chore: promote changelog [Unreleased] → [01.02.00]

chore(release): build 01.02.00 [skip ci]
v1.0 assessment: fix all blockers, add MokoSuiteShop, close 18 issues (#54 )
2026-06-21 22:02:01 +00:00 · 2026-06-21 22:01:53 +00:00 · 2026-06-21 22:01:41 +00:00 · 2026-06-21 22:00:50 +00:00 · 2026-06-21 22:00:38 +00:00 · 2026-06-21 17:00:19 -05:00
153 changed files with 3729 additions and 1129 deletions
@@ -113,7 +113,7 @@ releases/
 build/
 dist/
 out/
-site/
+/site/
 *.map
 *.css.map
 *.js.map
@@ -152,7 +152,7 @@ package-lock.json
 # PHP / Composer tooling
 # ============================================================
 vendor/
-!src/media/vendor/
+!source/media/vendor/
 composer.lock
 *.phar
 codeception.phar
@@ -0,0 +1,67 @@
+# MokoJoomOpenGraph
+
+Open Graph, Twitter Card, and social sharing meta tag management for Joomla. Per-article SEO with auto-generation fallback.
+
+## Quick Reference
+
+| Field | Value |
+|---|---|
+| **Package** | `pkg_mokoog` |
+| **Language** | PHP 8.1+ |
+| **Branch** | develop on `dev`, merge to `main` (protected) |
+| **Wiki** | [MokoJoomOpenGraph Wiki](https://git.mokoconsulting.tech/MokoConsulting/MokoJoomOpenGraph/wiki) |
+
+## Commands
+
+```bash
+make build        # Build package ZIP
+make lint         # Run linters
+make validate     # Validate structure
+make release      # Full release pipeline
+make clean        # Clean build artifacts
+composer install  # Install PHP dependencies
+```
+
+## Architecture
+
+Joomla **package** with three sub-extensions:
+
+### com_mokoog (Component)
+- Admin backend for viewing/managing all OG tag records
+- Joomla 4/5 MVC: `Controller/DisplayController`, `Model/TagsModel`, `View/Tags/HtmlView`, `Table/TagTable`
+- Namespace: `Joomla\Component\MokoOG\Administrator`
+
+### plg_system_mokoog (System Plugin)
+- Hooks `onBeforeCompileHead` to inject `<meta property="og:*">` and `<meta name="twitter:*">`
+- Auto-generates tags from article title, description, images when no custom tags exist
+- Supports articles (`com_content`), menu items, extensible content types
+
+### plg_content_mokoog (Content Plugin)
+- Hooks `onContentPrepareForm` to add OG fields tab to article/menu editors
+- Hooks `onContentAfterSave`/`onContentAfterDelete` to persist/clean OG data
+
+### Database Schema
+
+Single table `#__mokoog_tags`:
+- `content_type` + `content_id` = unique key for any content item
+- `og_title`, `og_description`, `og_image`, `og_type` = custom OG overrides
+- `published` flag for per-item enable/disable
+
+## Rules
+
+- **Never commit** `.claude/`, `.mcp.json`, `TODO.md`, `*.min.css`/`*.min.js`
+- **Attribution**: `Authored-by: Moko Consulting`
+- **Workflow directory**: `.mokogitea/` (not `.gitea/` or `.github/`)
+- **Minification**: handled at build time (CI)
+- **Wiki**: documentation lives in the Gitea wiki, not `docs/` files
+- **Standards**: [MokoStandards](https://git.mokoconsulting.tech/MokoConsulting/moko-platform/wiki/Home)
+
+## Coding Standards
+
+- PHP 8.1+ minimum
+- Joomla 4/5 DI container pattern: `services/provider.php` → Extension class
+- Legacy stub `.php` file required for plugin loader but empty
+- `SubscriberInterface` for event subscription (not `on*` method naming)
+- `bind() → check() → store()` for Table operations (not `save()`)
+- Language file placement: site (no `folder`) vs admin (`folder="administrator"`)
+- SPDX license headers on all PHP files
@@ -0,0 +1,251 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+# SPDX-License-Identifier: GPL-3.0-or-later
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: moko-platform.Automation
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# PATH: /.gitea/workflows/branch-protection.yml
+# BRIEF: Apply standardised branch protection rules to all governed repositories
+#
+# +========================================================================+
+# |                   BRANCH PROTECTION SETUP                              |
+# +========================================================================+
+# |                                                                        |
+# |  Applies protection rules for: main, dev, rc, beta, alpha       |
+# |                                                                        |
+# |  main  — Require PR, block rejected reviews, no force push             |
+# |  dev   — Allow push, no force push, no delete                          |
+# |  rc  — Allow push, no force push, no delete                          |
+# |  beta — Allow push, no force push, no delete                         |
+# |  alpha — Allow push, no force push, no delete                        |
+# |                                                                        |
+# |  jmiller has override authority on all branches.                       |
+# |                                                                        |
+# +========================================================================+
+
+name: Branch Protection Setup
+
+on:
+  schedule:
+    - cron: '0 2 * * 1'  # Weekly Monday 02:00 UTC
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: 'Preview mode (no changes)'
+        required: false
+        type: boolean
+        default: false
+      repos:
+        description: 'Comma-separated repo names (empty = all governed repos)'
+        required: false
+        type: string
+        default: ''
+
+env:
+  GITEA_URL: https://git.mokoconsulting.tech
+  GITEA_ORG: MokoConsulting
+
+permissions:
+  contents: read
+
+jobs:
+  protect:
+    name: Apply Branch Protection Rules
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Determine target repos
+        id: repos
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+        run: |
+          API="${GITEA_URL}/api/v1"
+
+          # Platform/standards/infra repos to exclude
+          EXCLUDE="gitea-org-config org-profile gitea-private .mokogitea-private MokoStandards moko-platform MokoTesting"
+          EXCLUDE="$EXCLUDE MokoStandards-Template-Client MokoStandards-Template-Dolibarr MokoStandards-Template-Generic MokoStandards-Template-Joomla MokoDoliProjTemplate"
+
+          if [ -n "${{ inputs.repos }}" ]; then
+            # User-specified repos
+            REPOS=$(echo "${{ inputs.repos }}" | tr ',' ' ')
+          else
+            # Fetch all org repos
+            PAGE=1
+            REPOS=""
+            while true; do
+              BATCH=$(curl -sS \
+                -H "Authorization: token ${GA_TOKEN}" \
+                "${API}/orgs/${GITEA_ORG}/repos?page=${PAGE}&limit=50" \
+                | jq -r '.[].name // empty')
+              [ -z "$BATCH" ] && break
+              REPOS="$REPOS $BATCH"
+              PAGE=$((PAGE + 1))
+            done
+
+            # Filter out excluded repos
+            FILTERED=""
+            for REPO in $REPOS; do
+              SKIP=false
+              for EX in $EXCLUDE; do
+                if [ "$REPO" = "$EX" ]; then
+                  SKIP=true
+                  break
+                fi
+              done
+              if [ "$SKIP" = "false" ]; then
+                FILTERED="$FILTERED $REPO"
+              fi
+            done
+            REPOS="$FILTERED"
+          fi
+
+          echo "repos=$REPOS" >> "$GITHUB_OUTPUT"
+          COUNT=$(echo "$REPOS" | wc -w)
+          echo "📋 Target repos (${COUNT}): $REPOS"
+
+      - name: Apply protection rules
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          DRY_RUN: ${{ inputs.dry_run || 'false' }}
+        run: |
+          API="${GITEA_URL}/api/v1"
+          REPOS="${{ steps.repos.outputs.repos }}"
+
+          SUCCESS=0
+          FAILED=0
+          SKIPPED=0
+
+          # ── Rule definitions ──────────────────────────────────────
+          # Only the CI bot (jmiller token) can push directly.
+          # All human contributors must use PRs.
+          # Force push disabled on all branches.
+
+          RULE_MAIN='{
+            "rule_name": "main",
+            "enable_push": true,
+            "enable_push_whitelist": true,
+            "push_whitelist_usernames": ["jmiller"],
+            "enable_force_push": false,
+            "enable_force_push_allowlist": false,
+            "force_push_allowlist_usernames": [],
+            "enable_merge_whitelist": false,
+            "required_approvals": 0,
+            "dismiss_stale_approvals": true,
+            "block_on_rejected_reviews": true,
+            "block_on_outdated_branch": false,
+            "priority": 1
+          }'
+
+          RULE_DEV='{
+            "rule_name": "dev",
+            "enable_push": true,
+            "enable_push_whitelist": true,
+            "push_whitelist_usernames": ["jmiller"],
+            "enable_force_push": false,
+            "enable_force_push_allowlist": false,
+            "force_push_allowlist_usernames": [],
+            "enable_merge_whitelist": false,
+            "required_approvals": 0,
+            "block_on_rejected_reviews": false,
+            "priority": 2
+          }'
+
+          RULE_RC='{
+            "rule_name": "rc",
+            "enable_push": true,
+            "enable_push_whitelist": true,
+            "push_whitelist_usernames": ["jmiller"],
+            "enable_force_push": false,
+            "enable_force_push_allowlist": false,
+            "force_push_allowlist_usernames": [],
+            "enable_merge_whitelist": false,
+            "required_approvals": 0,
+            "block_on_rejected_reviews": false,
+            "priority": 3
+          }'
+
+          RULE_BETA='{
+            "rule_name": "beta",
+            "enable_push": true,
+            "enable_push_whitelist": true,
+            "push_whitelist_usernames": ["jmiller"],
+            "enable_force_push": false,
+            "enable_force_push_allowlist": false,
+            "force_push_allowlist_usernames": [],
+            "enable_merge_whitelist": false,
+            "required_approvals": 0,
+            "block_on_rejected_reviews": false,
+            "priority": 4
+          }'
+
+          RULE_ALPHA='{
+            "rule_name": "alpha",
+            "enable_push": true,
+            "enable_push_whitelist": true,
+            "push_whitelist_usernames": ["jmiller"],
+            "enable_force_push": false,
+            "enable_force_push_allowlist": false,
+            "force_push_allowlist_usernames": [],
+            "enable_merge_whitelist": false,
+            "required_approvals": 0,
+            "block_on_rejected_reviews": false,
+            "priority": 5
+          }'
+
+          RULES=("$RULE_MAIN" "$RULE_DEV" "$RULE_RC" "$RULE_BETA" "$RULE_ALPHA")
+          RULE_NAMES=("main" "dev" "rc" "beta" "alpha")
+
+          # ── Apply rules to each repo ──────────────────────────────
+          for REPO in $REPOS; do
+            echo ""
+            echo "═══ ${REPO} ═══"
+
+            for i in "${!RULES[@]}"; do
+              RULE="${RULES[$i]}"
+              NAME="${RULE_NAMES[$i]}"
+
+              if [ "$DRY_RUN" = "true" ]; then
+                echo "  [DRY RUN] Would apply rule: ${NAME}"
+                SKIPPED=$((SKIPPED + 1))
+                continue
+              fi
+
+              # Delete existing rule if present (idempotent recreate)
+              ENCODED_NAME=$(echo "$NAME" | sed 's|/|%2F|g')
+              curl -sS -o /dev/null -w "" \
+                -X DELETE \
+                -H "Authorization: token ${GA_TOKEN}" \
+                "${API}/repos/${GITEA_ORG}/${REPO}/branch_protections/${ENCODED_NAME}" 2>/dev/null || true
+
+              # Create rule
+              RESPONSE=$(curl -sS -w "\n%{http_code}" \
+                -X POST \
+                -H "Authorization: token ${GA_TOKEN}" \
+                -H "Content-Type: application/json" \
+                -d "$RULE" \
+                "${API}/repos/${GITEA_ORG}/${REPO}/branch_protections")
+
+              HTTP=$(echo "$RESPONSE" | tail -1)
+              BODY=$(echo "$RESPONSE" | sed '$d')
+
+              if [ "$HTTP" = "201" ]; then
+                echo "  ✅ ${NAME}"
+                SUCCESS=$((SUCCESS + 1))
+              else
+                echo "  ❌ ${NAME} (HTTP ${HTTP}): $(echo "$BODY" | jq -r '.message // .' 2>/dev/null | head -1)"
+                FAILED=$((FAILED + 1))
+              fi
+            done
+          done
+
+          # ── Summary ───────────────────────────────────────────────
+          echo ""
+          echo "════════════════════════════════════════"
+          echo "  ✅ Success: ${SUCCESS}"
+          echo "  ❌ Failed:  ${FAILED}"
+          echo "  ⏭️  Skipped: ${SKIPPED}"
+          echo "════════════════════════════════════════"
+
+          if [ "$FAILED" -gt 0 ]; then
+            echo "::warning::${FAILED} rule(s) failed to apply"
+          fi
@@ -1,26 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  Moko Platform Repository Manifest
-  See: https://git.mokoconsulting.tech/MokoConsulting/moko-platform/wiki/Home
-->
-<moko-platform xmlns="https://standards.mokoconsulting.tech/moko-platform/1.0" schema-version="1.0">
-  <identity>
-    <name>MokoJoomOpenGraph</name>
-    <display-name>Package - MokoJoomOpenGraph</display-name>
-    <org>MokoConsulting</org>
-    <description>Open Graph, SEO meta tags, and social sharing image management for Joomla articles and menu items</description>
-    <version>01.00.01</version>
-    <license spdx="GPL-3.0-or-later">GNU General Public License v3</license>
-  </identity>
-  <governance>
-    <platform>joomla</platform>
-    <standards-version>05.00.00</standards-version>
-    <standards-source>https://git.mokoconsulting.tech/MokoConsulting/moko-platform</standards-source>
-    <last-synced>2026-05-23T22:16:00+00:00</last-synced>
-  </governance>
-  <build>
-    <language>PHP</language>
-    <package-type>joomla-extension</package-type>
-    <entry-point>src/</entry-point>
-  </build>
-</moko-platform>
@@ -4,8 +4,8 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Release
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# INGROUP: mokocli.Release
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 # PATH: /.mokogitea/workflows/auto-bump.yml
 # VERSION: 09.02.00
 # BRIEF: Auto patch-bump version on every push to dev (skips merge commits)
@@ -43,19 +43,19 @@ jobs:
          token: ${{ secrets.MOKOGITEA_TOKEN }}
          fetch-depth: 1

-      - name: Setup moko-platform tools
+      - name: Setup mokocli tools
        run: |
          if ! command -v composer &> /dev/null; then
            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
          fi
-          if [ -d "/opt/moko-platform/cli" ]; then
-            echo "MOKO_CLI=/opt/moko-platform/cli" >> "$GITHUB_ENV"
+          if [ -d "/opt/mokocli/cli" ]; then
+            echo "MOKO_CLI=/opt/mokocli/cli" >> "$GITHUB_ENV"
          else
            git clone --depth 1 --branch main --quiet \
-              "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/moko-platform.git" \
-              /tmp/moko-platform-api
-            cd /tmp/moko-platform-api && composer install --no-dev --no-interaction --quiet
-            echo "MOKO_CLI=/tmp/moko-platform-api/cli" >> "$GITHUB_ENV"
+              "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/mokocli.git" \
+              /tmp/mokocli
+            cd /tmp/mokocli && composer install --no-dev --no-interaction --quiet
+            echo "MOKO_CLI=/tmp/mokocli/cli" >> "$GITHUB_ENV"
          fi

