ServeUpdatesXML)
+		m.Get("/updates/dolibarr.json", repo.ServeDolibarrJSON)
+	}, optSignIn, context.RepoAssignment)
+	// end "/{username}/{reponame}": update server
+
+	// "/{username}/{reponame}": licenses page
+	// Note: page visibility is controlled by LicensingEnabled (org config).
+	// Write permissions are checked in handlers via CanWrite(TypeLicenses).
+	m.Group("/{username}/{reponame}/licenses", func() {
+		m.Get("", repo.Licenses)
+		m.Post("/packages", repo.LicensesCreatePackage)
+		m.Get("/packages/{id}/edit", repo.LicensesEditPackage)
+		m.Post("/packages/{id}/edit", repo.LicensesEditPackagePost)
+		m.Post("/packages/{id}/delete", repo.LicensesDeletePackage)
+		m.Post("/keys/generate", repo.LicensesGenerateKey)
+		m.Get("/keys/{id}/edit", repo.LicensesEditKey)
+		m.Post("/keys/{id}/edit", repo.LicensesEditKeyPost)
+		m.Post("/keys/{id}/revoke", repo.LicensesRevokeKey)
+		m.Post("/keys/{id}/renew", repo.LicensesRenewKey)
+		m.Post("/keys/{id}/delete", repo.LicensesDeleteKey)
+	}, optSignIn, context.RepoAssignment)
+	// end "/{username}/{reponame}": licenses
+
 	m.Group("/{username}/{reponame}", func() { // to maintain compatibility with old attachments
 		m.Get("/attachments/{uuid}", webAuth.AllowBasic, webAuth.AllowOAuth2, repo.GetAttachment)
 	}, optSignIn, context.RepoAssignment)
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"slices"
 	"strings"
+	"time"

 	actions_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/actions"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
@@ -117,7 +118,7 @@ func (input *notifyInput) Notify(ctx context.Context) {

 func notify(ctx context.Context, input *notifyInput) error {
 	shouldDetectSchedules := input.Event == webhook_module.HookEventPush && input.Ref.BranchName() == input.Repo.DefaultBranch
-	if input.Doer.IsGiteaActions() {
+	if input.Doer.IsActions() {
 		// avoiding triggering cyclically, for example:
 		// a comment of an issue will trigger the runner to add a new comment as reply,
 		// and the new comment will trigger the runner again.
@@ -344,7 +345,7 @@ func handleWorkflows(

 		run.NeedApproval = need

-		if err := PrepareRunAndInsert(ctx, dwf.Content, run, nil); err != nil {
+		if err := prepareRunAndInsertWithRetry(ctx, dwf.Content, run); err != nil {
 			log.Error("PrepareRunAndInsert: %v", err)
 			continue
 		}
@@ -352,6 +353,54 @@ func handleWorkflows(
 	return nil
 }

+// prepareRunAndInsertWithRetry wraps PrepareRunAndInsert with retries on
+// database deadlocks.  When multiple workflow runs are inserted for the same
+// event (e.g. several workflows triggered by a single pull_request), each
+// InsertRun transaction acquires an X-lock on the repository row (via
+// UpdateRepoRunsNumbers) and an index lock on action_run.  Two concurrent
+// transactions can deadlock when each holds one lock and waits for the other.
+// InnoDB resolves this by killing the lighter transaction, but handleWorkflows
+// only logged the error and moved on — silently dropping the workflow run.
+// Retrying the insert is safe because the rolled-back transaction left no
+// partial state.
+func prepareRunAndInsertWithRetry(ctx context.Context, content []byte, run *actions_model.ActionRun) error {
+	const maxRetries = 3
+	backoff := 50 * time.Millisecond
+
+	// Save original values that InsertRun mutates inside its transaction.
+	// On deadlock rollback these become stale and must be reset before retry.
+	origTitle := run.Title
+
+	var err error
+	for attempt := range maxRetries {
+		if err = PrepareRunAndInsert(ctx, content, run, nil); err == nil {
+			return nil
+		}
+		if !db.IsErrDeadlock(err) {
+			return err
+		}
+		log.Warn("PrepareRunAndInsert deadlock (attempt %d/%d) for workflow %s in repo %d, retrying: %v",
+			attempt+1, maxRetries, run.WorkflowID, run.RepoID, err)
+
+		// Reset fields that InsertRun sets inside the (now rolled-back) transaction
+		// so the next attempt starts clean.
+		run.ID = 0
+		run.Index = 0
+		run.Status = actions_model.StatusWaiting
+		run.Title = origTitle
+		run.ConcurrencyGroup = ""
+		run.ConcurrencyCancel = false
+
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-time.After(backoff):
+		}
+		backoff *= 2
+	}
+	return fmt.Errorf("deadlock persisted after %d retries: %w", maxRetries, err)
+}
+
 func newNotifyInputFromIssue(issue *issues_model.Issue, event webhook_module.HookEventType) *notifyInput {
 	return newNotifyInput(issue.Repo, issue.Poster, event)
 }
@@ -68,7 +68,7 @@ func (b *Basic) parseAuthBasic(req *http.Request) (ret struct{ authToken, uname,

 // VerifyAuthToken only the access token provided as parameter, used by other auth methods that want to reuse access token verification logic
 func (b *Basic) VerifyAuthToken(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore, authToken string) (*user_model.User, error) {
-	// get oauth2 token's user's ID
+	// get oauth2 token's user's ID and access scope
 	accessTokenScope, uid := GetOAuthAccessTokenScopeAndUserID(req.Context(), authToken)
 	if uid != 0 {
 		log.Trace("Basic Authorization: Valid OAuthAccessToken for user[%d]", uid)
@@ -18,6 +18,7 @@ import (
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
 	git_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/git"
 	issues_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/issues"
+	licenses_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
 	access_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/perm/access"
 	repo_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/repo"
 	unit_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/unit"
@@ -605,6 +606,28 @@ func repoAssignmentPrepareTemplateData(ctx *Context, data *repoAssignmentPrepare
 		return
 	}

+	// Check if licensing is enabled for this repo/org.
+	orgCfg, _ := licenses_model.GetOrgConfig(ctx, repo.OwnerID)
+	repoUpdateCfg, _ := licenses_model.GetRepoConfig(ctx, repo.ID)
+	licensingEnabled := (orgCfg != nil && orgCfg.LicensingEnabled) ||
+		(repoUpdateCfg != nil && repoUpdateCfg.LicensingEnabled)
+
+	numLicensePackages, _ := db.Count[licenses_model.LicensePackage](ctx, licenses_model.FindLicensePackageOptions{
+		OwnerID: repo.OwnerID,
+	})
+	ctx.Data["NumLicensePackages"] = numLicensePackages
+	ctx.Data["EnableLicenses"] = licensingEnabled || numLicensePackages > 0
+	ctx.Data["LicensingEnabled"] = licensingEnabled
+	ctx.Data["IsRepoAdmin"] = ctx.Repo.Permission.IsAdmin()
+	ctx.Data["IsSiteAdmin"] = ctx.IsUserSiteAdmin()
+
+	// Load repo update config for platform-aware UI.
+	if repoUpdateCfg != nil {
+		ctx.Data["RepoUpdatePlatform"] = repoUpdateCfg.Platform
+	} else {
+		ctx.Data["RepoUpdatePlatform"] = "joomla"
+	}
+
 	ctx.Data["Title"] = repo.Owner.Name + "/" + repo.Name
 	ctx.Data["PageTitleCommon"] = repo.Name + " - " + setting.AppName
 	ctx.Data["Repository"] = repo
@@ -173,14 +173,17 @@ func ToBranchProtection(ctx context.Context, bp *git_model.ProtectedBranch, repo
 		PushWhitelistUsernames:        pushWhitelistUsernames,
 		PushWhitelistTeams:            pushWhitelistTeams,
 		PushWhitelistDeployKeys:       bp.WhitelistDeployKeys,
+		PushWhitelistActionsUser:      bp.WhitelistActionsUser,
 		EnableForcePush:               bp.CanForcePush,
 		EnableForcePushAllowlist:      bp.EnableForcePushAllowlist,
 		ForcePushAllowlistUsernames:   forcePushAllowlistUsernames,
 		ForcePushAllowlistTeams:       forcePushAllowlistTeams,
 		ForcePushAllowlistDeployKeys:  bp.ForcePushAllowlistDeployKeys,
+		ForcePushAllowlistActionsUser: bp.ForcePushAllowlistActionsUser,
 		EnableMergeWhitelist:          bp.EnableMergeWhitelist,
 		MergeWhitelistUsernames:       mergeWhitelistUsernames,
 		MergeWhitelistTeams:           mergeWhitelistTeams,
+		MergeWhitelistActionsUser:     bp.MergeWhitelistActionsUser,
 		EnableStatusCheck:             bp.EnableStatusCheck,
 		StatusCheckContexts:           bp.StatusCheckContexts,
 		RequiredApprovals:             bp.RequiredApprovals,
@@ -9,9 +9,11 @@ import (

 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models"
 	git_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/git"
+	licenses_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
 	user_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/user"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/webhook"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/git/gitcmd"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/log"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/setting"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/updatechecker"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/services/auth"
@@ -158,6 +160,24 @@ func registerCleanupPackages() {
 	})
 }

+func registerCleanupExpiredLicenseKeys() {
+	RegisterTaskFatal("cleanup_expired_license_keys", &BaseConfig{
+		Enabled:    true,
+		RunAtStart: false,
+		Schedule:   "@weekly",
+	}, func(ctx context.Context, _ *user_model.User, config Config) error {
+		// Delete non-internal keys that expired more than 365 days ago.
+		deleted, err := licenses_model.DeleteExpiredKeys(ctx, 365)
+		if err != nil {
+			return err
+		}
+		if deleted > 0 {
+			log.Info("Cleaned up %d expired license keys (expired >1 year)", deleted)
+		}
+		return nil
+	})
+}
+
 func registerSyncRepoLicenses() {
 	RegisterTaskFatal("sync_repo_licenses", &BaseConfig{
 		Enabled:    false,
@@ -185,6 +205,7 @@ func initBasicTasks() {
 		registerCleanupPackages()
 	}
 	registerSyncRepoLicenses()
+	registerCleanupExpiredLicenseKeys()
 	if setting.UpdateChecker.Enabled {
 		registerUpdateChecker()
 	}
@@ -110,12 +110,14 @@ type RepoSettingForm struct {
 	EnablePrune            bool

