feat(licenses): store keys in plaintext, show full key with copy button

License keys are domain-locked so hashing is unnecessary. Store the full key in KeyRaw column for permanent visibility. Keys table now shows the complete key with a clipboard copy button per row. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
feat(licenses): platform enforcement, key deletion, expired key cleanup
2026-05-31 10:07:20 -05:00 · 2026-05-31 10:03:23 -05:00 · 2026-05-31 09:54:38 -05:00 · 2026-05-31 14:48:15 +00:00 · 2026-05-31 09:47:51 -05:00 · 2026-05-31 09:37:42 -05:00
51 changed files with 3132 additions and 1143 deletions
@@ -4,13 +4,13 @@
        <name>MokoGitea</name>
        <org>MokoConsulting</org>
        <description>Moko fork of Gitea — adding project board REST API endpoints and custom enhancements</description>
-        <version>05.08.00</version>
+        <version>05.14.00</version>
        <license spdx="GPL-3.0-or-later">GNU General Public License v3</license>
    </identity>
    <governance>
        <platform>go</platform>
        <standards-version>05.00.00</standards-version>
-        <standards-source>https://git.mokoconsulting.tech/MokoConsulting/moko-platform</standards-source>
+        <standards-source>https://code.mokoconsulting.tech/MokoConsulting/moko-platform</standards-source>
    </governance>
    <build>
        <language>Go</language>
@@ -1,66 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Release
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
-# PATH: /.mokogitea/workflows/auto-bump.yml
-# VERSION: 09.02.00
-# BRIEF: Auto patch-bump version on every push to dev (skips merge commits)
-
-name: "Universal: Auto Version Bump"
-
-on:
-  push:
-    branches:
-      - dev
-      - rc
-      - 'feature/**'
-      - 'patch/**'
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-
-permissions:
-  contents: write
-
-jobs:
-  bump:
-    name: Version Bump
-    runs-on: release
-    if: >-
-      !contains(github.event.head_commit.message, '[skip ci]') &&
-      !contains(github.event.head_commit.message, '[skip bump]') &&
-      !startsWith(github.event.head_commit.message, 'Merge pull request')
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
-          fetch-depth: 1
-
-      - name: Setup moko-platform tools
-        run: |
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          if [ -d "/opt/moko-platform/cli" ]; then
-            echo "MOKO_CLI=/opt/moko-platform/cli" >> "$GITHUB_ENV"
-          else
-            git clone --depth 1 --branch main --quiet \
-              "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/moko-platform.git" \
-              /tmp/moko-platform-api
-            cd /tmp/moko-platform-api && composer install --no-dev --no-interaction --quiet
-            echo "MOKO_CLI=/tmp/moko-platform-api/cli" >> "$GITHUB_ENV"
-          fi
-
-      - name: Bump version
-        run: |
-          php ${MOKO_CLI}/version_auto_bump.php \
-            --path . --branch "${GITHUB_REF_NAME}" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
-            --repo-url "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
@@ -1,270 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Release
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
-# PATH: /templates/workflows/universal/auto-release.yml.template
-# VERSION: 05.00.00
-# BRIEF: Universal build & release � detects platform from manifest.xml
-#
-# +========================================================================+
-# |              UNIVERSAL BUILD & RELEASE PIPELINE                        |
-# +========================================================================+
-# |                                                                        |
-# |  Reads manifest.xml (joomla|dolibarr|generic) to branch logic.       |
-# |                                                                        |
-# |  Platform-specific:                                                    |
-# |    joomla:   XML manifest, updates.xml, type-prefixed packages         |
-# |    dolibarr: mod*.class.php, update.txt, dev version reset             |
-# |    generic:  README-only, no update stream                             |
-# |                                                                        |
-# +========================================================================+
-
-name: "Universal: Build & Release"
-
-on:
-  pull_request:
-    types: [opened, closed]
-    branches:
-      - main
-  workflow_dispatch:
-    inputs:
-      action:
-        description: 'Action to perform'
-        required: false
-        type: choice
-        default: release
-        options:
-          - release
-          - promote-rc
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
-  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
-
-permissions:
-  contents: write
-
-jobs:
-  # ── PR Opened → Rename branch to RC and build RC release ─────────────────────
-  promote-rc:
-    name: Promote to RC
-    runs-on: release
-    if: >-
-      (github.event.action == 'opened' && github.event.pull_request.merged != true) ||
-      (github.event_name == 'workflow_dispatch' && inputs.action == 'promote-rc')
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
-          fetch-depth: 1
-
-      - name: Setup moko-platform tools
-        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-        run: |
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          # Always fetch latest CLI tools — never use stale cache from previous runs
-          rm -rf /tmp/moko-platform-api
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
-            /tmp/moko-platform-api
-          cd /tmp/moko-platform-api
-          composer install --no-dev --no-interaction --quiet
-
-      - name: Rename branch to rc
-        run: |
-          php /tmp/moko-platform-api/cli/branch_rename.php \
-            --from "${{ github.event.pull_request.head.ref || 'dev' }}" --to rc \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
-            --api-base "${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}" \
-            --pr "${{ github.event.pull_request.number }}"
-
-      - name: Checkout rc and configure git
-        run: |
-          git fetch origin rc
-          git checkout rc
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-
-      - name: Publish RC release
-        run: |
-          php /tmp/moko-platform-api/cli/release_publish.php \
-            --path . --stability rc --bump minor --branch rc \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}"
-
-      - name: Summary
-        if: always()
-        run: |
-          echo "## Promoted to Release Candidate" >> $GITHUB_STEP_SUMMARY
-          echo "Branch renamed to rc, minor bump, RC + lesser stream releases built, updates.xml synced" >> $GITHUB_STEP_SUMMARY
-
-  # ── Merged PR → Build & Release (or promote RC to stable) ────────────────────
-  release:
-    name: Build & Release Pipeline
-    runs-on: release
-    if: >-
-      github.event.pull_request.merged == true ||
-      (github.event_name == 'workflow_dispatch' && inputs.action != 'promote-rc')
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
-          fetch-depth: 0
-
-      - name: Configure git for bot pushes
-        run: |
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-
-      - name: Setup moko-platform tools
-        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_MIRROR_TOKEN }}"}}'
-        run: |
-          # Ensure PHP + Composer are available
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          # Always fetch latest CLI tools — never use stale cache from previous runs
-          rm -rf /tmp/moko-platform-api
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
-            /tmp/moko-platform-api
-          cd /tmp/moko-platform-api
-          composer install --no-dev --no-interaction --quiet
-
-
-      - name: "Publish stable release"
-        run: |
-          php /tmp/moko-platform-api/cli/release_publish.php \
-            --path . --stability stable --bump minor --branch main \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}"
-
-      # -- STEP 9: Mirror to GitHub (stable only) --------------------------------
-      - name: "Step 9: Mirror release to GitHub"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          secrets.GH_MIRROR_TOKEN != ''
-        continue-on-error: true
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
-          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          php /tmp/moko-platform-api/cli/release_mirror.php \
-            --version "$VERSION" --tag "$RELEASE_TAG" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-            --gh-token "${{ secrets.GH_MIRROR_TOKEN }}" --gh-repo "$GH_REPO" \
-            --branch main 2>&1 || true
-          echo "GitHub mirror updated" >> $GITHUB_STEP_SUMMARY
-
-      # -- STEP 10: Sync main branch to GitHub mirror ----------------------------
-      - name: "Step 10: Push main to GitHub mirror"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          secrets.GH_MIRROR_TOKEN != ''
-        continue-on-error: true
-        run: |
-          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
-          GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
-          GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
-          git remote add github "https://x-access-token:${{ secrets.GH_MIRROR_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
-            git remote set-url github "https://x-access-token:${{ secrets.GH_MIRROR_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
-          git fetch origin main --depth=1
-          git push github origin/main:refs/heads/main --force 2>/dev/null \
-            && echo "main branch pushed to GitHub mirror" \
-            || echo "WARNING: GitHub mirror push failed"
-
-      - name: "Step 11: Delete rc branch and recreate dev from main"
-        if: steps.version.outputs.skip != 'true'
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-
-          # Delete rc branch (ephemeral — created by promote-rc)
-          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
-            "${API_BASE}/branches/rc" 2>/dev/null \
-            && echo "Deleted rc branch" || echo "rc branch not found"
-
-          # Delete dev branch
-          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
-            "${API_BASE}/branches/dev" 2>/dev/null && echo "Deleted dev branch"
-
-          # Recreate dev from main (now includes version bump + changelog promotion)
-          curl -sf -X POST -H "Authorization: token ${TOKEN}" \
-            -H "Content-Type: application/json" \
-            "${API_BASE}/branches" \
-            -d '{"new_branch_name":"dev","old_branch_name":"main"}' 2>/dev/null && echo "Recreated dev from main"
-
-          echo "Pre-release branches cleaned, dev reset from main" >> $GITHUB_STEP_SUMMARY
-
-      - name: "Step 12: Create version branch from main"
-        if: steps.version.outputs.skip != 'true'
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          BRANCH_NAME="version/${VERSION}"
-          MAIN_SHA=$(git rev-parse HEAD)
-
-          # Delete old version branch if it exists (same version re-release)
-          curl -sf -X DELETE -H "Authorization: token ${TOKEN}"             "${API_BASE}/branches/${BRANCH_NAME}" 2>/dev/null && echo "Deleted old ${BRANCH_NAME}"
-
-          # Create version/XX.YY.ZZ from main
-          curl -sf -X POST -H "Authorization: token ${TOKEN}"             -H "Content-Type: application/json"             "${API_BASE}/branches"             -d "{\"new_branch_name\":\"${BRANCH_NAME}\",\"old_branch_name\":\"main\"}" 2>/dev/null             && echo "Created ${BRANCH_NAME} from main (${MAIN_SHA})"             || echo "WARNING: ${BRANCH_NAME} creation failed"
-
-          echo "Version branch created: ${BRANCH_NAME} (${MAIN_SHA})" >> $GITHUB_STEP_SUMMARY
-
-
-
-      # -- Dolibarr post-release: Reset dev version -----------------------------
-      - name: "Post-release: Reset dev version"
-        if: steps.version.outputs.skip != 'true'
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          php /tmp/moko-platform-api/cli/version_reset_dev.php \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "${API_BASE}" \
-            --branch dev --path . 2>&1 || true
-
-      # -- Summary --------------------------------------------------------------
-      - name: Pipeline Summary
-        if: always()
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          PLATFORM="${{ steps.platform.outputs.platform }}"
-          if [ "${{ steps.version.outputs.skip }}" = "true" ]; then
-            echo "## Release Skipped" >> $GITHUB_STEP_SUMMARY
-            echo "No VERSION in README.md" >> $GITHUB_STEP_SUMMARY
-          elif [ "${{ steps.check.outputs.already_released }}" = "true" ]; then
-            echo "## Already Released — ${VERSION}" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "## Build & Release Complete (${PLATFORM})" >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "| Step | Result |" >> $GITHUB_STEP_SUMMARY
-            echo "|------|--------|" >> $GITHUB_STEP_SUMMARY
-            echo "| Platform | \`${PLATFORM}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Branch | \`${{ steps.version.outputs.branch }}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Tag | \`${{ steps.version.outputs.tag }}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Release | [View](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${{ steps.version.outputs.tag }}) |" >> $GITHUB_STEP_SUMMARY
-          fi
@@ -5,7 +5,7 @@
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: moko-platform.Automation
-# VERSION: 05.08.00
+# VERSION: 05.14.00
 # BRIEF: Auto-create feature branch when an issue is opened

