chore: sync .mokogitea/workflows/repo-health.yml from moko-platform [skip ci]

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.mokogitea/workflows/auto-release.yml

@@ -0,0 +1,283 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: moko-platform.Release
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
+# PATH: /templates/workflows/universal/auto-release.yml.template
+# VERSION: 05.00.00
+# BRIEF: Universal build & release � detects platform from manifest.xml
+#
+# +========================================================================+
+# |              UNIVERSAL BUILD & RELEASE PIPELINE                        |
+# +========================================================================+
+# |                                                                        |
+# |  Reads manifest.xml (joomla|dolibarr|generic) to branch logic.       |
+# |                                                                        |
+# |  Platform-specific:                                                    |
+# |    joomla:   XML manifest, updates.xml, type-prefixed packages         |
+# |    dolibarr: mod*.class.php, update.txt, dev version reset             |
+# |    generic:  README-only, no update stream                             |
+# |                                                                        |
+# +========================================================================+
+
+name: "Universal: Build & Release"
+
+on:
+  pull_request:
+    types: [opened, closed]
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      action:
+        description: 'Action to perform'
+        required: false
+        type: choice
+        default: release
+        options:
+          - release
+          - promote-rc
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
+  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
+
+permissions:
+  contents: write
+
+jobs:
+  # ── PR Opened → Rename branch to RC and build RC release ─────────────────────
+  promote-rc:
+    name: Promote to RC
+    runs-on: release
+    if: >-
+      (github.event.action == 'opened' && github.event.pull_request.merged != true) ||
+      (github.event_name == 'workflow_dispatch' && inputs.action == 'promote-rc')
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
+          fetch-depth: 1
+
+      - name: Setup moko-platform tools
+        env:
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
+        run: |
+          if ! command -v composer &> /dev/null; then
+            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          fi
+          # Always fetch latest CLI tools — never use stale cache from previous runs
+          rm -rf /tmp/moko-platform-api
+          git clone --depth 1 --branch main --quiet \
+            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
+            /tmp/moko-platform-api
+          cd /tmp/moko-platform-api
+          composer install --no-dev --no-interaction --quiet
+
+      - name: Rename branch to rc
+        run: |
+          php /tmp/moko-platform-api/cli/branch_rename.php \
+            --from "${{ github.event.pull_request.head.ref || 'dev' }}" --to rc \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
+            --api-base "${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}" \
+            --pr "${{ github.event.pull_request.number }}"
+
+      - name: Checkout rc and configure git
+        run: |
+          git fetch origin rc
+          git checkout rc
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          git config --local user.name "gitea-actions[bot]"
+          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+
+      - name: Publish RC release
+        run: |
+          php /tmp/moko-platform-api/cli/release_publish.php \
+            --path . --stability rc --bump minor --branch rc \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}"
+
+      - name: Summary
+        if: always()
+        run: |
+          echo "## Promoted to Release Candidate" >> $GITHUB_STEP_SUMMARY
+          echo "Branch renamed to rc, minor bump, RC + lesser stream releases built, updates.xml synced" >> $GITHUB_STEP_SUMMARY
+
+  # ── Merged PR → Build & Release (or promote RC to stable) ────────────────────
+  release:
+    name: Build & Release Pipeline
+    runs-on: release
+    if: >-
+      github.event.pull_request.merged == true ||
+      (github.event_name == 'workflow_dispatch' && inputs.action != 'promote-rc')
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
+          fetch-depth: 0
+
+      - name: Configure git for bot pushes
+        run: |
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          git config --local user.name "gitea-actions[bot]"
+          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+
+      - name: Check for merge conflict markers
+        run: |
+          CONFLICTS=$(grep -rn '<<<<<<< \|>>>>>>> \|^=======$' --include='*.php' --include='*.xml' --include='*.css' --include='*.js' --include='*.json' --include='*.md' --include='*.yml' --include='*.yaml' --include='*.ini' --include='*.txt' . 2>/dev/null | grep -v '.git/' || true)
+          if [ -n "$CONFLICTS" ]; then
+            echo "::error::Merge conflict markers found — aborting release"
+            echo "## Release Blocked: Conflict Markers" >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+            echo "$CONFLICTS" >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+          echo "No conflict markers found"
+
+      - name: Setup moko-platform tools
+        env:
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_MIRROR_TOKEN }}"}}'
+        run: |
+          # Ensure PHP + Composer are available
+          if ! command -v composer &> /dev/null; then
+            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          fi
+          # Always fetch latest CLI tools — never use stale cache from previous runs
+          rm -rf /tmp/moko-platform-api
+          git clone --depth 1 --branch main --quiet \
+            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