      - name: Bump version
@@ -4,8 +4,8 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Release
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
+# INGROUP: mokocli.Release
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/mokocli
 # PATH: /templates/workflows/universal/auto-release.yml.template
 # VERSION: 05.00.00
 # BRIEF: Universal build & release � detects platform from manifest.xml
@@ -17,7 +17,7 @@
 # |  Reads manifest.xml (joomla|dolibarr|generic) to branch logic.       |
 # |                                                                        |
 # |  Platform-specific:                                                    |
-# |    joomla:   XML manifest, updates.xml, type-prefixed packages         |
+# |    joomla:   XML manifest, type-prefixed packages                      |
 # |    dolibarr: mod*.class.php, update.txt, dev version reset             |
 # |    generic:  README-only, no update stream                             |
 # |                                                                        |
@@ -66,25 +66,30 @@ jobs:
          token: ${{ secrets.MOKOGITEA_TOKEN }}
          fetch-depth: 1

-      - name: Setup moko-platform tools
+      - name: Setup mokocli tools
        env:
          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
        run: |
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          if [ -f /opt/mokocli/cli/version_bump.php ] && [ -f /opt/mokocli/vendor/autoload.php ]; then
+            echo Using pre-installed /opt/mokocli
+            echo MOKO_CLI=/opt/mokocli/cli >> $GITHUB_ENV
+          else
+            echo Falling back to fresh clone
+            if ! command -v composer > /dev/null 2>&1; then
+              sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer > /dev/null 2>&1
+            fi
+            rm -rf /tmp/mokocli
+            CLONE_URL=https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/mokocli.git
+            git clone --depth 1 --branch main --quiet $CLONE_URL /tmp/mokocli
+            cd /tmp/mokocli
+            composer install --no-dev --no-interaction --quiet
+            echo MOKO_CLI=/tmp/mokocli/cli >> $GITHUB_ENV
          fi
-          # Always fetch latest CLI tools — never use stale cache from previous runs
-          rm -rf /tmp/moko-platform-api
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
-            /tmp/moko-platform-api
-          cd /tmp/moko-platform-api
-          composer install --no-dev --no-interaction --quiet

      - name: Rename branch to rc
        run: |
-          php /tmp/moko-platform-api/cli/branch_rename.php \
+          php ${MOKO_CLI}/branch_rename.php \
            --from "${{ github.event.pull_request.head.ref || 'dev' }}" --to rc \
            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
            --api-base "${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}" \
@@ -100,15 +105,49 @@ jobs:

      - name: Publish RC release
        run: |
-          php /tmp/moko-platform-api/cli/release_publish.php \
+          php ${MOKO_CLI}/release_publish.php \
            --path . --stability rc --bump minor --branch rc \
            --token "${{ secrets.MOKOGITEA_TOKEN }}"

+      - name: Update RC release notes from CHANGELOG.md
+        run: |
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
+
+          # Extract [Unreleased] section from changelog
+          NOTES=""
+          if [ -f "CHANGELOG.md" ]; then
+            NOTES=$(awk '/^## \[Unreleased\]/{found=1; next} /^## \[/{if(found) exit} found{print}' CHANGELOG.md)
+          fi
+          [ -z "$NOTES" ] && NOTES="Release candidate"
+
+          # Find the RC release and update its body
+          RELEASE_ID=$(curl -sf -H "Authorization: token ${TOKEN}" \
+            "${API_BASE}/releases/tags/release-candidate" \
+            | python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
+
+          if [ -n "$RELEASE_ID" ]; then
+            python3 -c "
+          import json, urllib.request
+          body = open('/dev/stdin').read()
+          payload = json.dumps({'body': body}).encode()
+          req = urllib.request.Request(
+              '${API_BASE}/releases/${RELEASE_ID}',
+              data=payload, method='PATCH',
+              headers={
+                  'Authorization': 'token ${TOKEN}',
+                  'Content-Type': 'application/json'
+              })
+          urllib.request.urlopen(req)
+          " <<< "$NOTES"
+            echo "RC release notes updated from CHANGELOG.md"
+          fi
+
      - name: Summary
        if: always()
        run: |
          echo "## Promoted to Release Candidate" >> $GITHUB_STEP_SUMMARY
-          echo "Branch renamed to rc, minor bump, RC + lesser stream releases built, updates.xml synced" >> $GITHUB_STEP_SUMMARY
+          echo "Branch renamed to rc, minor bump, RC release built" >> $GITHUB_STEP_SUMMARY

  # ── Merged PR → Build & Release (or promote RC to stable) ────────────────────
  release:
@@ -131,31 +170,143 @@ jobs:
          git config --local user.name "gitea-actions[bot]"
          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"

-      - name: Setup moko-platform tools
+      - name: Check for merge conflict markers
+        run: |
+          CONFLICTS=$(grep -rn '<<<<<<< \|>>>>>>> \|^=======$' --include='*.php' --include='*.xml' --include='*.css' --include='*.js' --include='*.json' --include='*.md' --include='*.yml' --include='*.yaml' --include='*.ini' --include='*.txt' . 2>/dev/null | grep -v '.git/' || true)
+          if [ -n "$CONFLICTS" ]; then
+            echo "::error::Merge conflict markers found — aborting release"
+            echo "## Release Blocked: Conflict Markers" >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+            echo "$CONFLICTS" >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+          echo "No conflict markers found"
+
+      - name: Setup mokocli tools
        env:
          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_MIRROR_TOKEN }}"}}'
        run: |
-          # Ensure PHP + Composer are available
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          if [ -f /opt/mokocli/cli/version_bump.php ] && [ -f /opt/mokocli/vendor/autoload.php ]; then
+            echo Using pre-installed /opt/mokocli
+            echo MOKO_CLI=/opt/mokocli/cli >> $GITHUB_ENV
+          else
+            echo Falling back to fresh clone
+            if ! command -v composer > /dev/null 2>&1; then
+              sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer > /dev/null 2>&1
+            fi
+            rm -rf /tmp/mokocli
+            CLONE_URL=https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/mokocli.git
+            git clone --depth 1 --branch main --quiet $CLONE_URL /tmp/mokocli
+            cd /tmp/mokocli
+            composer install --no-dev --no-interaction --quiet
+            echo MOKO_CLI=/tmp/mokocli/cli >> $GITHUB_ENV
          fi
-          # Always fetch latest CLI tools — never use stale cache from previous runs
-          rm -rf /tmp/moko-platform-api
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
-            /tmp/moko-platform-api
-          cd /tmp/moko-platform-api
-          composer install --no-dev --no-interaction --quiet

+      - name: "Detect platform"
+        id: platform
+        run: |
+          php ${MOKO_CLI}/platform_detect.php --path . --github-output 2>/dev/null || true
+          php ${MOKO_CLI}/manifest_read.php --path . --github-output 2>/dev/null || true
+
+      - name: "Determine version bump level"
+        id: bump
+        run: |
+          # Fix/patch branches: version was already bumped by pre-release, just strip suffix
+          # Feature/dev branches: bump minor for the new stable release
+          HEAD_REF="${{ github.event.pull_request.head.ref || 'dev' }}"
+          case "$HEAD_REF" in
+            fix/*|patch/*|hotfix/*|bugfix/*) BUMP="none" ;;
+            *)                               BUMP="minor" ;;
+          esac
+          echo "level=${BUMP}" >> "$GITHUB_OUTPUT"
+          echo "Bump level: ${BUMP} (from branch: ${HEAD_REF})"

      - name: "Publish stable release"
        run: |
-          php /tmp/moko-platform-api/cli/release_publish.php \
-            --path . --stability stable --bump minor --branch main \
+          BUMP_FLAG=""
+          if [ "${{ steps.bump.outputs.level }}" != "none" ]; then
+            BUMP_FLAG="--bump ${{ steps.bump.outputs.level }}"
+          fi
+          php ${MOKO_CLI}/release_publish.php \
+            --path . --stability stable ${BUMP_FLAG} --branch main \
            --token "${{ secrets.MOKOGITEA_TOKEN }}"

+      - name: "Read published version"
+        id: version
+        run: |
+          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null || echo "")
+          VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')
+          [ -z "$VERSION" ] && VERSION="00.00.00" && echo "skip=true" >> "$GITHUB_OUTPUT"
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+          echo "tag=stable" >> "$GITHUB_OUTPUT"
+          echo "release_tag=stable" >> "$GITHUB_OUTPUT"
+          echo "branch=main" >> "$GITHUB_OUTPUT"
+          echo "Published version: ${VERSION}"
+
+      - name: Update release notes and promote changelog
+        run: |
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
+
+          # Get the stable release info (version and ID)
+          RELEASE_JSON=$(curl -sf -H "Authorization: token ${TOKEN}" \
+            "${API_BASE}/releases/tags/stable" 2>/dev/null || echo '{}')
+          RELEASE_ID=$(python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" <<< "$RELEASE_JSON" 2>/dev/null || true)
+          # Extract version from release name (e.g. "06.17.00" or "v06.17.00")
+          VERSION=$(python3 -c "
+          import json, sys, re
+          r = json.load(sys.stdin)
+          name = r.get('name', '')
+          m = re.search(r'(\d+\.\d+\.\d+)', name)
+          print(m.group(1) if m else '')
+          " <<< "$RELEASE_JSON" 2>/dev/null || true)
+
+          # Extract [Unreleased] section from changelog
+          NOTES=""
+          if [ -f "CHANGELOG.md" ]; then
+            NOTES=$(awk '/^## \[Unreleased\]/{found=1; next} /^## \[/{if(found) exit} found{print}' CHANGELOG.md)
+          fi
+          [ -z "$NOTES" ] && NOTES="Stable release"
+
+          # Update release body via API
+          if [ -n "$RELEASE_ID" ]; then
+            python3 -c "
+          import json, urllib.request
+          body = open('/dev/stdin').read()
+          payload = json.dumps({'body': body}).encode()
+          req = urllib.request.Request(
+              '${API_BASE}/releases/${RELEASE_ID}',
+              data=payload, method='PATCH',
+              headers={
+                  'Authorization': 'token ${TOKEN}',
+                  'Content-Type': 'application/json'
+              })
+          urllib.request.urlopen(req)
+          " <<< "$NOTES"
+            echo "Release notes updated from CHANGELOG.md"
+          fi
+
+          # Promote [Unreleased] → [version] in CHANGELOG.md and reset
+          if [ -n "$VERSION" ] && [ -f "CHANGELOG.md" ]; then
+            DATE=$(date +%Y-%m-%d)
+            python3 -c "
+          import sys
+          version, date = sys.argv[1], sys.argv[2]
+          content = open('CHANGELOG.md').read()
+          old = '## [Unreleased]'
+          new = f'## [Unreleased]\n\n## [{version}] --- {date}'
+          content = content.replace(old, new, 1)
+          open('CHANGELOG.md', 'w').write(content)
+          " "$VERSION" "$DATE"
+            git add CHANGELOG.md
+            git commit -m "chore: promote changelog [Unreleased] → [${VERSION}]" || true
+            git push origin main || true
+            echo "Changelog promoted: [Unreleased] → [${VERSION}]"
+          fi
+
      # -- STEP 9: Mirror to GitHub (stable only) --------------------------------
      - name: "Step 9: Mirror release to GitHub"
        if: >-
@@ -167,7 +318,7 @@ jobs:
          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          php /tmp/moko-platform-api/cli/release_mirror.php \
+          php ${MOKO_CLI}/release_mirror.php \
            --version "$VERSION" --tag "$RELEASE_TAG" \
            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
            --gh-token "${{ secrets.GH_MIRROR_TOKEN }}" --gh-repo "$GH_REPO" \
@@ -241,7 +392,7 @@ jobs:
        continue-on-error: true
        run: |
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          php /tmp/moko-platform-api/cli/version_reset_dev.php \
+          php ${MOKO_CLI}/version_reset_dev.php \
            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "${API_BASE}" \
            --branch dev --path . 2>&1 || true