 name: "Universal: Issue Branch"
@@ -1,233 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Release
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
-# PATH: /templates/workflows/universal/pre-release.yml.template
-# VERSION: 05.01.00
-# BRIEF: Manual pre-release -- builds dev/alpha/beta/rc packages from any branch
-
-name: "Universal: Pre-Release"
-
-on:
-  pull_request:
-    types: [closed]
-    branches:
-      - dev
-  workflow_dispatch:
-    inputs:
-      stability:
-        description: 'Pre-release channel'
-        required: true
-        type: choice
-        options:
-          - development
-          - alpha
-          - beta
-          - release-candidate
-
-permissions:
-  contents: write
-
-env:
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
-  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
-
-jobs:
-  build:
-    name: "Build Pre-Release (${{ inputs.stability || 'development' }})"
-    runs-on: release
-    if: >-
-      github.event_name == 'workflow_dispatch' ||
-      (github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'dev')
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
-
-      - name: Setup moko-platform tools
-        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-        run: |
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          # Always fetch latest CLI tools — never use stale cache from previous runs
-          rm -rf /tmp/moko-platform-api
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
-            /tmp/moko-platform-api
-          cd /tmp/moko-platform-api && composer install --no-dev --no-interaction --quiet
-          echo "MOKO_CLI=/tmp/moko-platform-api/cli" >> "$GITHUB_ENV"
-
-      - name: Detect platform
-        id: platform
-        run: |
-          php ${MOKO_CLI}/manifest_read.php --path . --github-output
-
-      - name: Resolve metadata and bump version
-        id: meta
-        run: |
-          STABILITY="${{ inputs.stability || 'development' }}"
-
-          case "$STABILITY" in
-            development)        SUFFIX="-dev";   TAG="development" ;;
-            alpha)              SUFFIX="-alpha"; TAG="alpha" ;;
-            beta)               SUFFIX="-beta";  TAG="beta" ;;
-            release-candidate)  SUFFIX="-rc";    TAG="release-candidate" ;;
-          esac
-
-          # Read current version (bump already handled by push workflow)
-          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null)
-          [ -z "$VERSION" ] && VERSION="00.00.01"
-
-          # Strip any existing suffix from version before applying stability
-          VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')
-
-          php ${MOKO_CLI}/version_set_platform.php \
-            --path . --version "$VERSION" --branch "${{ github.ref_name }}" --stability "$STABILITY" 2>/dev/null || true
-
-          # Verify version consistency across all files
-          php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
-
-          # Update VERSION variable with suffix
-          if [ -n "$SUFFIX" ]; then
-            VERSION="${VERSION}${SUFFIX}"
-          fi
-
-          # Commit version bump
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-          git add -A
-          git diff --cached --quiet || {
-            git commit -m "chore(version): pre-release bump to ${VERSION} [skip ci]"
-            git push origin HEAD 2>&1
-          }
-
-          # Auto-detect element via manifest_element.php
-          php ${MOKO_CLI}/manifest_element.php \
-            --path . --version "$VERSION" --stability "$STABILITY" \
-            --repo "${GITEA_REPO}" --github-output
-
-          # Read back element outputs
-          EXT_ELEMENT=$(grep '^ext_element=' "$GITHUB_OUTPUT" | tail -1 | cut -d= -f2)
-          ZIP_NAME=$(grep '^zip_name=' "$GITHUB_OUTPUT" | tail -1 | cut -d= -f2)
-          [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
-          [ -z "$ZIP_NAME" ] && ZIP_NAME="${EXT_ELEMENT}-${VERSION}.zip"
-
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
-          echo "suffix=${SUFFIX}" >> "$GITHUB_OUTPUT"
-          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
-          echo "zip_name=${ZIP_NAME}" >> "$GITHUB_OUTPUT"
-          echo "ext_element=${EXT_ELEMENT}" >> "$GITHUB_OUTPUT"
-
-          echo "=== Pre-Release: ${EXT_ELEMENT} ${VERSION}${SUFFIX} ==="
-
-      - name: Create release
-        id: release
-        run: |
-          TAG="${{ steps.meta.outputs.tag }}"
-          VERSION="${{ steps.meta.outputs.version }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          php ${MOKO_CLI}/release_create.php \
-            --path . --version "$VERSION" --tag "$TAG" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-            --repo "${GITEA_REPO}" --branch dev --prerelease
-
-      - name: Build package and upload
-        id: package
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          TAG="${{ steps.meta.outputs.tag }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          php ${MOKO_CLI}/release_package.php \
-            --path . --version "$VERSION" --tag "$TAG" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-            --repo "${GITEA_REPO}" --output /tmp || true
-
-      - name: Update updates.xml
-        if: steps.platform.outputs.platform == 'joomla'
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          SHA256="${{ steps.package.outputs.sha256_zip }}"
-
-          if [ ! -f "updates.xml" ]; then
-            echo "No updates.xml -- skipping"
-            exit 0
-          fi
-
-          SHA_FLAG=""
-          [ -n "$SHA256" ] && SHA_FLAG="--sha ${SHA256}"
-
-          php ${MOKO_CLI}/updates_xml_build.php \
-            --path . --version "${VERSION}" --stability "${STABILITY}" \
-            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
-            ${SHA_FLAG}
-
-          # Commit and push
-          if ! git diff --quiet updates.xml 2>/dev/null; then
-            git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-            git config --local user.name "gitea-actions[bot]"
-            git add updates.xml
-            git commit -m "chore: update ${STABILITY} channel ${VERSION} [skip ci]"
-            git push origin HEAD 2>&1 || echo "WARNING: push failed"
-          fi
-
-      - name: "Sync updates.xml to all branches"
-        if: steps.platform.outputs.platform == 'joomla'
-        run: |
-          CURRENT_BRANCH="${{ github.ref_name }}"
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-
-          for BRANCH in main dev; do
-            [ "$BRANCH" = "$CURRENT_BRANCH" ] && continue
-            echo "Syncing updates.xml -> ${BRANCH}"
-            git fetch origin "${BRANCH}" 2>/dev/null || continue
-            git checkout "origin/${BRANCH}" -- updates.xml 2>/dev/null || continue
-            git checkout "${CURRENT_BRANCH}" -- updates.xml
-            if ! git diff --quiet updates.xml 2>/dev/null; then
-              git add updates.xml
-              git commit -m "chore: sync updates.xml from ${CURRENT_BRANCH} [skip ci]"
-              git push origin HEAD:refs/heads/${BRANCH} 2>&1 || echo "WARNING: push to ${BRANCH} failed"
-            fi
-            git checkout "${CURRENT_BRANCH}" 2>/dev/null
-          done
-
-      - name: "Delete lesser pre-release channels (cascade)"
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-
-          php ${MOKO_CLI}/release_cascade.php \
-            --stability "${{ steps.meta.outputs.stability }}" \
-            --token "${TOKEN}" \
-            --api-base "${API_BASE}"
-
-      - name: Summary
-        if: always()
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          ZIP_NAME="${{ steps.meta.outputs.zip_name }}"
-          SHA256="${{ steps.package.outputs.sha256_zip }}"
-          echo "## Pre-Release Complete" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
-          echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
-          echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Channel | ${STABILITY} |" >> $GITHUB_STEP_SUMMARY
-          echo "| Package | \`${ZIP_NAME}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| SHA-256 | \`${SHA256:-n/a}\` |" >> $GITHUB_STEP_SUMMARY
@@ -1,312 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Universal
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
-# PATH: /templates/workflows/update-server.yml
-# VERSION: 05.00.00
-# BRIEF: Pre-release build + update server XML for dev/alpha/beta/rc branches
-#
-# Thin wrapper around moko-platform CLI tools.
-# Builds packages, updates updates.xml, and optionally deploys via SFTP.
-#
-# Joomla filters update entries by the user's "Minimum Stability" setting.
-
-name: "Update Server"
-
-on:
-  push:
-    branches:
-      - 'dev'
-      - 'dev/**'
-      - 'alpha/**'
-      - 'beta/**'
-      - 'rc/**'
-    paths:
-      - 'src/**'
-      - 'htdocs/**'
-  pull_request:
-    types: [closed]
-    branches:
-      - 'dev'
-      - 'dev/**'
-      - 'alpha/**'
-      - 'beta/**'
-      - 'rc/**'
-    paths:
-      - 'src/**'
-      - 'htdocs/**'
-  workflow_dispatch:
-    inputs:
-      stability:
-        description: 'Stability tag'
-        required: true
-        default: 'development'
-        type: choice
-        options:
-          - development
-          - alpha
-          - beta
-          - rc
-          - stable
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
-  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
-
-permissions:
-  contents: write
-
-jobs:
-  update-xml:
-    name: Update Server
-    runs-on: release
-    if: >-
-      github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' || github.event_name == 'push'
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
-          fetch-depth: 0
-
-      - name: Setup moko-platform tools
-        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"http-basic":{"git.mokoconsulting.tech":{"username":"token","password":"${{ secrets.MOKOGITEA_TOKEN }}"}}}'
-        run: |
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          # Always fetch latest CLI tools — never use stale cache from previous runs
-          rm -rf /tmp/moko-platform
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
-            /tmp/moko-platform 2>/dev/null || true
-          if [ -d "/tmp/moko-platform" ] && [ -f "/tmp/moko-platform/composer.json" ]; then
-            cd /tmp/moko-platform && composer install --no-dev --no-interaction --quiet 2>/dev/null || true
-          fi
-          echo "MOKO_CLI=/tmp/moko-platform/cli" >> "$GITHUB_ENV"
-
-      - name: Detect platform
-        id: platform
-        run: php ${MOKO_CLI}/manifest_read.php --path . --github-output
-
-      - name: Resolve stability and bump version
-        id: meta
-        run: |
-          BRANCH="${{ github.ref_name }}"
-
-          # Configure git for bot pushes
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-
-          # Auto-bump patch version
-          php ${MOKO_CLI}/version_bump.php --path . 2>/dev/null || true
-
-          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null || echo "0.0.0")
-
-          # Strip any existing suffix before applying stability
-          VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')
-
-          # Determine stability from branch or manual input
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            STABILITY="${{ inputs.stability }}"
-          elif [[ "$BRANCH" == rc/* ]]; then
-            STABILITY="rc"
-          elif [[ "$BRANCH" == beta/* ]]; then
-            STABILITY="beta"
-          elif [[ "$BRANCH" == alpha/* ]]; then
-            STABILITY="alpha"
-          else
-            STABILITY="development"
-          fi
-
-          # Version suffix per stability stream
-          case "$STABILITY" in
-            development) SUFFIX="-dev";  TAG="development" ;;
-            alpha)       SUFFIX="-alpha"; TAG="alpha" ;;
-            beta)        SUFFIX="-beta";  TAG="beta" ;;
-            rc)          SUFFIX="-rc";    TAG="release-candidate" ;;
-            *)           SUFFIX="";       TAG="stable" ;;
-          esac
-
-          # Propagate version with stability suffix to all manifest files
-          php ${MOKO_CLI}/version_set_platform.php \
-            --path . --version "$VERSION" --branch "$BRANCH" --stability "$STABILITY" 2>/dev/null || true
-          php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
-
-          # Re-read version (now includes suffix from version_set_platform)
-          if [ -n "$SUFFIX" ]; then
-            VERSION="${VERSION}${SUFFIX}"
-          fi
-
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
-          echo "suffix=${SUFFIX}" >> "$GITHUB_OUTPUT"
-          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
-          echo "display_version=${VERSION}" >> "$GITHUB_OUTPUT"
-
-          # Commit version bump if changed
-          git add -A
-          git diff --cached --quiet || {
-            git commit -m "chore(version): auto-bump ${VERSION} [skip ci]" \
-              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
-            git push
-          }
-
-      - name: Create release and upload package
-        id: package
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          TAG="${{ steps.meta.outputs.tag }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-
-          # Create or update Gitea release
-          php ${MOKO_CLI}/release_create.php \
-            --path . --version "$VERSION" --tag "$TAG" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-            --repo "${GITEA_REPO}" --branch "${{ github.ref_name }}" --prerelease
-
-          # Build package and upload
-          php ${MOKO_CLI}/release_package.php \
-            --path . --version "$VERSION" --tag "$TAG" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-            --repo "${GITEA_REPO}" --output /tmp || true
-
-      - name: Update updates.xml
-        if: steps.platform.outputs.platform == 'joomla'
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          SHA256="${{ steps.package.outputs.sha256_zip }}"
-
-          if [ ! -f "updates.xml" ]; then
-            echo "No updates.xml — skipping"
-            exit 0
-          fi
-
-          SHA_FLAG=""
-          [ -n "$SHA256" ] && SHA_FLAG="--sha ${SHA256}"
-
-          php ${MOKO_CLI}/updates_xml_build.php \
-            --path . --version "${VERSION}" --stability "${STABILITY}" \
-            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
-            ${SHA_FLAG}
-
-          # Commit and push updates.xml
-          git add updates.xml
-          git diff --cached --quiet || {
-            git commit -m "chore: update ${STABILITY} channel ${VERSION} [skip ci]"
-            git push
-          }
-
-      - name: Sync updates.xml to main
-        if: github.ref_name != 'main' && steps.platform.outputs.platform == 'joomla'
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          GITEA_TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-
-          FILE_SHA=$(curl -sf -H "Authorization: token ${GITEA_TOKEN}" \
-            "${API_BASE}/contents/updates.xml?ref=main" | python3 -c "import sys,json; print(json.load(sys.stdin).get('sha',''))" 2>/dev/null || true)
-
-          if [ -n "$FILE_SHA" ] && [ -f "updates.xml" ]; then
-            python3 -c "
-          import base64, json, urllib.request, sys
-          with open('updates.xml', 'rb') as f:
-              content = base64.b64encode(f.read()).decode()
-          payload = json.dumps({
-              'content': content,
-              'sha': '${FILE_SHA}',
-              'message': 'chore: sync updates.xml from ${{ steps.meta.outputs.stability }} [skip ci]',
-              'branch': 'main'
-          }).encode()
-          req = urllib.request.Request(
-              '${API_BASE}/contents/updates.xml',
-              data=payload, method='PUT',
-              headers={
-                  'Authorization': 'token ${GITEA_TOKEN}',
-                  'Content-Type': 'application/json'
-              })
-          try:
-              urllib.request.urlopen(req)
-              print('updates.xml synced to main')
-          except Exception as e:
-              print(f'WARNING: sync to main failed: {e}', file=sys.stderr)
-          "
-          fi
-
-      - name: SFTP deploy to dev server
-        if: contains(github.ref, 'dev/') || github.ref == 'refs/heads/dev'
-        env:
-          DEV_HOST: ${{ vars.DEV_FTP_HOST }}
-          DEV_PATH: ${{ vars.DEV_FTP_PATH }}
-          DEV_SUFFIX: ${{ vars.DEV_FTP_SUFFIX }}
-          DEV_USER: ${{ vars.DEV_FTP_USERNAME }}
-          DEV_PORT: ${{ vars.DEV_FTP_PORT }}
-          DEV_KEY: ${{ secrets.DEV_FTP_KEY }}
-          DEV_PASS: ${{ secrets.DEV_FTP_PASSWORD }}
-        run: |
-          # Permission check: admin or maintain role required
-          ACTOR="${{ github.actor }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-
-          PERMISSION=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
-            "${API_BASE}/collaborators/${ACTOR}/permission" 2>/dev/null | \
-            python3 -c "import sys,json; print(json.load(sys.stdin).get('permission','read'))" 2>/dev/null || echo "read")
-          case "$PERMISSION" in
-            admin|maintain|write) ;;
-            *)
-              echo "Deploy denied: ${ACTOR} has '${PERMISSION}' — requires admin, maintain, or write"
-              exit 0
-              ;;
-          esac
-
-          [ -z "$DEV_HOST" ] || [ -z "$DEV_PATH" ] && { echo "DEV FTP not configured — skipping SFTP"; exit 0; }
-
-          SOURCE_DIR="src"
-          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
-          [ ! -d "$SOURCE_DIR" ] && exit 0
-
-          PORT="${DEV_PORT:-22}"
-          REMOTE="${DEV_PATH%/}"
-          [ -n "$DEV_SUFFIX" ] && REMOTE="${REMOTE}/${DEV_SUFFIX#/}"
-
-          printf '{"host":"%s","port":%s,"username":"%s","remotePath":"%s"' \
-            "$DEV_HOST" "$PORT" "$DEV_USER" "$REMOTE" > /tmp/sftp-config.json
-          if [ -n "$DEV_KEY" ]; then
-            echo "$DEV_KEY" > /tmp/deploy_key && chmod 600 /tmp/deploy_key
-            printf ',"privateKeyPath":"/tmp/deploy_key"}' >> /tmp/sftp-config.json
-          else
-            printf ',"password":"%s"}' "$DEV_PASS" >> /tmp/sftp-config.json
-          fi
-
-          PLATFORM=$(php ${MOKO_CLI}/platform_detect.php --path . 2>/dev/null || true)
-          if [ "$PLATFORM" = "waas-component" ] && [ -f "${MOKO_CLI}/../deploy/deploy-joomla.php" ]; then
-            php ${MOKO_CLI}/../deploy/deploy-joomla.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
-          elif [ -f "${MOKO_CLI}/../deploy/deploy-sftp.php" ]; then
-            php ${MOKO_CLI}/../deploy/deploy-sftp.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
-          fi
-          rm -f /tmp/deploy_key /tmp/sftp-config.json
-          echo "SFTP deploy to dev complete" >> $GITHUB_STEP_SUMMARY
-
-      - name: Summary
-        if: always()
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          DISPLAY="${{ steps.meta.outputs.display_version }}"
-          echo "## Update Server" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
-          echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
-          echo "| Stability | \`${STABILITY}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Version | \`${DISPLAY}\` |" >> $GITHUB_STEP_SUMMARY
@@ -1,161 +1,161 @@
-# Contributing to Moko Consulting Projects
-
-Thank you for your interest in contributing. All Moko Consulting repositories follow this universal workflow and version policy.
-
-## Branching Workflow
-
-```
-feature/* ──PR──> dev ──draft PR──> (renamed to rc) ──merge──> main
-```
-
-### Step by step
-
-1. **Create a feature branch** from `dev`:
-   ```bash
-   git checkout dev && git pull
-   git checkout -b feature/my-change
-   ```
-
-2. **Work and commit** on your feature branch. Push to origin.
-
-3. **Open a PR**: `feature/my-change` → `dev`. After review and checks, merge it.
-
-4. **When ready for release**, open a **draft PR**: `dev` → `main`.
-   - This automatically renames the source branch to `rc` (release candidate)
-   - An RC pre-release is built and uploaded
-
-5. **Alpha and beta branches** are created by manually renaming the branch before the RC stage:
-   - Rename `dev` to `alpha` for early testing → alpha pre-release is built
-   - Rename `alpha` to `beta` for feature-complete testing → beta pre-release is built
-   - When the draft PR is created, the branch is renamed to `rc`
-
-6. **Once PR checks pass** on the `rc` branch, mark the PR as ready and merge to `main`.
-
-7. **Merging to main** triggers the stable release pipeline:
-   - Minor version bump (e.g., `02.09.xx` → `02.10.00`)
-   - Stability suffix stripped (clean version)
-   - Gitea release created with ZIP/tar.gz packages
-   - `updates.xml` updated (Joomla extensions)
-   - `dev` branch recreated from `main`
-
-### Branch summary
-
-| Branch | Purpose | Created by |
-|--------|---------|-----------|
-| `feature/*` | New features and fixes | Developer |
-| `dev` | Integration branch | Auto-recreated after release |
-| `alpha` | Alpha pre-release testing | Manual rename from `dev` |
-| `beta` | Beta pre-release testing | Manual rename from `alpha` |
-| `rc` | Release candidate | Auto-renamed on draft PR to main |
-| `main` | Stable releases | Protected, merge only |
-| `version/XX.YY.ZZ` | Archived release snapshots | Auto-created by CI |
-
-### Protected branches
-
-| Branch | Direct push | Merge via |
-|--------|------------|-----------|
-| `main` | Blocked (CI bot whitelisted) | PR merge only |
-| `dev` | Blocked (CI bot whitelisted) | PR merge from feature/* |
-| `rc` | Blocked (CI bot whitelisted) | Auto-created on draft PR |
-| `alpha` | Blocked (CI bot whitelisted) | Manual rename |
-| `beta` | Blocked (CI bot whitelisted) | Manual rename |
-| `feature/*` | Open | N/A (source branch) |
-
-## Version Policy
-
-### Format
-
-All versions use `XX.YY.ZZ` — three two-digit segments, zero-padded:
-
- **XX** — Major version (breaking changes)
- **YY** — Minor version (new features, bumped on release to main)
- **ZZ** — Patch version (auto-incremented on every push to dev/feature branches)
-
-Rollover: patch `99` → `00` increments minor; minor `99` → `00` increments major.
-
-### Stability suffixes
-
-Each branch appends a suffix to indicate stability:
-
-| Branch | Suffix | Example |
-|--------|--------|---------|
-| `main` | (none) | `02.09.00` |
-| `dev` | `-dev` | `02.09.01-dev` |
-| `feature/*` | `-dev` | `02.09.01-dev` |
-| `alpha` | `-alpha` | `02.09.01-alpha` |
-| `beta` | `-beta` | `02.09.01-beta` |
-| `rc` | `-rc` | `02.09.01-rc` |
-
-### Auto version bump
-
-On every push to `dev`, `feature/*`, or `patch/*`:
-
-1. Patch version incremented
-2. Stability suffix `-dev` applied
-3. All version-bearing files updated (manifests, CHANGELOG, PHP headers, etc.)
-4. Commit created with `[skip ci]` to avoid loops
-
-### Release version flow
-
-Version bumps happen at specific release events:
-
-| Event | Bump | Example |
-|-------|------|---------|
-| Feature merged to dev | Patch bump after dev release | `02.09.01-dev` → release → `02.09.02-dev` |
-| Dev promoted to RC | Minor bump | `02.09.02-dev` → `02.10.00-rc` |
-| RC merged to main | Minor bump | `02.10.00-rc` → `02.11.00` (stable) |
-| Dev recreated from main | Patch bump | `02.11.00` → `02.11.01-dev` |
-
-### Release stream copies
-
-When a higher-stability release is published, copies are created for all lesser streams with the same base version:
-
- **RC `02.10.00-rc`** also creates: `02.10.00-dev`, `02.10.00-alpha`, `02.10.00-beta`
- **Stable `02.11.00`** also creates: `02.11.00-dev`, `02.11.00-alpha`, `02.11.00-beta`, `02.11.00-rc`
-
-This ensures Joomla sites on ANY stability channel see the update (Joomla only shows versions higher than what's installed).
-
-### Version files
-
-The version tools update all files containing version stamps:
-
- `.mokogitea/manifest.xml` (canonical source)
- Joomla XML manifests (`<version>` tag)
- `README.md`, `CHANGELOG.md` (`VERSION:` pattern)
- `package.json`, `pyproject.toml`
- Any text file with a `VERSION: XX.YY.ZZ` label
-
-Files synced from other repos (with a `# REPO:` header) are not touched.
-
-## Code Standards
-
- **PHP**: PSR-12, tabs for indentation
- **Copyright**: all files must include the Moko Consulting copyright header
- **License**: SPDX identifier `GPL-3.0-or-later` (or as specified per repo)
- **Attribution**: use `Authored-by: Moko Consulting` in commits, not individual names
-
-## Commit Messages
-
-Use conventional commit format:
-
-```
-type(scope): short description
-
-Optional body with context.
-
-Authored-by: Moko Consulting
-```
-
-Types: `feat`, `fix`, `chore`, `docs`, `style`, `refactor`, `test`, `ci`
-
-Special flags in commit messages:
- `[skip ci]` — skip all CI workflows
- `[skip bump]` — skip auto version bump only
-
-## Reporting Issues
-
-Use the repository's issue tracker with the appropriate template.
-
---
-
-*Moko Consulting <hello@mokoconsulting.tech>*
+# Contributing to Moko Consulting Projects
+
+Thank you for your interest in contributing. All Moko Consulting repositories follow this universal workflow and version policy.
+
+## Branching Workflow
+
+```
+feature/* ──PR──> dev ──draft PR──> (renamed to rc) ──merge──> main
+```
+
+### Step by step
+
+1. **Create a feature branch** from `dev`:
+   ```bash
+   git checkout dev && git pull
+   git checkout -b feature/my-change
+   ```
+
+2. **Work and commit** on your feature branch. Push to origin.
+
+3. **Open a PR**: `feature/my-change` → `dev`. After review and checks, merge it.
+
+4. **When ready for release**, open a **draft PR**: `dev` → `main`.
+   - This automatically renames the source branch to `rc` (release candidate)
+   - An RC pre-release is built and uploaded
+
+5. **Alpha and beta branches** are created by manually renaming the branch before the RC stage:
+   - Rename `dev` to `alpha` for early testing → alpha pre-release is built
+   - Rename `alpha` to `beta` for feature-complete testing → beta pre-release is built
+   - When the draft PR is created, the branch is renamed to `rc`
+
+6. **Once PR checks pass** on the `rc` branch, mark the PR as ready and merge to `main`.
+
+7. **Merging to main** triggers the stable release pipeline:
+   - Minor version bump (e.g., `02.09.xx` → `02.10.00`)
+   - Stability suffix stripped (clean version)
+   - Gitea release created with ZIP/tar.gz packages
+   - `updates.xml` updated (Joomla extensions)
+   - `dev` branch recreated from `main`
+
+### Branch summary
+
+| Branch | Purpose | Created by |
+|--------|---------|-----------|
+| `feature/*` | New features and fixes | Developer |
+| `dev` | Integration branch | Auto-recreated after release |
+| `alpha` | Alpha pre-release testing | Manual rename from `dev` |
+| `beta` | Beta pre-release testing | Manual rename from `alpha` |
+| `rc` | Release candidate | Auto-renamed on draft PR to main |
+| `main` | Stable releases | Protected, merge only |
+| `version/XX.YY.ZZ` | Archived release snapshots | Auto-created by CI |
+
+### Protected branches
+
+| Branch | Direct push | Merge via |
+|--------|------------|-----------|
+| `main` | Blocked (CI bot whitelisted) | PR merge only |
+| `dev` | Blocked (CI bot whitelisted) | PR merge from feature/* |
+| `rc` | Blocked (CI bot whitelisted) | Auto-created on draft PR |
+| `alpha` | Blocked (CI bot whitelisted) | Manual rename |
+| `beta` | Blocked (CI bot whitelisted) | Manual rename |
+| `feature/*` | Open | N/A (source branch) |
+
+## Version Policy
+
+### Format
+
+All versions use `XX.YY.ZZ` — three two-digit segments, zero-padded:
+
+- **XX** — Major version (breaking changes)
+- **YY** — Minor version (new features, bumped on release to main)
+- **ZZ** — Patch version (auto-incremented on every push to dev/feature branches)
+
+Rollover: patch `99` → `00` increments minor; minor `99` → `00` increments major.
+
+### Stability suffixes
+
+Each branch appends a suffix to indicate stability:
+
+| Branch | Suffix | Example |
+|--------|--------|---------|
+| `main` | (none) | `02.09.00` |
+| `dev` | `-dev` | `02.09.01-dev` |
+| `feature/*` | `-dev` | `02.09.01-dev` |
+| `alpha` | `-alpha` | `02.09.01-alpha` |
+| `beta` | `-beta` | `02.09.01-beta` |
+| `rc` | `-rc` | `02.09.01-rc` |
+
+### Auto version bump
+
+On every push to `dev`, `feature/*`, or `patch/*`:
+
+1. Patch version incremented
+2. Stability suffix `-dev` applied
+3. All version-bearing files updated (manifests, CHANGELOG, PHP headers, etc.)
+4. Commit created with `[skip ci]` to avoid loops
+
+### Release version flow
+
+Version bumps happen at specific release events:
+
+| Event | Bump | Example |
+|-------|------|---------|
+| Feature merged to dev | Patch bump after dev release | `02.09.01-dev` → release → `02.09.02-dev` |
+| Dev promoted to RC | Minor bump | `02.09.02-dev` → `02.10.00-rc` |
+| RC merged to main | Minor bump | `02.10.00-rc` → `02.11.00` (stable) |
+| Dev recreated from main | Patch bump | `02.11.00` → `02.11.01-dev` |
+
+### Release stream copies
+
+When a higher-stability release is published, copies are created for all lesser streams with the same base version:
+
+- **RC `02.10.00-rc`** also creates: `02.10.00-dev`, `02.10.00-alpha`, `02.10.00-beta`
+- **Stable `02.11.00`** also creates: `02.11.00-dev`, `02.11.00-alpha`, `02.11.00-beta`, `02.11.00-rc`
+
+This ensures Joomla sites on ANY stability channel see the update (Joomla only shows versions higher than what's installed).
+
+### Version files
+
+The version tools update all files containing version stamps:
+
+- `.mokogitea/manifest.xml` (canonical source)
+- Joomla XML manifests (`<version>` tag)
+- `README.md`, `CHANGELOG.md` (`VERSION:` pattern)
+- `package.json`, `pyproject.toml`
+- Any text file with a `VERSION: XX.YY.ZZ` label
+
+Files synced from other repos (with a `# REPO:` header) are not touched.
+
+## Code Standards
+
+- **PHP**: PSR-12, tabs for indentation
+- **Copyright**: all files must include the Moko Consulting copyright header
+- **License**: SPDX identifier `GPL-3.0-or-later` (or as specified per repo)
+- **Attribution**: use `Authored-by: Moko Consulting` in commits, not individual names
+
+## Commit Messages
+
+Use conventional commit format:
+
+```
+type(scope): short description
+
+Optional body with context.
+
+Authored-by: Moko Consulting
+```
+
+Types: `feat`, `fix`, `chore`, `docs`, `style`, `refactor`, `test`, `ci`
+
+Special flags in commit messages:
+- `[skip ci]` — skip all CI workflows
+- `[skip bump]` — skip auto version bump only
+
+## Reporting Issues
+
+Use the repository's issue tracker with the appropriate template.
+
+---
+
+*Moko Consulting <hello@mokoconsulting.tech>*
@@ -24,16 +24,19 @@ type LicenseKey struct {
 	ID                int64              `xorm:"pk autoincr"`
 	PackageID         int64              `xorm:"INDEX NOT NULL"`           // FK to license_package
 	OwnerID           int64              `xorm:"INDEX NOT NULL"`           // org or user that issued it
-	KeyHash           string             `xorm:"UNIQUE NOT NULL"`          // SHA-256 of the raw key
+	KeyHash           string             `xorm:"UNIQUE NOT NULL"`          // SHA-256 of the raw key (for fast lookup)
+	KeyRaw            string             `xorm:"TEXT"`                     // plaintext key (viewable by admins)
 	KeyPrefix         string             `xorm:"NOT NULL"`                 // first 8 chars for display
 	LicenseeName      string             `xorm:""`                         // customer name
 	LicenseeEmail     string             `xorm:""`                         // customer email
 	DomainRestriction string             `xorm:"TEXT"`                     // comma-separated allowed domains
 	MaxSites          int                `xorm:"NOT NULL DEFAULT 0"`       // 0 = use package default
+	PaymentRef        string             `xorm:"UNIQUE"`                   // idempotency key from payment system
 	IsInternal        bool               `xorm:"NOT NULL DEFAULT false"`   // true = base org/repo key
 	IsActive          bool               `xorm:"NOT NULL DEFAULT true"`
 	StartsUnix        timeutil.TimeStamp `xorm:"NOT NULL DEFAULT 0"`      // custom start, 0 = creation
 	ExpiresUnix       timeutil.TimeStamp `xorm:"NOT NULL DEFAULT 0"`      // 0 = never
+	LastHeartbeatUnix timeutil.TimeStamp `xorm:"NOT NULL DEFAULT 0"`      // last successful validation
 	CreatedUnix       timeutil.TimeStamp `xorm:"INDEX CREATED"`
 	UpdatedUnix       timeutil.TimeStamp `xorm:"UPDATED"`
 }
@@ -58,8 +61,7 @@ func HashKey(rawKey string) string {
 	return hex.EncodeToString(h[:])
 }

-// CreateLicenseKey generates a new key, hashes it, stores it, and returns the raw key.
-// The raw key is only available at creation time.
+// CreateLicenseKey generates a new key, stores it in plaintext and hashed, and returns the raw key.
 func CreateLicenseKey(ctx context.Context, key *LicenseKey) (rawKey string, err error) {
 	rawKey, err = GenerateKeyString()
 	if err != nil {
@@ -67,6 +69,7 @@ func CreateLicenseKey(ctx context.Context, key *LicenseKey) (rawKey string, err
 	}

 	key.KeyHash = HashKey(rawKey)
+	key.KeyRaw = rawKey
 	key.KeyPrefix = rawKey[:12] + "..."

 	if _, err := db.GetEngine(ctx).Insert(key); err != nil {
@@ -75,6 +78,19 @@ func CreateLicenseKey(ctx context.Context, key *LicenseKey) (rawKey string, err
 	return rawKey, nil
 }

+// CreateLicenseKeyCustom stores a key with a user-provided raw key string.
+func CreateLicenseKeyCustom(ctx context.Context, key *LicenseKey, rawKey string) error {
+	key.KeyHash = HashKey(rawKey)
+	key.KeyRaw = rawKey
+	if len(rawKey) > 12 {
+		key.KeyPrefix = rawKey[:12] + "..."
+	} else {
+		key.KeyPrefix = rawKey
+	}
+	_, err := db.GetEngine(ctx).Insert(key)
+	return err
+}
+
 // GetLicenseKeyByHash looks up a key by its SHA-256 hash.
 func GetLicenseKeyByHash(ctx context.Context, hash string) (*LicenseKey, error) {
 	key := new(LicenseKey)
@@ -113,12 +129,55 @@ func ListLicenseKeysByPackage(ctx context.Context, packageID int64) ([]*LicenseK
 	return keys, db.GetEngine(ctx).Where("package_id = ?", packageID).Find(&keys)
 }

+// GetLicenseKeyByPaymentRef looks up a key by its payment reference (idempotency).
+func GetLicenseKeyByPaymentRef(ctx context.Context, paymentRef string) (*LicenseKey, error) {
+	if paymentRef == "" {
+		return nil, db.ErrNotExist{Resource: "LicenseKey"}
+	}
+	key := new(LicenseKey)
+	has, err := db.GetEngine(ctx).Where("payment_ref = ?", paymentRef).Get(key)
+	if err != nil {
+		return nil, err
+	}
+	if !has {
+		return nil, db.ErrNotExist{Resource: "LicenseKey"}
+	}
+	return key, nil
+}
+
+// CountKeysByPackage returns the number of keys for a package.
+func CountKeysByPackage(ctx context.Context, packageID int64) (int64, error) {
+	return db.GetEngine(ctx).Where("package_id = ?", packageID).Count(new(LicenseKey))
+}
+
 // UpdateLicenseKey updates a license key.
 func UpdateLicenseKey(ctx context.Context, key *LicenseKey) error {
 	_, err := db.GetEngine(ctx).ID(key.ID).AllCols().Update(key)
 	return err
 }

+// DeleteLicenseKey permanently removes a license key by ID.
+func DeleteLicenseKey(ctx context.Context, id int64) error {
+	_, err := db.GetEngine(ctx).ID(id).Delete(new(LicenseKey))
+	return err
+}
+
+// DeleteExpiredKeys removes keys that expired more than the given duration ago.
+func DeleteExpiredKeys(ctx context.Context, olderThanDays int) (int64, error) {
+	cutoff := timeutil.TimeStampNow() - timeutil.TimeStamp(int64(olderThanDays)*86400)
+	return db.GetEngine(ctx).
+		Where("expires_unix > 0 AND expires_unix < ? AND is_internal = ?", cutoff, false).
+		Delete(new(LicenseKey))
+}
+
+// TouchHeartbeat updates the last heartbeat timestamp for a key.
+func TouchHeartbeat(ctx context.Context, keyID int64) error {
+	_, err := db.GetEngine(ctx).ID(keyID).
+		Cols("last_heartbeat_unix").
+		Update(&LicenseKey{LastHeartbeatUnix: timeutil.TimeStampNow()})
+	return err
+}
+
 // DeleteLicenseKey deletes a license key by ID.
 func DeleteLicenseKey(ctx context.Context, id int64) error {
 	_, err := db.GetEngine(ctx).ID(id).Delete(new(LicenseKey))
@@ -127,7 +186,11 @@ func DeleteLicenseKey(ctx context.Context, id int64) error {

 // ValidateLicenseKey validates a raw key string against the database.
 // Returns the key record and its associated package, or an error.
-func ValidateLicenseKey(ctx context.Context, rawKey string) (*LicenseKey, *LicensePackage, error) {
+// The domain parameter is optional — when provided, it is checked against
+// the key's DomainRestriction list and the MaxSites limit.
+// On first heartbeat with a domain, if no DomainRestriction is set, the domain
+// is automatically associated as the key's restriction (lock-on-first-use).
+func ValidateLicenseKey(ctx context.Context, rawKey, domain string) (*LicenseKey, *LicensePackage, error) {
 	hash := HashKey(rawKey)
 	key, err := GetLicenseKeyByHash(ctx, hash)
 	if err != nil {
@@ -155,5 +218,103 @@ func ValidateLicenseKey(ctx context.Context, rawKey string) (*LicenseKey, *Licen
 		return nil, nil, fmt.Errorf("license package is deactivated")
 	}

+	// Domain restriction check — skip for internal/master keys.
+	if domain != "" && !key.IsInternal {
+		if key.DomainRestriction != "" {
+			allowed := false
+			for _, d := range strings.Split(key.DomainRestriction, ",") {
+				if strings.EqualFold(strings.TrimSpace(d), domain) {
+					allowed = true
+					break
+				}
+			}
+			if !allowed {
+				return nil, nil, fmt.Errorf("domain not allowed for this license key")
+			}
+		} else {
+			// No domain restriction set — auto-associate on first heartbeat.
+			// Append this domain to the restriction list, enforcing max_sites.
+			maxSites := key.MaxSites
+			if maxSites == 0 {
+				maxSites = pkg.MaxSites
+			}
+			domainKnown, _ := IsDomainKnownForKey(ctx, key.ID, domain)
+			if !domainKnown {
+				if maxSites > 0 {
+					uniqueDomains, err := CountUniqueDomainsByKey(ctx, key.ID)
+					if err != nil {
+						return nil, nil, fmt.Errorf("failed to count domains: %w", err)
+					}
+					if uniqueDomains >= int64(maxSites) {
+						return nil, nil, fmt.Errorf("site limit reached (%d/%d)", uniqueDomains, maxSites)
+					}
+				}
+				// Append this domain to the key's restriction list.
+				_ = updateDomainRestriction(ctx, key.ID, domain)
+				if key.DomainRestriction == "" {
+					key.DomainRestriction = domain
+				} else {
+					key.DomainRestriction = key.DomainRestriction + "," + domain
+				}
+			}
+		}
+
+		// Site limit check: use key's MaxSites, fall back to package default.
+		maxSites := key.MaxSites
+		if maxSites == 0 {
+			maxSites = pkg.MaxSites
+		}
+		if maxSites > 0 {
+			uniqueDomains, err := CountUniqueDomainsByKey(ctx, key.ID)
+			if err != nil {
+				return nil, nil, fmt.Errorf("failed to count domains: %w", err)
+			}
+			// Allow if this domain is already recorded, or if under the limit.
+			domainKnown, _ := IsDomainKnownForKey(ctx, key.ID, domain)
+			if !domainKnown && uniqueDomains >= int64(maxSites) {
+				return nil, nil, fmt.Errorf("site limit reached (%d/%d)", uniqueDomains, maxSites)
+			}
+		}
+	}
+
 	return key, pkg, nil
 }
+
+// updateDomainRestriction appends a domain to a key's DomainRestriction field in the DB.
+func updateDomainRestriction(ctx context.Context, keyID int64, domain string) error {
+	key, err := GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		return err
+	}
+	if key.DomainRestriction == "" {
+		key.DomainRestriction = domain
+	} else {
+		key.DomainRestriction = key.DomainRestriction + "," + domain
+	}
+	_, err = db.GetEngine(ctx).ID(keyID).Cols("domain_restriction").Update(key)
+	return err
+}
+
+// RenewLicenseKey extends the expiration of a key by the given number of days
+// from the current expiry (or from now if already expired/no expiry set).
+func RenewLicenseKey(ctx context.Context, keyID int64, days int) error {
+	key, err := GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		return err
+	}
+
+	now := timeutil.TimeStampNow()
+	var base timeutil.TimeStamp
+	if key.ExpiresUnix > 0 && key.ExpiresUnix > now {
+		// Key still valid — extend from current expiry.
+		base = key.ExpiresUnix
+	} else {
+		// Key expired or has no expiry — extend from now.
+		base = now
+	}
+
+	key.ExpiresUnix = base + timeutil.TimeStamp(int64(days)*86400)
+	key.IsActive = true
+	_, err = db.GetEngine(ctx).ID(keyID).Cols("expires_unix", "is_active").Update(key)
+	return err
+}
@@ -47,3 +47,19 @@ func GetRecentUsage(ctx context.Context, keyID int64, limit int) ([]*LicenseKeyU
 func CountUsageByKey(ctx context.Context, keyID int64) (int64, error) {
 	return db.GetEngine(ctx).Where("key_id = ?", keyID).Count(new(LicenseKeyUsage))
 }
+
+// CountUniqueDomainsByKey returns the number of distinct domains that have used a key.
+func CountUniqueDomainsByKey(ctx context.Context, keyID int64) (int64, error) {
+	count, err := db.GetEngine(ctx).
+		Where("key_id = ? AND domain != ''", keyID).
+		Distinct("domain").
+		Count(new(LicenseKeyUsage))
+	return count, err
+}
+
+// IsDomainKnownForKey checks whether a specific domain has already been recorded for a key.
+func IsDomainKnownForKey(ctx context.Context, keyID int64, domain string) (bool, error) {
+	return db.GetEngine(ctx).
+		Where("key_id = ? AND domain = ?", keyID, domain).
+		Exist(new(LicenseKeyUsage))
+}
@@ -8,6 +8,8 @@ import (