+            /tmp/moko-platform-api
+          cd /tmp/moko-platform-api
+          composer install --no-dev --no-interaction --quiet
+
+
+      - name: "Publish stable release"
+        run: |
+          php /tmp/moko-platform-api/cli/release_publish.php \
+            --path . --stability stable --bump minor --branch main \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}"
+
+      # -- STEP 9: Mirror to GitHub (stable only) --------------------------------
+      - name: "Step 9: Mirror release to GitHub"
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          secrets.GH_MIRROR_TOKEN != ''
+        continue-on-error: true
+        run: |
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
+          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          php /tmp/moko-platform-api/cli/release_mirror.php \
+            --version "$VERSION" --tag "$RELEASE_TAG" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
+            --gh-token "${{ secrets.GH_MIRROR_TOKEN }}" --gh-repo "$GH_REPO" \
+            --branch main 2>&1 || true
+          echo "GitHub mirror updated" >> $GITHUB_STEP_SUMMARY
+
+      # -- STEP 10: Sync main branch to GitHub mirror ----------------------------
+      - name: "Step 10: Push main to GitHub mirror"
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          secrets.GH_MIRROR_TOKEN != ''
+        continue-on-error: true
+        run: |
+          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
+          GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
+          GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
+          git remote add github "https://x-access-token:${{ secrets.GH_MIRROR_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
+            git remote set-url github "https://x-access-token:${{ secrets.GH_MIRROR_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
+          git fetch origin main --depth=1
+          git push github origin/main:refs/heads/main --force 2>/dev/null \
+            && echo "main branch pushed to GitHub mirror" \
+            || echo "WARNING: GitHub mirror push failed"
+
+      - name: "Step 11: Delete rc branch and recreate dev from main"
+        if: steps.version.outputs.skip != 'true'
+        continue-on-error: true
+        run: |
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
+
+          # Delete rc branch (ephemeral — created by promote-rc)
+          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
+            "${API_BASE}/branches/rc" 2>/dev/null \
+            && echo "Deleted rc branch" || echo "rc branch not found"
+
+          # Delete dev branch
+          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
+            "${API_BASE}/branches/dev" 2>/dev/null && echo "Deleted dev branch"
+
+          # Recreate dev from main (now includes version bump + changelog promotion)
+          curl -sf -X POST -H "Authorization: token ${TOKEN}" \
+            -H "Content-Type: application/json" \
+            "${API_BASE}/branches" \
+            -d '{"new_branch_name":"dev","old_branch_name":"main"}' 2>/dev/null && echo "Recreated dev from main"
+
+          echo "Pre-release branches cleaned, dev reset from main" >> $GITHUB_STEP_SUMMARY
+
+      - name: "Step 12: Create version branch from main"
+        if: steps.version.outputs.skip != 'true'
+        continue-on-error: true
+        run: |
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          BRANCH_NAME="version/${VERSION}"
+          MAIN_SHA=$(git rev-parse HEAD)
+
+          # Delete old version branch if it exists (same version re-release)
+          curl -sf -X DELETE -H "Authorization: token ${TOKEN}"             "${API_BASE}/branches/${BRANCH_NAME}" 2>/dev/null && echo "Deleted old ${BRANCH_NAME}"
+
+          # Create version/XX.YY.ZZ from main
+          curl -sf -X POST -H "Authorization: token ${TOKEN}"             -H "Content-Type: application/json"             "${API_BASE}/branches"             -d "{\"new_branch_name\":\"${BRANCH_NAME}\",\"old_branch_name\":\"main\"}" 2>/dev/null             && echo "Created ${BRANCH_NAME} from main (${MAIN_SHA})"             || echo "WARNING: ${BRANCH_NAME} creation failed"
+
+          echo "Version branch created: ${BRANCH_NAME} (${MAIN_SHA})" >> $GITHUB_STEP_SUMMARY
+
+
+
+      # -- Dolibarr post-release: Reset dev version -----------------------------
+      - name: "Post-release: Reset dev version"
+        if: steps.version.outputs.skip != 'true'
+        continue-on-error: true
+        run: |
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          php /tmp/moko-platform-api/cli/version_reset_dev.php \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "${API_BASE}" \
+            --branch dev --path . 2>&1 || true
+
+      # -- Summary --------------------------------------------------------------
+      - name: Pipeline Summary
+        if: always()
+        run: |
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          PLATFORM="${{ steps.platform.outputs.platform }}"
+          if [ "${{ steps.version.outputs.skip }}" = "true" ]; then
+            echo "## Release Skipped" >> $GITHUB_STEP_SUMMARY
+            echo "No VERSION in README.md" >> $GITHUB_STEP_SUMMARY
+          elif [ "${{ steps.check.outputs.already_released }}" = "true" ]; then
+            echo "## Already Released — ${VERSION}" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "## Build & Release Complete (${PLATFORM})" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "| Step | Result |" >> $GITHUB_STEP_SUMMARY
+            echo "|------|--------|" >> $GITHUB_STEP_SUMMARY
+            echo "| Platform | \`${PLATFORM}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| Branch | \`${{ steps.version.outputs.branch }}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| Tag | \`${{ steps.version.outputs.tag }}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| Release | [View](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${{ steps.version.outputs.tag }}) |" >> $GITHUB_STEP_SUMMARY
+          fi

