Security hardening, site-wide OG defaults, platform-specific social tags #45

Open

jmiller wants to merge 110 commits from dev into main

pull from: dev

merge into: :main

:main

:dev

:feature/33-add-unit-and-integration-test-suite

:feature/34-json-ld-script-tag-vulnerable-to-xss-via

:feature/35-csv-import-missing-file-type-and-size-va

:feature/36-content-type-adapters-k2-virtuemart-hika

:feature/37-batch-and-importexport-controllers-lack-

:feature/38-system-plugin-db-queries-run-on-every-pa

:feature/39-direct-access-to-protected-links-propert

:feature/40-missing-spdx-license-identifiers-on-all-

:feature/41-content-plugin-ignores-language-when-loa

:feature/42-batch-process-limit-parameter-not-capped

:feature/43-tagtable-check-does-not-validate-field-v

:feature/44-update-server-xml-excludes-joomla-4-and-

:a66e1d5e86aabedcb20012b059ed84d84cbe31d5

:d10c3bc0eace6eb03b491299b167c7e1441e1992

:717cfe9a0ef23162c80eb157eda4a76606fbf973

:3d5e7eec8ad292a7d559f8e846174dd76b305022

:fbbe74079d856e6df2c66ae24c049879eb1ca79c

:6fc6c704ba1a5d486b3b63441fe16958a3276cff

Conversation 0 Commits 110 Files Changed 145

+4928 -2734

jmiller commented 2026-05-31 01:41:49 +00:00

Owner

Copy Link

Copy Source

Summary

• Fix 4 security vulnerabilities: JSON-LD XSS (#34), missing ACL checks (#37), CSV import validation (#35), multilingual data corruption (#41)
• Add site-wide default OG title, description, and image parameters as baseline for all pages
• Add platform-specific social meta tags: Discord embed color, LinkedIn article dates/author, og:image dimensions
• Add onMokoOGAfterRender extensibility event for third-party plugins to add custom social tags
• Includes all prior feature work: Web Services API, live preview, CSV import/export, batch generation, JSON-LD, image overlay, multilingual support, content type adapters

Security Fixes

• #34 JSON-LD </script> XSS — escape </ sequences in inline JSON
• #37 ACL permission checks on Batch and ImportExport controllers
• #35 CSV import file type (.csv), MIME type, size (2MB), and content_type regex validation
• #41 Content plugin now filters by language on load/save, preventing multilingual data corruption

New Features

• Site-wide default OG title and description plugin parameters (fallback chain: custom → page → site default)
• Discord embed color via theme-color meta tag (color picker in plugin config)
• article:published_time, article:modified_time, article:author for LinkedIn previews
• og:image:width / og:image:height for faster social preview rendering
• onMokoOGAfterRender event — third-party plugins can subscribe to add custom OG/social tags

Test Plan

• Install package on Joomla 4/5 test site
• Verify OG tags render on article, menu item, and category pages
• Verify site-wide defaults appear when no custom OG data exists
• Test CSV import with invalid file types, oversized files, and malformed content_type values
• Verify batch generation and export require proper ACL permissions
• Test multilingual: set different OG data per language, verify correct data loads in editor
• Share a page on Facebook, Twitter, LinkedIn, and Discord — verify previews render correctly
• Inspect JSON-LD output for articles with </script> in title