 	// Advanced settings
-	EnableCode bool
+	EnableCode     bool
+	CodeVisibility string

-	EnableWiki         bool
-	EnableExternalWiki bool
-	DefaultWikiBranch  string
-	ExternalWikiURL    string
+	EnableWiki             bool
+	EnableExternalWiki     bool
+	DefaultWikiBranch      string
+	ExternalWikiURL        string
+	WikiVisibility         string

 	EnableIssues                          bool
 	EnableExternalTracker                 bool
@@ -124,13 +126,18 @@ type RepoSettingForm struct {
 	TrackerIssueStyle                     string
 	ExternalTrackerRegexpPattern          string
 	EnableCloseIssuesViaCommitInAnyBranch bool
+	IssuesVisibility                      string

 	EnableProjects bool
 	ProjectsMode   string

-	EnableReleases bool
+	EnableReleases     bool
+	ReleasesVisibility string
+	UpdatePlatform     string
+	RequireUpdateKey   bool
+	EnableLicensing    bool

-	EnablePackages bool
+	EnablePackages     bool

 	EnablePulls                      bool
 	PullsIgnoreWhitespace            bool
@@ -172,13 +179,16 @@ type ProtectBranchForm struct {
 	WhitelistUsers                string
 	WhitelistTeams                string
 	WhitelistDeployKeys           bool
+	WhitelistActionsUser          bool
 	EnableForcePush               string
 	ForcePushAllowlistUsers       string
 	ForcePushAllowlistTeams       string
 	ForcePushAllowlistDeployKeys  bool
+	ForcePushAllowlistActionsUser bool
 	EnableMergeWhitelist          bool
 	MergeWhitelistUsers           string
 	MergeWhitelistTeams           string
+	MergeWhitelistActionsUser     bool
 	EnableStatusCheck             bool
 	StatusCheckContexts           string
 	RequiredApprovals             int64
@@ -0,0 +1,84 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package mailer
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"net/http"
+	"time"
+
+	user_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/user"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/log"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/setting"
+	sender_service "git.mokoconsulting.tech/MokoConsulting/MokoGitea/services/mailer/sender"
+)
+
+// SendLoginNotification sends email and ntfy notifications when a user signs in.
+func SendLoginNotification(u *user_model.User, ip, userAgent string) {
+	if !setting.LoginNotification.Enabled {
+		return
+	}
+
+	timestamp := time.Now().UTC().Format("2006-01-02 15:04:05 UTC")
+	subject := fmt.Sprintf("[%s] New sign-in: %s", setting.AppName, u.Name)
+
+	body := fmt.Sprintf(`New sign-in detected
+
+Account:    %s (%s)
+IP Address: %s
+Browser:    %s
+Time:       %s
+Instance:   %s
+
+If this wasn't you, change your password immediately and review your active sessions.
+
+— %s`, u.Name, u.Email, ip, userAgent, timestamp, setting.AppURL, setting.AppName)
+
+	// Email notification
+	if setting.MailService != nil && u.Email != "" {
+		msg := sender_service.NewMessage(u.EmailTo(), subject, body)
+		msg.Info = fmt.Sprintf("Login notification for %s", u.Name)
+		SendAsync(msg)
+		log.Debug("Login notification email sent to %s", u.Email)
+	}
+
+	// ntfy push notification
+	if setting.Ntfy.Enabled && setting.Ntfy.ServerURL != "" {
+		go sendLoginNtfy(subject, u.Name, ip, timestamp)
+	}
+}
+
+func sendLoginNtfy(title, username, ip, timestamp string) {
+	body := fmt.Sprintf("User: %s\nIP: %s\nTime: %s", username, ip, timestamp)
+	url := fmt.Sprintf("%s/%s", setting.Ntfy.ServerURL, setting.Ntfy.DefaultTopic)
+
+	req, err := http.NewRequest("POST", url, bytes.NewBufferString(body))
+	if err != nil {
+		log.Error("ntfy login: create request: %v", err)
+		return
+	}
+
+	req.Header.Set("Title", title)
+	req.Header.Set("Priority", "default")
+	req.Header.Set("Tags", "key,login")
+	req.Header.Set("Click", setting.AppURL+"-/admin")
+	if setting.Ntfy.Token != "" {
+		req.Header.Set("Authorization", "Bearer "+setting.Ntfy.Token)
+	}
+
+	client := &http.Client{Timeout: 10 * time.Second}
+	resp, err := client.Do(req)
+	if err != nil {
+		log.Error("ntfy login: send: %v", err)
+		return
+	}
+	defer resp.Body.Close()
+	io.Copy(io.Discard, resp.Body)
+
+	if resp.StatusCode >= 300 {
+		log.Error("ntfy login: status %d", resp.StatusCode)
+	}
+}
@@ -11,6 +11,7 @@ import (

 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
 	git_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/git"
+	licenses_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
 	repo_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/repo"
 	user_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/user"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/container"
@@ -166,6 +167,64 @@ func createTag(ctx context.Context, gitRepo *git.Repository, rel *repo_model.Rel
 }

 // CreateRelease creates a new release of repository.
+// ErrTagDoesNotMatchStream indicates a tag doesn't match any configured update stream.
+type ErrTagDoesNotMatchStream struct {
+	TagName string
+}
+
+func (e ErrTagDoesNotMatchStream) Error() string {
+	return fmt.Sprintf("tag %q does not match any configured update stream", e.TagName)
+}
+
+// validateTagAgainstStreams checks that a release tag follows the update stream
+// naming convention when licensing is active. Tags must start with a version
+// prefix (v1.0.0) and any suffix must match a configured stream (e.g. -rc, -beta).
+// When licensing is disabled, any tag is allowed.
+func validateTagAgainstStreams(ctx context.Context, rel *repo_model.Release) error {
+	if rel.IsDraft || rel.IsTag {
+		return nil // drafts and lightweight tags are not validated
+	}
+
+	// Load the repo to get the owner ID.
+	repo, err := repo_model.GetRepositoryByID(ctx, rel.RepoID)
+	if err != nil {
+		return nil // non-fatal, skip validation
+	}
+
+	// Check if licensing is enabled at org or repo level.
+	orgCfg, _ := licenses_model.GetOrgConfig(ctx, repo.OwnerID)
+	repoCfg, _ := licenses_model.GetRepoConfig(ctx, repo.ID)
+	licensingEnabled := (orgCfg != nil && orgCfg.LicensingEnabled) ||
+		(repoCfg != nil && repoCfg.LicensingEnabled)
+
+	if !licensingEnabled {
+		return nil // licensing off — any tag is fine
+	}
+
+	// Check that the tag contains a stream-compatible suffix.
+	// Any prerelease suffix in the tag must match a configured stream suffix.
+	streams := licenses_model.GetEffectiveStreams(ctx, repo.OwnerID, repo.ID)
+	lower := strings.ToLower(rel.TagName)
+	for _, s := range streams {
+		if s.Suffix == "" {
+			continue // stable stream matches everything
+		}
+		if strings.Contains(lower, s.Suffix) {
+			return nil // matches a configured stream
+		}
+	}
+
+	// If the tag has a prerelease-looking suffix but it doesn't match any stream, reject.
+	for _, indicator := range []string{"-rc", "-beta", "-alpha", "-dev"} {
+		if strings.Contains(lower, indicator) {
+			return ErrTagDoesNotMatchStream{TagName: rel.TagName}
+		}
+	}
+
+	// No prerelease suffix — this is a stable release, always allowed.
+	return nil
+}
+
 func CreateRelease(gitRepo *git.Repository, rel *repo_model.Release, attachmentUUIDs []string, msg string) error {
 	has, err := repo_model.IsReleaseExist(gitRepo.Ctx, rel.RepoID, rel.TagName)
 	if err != nil {
@@ -176,6 +235,11 @@ func CreateRelease(gitRepo *git.Repository, rel *repo_model.Release, attachmentU
 		}
 	}