@@ -0,0 +1,48 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Universal
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
+# PATH: /.mokogitea/workflows/branch-cleanup.yml
+# VERSION: 01.00.00
+# BRIEF: Delete feature branches after PR merge
+
+name: "Branch Cleanup"
+
+on:
+  pull_request:
+    types: [closed]
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  cleanup:
+    name: Delete merged branch
+    runs-on: ubuntu-latest
+    if: >-
+      github.event.pull_request.merged == true &&
+      github.event.pull_request.head.ref != 'dev' &&
+      github.event.pull_request.head.ref != 'main'
+
+    steps:
+      - name: Delete source branch
+        run: |
+          BRANCH="${{ github.event.pull_request.head.ref }}"
+          API="${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}/api/v1/repos/${{ github.repository }}/branches"
+          ENCODED=$(php -r "echo rawurlencode('${BRANCH}');")
+
+          STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X DELETE \
+            -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
+            "${API}/${ENCODED}" 2>/dev/null || true)
+
+          if [ "$STATUS" = "204" ]; then
+            echo "Deleted branch: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
+          elif [ "$STATUS" = "404" ]; then
+            echo "Branch already deleted: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "::warning::Failed to delete branch ${BRANCH} (HTTP ${STATUS})"
+          fi
@@ -0,0 +1,191 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.CI
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/Template-Generic
+# PATH: /.gitea/workflows/ci-generic.yml
+# VERSION: 01.00.00
+# BRIEF: CI pipeline — lint, validate, and test for generic projects (PHP + Node.js)
+
+name: "Generic: Project CI"
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  # ── Lint & Validate ───────────────────────────────────────────────────
+  lint:
+    name: Lint & Validate
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Detect toolchain
+        id: detect
+        run: |
+          HAS_PHP=false
+          HAS_NODE=false
+          [ -f "composer.json" ] && HAS_PHP=true
+          [ -f "package.json" ] && HAS_NODE=true
+          echo "has_php=$HAS_PHP" >> "$GITHUB_OUTPUT"
+          echo "has_node=$HAS_NODE" >> "$GITHUB_OUTPUT"
+          echo "Toolchain: PHP=$HAS_PHP Node=$HAS_NODE"
+
+      - name: Setup PHP
+        if: steps.detect.outputs.has_php == 'true'
+        run: |
+          if ! command -v php &> /dev/null; then
+            sudo apt-get update -qq
+            sudo apt-get install -y -qq php-cli php-mbstring php-xml >/dev/null 2>&1
+          fi
+          php -v
+
+      - name: Setup Node.js
+        if: steps.detect.outputs.has_node == 'true'
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install PHP dependencies
+        if: steps.detect.outputs.has_php == 'true'
+        run: |
+          if [ -f "composer.json" ]; then
+            composer install --no-interaction --prefer-dist --quiet 2>/dev/null || true
+          fi
+
+      - name: Install Node.js dependencies
+        if: steps.detect.outputs.has_node == 'true'
+        run: |
+          if [ -f "package.json" ]; then
+            npm ci --quiet 2>/dev/null || npm install --quiet 2>/dev/null || true
+          fi
+
+      - name: PHP syntax check
+        if: steps.detect.outputs.has_php == 'true'
+        run: |
+          ERRORS=0
+          while IFS= read -r -d '' file; do
+            if ! php -l "$file" 2>&1 | grep -q "No syntax errors"; then
+              echo "::error file=${file}::PHP syntax error"
+              ERRORS=$((ERRORS + 1))
+            fi
+          done < <(find . -name "*.php" -not -path "./.git/*" -not -path "./vendor/*" -not -path "./node_modules/*" -print0)
+
+          echo "## PHP Lint" >> $GITHUB_STEP_SUMMARY
+          if [ "$ERRORS" -eq 0 ]; then
+            echo "All PHP files passed syntax check." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "${ERRORS} file(s) with syntax errors." >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+
+      - name: TypeScript/JavaScript lint
+        if: steps.detect.outputs.has_node == 'true'
+        run: |
+          if [ -f "node_modules/.bin/eslint" ]; then
+            npx eslint src/ --quiet 2>&1 || { echo "::error::ESLint errors found"; exit 1; }
+            echo "## ESLint" >> $GITHUB_STEP_SUMMARY
+            echo "All files passed ESLint." >> $GITHUB_STEP_SUMMARY
+          elif [ -f ".eslintrc.json" ] || [ -f ".eslintrc.js" ] || [ -f "eslint.config.js" ]; then
+            echo "::warning::ESLint config found but eslint not installed"
+          else
+            echo "No ESLint configured — skipping"
+          fi
+
+      - name: TypeScript compile check
+        if: steps.detect.outputs.has_node == 'true'
+        run: |
+          if [ -f "tsconfig.json" ] && [ -f "node_modules/.bin/tsc" ]; then
+            npx tsc --noEmit 2>&1 || { echo "::error::TypeScript compilation errors"; exit 1; }
+            echo "## TypeScript" >> $GITHUB_STEP_SUMMARY
+            echo "TypeScript compilation passed." >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: PHPStan static analysis
+        if: steps.detect.outputs.has_php == 'true'
+        run: |
+          if [ -f "phpstan.neon" ] && [ -f "vendor/bin/phpstan" ]; then
+            vendor/bin/phpstan analyse --no-progress 2>&1 || { echo "::warning::PHPStan found issues"; }
+          fi
+
+  # ── Tests ─────────────────────────────────────────────────────────────
+  test:
+    name: Tests
+    runs-on: ubuntu-latest
+    needs: lint
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Detect toolchain
+        id: detect
+        run: |
+          HAS_PHP=false
+          HAS_NODE=false
+          [ -f "composer.json" ] && HAS_PHP=true
+          [ -f "package.json" ] && HAS_NODE=true
+          echo "has_php=$HAS_PHP" >> "$GITHUB_OUTPUT"
+          echo "has_node=$HAS_NODE" >> "$GITHUB_OUTPUT"
+
+      - name: Setup PHP
+        if: steps.detect.outputs.has_php == 'true'
+        run: |
+          if ! command -v php &> /dev/null; then
+            sudo apt-get update -qq
+            sudo apt-get install -y -qq php-cli php-mbstring php-xml >/dev/null 2>&1
+          fi
+
+      - name: Setup Node.js
+        if: steps.detect.outputs.has_node == 'true'
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install dependencies
+        run: |
+          [ -f "composer.json" ] && composer install --no-interaction --prefer-dist --quiet 2>/dev/null || true
+          [ -f "package.json" ] && { npm ci --quiet 2>/dev/null || npm install --quiet 2>/dev/null || true; }
+
+      - name: Run PHP tests
+        if: steps.detect.outputs.has_php == 'true'
+        run: |
+          if [ -f "vendor/bin/phpunit" ]; then
+            vendor/bin/phpunit --testdox 2>&1
+            echo "## PHPUnit" >> $GITHUB_STEP_SUMMARY
+            echo "Tests passed." >> $GITHUB_STEP_SUMMARY
+          elif [ -f "phpunit.xml" ] || [ -f "phpunit.xml.dist" ]; then
+            echo "::warning::PHPUnit config found but phpunit not installed"
+          else
+            echo "No PHPUnit configured — skipping"
+          fi
+
+      - name: Run Node.js tests
+        if: steps.detect.outputs.has_node == 'true'
+        run: |
+          if jq -e '.scripts.test' package.json > /dev/null 2>&1; then
+            npm test 2>&1
+            echo "## Node.js Tests" >> $GITHUB_STEP_SUMMARY
+            echo "Tests passed." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "No test script in package.json — skipping"
+          fi
+
+      - name: Build check
+        run: |
+          if [ -f "Makefile" ]; then
+            make build 2>&1 || echo "::warning::Build failed or not configured"
+          elif [ -f "package.json" ] && jq -e '.scripts.build' package.json > /dev/null 2>&1; then
+            npm run build 2>&1 || echo "::warning::Build failed"
+          fi
@@ -35,25 +35,32 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v4

      - name: Setup PHP
        run: |
+          if ! command -v php &> /dev/null; then
+            sudo apt-get update -qq
+            sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          fi
          php -v && composer --version

-      - name: Clone MokoStandards
+      - name: Setup mokocli tools
        env:
-          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
-          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.GA_TOKEN || github.token }}
          MOKO_CLONE_HOST: ${{ secrets.MOKOGITEA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
        run: |
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
-            /tmp/mokostandards-api
+          if [ -d "/opt/mokocli" ] || [ -d "/tmp/mokocli" ]; then
+            echo "mokocli already available on runner — skipping clone"
+          else
+            git clone --depth 1 --branch main --quiet \
+              "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/mokocli.git" \
+              /tmp/mokocli 2>/dev/null || echo "mokocli clone skipped — continuing without it"
+          fi

      - name: Install dependencies
        env:
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.MOKOGITEA_TOKEN || github.token }}"}}'
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || secrets.GA_TOKEN || github.token }}"}}'
        run: |
          if [ -f "composer.json" ]; then
            composer install \
@@ -124,8 +131,8 @@ jobs:
              echo "Manifest is well-formed XML." >> $GITHUB_STEP_SUMMARY
            fi

-            # Check required tags: name, version, author, namespace (Joomla 5+)
-            for TAG in name version author namespace; do
+            # Check required tags: name, version, author
+            for TAG in name version author; do
              if ! grep -q "<${TAG}>" "$MANIFEST" 2>/dev/null; then
                echo "Missing required tag: \`<${TAG}>\`" >> $GITHUB_STEP_SUMMARY
                ERRORS=$((ERRORS + 1))
@@ -133,6 +140,19 @@ jobs:
                echo "Found required tag: \`<${TAG}>\`" >> $GITHUB_STEP_SUMMARY
              fi
            done
+
+            # Namespace is required for components/plugins but not packages
+            EXT_TYPE=$(grep -oP '<extension[^>]*\btype="\K[^"]+' "$MANIFEST" | head -1)
+            if [ "$EXT_TYPE" != "package" ]; then
+              if ! grep -q "<namespace" "$MANIFEST" 2>/dev/null; then
+                echo "Missing required tag: \`<namespace>\` (required for Joomla 5+ ${EXT_TYPE} extensions)" >> $GITHUB_STEP_SUMMARY
+                ERRORS=$((ERRORS + 1))
+              else
+                echo "Found required tag: \`<namespace>\`" >> $GITHUB_STEP_SUMMARY
+              fi
+            else
+              echo "Package extension — \`<namespace>\` not required." >> $GITHUB_STEP_SUMMARY
+            fi
          fi

          if [ "${ERRORS}" -gt 0 ]; then
@@ -225,14 +245,417 @@ jobs:
            echo "All ${CHECKED} directories contain index.html." >> $GITHUB_STEP_SUMMARY
          fi