.mokogitea/workflows/repo-health.yml

@@ -11,7 +11,7 @@
 # REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
 # PATH: /templates/workflows/joomla/repo_health.yml.template
 # VERSION: 09.23.00
-# BRIEF: Enforces repository guardrails by validating release configuration, scripts governance, tooling availability, and core repository health artifacts.
+# BRIEF: Enforces repository guardrails by validating scripts governance, tooling availability, and core repository health artifacts.
 # ============================================================================
 
 name: "Generic: Repo Health"
@@ -24,13 +24,12 @@ on:
   workflow_dispatch:
     inputs:
       profile:
-        description: 'Validation profile: all, release, scripts, or repo'
+        description: 'Validation profile: all, scripts, or repo'
         required: true
         default: all
         type: choice
         options:
           - all
-          - release
           - scripts
           - repo
   pull_request:
@@ -40,10 +39,6 @@ permissions:
   contents: read
 
 env:
-  # Release policy - Repository Variables Only
-  RELEASE_REQUIRED_REPO_VARS: RS_FTP_PATH_SUFFIX
-  RELEASE_OPTIONAL_REPO_VARS: DEV_FTP_SUFFIX
-
   # Scripts governance policy
   SCRIPTS_REQUIRED_DIRS:
   SCRIPTS_ALLOWED_DIRS: scripts,scripts/fix,scripts/lib,scripts/release,scripts/run,scripts/validate
@@ -138,101 +133,6 @@ jobs:
           printf '%s\n' 'ERROR: Access denied. Admin permission required.' >> "${GITHUB_STEP_SUMMARY}"
           exit 1
 