+	// When licensing is enabled, validate that the tag matches a configured update stream.
+	if err := validateTagAgainstStreams(gitRepo.Ctx, rel); err != nil {
+		return err
+	}
+
 	if _, err = createTag(gitRepo.Ctx, gitRepo, rel, msg); err != nil {
 		return err
 	}
@@ -0,0 +1,131 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package updateserver
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
+	repo_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/repo"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/setting"
+)
+
+// DolibarrUpdate represents a single module update entry in Dolibarr format.
+type DolibarrUpdate struct {
+	Name         string `json:"name"`
+	Version      string `json:"version"`
+	Channel      string `json:"channel"`
+	DownloadURL  string `json:"url"`
+	ChangelogURL string `json:"changelog"`
+	ReleaseURL   string `json:"release_url"`
+	Requires     string `json:"requires,omitempty"`
+	Date         string `json:"date"`
+	SHA256       string `json:"sha256,omitempty"`
+}
+
+// DolibarrUpdates holds the full update feed response.
+type DolibarrUpdates struct {
+	Module  string           `json:"module"`
+	Updates []DolibarrUpdate `json:"updates"`
+}
+
+// GenerateDolibarrJSON builds a Dolibarr-compatible update feed from releases.
+// allowedChannels optionally restricts output to specific channels (nil = all).
+func GenerateDolibarrJSON(ctx context.Context, repo *repo_model.Repository, allowedChannels ...string) (*DolibarrUpdates, error) {
+	releases, err := db.Find[repo_model.Release](ctx, repo_model.FindReleasesOptions{
+		RepoID:        repo.ID,
+		ListOptions:   db.ListOptionsAll,
+		IncludeDrafts: false,
+		IncludeTags:   false,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("FindReleases: %w", err)
+	}
+
+	if err := repo.LoadOwner(ctx); err != nil {
+		return nil, fmt.Errorf("LoadOwner: %w", err)
+	}
+
+	baseURL := strings.TrimSuffix(setting.AppURL, "/")
+	repoLink := fmt.Sprintf("%s/%s/%s", baseURL, repo.Owner.Name, repo.Name)
+
+	result := &DolibarrUpdates{
+		Module: repo.Name,
+	}
+
+	// Resolve effective streams.
+	streams := licenses.GetEffectiveStreams(ctx, repo.OwnerID, repo.ID)
+
+	// Track best release per channel.
+	bestByChannel := make(map[string]*repo_model.Release)
+	for _, rel := range releases {
+		if rel.IsDraft || rel.IsTag {
+			continue
+		}
+		ch := licenses.MatchStreamFromTag(rel.TagName, rel.IsPrerelease, streams)
+		existing, ok := bestByChannel[ch]
+		if !ok || rel.CreatedUnix > existing.CreatedUnix {
+			bestByChannel[ch] = rel
+		}
+	}
+
+	// Build allowed channel set for filtering.
+	channelAllowed := make(map[string]bool)
+	if len(allowedChannels) > 0 {
+		for _, c := range allowedChannels {
+			channelAllowed[NormalizeChannel(c)] = true
+		}
+	}
+
+	for _, stream := range streams {
+		ch := stream.Name
+		if len(channelAllowed) > 0 && !channelAllowed[ch] {
+			continue
+		}
+		rel, ok := bestByChannel[ch]
+		if !ok {
+			continue
+		}
+
+		if err := rel.LoadAttributes(ctx); err != nil {
+			continue
+		}
+
+		var downloadURL string
+		for _, att := range rel.Attachments {
+			if strings.HasSuffix(strings.ToLower(att.Name), ".zip") {
+				downloadURL = fmt.Sprintf("%s/releases/download/%s/%s", repoLink, rel.TagName, att.Name)
+				break
+			}
+		}
+		if downloadURL == "" {
+			downloadURL = fmt.Sprintf("%s/archive/%s.zip", repoLink, rel.TagName)
+		}
+
+		version := extractVersion(rel.TagName)
+		suffix := stream.Suffix
+		if suffix == "" {
+			suffix = channelSuffix(ch)
+		}
+		if suffix != "" {
+			version = version + suffix
+		}
+
+		result.Updates = append(result.Updates, DolibarrUpdate{
+			Name:         repo.Name,
+			Version:      version,
+			Channel:      ch,
+			DownloadURL:  downloadURL,
+			ChangelogURL: fmt.Sprintf("%s/raw/branch/%s/CHANGELOG.md", repoLink, repo.DefaultBranch),
+			ReleaseURL:   fmt.Sprintf("%s/releases/tag/%s", repoLink, rel.TagName),
+			Date:         time.Unix(int64(rel.CreatedUnix), 0).Format("2006-01-02"),
+		})
+	}
+
+	return result, nil
+}
@@ -0,0 +1,288 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package updateserver
+
+import (
+	"context"
+	"encoding/xml"
+	"fmt"
+	"strings"
+	"time"
+
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
+	repo_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/repo"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/setting"
+)
+
+// Joomla-compatible updates.xml structures for XML marshaling.
+
+type xmlUpdates struct {
+	XMLName xml.Name    `xml:"updates"`
+	Updates []xmlUpdate `xml:"update"`
+}
+
+type xmlUpdate struct {
+	Name           string          `xml:"name"`
+	Description    string          `xml:"description"`
+	Element        string          `xml:"element"`
+	Type           string          `xml:"type"`
+	Client         string          `xml:"client"`
+	Version        string          `xml:"version"`
+	CreationDate   string          `xml:"creationDate"`
+	InfoURL        xmlInfoURL      `xml:"infourl"`
+	Downloads      xmlDownloads    `xml:"downloads"`
+	SHA256         string          `xml:"sha256,omitempty"`
+	Tags           xmlTags         `xml:"tags"`
+	ChangelogURL   string          `xml:"changelogurl,omitempty"`
+	Maintainer     string          `xml:"maintainer,omitempty"`
+	MaintainerURL  string          `xml:"maintainerurl,omitempty"`
+	TargetPlatform xmlTargetPlat   `xml:"targetplatform"`
+	DownloadKey    *xmlDownloadKey `xml:"downloadkey,omitempty"`
+}
+
+type xmlDownloadKey struct {
+	Prefix string `xml:"prefix,attr"`
+	Suffix string `xml:"suffix,attr"`
+}
+
+type xmlInfoURL struct {
+	Title string `xml:"title,attr"`
+	URL   string `xml:",chardata"`
+}
+
+type xmlDownloads struct {
+	DownloadURL []xmlDownloadURL `xml:"downloadurl"`
+}
+
+type xmlDownloadURL struct {
+	Type   string `xml:"type,attr"`
+	Format string `xml:"format,attr"`
+	URL    string `xml:",chardata"`
+}
+
+type xmlTags struct {
+	Tag string `xml:"tag"`
+}
+
+type xmlTargetPlat struct {
+	Name    string `xml:"name,attr"`
+	Version string `xml:"version,attr"`
+}
+
+// channelFromTag maps a release tag name to a Joomla update channel.
+// Joomla update stream names (full convention).
+const (
+	ChannelStable           = "stable"
+	ChannelReleaseCandidate = "release-candidate"
+	ChannelBeta             = "beta"
+	ChannelAlpha            = "alpha"
+	ChannelDevelopment      = "development"
+)
+
+// AllChannels in display order (most stable first).
+var AllChannels = []string{ChannelStable, ChannelReleaseCandidate, ChannelBeta, ChannelAlpha, ChannelDevelopment}
+
+// channelFromTag maps a release tag name to a Joomla update channel.
+func channelFromTag(tagName string, isPrerelease bool) string {
+	lower := strings.ToLower(tagName)
+	switch {
+	case strings.Contains(lower, "-dev") || strings.Contains(lower, "development"):
+		return ChannelDevelopment
+	case strings.Contains(lower, "-alpha"):
+		return ChannelAlpha
+	case strings.Contains(lower, "-beta"):
+		return ChannelBeta
+	case strings.Contains(lower, "-rc") || strings.Contains(lower, "release-candidate"):
+		return ChannelReleaseCandidate
+	case isPrerelease:
+		return ChannelReleaseCandidate
+	default:
+		return ChannelStable
+	}
+}
+
+// NormalizeChannel maps shorthand channel names to the full Joomla convention.
+// Accepts both "rc" and "release-candidate", "dev" and "development", etc.
+func NormalizeChannel(ch string) string {
+	switch strings.ToLower(ch) {
+	case "rc", "release-candidate":
+		return ChannelReleaseCandidate
+	case "dev", "development":
+		return ChannelDevelopment
+	case "alpha":
+		return ChannelAlpha
+	case "beta":
+		return ChannelBeta
+	case "stable":
+		return ChannelStable
+	default:
+		return ch
+	}
+}
+
+// GenerateJoomlaXML builds a Joomla-compatible updates.xml from repository releases.
+// It returns the raw XML bytes. The element, maintainer, and target platform
+// are derived from the repo name and owner.
+// allowedChannels optionally restricts output to specific channels (nil = all).
+func GenerateJoomlaXML(ctx context.Context, repo *repo_model.Repository, requireKey bool, allowedChannels ...string) ([]byte, error) {
+	releases, err := db.Find[repo_model.Release](ctx, repo_model.FindReleasesOptions{
+		RepoID:        repo.ID,
+		ListOptions:   db.ListOptionsAll,
+		IncludeDrafts: false,
+		IncludeTags:   false,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("GetReleasesByRepoID: %w", err)
+	}
+
+	if err := repo.LoadOwner(ctx); err != nil {
+		return nil, fmt.Errorf("LoadOwner: %w", err)
+	}
+
+	baseURL := setting.AppURL
+	if strings.HasSuffix(baseURL, "/") {
+		baseURL = baseURL[:len(baseURL)-1]
+	}
+	repoLink := fmt.Sprintf("%s/%s/%s", baseURL, repo.Owner.Name, repo.Name)
+
+	element := strings.ToLower(repo.Name)
+
+	// Resolve effective streams (repo override → org default → Joomla default).
+	streams := licenses.GetEffectiveStreams(ctx, repo.OwnerID, repo.ID)
+
+	// Track best (latest) release per channel to emit one entry per channel.
+	bestByChannel := make(map[string]*repo_model.Release)
+	for _, rel := range releases {
+		if rel.IsDraft || rel.IsTag {
+			continue
+		}
+		ch := licenses.MatchStreamFromTag(rel.TagName, rel.IsPrerelease, streams)
+		existing, ok := bestByChannel[ch]
+		if !ok || rel.CreatedUnix > existing.CreatedUnix {
+			bestByChannel[ch] = rel
+		}
+	}
+
+	// Build allowed channel set for filtering.
+	// Normalize shorthand names so both "rc" and "release-candidate" work.
+	channelAllowed := make(map[string]bool)
+	if len(allowedChannels) > 0 {
+		for _, c := range allowedChannels {
+			channelAllowed[NormalizeChannel(c)] = true
+		}
+	}
+
+	var updates xmlUpdates
+	for _, stream := range streams {
+		ch := stream.Name
+		// Skip channels not in the allowed set (when filtering is active).
+		if len(channelAllowed) > 0 && !channelAllowed[ch] {
+			continue
+		}
+		rel, ok := bestByChannel[ch]
+		if !ok {
+			continue
+		}
+
+		// Load attachments for download URLs.
+		if err := rel.LoadAttributes(ctx); err != nil {
+			continue
+		}
+
+		// Find the first .zip attachment as the download URL.
+		var downloadURL string
+		for _, att := range rel.Attachments {
+			if strings.HasSuffix(strings.ToLower(att.Name), ".zip") {
+				downloadURL = fmt.Sprintf("%s/releases/download/%s/%s", repoLink, rel.TagName, att.Name)
+				break
+			}
+		}
+		// Fall back to the release tag archive if no zip attachment.
+		if downloadURL == "" {
+			downloadURL = fmt.Sprintf("%s/archive/%s.zip", repoLink, rel.TagName)
+		}
+
+		version := extractVersion(rel.TagName)
+		suffix := stream.Suffix
+		if suffix == "" {
+			suffix = channelSuffix(ch) // fallback for Joomla defaults
+		}
+		if suffix != "" {
+			version = version + suffix
+		}
+
+		u := xmlUpdate{
+			Name:        fmt.Sprintf("%s - %s", repo.Owner.Name, repo.Name),
+			Description: fmt.Sprintf("%s - %s %s build.", repo.Owner.Name, repo.Name, ch),
+			Element:     element,
+			Type:        "component",
+			Client:      "site",
+			Version:     version,
+			CreationDate: time.Unix(int64(rel.CreatedUnix), 0).Format("2006-01-02"),
+			InfoURL: xmlInfoURL{
+				Title: fmt.Sprintf("%s - %s", repo.Owner.Name, repo.Name),
+				URL:   fmt.Sprintf("%s/releases/tag/%s", repoLink, rel.TagName),
+			},
+			Downloads: xmlDownloads{
+				DownloadURL: []xmlDownloadURL{
+					{Type: "full", Format: "zip", URL: downloadURL},
+				},
+			},
+			Tags: xmlTags{Tag: ch},
+			ChangelogURL:  fmt.Sprintf("%s/raw/branch/%s/CHANGELOG.md", repoLink, repo.DefaultBranch),
+			Maintainer:    repo.Owner.Name,
+			MaintainerURL: fmt.Sprintf("%s/%s", baseURL, repo.Owner.Name),
+			TargetPlatform: xmlTargetPlat{
+				Name:    "joomla",
+				Version: ".*",
+			},
+		}
+
+		if requireKey {
+			u.DownloadKey = &xmlDownloadKey{Prefix: "&dlid=", Suffix: ""}
+		}
+
+		updates.Updates = append(updates.Updates, u)
+	}
+
+	output, err := xml.MarshalIndent(updates, "", "  ")
+	if err != nil {
+		return nil, fmt.Errorf("xml.MarshalIndent: %w", err)
+	}
+
+	return append([]byte(xml.Header), output...), nil
+}
+
+// extractVersion strips common tag prefixes (v, release-, etc.) to get the version.
+func extractVersion(tagName string) string {
+	v := tagName
+	v = strings.TrimPrefix(v, "v")
+	v = strings.TrimPrefix(v, "release-")
+	v = strings.TrimPrefix(v, "release/")
+	// Strip channel suffixes to get base version.
+	for _, suffix := range []string{"-dev", "-alpha", "-beta", "-rc", "-development", "-release-candidate"} {
+		if idx := strings.Index(strings.ToLower(v), suffix); idx > 0 {
+			v = v[:idx]
+			break
+		}
+	}
+	return v
+}
+
+// channelSuffix returns the version suffix for a channel.
+func channelSuffix(channel string) string {
+	switch channel {
+	case ChannelDevelopment:
+		return "-dev"
+	case ChannelAlpha:
+		return "-alpha"
+	case ChannelBeta:
+		return "-beta"
+	case ChannelReleaseCandidate:
+		return "-rc"
+	default:
+		return ""
+	}
+}
@@ -56,6 +56,7 @@ type UpdateOptions struct {
 	EmailNotificationsPreference optional.Option[string]
 	SetLastLogin                 bool
 	RepoAdminChangeTeamAccess    optional.Option[bool]
+	Require2FA                   optional.Option[bool]
 }