+      - name: Check config.xml and access.xml for components
+        run: |
+          echo "### Component Config & ACL Check" >> $GITHUB_STEP_SUMMARY
+          ERRORS=0
+
+          # Find all component manifests (XML with type="component")
+          COMP_MANIFESTS=$(find . -maxdepth 4 -name "*.xml" -not -path "./.git/*" -not -path "./vendor/*" -exec grep -l '<extension[^>]*type="component"' {} ; 2>/dev/null || true)
+
+          if [ -z "$COMP_MANIFESTS" ]; then
+            echo "No component extensions found — skipping." >> $GITHUB_STEP_SUMMARY
+          else
+            for MANIFEST in $COMP_MANIFESTS; do
+              COMP_DIR=$(dirname "$MANIFEST")
+              COMP_NAME=$(basename "$COMP_DIR")
+              echo "Component: `${COMP_NAME}` (manifest: `${MANIFEST}`)" >> $GITHUB_STEP_SUMMARY
+
+              # Check access.xml exists
+              ACCESS_FILE=$(find "$COMP_DIR" -name "access.xml" -not -path "./.git/*" 2>/dev/null | head -1)
+              if [ -z "$ACCESS_FILE" ]; then
+                echo "- Missing `access.xml` — ACL permissions will not work." >> $GITHUB_STEP_SUMMARY
+                ERRORS=$((ERRORS + 1))
+              else
+                if command -v php &> /dev/null; then
+                  if ! php -r "@simplexml_load_file('$ACCESS_FILE') ?: exit(1);" 2>/dev/null; then
+                    echo "- `access.xml` is not well-formed XML." >> $GITHUB_STEP_SUMMARY
+                    ERRORS=$((ERRORS + 1))
+                  else
+                    for ACTION in core.admin core.manage; do
+                      if ! grep -q "name=\"${ACTION}\"" "$ACCESS_FILE" 2>/dev/null; then
+                        echo "- `access.xml` missing required action: `${ACTION}`" >> $GITHUB_STEP_SUMMARY
+                        ERRORS=$((ERRORS + 1))
+                      fi
+                    done
+                    echo "- `access.xml`: valid" >> $GITHUB_STEP_SUMMARY
+                  fi
+                fi
+              fi
+
+              # Check config.xml exists
+              CONFIG_FILE=$(find "$COMP_DIR" -name "config.xml" -not -path "./.git/*" 2>/dev/null | head -1)
+              if [ -z "$CONFIG_FILE" ]; then
+                echo "- Missing `config.xml` — component Options page will be empty." >> $GITHUB_STEP_SUMMARY
+                ERRORS=$((ERRORS + 1))
+              else
+                if command -v php &> /dev/null; then
+                  if ! php -r "@simplexml_load_file('$CONFIG_FILE') ?: exit(1);" 2>/dev/null; then
+                    echo "- `config.xml` is not well-formed XML." >> $GITHUB_STEP_SUMMARY
+                    ERRORS=$((ERRORS + 1))
+                  else
+                    echo "- `config.xml`: valid" >> $GITHUB_STEP_SUMMARY
+                  fi
+                fi
+              fi
+            done
+          fi
+
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ "${ERRORS}" -gt 0 ]; then
+            echo "**${ERRORS} config/ACL issue(s) found.**" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          else
+            echo "**Component config & ACL check passed.**" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: SQL schema validation
+        run: |
+          echo "### SQL Schema Validation" >> $GITHUB_STEP_SUMMARY
+          ERRORS=0
+
+          # Find SQL files in source/htdocs
+          SQL_FILES=$(find . -name "*.sql" -path "*/sql/*" -not -path "./.git/*" -not -path "./vendor/*" 2>/dev/null)
+          if [ -z "$SQL_FILES" ]; then
+            echo "No SQL files found — skipping." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "Found $(echo "$SQL_FILES" | wc -l) SQL file(s)" >> $GITHUB_STEP_SUMMARY
+
+            for FILE in $SQL_FILES; do
+              # Basic syntax check: balanced parentheses, no empty files
+              SIZE=$(wc -c < "$FILE" | tr -d ' ')
+              if [ "$SIZE" -eq 0 ]; then
+                echo "- Empty SQL file: \`${FILE}\`" >> $GITHUB_STEP_SUMMARY
+                ERRORS=$((ERRORS + 1))
+                continue
+              fi
+
+              # Check for common SQL errors
+              if grep -qP '^\s*$' "$FILE" && [ "$SIZE" -lt 5 ]; then
+                echo "- Whitespace-only SQL file: \`${FILE}\`" >> $GITHUB_STEP_SUMMARY
+                ERRORS=$((ERRORS + 1))
+                continue
+              fi
+
+              echo "- \`${FILE}\`: ${SIZE} bytes" >> $GITHUB_STEP_SUMMARY
+            done
+
+            # Check update SQL files follow version numbering pattern
+            UPDATE_DIR=$(find . -path "*/sql/updates/mysql" -type d -not -path "./.git/*" 2>/dev/null | head -1)
+            if [ -n "$UPDATE_DIR" ]; then
+              BAD_NAMES=0
+              for UFILE in "$UPDATE_DIR"/*.sql; do
+                [ ! -f "$UFILE" ] && continue
+                BASENAME=$(basename "$UFILE" .sql)
+                if ! echo "$BASENAME" | grep -qP '^\d+\.\d+\.\d+'; then
+                  echo "- Update file \`${UFILE}\` does not follow version naming (expected X.Y.Z.sql)" >> $GITHUB_STEP_SUMMARY
+                  BAD_NAMES=$((BAD_NAMES + 1))
+                fi
+              done
+              if [ "$BAD_NAMES" -gt 0 ]; then
+                ERRORS=$((ERRORS + BAD_NAMES))
+              fi
+            fi
+          fi
+
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ "${ERRORS}" -gt 0 ]; then
+            echo "**${ERRORS} SQL issue(s) found.**" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          else
+            echo "**SQL schema validation passed.**" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: Manifest file references check
+        run: |
+          echo "### Manifest File References" >> $GITHUB_STEP_SUMMARY
+          ERRORS=0
+
+          MANIFEST=""
+          for XML_FILE in $(find . -maxdepth 2 -name "*.xml" -not -path "./.git/*" -not -path "./vendor/*"); do
+            if grep -q "<extension" "$XML_FILE" 2>/dev/null; then
+              MANIFEST="$XML_FILE"
+              break
+            fi
+          done
+
+          if [ -z "$MANIFEST" ]; then
+            echo "No manifest found — skipping." >> $GITHUB_STEP_SUMMARY
+          else
+            MANIFEST_DIR=$(dirname "$MANIFEST")
+
+            # Check <filename> references
+            FILENAMES=$(grep -oP '<filename[^>]*>\K[^<]+' "$MANIFEST" 2>/dev/null || true)
+            for F in $FILENAMES; do
+              if [ ! -f "${MANIFEST_DIR}/${F}" ] && [ ! -d "${MANIFEST_DIR}/${F}" ]; then
+                echo "- Missing: \`${F}\` (referenced in manifest)" >> $GITHUB_STEP_SUMMARY
+                ERRORS=$((ERRORS + 1))
+              fi
+            done
+
+            # Check <folder> references
+            FOLDERS=$(grep -oP '<folder[^>]*>\K[^<]+' "$MANIFEST" 2>/dev/null || true)
+            for F in $FOLDERS; do
+              if [ ! -d "${MANIFEST_DIR}/${F}" ]; then
+                echo "- Missing folder: \`${F}\` (referenced in manifest)" >> $GITHUB_STEP_SUMMARY
+                ERRORS=$((ERRORS + 1))
+              fi
+            done
+
+            # Check <file> references in package manifests (ZIP files won't exist in source)
+            EXT_TYPE=$(grep -oP '<extension[^>]*\btype="\K[^"]+' "$MANIFEST" | head -1)
+            if [ "$EXT_TYPE" != "package" ]; then
+              FILES=$(grep -oP '<file[^>]*>\K[^<]+' "$MANIFEST" 2>/dev/null || true)
+              for F in $FILES; do
+                if [ ! -f "${MANIFEST_DIR}/${F}" ]; then
+                  echo "- Missing file: \`${F}\` (referenced in manifest)" >> $GITHUB_STEP_SUMMARY
+                  ERRORS=$((ERRORS + 1))
+                fi
+              done
+            fi
+          fi
+
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ "${ERRORS}" -gt 0 ]; then
+            echo "**${ERRORS} missing file reference(s).**" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          else
+            echo "**Manifest file references check passed.**" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: Form XML validation
+        run: |
+          echo "### Form XML Validation" >> $GITHUB_STEP_SUMMARY
+          ERRORS=0
+
+          FORM_FILES=$(find . -name "*.xml" -path "*/forms/*" -not -path "./.git/*" -not -path "./vendor/*" 2>/dev/null)
+          if [ -z "$FORM_FILES" ]; then
+            echo "No form XML files found — skipping." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "Found $(echo "$FORM_FILES" | wc -l) form file(s)" >> $GITHUB_STEP_SUMMARY
+            for FILE in $FORM_FILES; do
+              if command -v php &> /dev/null; then
+                if ! php -r "@simplexml_load_file('$FILE') ?: exit(1);" 2>/dev/null; then
+                  echo "- \`${FILE}\`: malformed XML" >> $GITHUB_STEP_SUMMARY
+                  ERRORS=$((ERRORS + 1))
+                else
+                  # Check for valid Joomla form structure
+                  if ! grep -qE '<form|<field|<fieldset' "$FILE" 2>/dev/null; then
+                    echo "- \`${FILE}\`: no \`<form>\`, \`<field>\`, or \`<fieldset>\` elements found" >> $GITHUB_STEP_SUMMARY
+                    ERRORS=$((ERRORS + 1))
+                  else
+                    echo "- \`${FILE}\`: valid" >> $GITHUB_STEP_SUMMARY
+                  fi
+                fi
+              fi
+            done
+          fi
+
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ "${ERRORS}" -gt 0 ]; then
+            echo "**${ERRORS} form XML issue(s).**" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          else
+            echo "**Form XML validation passed.**" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: Deprecated Joomla API check
+        continue-on-error: true
+        run: |
+          echo "### Deprecated Joomla API Check" >> $GITHUB_STEP_SUMMARY
+          WARNINGS=0
+
+          SRC_DIR=""
+          for DIR in source/ src/ htdocs/; do
+            [ -d "$DIR" ] && SRC_DIR="$DIR" && break
+          done
+
+          if [ -z "$SRC_DIR" ]; then
+            echo "No source directory found — skipping." >> $GITHUB_STEP_SUMMARY
+          else
+            # Joomla 3/4 deprecated patterns that break in Joomla 6
+            PATTERNS=(
+              'JFactory::'
+              'JText::'
+              'JHtml::'
+              'JRoute::'
+              'JUri::'
+              'JLog::'
+              'JTable::'
+              'JInput'
+              'CMSFactory::\$application'
+              'JApplicationCms'
+            )
+
+            for PATTERN in "${PATTERNS[@]}"; do
+              HITS=$(grep -rnl "$PATTERN" "$SRC_DIR" --include="*.php" 2>/dev/null || true)
+              if [ -n "$HITS" ]; then
+                COUNT=$(echo "$HITS" | wc -l)
+                echo "- \`${PATTERN}\` found in ${COUNT} file(s)" >> $GITHUB_STEP_SUMMARY
+                WARNINGS=$((WARNINGS + COUNT))
+              fi
+            done
+
+            echo "" >> $GITHUB_STEP_SUMMARY
+            if [ "$WARNINGS" -gt 0 ]; then
+              echo "**${WARNINGS} deprecated API usage(s) found.** These will break in Joomla 6." >> $GITHUB_STEP_SUMMARY
+            else
+              echo "**No deprecated APIs found.**" >> $GITHUB_STEP_SUMMARY
+            fi
+          fi
+
+      - name: Template output escaping check
+        continue-on-error: true
+        run: |
+          echo "### Template Output Escaping" >> $GITHUB_STEP_SUMMARY
+          WARNINGS=0
+
+          TMPL_FILES=$(find . -name "*.php" -path "*/tmpl/*" -not -path "./.git/*" -not -path "./vendor/*" 2>/dev/null)
+          if [ -z "$TMPL_FILES" ]; then
+            echo "No template files found — skipping." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "Found $(echo "$TMPL_FILES" | wc -l) template file(s)" >> $GITHUB_STEP_SUMMARY
+
+            for FILE in $TMPL_FILES; do
+              # Check for unescaped output: <?= $var ?> or echo $var without escape()
+              UNESCAPED=$(grep -nP '<\?=\s*\$(?!this->escape)' "$FILE" 2>/dev/null || true)
+              if [ -n "$UNESCAPED" ]; then
+                HITS=$(echo "$UNESCAPED" | wc -l)
+                echo "- \`${FILE}\`: ${HITS} unescaped \`<?= \$var ?>\` output(s) — use \`<?= \$this->escape(\$var) ?>\`" >> $GITHUB_STEP_SUMMARY
+                WARNINGS=$((WARNINGS + HITS))
+              fi
+
+              # Check for echo without escaping in template context
+              RAW_ECHO=$(grep -nP '^\s*echo\s+\$(?!this->escape)' "$FILE" 2>/dev/null || true)
+              if [ -n "$RAW_ECHO" ]; then
+                HITS=$(echo "$RAW_ECHO" | wc -l)
+                echo "- \`${FILE}\`: ${HITS} raw \`echo \$var\` — consider \`echo \$this->escape(\$var)\`" >> $GITHUB_STEP_SUMMARY
+                WARNINGS=$((WARNINGS + HITS))
+              fi
+            done
+
+            echo "" >> $GITHUB_STEP_SUMMARY
+            if [ "$WARNINGS" -gt 0 ]; then
+              echo "**${WARNINGS} potential XSS risk(s) in templates.** Review unescaped output." >> $GITHUB_STEP_SUMMARY
+            else
+              echo "**All template output appears properly escaped.**" >> $GITHUB_STEP_SUMMARY
+            fi
+          fi
+
+      - name: Namespace consistency check
+        run: |
+          echo "### Namespace Consistency" >> $GITHUB_STEP_SUMMARY
+          ERRORS=0
+
+          # Find component/plugin manifests with <namespace> tags
+          MANIFESTS=$(find . -maxdepth 4 -name "*.xml" -not -path "./.git/*" -not -path "./vendor/*" -exec grep -l '<namespace' {} \; 2>/dev/null || true)
+
+          if [ -z "$MANIFESTS" ]; then
+            echo "No manifests with \`<namespace>\` found — skipping." >> $GITHUB_STEP_SUMMARY
+          else
+            for MANIFEST in $MANIFESTS; do
+              NS_PATH=$(grep -oP '<namespace[^>]*>\K[^<]+' "$MANIFEST" 2>/dev/null | head -1)
+              [ -z "$NS_PATH" ] && continue
+              MANIFEST_DIR=$(dirname "$MANIFEST")
+
+              echo "Manifest: \`${MANIFEST}\` → namespace \`${NS_PATH}\`" >> $GITHUB_STEP_SUMMARY
+
+              # Check PHP files have matching namespace
+              while IFS= read -r -d '' PHP_FILE; do
+                FILE_NS=$(grep -oP '^\s*namespace\s+\K[^;]+' "$PHP_FILE" 2>/dev/null | head -1)
+                [ -z "$FILE_NS" ] && continue
+
+                # Namespace should start with the manifest namespace path
+                if ! echo "$FILE_NS" | grep -qF "${NS_PATH}"; then
+                  echo "- \`${PHP_FILE}\`: namespace \`${FILE_NS}\` doesn't match manifest \`${NS_PATH}\`" >> $GITHUB_STEP_SUMMARY
+                  ERRORS=$((ERRORS + 1))
+                fi
+              done < <(find "$MANIFEST_DIR" -name "*.php" -path "*/src/*" -not -path "./vendor/*" -print0 2>/dev/null)
+            done
+          fi
+
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ "${ERRORS}" -gt 0 ]; then
+            echo "**${ERRORS} namespace mismatch(es).**" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          else
+            echo "**Namespace consistency check passed.**" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: SPDX license header check
+        continue-on-error: true
+        run: |
+          echo "### SPDX License Headers" >> $GITHUB_STEP_SUMMARY
+          MISSING=0
+
+          SRC_DIR=""
+          for DIR in source/ src/ htdocs/; do
+            [ -d "$DIR" ] && SRC_DIR="$DIR" && break
+          done
+
+          if [ -z "$SRC_DIR" ]; then
+            echo "No source directory found — skipping." >> $GITHUB_STEP_SUMMARY
+          else
+            TOTAL=0
+            while IFS= read -r -d '' FILE; do
+              TOTAL=$((TOTAL + 1))
+              if ! head -10 "$FILE" | grep -qi "SPDX"; then
+                echo "- Missing SPDX header: \`${FILE}\`" >> $GITHUB_STEP_SUMMARY
+                MISSING=$((MISSING + 1))
+              fi
+            done < <(find "$SRC_DIR" -name "*.php" -not -path "./vendor/*" -print0)
+
+            echo "" >> $GITHUB_STEP_SUMMARY
+            if [ "$MISSING" -gt 0 ]; then
+              echo "**${MISSING}/${TOTAL} PHP file(s) missing SPDX license header.**" >> $GITHUB_STEP_SUMMARY
+            else
+              echo "**All ${TOTAL} PHP files have SPDX headers.**" >> $GITHUB_STEP_SUMMARY
+            fi
+          fi
+
+      - name: Service provider check
+        run: |
+          echo "### Service Provider Check" >> $GITHUB_STEP_SUMMARY
+          ERRORS=0
+
+          PROVIDERS=$(find . -name "provider.php" -path "*/services/*" -not -path "./.git/*" -not -path "./vendor/*" 2>/dev/null)
+          if [ -z "$PROVIDERS" ]; then
+            echo "No service providers found — skipping." >> $GITHUB_STEP_SUMMARY
+          else
+            for FILE in $PROVIDERS; do
+              # Must return a ServiceProviderInterface
+              if ! grep -qP 'ServiceProviderInterface|ComponentInterface|MVCFactoryInterface|DispatcherInterface' "$FILE" 2>/dev/null; then
+                echo "- \`${FILE}\`: does not reference ServiceProviderInterface or component interfaces" >> $GITHUB_STEP_SUMMARY
+                ERRORS=$((ERRORS + 1))
+              else
+                echo "- \`${FILE}\`: valid service provider" >> $GITHUB_STEP_SUMMARY
+              fi
+
+              # Must have return statement
+              if ! grep -qP '^\s*return\s+new\s+' "$FILE" 2>/dev/null; then
+                echo "- \`${FILE}\`: missing \`return new ...\` statement" >> $GITHUB_STEP_SUMMARY
+                ERRORS=$((ERRORS + 1))
+              fi
+            done
+          fi
+
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ "${ERRORS}" -gt 0 ]; then
+            echo "**${ERRORS} service provider issue(s).**" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          else
+            echo "**Service provider check passed.**" >> $GITHUB_STEP_SUMMARY
+          fi
+
  release-readiness:
    name: Release Readiness Check
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request' && github.base_ref == 'main'
+    continue-on-error: true

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v4

      - name: Validate release readiness
        run: |
@@ -338,15 +761,19 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v4

      - name: Setup PHP ${{ matrix.php }}
        run: |
+          if ! command -v php &> /dev/null; then
+            sudo apt-get update -qq
+            sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          fi
          php -v && composer --version

      - name: Install dependencies
        env:
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.MOKOGITEA_TOKEN || github.token }}"}}'
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || secrets.GA_TOKEN || github.token }}"}}'
        run: |
          if [ -f "composer.json" ]; then
            composer install \
@@ -384,14 +811,19 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v4

      - name: Setup PHP
-        run: php -v && composer --version
+        run: |
+          if ! command -v php &> /dev/null; then
+            sudo apt-get update -qq
+            sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          fi
+          php -v && composer --version

      - name: Install dependencies
        env:
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.MOKOGITEA_TOKEN || github.token }}"}}'
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || secrets.GA_TOKEN || github.token }}"}}'
        run: |
          if [ -f "composer.json" ]; then
            composer install --no-interaction --prefer-dist --optimize-autoloader
@@ -448,3 +880,24 @@ jobs:
            echo '```' >> $GITHUB_STEP_SUMMARY
          fi
          exit $EXIT
+
+  pre-release:
+    name: Build RC Pre-Release
+    runs-on: ubuntu-latest
+    needs: [lint-and-validate, test]
+    if: github.event_name == 'pull_request'
+
+    steps:
+      - name: Trigger pre-release build
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          REPO: ${{ github.repository }}
+          BRANCH: ${{ github.head_ref }}
+        run: |
+          curl -s -X POST \
+            "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${REPO}/actions/workflows/pre-release.yml/dispatches" \
+            -H "Authorization: token ${GA_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d "{\"ref\":\"${BRANCH}\",\"inputs\":{\"stability\":\"release-candidate\"}}"
+          echo "### Pre-Release" >> $GITHUB_STEP_SUMMARY
+          echo "Triggered RC build on branch \`${BRANCH}\`" >> $GITHUB_STEP_SUMMARY
@@ -0,0 +1,76 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+name: "Publish to Composer"
+
+on:
+  push:
+    tags:
+      - 'v*'
+      - '[0-9]*.[0-9]*.[0-9]*'
+  release:
+    types: [published]
+  workflow_dispatch:
+
+env:
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+
+jobs:
+  publish:
+    name: Publish Package
+    runs-on: ubuntu-latest
+    if: >-
+      !contains(github.event.head_commit.message, '[skip ci]') &&
+      !contains(github.event.head_commit.message, '[skip publish]')
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup PHP
+        run: |
+          if ! command -v php &> /dev/null; then
+            sudo apt-get update -qq
+            sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          fi
+
+      - name: Install dependencies
+        run: composer install --no-dev --no-interaction --prefer-dist --quiet
+
+      - name: Determine version
+        id: version
+        run: |
+          VERSION=$(php -r "echo json_decode(file_get_contents('composer.json'))->version;")
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+          echo "Package version: ${VERSION}"
+
+      # Gitea Composer Registry — auto-publishes from tags
+      # The tag push itself registers the package at:
+      # https://git.mokoconsulting.tech/api/packages/MokoConsulting/composer
+      - name: Verify Gitea registry
+        run: |
+          echo "Gitea Composer registry auto-publishes from tags."
+          echo "Package available at: ${GITEA_URL}/api/packages/MokoConsulting/composer"
+          echo "Install: composer require mokoconsulting/mokocli"
+
+      # Packagist — notify of new version
+      - name: Notify Packagist
+        if: secrets.PACKAGIST_TOKEN != ''
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          echo "Notifying Packagist of version ${VERSION}..."
+          curl -sf -X POST \
+            -H "Content-Type: application/json" \
+            -d '{"repository":{"url":"https://git.mokoconsulting.tech/MokoConsulting/mokocli"}}' \
+            "https://packagist.org/api/update-package?username=mokoconsulting&apiToken=${{ secrets.PACKAGIST_TOKEN }}" \
+            && echo "Packagist notified" \
+            || echo "::warning::Packagist notification failed (package may not be registered yet)"
+
+      - name: Summary
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          echo "## Composer Package Published" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| Registry | Status |" >> $GITHUB_STEP_SUMMARY
+          echo "|----------|--------|" >> $GITHUB_STEP_SUMMARY
+          echo "| Gitea | \`composer require mokoconsulting/mokocli:${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
+          echo "| Packagist | \`composer require mokoconsulting/mokocli\` |" >> $GITHUB_STEP_SUMMARY
@@ -0,0 +1,126 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Deploy
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
+# PATH: /templates/workflows/joomla/deploy-manual.yml.template
+# VERSION: 04.07.00
+# BRIEF: Manual SFTP deploy to dev server for Joomla repos
+
+name: "Universal: Deploy to Dev (Manual)"
+
+on:
+  workflow_dispatch:
+    inputs:
+      clear_remote:
+        description: 'Delete all remote files before uploading'
+        required: false
+        default: 'false'
+        type: boolean
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+permissions:
+  contents: read
+
+jobs:
+  deploy:
+    name: SFTP Deploy to Dev
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Setup PHP
+        run: |
+          php -v && composer --version
+
+      - name: Setup MokoStandards tools
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
+          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
+          MOKO_CLONE_HOST: ${{ secrets.GA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
+        run: |
+          git clone --depth 1 --branch main --quiet \
+            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
+            /tmp/mokostandards-api 2>/dev/null || true
+          if [ -d "/tmp/mokostandards-api" ] && [ -f "/tmp/mokostandards-api/composer.json" ]; then
+            cd /tmp/mokostandards-api && composer install --no-dev --no-interaction --quiet 2>/dev/null || true
+          fi
+
+      - name: Check FTP configuration
+        id: check
+        env:
+          HOST: ${{ vars.DEV_FTP_HOST }}
+          PATH_VAR: ${{ vars.DEV_FTP_PATH }}
+          PORT: ${{ vars.DEV_FTP_PORT }}
+        run: |
+          if [ -z "$HOST" ] || [ -z "$PATH_VAR" ]; then
+            echo "DEV_FTP_HOST or DEV_FTP_PATH not configured -- cannot deploy"
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          echo "skip=false" >> "$GITHUB_OUTPUT"
+          echo "host=$HOST" >> "$GITHUB_OUTPUT"
+
+          REMOTE="${PATH_VAR%/}"
+          echo "remote=$REMOTE" >> "$GITHUB_OUTPUT"
+
+          [ -z "$PORT" ] && PORT="22"
+          echo "port=$PORT" >> "$GITHUB_OUTPUT"
+
+      - name: Deploy via SFTP
+        if: steps.check.outputs.skip != 'true'
+        env:
+          SFTP_KEY: ${{ secrets.DEV_FTP_KEY }}
+          SFTP_PASS: ${{ secrets.DEV_FTP_PASSWORD }}
+          SFTP_USER: ${{ vars.DEV_FTP_USERNAME }}
+        run: |
+          SOURCE_DIR="src"
+          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
+          [ ! -d "$SOURCE_DIR" ] && { echo "No src/ or htdocs/ -- nothing to deploy"; exit 0; }
+
+          printf '{"host":"%s","port":%s,"username":"%s","remotePath":"%s"' \
+            "${{ steps.check.outputs.host }}" "${{ steps.check.outputs.port }}" "$SFTP_USER" "${{ steps.check.outputs.remote }}" \
+            > /tmp/sftp-config.json
+
+          if [ -n "$SFTP_KEY" ]; then
+            echo "$SFTP_KEY" > /tmp/deploy_key
+            chmod 600 /tmp/deploy_key
+            printf ',"privateKeyPath":"/tmp/deploy_key"}' >> /tmp/sftp-config.json
+          else
+            printf ',"password":"%s"}' "$SFTP_PASS" >> /tmp/sftp-config.json
+          fi
+
+          DEPLOY_ARGS=(--path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json)
+          [ "${{ inputs.clear_remote }}" = "true" ] && DEPLOY_ARGS+=(--clear-remote)
+
+          PLATFORM=$(php /tmp/mokostandards-api/cli/platform_detect.php --path . 2>/dev/null || true)
+          if [ "$PLATFORM" = "waas-component" ] && [ -f "/tmp/mokostandards-api/deploy/deploy-joomla.php" ]; then
+            php /tmp/mokostandards-api/deploy/deploy-joomla.php "${DEPLOY_ARGS[@]}"
+          else
+            php /tmp/mokostandards-api/deploy/deploy-sftp.php "${DEPLOY_ARGS[@]}"
+          fi
+
+          rm -f /tmp/deploy_key /tmp/sftp-config.json
+
+      - name: Summary
+        if: always()
+        run: |
+          if [ "${{ steps.check.outputs.skip }}" = "true" ]; then
+            echo "### Deploy Skipped -- FTP not configured" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "### Manual Dev Deploy Complete" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
+            echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
+            echo "| Host | \`${{ steps.check.outputs.host }}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| Remote | \`${{ steps.check.outputs.remote }}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| Clear | ${{ inputs.clear_remote }} |" >> $GITHUB_STEP_SUMMARY
+          fi
@@ -25,10 +25,6 @@
 name: "Universal: Secret Scanning"