-  release_config:
-    name: Release configuration
-    needs: access_check
-    if: ${{ needs.access_check.outputs.allowed == 'true' }}
-    runs-on: ubuntu-latest
-    timeout-minutes: 20
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          fetch-depth: 0
-
-      - name: Guardrails release vars
-        env:
-          PROFILE_RAW: ${{ github.event.inputs.profile }}
-          RS_FTP_PATH_SUFFIX: ${{ vars.RS_FTP_PATH_SUFFIX }}
-          DEV_FTP_SUFFIX: ${{ vars.DEV_FTP_SUFFIX }}
-        run: |
-          set -euo pipefail
-
-          profile="${PROFILE_RAW:-all}"
-          case "${profile}" in
-            all|release|scripts|repo) ;;
-            *)
-              printf '%s\n' "ERROR: Unknown profile: ${profile}" >> "${GITHUB_STEP_SUMMARY}"
-              exit 1
-              ;;
-          esac
-
-          if [ "${profile}" = 'scripts' ] || [ "${profile}" = 'repo' ]; then
-            {
-              printf '%s\n' '### Release configuration (Repository Variables)'
-              printf '%s\n' "Profile: ${profile}"
-              printf '%s\n' 'Status: SKIPPED'
-              printf '%s\n' 'Reason: profile excludes release validation'
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-            exit 0
-          fi
-
-          IFS=',' read -r -a required <<< "${RELEASE_REQUIRED_REPO_VARS}"
-          IFS=',' read -r -a optional <<< "${RELEASE_OPTIONAL_REPO_VARS}"
-
-          missing=()
-          missing_optional=()
-
-          for k in "${required[@]}"; do
-            v="${!k:-}"
-            [ -z "${v}" ] && missing+=("${k}")
-          done
-
-          for k in "${optional[@]}"; do
-            v="${!k:-}"
-            [ -z "${v}" ] && missing_optional+=("${k}")
-          done
-
-          {
-            printf '%s\n' '### Release configuration (Repository Variables)'
-            printf '%s\n' "Profile: ${profile}"
-            printf '%s\n' '| Variable | Status |'
-            printf '%s\n' '|---|---|'
-            printf '%s\n' "| RS_FTP_PATH_SUFFIX | ${RS_FTP_PATH_SUFFIX:-NOT SET} |"
-            printf '%s\n' "| DEV_FTP_SUFFIX | ${DEV_FTP_SUFFIX:-NOT SET} |"
-            printf '\n'
-          } >> "${GITHUB_STEP_SUMMARY}"
-
-          if [ "${#missing_optional[@]}" -gt 0 ]; then
-            {
-              printf '%s\n' '### Missing optional repository variables'
-              for m in "${missing_optional[@]}"; do printf '%s\n' "- ${m}"; done
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-          fi
-
-          if [ "${#missing[@]}" -gt 0 ]; then
-            {
-              printf '%s\n' '### Missing required repository variables'
-              for m in "${missing[@]}"; do printf '%s\n' "- ${m}"; done
-              printf '%s\n' 'ERROR: Guardrails failed. Missing required repository variables.'
-            } >> "${GITHUB_STEP_SUMMARY}"
-            exit 1
-          fi
-
-          {
-            printf '%s\n' '### Repository variables validation result'
-            printf '%s\n' 'Status: OK'
-            printf '%s\n' 'All required repository variables present.'
-            printf '%s\n' ''
-            printf '%s\n' '**Note**: Organization secrets (RS_FTP_HOST, RS_FTP_USER, etc.) are validated at deployment time, not in repository health checks.'
-            printf '\n'
-          } >> "${GITHUB_STEP_SUMMARY}"
-
   scripts_governance:
     name: Scripts governance
     needs: access_check
@@ -256,14 +156,14 @@ jobs:
 
           profile="${PROFILE_RAW:-all}"
           case "${profile}" in
-            all|release|scripts|repo) ;;
+            all|scripts|repo) ;;
             *)
               printf '%s\n' "ERROR: Unknown profile: ${profile}" >> "${GITHUB_STEP_SUMMARY}"
               exit 1
               ;;
           esac
 
-          if [ "${profile}" = 'release' ] || [ "${profile}" = 'repo' ]; then
+          if [ "${profile}" = 'repo' ]; then
             {
               printf '%s\n' '### Scripts governance'
               printf '%s\n' "Profile: ${profile}"
@@ -370,14 +270,14 @@ jobs:
 
           profile="${PROFILE_RAW:-all}"
           case "${profile}" in
-            all|release|scripts|repo) ;;
+            all|scripts|repo) ;;
             *)
               printf '%s\n' "ERROR: Unknown profile: ${profile}" >> "${GITHUB_STEP_SUMMARY}"
               exit 1
               ;;
           esac
 