🤖 Generated with Claude Code

## Summary - Fix 4 security vulnerabilities: JSON-LD XSS (#34), missing ACL checks (#37), CSV import validation (#35), multilingual data corruption (#41) - Add site-wide default OG title, description, and image parameters as baseline for all pages - Add platform-specific social meta tags: Discord embed color, LinkedIn article dates/author, og:image dimensions - Add `onMokoOGAfterRender` extensibility event for third-party plugins to add custom social tags - Includes all prior feature work: Web Services API, live preview, CSV import/export, batch generation, JSON-LD, image overlay, multilingual support, content type adapters ## Security Fixes - **#34** JSON-LD `</script>` XSS — escape `</` sequences in inline JSON - **#37** ACL permission checks on Batch and ImportExport controllers - **#35** CSV import file type (.csv), MIME type, size (2MB), and content_type regex validation - **#41** Content plugin now filters by language on load/save, preventing multilingual data corruption ## New Features - Site-wide default OG title and description plugin parameters (fallback chain: custom → page → site default) - Discord embed color via `theme-color` meta tag (color picker in plugin config) - `article:published_time`, `article:modified_time`, `article:author` for LinkedIn previews - `og:image:width` / `og:image:height` for faster social preview rendering - `onMokoOGAfterRender` event — third-party plugins can subscribe to add custom OG/social tags ## Test Plan - [ ] Install package on Joomla 4/5 test site - [ ] Verify OG tags render on article, menu item, and category pages - [ ] Verify site-wide defaults appear when no custom OG data exists - [ ] Test CSV import with invalid file types, oversized files, and malformed content_type values - [ ] Verify batch generation and export require proper ACL permissions - [ ] Test multilingual: set different OG data per language, verify correct data loads in editor - [ ] Share a page on Facebook, Twitter, LinkedIn, and Discord — verify previews render correctly - [ ] Inspect JSON-LD output for articles with `</script>` in title 🤖 Generated with [Claude Code](https://claude.com/claude-code)

jmiller added 85 commits 2026-05-31 01:41:50 +00:00

Merge pull request 'chore: cascade main → dev (27bb22e) [skip ci]' (#13) from main into dev ... 6d1eb2d993

chore: cascade main → dev [skip ci]

Merge pull request 'chore: cascade main → dev (98ac42c) [skip ci]' (#14) from main into dev ... 1f0b373ba3

chore: cascade main → dev [skip ci]

feat(seo): add SEO meta tag management (closes #8) ... 54bf5f7737

- Add seo_title, meta_description, robots, canonical_url columns
- SQL migration for upgrades (01.01.00.sql) + updated install schema
- New "SEO Meta Tags" fieldset in article/menu editor with:
  - SEO title (70 char max, overrides <title>)
  - Meta description (200 char max)
  - Robots directive (noindex, nofollow, nosnippet, etc.)
  - Canonical URL override
- System plugin applies SEO tags in onBeforeCompileHead before OG tags
- SEO audit column in admin tag list (missing desc, title too long, noindex)
- Content plugin saves/loads all SEO fields alongside OG data

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

feat(batch): add batch OG tag generation for existing articles (closes #1) ... 935185b46f

- BatchController with count() and process() AJAX endpoints
- Chunked processing (50 articles per request) to avoid PHP timeouts
- LEFT JOIN query to find articles without existing OG records
- Auto-extracts og_title from article title, og_description from
  metadesc or introtext (160 char), og_image from article images JSON
- Also populates meta_description from article metadesc
- Progress bar UI in admin tag list with real-time updates
- "Batch Generate" toolbar button in Tags view
- Auto-reloads page after completion

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

feat(images): auto-resize OG images to 1200x630px (closes #2) ... 5fc0fbfc07

- New ImageHelper class with resize(), validate(), cleanup() methods
- Center-crop algorithm maintains aspect ratio to target dimensions
- GD-based processing, supports JPEG/PNG/GIF/WebP input, outputs JPEG
- Generated images cached in images/mokoog/generated/ with hash naming
- Skips resize if image already at or below target dimensions
- Skips regeneration if cached version is newer than source
- validate() checks minimum 200x200px (Facebook/WhatsApp requirement)
- cleanup() removes generated images when OG records are deleted
- Auto-resize toggle in system plugin advanced settings (default: on)
- Integrated into resolveImageUrl() in the system plugin

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Merge pull request 'feat(images): auto-resize OG images (#2)' (#17) from feature/2-image-auto-resize into dev ... d6624af876

chore: cascade main → dev [skip ci]

Merge pull request 'feat(batch): batch OG tag generation (#1)' (#16) from feature/1-batch-processing into dev ... 6fc6c704ba

feat(batch): batch OG tag generation (closes #1)

feat(categories): add category-level OG tag support (closes #4) ... 7ef1d79336

- Content plugin now hooks com_categories.categorycom_content forms
- Category OG data stored as content_type 'com_content.category'
- System plugin detects category views and merges category OG as fallback
- Article image fallback chain: article image → category image → default
- New loadOgDataByType() helper for flexible type lookups

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

feat(social): add WhatsApp/Telegram link preview optimization (closes #10) ... 6f5cc4425e