 on:
-  pull_request:
-    branches:
-      - main
-      - 'dev/**'
  schedule:
    - cron: '0 5 * * 1'  # Weekly Monday 05:00 UTC
  workflow_dispatch:
@@ -0,0 +1,73 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: mokocli.Automation
+# VERSION: 01.02.00
+# BRIEF: Auto-create feature branch when an issue is opened
+
+name: "Universal: Issue Branch"
+
+on:
+  issues:
+    types: [opened]
+
+permissions:
+  contents: write
+  issues: write
+
+env:
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+
+jobs:
+  create-branch:
+    name: Create feature branch
+    runs-on: ubuntu-latest
+    steps:
+      - name: Create branch and comment
+        run: |
+          TOKEN="${{ secrets.GA_TOKEN }}"
+          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
+          ISSUE_NUM="${{ github.event.issue.number }}"
+          ISSUE_TITLE="${{ github.event.issue.title }}"
+
+          # Build slug from title: lowercase, replace non-alnum with dash, trim
+          SLUG=$(echo "${ISSUE_TITLE}" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/-/g' | sed 's/--*/-/g' | sed 's/^-//;s/-$//' | cut -c1-40)
+          BRANCH="feature/${ISSUE_NUM}-${SLUG}"
+
+          # Check dev branch exists
+          DEV_EXISTS=$(curl -sf -o /dev/null -w '%{http_code}' \
+            -H "Authorization: token ${TOKEN}" \
+            "${API}/branches/dev" 2>/dev/null || echo "000")
+
+          if [ "${DEV_EXISTS}" != "200" ]; then
+            echo "No dev branch -- skipping"
+            exit 0
+          fi
+
+          # Create branch from dev
+          HTTP=$(curl -sf -o /dev/null -w '%{http_code}' -X POST \
+            -H "Authorization: token ${TOKEN}" \
+            -H "Content-Type: application/json" \
+            "${API}/branches" \
+            -d "{\"new_branch_name\":\"${BRANCH}\",\"old_branch_name\":\"dev\"}" 2>/dev/null || echo "000")
+
+          if [ "${HTTP}" = "201" ]; then
+            echo "Created branch: ${BRANCH}"
+
+            # Comment on issue with branch link
+            REPO_URL="${GITEA_URL}/${{ github.repository }}"
+            BODY="Branch created: [\`${BRANCH}\`](${REPO_URL}/src/branch/${BRANCH})\n\n\`\`\`bash\ngit fetch origin\ngit checkout ${BRANCH}\n\`\`\`"
+
+            curl -sf -X POST \
+              -H "Authorization: token ${TOKEN}" \
+              -H "Content-Type: application/json" \
+              "${API}/issues/${ISSUE_NUM}/comments" \
+              -d "{\"body\":\"${BODY}\"}" > /dev/null 2>&1
+
+            echo "Commented on issue #${ISSUE_NUM}"
+          else
+            echo "Failed to create branch (HTTP ${HTTP}) -- may already exist"
+          fi
@@ -7,7 +7,7 @@
 # INGROUP: moko-platform.CI
 # REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
 # PATH: /templates/workflows/universal/pr-check.yml.template
-# VERSION: 05.00.00
+# VERSION: 09.23.00
 # BRIEF: PR gate — branch policy + code validation before merge

 name: "Universal: PR Check"
@@ -96,6 +96,32 @@ jobs:
          echo "Branch policy: OK (${HEAD} → ${BASE})"
          echo "## Branch Policy: Passed" >> $GITHUB_STEP_SUMMARY

+  # ── Secret Scanning ──────────────────────────────────────────────────
+  gitleaks:
+    name: Secret Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Gitleaks
+        run: |
+          GITLEAKS_VERSION="8.21.2"
+          curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
+            | tar -xz -C /usr/local/bin gitleaks
+
+      - name: Scan PR commits for secrets
+        run: |
+          if gitleaks detect --source . --verbose \
+            --log-opts=${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }} 2>&1; then
+            echo "**No secrets detected.**" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "::error::Potential secrets detected in PR commits"
+            exit 1
+          fi
+
  # ── Code Validation ────────────────────────────────────────────────────
  validate:
    name: Validate PR
@@ -105,6 +131,19 @@ jobs:
      - name: Checkout
        uses: actions/checkout@v4

+      - name: Check for merge conflict markers
+        run: |
+          CONFLICTS=$(grep -rn '<<<<<<< \|>>>>>>> \|^=======$' --include='*.php' --include='*.xml' --include='*.css' --include='*.js' --include='*.json' --include='*.md' --include='*.yml' --include='*.yaml' --include='*.ini' --include='*.txt' . 2>/dev/null | grep -v '.git/' || true)
+          if [ -n "$CONFLICTS" ]; then
+            echo "::error::Merge conflict markers found in source files"
+            echo "## Conflict Markers Found" >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+            echo "$CONFLICTS" >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+          echo "No conflict markers found"
+
      - name: Detect platform
        id: platform
        run: |
@@ -134,6 +173,98 @@ jobs:
          echo "PHP lint: ${ERRORS} error(s)"
          [ "$ERRORS" -eq 0 ] || { echo "::error::PHP syntax errors found"; exit 1; }

+      - name: Joomla JEXEC guard check
+        if: steps.platform.outputs.platform == 'joomla'
+        run: |
+          ERRORS=0
+          while IFS= read -r -d '' file; do
+            # Skip vendor, node_modules, and index.html stub files
+            case "$file" in ./vendor/*|./node_modules/*) continue ;; esac
+            # Check first 10 lines for JEXEC or JPATH guard
+            if ! head -20 "$file" | grep -qE "defined\s*\(\s*['\"](_JEXEC|JPATH_BASE|\\\\JPATH_PLATFORM)['\"]"; then
+              echo "::error file=${file}::Missing JEXEC guard: ${file}"
+              ERRORS=$((ERRORS + 1))
+            fi
+          done < <(find . -name "*.php" -path "*/src/*" -not -path "./.git/*" -not -path "./vendor/*" -print0)
+          if [ "$ERRORS" -gt 0 ]; then
+            echo "::error::${ERRORS} PHP file(s) missing defined('_JEXEC') or die guard"
+            echo "## JEXEC Guard Check: Failed" >> $GITHUB_STEP_SUMMARY
+            echo "${ERRORS} file(s) in src/ are missing the Joomla execution guard." >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+          echo "JEXEC guard: OK"
+
+      - name: Joomla directory listing protection
+        if: steps.platform.outputs.platform == 'joomla'
+        run: |
+          MISSING=0
+          SOURCE_DIR="src"
+          [ ! -d "$SOURCE_DIR" ] && exit 0
+          while IFS= read -r dir; do
+            if [ ! -f "${dir}/index.html" ]; then
+              echo "::warning::Missing index.html in ${dir} (directory listing protection)"
+              MISSING=$((MISSING + 1))
+            fi
+          done < <(find "$SOURCE_DIR" -type d -not -path "./.git/*" -not -path "*/vendor/*" -not -path "*/node_modules/*")
+          if [ "$MISSING" -gt 0 ]; then
+            echo "## Directory Protection" >> $GITHUB_STEP_SUMMARY
+            echo "${MISSING} director(ies) missing index.html" >> $GITHUB_STEP_SUMMARY
+          fi
+          echo "Directory protection: ${MISSING} missing (advisory)"
+
+      - name: Joomla script file and asset checks
+        if: steps.platform.outputs.platform == 'joomla'
+        run: |
+          ERRORS=0
+          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
+          [ -z "$MANIFEST" ] && exit 0
+          MANIFEST_DIR=$(dirname "$MANIFEST")
+
+          # Check scriptfile exists if declared
+          SCRIPTFILE=$(sed -n 's/.*<scriptfile>\([^<]*\)<\/scriptfile>.*/\1/p' "$MANIFEST" 2>/dev/null)
+          if [ -n "$SCRIPTFILE" ]; then
+            if [ ! -f "${MANIFEST_DIR}/${SCRIPTFILE}" ]; then
+              echo "::error::Manifest declares <scriptfile>${SCRIPTFILE}</scriptfile> but file not found at ${MANIFEST_DIR}/${SCRIPTFILE}"
+              ERRORS=$((ERRORS + 1))
+            else
+              echo "Script file: ${MANIFEST_DIR}/${SCRIPTFILE} (OK)"
+            fi
+          fi
+
+          # Require joomla.asset.json and validate it
+          ASSET_JSON=$(find "$MANIFEST_DIR" -name "joomla.asset.json" -not -path "./.git/*" 2>/dev/null | head -1)
+          if [ -z "$ASSET_JSON" ]; then
+            echo "::error::joomla.asset.json not found — Joomla asset system is required"
+            ERRORS=$((ERRORS + 1))
+          else
+            if command -v php &> /dev/null; then
+              php -r "json_decode(file_get_contents('$ASSET_JSON')); if(json_last_error()!==JSON_ERROR_NONE){echo json_last_error_msg();exit(1);}" 2>&1 || {
+                echo "::error::joomla.asset.json is not valid JSON"
+                ERRORS=$((ERRORS + 1))
+              }
+            fi
+            echo "joomla.asset.json: valid"
+          fi
+
+          # Validate all XML files in src/ are well-formed
+          XML_ERRORS=0
+          if command -v php &> /dev/null; then
+            while IFS= read -r -d '' xmlfile; do
+              if ! php -r "libxml_use_internal_errors(true); \$x = simplexml_load_file('$xmlfile'); if(!\$x){foreach(libxml_get_errors() as \$e) echo trim(\$e->message) . ' in $xmlfile'; exit(1);}" 2>&1; then
+                XML_ERRORS=$((XML_ERRORS + 1))
+              fi
+            done < <(find "$MANIFEST_DIR" -name "*.xml" -not -path "./.git/*" -print0)
+          fi
+          if [ "$XML_ERRORS" -gt 0 ]; then
+            echo "::error::${XML_ERRORS} XML file(s) are malformed"
+            ERRORS=$((ERRORS + 1))
+          else
+            echo "XML well-formedness: OK"
+          fi
+
+          [ "$ERRORS" -gt 0 ] && exit 1
+          echo "Joomla asset checks: OK"
+
      - name: Validate platform manifest
        run: |
          PLATFORM="${{ steps.platform.outputs.platform }}"
@@ -151,6 +282,13 @@ jobs:
              for ELEMENT in name version description; do
                grep -q "<${ELEMENT}>" "$MANIFEST" || { echo "::error::Missing <${ELEMENT}> in manifest"; exit 1; }
              done
+              # Block legacy raw/branch update server URLs on MokoGitea
+              RAW_URLS=$(grep -n 'raw/branch' "$MANIFEST" | grep -i 'mokoconsulting\|mokogitea\|git\.mokoconsulting\.tech' || true)
+              if [ -n "$RAW_URLS" ]; then
+                echo "::error::Manifest contains legacy raw/branch update server URL on MokoGitea. Use the Gitea Pages URL instead (e.g. /{REPO}/updates.xml not /{REPO}/raw/branch/main/updates.xml)"
+                echo "$RAW_URLS"
+                exit 1
+              fi
              echo "Joomla manifest valid"
              ;;
            dolibarr)
@@ -183,6 +321,138 @@ jobs:
              ;;
          esac