-          if [ "${profile}" = 'release' ] || [ "${profile}" = 'scripts' ]; then
+          if [ "${profile}" = 'scripts' ]; then
             {
               printf '%s\n' '### Repository health'
               printf '%s\n' "Profile: ${profile}"
@@ -704,7 +604,7 @@ jobs:
             printf '%s\n' '| Domain | Status | Notes |'
             printf '%s\n' '|---|---|---|'
             printf '%s\n' '| Access control | OK | Admin-only execution gate |'
-            printf '%s\n' '| Release variables | OK | Repository variables validation |'
+            printf '%s\n' '| Release policy | N/A | Releases handled by MokoGitea |'
             printf '%s\n' '| Scripts governance | OK | Directory policy and advisory reporting |'
             printf '%s\n' '| Repo required artifacts | OK | Required, optional, disallowed enforcement |'
             printf '%s\n' '| Repo content heuristics | OK | Brand, license, changelog structure |'
@@ -773,11 +673,10 @@ jobs:
   report-issues:
     name: "Report Issues"
     runs-on: ubuntu-latest
-    needs: [access_check, release_config, scripts_governance, repo_health]
+    needs: [access_check, scripts_governance, repo_health]
     if: >-
       always() &&
-      (needs.release_config.result == 'failure' ||
-       needs.scripts_governance.result == 'failure' ||
+      (needs.scripts_governance.result == 'failure' ||
        needs.repo_health.result == 'failure')
 
     steps:
@@ -803,10 +702,6 @@ jobs:
             fi
           }
 
-          report_gate "Release Configuration" \
-            "${{ needs.release_config.result }}" \
-            "Required repository variables are missing (RS_FTP_PATH_SUFFIX). Check repository settings."
-
           report_gate "Scripts Governance" \
             "${{ needs.scripts_governance.result }}" \
             "Scripts directory policy violations detected. Review required and allowed directories."
@@ -814,4 +709,3 @@ jobs:
           report_gate "Repository Health" \
             "${{ needs.repo_health.result }}" \
             "Repository health checks failed — missing required artifacts, disallowed files, or content warnings. Check the CI run summary."
-