 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/timeutil"
+
+	"xorm.io/builder"
 )

 func init() {
@@ -55,6 +57,20 @@ func GetLicensePackageByID(ctx context.Context, id int64) (*LicensePackage, erro
 	return pkg, nil
 }

+// FindLicensePackageOptions for db.Find/db.Count.
+type FindLicensePackageOptions struct {
+	db.ListOptions
+	OwnerID int64
+}
+
+func (opts FindLicensePackageOptions) ToConds() builder.Cond {
+	cond := builder.NewCond()
+	if opts.OwnerID > 0 {
+		cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
+	}
+	return cond
+}
+
 // ListLicensePackages returns all packages for the given owner.
 func ListLicensePackages(ctx context.Context, ownerID int64) ([]*LicensePackage, error) {
 	pkgs := make([]*LicensePackage, 0, 10)
@@ -67,6 +83,11 @@ func UpdateLicensePackage(ctx context.Context, pkg *LicensePackage) error {
 	return err
 }

+// CountOrgPackages returns the number of license packages for an organization.
+func CountOrgPackages(ctx context.Context, orgID int64) (int64, error) {
+	return db.GetEngine(ctx).Where("owner_id = ?", orgID).Count(new(LicensePackage))
+}
+
 // DeleteLicensePackage deletes a license package by ID.
 func DeleteLicensePackage(ctx context.Context, id int64) error {
 	_, err := db.GetEngine(ctx).ID(id).Delete(new(LicensePackage))
@@ -0,0 +1,89 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package licenses
+
+import (
+	"context"
+	"fmt"
+
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
+)
+
+const (
+	MasterPackageName = "Master (Internal)"
+	MasterPackageDesc = "Auto-created master package with unlimited access to all channels."
+)
+
+// EnsureMasterKey ensures that a master license package and key exist for the given owner.
+// Returns the master key's raw key string only if it was just created (empty string otherwise).
+func EnsureMasterKey(ctx context.Context, ownerID int64) (rawKey string, err error) {
+	// Check if a master package already exists.
+	pkgs, err := ListLicensePackages(ctx, ownerID)
+	if err != nil {
+		return "", err
+	}
+
+	var masterPkg *LicensePackage
+	for _, pkg := range pkgs {
+		if pkg.Name == MasterPackageName {
+			masterPkg = pkg
+			break
+		}
+	}
+
+	// Create master package if it doesn't exist.
+	if masterPkg == nil {
+		masterPkg = &LicensePackage{
+			OwnerID:      ownerID,
+			Name:         MasterPackageName,
+			Description:  MasterPackageDesc,
+			DurationDays: 0, // lifetime
+			MaxSites:     0, // unlimited
+			RepoScope:    "all",
+			IsActive:     true,
+		}
+		if err := CreateLicensePackage(ctx, masterPkg); err != nil {
+			return "", fmt.Errorf("CreateLicensePackage: %w", err)
+		}
+	}
+
+	// Check if a master key already exists for this package.
+	keys, err := ListLicenseKeysByPackage(ctx, masterPkg.ID)
+	if err != nil {
+		return "", err
+	}
+
+	for _, key := range keys {
+		if key.IsInternal {
+			return "", nil // already exists, don't return raw key
+		}
+	}
+
+	// Create the master key.
+	masterKey := &LicenseKey{
+		PackageID:  masterPkg.ID,
+		OwnerID:    ownerID,
+		IsInternal: true,
+		IsActive:   true,
+	}
+	rawKey, err = CreateLicenseKey(ctx, masterKey)
+	if err != nil {
+		return "", fmt.Errorf("CreateLicenseKey: %w", err)
+	}
+
+	return rawKey, nil
+}
+
+// GetMasterKey returns the master key for an owner, if it exists.
+func GetMasterKey(ctx context.Context, ownerID int64) (*LicenseKey, error) {
+	key := new(LicenseKey)
+	has, err := db.GetEngine(ctx).Where("owner_id = ? AND is_internal = ?", ownerID, true).Get(key)
+	if err != nil {
+		return nil, err
+	}
+	if !has {
+		return nil, nil
+	}
+	return key, nil
+}
@@ -0,0 +1,183 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package licenses
+
+import (
+	"context"
+	"strings"
+
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/json"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/timeutil"
+)
+
+func init() {
+	db.RegisterModel(new(UpdateStreamConfig))
+}
+
+// UpdateStreamConfig stores update stream settings at org or repo level.
+// When OwnerID is set and RepoID is 0, it's an org-level default.
+// When RepoID is set, it's a per-repo override.
+type UpdateStreamConfig struct {
+	ID          int64              `xorm:"pk autoincr"`
+	OwnerID     int64              `xorm:"INDEX NOT NULL"`         // org or user
+	RepoID      int64              `xorm:"INDEX NOT NULL DEFAULT 0"` // 0 = org-level default
+	StreamMode  string             `xorm:"NOT NULL DEFAULT 'joomla'"` // joomla, custom
+	Platform    string             `xorm:"NOT NULL DEFAULT 'joomla'"` // joomla, dolibarr, both
+	LicensingEnabled bool          `xorm:"NOT NULL DEFAULT false"`    // master toggle for licensing system
+	RequireKey  bool               `xorm:"NOT NULL DEFAULT false"`    // require license key for update feed
+	// CustomStreams is a JSON array of stream definitions.
+	// Each entry: {"name":"lts","suffix":"-lts","description":"Long-term support"}
+	CustomStreams string            `xorm:"TEXT"`
+	CreatedUnix  timeutil.TimeStamp `xorm:"INDEX CREATED"`
+	UpdatedUnix  timeutil.TimeStamp `xorm:"UPDATED"`
+}
+
+func (UpdateStreamConfig) TableName() string {
+	return "update_stream_config"
+}
+
+// StreamDef defines a single update stream/channel.
+type StreamDef struct {
+	Name        string `json:"name"`        // e.g. "stable", "lts", "nightly"
+	Suffix      string `json:"suffix"`      // tag suffix to match, e.g. "-lts", "-rc"
+	Description string `json:"description"` // human-readable label
+}
+
+// DefaultJoomlaStreams returns the standard Joomla update streams.
+func DefaultJoomlaStreams() []StreamDef {
+	return []StreamDef{
+		{Name: "stable", Suffix: "", Description: "Stable releases"},
+		{Name: "release-candidate", Suffix: "-rc", Description: "Release candidates"},
+		{Name: "beta", Suffix: "-beta", Description: "Beta testing"},
+		{Name: "alpha", Suffix: "-alpha", Description: "Alpha / early access"},
+		{Name: "development", Suffix: "-dev", Description: "Development builds"},
+	}
+}
+
+// GetCustomStreams parses the CustomStreams JSON field.
+func (c *UpdateStreamConfig) GetCustomStreams() []StreamDef {
+	if c.CustomStreams == "" {
+		return nil
+	}
+	var streams []StreamDef
+	if err := json.Unmarshal([]byte(c.CustomStreams), &streams); err != nil {
+		return nil
+	}
+	return streams
+}
+
+// GetActiveStreams returns the effective streams for this config.
+func (c *UpdateStreamConfig) GetActiveStreams() []StreamDef {
+	if c.StreamMode == "custom" {
+		if custom := c.GetCustomStreams(); len(custom) > 0 {
+			return custom
+		}
+	}
+	return DefaultJoomlaStreams()
+}
+
+// GetOrgConfig returns the org-level update stream config.
+func GetOrgConfig(ctx context.Context, ownerID int64) (*UpdateStreamConfig, error) {
+	cfg := new(UpdateStreamConfig)
+	has, err := db.GetEngine(ctx).Where("owner_id = ? AND repo_id = 0", ownerID).Get(cfg)
+	if err != nil {
+		return nil, err
+	}
+	if !has {
+		return &UpdateStreamConfig{OwnerID: ownerID, StreamMode: "joomla"}, nil
+	}
+	return cfg, nil
+}
+
+// GetRepoConfig returns the repo-level override, or nil if none exists.
+func GetRepoConfig(ctx context.Context, repoID int64) (*UpdateStreamConfig, error) {
+	cfg := new(UpdateStreamConfig)
+	has, err := db.GetEngine(ctx).Where("repo_id = ?", repoID).Get(cfg)
+	if err != nil {
+		return nil, err
+	}
+	if !has {
+		return nil, nil
+	}
+	return cfg, nil
+}
+
+// GetEffectiveStreams resolves the streams for a repo: repo override → org default → Joomla default.
+func GetEffectiveStreams(ctx context.Context, ownerID, repoID int64) []StreamDef {
+	// Check repo-level override first.
+	repoCfg, err := GetRepoConfig(ctx, repoID)
+	if err == nil && repoCfg != nil {
+		return repoCfg.GetActiveStreams()
+	}
+
+	// Fall back to org-level config.
+	orgCfg, err := GetOrgConfig(ctx, ownerID)
+	if err == nil && orgCfg != nil {
+		return orgCfg.GetActiveStreams()
+	}
+
+	return DefaultJoomlaStreams()
+}
+
+// SaveConfig creates or updates an update stream config.
+func SaveConfig(ctx context.Context, cfg *UpdateStreamConfig) error {
+	existing := new(UpdateStreamConfig)
+	var has bool
+	var err error
+	if cfg.RepoID > 0 {
+		has, err = db.GetEngine(ctx).Where("repo_id = ?", cfg.RepoID).Get(existing)
+	} else {
+		has, err = db.GetEngine(ctx).Where("owner_id = ? AND repo_id = 0", cfg.OwnerID).Get(existing)
+	}
+	if err != nil {
+		return err
+	}
+
+	if has {
+		cfg.ID = existing.ID
+		_, err = db.GetEngine(ctx).ID(cfg.ID).AllCols().Update(cfg)
+	} else {
+		_, err = db.GetEngine(ctx).Insert(cfg)
+	}
+	return err
+}
+
+// MatchStreamFromTag determines which stream a tag belongs to based on the given stream definitions.
+func MatchStreamFromTag(tagName string, isPrerelease bool, streams []StreamDef) string {
+	lower := strings.ToLower(tagName)
+
+	// Check custom suffixes (longest match first to avoid "-rc" matching before "-rc-special").
+	var bestMatch string
+	bestLen := 0
+	for _, s := range streams {
+		if s.Suffix == "" {
+			continue // stable/default stream handled below
+		}
+		if strings.Contains(lower, s.Suffix) && len(s.Suffix) > bestLen {
+			bestMatch = s.Name
+			bestLen = len(s.Suffix)
+		}
+	}
+	if bestMatch != "" {
+		return bestMatch
+	}
+
+	// If prerelease and no suffix matched, use the first prerelease stream.
+	if isPrerelease {
+		for _, s := range streams {
+			if s.Suffix != "" {
+				return s.Name
+			}
+		}
+	}
+
+	// Default: first stream with empty suffix (stable).
+	for _, s := range streams {
+		if s.Suffix == "" {
+			return s.Name
+		}
+	}
+	return "stable"
+}
@@ -413,6 +413,9 @@ func prepareMigrationTasks() []*migration {
 		newMigration(333, "Add require_2fa to user table for org enforcement", v1_27.AddRequire2FAToUser),
 		newMigration(334, "Add actions user whitelist to protected branches", v1_27.AddActionsUserWhitelistToProtectedBranch),
 		newMigration(335, "Add license key tables for update server", v1_27.AddLicenseKeyTables),
+		newMigration(336, "Add update stream config table", v1_27.AddUpdateStreamConfigTable),
+		newMigration(337, "Add key_plain column to license_key", v1_27.AddKeyPlainToLicenseKey),
+		newMigration(338, "Add platform and require_key to update_stream_config", v1_27.AddPlatformAndRequireKeyToStreamConfig),
 	}
 	return preparedMigrations
 }
@@ -0,0 +1,29 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package v1_27
+
+import (
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/timeutil"
+
+	"xorm.io/xorm"
+)
+
+type updateStreamConfig336 struct {
+	ID           int64              `xorm:"pk autoincr"`
+	OwnerID      int64              `xorm:"INDEX NOT NULL"`
+	RepoID       int64              `xorm:"INDEX NOT NULL DEFAULT 0"`
+	StreamMode   string             `xorm:"NOT NULL DEFAULT 'joomla'"`
+	CustomStreams string             `xorm:"TEXT"`
+	CreatedUnix  timeutil.TimeStamp `xorm:"INDEX CREATED"`
+	UpdatedUnix  timeutil.TimeStamp `xorm:"UPDATED"`
+}
+
+func (updateStreamConfig336) TableName() string {
+	return "update_stream_config"
+}
+
+// AddUpdateStreamConfigTable creates the update_stream_config table.
+func AddUpdateStreamConfigTable(x *xorm.Engine) error {
+	return x.Sync(new(updateStreamConfig336))
+}
@@ -0,0 +1,20 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package v1_27
+
+import "xorm.io/xorm"
+
+type licenseKey337 struct {
+	ID       int64  `xorm:"pk autoincr"`
+	KeyPlain string `xorm:""`
+}
+
+func (licenseKey337) TableName() string {
+	return "license_key"
+}
+
+// AddKeyPlainToLicenseKey adds the key_plain column to license_key table.
+func AddKeyPlainToLicenseKey(x *xorm.Engine) error {
+	return x.Sync(new(licenseKey337))
+}
@@ -0,0 +1,22 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package v1_27
+
+import "xorm.io/xorm"
+
+type updateStreamConfig338 struct {
+	ID         int64  `xorm:"pk autoincr"`
+	Platform   string `xorm:"NOT NULL DEFAULT 'joomla'"`
+	RequireKey bool   `xorm:"NOT NULL DEFAULT false"`
+}
+
+func (updateStreamConfig338) TableName() string {
+	return "update_stream_config"
+}
+
+// AddPlatformAndRequireKeyToStreamConfig adds platform and require_key
+// columns to update_stream_config.
+func AddPlatformAndRequireKeyToStreamConfig(x *xorm.Engine) error {
+	return x.Sync(new(updateStreamConfig338))
+}
@@ -31,6 +31,11 @@ func (t TeamList) UnitMaxAccess(tp unit.Type) perm.AccessMode {
 		if team.IsOwnerTeam() {
 			return perm.AccessModeOwner
 		}
+		// Admin-level teams implicitly have admin access to all units,
+		// even units added after the team was created (no TeamUnit record needed).
+		if team.HasAdminAccess() && maxAccess < perm.AccessModeAdmin {
+			maxAccess = perm.AccessModeAdmin
+		}
 		for _, teamUnit := range team.Units {
 			if teamUnit.Type != tp {
 				continue
@@ -52,7 +52,7 @@ func RemoveTeamRepo(ctx context.Context, teamID, repoID int64) error {

 // GetTeamsWithAccessToAnyRepoUnit returns all teams in an organization that have given access level to the repository special unit.
 // This function is only used for finding some teams that can be used as branch protection allowlist or reviewers, it isn't really used for access control.
-// FIXME: TEAM-UNIT-PERMISSION this logic is not complete, search the fixme keyword to see more details
+// Note: admin-level teams (authorize >= Admin) implicitly have access to all units.
 func GetTeamsWithAccessToAnyRepoUnit(ctx context.Context, orgID, repoID int64, mode perm.AccessMode, unitType unit.Type, unitTypesMore ...unit.Type) (teams []*Team, err error) {
 	teamIDs, err := getTeamIDsWithAccessToAnyRepoUnit(ctx, orgID, repoID, mode, unitType, unitTypesMore...)
 	if err != nil {
@@ -33,9 +33,7 @@ const (
 	TypeProjects        // 8 Projects
 	TypePackages        // 9 Packages
 	TypeActions         // 10 Actions
-
-	// FIXME: TEAM-UNIT-PERMISSION: the team unit "admin" permission's design is not right, when a new unit is added in the future,
-	// admin team won't inherit the correct admin permission for the new unit, need to have a complete fix before adding any new unit.
+	TypeLicenses        // 11 Licenses
 )

 // Value returns integer value for unit type (used by template)
@@ -65,6 +63,7 @@ var (
 		TypeProjects,
 		TypePackages,
 		TypeActions,
+		TypeLicenses,
 	}

 	// DefaultRepoUnits contains the default unit types
@@ -328,6 +327,15 @@ var (
 		perm.AccessModeOwner,
 	}

+	UnitLicenses = Unit{
+		TypeLicenses,
+		"repo.licenses",
+		"/licenses",
+		"repo.licenses.desc",
+		8,
+		perm.AccessModeOwner,
+	}
+
 	// Units contains all the units
 	Units = map[Type]Unit{
 		TypeCode:            UnitCode,
@@ -340,6 +348,7 @@ var (
 		TypeProjects:        UnitProjects,
 		TypePackages:        UnitPackages,
 		TypeActions:         UnitActions,
+		TypeLicenses:        UnitLicenses,
 	}
 )

@@ -60,6 +60,8 @@ type LicenseKey struct {
 	// swagger:strfmt date-time
 	ExpiresAt *time.Time `json:"expires_at"`
 	// swagger:strfmt date-time
+	LastHeartbeat *time.Time `json:"last_heartbeat,omitempty"`
+	// swagger:strfmt date-time
 	Created time.Time `json:"created_at"`
 }

@@ -93,6 +95,32 @@ type EditLicenseKeyOption struct {
 	ExpiresAt         *time.Time `json:"expires_at"`
 }

+// PurchaseLicenseKeyOption options for purchasing a license key via webhook.
+type PurchaseLicenseKeyOption struct {
+	PackageID    int64  `json:"package_id" binding:"Required"`
+	LicenseeName string `json:"licensee_name"`
+	LicenseeEmail string `json:"licensee_email"`
+	Domain       string `json:"domain"`
+	PaymentRef   string `json:"payment_ref"`
+}
+
+// ValidateLicenseKeyOption options for validating a license key.
+type ValidateLicenseKeyOption struct {
+	Key    string `json:"key" binding:"Required"`
+	Domain string `json:"domain"`
+}
+
+// ValidateLicenseKeyResponse is the response from license key validation.
+type ValidateLicenseKeyResponse struct {
+	Valid       bool       `json:"valid"`
+	Message     string     `json:"message,omitempty"`
+	PackageName string     `json:"package_name,omitempty"`
+	Channels    string     `json:"channels,omitempty"`
+	ExpiresAt   *time.Time `json:"expires_at,omitempty"`
+	SitesUsed   int64      `json:"sites_used"`
+	MaxSites    int        `json:"max_sites"`
+}
+
 // LicenseKeyUsage represents a usage tracking entry.
 type LicenseKeyUsage struct {
 	ID          int64  `json:"id"`
@@ -2144,6 +2144,19 @@
  "repo.settings.pulls.default_delete_branch_after_merge": "Delete pull request branch after merge by default",
  "repo.settings.pulls.default_allow_edits_from_maintainers": "Allow edits from maintainers by default",
  "repo.settings.releases_desc": "Enable Repository Releases",
+  "repo.settings.unit_visibility": "Visibility",
+  "repo.settings.unit_visibility_private": "Private (follow repo visibility)",
+  "repo.settings.unit_visibility_public": "Public (anyone can read)",
+  "repo.settings.unit_visibility_releases_help": "Controls whether the releases page is visible to anonymous visitors.",
+  "repo.settings.licensing_section": "Licensing & Updates",
+  "repo.settings.licensing_section_desc": "Manage commercial license keys and gated update feeds for this repository. When enabled, the Licenses tab appears and release tags must follow update stream naming.",
+  "repo.settings.update_platform": "Update Feed Format",
+  "repo.settings.update_platform_both": "Both (Joomla + Dolibarr)",
+  "repo.settings.update_platform_help": "Choose which update feed format to generate. All formats support license key validation.",
+  "repo.settings.require_update_key": "Require license key for update feeds",
+  "repo.settings.require_update_key_help": "When enabled, update feeds return empty results unless a valid license key is provided. Joomla clients will see a Download Key field in Update Sites.",
+  "repo.settings.enable_licensing": "Enable licensing for this repository",
+  "repo.settings.enable_licensing_help": "Show the Licenses tab and enable license key management for this repository.",
  "repo.settings.packages_desc": "Enable Repository Packages Registry",
  "repo.settings.projects_desc": "Enable Projects",
  "repo.settings.projects_mode_desc": "Projects Mode (which kinds of projects to show)",
@@ -2608,6 +2621,74 @@
  "repo.release.detail": "Release details",
  "repo.release.tags": "Tags",
  "repo.release.new_release": "New Release",
+  "repo.release.update_feed": "Update Feed",
+  "repo.licenses": "Licenses",
+  "repo.licenses.packages": "License Packages",
+  "repo.licenses.package_name": "Package",
+  "repo.licenses.duration": "Duration",
+  "repo.licenses.channels": "Channels",
+  "repo.licenses.keys_issued": "Keys",
+  "repo.licenses.status": "Status",
+  "repo.licenses.lifetime": "Lifetime",
+  "repo.licenses.days": "days",
+  "repo.licenses.all_channels": "All channels",
+  "repo.licenses.active": "Active",
+  "repo.licenses.inactive": "Inactive",
+  "repo.licenses.none": "No License Packages",
+  "repo.licenses.none_desc": "Create a license package to start managing keys and gating update feeds.",
+  "repo.licenses.issued_keys": "Issued Keys",
+  "repo.licenses.key_prefix": "Key",
+  "repo.licenses.licensee": "Licensee",
+  "repo.licenses.expires": "Expires",
+  "repo.licenses.never": "Never",
+  "repo.licenses.new_package": "New Package",
+  "repo.licenses.description": "Description",
+  "repo.licenses.max_sites": "Max Sites",
+  "repo.licenses.channels_help": "Select which update channels this package grants access to. Leave all unchecked for all channels.",
+  "repo.licenses.create_package": "Create License Package",
+  "repo.licenses.create_new_package": "Create New License Package",
+  "repo.licenses.package_created": "License package created successfully.",
+  "repo.licenses.generate_key": "Generate Key",
+  "repo.licenses.key_created": "License Key Created",
+  "repo.licenses.key_created_copy": "Your new license key is shown below. You can also view and copy it from the keys table at any time.",
+  "repo.licenses.revoke": "Revoke",
+  "repo.licenses.edit_package": "Edit License Package",
+  "repo.licenses.delete_package": "Delete Package",
+  "repo.licenses.package_updated": "License package updated.",
+  "repo.licenses.package_deleted": "License package deleted.",
+  "repo.licenses.key_revoked": "License key revoked.",
+  "repo.licenses.master_key_created": "Master License Key Created",
+  "repo.licenses.master_key_created_copy": "This is your organization master key with unlimited access to all update channels. Copy it now — it will not be shown again.",
+  "repo.licenses.update_feeds": "Update Feed URLs",
+  "repo.licenses.edit_key": "Edit License Key",
+  "repo.licenses.licensee_name": "Licensee Name",
+  "repo.licenses.licensee_email": "Licensee Email",
+  "repo.licenses.domain_restriction": "Domain Restriction",
+  "repo.licenses.domain_restriction_help": "Comma-separated list of allowed domains. Leave empty for no restriction.",
+  "repo.licenses.use_package_default": "use package default",
+  "repo.licenses.expires_at": "Expires At",
+  "repo.licenses.expires_at_help": "Leave empty for no expiry (lifetime).",
+  "repo.licenses.key_updated": "License key updated.",
+  "repo.licenses.last_seen": "Last Seen",
+  "repo.licenses.confirm_delete_package": "Delete this package? This action cannot be undone.",
+  "repo.licenses.confirm_revoke_key": "Revoke this license key? The licensee will immediately lose access to update feeds.",
+  "repo.licenses.feed_joomla_xml": "Joomla XML",
+  "repo.licenses.feed_dolibarr_json": "Dolibarr JSON",
+  "repo.licenses.feed_joomla_updates": "Joomla updates.xml",
+  "repo.licenses.feed_dolibarr_updates": "Dolibarr JSON",
+  "repo.licenses.master_label": "Master",
+  "repo.licenses.unlimited": "unlimited",
+  "repo.licenses.active_help_package": "Deactivating blocks new key creation and disables all issued keys.",
+  "repo.licenses.active_help_key": "Deactivating immediately blocks update feed access for this licensee.",
+  "repo.licenses.renew": "Renew",
+  "repo.licenses.key_renewed": "License key renewed for %d days.",
+  "repo.licenses.confirm_renew_key": "Renew this license key? The expiration will be extended by the package duration.",
+  "repo.licenses.desc": "License packages and keys for gating update feeds.",
+  "repo.licenses.custom_key_placeholder": "Custom key (optional)",
+  "repo.licenses.custom_key_help": "Leave empty to auto-generate. Site admins and org owners can set a custom key value.",
+  "repo.licenses.delete_key": "Delete Key",
+  "repo.licenses.confirm_delete_key": "Permanently delete this license key? This cannot be undone.",
+  "repo.licenses.key_deleted": "License key deleted.",
  "repo.release.draft": "Draft",
  "repo.release.prerelease": "Pre-Release",
  "repo.release.stable": "Stable",
@@ -2749,6 +2830,26 @@
  "org.form.create_org_not_allowed": "You are not allowed to create an organization.",
  "org.settings": "Settings",
  "org.settings.options": "Organization",
+  "org.settings.update_streams": "Licensing & Update Streams",
+  "org.settings.licensing": "Licensing",
+  "org.settings.licensing_desc": "Control commercial license key management and gated update feeds across all repositories in this organization.",
+  "org.settings.enable_licensing": "Enable licensing for this organization",
+  "org.settings.enable_licensing_help": "Show the Licenses page in the org menu and enable license key management. Individual repos can also enable licensing independently.",
+  "org.settings.require_key": "Require license key for all update feeds",
+  "org.settings.require_key_help": "Update feeds return empty results unless a valid key is provided. Joomla clients will see a Download Key field. Individual repos can override this.",
+  "org.settings.update_streams_heading": "Update Streams",
+  "org.settings.update_streams_desc": "Configure the default update streams for all repositories. Release tags are matched to streams by their suffix. Repos can override with per-repo settings.",
+  "org.settings.stream_mode": "Stream Mode",
+  "org.settings.stream_mode_joomla": "Standard Joomla streams (stable, release-candidate, beta, alpha, development)",
+  "org.settings.stream_mode_custom": "Custom streams (define your own channels and tag patterns)",
+  "org.settings.default_streams": "Active Streams",
+  "org.settings.stream_name": "Channel",
+  "org.settings.stream_suffix": "Tag Suffix",
+  "org.settings.no_suffix": "none (stable)",
+  "org.settings.streams_tag_help": "When licensing is active, release tags with prerelease suffixes must match one of the streams above (e.g. v1.0.0-rc1 matches the -rc stream).",
+  "org.settings.custom_streams": "Custom Stream Definitions (JSON)",
+  "org.settings.custom_streams_help": "JSON array of stream objects. Each needs: name, suffix, description. Example: [{\"name\":\"lts\",\"suffix\":\"-lts\",\"description\":\"Long-term support\"}]",
+  "org.settings.update_streams_saved": "Settings saved.",
  "org.settings.full_name": "Full Name",
  "org.settings.email": "Contact Email Address",
  "org.settings.website": "Website",
@@ -1351,11 +1351,14 @@ func Routes() *web.Router {
 					m.Combo("").Get(repo.ListLicensePackages).
 						Post(bind(api.CreateLicensePackageOption{}), repo.CreateLicensePackage)
 				}, reqToken(), reqAdmin())
+				m.Post("/license-keys/validate", bind(api.ValidateLicenseKeyOption{}), repo.ValidateLicenseKey)
 				m.Group("/license-keys", func() {
 					m.Combo("").Get(repo.ListLicenseKeys).
 						Post(bind(api.CreateLicenseKeyOption{}), repo.CreateLicenseKey)
+					m.Post("/purchase", bind(api.PurchaseLicenseKeyOption{}), repo.PurchaseLicenseKey)
 					m.Group("/{id}", func() {
 						m.Delete("", repo.DeleteLicenseKey)
+						m.Patch("", bind(api.EditLicenseKeyOption{}), repo.EditLicenseKey)
 						m.Get("/usage", repo.GetLicenseKeyUsage)
 					})
 				}, reqToken(), reqAdmin())
@@ -52,6 +52,10 @@ func toLicenseKeyAPI(key *licenses.LicenseKey) *structs.LicenseKey {
 		t := time.Unix(int64(key.ExpiresUnix), 0)
 		lk.ExpiresAt = &t
 	}
+	if key.LastHeartbeatUnix > 0 {
+		t := time.Unix(int64(key.LastHeartbeatUnix), 0)
+		lk.LastHeartbeat = &t
+	}
 	return lk
 }