+      - name: Validate Joomla language files
+        if: steps.platform.outputs.platform == 'joomla'
+        run: |
+          ERRORS=0
+          WARNINGS=0
+
+          # Require both en-GB and en-US language directories
+          LANG_ROOT=$(find . -path "*/language" -type d -not -path "./.git/*" 2>/dev/null | head -1)
+          if [ -z "$LANG_ROOT" ]; then
+            echo "No language/ directory found — skipping"
+            exit 0
+          fi
+
+          if [ ! -d "$LANG_ROOT/en-GB" ]; then
+            echo "::error::Missing en-GB language directory (${LANG_ROOT}/en-GB)"
+            ERRORS=$((ERRORS + 1))
+          fi
+          if [ ! -d "$LANG_ROOT/en-US" ]; then
+            echo "::error::Missing en-US language directory (${LANG_ROOT}/en-US)"
+            ERRORS=$((ERRORS + 1))
+          fi
+
+          # Check that en-GB and en-US have matching .ini files
+          if [ -d "$LANG_ROOT/en-GB" ] && [ -d "$LANG_ROOT/en-US" ]; then
+            for GB_INI in "$LANG_ROOT/en-GB"/*.ini; do
+              [ ! -f "$GB_INI" ] && continue
+              US_INI="$LANG_ROOT/en-US/$(basename "$GB_INI")"
+              if [ ! -f "$US_INI" ]; then
+                echo "::error::$(basename "$GB_INI") exists in en-GB but missing from en-US"
+                ERRORS=$((ERRORS + 1))
+              fi
+            done
+            for US_INI in "$LANG_ROOT/en-US"/*.ini; do
+              [ ! -f "$US_INI" ] && continue
+              GB_INI="$LANG_ROOT/en-GB/$(basename "$US_INI")"
+              if [ ! -f "$GB_INI" ]; then
+                echo "::error::$(basename "$US_INI") exists in en-US but missing from en-GB"
+                ERRORS=$((ERRORS + 1))
+              fi
+            done
+          fi
+
+          # Find all .ini language files
+          INI_FILES=$(find . -path "*/language/*/*.ini" -not -path "./.git/*" 2>/dev/null)
+          if [ -z "$INI_FILES" ]; then
+            echo "No .ini language files found"
+            [ "$ERRORS" -gt 0 ] && exit 1
+            exit 0
+          fi
+
+          echo "Found $(echo "$INI_FILES" | wc -l) language file(s)"
+
+          for FILE in $INI_FILES; do
+            FNAME=$(basename "$FILE")
+            LINENUM=0
+            SEEN_KEYS=""
+
+            while IFS= read -r line || [ -n "$line" ]; do
+              LINENUM=$((LINENUM + 1))
+
+              # Skip empty lines and comments
+              [ -z "$line" ] && continue
+              echo "$line" | grep -qE '^\s*;' && continue
+              echo "$line" | grep -qE '^\s*$' && continue
+
+              # Must match KEY="VALUE" format
+              if ! echo "$line" | grep -qE '^[A-Z_][A-Z0-9_]*=".*"$'; then
+                echo "::error file=${FILE},line=${LINENUM}::Malformed line: ${line}"
+                ERRORS=$((ERRORS + 1))
+                continue
+              fi
+
+              # Extract key and check for duplicates
+              KEY=$(echo "$line" | sed 's/=.*//')
+              if echo "$SEEN_KEYS" | grep -qx "$KEY"; then
+                echo "::error file=${FILE},line=${LINENUM}::Duplicate key: ${KEY}"
+                ERRORS=$((ERRORS + 1))
+              fi
+              SEEN_KEYS="${SEEN_KEYS}
+          ${KEY}"
+            done < "$FILE"
+
+            echo "  ${FILE}: checked ${LINENUM} lines"
+          done
+
+          # Cross-check en-GB vs en-US key consistency
+          GB_DIR=$(find . -path "*/language/en-GB" -type d -not -path "./.git/*" 2>/dev/null | head -1)
+          US_DIR=$(find . -path "*/language/en-US" -type d -not -path "./.git/*" 2>/dev/null | head -1)
+
+          if [ -n "$GB_DIR" ] && [ -n "$US_DIR" ]; then
+            for GB_FILE in "$GB_DIR"/*.ini; do
+              [ ! -f "$GB_FILE" ] && continue
+              FNAME=$(basename "$GB_FILE")
+              US_FILE="$US_DIR/$FNAME"
+              [ ! -f "$US_FILE" ] && continue
+
+              GB_KEYS=$(grep -oP '^[A-Z_][A-Z0-9_]*(?==)' "$GB_FILE" 2>/dev/null | sort)
+              US_KEYS=$(grep -oP '^[A-Z_][A-Z0-9_]*(?==)' "$US_FILE" 2>/dev/null | sort)
+
+              # Keys in en-GB but not en-US
+              MISSING_US=$(comm -23 <(echo "$GB_KEYS") <(echo "$US_KEYS"))
+              if [ -n "$MISSING_US" ]; then
+                echo "::warning::Keys in en-GB/$FNAME but missing from en-US/$FNAME:"
+                echo "$MISSING_US" | while read -r k; do echo "  - $k"; done
+                WARNINGS=$((WARNINGS + 1))
+              fi
+
+              # Keys in en-US but not en-GB
+              MISSING_GB=$(comm -13 <(echo "$GB_KEYS") <(echo "$US_KEYS"))
+              if [ -n "$MISSING_GB" ]; then
+                echo "::warning::Keys in en-US/$FNAME but missing from en-GB/$FNAME:"
+                echo "$MISSING_GB" | while read -r k; do echo "  - $k"; done
+                WARNINGS=$((WARNINGS + 1))
+              fi
+            done
+          fi
+
+          {
+            echo "### Language File Validation"
+            echo "| Metric | Count |"
+            echo "|---|---|"
+            echo "| Files checked | $(echo "$INI_FILES" | wc -l) |"
+            echo "| Errors | ${ERRORS} |"
+            echo "| Warnings | ${WARNINGS} |"
+          } >> $GITHUB_STEP_SUMMARY
+
+          if [ "$ERRORS" -gt 0 ]; then
+            echo "::error::Language validation failed with ${ERRORS} error(s)"
+            exit 1
+          fi
+          echo "Language files: OK (${WARNINGS} warning(s))"
+
      - name: Check changelog has unreleased entry
        run: |
          if [ ! -f "CHANGELOG.md" ]; then
@@ -234,3 +504,31 @@ jobs:
          curl -s -X POST             "${GITEA_URL}/api/v1/repos/${REPO}/actions/workflows/pre-release.yml/dispatches"             -H "Authorization: token ${GITEA_TOKEN}"             -H "Content-Type: application/json"             -d "{\"ref\":\"${BRANCH}\",\"inputs\":{\"stability\":\"release-candidate\"}}"
          echo "### Pre-Release" >> $GITHUB_STEP_SUMMARY
          echo "Triggered RC build on branch \`${BRANCH}\`" >> $GITHUB_STEP_SUMMARY
+
+  # ── Issue Reporter ──────────────────────────────────────────────────────
+  report-issues:
+    name: Report Issues
+    runs-on: ubuntu-latest
+    needs: [branch-policy, validate]
+    if: >-
+      always() &&
+      needs.validate.result == 'failure'
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: automation/ci-issue-reporter.sh
+          sparse-checkout-cone-mode: false
+
+      - name: "File issue for PR validation failure"
+        env:
+          GITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+          GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+        run: |
+          chmod +x automation/ci-issue-reporter.sh
+          ./automation/ci-issue-reporter.sh \
+            --gate "PR Validation" \
+            --workflow "PR Check" \
+            --severity error \
+            --details "PR validation failed (syntax, manifest, changelog, or source checks). See the CI run for the specific check that failed."
@@ -0,0 +1,71 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: mokocli.Validation
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
+# PATH: /templates/workflows/joomla/pr-metadata-check.yml.template
+# VERSION: 01.00.00
+# BRIEF: Validate MokoGitea metadata matches Joomla extension manifest on PRs
+
+name: "Joomla: Metadata Validation"
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, converted_to_draft, ready_for_review]
+
+permissions:
+  contents: read
+
+env:
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
+  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
+
+jobs:
+  validate-metadata:
+    name: "Validate Joomla Metadata"
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup mokocli tools
+        env:
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
+        run: |
+          if [ -f /opt/mokocli/cli/joomla_metadata_validate.php ] && [ -f /opt/mokocli/vendor/autoload.php ]; then
+            echo Using pre-installed /opt/mokocli
+            echo MOKO_CLI=/opt/mokocli/cli >> $GITHUB_ENV
+          else
+            echo Falling back to fresh clone
+            if ! command -v composer > /dev/null 2>&1; then
+              sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer > /dev/null 2>&1
+            fi
+            rm -rf /tmp/mokocli
+            CLONE_URL=https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/mokocli.git
+            git clone --depth 1 --branch main --quiet $CLONE_URL /tmp/mokocli
+            cd /tmp/mokocli && composer install --no-dev --no-interaction --quiet
+            echo MOKO_CLI=/tmp/mokocli/cli >> $GITHUB_ENV
+          fi
+
+      - name: Validate metadata against Joomla manifest
+        env:
+          GITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+        run: |
+          php ${MOKO_CLI}/joomla_metadata_validate.php \
+            --path . \
+            --token "${GITEA_TOKEN}" \
+            --org "${GITEA_ORG}" \
+            --repo "${GITEA_REPO}" \
+            --api-base "${GITEA_URL}/api/v1" \
+            --ci
+
+          if [ $? -ne 0 ]; then
+            echo "::error::Joomla metadata mismatch — update delivery will fail. Run 'php cli/joomla_metadata_validate.php' locally to see details."
+            exit 1
+          fi
@@ -4,20 +4,26 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Release
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# INGROUP: mokocli.Release
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 # PATH: /templates/workflows/universal/pre-release.yml.template
 # VERSION: 05.01.00
-# BRIEF: Manual pre-release -- builds dev/alpha/beta/rc packages from any branch
+# BRIEF: Auto pre-release on push to dev/alpha/beta/rc branches

 name: "Universal: Pre-Release"

 on:
-  pull_request:
-    types: [opened, ready_for_review, closed]
+  push:
    branches:
      - dev
-      - main
+      - 'fix/**'
+      - 'patch/**'
+      - 'hotfix/**'
+      - 'bugfix/**'
+      - 'chore/**'
+      - alpha
+      - beta
+      - rc
  workflow_dispatch:
    inputs:
      stability:
@@ -40,12 +46,11 @@ env:

 jobs:
  build:
-    name: "Build Pre-Release (${{ inputs.stability || (github.event.pull_request.base.ref == 'main' && 'release-candidate') || 'development' }})"
+    name: "Build Pre-Release (${{ inputs.stability || github.ref_name }})"
    runs-on: release
    if: >-
      github.event_name == 'workflow_dispatch' ||
-      (github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'dev') ||
-      (github.event.action != 'closed' && github.event.pull_request.base.ref == 'main')
+      github.event_name == 'push'

    steps:
      - name: Checkout
@@ -53,54 +58,59 @@ jobs:
        with:
          fetch-depth: 0
          token: ${{ secrets.MOKOGITEA_TOKEN }}
+          ref: ${{ github.ref_name }}

-      - name: Setup moko-platform tools
+      - name: Setup mokocli tools
        env:
          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
        run: |
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          # Use pre-installed /opt/mokocli if available (updated by cron every 6h)
+          if [ -f /opt/mokocli/cli/version_bump.php ] && [ -f /opt/mokocli/cli/manifest_element.php ] && [ -f /opt/mokocli/vendor/autoload.php ]; then
+            echo Using pre-installed /opt/mokocli
+            echo MOKO_CLI=/opt/mokocli/cli >> $GITHUB_ENV
+          else
+            echo Falling back to fresh clone
+            if ! command -v composer > /dev/null 2>&1; then
+              sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer > /dev/null 2>&1
+            fi
+            rm -rf /tmp/mokocli
+            CLONE_URL=https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/mokocli.git
+            git clone --depth 1 --branch main --quiet $CLONE_URL /tmp/mokocli
+            cd /tmp/mokocli && composer install --no-dev --no-interaction --quiet
+            echo MOKO_CLI=/tmp/mokocli/cli >> $GITHUB_ENV
          fi
-          # Always fetch latest CLI tools — never use stale cache from previous runs
-          rm -rf /tmp/moko-platform-api
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
-            /tmp/moko-platform-api
-          cd /tmp/moko-platform-api && composer install --no-dev --no-interaction --quiet
-          echo "MOKO_CLI=/tmp/moko-platform-api/cli" >> "$GITHUB_ENV"

      - name: Detect platform
        id: platform
        run: |
+          # Auto-detect and update platform if not set in manifest
+          php ${MOKO_CLI}/platform_detect.php --path . --github-output 2>/dev/null || true
          php ${MOKO_CLI}/manifest_read.php --path . --github-output

-      - name: Rename branch to rc on PR draft to main
-        if: >-
-          github.event.action != 'closed' &&
-          github.event.pull_request.base.ref == 'main'
+      - name: Check platform eligibility (Joomla only)
+        id: eligibility
        run: |
-          HEAD_BRANCH="${{ github.event.pull_request.head.ref }}"
-          if [ "$HEAD_BRANCH" != "rc" ]; then
-            git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-            git config --local user.name "gitea-actions[bot]"
-            git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-            git checkout -b rc
-            git push origin rc 2>&1 || true
-            # Update PR head branch via API
-            curl -s -X PATCH \
-              -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
-              -H "Content-Type: application/json" \
-              -d "{\"head\": \"rc\"}" \
-              "${GITEA_URL}/api/v1/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}" || true
+          PLATFORM="${{ steps.platform.outputs.platform }}"
+          if [[ "$PLATFORM" == joomla* ]] || [[ "$PLATFORM" == "joomla" ]]; then
+            echo "proceed=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "proceed=false" >> "$GITHUB_OUTPUT"
+            echo "::notice::Platform '$PLATFORM' — non-Joomla, skipping pre-release auto-bump"
          fi

      - name: Resolve metadata and bump version
        id: meta
+        if: steps.eligibility.outputs.proceed == 'true'
        run: |
-          # Auto-detect RC when PR targets main
-          if [ "${{ github.event.pull_request.base.ref }}" = "main" ] && [ "${{ github.event.action }}" != "closed" ]; then
-            STABILITY="release-candidate"
+          # Auto-detect stability from branch name on push, or use input on dispatch
+          if [ "${{ github.event_name }}" = "push" ]; then
+            case "${{ github.ref_name }}" in
+              rc)    STABILITY="release-candidate" ;;
+              alpha) STABILITY="alpha" ;;
+              beta)  STABILITY="beta" ;;
+              *)     STABILITY="development" ;;
+            esac
          else
            STABILITY="${{ inputs.stability || 'development' }}"
          fi
@@ -112,20 +122,26 @@ jobs:
            release-candidate)  SUFFIX="-rc";    TAG="release-candidate" ;;
          esac

-          # Read current version (bump already handled by push workflow)
-          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null)
-          [ -z "$VERSION" ] && VERSION="00.00.01"
+          # Bump version via CLI: patch for dev/alpha/beta, minor for RC
+          case "$STABILITY" in
+            release-candidate) BUMP="minor" ;;
+            *)                 BUMP="patch" ;;
+          esac

-          # Strip any existing suffix from version before applying stability
+          php ${MOKO_CLI}/version_bump.php --path . $([ "$BUMP" = "minor" ] && echo "--minor") 2>/dev/null || true
+
+          # Set stability suffix and verify consistency
+          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null || echo "00.00.01")
          VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')

          php ${MOKO_CLI}/version_set_platform.php \
            --path . --version "$VERSION" --branch "${{ github.ref_name }}" --stability "$STABILITY" 2>/dev/null || true
-
-          # Verify version consistency across all files
          php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true