 func UpdateUser(ctx context.Context, u *user_model.User, opts *UpdateOptions) error {
@@ -169,6 +170,11 @@ func UpdateUser(ctx context.Context, u *user_model.User, opts *UpdateOptions) er

 		cols = append(cols, "repo_admin_change_team_access")
 	}
+	if opts.Require2FA.Has() {
+		u.Require2FA = opts.Require2FA.Value()
+
+		cols = append(cols, "require_2fa")
+	}

 	if opts.EmailNotificationsPreference.Has() {
 		u.EmailNotificationsPreference = opts.EmailNotificationsPreference.Value()
@@ -6,6 +6,7 @@ package wiki
 import (
 	"net/url"
 	"path"
+	"regexp"
 	"strings"

 	repo_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/repo"
@@ -148,10 +149,26 @@ func WebPathFromRequest(s string) WebPath {
 	return WebPath(s)
 }

+var multiHyphenRe = regexp.MustCompile(`-{2,}`)
+var nonSlugRe = regexp.MustCompile(`[^a-zA-Z0-9+.\-]`)
+
+// sanitizeWikiTitle converts a user-provided title into a clean, URL-friendly slug.
+// Spaces and special characters become hyphens, consecutive hyphens collapse to one.
+// Preserves: letters, digits, hyphens, plus signs (+), and dots (.)
+func sanitizeWikiTitle(title string) string {
+	title = strings.TrimSpace(title)
+	title = strings.ReplaceAll(title, " ", "-")
+	title = nonSlugRe.ReplaceAllString(title, "-")
+	title = multiHyphenRe.ReplaceAllString(title, "-")
+	title = strings.NewReplacer("-+-", "-", "+-", "-", "-+", "-").Replace(title) // clean stray plus signs
+	title = strings.Trim(title, "-+.")
+	return title
+}
+
 func UserTitleToWebPath(base, title string) WebPath {
 	// TODO: no support for subdirectory, because the old wiki code's behavior is always using %2F, instead of subdirectory.
 	// So we do not add the support for writing slashes in title at the moment.
-	title = strings.TrimSpace(title)
+	title = sanitizeWikiTitle(title)
 	title = util.PathJoinRelX(base, escapeSegToWeb(title, false))
 	if title == "" || title == "." {
 		title = "unnamed"
@@ -2,6 +2,7 @@

 	{{template "admin/config_settings/avatars" .}}
 	{{template "admin/config_settings/repository" .}}
+	{{template "admin/config_settings/landing_page" .}}
 	{{template "admin/config_settings/instance" .}}

 {{template "admin/layout_footer" .}}
@@ -0,0 +1,49 @@
+<h4 class="ui top attached header">{{ctx.Locale.Tr "admin.config.instance_landing_page"}}</h4>
+<div class="ui attached segment">
+	<form class="ui form ignore-dirty system-config-form" method="post" action="{{AppSubUrl}}/-/admin/config">
+		{{$cfgOpt := $.SystemConfig.Instance.LandingPage}}
+		{{$cfgKey := $cfgOpt.DynKey}}
+		{{$landingPage := $cfgOpt.Value ctx}}
+		<input type="hidden" data-config-dyn-key="{{$cfgKey}}" data-config-value-json="{{JsonUtils.EncodeToString $landingPage}}">
+		<div class="grouped fields">
+			<div class="field">
+				<div class="ui radio checkbox">
+					<input name="{{$cfgKey}}.Mode" type="radio" value="home" {{if or (eq $landingPage.Mode "") (eq $landingPage.Mode "home")}}checked{{end}}>
+					<label>{{ctx.Locale.Tr "admin.config.landing_page.home"}}</label>
+				</div>
+			</div>
+			<div class="field">
+				<div class="ui radio checkbox">
+					<input name="{{$cfgKey}}.Mode" type="radio" value="explore" {{if eq $landingPage.Mode "explore"}}checked{{end}}>
+					<label>{{ctx.Locale.Tr "admin.config.landing_page.explore"}}</label>
+				</div>
+			</div>
+			<div class="field">
+				<div class="ui radio checkbox">
+					<input name="{{$cfgKey}}.Mode" type="radio" value="organizations" {{if eq $landingPage.Mode "organizations"}}checked{{end}}>
+					<label>{{ctx.Locale.Tr "admin.config.landing_page.organizations"}}</label>
+				</div>
+			</div>
+			<div class="field">
+				<div class="ui radio checkbox">
+					<input name="{{$cfgKey}}.Mode" type="radio" value="login" {{if eq $landingPage.Mode "login"}}checked{{end}}>
+					<label>{{ctx.Locale.Tr "admin.config.landing_page.login"}}</label>
+				</div>
+			</div>
+			<div class="field">
+				<div class="ui radio checkbox">
+					<input name="{{$cfgKey}}.Mode" type="radio" value="custom" {{if eq $landingPage.Mode "custom"}}checked{{end}}>
+					<label>{{ctx.Locale.Tr "admin.config.landing_page.custom"}}</label>
+				</div>
+			</div>
+		</div>
+		<div class="field">
+			<label>{{ctx.Locale.Tr "admin.config.landing_page.custom_path"}}</label>
+			<input type="text" name="{{$cfgKey}}.CustomPath" value="{{$landingPage.CustomPath}}" placeholder="/MokoConsulting">
+			<div class="help">{{ctx.Locale.Tr "admin.config.landing_page.custom_path_help"}}</div>
+		</div>
+		<div class="field">
+			<button class="ui primary button">{{ctx.Locale.Tr "save"}}</button>
+		</div>
+	</form>
+</div>
@@ -2,7 +2,7 @@
 	<div class="admin-setting-content">
 		{{if .NeedUpdate}}
 		<div class="ui positive message">
-			<div class="header">{{svg "octicon-info"}} MokoGitea Update Available</div>
+			<div class="header">{{svg "octicon-info"}} {{AppName}} Update Available</div>
 			<p>A new version <strong>{{.LatestVersion}}</strong> is available{{if .UpdateChannel}} ({{.UpdateChannel}} channel){{end}}.
 			{{if .ReleaseURL}}<a href="{{.ReleaseURL}}" target="_blank" rel="noopener noreferrer">View release notes</a>{{end}}</p>
 			{{if .DockerImage}}<p><code>docker pull {{.DockerImage}}</code></p>{{end}}
@@ -1,7 +1,7 @@
 <footer class="page-footer" role="group" aria-label="{{ctx.Locale.Tr "aria.footer"}}">
 	<div class="left-links" role="contentinfo" aria-label="{{ctx.Locale.Tr "aria.footer.software"}}">
 		{{if ShowFooterPoweredBy}}
-			<a target="_blank" href="https://git.mokoconsulting.tech/MokoConsulting/MokoGitea">{{ctx.Locale.Tr "powered_by" "MokoGitea"}}</a>
+			<a target="_blank" href="https://git.mokoconsulting.tech/MokoConsulting/MokoGitea">{{ctx.Locale.Tr "powered_by" AppName}}</a>
 		{{end}}
 		{{if (or .ShowFooterVersion .PageIsAdmin)}}
 			<span>
@@ -36,6 +36,7 @@
 		</div>
 		<a href="{{AssetUrlPrefix}}/licenses.txt">{{ctx.Locale.Tr "licenses"}}</a>
 		{{if .EnableSwagger}}<a href="{{AppSubUrl}}/api/swagger">API</a>{{end}}
+		<a href="{{HelpURL}}" target="_blank">{{ctx.Locale.Tr "help"}}</a>
 		{{template "custom/extra_links_footer" .}}
 	</div>
 </footer>
@@ -35,9 +35,7 @@