@@ -82,6 +86,7 @@ func CreateLicensePackage(ctx *context.APIContext) {
 		MaxSites:        form.MaxSites,
 		RepoScope:       form.RepoScope,
 		AllowedChannels: form.AllowedChannels,
+		IsActive:        true,
 	}
 	if pkg.RepoScope == "" {
 		pkg.RepoScope = "all"
@@ -121,6 +126,7 @@ func CreateLicenseKey(ctx *context.APIContext) {
 		LicenseeEmail:     form.LicenseeEmail,
 		DomainRestriction: form.DomainRestriction,
 		MaxSites:          form.MaxSites,
+		IsActive:          true,
 	}

 	if form.StartsAt != nil {
@@ -159,6 +165,100 @@ func CreateLicenseKey(ctx *context.APIContext) {
 	ctx.JSON(http.StatusCreated, resp)
 }

+// EditLicenseKey edits a license key via API.
+func EditLicenseKey(ctx *context.APIContext) {
+	form := web.GetForm(ctx).(*structs.EditLicenseKeyOption)
+	keyID := ctx.PathParamInt64("id")
+
+	key, err := licenses.GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		ctx.APIErrorNotFound(err)
+		return
+	}
+
+	if key.IsInternal {
+		ctx.APIError(http.StatusForbidden, "master keys cannot be edited")
+		return
+	}
+
+	if form.LicenseeName != nil {
+		key.LicenseeName = *form.LicenseeName
+	}
+	if form.LicenseeEmail != nil {
+		key.LicenseeEmail = *form.LicenseeEmail
+	}
+	if form.DomainRestriction != nil {
+		key.DomainRestriction = *form.DomainRestriction
+	}
+	if form.MaxSites != nil {
+		key.MaxSites = *form.MaxSites
+	}
+	if form.IsActive != nil {
+		key.IsActive = *form.IsActive
+	}
+	if form.ExpiresAt != nil {
+		key.ExpiresUnix = timeutil.TimeStamp(form.ExpiresAt.Unix())
+	}
+
+	if err := licenses.UpdateLicenseKey(ctx, key); err != nil {
+		ctx.APIErrorInternal(err)
+		return
+	}
+
+	ctx.JSON(http.StatusOK, toLicenseKeyAPI(key))
+}
+
+// PurchaseLicenseKey handles purchase webhook — creates a key from a payment event.
+func PurchaseLicenseKey(ctx *context.APIContext) {
+	form := web.GetForm(ctx).(*structs.PurchaseLicenseKeyOption)
+
+	// Idempotency check: if payment_ref already exists, return existing key.
+	if form.PaymentRef != "" {
+		existing, err := licenses.GetLicenseKeyByPaymentRef(ctx, form.PaymentRef)
+		if err == nil {
+			resp := &structs.LicenseKeyCreated{
+				LicenseKey: *toLicenseKeyAPI(existing),
+				RawKey:     "", // raw key not available after creation
+			}
+			ctx.JSON(http.StatusOK, resp)
+			return
+		}
+	}
+
+	pkg, err := licenses.GetLicensePackageByID(ctx, form.PackageID)
+	if err != nil {
+		ctx.APIErrorNotFound(err)
+		return
+	}
+
+	key := &licenses.LicenseKey{
+		PackageID:         form.PackageID,
+		OwnerID:           ctx.Repo.Repository.OwnerID,
+		LicenseeName:      form.LicenseeName,
+		LicenseeEmail:     form.LicenseeEmail,
+		DomainRestriction: form.Domain,
+		PaymentRef:        form.PaymentRef,
+		IsActive:          true,
+	}
+
+	if pkg.DurationDays > 0 {
+		expires := time.Now().AddDate(0, 0, pkg.DurationDays)
+		key.ExpiresUnix = timeutil.TimeStamp(expires.Unix())
+	}
+
+	rawKey, err := licenses.CreateLicenseKey(ctx, key)
+	if err != nil {
+		ctx.APIErrorInternal(err)
+		return
+	}
+
+	resp := &structs.LicenseKeyCreated{
+		LicenseKey: *toLicenseKeyAPI(key),
+		RawKey:     rawKey,
+	}
+	ctx.JSON(http.StatusCreated, resp)
+}
+
 // DeleteLicenseKey deletes a license key.
 func DeleteLicenseKey(ctx *context.APIContext) {
 	if err := licenses.DeleteLicenseKey(ctx, ctx.PathParamInt64("id")); err != nil {
@@ -168,6 +268,44 @@ func DeleteLicenseKey(ctx *context.APIContext) {
 	ctx.Status(http.StatusNoContent)
 }

+// ValidateLicenseKey validates a license key — public endpoint (no auth required).
+func ValidateLicenseKey(ctx *context.APIContext) {
+	form := web.GetForm(ctx).(*structs.ValidateLicenseKeyOption)
+
+	key, pkg, err := licenses.ValidateLicenseKey(ctx, form.Key, form.Domain)
+	if err != nil {
+		ctx.JSON(http.StatusOK, &structs.ValidateLicenseKeyResponse{
+			Valid:   false,
+			Message: err.Error(),
+		})
+		return
+	}
+
+	_ = licenses.TouchHeartbeat(ctx, key.ID)
+
+	var expiresAt *time.Time
+	if key.ExpiresUnix > 0 {
+		t := time.Unix(int64(key.ExpiresUnix), 0)
+		expiresAt = &t
+	}
+
+	maxSites := key.MaxSites
+	if maxSites == 0 {
+		maxSites = pkg.MaxSites
+	}
+
+	sitesUsed, _ := licenses.CountUniqueDomainsByKey(ctx, key.ID)
+
+	ctx.JSON(http.StatusOK, &structs.ValidateLicenseKeyResponse{
+		Valid:       true,
+		PackageName: pkg.Name,
+		Channels:    pkg.AllowedChannels,
+		ExpiresAt:   expiresAt,
+		SitesUsed:   sitesUsed,
+		MaxSites:    maxSites,
+	})
+}
+
 // GetLicenseKeyUsage returns usage logs for a license key.
 func GetLicenseKeyUsage(ctx *context.APIContext) {
 	usages, err := licenses.GetRecentUsage(ctx, ctx.PathParamInt64("id"), 100)
@@ -9,6 +9,7 @@ import (
 	"strings"

 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
+	licenses_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/organization"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/renderhelper"
 	repo_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/repo"
@@ -107,6 +108,13 @@ func home(ctx *context.Context, viewRepositories bool) {
 	ctx.Data["Teams"] = ctx.Org.Teams
 	ctx.Data["IsOrganizationMember"] = ctx.Org.IsMember
 	ctx.Data["IsOrganizationOwner"] = ctx.Org.IsOwner
+
+	orgCfg, _ := licenses_model.GetOrgConfig(ctx, ctx.Org.Organization.ID)
+	ctx.Data["OrgLicensingEnabled"] = orgCfg != nil && orgCfg.LicensingEnabled
+	if orgCfg != nil && orgCfg.LicensingEnabled {
+		numPkgs, _ := licenses_model.CountOrgPackages(ctx, ctx.Org.Organization.ID)
+		ctx.Data["NumOrgLicensePackages"] = numPkgs
+	}
 	ctx.Data["IsPublicMember"] = func(uid int64) bool {
 		return membersIsPublic[uid]
 	}
@@ -0,0 +1,454 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package org
+
+import (
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/perm"
+	unit_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/unit"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/json"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/templates"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/timeutil"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/services/context"
+)
+
+const tplOrgLicenses templates.TplName = "org/licenses"
+
+// parseOrgAllowedChannels splits an AllowedChannels string (CSV or JSON array) into a slice.
+func parseOrgAllowedChannels(s string) []string {
+	if s == "" {
+		return nil
+	}
+	if strings.HasPrefix(s, "[") {
+		var parsed []string
+		if err := json.Unmarshal([]byte(s), &parsed); err == nil {
+			return parsed
+		}
+	}
+	parts := strings.Split(s, ",")
+	result := make([]string, 0, len(parts))
+	for _, p := range parts {
+		if t := strings.TrimSpace(p); t != "" {
+			result = append(result, t)
+		}
+	}
+	return result
+}
+
+// LicensePackageDisplay is used in templates.
+type LicensePackageDisplay struct {
+	*licenses.LicensePackage
+	KeyCount int64
+	Created  time.Time
+}
+
+// Licenses shows the org-level license packages and keys.
+func Licenses(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("repo.licenses")
+	ctx.Data["IsLicensesPage"] = true
+
+	org := ctx.Org.Organization
+	ownerID := org.ID
+
+	canWriteLicenses := ctx.Org.Organization.UnitPermission(ctx, ctx.Doer, unit_model.TypeLicenses) >= perm.AccessModeWrite || ctx.IsUserSiteAdmin()
+
+	// Auto-create master key if has write access.
+	if canWriteLicenses {
+		newMasterKey, err := licenses.EnsureMasterKey(ctx, ownerID)
+		if err != nil {
+			ctx.ServerError("EnsureMasterKey", err)
+			return
+		}
+		if newMasterKey != "" {
+			ctx.Data["NewMasterKey"] = newMasterKey
+		}
+	}
+
+	pkgs, err := licenses.ListLicensePackages(ctx, ownerID)
+	if err != nil {
+		ctx.ServerError("ListLicensePackages", err)
+		return
+	}
+
+	var display []LicensePackageDisplay
+	for _, pkg := range pkgs {
+		count, _ := licenses.CountKeysByPackage(ctx, pkg.ID)
+		display = append(display, LicensePackageDisplay{
+			LicensePackage: pkg,
+			KeyCount:       count,
+			Created:        time.Unix(int64(pkg.CreatedUnix), 0),
+		})
+	}
+	ctx.Data["LicensePackages"] = display
+
+	keys, err := licenses.ListLicenseKeys(ctx, ownerID)
+	if err != nil {
+		ctx.ServerError("ListLicenseKeys", err)
+		return
+	}
+	ctx.Data["LicenseKeys"] = keys
+	ctx.Data["IsRepoAdmin"] = canWriteLicenses
+	ctx.Data["IsSiteAdmin"] = ctx.IsUserSiteAdmin()
+	ctx.Data["IsOrganizationOwner"] = ctx.Org.IsOwner
+	ctx.Data["OrgLicensingEnabled"] = true
+
+	orgCfg, _ := licenses.GetOrgConfig(ctx, ownerID)
+	if orgCfg != nil {
+		ctx.Data["AvailableStreams"] = orgCfg.GetActiveStreams()
+	} else {
+		ctx.Data["AvailableStreams"] = licenses.DefaultJoomlaStreams()
+	}
+
+	ctx.HTML(http.StatusOK, tplOrgLicenses)
+}
+
+// LicensesCreatePackage handles POST to create a new org-level license package.
+func LicensesCreatePackage(ctx *context.Context) {
+	name := ctx.FormString("name")
+	if name == "" {
+		ctx.Flash.Error("Package name is required")
+		ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+		return
+	}
+
+	durationDays, _ := strconv.Atoi(ctx.FormString("duration_days"))
+	maxSites, _ := strconv.Atoi(ctx.FormString("max_sites"))
+
+	channels := ctx.Req.Form["allowed_channels"]
+	var allowedChannels string
+	if len(channels) > 0 {
+		data, _ := json.Marshal(channels)
+		allowedChannels = string(data)
+	}
+
+	pkg := &licenses.LicensePackage{
+		OwnerID:         ctx.Org.Organization.ID,
+		Name:            name,
+		Description:     ctx.FormString("description"),
+		DurationDays:    durationDays,
+		MaxSites:        maxSites,
+		AllowedChannels: allowedChannels,
+		RepoScope:       "all",
+		IsActive:        true,
+	}
+
+	if err := licenses.CreateLicensePackage(ctx, pkg); err != nil {
+		ctx.ServerError("CreateLicensePackage", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.package_created"))
+	ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+}
+
+// LicensesGenerateKey handles POST to generate a key from an org package.
+func LicensesGenerateKey(ctx *context.Context) {
+	packageID, _ := strconv.ParseInt(ctx.FormString("package_id"), 10, 64)
+	if packageID == 0 {
+		ctx.Flash.Error("Invalid package")
+		ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+		return
+	}
+
+	pkg, err := licenses.GetLicensePackageByID(ctx, packageID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+
+	key := &licenses.LicenseKey{
+		PackageID: packageID,
+		OwnerID:   ctx.Org.Organization.ID,
+		IsActive:  true,
+	}
+
+	if pkg.DurationDays > 0 {
+		expires := time.Now().AddDate(0, 0, pkg.DurationDays)
+		key.ExpiresUnix = timeutil.TimeStamp(expires.Unix())
+	}
+
+	// Site admins and org owners can manually set a custom key.
+	var rawKey string
+	customKey := strings.TrimSpace(ctx.FormString("custom_key"))
+	if customKey != "" && (ctx.IsUserSiteAdmin() || ctx.Org.IsOwner) {
+		if err := licenses.CreateLicenseKeyCustom(ctx, key, customKey); err != nil {
+			ctx.ServerError("CreateLicenseKeyCustom", err)
+			return
+		}
+		rawKey = customKey
+	} else {
+		rawKey, err = licenses.CreateLicenseKey(ctx, key)
+		if err != nil {
+			ctx.ServerError("CreateLicenseKey", err)
+			return
+		}
+	}
+
+	// Re-render with the new key shown.
+	ctx.Data["Title"] = ctx.Tr("repo.licenses")
+	ctx.Data["IsLicensesPage"] = true
+	ctx.Data["IsRepoAdmin"] = ctx.Org.IsOwner
+	ctx.Data["NewKeyCreated"] = rawKey
+
+	ownerID := ctx.Org.Organization.ID
+	pkgs, _ := licenses.ListLicensePackages(ctx, ownerID)
+	var display []LicensePackageDisplay
+	for _, p := range pkgs {
+		count, _ := licenses.CountKeysByPackage(ctx, p.ID)
+		display = append(display, LicensePackageDisplay{
+			LicensePackage: p,
+			KeyCount:       count,
+			Created:        time.Unix(int64(p.CreatedUnix), 0),
+		})
+	}
+	ctx.Data["LicensePackages"] = display
+	keys, _ := licenses.ListLicenseKeys(ctx, ownerID)
+	ctx.Data["LicenseKeys"] = keys
+
+	orgCfg, _ := licenses.GetOrgConfig(ctx, ownerID)
+	if orgCfg != nil {
+		ctx.Data["AvailableStreams"] = orgCfg.GetActiveStreams()
+	} else {
+		ctx.Data["AvailableStreams"] = licenses.DefaultJoomlaStreams()
+	}
+
+	ctx.HTML(http.StatusOK, tplOrgLicenses)
+}
+
+const tplOrgLicensesEditPackage templates.TplName = "org/licenses_edit_package"
+const tplOrgLicensesEditKey templates.TplName = "repo/licenses_edit_key"
+
+// LicensesEditPackage shows the edit form for an org license package.
+func LicensesEditPackage(ctx *context.Context) {
+	pkgID := ctx.PathParamInt64("id")
+	pkg, err := licenses.GetLicensePackageByID(ctx, pkgID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+
+	if pkg.Name == licenses.MasterPackageName {
+		ctx.Flash.Error("Master package cannot be edited")
+		ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+		return
+	}
+
+	ctx.Data["Title"] = ctx.Tr("repo.licenses.edit_package")
+	ctx.Data["IsLicensesPage"] = true
+	ctx.Data["Package"] = pkg
+	ctx.Data["SelectedChannels"] = parseOrgAllowedChannels(pkg.AllowedChannels)
+
+	orgCfg, _ := licenses.GetOrgConfig(ctx, ctx.Org.Organization.ID)
+	if orgCfg != nil {
+		ctx.Data["AvailableStreams"] = orgCfg.GetActiveStreams()
+	} else {
+		ctx.Data["AvailableStreams"] = licenses.DefaultJoomlaStreams()
+	}
+
+	ctx.HTML(http.StatusOK, tplOrgLicensesEditPackage)
+}
+
+// LicensesEditPackagePost saves edits to an org license package.
+func LicensesEditPackagePost(ctx *context.Context) {
+	pkgID := ctx.PathParamInt64("id")
+	pkg, err := licenses.GetLicensePackageByID(ctx, pkgID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+
+	if pkg.Name == licenses.MasterPackageName {
+		ctx.Flash.Error("Master package cannot be edited")
+		ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+		return
+	}
+
+	pkg.Name = ctx.FormString("name")
+	pkg.Description = ctx.FormString("description")
+	durationDays, _ := strconv.Atoi(ctx.FormString("duration_days"))
+	pkg.DurationDays = durationDays
+	maxSites, _ := strconv.Atoi(ctx.FormString("max_sites"))
+	pkg.MaxSites = maxSites
+
+	channels := ctx.Req.Form["allowed_channels"]
+	if len(channels) > 0 {
+		data, _ := json.Marshal(channels)
+		pkg.AllowedChannels = string(data)
+	} else {
+		pkg.AllowedChannels = ""
+	}
+
+	pkg.IsActive = ctx.FormString("is_active") == "on"
+
+	if err := licenses.UpdateLicensePackage(ctx, pkg); err != nil {
+		ctx.ServerError("UpdateLicensePackage", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.package_updated"))
+	ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+}
+
+// LicensesDeletePackage deletes an org license package. Site admin only.
+func LicensesDeletePackage(ctx *context.Context) {
+	if !ctx.IsUserSiteAdmin() {
+		ctx.NotFound(nil)
+		return
+	}
+	pkgID := ctx.PathParamInt64("id")
+	pkg, err := licenses.GetLicensePackageByID(ctx, pkgID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+	if pkg.Name == licenses.MasterPackageName {
+		ctx.Flash.Error("Master package cannot be deleted")
+		ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+		return
+	}
+	if err := licenses.DeleteLicensePackage(ctx, pkgID); err != nil {
+		ctx.ServerError("DeleteLicensePackage", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.package_deleted"))
+	ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+}
+
+// LicensesEditKey shows the edit form for an org license key.
+func LicensesEditKey(ctx *context.Context) {
+	keyID := ctx.PathParamInt64("id")
+	key, err := licenses.GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		ctx.ServerError("GetLicenseKeyByID", err)
+		return
+	}
+
+	if key.IsInternal {
+		ctx.Flash.Error("Master keys cannot be edited")
+		ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+		return
+	}
+
+	ctx.Data["Title"] = ctx.Tr("repo.licenses.edit_key")
+	ctx.Data["IsLicensesPage"] = true
+	ctx.Data["Key"] = key
+	ctx.Data["FormAction"] = ctx.Org.OrgLink + "/-/licenses/keys/" + strconv.FormatInt(key.ID, 10) + "/edit"
+	ctx.Data["BackLink"] = ctx.Org.OrgLink + "/-/licenses"
+
+	if key.ExpiresUnix > 0 {
+		ctx.Data["ExpiresDate"] = time.Unix(int64(key.ExpiresUnix), 0).Format("2006-01-02")
+	}
+
+	ctx.HTML(http.StatusOK, tplOrgLicensesEditKey)
+}
+
+// LicensesEditKeyPost saves edits to an org license key.
+func LicensesEditKeyPost(ctx *context.Context) {
+	keyID := ctx.PathParamInt64("id")
+	key, err := licenses.GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		ctx.ServerError("GetLicenseKeyByID", err)
+		return
+	}
+
+	if key.IsInternal {
+		ctx.Flash.Error("Master keys cannot be edited")
+		ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+		return
+	}
+
+	key.LicenseeName = ctx.FormString("licensee_name")
+	key.LicenseeEmail = ctx.FormString("licensee_email")
+	key.DomainRestriction = ctx.FormString("domain_restriction")
+	maxSites, _ := strconv.Atoi(ctx.FormString("max_sites"))
+	key.MaxSites = maxSites
+	key.IsActive = ctx.FormString("is_active") == "on"
+
+	expiresStr := ctx.FormString("expires_at")
+	if expiresStr != "" {
+		t, err := time.Parse("2006-01-02", expiresStr)
+		if err == nil {
+			key.ExpiresUnix = timeutil.TimeStamp(t.Unix())
+		}
+	} else {
+		key.ExpiresUnix = 0
+	}
+
+	if err := licenses.UpdateLicenseKey(ctx, key); err != nil {
+		ctx.ServerError("UpdateLicenseKey", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.key_updated"))
+	ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+}
+
+// LicensesRevokeKey handles POST to revoke an org license key.
+func LicensesRevokeKey(ctx *context.Context) {
+	keyID := ctx.PathParamInt64("id")
+	key, err := licenses.GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		ctx.ServerError("GetLicenseKeyByID", err)
+		return
+	}
+
+	key.IsActive = false
+	if err := licenses.UpdateLicenseKey(ctx, key); err != nil {
+		ctx.ServerError("UpdateLicenseKey", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.key_revoked"))
+	ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+}
+
+// LicensesRenewKey extends a license key's expiration by the package's duration.
+func LicensesRenewKey(ctx *context.Context) {
+	keyID := ctx.PathParamInt64("id")
+	key, err := licenses.GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		ctx.ServerError("GetLicenseKeyByID", err)
+		return
+	}
+
+	pkg, err := licenses.GetLicensePackageByID(ctx, key.PackageID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+
+	days := pkg.DurationDays
+	if days == 0 {
+		days = 365 // default to 1 year for lifetime packages
+	}
+
+	if err := licenses.RenewLicenseKey(ctx, keyID, days); err != nil {
+		ctx.ServerError("RenewLicenseKey", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.key_renewed", days))
+	ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+}
+
+// LicensesDeleteKey permanently deletes a license key. Site admin only.
+func LicensesDeleteKey(ctx *context.Context) {
+	if !ctx.IsUserSiteAdmin() {
+		ctx.NotFound(nil)
+		return
+	}
+	keyID := ctx.PathParamInt64("id")
+	if err := licenses.DeleteLicenseKey(ctx, keyID); err != nil {
+		ctx.ServerError("DeleteLicenseKey", err)
+		return
+	}
+	ctx.Flash.Success(ctx.Tr("repo.licenses.key_deleted"))
+	ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+}
@@ -324,19 +324,9 @@ func NewTeam(ctx *context.Context) {
 	ctx.HTML(http.StatusOK, tplTeamNew)
 }