- Telegram channel meta tag config and output (telegram:channel)
- Image validation via ImageHelper::validate() already covers
  WhatsApp minimum requirements (300x200px)
- Auto-resize (from #2) ensures images meet all platform specs

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

feat(preview): live social sharing preview in article editor (closes #3) ... 71c1fea356

- Facebook and Twitter/X card previews update in real-time
- Renders below the OG fieldset in article/menu editors
- Reads og_title, og_description, og_image with fallback to
  article title and meta description
- CSS mockups of each platform's card layout
- Registered via joomla.asset.json Web Asset Manager
- Safe DOM construction (no innerHTML with user data)
- MutationObserver watches media field for image changes

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

feat(jsonld): add JSON-LD structured data output (closes #6) ... 5217986478

- JsonLdBuilder helper with Article, WebPage, BreadcrumbList, Organization
- Article schema includes headline, author, datePublished, dateModified, image
- BreadcrumbList built from Joomla's pathway
- Toggle JSON-LD and breadcrumbs independently in plugin settings
- Output via addCustomTag() in onBeforeCompileHead

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

feat(adapters): add third-party content type adapter architecture (closes #5) ... 8dc1e8175a

- ContentTypeInterface with canHandle(), getTitle(), getDescription(), getImage()
- VirtueMartAdapter for product pages (com_virtuemart)
- K2Adapter for K2 items (com_k2)
- HikaShopAdapter for HikaShop products (com_hikashop)

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

feat(debug): add social platform debugger quick links (closes #9) ... 94b5eb084c

- Debug column in admin tag list with FB, LinkedIn, Google buttons
- Links open platform debugger tools in new tab with page URL
- Facebook Sharing Debugger, LinkedIn Post Inspector, Google Rich Results

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

feat(i18n): add multilingual OG tag support (closes #11) ... 04d1da29d4

- Add language column to #__mokoog_tags (default * for all languages)
- Updated unique key to include language
- SQL migration 01.02.00 for upgrades
- og:locale output from current Joomla language (en-GB to en_GB)
- Language-aware OG data loading: exact match preferred over wildcard

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

feat(overlay): add OG image text overlay generator (closes #7) ... 9275a4f980

ImageGenerator class renders article title onto a template background:
- Center-crop template to 1200x630px
- Semi-transparent dark overlay band for text readability
- TTF font rendering with word wrapping (max 3 lines)
- Cached output in images/mokoog/generated/overlay_*.jpg
- Configurable font size, color, quality

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

feat(csv): add CSV import/export for OG tags (closes #12) ... fdf4835051

ImportExportController with export() and import() actions:
- Export: CSV with all OG + SEO fields, joined with article titles
- Import: Upload CSV, match on content_type + content_id
- Upsert logic: creates new or updates existing records
- Reports created/updated/skipped counts
- Toolbar buttons ready for integration

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Merge pull request 'feat(categories): category-level OG tags (#4)' (#18) from feature/4-category-og-tags into dev fbbe74079d

Merge pull request 'feat(social): WhatsApp/Telegram optimization (#10)' (#19) from feature/10-whatsapp-telegram into dev 3d5e7eec8a

Merge pull request 'feat(adapters): third-party extension support (#5)' (#21) from feature/5-third-party-adapters into dev 717cfe9a0e

Merge pull request 'feat(debug): debugger quick links (#9)' (#22) from feature/9-debugger-links into dev d10c3bc0ea

Merge branch 'feature/6-jsonld' into dev ... b9738f0b5f

# Conflicts:
#	src/packages/plg_system_mokoog/src/Extension/MokoOG.php

Merge branch 'feature/11-multilingual' into dev b28703465d

Merge branch 'feature/7-image-overlay' into dev 26e3d39e01

Merge branch 'feature/12-csv-import-export' into dev fcce208278

Merge branch 'feature/3-social-preview' into dev 19035b1171

feat(api): add Joomla Web Services API for OG tags (closes #27) ... ce0bbe821a

New sub-extension: plg_webservices_mokoog
- Registers REST API routes via onBeforeApiRoute
- CRUD endpoints at /api/index.php/v1/mokoog/tags
- Lookup endpoint at /api/index.php/v1/mokoog/lookup/:type/:id
- SubscriberInterface pattern with DI container

Component API layer (com_mokoog/api/):
- TagsController extending ApiController for CRUD operations
- JsonapiView with whitelisted fields for JSON:API output
- TagModel (AdminModel) for single-item operations