 		{{template "custom/extra_links" .}}

-		{{if not .IsSigned}}
-			<a class="item" target="_blank" href="{{HelpURL}}">{{ctx.Locale.Tr "help"}}</a>
-		{{end}}
+		<a class="item" target="_blank" href="{{HelpURL}}">{{ctx.Locale.Tr "help"}}</a>
 	</div>

 	<!-- the full dropdown menus -->
@@ -0,0 +1,192 @@
+{{template "base/head" .}}
+<div role="main" aria-label="{{.Title}}" class="page-content organization">
+	{{template "org/header" .}}
+	<div class="ui container">
+
+		{{if .NewMasterKey}}
+			<div class="ui info message">
+				<div class="header">{{ctx.Locale.Tr "repo.licenses.master_key_created"}}</div>
+				<p>{{ctx.Locale.Tr "repo.licenses.master_key_created_copy"}}</p>
+				<div class="ui action input tw-w-full tw-mt-2">
+					<input class="js-new-master-key" type="text" readonly value="{{.NewMasterKey}}" onclick="this.select()">
+					<button class="ui button" data-clipboard-target=".js-new-master-key" data-tooltip-content="{{ctx.Locale.Tr "copy_url"}}">{{svg "octicon-copy" 14}}</button>
+				</div>
+			</div>
+		{{end}}
+
+		{{if .NewKeyCreated}}
+			<div class="ui success message">
+				<div class="header">{{ctx.Locale.Tr "repo.licenses.key_created"}}</div>
+				<p>{{ctx.Locale.Tr "repo.licenses.key_created_copy"}}</p>
+				<div class="ui action input tw-w-full tw-mt-2">
+					<input class="js-new-license-key" type="text" readonly value="{{.NewKeyCreated}}" onclick="this.select()">
+					<button class="ui button" data-clipboard-target=".js-new-license-key" data-tooltip-content="{{ctx.Locale.Tr "copy_url"}}">{{svg "octicon-copy" 14}}</button>
+				</div>
+			</div>
+		{{end}}
+
+		<h4 class="ui top attached header">
+			{{svg "octicon-key" 16}} {{ctx.Locale.Tr "repo.licenses.packages"}}
+		</h4>
+		<div class="ui attached segment">
+			{{if .IsRepoAdmin}}
+				<details class="tw-mb-4">
+					<summary class="ui primary button">{{svg "octicon-plus" 14}} {{ctx.Locale.Tr "repo.licenses.new_package"}}</summary>
+					<div class="tw-mt-4">
+						<form class="ui form" method="post" action="{{$.Org.HomeLink}}/-/licenses/packages">
+							{{.CsrfTokenHtml}}
+							<div class="two fields">
+								<div class="required field">
+									<label>{{ctx.Locale.Tr "repo.licenses.package_name"}}</label>
+									<input name="name" required placeholder="e.g. Pro Annual, Basic Monthly">
+								</div>
+								<div class="field">
+									<label>{{ctx.Locale.Tr "repo.licenses.description"}}</label>
+									<input name="description" placeholder="e.g. Annual pro subscription">
+								</div>
+							</div>
+							<div class="three fields">
+								<div class="field">
+									<label>{{ctx.Locale.Tr "repo.licenses.duration"}} ({{ctx.Locale.Tr "repo.licenses.days"}})</label>
+									<input name="duration_days" type="number" value="0" min="0">
+									<p class="help">0 = {{ctx.Locale.Tr "repo.licenses.lifetime"}}</p>
+								</div>
+								<div class="field">
+									<label>{{ctx.Locale.Tr "repo.licenses.max_sites"}}</label>
+									<input name="max_sites" type="number" value="0" min="0">
+									<p class="help">0 = {{ctx.Locale.Tr "repo.licenses.unlimited"}}</p>
+								</div>
+								<div class="field">
+									<label>{{ctx.Locale.Tr "repo.licenses.channels"}}</label>
+									{{if $.AvailableStreams}}
+										{{range $.AvailableStreams}}
+										<div class="ui checkbox tw-mr-4 tw-mb-2">
+											<input name="allowed_channels" type="checkbox" value="{{.Name}}">
+											<label>{{.Name}}{{if .Description}} <small class="text grey">({{.Description}})</small>{{end}}</label>
+										</div>
+										{{end}}
+									{{end}}
+									<p class="help">{{ctx.Locale.Tr "repo.licenses.channels_help"}}</p>
+								</div>
+							</div>
+							<button class="ui primary button" type="submit">{{ctx.Locale.Tr "repo.licenses.create_package"}}</button>
+						</form>
+					</div>
+				</details>
+			{{end}}
+			{{if .LicensePackages}}
+				<table class="ui compact table">
+					<thead>
+						<tr>
+							<th>{{ctx.Locale.Tr "repo.licenses.package_name"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.duration"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.channels"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.keys_issued"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.status"}}</th>
+							{{if .IsRepoAdmin}}<th></th>{{end}}
+						</tr>
+					</thead>
+					<tbody>
+						{{range .LicensePackages}}
+							<tr>
+								<td><strong>{{.Name}}</strong>{{if eq .Name "Master (Internal)"}} <span class="ui tiny orange label">{{ctx.Locale.Tr "repo.licenses.master_label"}}</span>{{end}}{{if .Description}}<br><small class="text grey">{{.Description}}</small>{{end}}</td>
+								<td>{{if eq .DurationDays 0}}{{ctx.Locale.Tr "repo.licenses.lifetime"}}{{else}}{{.DurationDays}} {{ctx.Locale.Tr "repo.licenses.days"}}{{end}}</td>
+								<td>{{if .AllowedChannels}}<code>{{.AllowedChannels}}</code>{{else}}{{ctx.Locale.Tr "repo.licenses.all_channels"}}{{end}}</td>
+								<td>{{.KeyCount}}</td>
+								<td>{{if .IsActive}}<span class="ui green label">{{ctx.Locale.Tr "repo.licenses.active"}}</span>{{else}}<span class="ui grey label">{{ctx.Locale.Tr "repo.licenses.inactive"}}</span>{{end}}</td>
+								{{if $.IsRepoAdmin}}
+									<td class="tw-text-right tw-flex tw-gap-1 tw-justify-end">
+										<form method="post" action="{{$.Org.HomeLink}}/-/licenses/keys/generate" class="tw-inline tw-flex tw-gap-1 tw-items-center">
+											{{$.CsrfTokenHtml}}
+											<input type="hidden" name="package_id" value="{{.ID}}">
+											{{if or $.IsSiteAdmin $.IsOrganizationOwner}}
+											<input type="text" name="custom_key" placeholder="{{ctx.Locale.Tr "repo.licenses.custom_key_placeholder"}}" class="tw-w-32 tw-text-xs" title="{{ctx.Locale.Tr "repo.licenses.custom_key_help"}}">
+											{{end}}
+											<button class="ui tiny primary button" type="submit" title="{{ctx.Locale.Tr "repo.licenses.generate_key"}}">
+												{{svg "octicon-plus" 14}}
+											</button>
+										</form>
+										{{if ne .Name "Master (Internal)"}}
+										<a class="ui tiny button" href="{{$.Org.HomeLink}}/-/licenses/packages/{{.ID}}/edit" title="{{ctx.Locale.Tr "repo.licenses.edit_package"}}">
+											{{svg "octicon-pencil" 14}}
+										</a>
+										{{if $.IsSiteAdmin}}
+										<button class="ui tiny red button link-action" data-url="{{$.Org.HomeLink}}/-/licenses/packages/{{.ID}}/delete" data-modal-confirm="{{ctx.Locale.Tr "repo.licenses.confirm_delete_package"}}" title="{{ctx.Locale.Tr "repo.licenses.delete_package"}}">
+											{{svg "octicon-trash" 14}}
+										</button>
+										{{end}}
+										{{end}}
+									</td>
+								{{end}}
+							</tr>
+						{{end}}
+					</tbody>
+				</table>
+			{{else}}
+				<div class="empty-placeholder">
+					{{svg "octicon-key" 48}}
+					<h2>{{ctx.Locale.Tr "repo.licenses.none"}}</h2>
+					<p>{{ctx.Locale.Tr "repo.licenses.none_desc"}}</p>
+				</div>
+			{{end}}
+		</div>
+
+		{{if .LicenseKeys}}
+			<h4 class="ui top attached header tw-mt-4">
+				{{svg "octicon-lock" 16}} {{ctx.Locale.Tr "repo.licenses.issued_keys"}}
+			</h4>
+			<div class="ui attached segment">
+				<table class="ui compact table">
+					<thead>
+						<tr>
+							<th>{{ctx.Locale.Tr "repo.licenses.key_prefix"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.licensee"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.expires"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.last_seen"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.status"}}</th>
+							{{if .IsRepoAdmin}}<th></th>{{end}}
+						</tr>
+					</thead>
+					<tbody>
+						{{range .LicenseKeys}}
+							<tr>
+								<td>
+									<div class="tw-flex tw-items-center tw-gap-1">
+										<code class="js-license-key-{{.ID}}">{{if .KeyRaw}}{{.KeyRaw}}{{else}}{{.KeyPrefix}}{{end}}</code>
+										{{if .KeyRaw}}<button class="ui tiny icon button" data-clipboard-target=".js-license-key-{{.ID}}" data-tooltip-content="{{ctx.Locale.Tr "copy_url"}}">{{svg "octicon-copy" 12}}</button>{{end}}
+										{{if .IsInternal}} <span class="ui tiny orange label">{{ctx.Locale.Tr "repo.licenses.master_label"}}</span>{{end}}
+									</div>
+								</td>
+								<td>{{.LicenseeName}}{{if .LicenseeEmail}} <small>({{.LicenseeEmail}})</small>{{end}}</td>
+								<td>{{if eq .ExpiresUnix 0}}{{ctx.Locale.Tr "repo.licenses.never"}}{{else}}{{DateUtils.AbsoluteShort .ExpiresUnix}}{{end}}</td>
+								<td>{{if eq .LastHeartbeatUnix 0}}{{ctx.Locale.Tr "repo.licenses.never"}}{{else}}{{DateUtils.AbsoluteShort .LastHeartbeatUnix}}{{end}}</td>
+								<td>{{if .IsActive}}<span class="ui green label">{{ctx.Locale.Tr "repo.licenses.active"}}</span>{{else}}<span class="ui grey label">{{ctx.Locale.Tr "repo.licenses.inactive"}}</span>{{end}}</td>
+								{{if $.IsRepoAdmin}}
+									<td class="tw-text-right tw-flex tw-gap-1 tw-justify-end">
+										{{if not .IsInternal}}
+										<a class="ui tiny button" href="{{$.Org.HomeLink}}/-/licenses/keys/{{.ID}}/edit" title="{{ctx.Locale.Tr "repo.licenses.edit_key"}}">
+											{{svg "octicon-pencil" 14}}
+										</a>
+										<button class="ui tiny green button link-action" data-url="{{$.Org.HomeLink}}/-/licenses/keys/{{.ID}}/renew" data-modal-confirm="{{ctx.Locale.Tr "repo.licenses.confirm_renew_key"}}" title="{{ctx.Locale.Tr "repo.licenses.renew"}}">
+											{{svg "octicon-sync" 14}}
+										</button>
+										{{end}}
+										<button class="ui tiny red button link-action" data-url="{{$.Org.HomeLink}}/-/licenses/keys/{{.ID}}/revoke" data-modal-confirm="{{ctx.Locale.Tr "repo.licenses.confirm_revoke_key"}}" title="{{ctx.Locale.Tr "repo.licenses.revoke"}}">
+											{{svg "octicon-x" 14}}
+										</button>
+										{{if $.IsSiteAdmin}}
+										<button class="ui tiny red button link-action" data-url="{{$.Org.HomeLink}}/-/licenses/keys/{{.ID}}/delete" data-modal-confirm="{{ctx.Locale.Tr "repo.licenses.confirm_delete_key"}}" title="{{ctx.Locale.Tr "repo.licenses.delete_key"}}">
+											{{svg "octicon-trash" 14}}
+										</button>
+										{{end}}
+									</td>
+								{{end}}
+							</tr>
+						{{end}}
+					</tbody>
+				</table>
+			</div>
+		{{end}}
+	</div>
+</div>
+{{template "base/footer" .}}
@@ -0,0 +1,60 @@
+{{template "base/head" .}}
+<div role="main" aria-label="{{.Title}}" class="page-content organization">
+	{{template "org/header" .}}
+	<div class="ui container">
+		<h4 class="ui top attached header">
+			{{svg "octicon-pencil" 16}} {{ctx.Locale.Tr "repo.licenses.edit_package"}}
+		</h4>
+		<div class="ui attached segment">
+			<form class="ui form" method="post" action="{{$.Org.HomeLink}}/-/licenses/packages/{{.Package.ID}}/edit">
+				{{.CsrfTokenHtml}}
+				<div class="two fields">
+					<div class="required field">
+						<label>{{ctx.Locale.Tr "repo.licenses.package_name"}}</label>
+						<input name="name" required value="{{.Package.Name}}">
+					</div>
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.description"}}</label>
+						<input name="description" value="{{.Package.Description}}">
+					</div>
+				</div>
+				<div class="three fields">
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.duration"}} ({{ctx.Locale.Tr "repo.licenses.days"}})</label>
+						<input name="duration_days" type="number" value="{{.Package.DurationDays}}" min="0">
+						<p class="help">0 = {{ctx.Locale.Tr "repo.licenses.lifetime"}}</p>
+					</div>
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.max_sites"}}</label>
+						<input name="max_sites" type="number" value="{{.Package.MaxSites}}" min="0">
+						<p class="help">0 = {{ctx.Locale.Tr "repo.licenses.unlimited"}}</p>
+					</div>
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.channels"}}</label>
+						{{if .AvailableStreams}}
+							{{range .AvailableStreams}}
+							<div class="ui checkbox tw-mr-4 tw-mb-2">
+								<input name="allowed_channels" type="checkbox" value="{{.Name}}" {{if SliceUtils.Contains $.SelectedChannels .Name}}checked{{end}}>
+								<label>{{.Name}}{{if .Description}} <small class="text grey">({{.Description}})</small>{{end}}</label>
+							</div>
+							{{end}}
+						{{end}}
+						<p class="help">{{ctx.Locale.Tr "repo.licenses.channels_help"}}</p>
+					</div>
+				</div>
+				<div class="field">
+					<div class="ui checkbox">
+						<input name="is_active" type="checkbox" {{if .Package.IsActive}}checked{{end}}>
+						<label>{{ctx.Locale.Tr "repo.licenses.active"}}</label>
+					</div>
+					<p class="help">{{ctx.Locale.Tr "repo.licenses.active_help_package"}}</p>
+				</div>
+				<div class="field tw-mt-4">
+					<button class="ui primary button" type="submit">{{ctx.Locale.Tr "save"}}</button>
+					<a class="ui button" href="{{$.Org.HomeLink}}/-/licenses">{{ctx.Locale.Tr "cancel"}}</a>
+				</div>
+			</form>
+		</div>
+	</div>
+</div>
+{{template "base/footer" .}}
@@ -25,6 +25,14 @@
 				{{svg "octicon-package"}} {{ctx.Locale.Tr "packages.title"}}
 			</a>
 			{{end}}
+			{{if and .IsOrganizationMember (or .OrgLicensingEnabled .IsLicensesPage)}}
+			<a class="{{if .IsLicensesPage}}active {{end}}item" href="{{$.Org.HomeLink}}/-/licenses">
+				{{svg "octicon-key"}} {{ctx.Locale.Tr "repo.licenses"}}
+				{{if .NumOrgLicensePackages}}
+					<div class="ui small label">{{.NumOrgLicensePackages}}</div>
+				{{end}}
+			</a>
+			{{end}}
 			{{if and .IsRepoIndexerEnabled .CanReadCode}}
 			<a class="{{if .IsCodePage}}active {{end}}item" href="{{$.Org.HomeLink}}/-/code">
 				{{svg "octicon-code"}} {{ctx.Locale.Tr "org.code"}}
@@ -25,6 +25,9 @@
 			{{ctx.Locale.Tr "packages.title"}}
 		</a>
 		{{end}}
+		<a class="{{if .PageIsSettingsUpdateStreams}}active {{end}}item" href="{{.OrgLink}}/settings/update-streams">
+			{{svg "octicon-key"}} {{ctx.Locale.Tr "org.settings.update_streams"}}
+		</a>
 		{{if .EnableActions}}
 		<details class="item toggleable-item" {{if or .PageIsOrgSettingsActionsGeneral .PageIsSharedSettingsRunners .PageIsSharedSettingsSecrets .PageIsSharedSettingsVariables}}open{{end}}>
 			<summary>{{ctx.Locale.Tr "actions.actions"}}</summary>
@@ -48,6 +48,16 @@
 			</div>
 			{{end}}