CHANGELOG.md

@@ -10,11 +10,11 @@ been added to each release, please refer to the [blog](https://blog.gitea.com).
     * Package archiving with soft-delete and collapsible archived section
     * Search keys by customer, domain, key number, email, or payment ref
     * Download gating (none/prerelease/all modes)
-    * Feed visibility (public/no-download/hidden modes)
     * Domain lock grace period (DomainLockHours)
     * RepoScope enforcement — packages scoped to specific repos
+    * Configurable license key prefix per organization
+    * Manual release-to-stream mapping with UI selector
     * Joomla changelog XML endpoint (/changelog.xml)
-    * WordPress PUC-compatible update feed (/updates/wordpress.json)
     * SHA256 checksums from sidecar files in Joomla updates.xml
     * Joomla-standard tag values (dev/alpha/beta/rc/stable)
     * Double confirmation modals for permanent deletion
@@ -23,12 +23,42 @@ been added to each release, please refer to the [blog](https://blog.gitea.com).
     * API: package CRUD, key revoke, key renew, settings GET/PUT
     * API: purchase webhook with PaymentRef idempotency
     * API: public validation endpoint (no auth)
-    * Migration v340: all new columns synced
-  * feat(updates): infourl defaults to release listing page
+    * Migration v340-v342: all new columns synced
+  * feat(updates): 7 platform update feeds
+    * Joomla XML with downloadkey, SHA256, changelog URL
+    * Dolibarr JSON with channel filtering
+    * WordPress PUC-compatible JSON (plugin-update-checker)
+    * Composer packages.json
+    * PrestaShop module update XML
+    * Drupal update status XML
+    * WHMCS module update JSON
+  * feat(updates): feed always public — downloads gated separately
+  * feat(updates): stream-name tags supported alongside version tags
+  * feat(updates): version extraction via regex from release titles
+  * feat(updates): infourl defaults to release listing / support URL
   * feat(updates): downloadkey prefix matches Akeeba pattern (dlid=)
+  * feat(orgs): enterprise sub-org hierarchy with parent-child relationships
+  * feat(repos): three-level visibility — Public (200), Private (403), Hidden (404)
+  * feat(settings): separate licensing settings page (/settings/licensing)
+  * feat(settings): advanced settings on dedicated page (/settings/advanced)
+  * feat(settings): section headers with dividers and icons
+  * feat(ui): icons on all settings navbars (repo, org, user, admin)
+  * feat(ui): styled 403 Access Denied page with inline login form
+  * feat(ui): open-in-new-tab button on feed URLs
+* SECURITY
+  * fix(security): ownership guards on all API handlers (cross-org prevention)
+  * fix(security): RepoScope JSON parsing (substring matching bug)
+  * fix(security): CSRF tokens in delete confirmation modals
+  * fix(security): XSS escaping in WordPress changelog HTML
+  * fix(security): require login for licenses and actions pages
+  * fix(security): 403 for all users on private repos (not 404)
+  * fix(security): licensed private repos allow release viewing for signed-in users
+  * fix(security): anonymous download access respects download_gating setting
+* FIXES
   * fix(licenses): expanded delete permissions to org owners + site admins
-  * fix(licenses): no-download mode shows release notes but hides files
-  * fix(licenses): releases require login in hidden feed visibility mode
+  * fix(licenses): explicit xorm column names for UpdateStreamConfig fields
+  * fix(licenses): feed always public when licensing enabled
+  * fix(build): permanent fixes for AI migration, feed/file.go, unused imports
 