Package updates:
- pkg_mokoog.xml includes plg_webservices_mokoog
- Install script auto-enables webservices plugin
- Component manifest declares api/ directory

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Merge pull request 'chore: cascade main → dev (1b09c5d) [skip ci]' (#28) from main into dev ... f9b4ca880c

chore: cascade main → dev [skip ci]

Merge pull request 'feat(api): Joomla Web Services API for OG tags (#27)' (#29) from feature/27-webservices-api into dev a66e1d5e86

chore: update updates.xml (development: 01.00.00-dev) [skip ci] 44d9ccfda6

Merge pull request 'chore: cascade main → dev (8b8ba12) [skip ci]' (#30) from main into dev ... 2ab883103c

chore: cascade main → dev [skip ci]

fix: production readiness improvements for admin panel and installer ... 97bc2526c0

Add search/filter tools to tags list view, fix API content type naming,
build proper frontend URLs for social debugger links, and auto-enable
the content plugin on package install.

Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

chore: update updates.xml (development: 01.00.00-dev) [skip ci] 52a4bf7e5d

feat(seo): add SEO meta tag management (closes #8) ... 15ec388b52

- Add seo_title, meta_description, robots, canonical_url columns
- SQL migration for upgrades (01.01.00.sql) + updated install schema
- New "SEO Meta Tags" fieldset in article/menu editor with:
  - SEO title (70 char max, overrides <title>)
  - Meta description (200 char max)
  - Robots directive (noindex, nofollow, nosnippet, etc.)
  - Canonical URL override
- System plugin applies SEO tags in onBeforeCompileHead before OG tags
- SEO audit column in admin tag list (missing desc, title too long, noindex)
- Content plugin saves/loads all SEO fields alongside OG data

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

feat(images): auto-resize OG images to 1200x630px (closes #2) ... 3ec4b163bb

- New ImageHelper class with resize(), validate(), cleanup() methods
- Center-crop algorithm maintains aspect ratio to target dimensions
- GD-based processing, supports JPEG/PNG/GIF/WebP input, outputs JPEG
- Generated images cached in images/mokoog/generated/ with hash naming
- Skips resize if image already at or below target dimensions
- Skips regeneration if cached version is newer than source
- validate() checks minimum 200x200px (Facebook/WhatsApp requirement)
- cleanup() removes generated images when OG records are deleted
- Auto-resize toggle in system plugin advanced settings (default: on)
- Integrated into resolveImageUrl() in the system plugin

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

feat(batch): add batch OG tag generation for existing articles (closes #1) ... 9a6cd6fce8

- BatchController with count() and process() AJAX endpoints
- Chunked processing (50 articles per request) to avoid PHP timeouts
- LEFT JOIN query to find articles without existing OG records
- Auto-extracts og_title from article title, og_description from
  metadesc or introtext (160 char), og_image from article images JSON
- Also populates meta_description from article metadesc
- Progress bar UI in admin tag list with real-time updates
- "Batch Generate" toolbar button in Tags view
- Auto-reloads page after completion

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

feat(categories): add category-level OG tag support (closes #4) ... 4c9486173b

- Content plugin now hooks com_categories.categorycom_content forms
- Category OG data stored as content_type 'com_content.category'
- System plugin detects category views and merges category OG as fallback
- Article image fallback chain: article image → category image → default
- New loadOgDataByType() helper for flexible type lookups

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

feat(social): add WhatsApp/Telegram link preview optimization (closes #10) ... e6ee93b79b

- Telegram channel meta tag config and output (telegram:channel)
- Image validation via ImageHelper::validate() already covers
  WhatsApp minimum requirements (300x200px)
- Auto-resize (from #2) ensures images meet all platform specs

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

feat(adapters): add third-party content type adapter architecture (closes #5) ... a34091ffbe

- ContentTypeInterface with canHandle(), getTitle(), getDescription(), getImage()
- VirtueMartAdapter for product pages (com_virtuemart)
- K2Adapter for K2 items (com_k2)
- HikaShopAdapter for HikaShop products (com_hikashop)