-// FIXME: TEAM-UNIT-PERMISSION: this design is not right, when a new unit is added in the future,
-// The existing teams won't inherit the correct admin permission for the new unit.
-// The full history is like this:
-// 1. There was only "team", no "team unit", so "team.authorize" was used to determine the team permission.
-// 2. Later, "team unit" was introduced, then the usage of "team.authorize" became inconsistent, and causes various bugs.
-//   - Sometimes, "team.authorize" is used to determine the team permission, e.g. admin, owner
-//   - Sometimes, "team unit" is used not really used and "team unit" is used.
-//   - Some functions like `GetTeamsWithAccessToAnyRepoUnit` use both.
-//
-// 3. After introducing "team unit" and more unclear changes, it becomes difficult to maintain team permissions.
-//   - Org owner need to click the permission for each unit, but can't just set a common "write" permission for all units.
-//
-// Ideally, "team.authorize=write" should mean the team has write access to all units including newly (future) added ones.
+// getUnitPerms parses the unit permission form values for a team.
+// Note: admin teams (team.authorize >= Admin) implicitly have admin access to
+// all units via UnitMaxAccess(), so explicit TeamUnit records are supplementary.
 func getUnitPerms(forms url.Values, teamPermission perm.AccessMode) map[unit_model.Type]perm.AccessMode {
 	unitPerms := make(map[unit_model.Type]perm.AccessMode)
 	for _, ut := range unit_model.AllRepoUnitTypes {
@@ -0,0 +1,59 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package org
+
+import (
+	"net/http"
+
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/templates"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/services/context"
+)
+
+const tplSettingsUpdateStreams templates.TplName = "org/settings/update_streams"
+
+// SettingsUpdateStreams shows the org-level update stream settings.
+func SettingsUpdateStreams(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("org.settings.update_streams")
+	ctx.Data["PageIsOrgSettings"] = true
+	ctx.Data["PageIsSettingsUpdateStreams"] = true
+
+	orgID := ctx.Org.Organization.ID
+
+	cfg, err := licenses.GetOrgConfig(ctx, orgID)
+	if err != nil {
+		ctx.ServerError("GetOrgConfig", err)
+		return
+	}
+	ctx.Data["StreamConfig"] = cfg
+	ctx.Data["EffectiveStreams"] = cfg.GetActiveStreams()
+
+	ctx.HTML(http.StatusOK, tplSettingsUpdateStreams)
+}
+
+// SettingsUpdateStreamsPost saves the org-level update stream settings.
+func SettingsUpdateStreamsPost(ctx *context.Context) {
+	orgID := ctx.Org.Organization.ID
+
+	cfg := &licenses.UpdateStreamConfig{
+		OwnerID:          orgID,
+		RepoID:           0,
+		StreamMode:       ctx.FormString("stream_mode"),
+		CustomStreams:     ctx.FormString("custom_streams"),
+		LicensingEnabled: ctx.FormString("licensing_enabled") == "on",
+		RequireKey:       ctx.FormString("require_key") == "on",
+	}
+
+	if cfg.StreamMode == "" {
+		cfg.StreamMode = "joomla"
+	}
+
+	if err := licenses.SaveConfig(ctx, cfg); err != nil {
+		ctx.ServerError("SaveConfig", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("org.settings.update_streams_saved"))
+	ctx.Redirect(ctx.Org.OrgLink + "/settings/update-streams")
+}
@@ -0,0 +1,457 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package repo
+
+import (
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
+	unit_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/unit"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/json"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/templates"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/timeutil"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/services/context"
+)
+
+const tplLicenses templates.TplName = "repo/licenses"
+
+// parseAllowedChannels splits an AllowedChannels string (CSV or JSON array) into a slice.
+func parseAllowedChannels(s string) []string {
+	if s == "" {
+		return nil
+	}
+	if strings.HasPrefix(s, "[") {
+		var parsed []string
+		if err := json.Unmarshal([]byte(s), &parsed); err == nil {
+			return parsed
+		}
+	}
+	parts := strings.Split(s, ",")
+	result := make([]string, 0, len(parts))
+	for _, p := range parts {
+		if t := strings.TrimSpace(p); t != "" {
+			result = append(result, t)
+		}
+	}
+	return result
+}
+
+// LicensePackageDisplay is used in templates.
+type LicensePackageDisplay struct {
+	*licenses.LicensePackage
+	KeyCount int64
+	Created  time.Time
+}
+
+// Licenses shows the license packages and keys for a repo.
+func Licenses(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("repo.licenses")
+	ctx.Data["PageIsLicenses"] = true
+	ctx.Data["IsLicensesPage"] = true
+	canWriteLicenses := ctx.Repo.Permission.CanWrite(unit_model.TypeLicenses) || ctx.IsUserSiteAdmin()
+	ctx.Data["IsRepoAdmin"] = canWriteLicenses
+	ctx.Data["IsSiteAdmin"] = ctx.IsUserSiteAdmin()
+
+	ownerID := ctx.Repo.Repository.OwnerID
+
+	// Auto-create master package + key if admin and none exist.
+	if canWriteLicenses {
+		newMasterKey, err := licenses.EnsureMasterKey(ctx, ownerID)
+		if err != nil {
+			ctx.ServerError("EnsureMasterKey", err)
+			return
+		}
+		if newMasterKey != "" {
+			ctx.Data["NewMasterKey"] = newMasterKey
+		}
+	}
+
+	pkgs, err := licenses.ListLicensePackages(ctx, ownerID)
+	if err != nil {
+		ctx.ServerError("ListLicensePackages", err)
+		return
+	}
+
+	var display []LicensePackageDisplay
+	for _, pkg := range pkgs {
+		count, _ := licenses.CountKeysByPackage(ctx, pkg.ID)
+		display = append(display, LicensePackageDisplay{
+			LicensePackage: pkg,
+			KeyCount:       count,
+			Created:        time.Unix(int64(pkg.CreatedUnix), 0),
+		})
+	}
+	ctx.Data["LicensePackages"] = display
+
+	keys, err := licenses.ListLicenseKeys(ctx, ownerID)
+	if err != nil {
+		ctx.ServerError("ListLicenseKeys", err)
+		return
+	}
+	ctx.Data["LicenseKeys"] = keys
+
+	// Load available streams for the channels multiselect.
+	orgCfg, _ := licenses.GetOrgConfig(ctx, ownerID)
+	if orgCfg != nil {
+		ctx.Data["AvailableStreams"] = orgCfg.GetActiveStreams()
+	} else {
+		ctx.Data["AvailableStreams"] = licenses.DefaultJoomlaStreams()
+	}
+
+	ctx.HTML(http.StatusOK, tplLicenses)
+}
+
+// LicensesCreatePackage handles POST to create a new license package.
+func LicensesCreatePackage(ctx *context.Context) {
+	name := ctx.FormString("name")
+	if name == "" {
+		ctx.Flash.Error("Package name is required")
+		ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+		return
+	}
+
+	durationDays, _ := strconv.Atoi(ctx.FormString("duration_days"))
+	maxSites, _ := strconv.Atoi(ctx.FormString("max_sites"))
+
+	channels := ctx.Req.Form["allowed_channels"]
+	var allowedChannels string
+	if len(channels) > 0 {
+		data, _ := json.Marshal(channels)
+		allowedChannels = string(data)
+	}
+
+	pkg := &licenses.LicensePackage{
+		OwnerID:         ctx.Repo.Repository.OwnerID,
+		Name:            name,
+		Description:     ctx.FormString("description"),
+		DurationDays:    durationDays,
+		MaxSites:        maxSites,
+		AllowedChannels: allowedChannels,
+		RepoScope:       "all",
+		IsActive:        true,
+	}
+
+	if err := licenses.CreateLicensePackage(ctx, pkg); err != nil {
+		ctx.ServerError("CreateLicensePackage", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.package_created"))
+	ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+}
+
+// LicensesGenerateKey handles POST to generate a new key from a package.
+func LicensesGenerateKey(ctx *context.Context) {
+	packageID, _ := strconv.ParseInt(ctx.FormString("package_id"), 10, 64)
+	if packageID == 0 {
+		ctx.Flash.Error("Invalid package")
+		ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+		return
+	}
+
+	pkg, err := licenses.GetLicensePackageByID(ctx, packageID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+
+	key := &licenses.LicenseKey{
+		PackageID: packageID,
+		OwnerID:   ctx.Repo.Repository.OwnerID,
+		IsActive:  true,
+	}
+
+	// Auto-calculate expiry from package duration.
+	if pkg.DurationDays > 0 {
+		expires := time.Now().AddDate(0, 0, pkg.DurationDays)
+		key.ExpiresUnix = timeutil.TimeStamp(expires.Unix())
+	}
+
+	// Site admins and org owners can manually set a custom key.
+	var rawKey string
+	customKey := strings.TrimSpace(ctx.FormString("custom_key"))
+	if customKey != "" && (ctx.IsUserSiteAdmin() || ctx.Repo.Permission.IsOwner()) {
+		if err := licenses.CreateLicenseKeyCustom(ctx, key, customKey); err != nil {
+			ctx.ServerError("CreateLicenseKeyCustom", err)
+			return
+		}
+		rawKey = customKey
+	} else {
+		rawKey, err = licenses.CreateLicenseKey(ctx, key)
+		if err != nil {
+			ctx.ServerError("CreateLicenseKey", err)
+			return
+		}
+	}
+
+	ctx.Data["Title"] = ctx.Tr("repo.licenses")
+	ctx.Data["PageIsLicenses"] = true
+	ctx.Data["IsLicensesPage"] = true
+	ctx.Data["IsRepoAdmin"] = ctx.Repo.Permission.CanWrite(unit_model.TypeLicenses) || ctx.IsUserSiteAdmin()
+	ctx.Data["IsSiteAdmin"] = ctx.IsUserSiteAdmin()
+	ctx.Data["NewKeyCreated"] = rawKey
+
+	// Re-render the page with the new key displayed.
+	ownerID := ctx.Repo.Repository.OwnerID
+	pkgs, _ := licenses.ListLicensePackages(ctx, ownerID)
+	var display []LicensePackageDisplay
+	for _, p := range pkgs {
+		count, _ := licenses.CountKeysByPackage(ctx, p.ID)
+		display = append(display, LicensePackageDisplay{
+			LicensePackage: p,
+			KeyCount:       count,
+			Created:        time.Unix(int64(p.CreatedUnix), 0),
+		})
+	}
+	ctx.Data["LicensePackages"] = display
+	keys, _ := licenses.ListLicenseKeys(ctx, ownerID)
+	ctx.Data["LicenseKeys"] = keys
+
+	orgCfg, _ := licenses.GetOrgConfig(ctx, ownerID)
+	if orgCfg != nil {
+		ctx.Data["AvailableStreams"] = orgCfg.GetActiveStreams()
+	} else {
+		ctx.Data["AvailableStreams"] = licenses.DefaultJoomlaStreams()
+	}
+
+	ctx.HTML(http.StatusOK, tplLicenses)
+}
+
+// LicensesRevokeKey handles POST to revoke a license key.
+func LicensesRevokeKey(ctx *context.Context) {
+	keyID := ctx.PathParamInt64("id")
+	key, err := licenses.GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		ctx.ServerError("GetLicenseKeyByID", err)
+		return
+	}
+
+	key.IsActive = false
+	if err := licenses.UpdateLicenseKey(ctx, key); err != nil {
+		ctx.ServerError("UpdateLicenseKey", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.key_revoked"))
+	ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+}
+
+const tplLicensesEditPackage templates.TplName = "repo/licenses_edit_package"
+const tplLicensesEditKey templates.TplName = "repo/licenses_edit_key"
+
+// LicensesEditKey shows the edit form for a license key.
+func LicensesEditKey(ctx *context.Context) {
+	keyID := ctx.PathParamInt64("id")
+	key, err := licenses.GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		ctx.ServerError("GetLicenseKeyByID", err)
+		return
+	}
+
+	if key.IsInternal {
+		ctx.Flash.Error("Master keys cannot be edited")
+		ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+		return
+	}
+
+	ctx.Data["Title"] = ctx.Tr("repo.licenses.edit_key")
+	ctx.Data["PageIsLicenses"] = true
+	ctx.Data["IsLicensesPage"] = true
+	ctx.Data["Key"] = key
+	ctx.Data["FormAction"] = ctx.Repo.RepoLink + "/licenses/keys/" + strconv.FormatInt(key.ID, 10) + "/edit"
+	ctx.Data["BackLink"] = ctx.Repo.RepoLink + "/licenses"
+
+	if key.ExpiresUnix > 0 {
+		ctx.Data["ExpiresDate"] = time.Unix(int64(key.ExpiresUnix), 0).Format("2006-01-02")
+	}
+
+	ctx.HTML(http.StatusOK, tplLicensesEditKey)
+}
+
+// LicensesEditKeyPost saves edits to a license key.
+func LicensesEditKeyPost(ctx *context.Context) {
+	keyID := ctx.PathParamInt64("id")
+	key, err := licenses.GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		ctx.ServerError("GetLicenseKeyByID", err)
+		return
+	}
+
+	if key.IsInternal {
+		ctx.Flash.Error("Master keys cannot be edited")
+		ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+		return
+	}
+
+	key.LicenseeName = ctx.FormString("licensee_name")
+	key.LicenseeEmail = ctx.FormString("licensee_email")
+	key.DomainRestriction = ctx.FormString("domain_restriction")
+	maxSites, _ := strconv.Atoi(ctx.FormString("max_sites"))
+	key.MaxSites = maxSites
+	key.IsActive = ctx.FormString("is_active") == "on"
+
+	expiresStr := ctx.FormString("expires_at")
+	if expiresStr != "" {
+		t, err := time.Parse("2006-01-02", expiresStr)
+		if err == nil {
+			key.ExpiresUnix = timeutil.TimeStamp(t.Unix())
+		}
+	} else {
+		key.ExpiresUnix = 0
+	}
+
+	if err := licenses.UpdateLicenseKey(ctx, key); err != nil {
+		ctx.ServerError("UpdateLicenseKey", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.key_updated"))
+	ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+}
+
+// LicensesEditPackage shows the edit form for a license package.
+func LicensesEditPackage(ctx *context.Context) {
+	pkgID := ctx.PathParamInt64("id")
+	pkg, err := licenses.GetLicensePackageByID(ctx, pkgID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+
+	if pkg.Name == licenses.MasterPackageName {
+		ctx.Flash.Error("Master package cannot be edited")
+		ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+		return
+	}
+
+	ctx.Data["Title"] = ctx.Tr("repo.licenses.edit_package")
+	ctx.Data["PageIsLicenses"] = true
+	ctx.Data["IsLicensesPage"] = true
+	ctx.Data["Package"] = pkg
+	ctx.Data["SelectedChannels"] = parseAllowedChannels(pkg.AllowedChannels)
+
+	ownerID := ctx.Repo.Repository.OwnerID
+	orgCfg, _ := licenses.GetOrgConfig(ctx, ownerID)
+	if orgCfg != nil {
+		ctx.Data["AvailableStreams"] = orgCfg.GetActiveStreams()
+	} else {
+		ctx.Data["AvailableStreams"] = licenses.DefaultJoomlaStreams()
+	}
+
+	ctx.HTML(http.StatusOK, tplLicensesEditPackage)
+}
+
+// LicensesEditPackagePost saves edits to a license package.
+func LicensesEditPackagePost(ctx *context.Context) {
+	pkgID := ctx.PathParamInt64("id")
+	pkg, err := licenses.GetLicensePackageByID(ctx, pkgID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+
+	if pkg.Name == licenses.MasterPackageName {
+		ctx.Flash.Error("Master package cannot be edited")
+		ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+		return
+	}
+
+	pkg.Name = ctx.FormString("name")
+	pkg.Description = ctx.FormString("description")
+	durationDays, _ := strconv.Atoi(ctx.FormString("duration_days"))
+	pkg.DurationDays = durationDays
+	maxSites, _ := strconv.Atoi(ctx.FormString("max_sites"))
+	pkg.MaxSites = maxSites
+
+	channels := ctx.Req.Form["allowed_channels"]
+	if len(channels) > 0 {
+		data, _ := json.Marshal(channels)
+		pkg.AllowedChannels = string(data)
+	} else {
+		pkg.AllowedChannels = ""
+	}
+
+	pkg.IsActive = ctx.FormString("is_active") == "on"
+
+	if err := licenses.UpdateLicensePackage(ctx, pkg); err != nil {
+		ctx.ServerError("UpdateLicensePackage", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.package_updated"))
+	ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+}
+
+// LicensesDeletePackage deletes a license package. Site admin only.
+func LicensesDeletePackage(ctx *context.Context) {
+	if !ctx.IsUserSiteAdmin() {
+		ctx.NotFound(nil)
+		return
+	}
+	pkgID := ctx.PathParamInt64("id")
+	pkg, err := licenses.GetLicensePackageByID(ctx, pkgID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+	if pkg.Name == licenses.MasterPackageName {
+		ctx.Flash.Error("Master package cannot be deleted")
+		ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+		return
+	}
+	if err := licenses.DeleteLicensePackage(ctx, pkgID); err != nil {
+		ctx.ServerError("DeleteLicensePackage", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.package_deleted"))
+	ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+}
+
+// LicensesRenewKey extends a license key's expiration by the package's duration.
+func LicensesRenewKey(ctx *context.Context) {
+	keyID := ctx.PathParamInt64("id")
+	key, err := licenses.GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		ctx.ServerError("GetLicenseKeyByID", err)
+		return
+	}
+
+	pkg, err := licenses.GetLicensePackageByID(ctx, key.PackageID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+
+	days := pkg.DurationDays
+	if days == 0 {
+		days = 365 // default to 1 year for lifetime packages
+	}
+
+	if err := licenses.RenewLicenseKey(ctx, keyID, days); err != nil {
+		ctx.ServerError("RenewLicenseKey", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.key_renewed", days))
+	ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+}
+
+// LicensesDeleteKey permanently deletes a license key. Site admin only.
+func LicensesDeleteKey(ctx *context.Context) {
+	if !ctx.IsUserSiteAdmin() {
+		ctx.NotFound(nil)
+		return
+	}
+	keyID := ctx.PathParamInt64("id")
+	if err := licenses.DeleteLicenseKey(ctx, keyID); err != nil {
+		ctx.ServerError("DeleteLicenseKey", err)
+		return
+	}
+	ctx.Flash.Success(ctx.Tr("repo.licenses.key_deleted"))
+	ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+}
@@ -12,6 +12,8 @@ import (

 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/organization"
+	licenses_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/perm"
 	repo_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/repo"
 	unit_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/unit"
 	user_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/user"
@@ -99,6 +101,8 @@ func SettingsCtxData(ctx *context.Context) {

 // Settings show a repository's settings page
 func Settings(ctx *context.Context) {
+	repoCfg, _ := licenses_model.GetRepoConfig(ctx, ctx.Repo.Repository.ID)
+	ctx.Data["RepoUpdateConfig"] = repoCfg
 	ctx.HTML(http.StatusOK, tplSettingsOptions)
 }

@@ -510,6 +514,17 @@ func newRepoUnit(repo *repo_model.Repository, unitType unit_model.Type, config c
 	return repoUnit
 }

+// applyUnitVisibility sets AnonymousAccessMode on a unit based on the form value.
+// Values: "" or "not-set" = none, "anonymous-read" = anonymous read.
+func applyUnitVisibility(unit *repo_model.RepoUnit, visibility string) {
+	switch visibility {
+	case "anonymous-read":
+		unit.AnonymousAccessMode = perm.AccessModeRead
+	default:
+		unit.AnonymousAccessMode = perm.AccessModeNone
+	}
+}
+
 func handleSettingsPostAdvanced(ctx *context.Context) {
 	form := web.GetForm(ctx).(*forms.RepoSettingForm)
 	repo := ctx.Repo.Repository
@@ -527,7 +542,9 @@ func handleSettingsPostAdvanced(ctx *context.Context) {
 	}

 	if form.EnableCode && !unit_model.TypeCode.UnitGlobalDisabled() {
-		units = append(units, newRepoUnit(repo, unit_model.TypeCode, nil))
+		u := newRepoUnit(repo, unit_model.TypeCode, nil)
+		applyUnitVisibility(&u, form.CodeVisibility)
+		units = append(units, u)
 	} else if !unit_model.TypeCode.UnitGlobalDisabled() {
 		deleteUnitTypes = append(deleteUnitTypes, unit_model.TypeCode)
 	}
@@ -544,7 +561,9 @@ func handleSettingsPostAdvanced(ctx *context.Context) {
 		}))
 		deleteUnitTypes = append(deleteUnitTypes, unit_model.TypeWiki)
 	} else if form.EnableWiki && !form.EnableExternalWiki && !unit_model.TypeWiki.UnitGlobalDisabled() {
-		units = append(units, newRepoUnit(repo, unit_model.TypeWiki, new(repo_model.UnitConfig)))
+		u := newRepoUnit(repo, unit_model.TypeWiki, new(repo_model.UnitConfig))
+		applyUnitVisibility(&u, form.WikiVisibility)
+		units = append(units, u)
 		deleteUnitTypes = append(deleteUnitTypes, unit_model.TypeExternalWiki)
 	} else {
 		if !unit_model.TypeExternalWiki.UnitGlobalDisabled() {
@@ -581,11 +600,13 @@ func handleSettingsPostAdvanced(ctx *context.Context) {
 		}))
 		deleteUnitTypes = append(deleteUnitTypes, unit_model.TypeIssues)
 	} else if form.EnableIssues && !form.EnableExternalTracker && !unit_model.TypeIssues.UnitGlobalDisabled() {
-		units = append(units, newRepoUnit(repo, unit_model.TypeIssues, &repo_model.IssuesConfig{
+		u := newRepoUnit(repo, unit_model.TypeIssues, &repo_model.IssuesConfig{
 			EnableTimetracker:                form.EnableTimetracker,
 			AllowOnlyContributorsToTrackTime: form.AllowOnlyContributorsToTrackTime,
 			EnableDependencies:               form.EnableIssueDependencies,
-		}))
+		})
+		applyUnitVisibility(&u, form.IssuesVisibility)
+		units = append(units, u)
 		deleteUnitTypes = append(deleteUnitTypes, unit_model.TypeExternalTracker)
 	} else {
 		if !unit_model.TypeExternalTracker.UnitGlobalDisabled() {
@@ -605,7 +626,9 @@ func handleSettingsPostAdvanced(ctx *context.Context) {
 	}

 	if form.EnableReleases && !unit_model.TypeReleases.UnitGlobalDisabled() {
-		units = append(units, newRepoUnit(repo, unit_model.TypeReleases, nil))
+		u := newRepoUnit(repo, unit_model.TypeReleases, nil)
+		applyUnitVisibility(&u, form.ReleasesVisibility)
+		units = append(units, u)
 	} else if !unit_model.TypeReleases.UnitGlobalDisabled() {
 		deleteUnitTypes = append(deleteUnitTypes, unit_model.TypeReleases)
 	}
@@ -652,6 +675,23 @@ func handleSettingsPostAdvanced(ctx *context.Context) {
 			return
 		}
 	}
+	// Save update server platform and require-key settings.
+	updatePlatform := form.UpdatePlatform
+	if updatePlatform == "" {
+		updatePlatform = "joomla"
+	}
+	updateCfg := &licenses_model.UpdateStreamConfig{
+		OwnerID:          repo.OwnerID,
+		RepoID:           repo.ID,
+		Platform:         updatePlatform,
+		LicensingEnabled: form.EnableLicensing,
+		RequireKey:       form.RequireUpdateKey,
+		StreamMode:       "joomla", // inherit org default
+	}
+	if err := licenses_model.SaveConfig(ctx, updateCfg); err != nil {
+		log.Error("SaveConfig: %v", err)
+	}
+
 	log.Trace("Repository advanced settings updated: %s/%s", ctx.Repo.Owner.Name, repo.Name)

 	ctx.Flash.Success(ctx.Tr("repo.settings.update_settings_success"))
@@ -21,23 +21,34 @@ func validateUpdateKey(ctx *context.Context) (allowedChannels []string, ok bool)
 	if rawKey == "" {
 		rawKey = ctx.FormString("download_key")
 	}
+	if rawKey == "" {
+		rawKey = ctx.FormString("dlid")
+	}

 	if rawKey == "" {
-		// No key provided — allow public access (all channels).
+		// Check if this repo requires a key for update feed access.
+		repoCfg, _ := licenses.GetRepoConfig(ctx, ctx.Repo.Repository.ID)
+		if repoCfg != nil && repoCfg.RequireKey {
+			// Key required but not provided — return empty.
+			return nil, false
+		}
+		// No key required — allow public access (all channels).
 		return nil, true
 	}

-	key, pkg, err := licenses.ValidateLicenseKey(ctx, rawKey)
+	domain := ctx.FormString("domain")
+	key, pkg, err := licenses.ValidateLicenseKey(ctx, rawKey, domain)
 	if err != nil {
 		log.Debug("License key validation failed: %v", err)
 		return nil, false
 	}

-	// Record usage.
+	// Update heartbeat and record usage.
+	_ = licenses.TouchHeartbeat(ctx, key.ID)
 	_ = licenses.RecordUsage(ctx, &licenses.LicenseKeyUsage{
 		KeyID:       key.ID,
 		RepoID:      ctx.Repo.Repository.ID,
-		Domain:      ctx.FormString("domain"),
+		Domain:      domain,
 		IPAddress:   ctx.RemoteAddr(),
 		UserAgent:   ctx.Req.UserAgent(),
 		VersionFrom: ctx.FormString("version"),
@@ -56,6 +67,10 @@ func validateUpdateKey(ctx *context.Context) (allowedChannels []string, ok bool)
 				channels = parsed
 			}
 		}
+		// Normalize shorthand names to full Joomla convention.
+		for i := range channels {
+			channels[i] = updateserver.NormalizeChannel(channels[i])
+		}
 		return channels, true
 	}

@@ -66,6 +81,13 @@ func validateUpdateKey(ctx *context.Context) (allowedChannels []string, ok bool)
 // ServeUpdatesXML generates and serves a Joomla-compatible updates.xml
 // from the repository's releases.
 func ServeUpdatesXML(ctx *context.Context) {
+	// Block if platform doesn't include joomla.
+	platform := ctx.Data["RepoUpdatePlatform"]
+	if platform == "dolibarr" {
+		ctx.NotFound(nil)
+		return
+	}
+
 	allowedChannels, ok := validateUpdateKey(ctx)
 	if !ok {
 		// Return empty updates XML for invalid keys (Joomla-compatible).
@@ -75,7 +97,11 @@ func ServeUpdatesXML(ctx *context.Context) {
 		return
 	}

-	xmlData, err := updateserver.GenerateJoomlaXML(ctx, ctx.Repo.Repository, allowedChannels...)
+	// Check if this repo requires a license key for update feed access.
+	repoCfg, _ := licenses.GetRepoConfig(ctx, ctx.Repo.Repository.ID)
+	requireKey := repoCfg != nil && repoCfg.RequireKey
+
+	xmlData, err := updateserver.GenerateJoomlaXML(ctx, ctx.Repo.Repository, requireKey, allowedChannels...)
 	if err != nil {
 		ctx.ServerError("GenerateJoomlaXML", err)
 		return
@@ -87,9 +113,26 @@ func ServeUpdatesXML(ctx *context.Context) {
 }