+			<div class="divider"></div>
+
+			<div class="inline field">
+				<div class="ui checkbox">
+					<input type="checkbox" name="require_2fa" {{if .Org.Require2FA}}checked{{end}}>
+					<label>{{svg "octicon-shield-lock" 16}} Require two-factor authentication for all members</label>
+				</div>
+				<p class="help">When enabled, organization members without 2FA configured will be prompted to set it up before accessing organization resources.</p>
+			</div>
+
 			<div class="field">
 				<button class="ui primary button">{{ctx.Locale.Tr "org.settings.update_settings"}}</button>
 			</div>
@@ -0,0 +1,87 @@
+{{template "org/settings/layout_head" (dict "pageClass" "organization settings")}}
+<div class="org-setting-content">
+
+	{{/* ── Section 1: Licensing ── */}}
+	<h4 class="ui top attached header">
+		{{svg "octicon-key" 16}} {{ctx.Locale.Tr "org.settings.licensing"}}
+	</h4>
+	<div class="ui attached segment">
+		<form class="ui form" method="post" action="{{.OrgLink}}/settings/update-streams">
+			{{.CsrfTokenHtml}}
+
+			<p>{{ctx.Locale.Tr "org.settings.licensing_desc"}}</p>
+
+			<div class="inline field">
+				<div class="ui checkbox">
+					<input name="licensing_enabled" type="checkbox" {{if .StreamConfig.LicensingEnabled}}checked{{end}}>
+					<label><strong>{{ctx.Locale.Tr "org.settings.enable_licensing"}}</strong></label>
+				</div>
+				<p class="help">{{ctx.Locale.Tr "org.settings.enable_licensing_help"}}</p>
+			</div>
+
+			<div class="inline field">
+				<div class="ui checkbox">
+					<input name="require_key" type="checkbox" {{if .StreamConfig.RequireKey}}checked{{end}}>
+					<label><strong>{{ctx.Locale.Tr "org.settings.require_key"}}</strong></label>
+				</div>
+				<p class="help">{{ctx.Locale.Tr "org.settings.require_key_help"}}</p>
+			</div>
+
+			<div class="ui divider"></div>
+
+			{{/* ── Section 2: Update Streams ── */}}
+			<h5>{{svg "octicon-rss" 14}} {{ctx.Locale.Tr "org.settings.update_streams_heading"}}</h5>
+			<p>{{ctx.Locale.Tr "org.settings.update_streams_desc"}}</p>
+
+			<div class="grouped fields">
+				<label>{{ctx.Locale.Tr "org.settings.stream_mode"}}</label>
+				<div class="field">
+					<div class="ui radio checkbox">
+						<input name="stream_mode" type="radio" value="joomla" {{if or (eq .StreamConfig.StreamMode "") (eq .StreamConfig.StreamMode "joomla")}}checked{{end}}>
+						<label>{{ctx.Locale.Tr "org.settings.stream_mode_joomla"}}</label>
+					</div>
+				</div>
+				<div class="field">
+					<div class="ui radio checkbox">
+						<input name="stream_mode" type="radio" value="custom" {{if eq .StreamConfig.StreamMode "custom"}}checked{{end}}>
+						<label>{{ctx.Locale.Tr "org.settings.stream_mode_custom"}}</label>
+					</div>
+				</div>
+			</div>
+
+			<div class="field">
+				<label>{{ctx.Locale.Tr "org.settings.default_streams"}}</label>
+				<table class="ui small compact table">
+					<thead>
+						<tr>
+							<th>{{ctx.Locale.Tr "org.settings.stream_name"}}</th>
+							<th>{{ctx.Locale.Tr "org.settings.stream_suffix"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.description"}}</th>
+						</tr>
+					</thead>
+					<tbody>
+						{{range .EffectiveStreams}}
+							<tr>
+								<td><code>{{.Name}}</code></td>
+								<td>{{if .Suffix}}<code>{{.Suffix}}</code>{{else}}<span class="text grey">{{ctx.Locale.Tr "org.settings.no_suffix"}}</span>{{end}}</td>
+								<td>{{.Description}}</td>
+							</tr>
+						{{end}}
+					</tbody>
+				</table>
+				<p class="help">{{ctx.Locale.Tr "org.settings.streams_tag_help"}}</p>
+			</div>
+
+			<div class="field">
+				<label>{{ctx.Locale.Tr "org.settings.custom_streams"}}</label>
+				<textarea name="custom_streams" rows="6" placeholder='[{"name":"lts","suffix":"-lts","description":"Long-term support"}]'>{{.StreamConfig.CustomStreams}}</textarea>
+				<p class="help">{{ctx.Locale.Tr "org.settings.custom_streams_help"}}</p>
+			</div>
+
+			<div class="field">
+				<button class="ui primary button">{{ctx.Locale.Tr "save"}}</button>
+			</div>
+		</form>
+	</div>
+</div>
+{{template "org/settings/layout_footer" .}}
@@ -47,7 +47,7 @@
 					<h3>{{ctx.Locale.Tr "org.settings.permission"}}</h3>
 					{{ctx.Locale.Tr "org.teams.write_permission_desc"}}
 				{{else if (eq .Team.AccessMode 3)}}
-					{{/* FIXME: here might not right, see "FIXME: TEAM-UNIT-PERMISSION", new units might not have correct admin permission*/}}
+					{{/* Admin teams implicitly have admin access to all units (including newly added ones) */}}
 					<h3>{{ctx.Locale.Tr "org.settings.permission"}}</h3>
 					{{ctx.Locale.Tr "org.teams.admin_permission_desc"}}
 				{{else}}
@@ -128,6 +128,15 @@
 						</a>
 					{{end}}