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

feat(debug): add social platform debugger quick links (closes #9) ... 9e953646d7

- Debug column in admin tag list with FB, LinkedIn, Google buttons
- Links open platform debugger tools in new tab with page URL
- Facebook Sharing Debugger, LinkedIn Post Inspector, Google Rich Results

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

feat(jsonld): add JSON-LD structured data output (closes #6) ... 3d73ea2f9c

- JsonLdBuilder helper with Article, WebPage, BreadcrumbList, Organization
- Article schema includes headline, author, datePublished, dateModified, image
- BreadcrumbList built from Joomla's pathway
- Toggle JSON-LD and breadcrumbs independently in plugin settings
- Output via addCustomTag() in onBeforeCompileHead

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

feat(i18n): add multilingual OG tag support (closes #11) ... 4a9433d2bb

- Add language column to #__mokoog_tags (default * for all languages)
- Updated unique key to include language
- SQL migration 01.02.00 for upgrades
- og:locale output from current Joomla language (en-GB to en_GB)
- Language-aware OG data loading: exact match preferred over wildcard

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

feat(overlay): add OG image text overlay generator (closes #7) ... 6674f354c6

ImageGenerator class renders article title onto a template background:
- Center-crop template to 1200x630px
- Semi-transparent dark overlay band for text readability
- TTF font rendering with word wrapping (max 3 lines)
- Cached output in images/mokoog/generated/overlay_*.jpg
- Configurable font size, color, quality

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

feat(csv): add CSV import/export for OG tags (closes #12) ... 3d855f829f

ImportExportController with export() and import() actions:
- Export: CSV with all OG + SEO fields, joined with article titles
- Import: Upload CSV, match on content_type + content_id
- Upsert logic: creates new or updates existing records
- Reports created/updated/skipped counts
- Toolbar buttons ready for integration

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

feat(preview): live social sharing preview in article editor (closes #3) ... 78fbe252cb

- Facebook and Twitter/X card previews update in real-time
- Renders below the OG fieldset in article/menu editors
- Reads og_title, og_description, og_image with fallback to
  article title and meta description
- CSS mockups of each platform's card layout
- Registered via joomla.asset.json Web Asset Manager
- Safe DOM construction (no innerHTML with user data)
- MutationObserver watches media field for image changes

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

feat(api): add Joomla Web Services API for OG tags (closes #27) ... 400d3759e5

New sub-extension: plg_webservices_mokoog
- Registers REST API routes via onBeforeApiRoute
- CRUD endpoints at /api/index.php/v1/mokoog/tags
- Lookup endpoint at /api/index.php/v1/mokoog/lookup/:type/:id
- SubscriberInterface pattern with DI container

Component API layer (com_mokoog/api/):
- TagsController extending ApiController for CRUD operations
- JsonapiView with whitelisted fields for JSON:API output
- TagModel (AdminModel) for single-item operations

Package updates:
- pkg_mokoog.xml includes plg_webservices_mokoog
- Install script auto-enables webservices plugin
- Component manifest declares api/ directory

Authored-by: Moko Consulting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

chore: update updates.xml (development: 01.00.00-dev) [skip ci] f7826ca60a

fix: production readiness improvements for admin panel and installer ... 0509980b50

Add search/filter tools to tags list view, fix API content type naming,
build proper frontend URLs for social debugger links, and auto-enable
the content plugin on package install.

Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Merge pull request 'chore: cascade main -> dev [skip ci]' (#32) from main into dev ... 11ad5be25e

chore: cascade main → dev [skip ci]

chore(version): bump 01.00.00 → 01.00.00-dev [skip ci] fc148084a1

chore: update development channel 01.00.00 [skip ci] 0b97a62c82

chore(ci): update pre-release.yml from moko-platform [skip ci] 3563c62ec2

chore(ci): update auto-release.yml from moko-platform [skip ci] 292265841e

chore(ci): update auto-release.yml from moko-platform [skip ci] bbda9318d8

chore(ci): update pre-release.yml from moko-platform [skip ci] 23de6dcb07

fix(ci): use release_package.php for Joomla package builds [skip ci] 105d282077

chore(ci): add auto-bump.yml from moko-platform [skip ci] 72e0f85e4b

chore(ci): update pre-release.yml from moko-platform [skip ci] 2b5b42567b

chore(ci): update auto-release.yml from moko-platform [skip ci] fa732f44c8

chore(ci): update auto-bump.yml from moko-platform [skip ci] 1954b36720

chore(ci): update auto-release.yml from moko-platform [skip ci] 943b5077b3

chore(ci): update pre-release.yml from moko-platform [skip ci] f86d1bca41

chore(ci): update auto-release.yml from moko-platform [skip ci] 2c90881a5b

chore(ci): update auto-bump.yml from moko-platform [skip ci] e1c826a46a

chore(ci): update pre-release.yml from moko-platform [skip ci] 129a9d547b

feat(workflows): append stability suffix to manifest versions [skip bump] 000d9a8fb6