 // ServeDolibarrJSON generates and serves a Dolibarr-compatible update feed
-// from the repository's releases.
+// from the repository's releases. Uses the same license key validation as the
+// Joomla XML feed — all platforms share the same licensing system.
 func ServeDolibarrJSON(ctx *context.Context) {
-	data, err := updateserver.GenerateDolibarrJSON(ctx, ctx.Repo.Repository)
+	// Block if platform doesn't include dolibarr.
+	platform := ctx.Data["RepoUpdatePlatform"]
+	if platform == "joomla" || platform == "" {
+		ctx.NotFound(nil)
+		return
+	}
+
+	allowedChannels, ok := validateUpdateKey(ctx)
+	if !ok {
+		// Return empty updates for invalid keys.
+		ctx.Resp.Header().Set("Content-Type", "application/json; charset=utf-8")
+		ctx.Resp.WriteHeader(http.StatusOK)
+		_, _ = ctx.Resp.Write([]byte(`{"module":"","updates":[]}`))
+		return
+	}
+
+	data, err := updateserver.GenerateDolibarrJSON(ctx, ctx.Repo.Repository, allowedChannels...)
 	if err != nil {
 		ctx.ServerError("GenerateDolibarrJSON", err)
 		return
@@ -1057,6 +1057,11 @@ func registerWebRoutes(m *web.Router, webAuth *AuthMiddleware) {
 					m.Get("", org.BlockedUsers)
 					m.Post("", web.Bind(forms.BlockUserForm{}), org.BlockedUsersPost)
 				})
+
+				m.Group("/update-streams", func() {
+					m.Get("", org.SettingsUpdateStreams)
+					m.Post("", org.SettingsUpdateStreamsPost)
+				})
 			}, ctxDataSet("EnableOAuth2", setting.OAuth2.Enabled, "EnablePackages", setting.Packages.Enabled, "PageIsOrgSettings", true))
 		}, context.OrgAssignment(context.OrgAssignmentOptions{RequireOwner: true}))
 	}, reqSignIn)
@@ -1099,6 +1104,22 @@ func registerWebRoutes(m *web.Router, webAuth *AuthMiddleware) {
 		// at the moment, only editing "owner-level projects" need to "mention", maybe in the future we can relax the permission check
 		m.Get("/mentions-in-owner", reqUnitAccess(unit.TypeProjects, perm.AccessModeWrite, true), org.GetMentionsInOwner)

+		m.Group("/licenses", func() {
+			m.Get("", org.Licenses)
+			m.Group("", func() {
+				m.Post("/packages", org.LicensesCreatePackage)
+				m.Get("/packages/{id}/edit", org.LicensesEditPackage)
+				m.Post("/packages/{id}/edit", org.LicensesEditPackagePost)
+				m.Post("/packages/{id}/delete", org.LicensesDeletePackage)
+				m.Post("/keys/generate", org.LicensesGenerateKey)
+				m.Get("/keys/{id}/edit", org.LicensesEditKey)
+				m.Post("/keys/{id}/edit", org.LicensesEditKeyPost)
+				m.Post("/keys/{id}/revoke", org.LicensesRevokeKey)
+				m.Post("/keys/{id}/renew", org.LicensesRenewKey)
+				m.Post("/keys/{id}/delete", org.LicensesDeleteKey)
+			}, reqUnitAccess(unit.TypeLicenses, perm.AccessModeWrite, true))
+		}, reqUnitAccess(unit.TypeLicenses, perm.AccessModeRead, true))
+
 		m.Get("/repositories", org.Repositories)
 		m.Get("/heatmap", user.DashboardHeatmap)

@@ -1501,6 +1522,24 @@ func registerWebRoutes(m *web.Router, webAuth *AuthMiddleware) {
 	}, optSignIn, context.RepoAssignment)
 	// end "/{username}/{reponame}": update server

+	// "/{username}/{reponame}": licenses page
+	// Note: page visibility is controlled by LicensingEnabled (org config).
+	// Write permissions are checked in handlers via CanWrite(TypeLicenses).
+	m.Group("/{username}/{reponame}/licenses", func() {
+		m.Get("", repo.Licenses)
+		m.Post("/packages", repo.LicensesCreatePackage)
+		m.Get("/packages/{id}/edit", repo.LicensesEditPackage)
+		m.Post("/packages/{id}/edit", repo.LicensesEditPackagePost)
+		m.Post("/packages/{id}/delete", repo.LicensesDeletePackage)
+		m.Post("/keys/generate", repo.LicensesGenerateKey)
+		m.Get("/keys/{id}/edit", repo.LicensesEditKey)
+		m.Post("/keys/{id}/edit", repo.LicensesEditKeyPost)
+		m.Post("/keys/{id}/revoke", repo.LicensesRevokeKey)
+		m.Post("/keys/{id}/renew", repo.LicensesRenewKey)
+		m.Post("/keys/{id}/delete", repo.LicensesDeleteKey)
+	}, optSignIn, context.RepoAssignment)
+	// end "/{username}/{reponame}": licenses
+
 	m.Group("/{username}/{reponame}", func() { // to maintain compatibility with old attachments
 		m.Get("/attachments/{uuid}", webAuth.AllowBasic, webAuth.AllowOAuth2, repo.GetAttachment)
 	}, optSignIn, context.RepoAssignment)
@@ -18,6 +18,7 @@ import (
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
 	git_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/git"
 	issues_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/issues"
+	licenses_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
 	access_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/perm/access"
 	repo_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/repo"
 	unit_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/unit"
@@ -605,6 +606,28 @@ func repoAssignmentPrepareTemplateData(ctx *Context, data *repoAssignmentPrepare
 		return
 	}

+	// Check if licensing is enabled for this repo/org.
+	orgCfg, _ := licenses_model.GetOrgConfig(ctx, repo.OwnerID)
+	repoUpdateCfg, _ := licenses_model.GetRepoConfig(ctx, repo.ID)
+	licensingEnabled := (orgCfg != nil && orgCfg.LicensingEnabled) ||
+		(repoUpdateCfg != nil && repoUpdateCfg.LicensingEnabled)
+
+	numLicensePackages, _ := db.Count[licenses_model.LicensePackage](ctx, licenses_model.FindLicensePackageOptions{
+		OwnerID: repo.OwnerID,
+	})
+	ctx.Data["NumLicensePackages"] = numLicensePackages
+	ctx.Data["EnableLicenses"] = licensingEnabled || numLicensePackages > 0
+	ctx.Data["LicensingEnabled"] = licensingEnabled
+	ctx.Data["IsRepoAdmin"] = ctx.Repo.Permission.IsAdmin()
+	ctx.Data["IsSiteAdmin"] = ctx.IsUserSiteAdmin()
+
+	// Load repo update config for platform-aware UI.
+	if repoUpdateCfg != nil {
+		ctx.Data["RepoUpdatePlatform"] = repoUpdateCfg.Platform
+	} else {
+		ctx.Data["RepoUpdatePlatform"] = "joomla"
+	}
+
 	ctx.Data["Title"] = repo.Owner.Name + "/" + repo.Name
 	ctx.Data["PageTitleCommon"] = repo.Name + " - " + setting.AppName
 	ctx.Data["Repository"] = repo
@@ -9,9 +9,11 @@ import (

 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models"
 	git_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/git"
+	licenses_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
 	user_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/user"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/webhook"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/git/gitcmd"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/log"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/setting"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/updatechecker"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/services/auth"
@@ -158,6 +160,24 @@ func registerCleanupPackages() {
 	})
 }

+func registerCleanupExpiredLicenseKeys() {
+	RegisterTaskFatal("cleanup_expired_license_keys", &BaseConfig{
+		Enabled:    true,
+		RunAtStart: false,
+		Schedule:   "@weekly",
+	}, func(ctx context.Context, _ *user_model.User, config Config) error {
+		// Delete non-internal keys that expired more than 365 days ago.
+		deleted, err := licenses_model.DeleteExpiredKeys(ctx, 365)
+		if err != nil {
+			return err
+		}
+		if deleted > 0 {
+			log.Info("Cleaned up %d expired license keys (expired >1 year)", deleted)
+		}
+		return nil
+	})
+}
+
 func registerSyncRepoLicenses() {
 	RegisterTaskFatal("sync_repo_licenses", &BaseConfig{
 		Enabled:    false,
@@ -185,6 +205,7 @@ func initBasicTasks() {
 		registerCleanupPackages()
 	}
 	registerSyncRepoLicenses()
+	registerCleanupExpiredLicenseKeys()
 	if setting.UpdateChecker.Enabled {
 		registerUpdateChecker()
 	}
@@ -110,12 +110,14 @@ type RepoSettingForm struct {
 	EnablePrune            bool

 	// Advanced settings
-	EnableCode bool
+	EnableCode     bool
+	CodeVisibility string

-	EnableWiki         bool
-	EnableExternalWiki bool
-	DefaultWikiBranch  string
-	ExternalWikiURL    string
+	EnableWiki             bool
+	EnableExternalWiki     bool
+	DefaultWikiBranch      string
+	ExternalWikiURL        string
+	WikiVisibility         string

 	EnableIssues                          bool
 	EnableExternalTracker                 bool
@@ -124,13 +126,18 @@ type RepoSettingForm struct {
 	TrackerIssueStyle                     string
 	ExternalTrackerRegexpPattern          string
 	EnableCloseIssuesViaCommitInAnyBranch bool
+	IssuesVisibility                      string

 	EnableProjects bool
 	ProjectsMode   string

-	EnableReleases bool
+	EnableReleases     bool
+	ReleasesVisibility string
+	UpdatePlatform     string
+	RequireUpdateKey   bool
+	EnableLicensing    bool

-	EnablePackages bool
+	EnablePackages     bool

 	EnablePulls                      bool
 	PullsIgnoreWhitespace            bool
@@ -11,6 +11,7 @@ import (

 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
 	git_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/git"
+	licenses_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
 	repo_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/repo"
 	user_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/user"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/container"
@@ -166,6 +167,64 @@ func createTag(ctx context.Context, gitRepo *git.Repository, rel *repo_model.Rel
 }

 // CreateRelease creates a new release of repository.
+// ErrTagDoesNotMatchStream indicates a tag doesn't match any configured update stream.
+type ErrTagDoesNotMatchStream struct {
+	TagName string
+}
+
+func (e ErrTagDoesNotMatchStream) Error() string {
+	return fmt.Sprintf("tag %q does not match any configured update stream", e.TagName)
+}
+
+// validateTagAgainstStreams checks that a release tag follows the update stream
+// naming convention when licensing is active. Tags must start with a version
+// prefix (v1.0.0) and any suffix must match a configured stream (e.g. -rc, -beta).
+// When licensing is disabled, any tag is allowed.
+func validateTagAgainstStreams(ctx context.Context, rel *repo_model.Release) error {
+	if rel.IsDraft || rel.IsTag {
+		return nil // drafts and lightweight tags are not validated
+	}
+
+	// Load the repo to get the owner ID.
+	repo, err := repo_model.GetRepositoryByID(ctx, rel.RepoID)
+	if err != nil {
+		return nil // non-fatal, skip validation
+	}
+
+	// Check if licensing is enabled at org or repo level.
+	orgCfg, _ := licenses_model.GetOrgConfig(ctx, repo.OwnerID)
+	repoCfg, _ := licenses_model.GetRepoConfig(ctx, repo.ID)
+	licensingEnabled := (orgCfg != nil && orgCfg.LicensingEnabled) ||
+		(repoCfg != nil && repoCfg.LicensingEnabled)
+
+	if !licensingEnabled {
+		return nil // licensing off — any tag is fine
+	}
+
+	// Check that the tag contains a stream-compatible suffix.
+	// Any prerelease suffix in the tag must match a configured stream suffix.
+	streams := licenses_model.GetEffectiveStreams(ctx, repo.OwnerID, repo.ID)
+	lower := strings.ToLower(rel.TagName)
+	for _, s := range streams {
+		if s.Suffix == "" {
+			continue // stable stream matches everything
+		}
+		if strings.Contains(lower, s.Suffix) {
+			return nil // matches a configured stream
+		}
+	}
+
+	// If the tag has a prerelease-looking suffix but it doesn't match any stream, reject.
+	for _, indicator := range []string{"-rc", "-beta", "-alpha", "-dev"} {
+		if strings.Contains(lower, indicator) {
+			return ErrTagDoesNotMatchStream{TagName: rel.TagName}
+		}
+	}
+
+	// No prerelease suffix — this is a stable release, always allowed.
+	return nil
+}
+
 func CreateRelease(gitRepo *git.Repository, rel *repo_model.Release, attachmentUUIDs []string, msg string) error {
 	has, err := repo_model.IsReleaseExist(gitRepo.Ctx, rel.RepoID, rel.TagName)
 	if err != nil {
@@ -176,6 +235,11 @@ func CreateRelease(gitRepo *git.Repository, rel *repo_model.Release, attachmentU
 		}
 	}

+	// When licensing is enabled, validate that the tag matches a configured update stream.
+	if err := validateTagAgainstStreams(gitRepo.Ctx, rel); err != nil {
+		return err
+	}
+
 	if _, err = createTag(gitRepo.Ctx, gitRepo, rel, msg); err != nil {
 		return err
 	}
@@ -10,6 +10,7 @@ import (
 	"time"

 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
 	repo_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/repo"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/setting"
 )
@@ -34,7 +35,8 @@ type DolibarrUpdates struct {
 }

 // GenerateDolibarrJSON builds a Dolibarr-compatible update feed from releases.
-func GenerateDolibarrJSON(ctx context.Context, repo *repo_model.Repository) (*DolibarrUpdates, error) {
+// allowedChannels optionally restricts output to specific channels (nil = all).
+func GenerateDolibarrJSON(ctx context.Context, repo *repo_model.Repository, allowedChannels ...string) (*DolibarrUpdates, error) {
 	releases, err := db.Find[repo_model.Release](ctx, repo_model.FindReleasesOptions{
 		RepoID:        repo.ID,
 		ListOptions:   db.ListOptionsAll,
@@ -56,20 +58,35 @@ func GenerateDolibarrJSON(ctx context.Context, repo *repo_model.Repository) (*Do
 		Module: repo.Name,
 	}

+	// Resolve effective streams.
+	streams := licenses.GetEffectiveStreams(ctx, repo.OwnerID, repo.ID)
+
 	// Track best release per channel.
 	bestByChannel := make(map[string]*repo_model.Release)
 	for _, rel := range releases {
 		if rel.IsDraft || rel.IsTag {
 			continue
 		}
-		ch := channelFromTag(rel.TagName, rel.IsPrerelease)
+		ch := licenses.MatchStreamFromTag(rel.TagName, rel.IsPrerelease, streams)
 		existing, ok := bestByChannel[ch]
 		if !ok || rel.CreatedUnix > existing.CreatedUnix {
 			bestByChannel[ch] = rel
 		}
 	}

-	for _, ch := range []string{"stable", "rc", "beta", "alpha", "dev"} {
+	// Build allowed channel set for filtering.
+	channelAllowed := make(map[string]bool)
+	if len(allowedChannels) > 0 {
+		for _, c := range allowedChannels {
+			channelAllowed[NormalizeChannel(c)] = true
+		}
+	}
+
+	for _, stream := range streams {
+		ch := stream.Name
+		if len(channelAllowed) > 0 && !channelAllowed[ch] {
+			continue
+		}
 		rel, ok := bestByChannel[ch]
 		if !ok {
 			continue
@@ -91,7 +108,10 @@ func GenerateDolibarrJSON(ctx context.Context, repo *repo_model.Repository) (*Do
 		}

 		version := extractVersion(rel.TagName)
-		suffix := channelSuffix(ch)
+		suffix := stream.Suffix
+		if suffix == "" {
+			suffix = channelSuffix(ch)
+		}
 		if suffix != "" {
 			version = version + suffix
 		}
@@ -11,6 +11,7 @@ import (
 	"time"

 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
 	repo_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/repo"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/setting"
 )
@@ -23,21 +24,27 @@ type xmlUpdates struct {
 }

 type xmlUpdate struct {
-	Name           string         `xml:"name"`
-	Description    string         `xml:"description"`
-	Element        string         `xml:"element"`
-	Type           string         `xml:"type"`
-	Client         string         `xml:"client"`
-	Version        string         `xml:"version"`
-	CreationDate   string         `xml:"creationDate"`
-	InfoURL        xmlInfoURL     `xml:"infourl"`
-	Downloads      xmlDownloads   `xml:"downloads"`
-	SHA256         string         `xml:"sha256,omitempty"`
-	Tags           xmlTags        `xml:"tags"`
-	ChangelogURL   string         `xml:"changelogurl,omitempty"`
-	Maintainer     string         `xml:"maintainer,omitempty"`
-	MaintainerURL  string         `xml:"maintainerurl,omitempty"`
-	TargetPlatform xmlTargetPlat  `xml:"targetplatform"`
+	Name           string          `xml:"name"`
+	Description    string          `xml:"description"`
+	Element        string          `xml:"element"`
+	Type           string          `xml:"type"`
+	Client         string          `xml:"client"`
+	Version        string          `xml:"version"`
+	CreationDate   string          `xml:"creationDate"`
+	InfoURL        xmlInfoURL      `xml:"infourl"`
+	Downloads      xmlDownloads    `xml:"downloads"`
+	SHA256         string          `xml:"sha256,omitempty"`
+	Tags           xmlTags         `xml:"tags"`
+	ChangelogURL   string          `xml:"changelogurl,omitempty"`
+	Maintainer     string          `xml:"maintainer,omitempty"`
+	MaintainerURL  string          `xml:"maintainerurl,omitempty"`
+	TargetPlatform xmlTargetPlat   `xml:"targetplatform"`
+	DownloadKey    *xmlDownloadKey `xml:"downloadkey,omitempty"`
+}
+
+type xmlDownloadKey struct {
+	Prefix string `xml:"prefix,attr"`
+	Suffix string `xml:"suffix,attr"`
 }

 type xmlInfoURL struct {
@@ -64,22 +71,54 @@ type xmlTargetPlat struct {
 	Version string `xml:"version,attr"`
 }

+// channelFromTag maps a release tag name to a Joomla update channel.
+// Joomla update stream names (full convention).
+const (
+	ChannelStable           = "stable"
+	ChannelReleaseCandidate = "release-candidate"
+	ChannelBeta             = "beta"
+	ChannelAlpha            = "alpha"
+	ChannelDevelopment      = "development"
+)
+
+// AllChannels in display order (most stable first).
+var AllChannels = []string{ChannelStable, ChannelReleaseCandidate, ChannelBeta, ChannelAlpha, ChannelDevelopment}
+
 // channelFromTag maps a release tag name to a Joomla update channel.
 func channelFromTag(tagName string, isPrerelease bool) string {
 	lower := strings.ToLower(tagName)
 	switch {
 	case strings.Contains(lower, "-dev") || strings.Contains(lower, "development"):
-		return "dev"
-	case strings.Contains(lower, "-alpha") || strings.Contains(lower, "alpha"):
-		return "alpha"
-	case strings.Contains(lower, "-beta") || strings.Contains(lower, "beta"):
-		return "beta"
+		return ChannelDevelopment
+	case strings.Contains(lower, "-alpha"):
+		return ChannelAlpha
+	case strings.Contains(lower, "-beta"):
+		return ChannelBeta
 	case strings.Contains(lower, "-rc") || strings.Contains(lower, "release-candidate"):
-		return "rc"
+		return ChannelReleaseCandidate
 	case isPrerelease:
-		return "rc"
+		return ChannelReleaseCandidate
 	default:
-		return "stable"
+		return ChannelStable
+	}
+}
+
+// NormalizeChannel maps shorthand channel names to the full Joomla convention.
+// Accepts both "rc" and "release-candidate", "dev" and "development", etc.
+func NormalizeChannel(ch string) string {
+	switch strings.ToLower(ch) {
+	case "rc", "release-candidate":
+		return ChannelReleaseCandidate
+	case "dev", "development":
+		return ChannelDevelopment
+	case "alpha":
+		return ChannelAlpha
+	case "beta":
+		return ChannelBeta
+	case "stable":
+		return ChannelStable
+	default:
+		return ch
 	}
 }

@@ -87,7 +126,7 @@ func channelFromTag(tagName string, isPrerelease bool) string {
 // It returns the raw XML bytes. The element, maintainer, and target platform
 // are derived from the repo name and owner.
 // allowedChannels optionally restricts output to specific channels (nil = all).
-func GenerateJoomlaXML(ctx context.Context, repo *repo_model.Repository, allowedChannels ...string) ([]byte, error) {
+func GenerateJoomlaXML(ctx context.Context, repo *repo_model.Repository, requireKey bool, allowedChannels ...string) ([]byte, error) {
 	releases, err := db.Find[repo_model.Release](ctx, repo_model.FindReleasesOptions{
 		RepoID:        repo.ID,
 		ListOptions:   db.ListOptionsAll,
@@ -110,13 +149,16 @@ func GenerateJoomlaXML(ctx context.Context, repo *repo_model.Repository, allowed

 	element := strings.ToLower(repo.Name)

+	// Resolve effective streams (repo override → org default → Joomla default).
+	streams := licenses.GetEffectiveStreams(ctx, repo.OwnerID, repo.ID)
+
 	// Track best (latest) release per channel to emit one entry per channel.
 	bestByChannel := make(map[string]*repo_model.Release)
 	for _, rel := range releases {
 		if rel.IsDraft || rel.IsTag {
 			continue
 		}
-		ch := channelFromTag(rel.TagName, rel.IsPrerelease)
+		ch := licenses.MatchStreamFromTag(rel.TagName, rel.IsPrerelease, streams)
 		existing, ok := bestByChannel[ch]
 		if !ok || rel.CreatedUnix > existing.CreatedUnix {
 			bestByChannel[ch] = rel
@@ -124,15 +166,17 @@ func GenerateJoomlaXML(ctx context.Context, repo *repo_model.Repository, allowed
 	}

 	// Build allowed channel set for filtering.
+	// Normalize shorthand names so both "rc" and "release-candidate" work.
 	channelAllowed := make(map[string]bool)
 	if len(allowedChannels) > 0 {
 		for _, c := range allowedChannels {
-			channelAllowed[strings.ToLower(c)] = true
+			channelAllowed[NormalizeChannel(c)] = true
 		}
 	}

 	var updates xmlUpdates
-	for _, ch := range []string{"stable", "rc", "beta", "alpha", "dev"} {
+	for _, stream := range streams {
+		ch := stream.Name
 		// Skip channels not in the allowed set (when filtering is active).
 		if len(channelAllowed) > 0 && !channelAllowed[ch] {
 			continue
@@ -161,7 +205,10 @@ func GenerateJoomlaXML(ctx context.Context, repo *repo_model.Repository, allowed
 		}

 		version := extractVersion(rel.TagName)
-		suffix := channelSuffix(ch)
+		suffix := stream.Suffix
+		if suffix == "" {
+			suffix = channelSuffix(ch) // fallback for Joomla defaults
+		}
 		if suffix != "" {
 			version = version + suffix
 		}
@@ -193,6 +240,10 @@ func GenerateJoomlaXML(ctx context.Context, repo *repo_model.Repository, allowed
 			},
 		}

+		if requireKey {
+			u.DownloadKey = &xmlDownloadKey{Prefix: "&dlid=", Suffix: ""}
+		}
+
 		updates.Updates = append(updates.Updates, u)
 	}