+					{{if or .EnableLicenses .IsRepoAdmin}}
+						<a href="{{.RepoLink}}/licenses" class="{{if .IsLicensesPage}}active {{end}}item">
+							{{svg "octicon-key"}} {{ctx.Locale.Tr "repo.licenses"}}
+							{{if .NumLicensePackages}}
+								<span class="ui small label">{{CountFmt .NumLicensePackages}}</span>
+							{{end}}
+						</a>
+					{{end}}
+
 					{{$projectsUnit := .Repository.MustGetUnit ctx ctx.Consts.RepoUnitTypeProjects}}
 					{{if and (not ctx.Consts.RepoUnitTypeProjects.UnitGlobalDisabled) (.Permission.CanRead ctx.Consts.RepoUnitTypeProjects) ($projectsUnit.ProjectsConfig.IsProjectsAllowed "repo")}}
 						<a href="{{.RepoLink}}/projects" class="{{if .IsProjectsPage}}active {{end}}item">
@@ -0,0 +1,225 @@
+{{template "base/head" .}}
+<div role="main" aria-label="{{.Title}}" class="page-content repository">
+	{{template "repo/header" .}}
+	<div class="ui container">
+
+		{{if .NewMasterKey}}
+			<div class="ui info message">
+				<div class="header">{{ctx.Locale.Tr "repo.licenses.master_key_created"}}</div>
+				<p>{{ctx.Locale.Tr "repo.licenses.master_key_created_copy"}}</p>
+				<div class="ui action input tw-w-full tw-mt-2">
+					<input class="js-new-master-key" type="text" readonly value="{{.NewMasterKey}}" onclick="this.select()">
+					<button class="ui button" data-clipboard-target=".js-new-master-key" data-tooltip-content="{{ctx.Locale.Tr "copy_url"}}">{{svg "octicon-copy" 14}}</button>
+				</div>
+			</div>
+		{{end}}
+
+		{{if .NewKeyCreated}}
+			<div class="ui success message">
+				<div class="header">{{ctx.Locale.Tr "repo.licenses.key_created"}}</div>
+				<p>{{ctx.Locale.Tr "repo.licenses.key_created_copy"}}</p>
+				<div class="ui action input tw-w-full tw-mt-2">
+					<input class="js-new-license-key" type="text" readonly value="{{.NewKeyCreated}}" onclick="this.select()">
+					<button class="ui button" data-clipboard-target=".js-new-license-key" data-tooltip-content="{{ctx.Locale.Tr "copy_url"}}">{{svg "octicon-copy" 14}}</button>
+				</div>
+			</div>
+		{{end}}
+
+		{{/* ── License Packages ── */}}
+		<h4 class="ui top attached header">
+			{{svg "octicon-key" 16}} {{ctx.Locale.Tr "repo.licenses.packages"}}
+		</h4>
+		<div class="ui attached segment">
+			{{if .LicensePackages}}
+				<table class="ui compact table">
+					<thead>
+						<tr>
+							<th>{{ctx.Locale.Tr "repo.licenses.package_name"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.duration"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.channels"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.keys_issued"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.status"}}</th>
+							{{if .IsRepoAdmin}}<th></th>{{end}}
+						</tr>
+					</thead>
+					<tbody>
+						{{range .LicensePackages}}
+							<tr>
+								<td><strong>{{.Name}}</strong>{{if eq .Name "Master (Internal)"}} <span class="ui tiny orange label">{{ctx.Locale.Tr "repo.licenses.master_label"}}</span>{{end}}{{if .Description}}<br><small class="text grey">{{.Description}}</small>{{end}}</td>
+								<td>{{if eq .DurationDays 0}}{{ctx.Locale.Tr "repo.licenses.lifetime"}}{{else}}{{.DurationDays}} {{ctx.Locale.Tr "repo.licenses.days"}}{{end}}</td>
+								<td>{{if .AllowedChannels}}<code>{{.AllowedChannels}}</code>{{else}}{{ctx.Locale.Tr "repo.licenses.all_channels"}}{{end}}</td>
+								<td>{{.KeyCount}}</td>
+								<td>{{if .IsActive}}<span class="ui green label">{{ctx.Locale.Tr "repo.licenses.active"}}</span>{{else}}<span class="ui grey label">{{ctx.Locale.Tr "repo.licenses.inactive"}}</span>{{end}}</td>
+								{{if $.IsRepoAdmin}}
+									<td class="tw-text-right tw-flex tw-gap-1 tw-justify-end">
+										<form method="post" action="{{$.RepoLink}}/licenses/keys/generate" class="tw-inline tw-flex tw-gap-1 tw-items-center">
+											{{$.CsrfTokenHtml}}
+											<input type="hidden" name="package_id" value="{{.ID}}">
+											{{if $.IsSiteAdmin}}
+											<input type="text" name="custom_key" placeholder="{{ctx.Locale.Tr "repo.licenses.custom_key_placeholder"}}" class="tw-w-32 tw-text-xs" title="{{ctx.Locale.Tr "repo.licenses.custom_key_help"}}">
+											{{end}}
+											<button class="ui tiny primary button" type="submit" title="{{ctx.Locale.Tr "repo.licenses.generate_key"}}">
+												{{svg "octicon-plus" 14}}
+											</button>
+										</form>
+										{{if ne .Name "Master (Internal)"}}
+										<a class="ui tiny button" href="{{$.RepoLink}}/licenses/packages/{{.ID}}/edit" title="{{ctx.Locale.Tr "repo.licenses.edit_package"}}">
+											{{svg "octicon-pencil" 14}}
+										</a>
+										{{if $.IsSiteAdmin}}
+										<button class="ui tiny red button link-action" data-url="{{$.RepoLink}}/licenses/packages/{{.ID}}/delete" data-modal-confirm="{{ctx.Locale.Tr "repo.licenses.confirm_delete_package"}}" title="{{ctx.Locale.Tr "repo.licenses.delete_package"}}">
+											{{svg "octicon-trash" 14}}
+										</button>
+										{{end}}
+										{{end}}
+									</td>
+								{{end}}
+							</tr>
+						{{end}}
+					</tbody>
+				</table>
+			{{else}}
+				<div class="empty-placeholder">
+					{{svg "octicon-key" 48}}
+					<h2>{{ctx.Locale.Tr "repo.licenses.none"}}</h2>
+					<p>{{ctx.Locale.Tr "repo.licenses.none_desc"}}</p>
+				</div>
+			{{end}}
+		</div>
+
+		{{/* ── Create New License Package ── */}}
+		{{if .IsRepoAdmin}}
+			<div class="tw-mt-4">
+				<details>
+					<summary class="ui primary button">{{svg "octicon-plus" 14}} {{ctx.Locale.Tr "repo.licenses.new_package"}}</summary>
+					<div class="ui segment tw-mt-2">
+						<form class="ui form" method="post" action="{{.RepoLink}}/licenses/packages">
+							{{.CsrfTokenHtml}}
+							<div class="two fields">
+								<div class="required field">
+									<label>{{ctx.Locale.Tr "repo.licenses.package_name"}}</label>
+									<input name="name" required placeholder="e.g. Pro Annual, Basic Monthly">
+								</div>
+								<div class="field">
+									<label>{{ctx.Locale.Tr "repo.licenses.description"}}</label>
+									<input name="description" placeholder="e.g. Annual pro subscription with all channels">
+								</div>
+							</div>
+							<div class="three fields">
+								<div class="field">
+									<label>{{ctx.Locale.Tr "repo.licenses.duration"}} ({{ctx.Locale.Tr "repo.licenses.days"}})</label>
+									<input name="duration_days" type="number" value="0" min="0">
+									<p class="help">0 = {{ctx.Locale.Tr "repo.licenses.lifetime"}}</p>
+								</div>
+								<div class="field">
+									<label>{{ctx.Locale.Tr "repo.licenses.max_sites"}}</label>
+									<input name="max_sites" type="number" value="0" min="0">
+									<p class="help">0 = {{ctx.Locale.Tr "repo.licenses.unlimited"}}</p>
+								</div>
+								<div class="field">
+									<label>{{ctx.Locale.Tr "repo.licenses.channels"}}</label>
+									{{if .AvailableStreams}}
+										{{range .AvailableStreams}}
+										<div class="ui checkbox tw-mr-4 tw-mb-2">
+											<input name="allowed_channels" type="checkbox" value="{{.Name}}">
+											<label>{{.Name}}{{if .Description}} <small class="text grey">({{.Description}})</small>{{end}}</label>
+										</div>
+										{{end}}
+									{{end}}
+									<p class="help">{{ctx.Locale.Tr "repo.licenses.channels_help"}}</p>
+								</div>
+							</div>