 ## [v1.26.1-moko.05.15.00] - 2026-05-31
 

models/licenses/update_stream_config.go

@@ -23,27 +23,27 @@ type UpdateStreamConfig struct {
 	ID          int64              `xorm:"pk autoincr"`
 	OwnerID     int64              `xorm:"INDEX NOT NULL"`         // org or user
 	RepoID      int64              `xorm:"INDEX NOT NULL DEFAULT 0"` // 0 = org-level default
-	StreamMode  string             `xorm:"NOT NULL DEFAULT 'joomla'"` // joomla, custom
+	StreamMode  string             `xorm:"NOT NULL DEFAULT 'joomla' 'stream_mode'"` // joomla, custom
 	Platform    string             `xorm:"NOT NULL DEFAULT 'joomla'"` // joomla, dolibarr, both, wordpress, prestashop, drupal
-	LicensingEnabled bool          `xorm:"NOT NULL DEFAULT false"`    // master toggle for licensing system
-	RequireKey  bool               `xorm:"NOT NULL DEFAULT false"`    // require license key for update feed
-	FeedVisibility string          `xorm:"VARCHAR(20) NOT NULL DEFAULT 'public'"` // public, no-download, hidden
-	DownloadGating string          `xorm:"VARCHAR(20) NOT NULL DEFAULT 'none'"` // none, all, prerelease
-	SupportURL  string             `xorm:"TEXT"`                      // wiki or external support page URL
-	KeyPrefix   string             `xorm:"VARCHAR(20)"`               // org-specific license key prefix (e.g. "ACME")
+	LicensingEnabled bool          `xorm:"NOT NULL DEFAULT false 'licensing_enabled'"` // master toggle
+	RequireKey  bool               `xorm:"NOT NULL DEFAULT false 'require_key'"`     // require license key for update feed
+	FeedVisibility string          `xorm:"VARCHAR(20) NOT NULL DEFAULT 'public' 'feed_visibility'"` // public, no-download, hidden
+	DownloadGating string          `xorm:"VARCHAR(20) NOT NULL DEFAULT 'none' 'download_gating'"` // none, all, prerelease
+	SupportURL  string             `xorm:"TEXT 'support_url'"`        // wiki or external support page URL
+	KeyPrefix   string             `xorm:"VARCHAR(20) 'key_prefix'"`  // org-specific license key prefix (e.g. "ACME")
 	// Extension metadata — used in update feed generation.
-	ExtensionName    string         `xorm:"TEXT"`                     // element identifier (e.g. pkg_mokowaas, com_mokowaas)
-	DisplayName      string         `xorm:"TEXT"`                     // human-readable name (e.g. "Package - MokoWaaS")
+	ExtensionName    string         `xorm:"TEXT 'extension_name'"`    // element identifier (e.g. pkg_mokowaas, com_mokowaas)
+	DisplayName      string         `xorm:"TEXT 'display_name'"`     // human-readable name (e.g. "Package - MokoWaaS")
 	Description      string         `xorm:"TEXT"`                     // short description for update feeds
-	ExtensionType    string         `xorm:"VARCHAR(50)"`              // component, module, plugin, package, template, library
+	ExtensionType    string         `xorm:"VARCHAR(50) 'extension_type'"` // component, module, plugin, package, template, library
 	Maintainer       string         `xorm:"TEXT"`                     // maintainer/author name
-	MaintainerURL    string         `xorm:"TEXT"`                     // maintainer website
-	InfoURL          string         `xorm:"TEXT"`                     // extension info/product page URL
-	TargetVersion    string         `xorm:"TEXT"`                     // target platform version regex (e.g. "(5|6)\..*")
-	PHPMinimum       string         `xorm:"VARCHAR(20)"`              // minimum PHP version (e.g. "8.1")
+	MaintainerURL    string         `xorm:"TEXT 'maintainer_url'"`    // maintainer website
+	InfoURL          string         `xorm:"TEXT 'info_url'"`          // extension info/product page URL
+	TargetVersion    string         `xorm:"TEXT 'target_version'"`    // target platform version regex (e.g. "(5|6)\..*")
+	PHPMinimum       string         `xorm:"VARCHAR(20) 'php_minimum'"` // minimum PHP version (e.g. "8.1")
 	// CustomStreams is a JSON array of stream definitions.
 	// Each entry: {"name":"lts","suffix":"-lts","description":"Long-term support"}
-	CustomStreams string            `xorm:"TEXT"`
+	CustomStreams string            `xorm:"TEXT 'custom_streams'"`
 	CreatedUnix  timeutil.TimeStamp `xorm:"INDEX CREATED"`
 	UpdatedUnix  timeutil.TimeStamp `xorm:"UPDATED"`
 }

services/updateserver/joomla.go

@@ -202,10 +202,12 @@ func GenerateJoomlaXML(ctx context.Context, repo *repo_model.Repository, require
 		maintainer = cfg.Maintainer
 	}
 	maintainerURL := fmt.Sprintf("%s/%s", baseURL, repo.Owner.Name)
-	if cfg != nil && cfg.MaintainerURL != "" {
+	if cfg != nil && cfg.SupportURL != "" {
+		maintainerURL = cfg.SupportURL
+	} else if cfg != nil && cfg.MaintainerURL != "" {
 		maintainerURL = cfg.MaintainerURL
 	}
-	targetVersion := ".*"
+	targetVersion := "(5|6)\\..*"
 	if cfg != nil && cfg.TargetVersion != "" {
 		targetVersion = cfg.TargetVersion
 	}
@@ -307,9 +309,7 @@ func GenerateJoomlaXML(ctx context.Context, repo *repo_model.Repository, require
 		}
 
 		infoURL := fmt.Sprintf("%s/releases", repoLink)
-		if cfg != nil && cfg.SupportURL != "" {
-			infoURL = cfg.SupportURL
-		} else if cfg != nil && cfg.InfoURL != "" {
+		if cfg != nil && cfg.InfoURL != "" {
 			infoURL = cfg.InfoURL
 		}
 

updates.xml

@@ -1,7 +1,7 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <!-- Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
  SPDX-License-Identifier: GPL-3.0-or-later
- VERSION: 05.14.00
+ VERSION: 05.17.00
  -->
 