-          # Update VERSION variable with suffix
+          # Ensure licensing tags (updateservers, dlid) if enabled in manifest.xml
+          php ${MOKO_CLI}/manifest_licensing.php --path . --fix 2>/dev/null || true
+
+          # Append suffix for output
          if [ -n "$SUFFIX" ]; then
            VERSION="${VERSION}${SUFFIX}"
          fi
@@ -162,6 +178,7 @@ jobs:

      - name: Create release
        id: release
+        if: steps.eligibility.outputs.proceed == 'true'
        run: |
          TAG="${{ steps.meta.outputs.tag }}"
          VERSION="${{ steps.meta.outputs.version }}"
@@ -171,8 +188,45 @@ jobs:
            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
            --repo "${GITEA_REPO}" --branch "${{ github.ref_name }}" --prerelease

+      - name: Update release notes from CHANGELOG.md
+        if: steps.eligibility.outputs.proceed == 'true'
+        run: |
+          TAG="${{ steps.meta.outputs.tag }}"
+          VERSION="${{ steps.meta.outputs.version }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+
+          # Extract [Unreleased] section from changelog (everything between [Unreleased] and next ## heading)
+          if [ -f "CHANGELOG.md" ]; then
+            NOTES=$(awk '/^## \[Unreleased\]/{found=1; next} /^## \[/{if(found) exit} found{print}' CHANGELOG.md)
+            [ -z "$NOTES" ] && NOTES="Release ${VERSION}"
+          else
+            NOTES="Release ${VERSION}"
+          fi
+
+          # Update release body via API
+          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
+            "${API_BASE}/releases/tags/${TAG}" | python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
+
+          if [ -n "$RELEASE_ID" ]; then
+            python3 -c "
+          import json, urllib.request
+          body = open('/dev/stdin').read()
+          payload = json.dumps({'body': body}).encode()
+          req = urllib.request.Request(
+              '${API_BASE}/releases/${RELEASE_ID}',
+              data=payload, method='PATCH',
+              headers={
+                  'Authorization': 'token ${{ secrets.MOKOGITEA_TOKEN }}',
+                  'Content-Type': 'application/json'
+              })
+          urllib.request.urlopen(req)
+          " <<< "$NOTES"
+            echo "Release notes updated from CHANGELOG.md"
+          fi
+
      - name: Build package and upload
        id: package
+        if: steps.eligibility.outputs.proceed == 'true'
        run: |
          VERSION="${{ steps.meta.outputs.version }}"
          TAG="${{ steps.meta.outputs.tag }}"
@@ -182,57 +236,11 @@ jobs:
            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
            --repo "${GITEA_REPO}" --output /tmp || true

-      - name: Update updates.xml
-        if: steps.platform.outputs.platform == 'joomla'
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          SHA256="${{ steps.package.outputs.sha256_zip }}"
-
-          if [ ! -f "updates.xml" ]; then
-            echo "No updates.xml -- skipping"
-            exit 0
-          fi
-
-          SHA_FLAG=""
-          [ -n "$SHA256" ] && SHA_FLAG="--sha ${SHA256}"
-
-          php ${MOKO_CLI}/updates_xml_build.php \
-            --path . --version "${VERSION}" --stability "${STABILITY}" \
-            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
-            ${SHA_FLAG}
-
-          # Commit and push
-          if ! git diff --quiet updates.xml 2>/dev/null; then
-            git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-            git config --local user.name "gitea-actions[bot]"
-            git add updates.xml
-            git commit -m "chore: update ${STABILITY} channel ${VERSION} [skip ci]"
-            git push origin HEAD 2>&1 || echo "WARNING: push failed"
-          fi
-
-      - name: "Sync updates.xml to all branches"
-        if: steps.platform.outputs.platform == 'joomla'
-        run: |
-          CURRENT_BRANCH="${{ github.ref_name }}"
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-
-          for BRANCH in main dev; do
-            [ "$BRANCH" = "$CURRENT_BRANCH" ] && continue
-            echo "Syncing updates.xml -> ${BRANCH}"
-            git fetch origin "${BRANCH}" 2>/dev/null || continue
-            git checkout "origin/${BRANCH}" -- updates.xml 2>/dev/null || continue
-            git checkout "${CURRENT_BRANCH}" -- updates.xml
-            if ! git diff --quiet updates.xml 2>/dev/null; then
-              git add updates.xml
-              git commit -m "chore: sync updates.xml from ${CURRENT_BRANCH} [skip ci]"
-              git push origin HEAD:refs/heads/${BRANCH} 2>&1 || echo "WARNING: push to ${BRANCH} failed"
-            fi
-            git checkout "${CURRENT_BRANCH}" 2>/dev/null
-          done
+      # updates.xml is generated dynamically by MokoGitea license server
+      # No need to build, commit, or sync updates.xml from workflows

      - name: "Delete lesser pre-release channels (cascade)"
+        if: steps.eligibility.outputs.proceed == 'true'
        continue-on-error: true
        run: |
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
@@ -0,0 +1,66 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: mokocli.Universal
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
+# PATH: /.mokogitea/workflows/rc-revert.yml
+# VERSION: 09.23.00
+# BRIEF: Rename rc/ branch back to dev/ when PR is closed without merge
+
+name: "RC Revert"
+
+on:
+  pull_request:
+    types: [closed]
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  revert:
+    name: Rename rc/ back to dev/
+    runs-on: ubuntu-latest
+    if: >-
+      github.event.pull_request.merged == false &&
+      startsWith(github.event.pull_request.head.ref, 'rc/')
+
+    steps:
+      - name: Rename branch
+        run: |
+          BRANCH="${{ github.event.pull_request.head.ref }}"
+          SUFFIX="${BRANCH#rc/}"
+          DEV_BRANCH="dev/${SUFFIX}"
+          API="${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}/api/v1/repos/${{ github.repository }}/branches"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
+
+          # Create dev/ branch from rc/ branch
+          STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X POST \
+            -H "Authorization: token ${TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d "{\"new_branch_name\": \"${DEV_BRANCH}\", \"old_branch_name\": \"${BRANCH}\"}" \
+            "${API}" 2>/dev/null || true)
+
+          if [ "$STATUS" = "201" ]; then
+            echo "Created branch: ${DEV_BRANCH}" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "::error::Failed to create ${DEV_BRANCH} from ${BRANCH} (HTTP ${STATUS})"
+            exit 1
+          fi
+
+          # Delete rc/ branch
+          ENCODED=$(php -r "echo rawurlencode('${BRANCH}');")
+          STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X DELETE \
+            -H "Authorization: token ${TOKEN}" \
+            "${API}/${ENCODED}" 2>/dev/null || true)
+
+          if [ "$STATUS" = "204" ]; then
+            echo "Deleted branch: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "::warning::Failed to delete ${BRANCH} (HTTP ${STATUS})"
+          fi
+
+          echo "### RC Reverted" >> $GITHUB_STEP_SUMMARY
+          echo "${BRANCH} → ${DEV_BRANCH}" >> $GITHUB_STEP_SUMMARY
@@ -7,11 +7,11 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Validation
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
+# INGROUP: mokocli.Validation
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/mokocli
 # PATH: /templates/workflows/joomla/repo_health.yml.template
-# VERSION: 04.06.00
-# BRIEF: Enforces repository guardrails by validating release configuration, scripts governance, tooling availability, and core repository health artifacts.
+# VERSION: 09.23.00
+# BRIEF: Enforces repository guardrails by validating scripts governance, tooling availability, and core repository health artifacts.
 # ============================================================================

 name: "Generic: Repo Health"
@@ -24,26 +24,22 @@ on:
  workflow_dispatch:
    inputs:
      profile:
-        description: 'Validation profile: all, release, scripts, or repo'
+        description: 'Validation profile: all, scripts, or repo'
        required: true
        default: all
        type: choice
        options:
          - all
-          - release
          - scripts
          - repo
  pull_request:
-  push:
+    branches:
+      - main

 permissions:
  contents: read

 env:
-  # Release policy - Repository Variables Only
-  RELEASE_REQUIRED_REPO_VARS: RS_FTP_PATH_SUFFIX
-  RELEASE_OPTIONAL_REPO_VARS: DEV_FTP_SUFFIX
-
  # Scripts governance policy
  SCRIPTS_REQUIRED_DIRS:
  SCRIPTS_ALLOWED_DIRS: scripts,scripts/fix,scripts/lib,scripts/release,scripts/run,scripts/validate
@@ -138,101 +134,6 @@ jobs:
          printf '%s\n' 'ERROR: Access denied. Admin permission required.' >> "${GITHUB_STEP_SUMMARY}"
          exit 1

-  release_config:
-    name: Release configuration
-    needs: access_check
-    if: ${{ needs.access_check.outputs.allowed == 'true' }}
-    runs-on: ubuntu-latest
-    timeout-minutes: 20
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          fetch-depth: 0
-
-      - name: Guardrails release vars
-        env:
-          PROFILE_RAW: ${{ github.event.inputs.profile }}
-          RS_FTP_PATH_SUFFIX: ${{ vars.RS_FTP_PATH_SUFFIX }}
-          DEV_FTP_SUFFIX: ${{ vars.DEV_FTP_SUFFIX }}
-        run: |
-          set -euo pipefail
-
-          profile="${PROFILE_RAW:-all}"
-          case "${profile}" in
-            all|release|scripts|repo) ;;
-            *)
-              printf '%s\n' "ERROR: Unknown profile: ${profile}" >> "${GITHUB_STEP_SUMMARY}"
-              exit 1
-              ;;
-          esac
-
-          if [ "${profile}" = 'scripts' ] || [ "${profile}" = 'repo' ]; then
-            {
-              printf '%s\n' '### Release configuration (Repository Variables)'
-              printf '%s\n' "Profile: ${profile}"
-              printf '%s\n' 'Status: SKIPPED'
-              printf '%s\n' 'Reason: profile excludes release validation'
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-            exit 0
-          fi
-
-          IFS=',' read -r -a required <<< "${RELEASE_REQUIRED_REPO_VARS}"
-          IFS=',' read -r -a optional <<< "${RELEASE_OPTIONAL_REPO_VARS}"
-
-          missing=()
-          missing_optional=()
-
-          for k in "${required[@]}"; do
-            v="${!k:-}"
-            [ -z "${v}" ] && missing+=("${k}")
-          done
-
-          for k in "${optional[@]}"; do
-            v="${!k:-}"
-            [ -z "${v}" ] && missing_optional+=("${k}")
-          done
-
-          {
-            printf '%s\n' '### Release configuration (Repository Variables)'
-            printf '%s\n' "Profile: ${profile}"
-            printf '%s\n' '| Variable | Status |'
-            printf '%s\n' '|---|---|'
-            printf '%s\n' "| RS_FTP_PATH_SUFFIX | ${RS_FTP_PATH_SUFFIX:-NOT SET} |"
-            printf '%s\n' "| DEV_FTP_SUFFIX | ${DEV_FTP_SUFFIX:-NOT SET} |"
-            printf '\n'
-          } >> "${GITHUB_STEP_SUMMARY}"
-
-          if [ "${#missing_optional[@]}" -gt 0 ]; then
-            {
-              printf '%s\n' '### Missing optional repository variables'
-              for m in "${missing_optional[@]}"; do printf '%s\n' "- ${m}"; done
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-          fi
-
-          if [ "${#missing[@]}" -gt 0 ]; then
-            {
-              printf '%s\n' '### Missing required repository variables'
-              for m in "${missing[@]}"; do printf '%s\n' "- ${m}"; done
-              printf '%s\n' 'ERROR: Guardrails failed. Missing required repository variables.'
-            } >> "${GITHUB_STEP_SUMMARY}"
-            exit 1
-          fi
-
-          {
-            printf '%s\n' '### Repository variables validation result'
-            printf '%s\n' 'Status: OK'
-            printf '%s\n' 'All required repository variables present.'
-            printf '%s\n' ''
-            printf '%s\n' '**Note**: Organization secrets (RS_FTP_HOST, RS_FTP_USER, etc.) are validated at deployment time, not in repository health checks.'
-            printf '\n'
-          } >> "${GITHUB_STEP_SUMMARY}"
-
  scripts_governance:
    name: Scripts governance
    needs: access_check
@@ -256,14 +157,14 @@ jobs:

          profile="${PROFILE_RAW:-all}"
          case "${profile}" in
-            all|release|scripts|repo) ;;
+            all|scripts|repo) ;;
            *)
              printf '%s\n' "ERROR: Unknown profile: ${profile}" >> "${GITHUB_STEP_SUMMARY}"
              exit 1
              ;;
          esac

-          if [ "${profile}" = 'release' ] || [ "${profile}" = 'repo' ]; then
+          if [ "${profile}" = 'repo' ]; then
            {
              printf '%s\n' '### Scripts governance'
              printf '%s\n' "Profile: ${profile}"
@@ -370,14 +271,14 @@ jobs:

          profile="${PROFILE_RAW:-all}"
          case "${profile}" in
-            all|release|scripts|repo) ;;
+            all|scripts|repo) ;;
            *)
              printf '%s\n' "ERROR: Unknown profile: ${profile}" >> "${GITHUB_STEP_SUMMARY}"
              exit 1
              ;;
          esac

-          if [ "${profile}" = 'release' ] || [ "${profile}" = 'scripts' ]; then
+          if [ "${profile}" = 'scripts' ]; then
            {
              printf '%s\n' '### Repository health'
              printf '%s\n' "Profile: ${profile}"
@@ -704,7 +605,7 @@ jobs:
            printf '%s\n' '| Domain | Status | Notes |'
            printf '%s\n' '|---|---|---|'
            printf '%s\n' '| Access control | OK | Admin-only execution gate |'
-            printf '%s\n' '| Release variables | OK | Repository variables validation |'
+            printf '%s\n' '| Release policy | N/A | Releases handled by MokoGitea |'
            printf '%s\n' '| Scripts governance | OK | Directory policy and advisory reporting |'
            printf '%s\n' '| Repo required artifacts | OK | Required, optional, disallowed enforcement |'
            printf '%s\n' '| Repo content heuristics | OK | Brand, license, changelog structure |'
@@ -767,3 +668,45 @@ jobs:
          echo "### Site Health" >> $GITHUB_STEP_SUMMARY
          echo "Uptime and SSL checks completed." >> $GITHUB_STEP_SUMMARY