@@ -223,13 +274,13 @@ func extractVersion(tagName string) string {
 // channelSuffix returns the version suffix for a channel.
 func channelSuffix(channel string) string {
 	switch channel {
-	case "dev":
+	case ChannelDevelopment:
 		return "-dev"
-	case "alpha":
+	case ChannelAlpha:
 		return "-alpha"
-	case "beta":
+	case ChannelBeta:
 		return "-beta"
-	case "rc":
+	case ChannelReleaseCandidate:
 		return "-rc"
 	default:
 		return ""
@@ -0,0 +1,192 @@
+{{template "base/head" .}}
+<div role="main" aria-label="{{.Title}}" class="page-content organization">
+	{{template "org/header" .}}
+	<div class="ui container">
+
+		{{if .NewMasterKey}}
+			<div class="ui info message">
+				<div class="header">{{ctx.Locale.Tr "repo.licenses.master_key_created"}}</div>
+				<p>{{ctx.Locale.Tr "repo.licenses.master_key_created_copy"}}</p>
+				<div class="ui action input tw-w-full tw-mt-2">
+					<input class="js-new-master-key" type="text" readonly value="{{.NewMasterKey}}" onclick="this.select()">
+					<button class="ui button" data-clipboard-target=".js-new-master-key" data-tooltip-content="{{ctx.Locale.Tr "copy_url"}}">{{svg "octicon-copy" 14}}</button>
+				</div>
+			</div>
+		{{end}}
+
+		{{if .NewKeyCreated}}
+			<div class="ui success message">
+				<div class="header">{{ctx.Locale.Tr "repo.licenses.key_created"}}</div>
+				<p>{{ctx.Locale.Tr "repo.licenses.key_created_copy"}}</p>
+				<div class="ui action input tw-w-full tw-mt-2">
+					<input class="js-new-license-key" type="text" readonly value="{{.NewKeyCreated}}" onclick="this.select()">
+					<button class="ui button" data-clipboard-target=".js-new-license-key" data-tooltip-content="{{ctx.Locale.Tr "copy_url"}}">{{svg "octicon-copy" 14}}</button>
+				</div>
+			</div>
+		{{end}}
+
+		<h4 class="ui top attached header">
+			{{svg "octicon-key" 16}} {{ctx.Locale.Tr "repo.licenses.packages"}}
+		</h4>
+		<div class="ui attached segment">
+			{{if .IsRepoAdmin}}
+				<details class="tw-mb-4">
+					<summary class="ui primary button">{{svg "octicon-plus" 14}} {{ctx.Locale.Tr "repo.licenses.new_package"}}</summary>
+					<div class="tw-mt-4">
+						<form class="ui form" method="post" action="{{$.Org.HomeLink}}/-/licenses/packages">
+							{{.CsrfTokenHtml}}
+							<div class="two fields">
+								<div class="required field">
+									<label>{{ctx.Locale.Tr "repo.licenses.package_name"}}</label>
+									<input name="name" required placeholder="e.g. Pro Annual, Basic Monthly">
+								</div>
+								<div class="field">
+									<label>{{ctx.Locale.Tr "repo.licenses.description"}}</label>
+									<input name="description" placeholder="e.g. Annual pro subscription">
+								</div>
+							</div>
+							<div class="three fields">
+								<div class="field">
+									<label>{{ctx.Locale.Tr "repo.licenses.duration"}} ({{ctx.Locale.Tr "repo.licenses.days"}})</label>
+									<input name="duration_days" type="number" value="0" min="0">
+									<p class="help">0 = {{ctx.Locale.Tr "repo.licenses.lifetime"}}</p>
+								</div>
+								<div class="field">
+									<label>{{ctx.Locale.Tr "repo.licenses.max_sites"}}</label>
+									<input name="max_sites" type="number" value="0" min="0">
+									<p class="help">0 = {{ctx.Locale.Tr "repo.licenses.unlimited"}}</p>
+								</div>
+								<div class="field">
+									<label>{{ctx.Locale.Tr "repo.licenses.channels"}}</label>
+									{{if $.AvailableStreams}}
+										{{range $.AvailableStreams}}
+										<div class="ui checkbox tw-mr-4 tw-mb-2">
+											<input name="allowed_channels" type="checkbox" value="{{.Name}}">
+											<label>{{.Name}}{{if .Description}} <small class="text grey">({{.Description}})</small>{{end}}</label>
+										</div>
+										{{end}}
+									{{end}}
+									<p class="help">{{ctx.Locale.Tr "repo.licenses.channels_help"}}</p>
+								</div>
+							</div>
+							<button class="ui primary button" type="submit">{{ctx.Locale.Tr "repo.licenses.create_package"}}</button>
+						</form>
+					</div>
+				</details>
+			{{end}}
+			{{if .LicensePackages}}
+				<table class="ui compact table">
+					<thead>
+						<tr>
+							<th>{{ctx.Locale.Tr "repo.licenses.package_name"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.duration"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.channels"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.keys_issued"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.status"}}</th>
+							{{if .IsRepoAdmin}}<th></th>{{end}}
+						</tr>
+					</thead>
+					<tbody>
+						{{range .LicensePackages}}
+							<tr>
+								<td><strong>{{.Name}}</strong>{{if eq .Name "Master (Internal)"}} <span class="ui tiny orange label">{{ctx.Locale.Tr "repo.licenses.master_label"}}</span>{{end}}{{if .Description}}<br><small class="text grey">{{.Description}}</small>{{end}}</td>
+								<td>{{if eq .DurationDays 0}}{{ctx.Locale.Tr "repo.licenses.lifetime"}}{{else}}{{.DurationDays}} {{ctx.Locale.Tr "repo.licenses.days"}}{{end}}</td>
+								<td>{{if .AllowedChannels}}<code>{{.AllowedChannels}}</code>{{else}}{{ctx.Locale.Tr "repo.licenses.all_channels"}}{{end}}</td>
+								<td>{{.KeyCount}}</td>
+								<td>{{if .IsActive}}<span class="ui green label">{{ctx.Locale.Tr "repo.licenses.active"}}</span>{{else}}<span class="ui grey label">{{ctx.Locale.Tr "repo.licenses.inactive"}}</span>{{end}}</td>
+								{{if $.IsRepoAdmin}}
+									<td class="tw-text-right tw-flex tw-gap-1 tw-justify-end">
+										<form method="post" action="{{$.Org.HomeLink}}/-/licenses/keys/generate" class="tw-inline tw-flex tw-gap-1 tw-items-center">
+											{{$.CsrfTokenHtml}}
+											<input type="hidden" name="package_id" value="{{.ID}}">
+											{{if or $.IsSiteAdmin $.IsOrganizationOwner}}
+											<input type="text" name="custom_key" placeholder="{{ctx.Locale.Tr "repo.licenses.custom_key_placeholder"}}" class="tw-w-32 tw-text-xs" title="{{ctx.Locale.Tr "repo.licenses.custom_key_help"}}">
+											{{end}}
+											<button class="ui tiny primary button" type="submit" title="{{ctx.Locale.Tr "repo.licenses.generate_key"}}">
+												{{svg "octicon-plus" 14}}
+											</button>
+										</form>
+										{{if ne .Name "Master (Internal)"}}
+										<a class="ui tiny button" href="{{$.Org.HomeLink}}/-/licenses/packages/{{.ID}}/edit" title="{{ctx.Locale.Tr "repo.licenses.edit_package"}}">
+											{{svg "octicon-pencil" 14}}
+										</a>
+										{{if $.IsSiteAdmin}}
+										<button class="ui tiny red button link-action" data-url="{{$.Org.HomeLink}}/-/licenses/packages/{{.ID}}/delete" data-modal-confirm="{{ctx.Locale.Tr "repo.licenses.confirm_delete_package"}}" title="{{ctx.Locale.Tr "repo.licenses.delete_package"}}">
+											{{svg "octicon-trash" 14}}
+										</button>
+										{{end}}
+										{{end}}
+									</td>
+								{{end}}
+							</tr>
+						{{end}}
+					</tbody>
+				</table>
+			{{else}}
+				<div class="empty-placeholder">
+					{{svg "octicon-key" 48}}
+					<h2>{{ctx.Locale.Tr "repo.licenses.none"}}</h2>
+					<p>{{ctx.Locale.Tr "repo.licenses.none_desc"}}</p>
+				</div>
+			{{end}}
+		</div>
+
+		{{if .LicenseKeys}}
+			<h4 class="ui top attached header tw-mt-4">
+				{{svg "octicon-lock" 16}} {{ctx.Locale.Tr "repo.licenses.issued_keys"}}
+			</h4>
+			<div class="ui attached segment">
+				<table class="ui compact table">
+					<thead>
+						<tr>
+							<th>{{ctx.Locale.Tr "repo.licenses.key_prefix"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.licensee"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.expires"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.last_seen"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.status"}}</th>
+							{{if .IsRepoAdmin}}<th></th>{{end}}
+						</tr>
+					</thead>
+					<tbody>
+						{{range .LicenseKeys}}
+							<tr>
+								<td>
+									<div class="tw-flex tw-items-center tw-gap-1">
+										<code class="js-license-key-{{.ID}}">{{if .KeyRaw}}{{.KeyRaw}}{{else}}{{.KeyPrefix}}{{end}}</code>
+										{{if .KeyRaw}}<button class="ui tiny icon button" data-clipboard-target=".js-license-key-{{.ID}}" data-tooltip-content="{{ctx.Locale.Tr "copy_url"}}">{{svg "octicon-copy" 12}}</button>{{end}}
+										{{if .IsInternal}} <span class="ui tiny orange label">{{ctx.Locale.Tr "repo.licenses.master_label"}}</span>{{end}}
+									</div>
+								</td>
+								<td>{{.LicenseeName}}{{if .LicenseeEmail}} <small>({{.LicenseeEmail}})</small>{{end}}</td>
+								<td>{{if eq .ExpiresUnix 0}}{{ctx.Locale.Tr "repo.licenses.never"}}{{else}}{{DateUtils.AbsoluteShort .ExpiresUnix}}{{end}}</td>
+								<td>{{if eq .LastHeartbeatUnix 0}}{{ctx.Locale.Tr "repo.licenses.never"}}{{else}}{{DateUtils.AbsoluteShort .LastHeartbeatUnix}}{{end}}</td>
+								<td>{{if .IsActive}}<span class="ui green label">{{ctx.Locale.Tr "repo.licenses.active"}}</span>{{else}}<span class="ui grey label">{{ctx.Locale.Tr "repo.licenses.inactive"}}</span>{{end}}</td>
+								{{if $.IsRepoAdmin}}
+									<td class="tw-text-right tw-flex tw-gap-1 tw-justify-end">
+										{{if not .IsInternal}}
+										<a class="ui tiny button" href="{{$.Org.HomeLink}}/-/licenses/keys/{{.ID}}/edit" title="{{ctx.Locale.Tr "repo.licenses.edit_key"}}">
+											{{svg "octicon-pencil" 14}}
+										</a>
+										<button class="ui tiny green button link-action" data-url="{{$.Org.HomeLink}}/-/licenses/keys/{{.ID}}/renew" data-modal-confirm="{{ctx.Locale.Tr "repo.licenses.confirm_renew_key"}}" title="{{ctx.Locale.Tr "repo.licenses.renew"}}">
+											{{svg "octicon-sync" 14}}
+										</button>
+										{{end}}
+										<button class="ui tiny red button link-action" data-url="{{$.Org.HomeLink}}/-/licenses/keys/{{.ID}}/revoke" data-modal-confirm="{{ctx.Locale.Tr "repo.licenses.confirm_revoke_key"}}" title="{{ctx.Locale.Tr "repo.licenses.revoke"}}">
+											{{svg "octicon-x" 14}}
+										</button>
+										{{if $.IsSiteAdmin}}
+										<button class="ui tiny red button link-action" data-url="{{$.Org.HomeLink}}/-/licenses/keys/{{.ID}}/delete" data-modal-confirm="{{ctx.Locale.Tr "repo.licenses.confirm_delete_key"}}" title="{{ctx.Locale.Tr "repo.licenses.delete_key"}}">
+											{{svg "octicon-trash" 14}}
+										</button>
+										{{end}}
+									</td>
+								{{end}}
+							</tr>
+						{{end}}
+					</tbody>
+				</table>
+			</div>
+		{{end}}
+	</div>
+</div>
+{{template "base/footer" .}}
@@ -0,0 +1,60 @@
+{{template "base/head" .}}
+<div role="main" aria-label="{{.Title}}" class="page-content organization">
+	{{template "org/header" .}}
+	<div class="ui container">
+		<h4 class="ui top attached header">
+			{{svg "octicon-pencil" 16}} {{ctx.Locale.Tr "repo.licenses.edit_package"}}
+		</h4>
+		<div class="ui attached segment">
+			<form class="ui form" method="post" action="{{$.Org.HomeLink}}/-/licenses/packages/{{.Package.ID}}/edit">
+				{{.CsrfTokenHtml}}
+				<div class="two fields">
+					<div class="required field">
+						<label>{{ctx.Locale.Tr "repo.licenses.package_name"}}</label>
+						<input name="name" required value="{{.Package.Name}}">
+					</div>
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.description"}}</label>
+						<input name="description" value="{{.Package.Description}}">
+					</div>
+				</div>
+				<div class="three fields">
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.duration"}} ({{ctx.Locale.Tr "repo.licenses.days"}})</label>
+						<input name="duration_days" type="number" value="{{.Package.DurationDays}}" min="0">
+						<p class="help">0 = {{ctx.Locale.Tr "repo.licenses.lifetime"}}</p>
+					</div>
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.max_sites"}}</label>
+						<input name="max_sites" type="number" value="{{.Package.MaxSites}}" min="0">
+						<p class="help">0 = {{ctx.Locale.Tr "repo.licenses.unlimited"}}</p>
+					</div>
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.channels"}}</label>
+						{{if .AvailableStreams}}
+							{{range .AvailableStreams}}
+							<div class="ui checkbox tw-mr-4 tw-mb-2">
+								<input name="allowed_channels" type="checkbox" value="{{.Name}}" {{if SliceUtils.Contains $.SelectedChannels .Name}}checked{{end}}>
+								<label>{{.Name}}{{if .Description}} <small class="text grey">({{.Description}})</small>{{end}}</label>
+							</div>
+							{{end}}
+						{{end}}
+						<p class="help">{{ctx.Locale.Tr "repo.licenses.channels_help"}}</p>
+					</div>
+				</div>
+				<div class="field">
+					<div class="ui checkbox">
+						<input name="is_active" type="checkbox" {{if .Package.IsActive}}checked{{end}}>
+						<label>{{ctx.Locale.Tr "repo.licenses.active"}}</label>
+					</div>
+					<p class="help">{{ctx.Locale.Tr "repo.licenses.active_help_package"}}</p>
+				</div>
+				<div class="field tw-mt-4">
+					<button class="ui primary button" type="submit">{{ctx.Locale.Tr "save"}}</button>
+					<a class="ui button" href="{{$.Org.HomeLink}}/-/licenses">{{ctx.Locale.Tr "cancel"}}</a>
+				</div>
+			</form>
+		</div>
+	</div>
+</div>
+{{template "base/footer" .}}
@@ -25,6 +25,14 @@
 				{{svg "octicon-package"}} {{ctx.Locale.Tr "packages.title"}}
 			</a>
 			{{end}}
+			{{if and .IsOrganizationMember (or .OrgLicensingEnabled .IsLicensesPage)}}
+			<a class="{{if .IsLicensesPage}}active {{end}}item" href="{{$.Org.HomeLink}}/-/licenses">
+				{{svg "octicon-key"}} {{ctx.Locale.Tr "repo.licenses"}}
+				{{if .NumOrgLicensePackages}}
+					<div class="ui small label">{{.NumOrgLicensePackages}}</div>
+				{{end}}
+			</a>
+			{{end}}
 			{{if and .IsRepoIndexerEnabled .CanReadCode}}
 			<a class="{{if .IsCodePage}}active {{end}}item" href="{{$.Org.HomeLink}}/-/code">
 				{{svg "octicon-code"}} {{ctx.Locale.Tr "org.code"}}
@@ -25,6 +25,9 @@
 			{{ctx.Locale.Tr "packages.title"}}
 		</a>
 		{{end}}
+		<a class="{{if .PageIsSettingsUpdateStreams}}active {{end}}item" href="{{.OrgLink}}/settings/update-streams">
+			{{svg "octicon-key"}} {{ctx.Locale.Tr "org.settings.update_streams"}}
+		</a>
 		{{if .EnableActions}}
 		<details class="item toggleable-item" {{if or .PageIsOrgSettingsActionsGeneral .PageIsSharedSettingsRunners .PageIsSharedSettingsSecrets .PageIsSharedSettingsVariables}}open{{end}}>
 			<summary>{{ctx.Locale.Tr "actions.actions"}}</summary>
@@ -0,0 +1,87 @@
+{{template "org/settings/layout_head" (dict "pageClass" "organization settings")}}
+<div class="org-setting-content">
+
+	{{/* ── Section 1: Licensing ── */}}
+	<h4 class="ui top attached header">
+		{{svg "octicon-key" 16}} {{ctx.Locale.Tr "org.settings.licensing"}}
+	</h4>
+	<div class="ui attached segment">
+		<form class="ui form" method="post" action="{{.OrgLink}}/settings/update-streams">
+			{{.CsrfTokenHtml}}
+
+			<p>{{ctx.Locale.Tr "org.settings.licensing_desc"}}</p>
+
+			<div class="inline field">
+				<div class="ui checkbox">
+					<input name="licensing_enabled" type="checkbox" {{if .StreamConfig.LicensingEnabled}}checked{{end}}>
+					<label><strong>{{ctx.Locale.Tr "org.settings.enable_licensing"}}</strong></label>
+				</div>
+				<p class="help">{{ctx.Locale.Tr "org.settings.enable_licensing_help"}}</p>
+			</div>
+
+			<div class="inline field">
+				<div class="ui checkbox">
+					<input name="require_key" type="checkbox" {{if .StreamConfig.RequireKey}}checked{{end}}>
+					<label><strong>{{ctx.Locale.Tr "org.settings.require_key"}}</strong></label>
+				</div>
+				<p class="help">{{ctx.Locale.Tr "org.settings.require_key_help"}}</p>
+			</div>
+
+			<div class="ui divider"></div>
+
+			{{/* ── Section 2: Update Streams ── */}}
+			<h5>{{svg "octicon-rss" 14}} {{ctx.Locale.Tr "org.settings.update_streams_heading"}}</h5>
+			<p>{{ctx.Locale.Tr "org.settings.update_streams_desc"}}</p>
+
+			<div class="grouped fields">
+				<label>{{ctx.Locale.Tr "org.settings.stream_mode"}}</label>
+				<div class="field">
+					<div class="ui radio checkbox">
+						<input name="stream_mode" type="radio" value="joomla" {{if or (eq .StreamConfig.StreamMode "") (eq .StreamConfig.StreamMode "joomla")}}checked{{end}}>
+						<label>{{ctx.Locale.Tr "org.settings.stream_mode_joomla"}}</label>
+					</div>
+				</div>
+				<div class="field">
+					<div class="ui radio checkbox">
+						<input name="stream_mode" type="radio" value="custom" {{if eq .StreamConfig.StreamMode "custom"}}checked{{end}}>
+						<label>{{ctx.Locale.Tr "org.settings.stream_mode_custom"}}</label>
+					</div>
+				</div>
+			</div>
+
+			<div class="field">
+				<label>{{ctx.Locale.Tr "org.settings.default_streams"}}</label>
+				<table class="ui small compact table">
+					<thead>
+						<tr>
+							<th>{{ctx.Locale.Tr "org.settings.stream_name"}}</th>
+							<th>{{ctx.Locale.Tr "org.settings.stream_suffix"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.description"}}</th>
+						</tr>
+					</thead>
+					<tbody>
+						{{range .EffectiveStreams}}
+							<tr>
+								<td><code>{{.Name}}</code></td>
+								<td>{{if .Suffix}}<code>{{.Suffix}}</code>{{else}}<span class="text grey">{{ctx.Locale.Tr "org.settings.no_suffix"}}</span>{{end}}</td>
+								<td>{{.Description}}</td>
+							</tr>
+						{{end}}
+					</tbody>
+				</table>
+				<p class="help">{{ctx.Locale.Tr "org.settings.streams_tag_help"}}</p>
+			</div>
+
+			<div class="field">
+				<label>{{ctx.Locale.Tr "org.settings.custom_streams"}}</label>
+				<textarea name="custom_streams" rows="6" placeholder='[{"name":"lts","suffix":"-lts","description":"Long-term support"}]'>{{.StreamConfig.CustomStreams}}</textarea>
+				<p class="help">{{ctx.Locale.Tr "org.settings.custom_streams_help"}}</p>
+			</div>
+
+			<div class="field">
+				<button class="ui primary button">{{ctx.Locale.Tr "save"}}</button>
+			</div>
+		</form>
+	</div>
+</div>
+{{template "org/settings/layout_footer" .}}
@@ -47,7 +47,7 @@
 					<h3>{{ctx.Locale.Tr "org.settings.permission"}}</h3>
 					{{ctx.Locale.Tr "org.teams.write_permission_desc"}}
 				{{else if (eq .Team.AccessMode 3)}}
-					{{/* FIXME: here might not right, see "FIXME: TEAM-UNIT-PERMISSION", new units might not have correct admin permission*/}}
+					{{/* Admin teams implicitly have admin access to all units (including newly added ones) */}}
 					<h3>{{ctx.Locale.Tr "org.settings.permission"}}</h3>
 					{{ctx.Locale.Tr "org.teams.admin_permission_desc"}}
 				{{else}}
@@ -128,6 +128,15 @@
 						</a>
 					{{end}}