+							<button class="ui primary button" type="submit">{{ctx.Locale.Tr "repo.licenses.create_package"}}</button>
+						</form>
+					</div>
+				</details>
+			</div>
+		{{end}}
+
+		{{/* ── Issued Keys ── */}}
+		{{if .LicenseKeys}}
+			<h4 class="ui top attached header tw-mt-4">
+				{{svg "octicon-lock" 16}} {{ctx.Locale.Tr "repo.licenses.issued_keys"}}
+			</h4>
+			<div class="ui attached segment">
+				<table class="ui compact table">
+					<thead>
+						<tr>
+							<th>{{ctx.Locale.Tr "repo.licenses.key_prefix"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.licensee"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.expires"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.last_seen"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.status"}}</th>
+							{{if .IsRepoAdmin}}<th></th>{{end}}
+						</tr>
+					</thead>
+					<tbody>
+						{{range .LicenseKeys}}
+							<tr>
+								<td>
+									<div class="tw-flex tw-items-center tw-gap-1">
+										<code class="js-license-key-{{.ID}}">{{if .KeyRaw}}{{.KeyRaw}}{{else}}{{.KeyPrefix}}{{end}}</code>
+										{{if .KeyRaw}}<button class="ui tiny icon button" data-clipboard-target=".js-license-key-{{.ID}}" data-tooltip-content="{{ctx.Locale.Tr "copy_url"}}">{{svg "octicon-copy" 12}}</button>{{end}}
+										{{if .IsInternal}} <span class="ui tiny orange label">{{ctx.Locale.Tr "repo.licenses.master_label"}}</span>{{end}}
+									</div>
+								</td>
+								<td>{{.LicenseeName}}{{if .LicenseeEmail}} <small>({{.LicenseeEmail}})</small>{{end}}</td>
+								<td>{{if eq .ExpiresUnix 0}}{{ctx.Locale.Tr "repo.licenses.never"}}{{else}}{{DateUtils.AbsoluteShort .ExpiresUnix}}{{end}}</td>
+								<td>{{if eq .LastHeartbeatUnix 0}}{{ctx.Locale.Tr "repo.licenses.never"}}{{else}}{{DateUtils.AbsoluteShort .LastHeartbeatUnix}}{{end}}</td>
+								<td>{{if .IsActive}}<span class="ui green label">{{ctx.Locale.Tr "repo.licenses.active"}}</span>{{else}}<span class="ui grey label">{{ctx.Locale.Tr "repo.licenses.inactive"}}</span>{{end}}</td>
+								{{if $.IsRepoAdmin}}
+									<td class="tw-text-right tw-flex tw-gap-1 tw-justify-end">
+										{{if not .IsInternal}}
+										<a class="ui tiny button" href="{{$.RepoLink}}/licenses/keys/{{.ID}}/edit" title="{{ctx.Locale.Tr "repo.licenses.edit_key"}}">
+											{{svg "octicon-pencil" 14}}
+										</a>
+										<button class="ui tiny green button link-action" data-url="{{$.RepoLink}}/licenses/keys/{{.ID}}/renew" data-modal-confirm="{{ctx.Locale.Tr "repo.licenses.confirm_renew_key"}}" title="{{ctx.Locale.Tr "repo.licenses.renew"}}">
+											{{svg "octicon-sync" 14}}
+										</button>
+										{{end}}
+										<button class="ui tiny red button link-action" data-url="{{$.RepoLink}}/licenses/keys/{{.ID}}/revoke" data-modal-confirm="{{ctx.Locale.Tr "repo.licenses.confirm_revoke_key"}}" title="{{ctx.Locale.Tr "repo.licenses.revoke"}}">
+											{{svg "octicon-x" 14}}
+										</button>
+										{{if $.IsSiteAdmin}}
+										<button class="ui tiny red button link-action" data-url="{{$.RepoLink}}/licenses/keys/{{.ID}}/delete" data-modal-confirm="{{ctx.Locale.Tr "repo.licenses.confirm_delete_key"}}" title="{{ctx.Locale.Tr "repo.licenses.delete_key"}}">
+											{{svg "octicon-trash" 14}}
+										</button>
+										{{end}}
+									</td>
+								{{end}}
+							</tr>
+						{{end}}
+					</tbody>
+				</table>
+			</div>
+		{{end}}
+
+		{{/* ── Update Feed URLs ── */}}
+		{{if .LicensingEnabled}}
+		<h4 class="ui top attached header tw-mt-4">
+			{{svg "octicon-rss" 16}} {{ctx.Locale.Tr "repo.licenses.update_feeds"}}
+		</h4>
+		<div class="ui attached segment">
+			{{if or (eq .RepoUpdatePlatform "joomla") (eq .RepoUpdatePlatform "both") (eq .RepoUpdatePlatform "")}}
+			<div class="field">
+				<label>{{ctx.Locale.Tr "repo.licenses.feed_joomla_updates"}}</label>
+				<div class="ui action input tw-w-full">
+					<input class="js-feed-url-joomla" type="text" readonly value="{{.Repository.HTMLURL ctx}}/updates.xml" onclick="this.select()">
+					<button class="ui button" data-clipboard-target=".js-feed-url-joomla" data-tooltip-content="{{ctx.Locale.Tr "copy_url"}}">{{svg "octicon-copy" 14}}</button>
+				</div>
+			</div>
+			{{end}}
+			{{if or (eq .RepoUpdatePlatform "dolibarr") (eq .RepoUpdatePlatform "both")}}
+			<div class="field tw-mt-2">
+				<label>{{ctx.Locale.Tr "repo.licenses.feed_dolibarr_updates"}}</label>
+				<div class="ui action input tw-w-full">
+					<input class="js-feed-url-dolibarr" type="text" readonly value="{{.Repository.HTMLURL ctx}}/updates/dolibarr.json" onclick="this.select()">
+					<button class="ui button" data-clipboard-target=".js-feed-url-dolibarr" data-tooltip-content="{{ctx.Locale.Tr "copy_url"}}">{{svg "octicon-copy" 14}}</button>
+				</div>
+			</div>
+			{{end}}
+		</div>
+		{{end}}
+	</div>
+</div>
+{{template "base/footer" .}}
@@ -0,0 +1,56 @@
+{{template "base/head" .}}
+<div role="main" aria-label="{{.Title}}" class="page-content repository">
+	{{template "repo/header" .}}
+	<div class="ui container">
+		<h4 class="ui top attached header">
+			{{svg "octicon-pencil" 16}} {{ctx.Locale.Tr "repo.licenses.edit_key"}}
+		</h4>
+		<div class="ui attached segment">
+			<div class="tw-mb-4">
+				<strong>{{ctx.Locale.Tr "repo.licenses.key_prefix"}}:</strong> <code>{{.Key.KeyPrefix}}</code>
+			</div>
+			<form class="ui form" method="post" action="{{.FormAction}}">
+				{{.CsrfTokenHtml}}
+				<div class="two fields">
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.licensee_name"}}</label>
+						<input name="licensee_name" value="{{.Key.LicenseeName}}" placeholder="Customer name">
+					</div>
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.licensee_email"}}</label>
+						<input name="licensee_email" type="email" value="{{.Key.LicenseeEmail}}" placeholder="customer@example.com">
+					</div>
+				</div>
+				<div class="two fields">
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.domain_restriction"}}</label>
+						<input name="domain_restriction" value="{{.Key.DomainRestriction}}" placeholder="example.com,example.org">
+						<p class="help">{{ctx.Locale.Tr "repo.licenses.domain_restriction_help"}}</p>
+					</div>
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.max_sites"}}</label>
+						<input name="max_sites" type="number" value="{{.Key.MaxSites}}" min="0">
+						<p class="help">0 = {{ctx.Locale.Tr "repo.licenses.use_package_default"}}</p>
+					</div>
+				</div>
+				<div class="field">
+					<label>{{ctx.Locale.Tr "repo.licenses.expires_at"}}</label>
+					<input name="expires_at" type="date" value="{{.ExpiresDate}}">
+					<p class="help">{{ctx.Locale.Tr "repo.licenses.expires_at_help"}}</p>
+				</div>
+				<div class="field">
+					<div class="ui checkbox">
+						<input name="is_active" type="checkbox" {{if .Key.IsActive}}checked{{end}}>
+						<label>{{ctx.Locale.Tr "repo.licenses.active"}}</label>
+					</div>
+					<p class="help">{{ctx.Locale.Tr "repo.licenses.active_help_key"}}</p>
+				</div>
+				<div class="field tw-mt-4">
+					<button class="ui primary button" type="submit">{{ctx.Locale.Tr "save"}}</button>
+					<a class="ui button" href="{{.BackLink}}">{{ctx.Locale.Tr "cancel"}}</a>
+				</div>
+			</form>
+		</div>
+	</div>
+</div>
+{{template "base/footer" .}}
--- a/Show More
+++ b/Show More