fix(workflows): proper suffix handling — use version_set_platform instead of sed [skip bump] 72639c1155

refactor(workflows): rename secrets MOKOGITEA_TOKEN/GITHUB_TOKEN, use x-access-token [skip bump] f3a76c93be

chore(workflows): sync all universal workflows from moko-platform [skip bump] a1d5953015

fix(workflows): GITHUB_TOKEN→GH_MIRROR_TOKEN (reserved name) [skip bump] 90bcabd2fa

fix(workflows): rename remaining old secrets in repo-specific workflows [skip bump] 5d34cbced4

chore: sync .mokogitea/workflows/auto-release.yml from moko-platform [skip ci] 4fef3cd528

chore: sync .mokogitea/workflows/update-server.yml from moko-platform [skip ci] afb431a62c

chore: sync .mokogitea/workflows/pre-release.yml from moko-platform [skip ci] 29917529ca

chore: sync .mokogitea/workflows/auto-release.yml from moko-platform [skip ci] 9a88daec9d

chore: sync .mokogitea/workflows/auto-release.yml from moko-platform [skip ci] 7e4b391004

chore: sync .mokogitea/workflows/update-server.yml from moko-platform [skip ci] efd86ee77e

chore: sync .mokogitea/workflows/auto-bump.yml from moko-platform [skip ci] 56d7d8784b

chore: sync .mokogitea/workflows/auto-release.yml from moko-platform [skip ci] 182e8caa90

chore: sync .mokogitea/workflows/auto-bump.yml from moko-platform [skip ci] 5c175ebc21

chore: sync .mokogitea/workflows/auto-release.yml from moko-platform [skip ci] 0ff6798918

chore: sync .mokogitea/workflows/pr-check.yml from moko-platform [skip ci] d46f726a78

refactor: rename MokoOpenGraph → MokoJoomOpenGraph, add moko-platform standards compliance ... a5b14048f4

- Rename project display name across 69 files (PHP, XML, INI, SQL, CSS, JS, JSON, MD)
- Add <display-name> to .mokogitea/manifest.xml per moko-platform schema
- Update pkg_mokoog.xml <name> to "Package - MokoJoomOpenGraph" (Joomla convention)
- Update all update server URLs to new repo path
- Add CONTRIBUTING.md and CODE_OF_CONDUCT.md (required by repo-health workflow)
- Add .gitattributes for line-ending normalization and export-ignore rules
- Add .gitignore

Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

fix(security): harden controllers, add site defaults, platform-specific OG tags ... de9f7eeb58

Security fixes:
- Fix JSON-LD XSS via </script> injection in content data (#34)
- Add ACL permission checks to Batch and ImportExport controllers (#37)
- Add CSV import file type, MIME, and size validation (#35)
- Fix multilingual bug in content plugin load/save OG data (#41)

Enhancements:
- Add site-wide default OG title and description plugin parameters
- Add Discord embed color (theme-color) plugin parameter
- Add og:image:width/height for faster social previews
- Add article:published_time, article:modified_time, article:author for LinkedIn
- Add onMokoOGAfterRender event for third-party plugin extensibility
- Add content_type regex validation on CSV import rows

Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

chore(version): auto-bump 01.00.01-dev [skip ci] 5125fff078

chore: update development channel 01.00.01-dev [skip ci] e1eb409943

jmiller added 1 commit 2026-05-31 01:46:06 +00:00

chore: sync .mokogitea/workflows/cascade-dev.yml from moko-platform [skip ci] 5da49ce416

jmiller added 1 commit 2026-05-31 01:46:48 +00:00

chore: sync .mokogitea/workflows/auto-bump.yml from moko-platform [skip ci] 381557e79b

jmiller added 1 commit 2026-05-31 01:47:27 +00:00

docs: update README and CHANGELOG for v1.0.0 release ... e1cf4cb385

Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

jmiller added 1 commit 2026-05-31 01:54:14 +00:00

feat(ci): trigger RC build on PR draft to main, rename branch to rc ... fe92892310

When a PR is opened or drafted targeting main, the pre-release workflow
now automatically builds a release-candidate package and renames the
source branch to 'rc'.

Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

jmiller added 1 commit 2026-05-31 01:54:53 +00:00

chore(version): pre-release bump to 01.00.01-rc [skip ci] 516e2a4a47

jmiller added 1 commit 2026-05-31 01:54:55 +00:00

chore: update release-candidate channel 01.00.01-rc [skip ci] 5a6f315403

jmiller added 1 commit 2026-05-31 01:57:48 +00:00

revert(ci): restore pre-release.yml to upstream template ... 073e24bf4e

RC-on-PR-to-main is already handled by auto-release.yml (promote-rc job).
pre-release.yml only needs to handle dev releases (PR merged to dev) and
manual dispatch.

Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

jmiller added 1 commit 2026-05-31 02:06:34 +00:00

refactor(ci): simplify workflows — merge update-server into pre-release, remove redundancy ... 5cbd0b64d4

Changes:
- Delete cascade-dev.yml (disabled; auto-release Step 11 handles dev recreation)
- Delete update-server.yml (merged into pre-release.yml)
- Consolidate pre-release.yml: now handles push triggers on dev/alpha/beta/rc
  branches, PR merged to dev, manual dispatch, SFTP deploy, and updates.xml sync
- Remove pre-release RC trigger from pr-check.yml (auto-release.yml handles RC
  via promote-rc job on PR opened to main)
- Restrict repo-health.yml to manual dispatch only (was noisy on every push/PR)

Workflow count: 12 → 10

Before:
  pre-release.yml  — PR merged to dev + manual
  update-server.yml — push to dev + PR merged to dev + manual + SFTP deploy
  pr-check.yml     — branch policy + validate + trigger pre-release RC
  cascade-dev.yml  — disabled
  repo-health.yml  — push + PR + manual

After:
  pre-release.yml  — push to dev + PR merged to dev + manual + SFTP deploy
  pr-check.yml     — branch policy + validate (no RC trigger)
  repo-health.yml  — manual only

Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

jmiller added 1 commit 2026-05-31 02:16:31 +00:00

fix(ci): always clone fresh moko-platform tools, fix composer constraint ... ad09eae874

- auto-bump.yml: remove stale /opt/moko-platform check, always clone
  fresh from git (matches pre-release.yml pattern)
- composer.json: fix joomla/coding-standards ^4.0 → ^3.0 (v4 doesn't
  exist on Packagist)

Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

jmiller added 1 commit 2026-05-31 02:23:43 +00:00

fix: add minimum-stability alpha for joomla/coding-standards ... e1747da3ff

joomla/coding-standards has no stable release — only 3.0.0-alpha.
Add minimum-stability: alpha with prefer-stable: true.

Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

jmiller added 1 commit 2026-05-31 02:26:12 +00:00

fix(ci): use GH_MIRROR_TOKEN for composer GitHub auth ... 90e5f8c717

MOKOGITEA_TOKEN is a Gitea token — cannot authenticate against github.com
for Packagist downloads. Use GH_MIRROR_TOKEN (GitHub PAT) instead.

Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

jmiller added 1 commit 2026-05-31 02:41:51 +00:00

fix(ci): skip namespace check for package manifests, secrets already set ... ba62e95e58

Package type extensions (pkg_*) don't have <namespace> tags — only
component/plugin manifests do. Skip the check when type="package".

Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

jmiller added 1 commit 2026-05-31 02:46:23 +00:00

fix: add missing index.html to all extension directories ... 8c0fcfe81f

Joomla security requirement — prevents directory listing on misconfigured
servers. Added to all 57 directories that were missing them.

Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

jmiller added 1 commit 2026-05-31 02:46:36 +00:00

chore(version): pre-release bump to 01.00.01-dev [skip ci] 01055aa844

jmiller added 1 commit 2026-05-31 02:46:39 +00:00

chore: update development channel 01.00.01-dev [skip ci] 2dcc6860c2

jmiller added 1 commit 2026-05-31 02:51:54 +00:00

fix(ci): support HTML comment VERSION format, add en-GB/en-US check ... d001ef7c35

- Release readiness: support <!-- VERSION: XX.YY.ZZ --> format in
  README.md (not just FILE INFORMATION block format)
- Add language directory check: verify en-GB and en-US exist in all
  language/ directories under src/ or htdocs/

Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

jmiller added 1 commit 2026-05-31 02:59:59 +00:00

fix(ci): replace PCRE grep with sed for Alpine compat ... 23caf15df6

Alpine Linux grep doesn't support -P (PCRE). Use sed for VERSION
and manifest version extraction.

Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

jmiller added 1 commit 2026-05-31 03:35:20 +00:00

chore(ci): remove release workflows for update server migration ... 87fc0930a0

Delete auto-release.yml, pre-release.yml, and auto-bump.yml in
preparation for the new update server system.

Remaining workflows: ci-joomla, cleanup, gitleaks, notify, pr-check,
repo-health, security-audit (7 total).

Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

jmiller added 1 commit 2026-06-02 20:38:32 +00:00

chore(ci): add CI issue reporter for auto-filing gate failures 6a38ca957a

jmiller added 1 commit 2026-06-02 20:38:33 +00:00

chore(ci): add CI issue reporter for auto-filing gate failures 922f74d37a

jmiller added 1 commit 2026-06-02 20:38:34 +00:00

chore(ci): add CI issue reporter for auto-filing gate failures 5d32a37258

jmiller added 1 commit 2026-06-02 21:52:11 +00:00

chore: sync .mokogitea/workflows/pr-check.yml from moko-platform [skip ci] 9d0d772dd4

jmiller added 1 commit 2026-06-02 23:47:58 +00:00

chore: add .mokogitea/workflows/auto-release.yml from moko-platform [skip ci] 2bb8aaf8b4

jmiller added 1 commit 2026-06-03 03:11:21 +00:00

chore: sync .mokogitea/workflows/repo-health.yml from moko-platform [skip ci] 26e146bcf4

jmiller added 1 commit 2026-06-03 09:37:33 +00:00

chore: sync .mokogitea/workflows/repo-health.yml from moko-platform [skip ci] 7091e64e2c

This pull request has changes conflicting with the target branch.

• .mokogitea/workflows/auto-release.yml
• .mokogitea/workflows/cascade-dev.yml
• .mokogitea/workflows/pr-check.yml
• .mokogitea/workflows/pre-release.yml
• .mokogitea/workflows/repo-health.yml
• .mokogitea/workflows/update-server.yml
• CONTRIBUTING.md
• updates.xml

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin dev:dev

git checkout dev

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

bug

Something is broken

documentation

Documentation improvements

enhancement

priority: high

priority: low

priority: medium

production-readiness

Required before v1.0 release

security

Security vulnerability or hardening

testing

Test coverage and QA

bug

Something is not working

chore

Maintenance and housekeeping

documentation

Documentation improvements

enhancement

Improvement to existing functionality

feature

New feature or request

pending: dependency

Blocked by another issue or external dependency

pending: deployment

Tested and approved, awaiting deployment to production

pending: design

Needs UI/UX or architecture design before implementation

pending: documentation

Feature works, needs documentation/wiki update

pending: feedback

Awaiting feedback or decision from stakeholder

pending: review

Implementation complete, awaiting code review

pending: testing

Feature implemented but not yet tested

priority: critical

Must fix immediately

priority: high

Should fix soon

priority: low

Nice to have

priority: medium

Fix when convenient

refactor

Code restructuring without behavior change

roadmap

Planned feature or enhancement tracked on the roadmap

scope: client

Client-specific work

scope: dolibarr

Dolibarr modules and customizations

scope: infrastructure

Server, CI, backups, monitoring

scope: joomla

Joomla templates and extensions

scope: waas

MokoWaaS platform

security

Security vulnerability or hardening

status: blocked

Waiting on external dependency

status: duplicate

Duplicate of another issue

status: in-progress

Being worked on

status: needs-review

Ready for review

status: wontfix

Will not be addressed

No labels

Milestone

No items

No Milestone

Assignees

Clear assignees

jmiller (Jonathan Miller)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: MokoConsulting/MokoJoomOpenGraph#45