+					{{if or .EnableLicenses .IsRepoAdmin}}
+						<a href="{{.RepoLink}}/licenses" class="{{if .IsLicensesPage}}active {{end}}item">
+							{{svg "octicon-key"}} {{ctx.Locale.Tr "repo.licenses"}}
+							{{if .NumLicensePackages}}
+								<span class="ui small label">{{CountFmt .NumLicensePackages}}</span>
+							{{end}}
+						</a>
+					{{end}}
+
 					{{$projectsUnit := .Repository.MustGetUnit ctx ctx.Consts.RepoUnitTypeProjects}}
 					{{if and (not ctx.Consts.RepoUnitTypeProjects.UnitGlobalDisabled) (.Permission.CanRead ctx.Consts.RepoUnitTypeProjects) ($projectsUnit.ProjectsConfig.IsProjectsAllowed "repo")}}
 						<a href="{{.RepoLink}}/projects" class="{{if .IsProjectsPage}}active {{end}}item">
@@ -0,0 +1,225 @@
+{{template "base/head" .}}
+<div role="main" aria-label="{{.Title}}" class="page-content repository">
+	{{template "repo/header" .}}
+	<div class="ui container">
+
+		{{if .NewMasterKey}}
+			<div class="ui info message">
+				<div class="header">{{ctx.Locale.Tr "repo.licenses.master_key_created"}}</div>
+				<p>{{ctx.Locale.Tr "repo.licenses.master_key_created_copy"}}</p>
+				<div class="ui action input tw-w-full tw-mt-2">
+					<input class="js-new-master-key" type="text" readonly value="{{.NewMasterKey}}" onclick="this.select()">
+					<button class="ui button" data-clipboard-target=".js-new-master-key" data-tooltip-content="{{ctx.Locale.Tr "copy_url"}}">{{svg "octicon-copy" 14}}</button>
+				</div>
+			</div>
+		{{end}}
+
+		{{if .NewKeyCreated}}
+			<div class="ui success message">
+				<div class="header">{{ctx.Locale.Tr "repo.licenses.key_created"}}</div>
+				<p>{{ctx.Locale.Tr "repo.licenses.key_created_copy"}}</p>
+				<div class="ui action input tw-w-full tw-mt-2">
+					<input class="js-new-license-key" type="text" readonly value="{{.NewKeyCreated}}" onclick="this.select()">
+					<button class="ui button" data-clipboard-target=".js-new-license-key" data-tooltip-content="{{ctx.Locale.Tr "copy_url"}}">{{svg "octicon-copy" 14}}</button>
+				</div>
+			</div>
+		{{end}}
+
+		{{/* ── License Packages ── */}}
+		<h4 class="ui top attached header">
+			{{svg "octicon-key" 16}} {{ctx.Locale.Tr "repo.licenses.packages"}}
+		</h4>
+		<div class="ui attached segment">
+			{{if .LicensePackages}}
+				<table class="ui compact table">
+					<thead>
+						<tr>
+							<th>{{ctx.Locale.Tr "repo.licenses.package_name"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.duration"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.channels"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.keys_issued"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.status"}}</th>
+							{{if .IsRepoAdmin}}<th></th>{{end}}
+						</tr>
+					</thead>
+					<tbody>
+						{{range .LicensePackages}}
+							<tr>
+								<td><strong>{{.Name}}</strong>{{if eq .Name "Master (Internal)"}} <span class="ui tiny orange label">{{ctx.Locale.Tr "repo.licenses.master_label"}}</span>{{end}}{{if .Description}}<br><small class="text grey">{{.Description}}</small>{{end}}</td>
+								<td>{{if eq .DurationDays 0}}{{ctx.Locale.Tr "repo.licenses.lifetime"}}{{else}}{{.DurationDays}} {{ctx.Locale.Tr "repo.licenses.days"}}{{end}}</td>
+								<td>{{if .AllowedChannels}}<code>{{.AllowedChannels}}</code>{{else}}{{ctx.Locale.Tr "repo.licenses.all_channels"}}{{end}}</td>
+								<td>{{.KeyCount}}</td>
+								<td>{{if .IsActive}}<span class="ui green label">{{ctx.Locale.Tr "repo.licenses.active"}}</span>{{else}}<span class="ui grey label">{{ctx.Locale.Tr "repo.licenses.inactive"}}</span>{{end}}</td>
+								{{if $.IsRepoAdmin}}
+									<td class="tw-text-right tw-flex tw-gap-1 tw-justify-end">
+										<form method="post" action="{{$.RepoLink}}/licenses/keys/generate" class="tw-inline tw-flex tw-gap-1 tw-items-center">
+											{{$.CsrfTokenHtml}}
+											<input type="hidden" name="package_id" value="{{.ID}}">
+											{{if $.IsSiteAdmin}}
+											<input type="text" name="custom_key" placeholder="{{ctx.Locale.Tr "repo.licenses.custom_key_placeholder"}}" class="tw-w-32 tw-text-xs" title="{{ctx.Locale.Tr "repo.licenses.custom_key_help"}}">
+											{{end}}
+											<button class="ui tiny primary button" type="submit" title="{{ctx.Locale.Tr "repo.licenses.generate_key"}}">
+												{{svg "octicon-plus" 14}}
+											</button>
+										</form>
+										{{if ne .Name "Master (Internal)"}}
+										<a class="ui tiny button" href="{{$.RepoLink}}/licenses/packages/{{.ID}}/edit" title="{{ctx.Locale.Tr "repo.licenses.edit_package"}}">
+											{{svg "octicon-pencil" 14}}
+										</a>
+										{{if $.IsSiteAdmin}}
+										<button class="ui tiny red button link-action" data-url="{{$.RepoLink}}/licenses/packages/{{.ID}}/delete" data-modal-confirm="{{ctx.Locale.Tr "repo.licenses.confirm_delete_package"}}" title="{{ctx.Locale.Tr "repo.licenses.delete_package"}}">
+											{{svg "octicon-trash" 14}}
+										</button>
+										{{end}}
+										{{end}}
+									</td>
+								{{end}}
+							</tr>
+						{{end}}
+					</tbody>
+				</table>
+			{{else}}
+				<div class="empty-placeholder">
+					{{svg "octicon-key" 48}}
+					<h2>{{ctx.Locale.Tr "repo.licenses.none"}}</h2>
+					<p>{{ctx.Locale.Tr "repo.licenses.none_desc"}}</p>
+				</div>
+			{{end}}
+		</div>
+
+		{{/* ── Create New License Package ── */}}
+		{{if .IsRepoAdmin}}
+			<div class="tw-mt-4">
+				<details>
+					<summary class="ui primary button">{{svg "octicon-plus" 14}} {{ctx.Locale.Tr "repo.licenses.new_package"}}</summary>
+					<div class="ui segment tw-mt-2">
+						<form class="ui form" method="post" action="{{.RepoLink}}/licenses/packages">
+							{{.CsrfTokenHtml}}
+							<div class="two fields">
+								<div class="required field">
+									<label>{{ctx.Locale.Tr "repo.licenses.package_name"}}</label>
+									<input name="name" required placeholder="e.g. Pro Annual, Basic Monthly">
+								</div>
+								<div class="field">
+									<label>{{ctx.Locale.Tr "repo.licenses.description"}}</label>
+									<input name="description" placeholder="e.g. Annual pro subscription with all channels">
+								</div>
+							</div>
+							<div class="three fields">
+								<div class="field">
+									<label>{{ctx.Locale.Tr "repo.licenses.duration"}} ({{ctx.Locale.Tr "repo.licenses.days"}})</label>
+									<input name="duration_days" type="number" value="0" min="0">
+									<p class="help">0 = {{ctx.Locale.Tr "repo.licenses.lifetime"}}</p>
+								</div>
+								<div class="field">
+									<label>{{ctx.Locale.Tr "repo.licenses.max_sites"}}</label>
+									<input name="max_sites" type="number" value="0" min="0">
+									<p class="help">0 = {{ctx.Locale.Tr "repo.licenses.unlimited"}}</p>
+								</div>
+								<div class="field">
+									<label>{{ctx.Locale.Tr "repo.licenses.channels"}}</label>
+									{{if .AvailableStreams}}
+										{{range .AvailableStreams}}
+										<div class="ui checkbox tw-mr-4 tw-mb-2">
+											<input name="allowed_channels" type="checkbox" value="{{.Name}}">
+											<label>{{.Name}}{{if .Description}} <small class="text grey">({{.Description}})</small>{{end}}</label>
+										</div>
+										{{end}}
+									{{end}}
+									<p class="help">{{ctx.Locale.Tr "repo.licenses.channels_help"}}</p>
+								</div>
+							</div>
+							<button class="ui primary button" type="submit">{{ctx.Locale.Tr "repo.licenses.create_package"}}</button>
+						</form>
+					</div>
+				</details>
+			</div>
+		{{end}}
+
+		{{/* ── Issued Keys ── */}}
+		{{if .LicenseKeys}}
+			<h4 class="ui top attached header tw-mt-4">
+				{{svg "octicon-lock" 16}} {{ctx.Locale.Tr "repo.licenses.issued_keys"}}
+			</h4>
+			<div class="ui attached segment">
+				<table class="ui compact table">
+					<thead>
+						<tr>
+							<th>{{ctx.Locale.Tr "repo.licenses.key_prefix"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.licensee"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.expires"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.last_seen"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.status"}}</th>
+							{{if .IsRepoAdmin}}<th></th>{{end}}
+						</tr>
+					</thead>
+					<tbody>
+						{{range .LicenseKeys}}
+							<tr>
+								<td>
+									<div class="tw-flex tw-items-center tw-gap-1">
+										<code class="js-license-key-{{.ID}}">{{if .KeyRaw}}{{.KeyRaw}}{{else}}{{.KeyPrefix}}{{end}}</code>
+										{{if .KeyRaw}}<button class="ui tiny icon button" data-clipboard-target=".js-license-key-{{.ID}}" data-tooltip-content="{{ctx.Locale.Tr "copy_url"}}">{{svg "octicon-copy" 12}}</button>{{end}}
+										{{if .IsInternal}} <span class="ui tiny orange label">{{ctx.Locale.Tr "repo.licenses.master_label"}}</span>{{end}}
+									</div>
+								</td>
+								<td>{{.LicenseeName}}{{if .LicenseeEmail}} <small>({{.LicenseeEmail}})</small>{{end}}</td>
+								<td>{{if eq .ExpiresUnix 0}}{{ctx.Locale.Tr "repo.licenses.never"}}{{else}}{{DateUtils.AbsoluteShort .ExpiresUnix}}{{end}}</td>
+								<td>{{if eq .LastHeartbeatUnix 0}}{{ctx.Locale.Tr "repo.licenses.never"}}{{else}}{{DateUtils.AbsoluteShort .LastHeartbeatUnix}}{{end}}</td>
+								<td>{{if .IsActive}}<span class="ui green label">{{ctx.Locale.Tr "repo.licenses.active"}}</span>{{else}}<span class="ui grey label">{{ctx.Locale.Tr "repo.licenses.inactive"}}</span>{{end}}</td>
+								{{if $.IsRepoAdmin}}
+									<td class="tw-text-right tw-flex tw-gap-1 tw-justify-end">
+										{{if not .IsInternal}}
+										<a class="ui tiny button" href="{{$.RepoLink}}/licenses/keys/{{.ID}}/edit" title="{{ctx.Locale.Tr "repo.licenses.edit_key"}}">
+											{{svg "octicon-pencil" 14}}
+										</a>
+										<button class="ui tiny green button link-action" data-url="{{$.RepoLink}}/licenses/keys/{{.ID}}/renew" data-modal-confirm="{{ctx.Locale.Tr "repo.licenses.confirm_renew_key"}}" title="{{ctx.Locale.Tr "repo.licenses.renew"}}">
+											{{svg "octicon-sync" 14}}
+										</button>
+										{{end}}
+										<button class="ui tiny red button link-action" data-url="{{$.RepoLink}}/licenses/keys/{{.ID}}/revoke" data-modal-confirm="{{ctx.Locale.Tr "repo.licenses.confirm_revoke_key"}}" title="{{ctx.Locale.Tr "repo.licenses.revoke"}}">
+											{{svg "octicon-x" 14}}
+										</button>
+										{{if $.IsSiteAdmin}}
+										<button class="ui tiny red button link-action" data-url="{{$.RepoLink}}/licenses/keys/{{.ID}}/delete" data-modal-confirm="{{ctx.Locale.Tr "repo.licenses.confirm_delete_key"}}" title="{{ctx.Locale.Tr "repo.licenses.delete_key"}}">
+											{{svg "octicon-trash" 14}}
+										</button>
+										{{end}}
+									</td>
+								{{end}}
+							</tr>
+						{{end}}
+					</tbody>
+				</table>
+			</div>
+		{{end}}
+
+		{{/* ── Update Feed URLs ── */}}
+		{{if .LicensingEnabled}}
+		<h4 class="ui top attached header tw-mt-4">
+			{{svg "octicon-rss" 16}} {{ctx.Locale.Tr "repo.licenses.update_feeds"}}
+		</h4>
+		<div class="ui attached segment">
+			{{if or (eq .RepoUpdatePlatform "joomla") (eq .RepoUpdatePlatform "both") (eq .RepoUpdatePlatform "")}}
+			<div class="field">
+				<label>{{ctx.Locale.Tr "repo.licenses.feed_joomla_updates"}}</label>
+				<div class="ui action input tw-w-full">
+					<input class="js-feed-url-joomla" type="text" readonly value="{{.Repository.HTMLURL ctx}}/updates.xml" onclick="this.select()">
+					<button class="ui button" data-clipboard-target=".js-feed-url-joomla" data-tooltip-content="{{ctx.Locale.Tr "copy_url"}}">{{svg "octicon-copy" 14}}</button>
+				</div>
+			</div>
+			{{end}}
+			{{if or (eq .RepoUpdatePlatform "dolibarr") (eq .RepoUpdatePlatform "both")}}
+			<div class="field tw-mt-2">
+				<label>{{ctx.Locale.Tr "repo.licenses.feed_dolibarr_updates"}}</label>
+				<div class="ui action input tw-w-full">
+					<input class="js-feed-url-dolibarr" type="text" readonly value="{{.Repository.HTMLURL ctx}}/updates/dolibarr.json" onclick="this.select()">
+					<button class="ui button" data-clipboard-target=".js-feed-url-dolibarr" data-tooltip-content="{{ctx.Locale.Tr "copy_url"}}">{{svg "octicon-copy" 14}}</button>
+				</div>
+			</div>
+			{{end}}
+		</div>
+		{{end}}
+	</div>
+</div>
+{{template "base/footer" .}}
@@ -0,0 +1,56 @@
+{{template "base/head" .}}
+<div role="main" aria-label="{{.Title}}" class="page-content repository">
+	{{template "repo/header" .}}
+	<div class="ui container">
+		<h4 class="ui top attached header">
+			{{svg "octicon-pencil" 16}} {{ctx.Locale.Tr "repo.licenses.edit_key"}}
+		</h4>
+		<div class="ui attached segment">
+			<div class="tw-mb-4">
+				<strong>{{ctx.Locale.Tr "repo.licenses.key_prefix"}}:</strong> <code>{{.Key.KeyPrefix}}</code>
+			</div>
+			<form class="ui form" method="post" action="{{.FormAction}}">
+				{{.CsrfTokenHtml}}
+				<div class="two fields">
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.licensee_name"}}</label>
+						<input name="licensee_name" value="{{.Key.LicenseeName}}" placeholder="Customer name">
+					</div>
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.licensee_email"}}</label>
+						<input name="licensee_email" type="email" value="{{.Key.LicenseeEmail}}" placeholder="customer@example.com">
+					</div>
+				</div>
+				<div class="two fields">
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.domain_restriction"}}</label>
+						<input name="domain_restriction" value="{{.Key.DomainRestriction}}" placeholder="example.com,example.org">
+						<p class="help">{{ctx.Locale.Tr "repo.licenses.domain_restriction_help"}}</p>
+					</div>
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.max_sites"}}</label>
+						<input name="max_sites" type="number" value="{{.Key.MaxSites}}" min="0">
+						<p class="help">0 = {{ctx.Locale.Tr "repo.licenses.use_package_default"}}</p>
+					</div>
+				</div>
+				<div class="field">
+					<label>{{ctx.Locale.Tr "repo.licenses.expires_at"}}</label>
+					<input name="expires_at" type="date" value="{{.ExpiresDate}}">
+					<p class="help">{{ctx.Locale.Tr "repo.licenses.expires_at_help"}}</p>
+				</div>
+				<div class="field">
+					<div class="ui checkbox">
+						<input name="is_active" type="checkbox" {{if .Key.IsActive}}checked{{end}}>
+						<label>{{ctx.Locale.Tr "repo.licenses.active"}}</label>
+					</div>
+					<p class="help">{{ctx.Locale.Tr "repo.licenses.active_help_key"}}</p>
+				</div>
+				<div class="field tw-mt-4">
+					<button class="ui primary button" type="submit">{{ctx.Locale.Tr "save"}}</button>
+					<a class="ui button" href="{{.BackLink}}">{{ctx.Locale.Tr "cancel"}}</a>
+				</div>
+			</form>
+		</div>
+	</div>
+</div>
+{{template "base/footer" .}}
@@ -0,0 +1,60 @@
+{{template "base/head" .}}
+<div role="main" aria-label="{{.Title}}" class="page-content repository">
+	{{template "repo/header" .}}
+	<div class="ui container">
+		<h4 class="ui top attached header">
+			{{svg "octicon-pencil" 16}} {{ctx.Locale.Tr "repo.licenses.edit_package"}}
+		</h4>
+		<div class="ui attached segment">
+			<form class="ui form" method="post" action="{{.RepoLink}}/licenses/packages/{{.Package.ID}}/edit">
+				{{.CsrfTokenHtml}}
+				<div class="two fields">
+					<div class="required field">
+						<label>{{ctx.Locale.Tr "repo.licenses.package_name"}}</label>
+						<input name="name" required value="{{.Package.Name}}">
+					</div>
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.description"}}</label>
+						<input name="description" value="{{.Package.Description}}">
+					</div>
+				</div>
+				<div class="three fields">
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.duration"}} ({{ctx.Locale.Tr "repo.licenses.days"}})</label>
+						<input name="duration_days" type="number" value="{{.Package.DurationDays}}" min="0">
+						<p class="help">0 = {{ctx.Locale.Tr "repo.licenses.lifetime"}}</p>
+					</div>
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.max_sites"}}</label>
+						<input name="max_sites" type="number" value="{{.Package.MaxSites}}" min="0">
+						<p class="help">0 = {{ctx.Locale.Tr "repo.licenses.unlimited"}}</p>
+					</div>
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.channels"}}</label>
+						{{if .AvailableStreams}}
+							{{range .AvailableStreams}}
+							<div class="ui checkbox tw-mr-4 tw-mb-2">
+								<input name="allowed_channels" type="checkbox" value="{{.Name}}" {{if SliceUtils.Contains $.SelectedChannels .Name}}checked{{end}}>
+								<label>{{.Name}}{{if .Description}} <small class="text grey">({{.Description}})</small>{{end}}</label>
+							</div>
+							{{end}}
+						{{end}}
+						<p class="help">{{ctx.Locale.Tr "repo.licenses.channels_help"}}</p>
+					</div>
+				</div>
+				<div class="field">
+					<div class="ui checkbox">
+						<input name="is_active" type="checkbox" {{if .Package.IsActive}}checked{{end}}>
+						<label>{{ctx.Locale.Tr "repo.licenses.active"}}</label>
+					</div>
+					<p class="help">{{ctx.Locale.Tr "repo.licenses.active_help_package"}}</p>
+				</div>
+				<div class="field tw-mt-4">
+					<button class="ui primary button" type="submit">{{ctx.Locale.Tr "save"}}</button>
+					<a class="ui button" href="{{.RepoLink}}/licenses">{{ctx.Locale.Tr "cancel"}}</a>
+				</div>
+			</form>
+		</div>
+	</div>
+</div>
+{{template "base/footer" .}}
@@ -16,6 +16,18 @@
 				{{svg "octicon-rss" 16}} {{ctx.Locale.Tr "rss_feed"}}
 			</a>
 		{{end}}
+		{{if and (not .PageIsTagList) .LicensingEnabled}}
+			{{if or (eq .RepoUpdatePlatform "joomla") (eq .RepoUpdatePlatform "both") (eq .RepoUpdatePlatform "")}}
+				<a class="ui small button" href="{{.RepoLink}}/updates.xml" target="_blank">
+					{{svg "octicon-download" 16}} {{ctx.Locale.Tr "repo.licenses.feed_joomla_xml"}}
+				</a>
+			{{end}}
+			{{if or (eq .RepoUpdatePlatform "dolibarr") (eq .RepoUpdatePlatform "both")}}
+				<a class="ui small button" href="{{.RepoLink}}/updates/dolibarr.json" target="_blank">
+					{{svg "octicon-download" 16}} {{ctx.Locale.Tr "repo.licenses.feed_dolibarr_json"}}
+				</a>
+			{{end}}
+		{{end}}
 		{{if and (not .PageIsTagList) .CanCreateRelease}}
 			<a class="ui small primary button" href="{{$.RepoLink}}/releases/new{{if .PageIsSingleTag}}?tag={{.SingleReleaseTagName}}{{end}}">
 				{{ctx.Locale.Tr "repo.release.new_release"}}
@@ -62,7 +62,7 @@
 									{{.Name}}
 								</a>
 								<div class="item-body flex-text-block">
-									{{/*FIXME: TEAM-UNIT-PERMISSION this display is not right, search the fixme keyword to see more details */}}
+									{{/* Team access mode: 0=per-unit, 1=read, 2=write, 3=admin (all units), 4=owner */}}
 									{{svg "octicon-shield-lock"}}
 									{{if eq .AccessMode 0}}
 										{{ctx.Locale.Tr "repo.settings.collaboration.per_unit"}}
@@ -330,6 +330,13 @@
 							<label>{{ctx.Locale.Tr "repo.settings.default_wiki_branch_name"}}</label>
 							<input name="default_wiki_branch" value="{{.Repository.DefaultWikiBranch}}">
 						</div>
+						<div class="inline field">
+							<label>{{ctx.Locale.Tr "repo.settings.unit_visibility"}}</label>
+							<select name="wiki_visibility" class="ui dropdown">
+								<option value="not-set" {{if not (eq (.Repository.MustGetUnit ctx ctx.Consts.RepoUnitTypeWiki).AnonymousAccessMode 1)}}selected{{end}}>{{ctx.Locale.Tr "repo.settings.unit_visibility_private"}}</option>
+								<option value="anonymous-read" {{if eq (.Repository.MustGetUnit ctx ctx.Consts.RepoUnitTypeWiki).AnonymousAccessMode 1}}selected{{end}}>{{ctx.Locale.Tr "repo.settings.unit_visibility_public"}}</option>
+							</select>
+						</div>
 					</div>
 					<div class="field">
 						<div class="ui radio checkbox{{if $isExternalWikiGlobalDisabled}} disabled{{end}}"{{if $isExternalWikiGlobalDisabled}} data-tooltip-content="{{ctx.Locale.Tr "repo.unit_disabled"}}"{{end}}>
@@ -389,6 +396,13 @@
 							<input name="enable_close_issues_via_commit_in_any_branch" type="checkbox" {{if .Repository.CloseIssuesViaCommitInAnyBranch}}checked{{end}}>
 							<label>{{ctx.Locale.Tr "repo.settings.admin_enable_close_issues_via_commit_in_any_branch"}}</label>
 						</div>
+						<div class="inline field tw-mt-2">
+							<label>{{ctx.Locale.Tr "repo.settings.unit_visibility"}}</label>
+							<select name="issues_visibility" class="ui dropdown">
+								<option value="not-set" {{if not (eq (.Repository.MustGetUnit ctx ctx.Consts.RepoUnitTypeIssues).AnonymousAccessMode 1)}}selected{{end}}>{{ctx.Locale.Tr "repo.settings.unit_visibility_private"}}</option>
+								<option value="anonymous-read" {{if eq (.Repository.MustGetUnit ctx ctx.Consts.RepoUnitTypeIssues).AnonymousAccessMode 1}}selected{{end}}>{{ctx.Locale.Tr "repo.settings.unit_visibility_public"}}</option>
+							</select>
+						</div>
 					</div>
 					<div class="field">
 						<div class="ui radio checkbox{{if $isExternalTrackerGlobalDisabled}} disabled{{end}}"{{if $isExternalTrackerGlobalDisabled}} data-tooltip-content="{{ctx.Locale.Tr "repo.unit_disabled"}}"{{end}}>
@@ -487,10 +501,50 @@
 				<div class="inline field">
 					<label>{{ctx.Locale.Tr "repo.releases"}}</label>
 					<div class="ui checkbox{{if $isReleasesGlobalDisabled}} disabled{{end}}"{{if $isReleasesGlobalDisabled}} data-tooltip-content="{{ctx.Locale.Tr "repo.unit_disabled"}}"{{end}}>
-						<input class="enable-system" name="enable_releases" type="checkbox" {{if $isReleasesEnabled}}checked{{end}}>
+						<input class="enable-system" name="enable_releases" type="checkbox" data-target="#releases_visibility_box" {{if $isReleasesEnabled}}checked{{end}}>
 						<label>{{ctx.Locale.Tr "repo.settings.releases_desc"}}</label>
 					</div>
 				</div>
+				<div class="field tw-pl-4{{if not $isReleasesEnabled}} disabled{{end}}" id="releases_visibility_box">
+					<div class="inline field">
+						<label>{{ctx.Locale.Tr "repo.settings.unit_visibility"}}</label>
+						<select name="releases_visibility" class="ui dropdown">
+							<option value="not-set" {{if not (eq (.Repository.MustGetUnit ctx ctx.Consts.RepoUnitTypeReleases).AnonymousAccessMode 1)}}selected{{end}}>{{ctx.Locale.Tr "repo.settings.unit_visibility_private"}}</option>
+							<option value="anonymous-read" {{if eq (.Repository.MustGetUnit ctx ctx.Consts.RepoUnitTypeReleases).AnonymousAccessMode 1}}selected{{end}}>{{ctx.Locale.Tr "repo.settings.unit_visibility_public"}}</option>
+						</select>
+						<p class="help">{{ctx.Locale.Tr "repo.settings.unit_visibility_releases_help"}}</p>
+					</div>
+				</div>
+
+				<div class="divider"></div>
+
+				{{/* ── Licensing & Update Feeds ── */}}
+				<div class="inline field">
+					<label>{{ctx.Locale.Tr "repo.settings.licensing_section"}}</label>
+					<div class="ui checkbox">
+						<input class="enable-system" name="enable_licensing" type="checkbox" data-target="#licensing_options_box" {{if and .RepoUpdateConfig .RepoUpdateConfig.LicensingEnabled}}checked{{end}}>
+						<label>{{ctx.Locale.Tr "repo.settings.enable_licensing"}}</label>
+					</div>
+				</div>
+				<div class="field tw-pl-4{{if not (and .RepoUpdateConfig .RepoUpdateConfig.LicensingEnabled)}} disabled{{end}}" id="licensing_options_box">
+					<p class="help tw-mb-4">{{ctx.Locale.Tr "repo.settings.licensing_section_desc"}}</p>
+					<div class="inline field">
+						<label>{{ctx.Locale.Tr "repo.settings.update_platform"}}</label>
+						<select name="update_platform" class="ui dropdown">
+							<option value="joomla" {{if or (not .RepoUpdateConfig) (eq .RepoUpdateConfig.Platform "joomla") (eq .RepoUpdateConfig.Platform "")}}selected{{end}}>Joomla (updates.xml)</option>
+							<option value="dolibarr" {{if and .RepoUpdateConfig (eq .RepoUpdateConfig.Platform "dolibarr")}}selected{{end}}>Dolibarr (JSON)</option>
+							<option value="both" {{if and .RepoUpdateConfig (eq .RepoUpdateConfig.Platform "both")}}selected{{end}}>{{ctx.Locale.Tr "repo.settings.update_platform_both"}}</option>
+						</select>
+						<p class="help">{{ctx.Locale.Tr "repo.settings.update_platform_help"}}</p>
+					</div>
+					<div class="inline field">
+						<div class="ui checkbox">
+							<input name="require_update_key" type="checkbox" {{if and .RepoUpdateConfig .RepoUpdateConfig.RequireKey}}checked{{end}}>
+							<label>{{ctx.Locale.Tr "repo.settings.require_update_key"}}</label>
+						</div>
+						<p class="help">{{ctx.Locale.Tr "repo.settings.require_update_key_help"}}</p>
+					</div>
+				</div>

 				{{$isPackagesEnabled := .Repository.UnitEnabled ctx ctx.Consts.RepoUnitTypePackages}}
 				{{$isPackagesGlobalDisabled := ctx.Consts.RepoUnitTypePackages.UnitGlobalDisabled}}
@@ -1,7 +1,7 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <!-- Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 SPDX-License-Identifier: GPL-3.0-or-later
- VERSION: 05.08.00
+ VERSION: 05.14.00
 -->

 <updates>
@@ -13,13 +13,13 @@
    <client>site</client>
    <version>05.05.00-dev</version>
    <creationDate>2026-05-30</creationDate>
-    <infourl title="MokoGitea">https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/tag/development</infourl>
+    <infourl title="MokoGitea">https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/tag/development</infourl>
    <downloads>
-      <downloadurl type="full" format="zip">https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/download/development/mokogitea-05.05.00-dev.zip</downloadurl>
+      <downloadurl type="full" format="zip">https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/download/development/mokogitea-05.05.00-dev.zip</downloadurl>
    </downloads>
    <sha256>4fee9eb03e4b819a63bce2ceb54fdce0d3eb8bf5b31460fcc42e5ecd75cc856e</sha256>
    <tags><tag>dev</tag></tags>
-    <changelogurl>https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/raw/branch/main/CHANGELOG.md</changelogurl>
+    <changelogurl>https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/raw/branch/main/CHANGELOG.md</changelogurl>
    <maintainer>Moko Consulting</maintainer>
    <maintainerurl>https://mokoconsulting.tech</maintainerurl>
    <targetplatform name="go" version=".*"/>
@@ -32,13 +32,13 @@
    <client>site</client>
    <version>05.05.00-alpha</version>
    <creationDate>2026-05-30</creationDate>
-    <infourl title="MokoGitea">https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/tag/alpha</infourl>
+    <infourl title="MokoGitea">https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/tag/alpha</infourl>
    <downloads>
-      <downloadurl type="full" format="zip">https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/download/alpha/mokogitea-05.05.00-alpha.zip</downloadurl>
+      <downloadurl type="full" format="zip">https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/download/alpha/mokogitea-05.05.00-alpha.zip</downloadurl>
    </downloads>
    <sha256>4fee9eb03e4b819a63bce2ceb54fdce0d3eb8bf5b31460fcc42e5ecd75cc856e</sha256>
    <tags><tag>alpha</tag></tags>
-    <changelogurl>https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/raw/branch/main/CHANGELOG.md</changelogurl>
+    <changelogurl>https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/raw/branch/main/CHANGELOG.md</changelogurl>
    <maintainer>Moko Consulting</maintainer>
    <maintainerurl>https://mokoconsulting.tech</maintainerurl>
    <targetplatform name="go" version=".*"/>
@@ -51,13 +51,13 @@
    <client>site</client>
    <version>05.05.00-beta</version>
    <creationDate>2026-05-30</creationDate>
-    <infourl title="MokoGitea">https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/tag/beta</infourl>
+    <infourl title="MokoGitea">https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/tag/beta</infourl>
    <downloads>
-      <downloadurl type="full" format="zip">https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/download/beta/mokogitea-05.05.00-beta.zip</downloadurl>
+      <downloadurl type="full" format="zip">https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/download/beta/mokogitea-05.05.00-beta.zip</downloadurl>
    </downloads>
    <sha256>4fee9eb03e4b819a63bce2ceb54fdce0d3eb8bf5b31460fcc42e5ecd75cc856e</sha256>
    <tags><tag>beta</tag></tags>
-    <changelogurl>https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/raw/branch/main/CHANGELOG.md</changelogurl>
+    <changelogurl>https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/raw/branch/main/CHANGELOG.md</changelogurl>
    <maintainer>Moko Consulting</maintainer>
    <maintainerurl>https://mokoconsulting.tech</maintainerurl>
    <targetplatform name="go" version=".*"/>
@@ -70,13 +70,13 @@
    <client>site</client>
    <version>05.05.00-rc</version>
    <creationDate>2026-05-30</creationDate>
-    <infourl title="MokoGitea">https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/tag/release-candidate</infourl>
+    <infourl title="MokoGitea">https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/tag/release-candidate</infourl>
    <downloads>
-      <downloadurl type="full" format="zip">https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/download/release-candidate/mokogitea-05.05.00-rc.zip</downloadurl>
+      <downloadurl type="full" format="zip">https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/download/release-candidate/mokogitea-05.05.00-rc.zip</downloadurl>
    </downloads>
    <sha256>4fee9eb03e4b819a63bce2ceb54fdce0d3eb8bf5b31460fcc42e5ecd75cc856e</sha256>
    <tags><tag>rc</tag></tags>
-    <changelogurl>https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/raw/branch/main/CHANGELOG.md</changelogurl>
+    <changelogurl>https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/raw/branch/main/CHANGELOG.md</changelogurl>
    <maintainer>Moko Consulting</maintainer>
    <maintainerurl>https://mokoconsulting.tech</maintainerurl>
    <targetplatform name="go" version=".*"/>
@@ -87,15 +87,15 @@
    <element>mokogitea</element>
    <type>application</type>
    <client>site</client>
-    <version>05.05.00</version>
-    <creationDate>2026-05-30</creationDate>
-    <infourl title='MokoGitea'>https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/tag/stable</infourl>
+    <version>05.14.00</version>
+    <creationDate>2026-05-31</creationDate>
+    <infourl title='MokoGitea'>https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/tag/stable</infourl>
    <downloads>
-      <downloadurl type='full' format='zip'>https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/download/stable/mokogitea-05.05.00.zip</downloadurl>
+      <downloadurl type='full' format='zip'>https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/download/stable/mokogitea-05.14.00.zip</downloadurl>
    </downloads>
-    <sha256>4fee9eb03e4b819a63bce2ceb54fdce0d3eb8bf5b31460fcc42e5ecd75cc856e</sha256>
+    <sha256>bec4bf5a1a841f8e72d9826451004db5d8afc70144231dfedc7fb01a6695955c</sha256>
    <tags><tag>stable</tag></tags>
-    <changelogurl>https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/raw/branch/main/CHANGELOG.md</changelogurl>
+    <changelogurl>https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/raw/branch/main/CHANGELOG.md</changelogurl>
    <maintainer>Moko Consulting</maintainer>
    <maintainerurl>https://mokoconsulting.tech</maintainerurl>
    <targetplatform name="go" version=".*" />