 <updates>
@@ -87,15 +87,15 @@
     <element>mokogitea</element>
     <type>application</type>
     <client>site</client>
-    <version>05.14.00</version>
-    <creationDate>2026-05-31</creationDate>
-    <infourl title='MokoGitea'>https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/tag/stable</infourl>
+    <version>05.17.00</version>
+    <creationDate>2026-06-03</creationDate>
+    <infourl title='MokoGitea'>https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/tag/stable</infourl>
     <downloads>
-      <downloadurl type='full' format='zip'>https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/download/stable/mokogitea-05.14.00.zip</downloadurl>
+      <downloadurl type='full' format='zip'>https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/download/stable/mokogitea-05.17.00.zip</downloadurl>
     </downloads>
-    <sha256>bec4bf5a1a841f8e72d9826451004db5d8afc70144231dfedc7fb01a6695955c</sha256>
+    <sha256>7f50295f58e207f1c2d2be92a172f4d077a4115ad1337c663e6f33e065e0cff9</sha256>
     <tags><tag>stable</tag></tags>
-    <changelogurl>https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/raw/branch/main/CHANGELOG.md</changelogurl>
+    <changelogurl>https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/raw/branch/main/CHANGELOG.md</changelogurl>
     <maintainer>Moko Consulting</maintainer>
     <maintainerurl>https://mokoconsulting.tech</maintainerurl>
     <targetplatform name="go" version=".*" />

wiki/license-management.md

@@ -426,10 +426,11 @@ The update feed system currently supports:
 | **Joomla** | `/{repo}/updates.xml` | XML with `<downloadkey>` | Production |
 | **Dolibarr** | `/{repo}/updates/dolibarr.json` | JSON | Production |
 | **WordPress** | `/{repo}/updates/wordpress.json` | PUC-compatible JSON | Production |
-| **Drupal** | Planned | XML/JSON | Planned (#353) |
-| **PrestaShop** | Planned | XML | Planned (#352) |
-| **Composer** | Planned | packages.json | Planned (#354) |
-| **WHMCS** | Planned | Custom | Planned (#355) |
+| **Composer** | `/{repo}/updates/packages.json` | packages.json | Production |
+| **PrestaShop** | `/{repo}/updates/prestashop.xml` | Module update XML | Production |
+| **Drupal** | `/{repo}/updates/drupal.xml` | Update status XML | Production |
+| **WHMCS** | `/{repo}/updates/whmcs.json` | Module update JSON | Production |
+| **Changelog** | `/{repo}/changelog.xml` | Joomla changelog XML | Production |
 
 All platforms share the same licensing backend — the same keys, packages, and validation work across all feed formats.
 
@@ -444,3 +445,4 @@ All platforms share the same licensing backend — the same keys, packages, and
 | 1.2 | 2026-05-31 | Jonathan Miller (@jmiller) | Add permissions (TypeLicenses unit), renewal, auto-domain, custom keys, UI/UX cleanup |
 | 1.3 | 2026-06-01 | Jonathan Miller (@jmiller) | Add package archiving, expanded delete permissions, migration v340, API renew, step-by-step guides |
 | 1.4 | 2026-06-02 | Jonathan Miller (@jmiller) | WordPress feed, feed visibility modes, download gating, RepoScope enforcement, API package CRUD, settings API, combolist channel picker, double confirmation modals, extension metadata in repo settings, domain lock timer, Joomla-standard tags, SHA256 in XML, changelog XML, no-download release page mode |
+| 1.5 | 2026-06-02 | Jonathan Miller (@jmiller) | All 7 platform feeds (Composer, PrestaShop, Drupal, WHMCS), enterprise sub-org hierarchy, three-level repo visibility (Public/Private/Hidden), styled 403 page with login form, separate licensing/advanced settings pages, icons on all navbars, manual stream mapping, configurable key prefix, feed always public, xorm column name fixes, security hardening |