+  # ═══════════════════════════════════════════════════════════════════════
+  # Issue Reporter — file issues for failed gates
+  # ═══════════════════════════════════════════════════════════════════════
+  report-issues:
+    name: "Report Issues"
+    runs-on: ubuntu-latest
+    needs: [access_check, scripts_governance, repo_health]
+    if: >-
+      always() &&
+      (needs.scripts_governance.result == 'failure' ||
+       needs.repo_health.result == 'failure')
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: automation/ci-issue-reporter.sh
+          sparse-checkout-cone-mode: false
+
+      - name: "File issues for failed gates"
+        env:
+          GITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+          GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+        run: |
+          chmod +x automation/ci-issue-reporter.sh
+          REPORTER="./automation/ci-issue-reporter.sh"
+          WF="Repo Health"
+
+          report_gate() {
+            local gate="$1" result="$2" details="$3"
+            if [ "$result" = "failure" ]; then
+              "$REPORTER" --gate "$gate" --details "$details" --workflow "$WF" --severity error
+            fi
+          }
+
+          report_gate "Scripts Governance" \
+            "${{ needs.scripts_governance.result }}" \
+            "Scripts directory policy violations detected. Review required and allowed directories."
+
+          report_gate "Repository Health" \
+            "${{ needs.repo_health.result }}" \
+            "Repository health checks failed — missing required artifacts, disallowed files, or content warnings. Check the CI run summary."
@@ -0,0 +1,73 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: mokocli.Universal
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
+# PATH: /.mokogitea/workflows/workflow-sync-trigger.yml
+# VERSION: 01.01.00
+# BRIEF: Trigger workflow sync to live repos when a PR is merged to main
+
+name: "Universal: Workflow Sync Trigger"
+
+on:
+  pull_request:
+    types: [closed]
+    branches:
+      - main
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  sync:
+    name: Sync workflows to live repos
+    runs-on: ubuntu-latest
+    if: >-
+      github.event.pull_request.merged == true &&
+      !contains(github.event.pull_request.title, '[skip sync]')
+
+    steps:
+      - name: Determine platform from repo name
+        id: platform
+        run: |
+          REPO="${{ github.event.repository.name }}"
+          case "$REPO" in
+            Template-Joomla)   PLATFORM="joomla" ;;
+            Template-Dolibarr) PLATFORM="dolibarr" ;;
+            Template-Go)       PLATFORM="go" ;;
+            Template-MCP)      PLATFORM="mcp" ;;
+            Template-Generic)  PLATFORM="" ;;
+            *)                 PLATFORM="" ;;
+          esac
+          echo "platform=$PLATFORM" >> "$GITHUB_OUTPUT"
+          echo "Platform: ${PLATFORM:-all}"
+
+      - name: Clone mokocli
+        env:
+          MOKOGITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+        run: |
+          GITEA_URL="${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}"
+          git clone --depth 1 "${GITEA_URL}/MokoConsulting/mokocli.git" /tmp/mokocli
+
+      - name: Install dependencies
+        run: |
+          cd /tmp/mokocli
+          composer install --no-dev --no-interaction --quiet 2>/dev/null || true
+
+      - name: Run workflow sync
+        env:
+          MOKOGITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+        run: |
+          ARGS="--token ${MOKOGITEA_TOKEN}"
+          ARGS="${ARGS} --org ${{ vars.GITEA_ORG || github.repository_owner }}"
+          ARGS="${ARGS} --phase repos"
+
+          PLATFORM="${{ steps.platform.outputs.platform }}"
+          if [ -n "$PLATFORM" ]; then
+            ARGS="${ARGS} --platform-filter ${PLATFORM}"
+          fi
+
+          php /tmp/mokocli/cli/workflow_sync.php ${ARGS}
@@ -1,12 +1,17 @@
 # Changelog

-<!-- VERSION: 01.00.01 -->
+## [Unreleased]

-All notable changes to MokoJoomOpenGraph will be documented in this file.
+## [01.02.00] --- 2026-06-21
+
+
+<!-- VERSION: 01.02.00 -->
+
+All notable changes to MokoSuiteOpenGraph will be documented in this file.

 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).

-## [Unreleased]
+## [01.02.00] --- 2026-06-21

 ### Security
 - Fix JSON-LD XSS vulnerability via `</script>` injection in content data (#34)
@@ -25,9 +30,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 - CSV import/export for bulk OG tag management (#12)
 - OG image text overlay generator (#7)
 - Multilingual OG tag support with per-language records (#11)
- JSON-LD structured data: Article, WebPage, BreadcrumbList schemas (#6)
+- JSON-LD structured data: Article, Product, WebPage, BreadcrumbList schemas (#6)
 - Social platform debugger quick links (Facebook, LinkedIn, Google) (#9)
- Content type adapter architecture for K2, VirtueMart, HikaShop (#5)
+- MokoSuiteShop product OG tag support with pricing meta and JSON-LD Product schema (#53)
 - WhatsApp and Telegram link preview optimization (#10)
 - Category-level OG tag support (#4)
 - Batch OG tag generation for existing articles (#1)
@@ -40,5 +45,17 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 - Facebook App ID and Telegram channel support
 - Database table `#__mokoog_tags` with multilingual unique key

+### Changed
+- Consolidated article DB queries into single cached lookup — 5 queries reduced to 1 (#38)
+- Dynamic `og:image:width`/`og:image:height` from actual image dimensions instead of hardcoded (#39)
+- Replace GD `@` error suppression with `Log::add()` warnings (#49)
+- TagTable::check() validates og_type, field lengths, canonical_url, robots directives (#43)
+- CSV import/export now includes language column for multilingual support (#52)
+- Batch process limit capped at 200 per request (#42)
+- Canonical URL replacement uses public `getHeadData()`/`setHeadData()` API (#39)
+- Language-aware queries on `loadOgDataByType()` and `loadOgDataByMenu()` (#47)
+
 ### Removed
- Removed deploy-manual.yml workflow — using Joomla update server for distribution
+- Removed dead ContentType adapters (K2, VirtueMart, HikaShop) — not targeting these platforms (#36)
+- Removed `<updateservers>` from package manifest — managed externally (#44)
+- Removed deploy-manual.yml workflow
@@ -1,78 +0,0 @@
-# CLAUDE.md
-
-This file provides guidance to Claude Code when working with this repository.
-
-## Project Overview
-
-**MokoJoomOpenGraph** -- Open Graph, Twitter Card, and social sharing meta tag management for Joomla
-
-| Field | Value |
-|---|---|
-| **Platform** | joomla |
-| **Language** | PHP |
-| **Default branch** | main |
-| **License** | GPL-3.0-or-later |
-| **Wiki** | [MokoJoomOpenGraph Wiki](https://git.mokoconsulting.tech/MokoConsulting/MokoJoomOpenGraph/wiki) |
-| **Standards** | [MokoStandards](https://git.mokoconsulting.tech/MokoConsulting/moko-platform/wiki/Home) |
-
-## Common Commands
-
-```bash
-make build        # Build the project
-make lint         # Run linters
-make validate     # Validate structure
-make release      # Full release pipeline
-make minify       # Minify CSS/JS assets
-make clean        # Clean build artifacts
-```
-
-```bash
-composer install  # Install PHP dependencies
-```
-
-## Architecture
-
-This is a Joomla **package** extension (`pkg_mokoog`) containing three sub-extensions:
-
-### com_mokoog (Component)
- Admin backend for viewing and managing all OG tag records
- Joomla 4/5 MVC: `Controller/DisplayController`, `Model/TagsModel`, `View/Tags/HtmlView`, `Table/TagTable`
- Namespace: `Joomla\Component\MokoOG\Administrator`
- Database table: `#__mokoog_tags` — stores custom OG data per content item
-
-### plg_system_mokoog (System Plugin)
- Hooks `onBeforeCompileHead` to inject `<meta property="og:*">` and `<meta name="twitter:*">` tags
- Auto-generates tags from article title, description, and images when no custom tags exist
- Supports articles (`com_content`), menu items, and extensible content types
- Namespace: `Joomla\Plugin\System\MokoOG`
-
-### plg_content_mokoog (Content Plugin)
- Hooks `onContentPrepareForm` to add OG fields tab to article and menu item editors
- Hooks `onContentAfterSave` / `onContentAfterDelete` to persist/clean OG data
- Namespace: `Joomla\Plugin\Content\MokoOG`
-
-### Database Schema
-
-Single table `#__mokoog_tags`:
- `content_type` + `content_id` = unique key identifying any content item
- `og_title`, `og_description`, `og_image`, `og_type` = custom OG overrides
- `published` flag for enabling/disabling per-item
-
-## Rules
-
- **Never commit** `.claude/`, `.mcp.json`, `TODO.md`, or `*.min.css`/`*.min.js`
- **Attribution**: use `Authored-by: Moko Consulting` in commits
- **Branch strategy**: develop on `dev`, merge to `main` for release
- **Minification**: handled at build time (CI)
- **Wiki**: documentation lives in the Gitea wiki, not in `docs/` files
- **Standards**: this repo follows [MokoStandards](https://git.mokoconsulting.tech/MokoConsulting/moko-platform/wiki/Home)
-
-## Coding Standards
-
- PHP 8.1+ minimum
- Joomla 4/5 DI container pattern: `services/provider.php` → Extension class
- Legacy stub `.php` file required for plugin loader but empty
- `SubscriberInterface` for event subscription (not `on*` method naming)
- `bind() → check() → store()` for Table operations (not `save()`)
- Language file placement: site (no `folder`) vs admin (`folder="administrator"`)
- SPDX license headers on all PHP files
@@ -0,0 +1,318 @@
+# MokoSuiteOpenGraph — Code Assessment Issues
+
+Generated: 2026-06-06
+Updated: 2026-06-21
+Reviewed: Full codebase (all PHP, SQL, XML, JS, CSS, templates)
+
+---
+
+## Status Legend
+
+- FIXED — Verified resolved in codebase
+- OPEN — Still present, needs work
+- WONTFIX — Intentional or acceptable as-is
+
+---
+
+## Bugs
+
+### BUG-01: Batch generation offset pagination skips articles — FIXED
+
+**Severity:** High
+**File:** `source/packages/com_mokoog/src/Controller/BatchController.php:89`
+
+The `process()` method now correctly uses `$db->setQuery($query, 0, $limit)` with a comment explaining that processed articles are automatically excluded by the LEFT JOIN filter.
+
+---
+
+### BUG-02: License key session flag set before check completes — FIXED
+
+**Severity:** Medium
+**File:** `source/packages/plg_system_mokoog/src/Extension/MokoOG.php:543`
+
+Session flag is now set after the DB query succeeds, inside the try block but after query setup. If the query throws, the catch block runs without the flag being set.
+
+---
+
+### BUG-03: Hardcoded og:image dimensions are often wrong — FIXED
+
+**Severity:** Medium
+**File:** `source/packages/plg_system_mokoog/src/Extension/MokoOG.php:129-134`
+
+Now uses `$this->getImageDimensions($image)` which calls `getimagesize()` to detect actual dimensions. Dimension meta tags only emitted when dimensions are successfully detected.
+
+---
+
+### BUG-04: `strlen()` vs `mb_strlen()` inconsistency in truncation — FIXED
+
+**Severity:** Low
+**Files:** MokoOG.php, BatchController.php, HikaShopAdapter.php, K2Adapter.php
+
+All instances now consistently use `mb_strlen()` for length checks with `mb_substr()` for truncation.
+
+---
+
+### BUG-05: `ImageGenerator::wrapText()` can produce broken output — FIXED
+
+**Severity:** Low
+**File:** `source/packages/plg_system_mokoog/src/Helper/ImageGenerator.php:156`
+
+Now checks `mb_strlen($lines[2]) > 3` before truncating. Short lines get `'...'` appended instead.
+
+---
+
+## Potential Issues
+
+### ISSUE-01: ContentType adapters exist but are never wired up — OPEN
+
+**Severity:** High (wasted code)
+**Files:**
+- `source/packages/com_mokoog/src/ContentType/ContentTypeInterface.php`
+- `source/packages/com_mokoog/src/ContentType/HikaShopAdapter.php`
+- `source/packages/com_mokoog/src/ContentType/K2Adapter.php`
+- `source/packages/com_mokoog/src/ContentType/VirtueMartAdapter.php`
+
+The system plugin (`MokoOG.php`) still never references or loads these adapters. The `findImage()` and `loadOgData()` methods only handle `com_content`. Third-party content types get no auto-generated OG tags.
+
+**Action:** Wire adapters into the system plugin's `onBeforeCompileHead` flow, or remove them if not planned for v1.
+
+---
+
+### ISSUE-02: `applySeoTags()` accesses internal `$doc->_links` property — OPEN
+
+**Severity:** Medium
+**File:** `source/packages/plg_system_mokoog/src/Extension/MokoOG.php:257-259`
+
+Still directly accessing `$doc->_links` (protected/internal property). Fragile across Joomla versions.
+
+**Fix:** Use `$doc->getHeadData()` to read links and `$doc->addHeadLink()` with proper clearing logic.
+
+---
+
+### ISSUE-03: No input sanitization on OG values before output — OPEN
+
+**Severity:** Medium
+**File:** `source/packages/plg_content_mokoog/src/Extension/MokoOGContent.php`
+
+No `htmlspecialchars()` or `InputFilter` found in the content plugin's save path. While Joomla's `setMetaData()` escapes on output, defense-in-depth recommends sanitizing on input.
+
+**Fix:** Apply `htmlspecialchars()` or Joomla's `InputFilter` when saving OG data.
+
+---
+
+### ISSUE-04: `loadOgDataByType()` and `loadOgDataByMenu()` ignore language — OPEN
+
+**Severity:** Medium
+**Files:**
+- `source/packages/plg_system_mokoog/src/Extension/MokoOG.php:324-337` (`loadOgDataByType`)
+- `source/packages/plg_system_mokoog/src/Extension/MokoOG.php:346-359` (`loadOgDataByMenu`)
+
+These methods still have no language filter. On multilingual sites, category fallback or menu OG data could come from any language. The unique key is now `(content_type, content_id, language)` but these queries don't filter by language, so `loadObject()` returns an arbitrary match.
+
+**Fix:** Add the same language filter pattern used in `loadOgData()`.
+
+---
+
+### ISSUE-05: VirtueMart adapter interpolates language into table name — OPEN (low risk)
+
+**Severity:** Low (defense-in-depth)
+**File:** `source/packages/com_mokoog/src/ContentType/VirtueMartAdapter.php:34,47`
+
+Language tag is interpolated into the table name. While `quoteName()` wraps the result, the language tag itself is not validated against an allowlist.
+
+**Fix:** Validate tag format with a regex before interpolation.
+
+---
+
+### ISSUE-06: No admin list controller for publish/delete operations — OPEN
+
+**Severity:** Medium
+**File:** `source/packages/com_mokoog/src/Controller/`
+
+No `TagsController extends AdminController` exists. The admin list view toolbar buttons for delete/publish/unpublish will produce task routing errors.
+
+**Fix:** Add a `TagsController extends AdminController` with proper CSRF and ACL checks.
+
+---
+
+### ISSUE-07: CSV import/export does not handle `language` column — OPEN
+
+**Severity:** Low
+**File:** `source/packages/com_mokoog/src/Controller/ImportExportController.php`
+
+No reference to `language` found in the controller. Export omits the column, import creates records with default `*` language. Multilingual sites cannot bulk import/export language-specific OG data.
+
+**Fix:** Add `language` as a column in export, and parse it on import with a fallback to `*`.
+
+---
+
+### ISSUE-08: No ACL check in content plugin form injection — WONTFIX
+
+**Severity:** Low
+**File:** `source/packages/plg_content_mokoog/src/Extension/MokoOGContent.php:49`
+
+Any user who can edit an article can modify OG tags. This is acceptable behavior for most sites — if you can edit the article, you should be able to control its social sharing appearance.
+
+---
+
+## New Issues (Found 2026-06-21)
+
+### ISSUE-09: ImageGenerator uses @ error suppression on GD functions
+
+**Severity:** Medium
+**File:** `source/packages/plg_system_mokoog/src/Helper/ImageGenerator.php`
+
+All GD library calls use the `@` suppression operator, making debugging difficult. If the GD extension is missing or a font file is not found, failures are completely silent.
+
+**Fix:** Replace `@` suppression with proper error checking and logging via `Log::add()`.
+
+---
+
+### ISSUE-10: No TTF font file bundled or documented
+
+**Severity:** Medium
+**File:** `source/packages/plg_system_mokoog/src/Helper/ImageGenerator.php`
+
+The image generator requires a TTF font file for text overlay, but no font is included in the package and no fallback or documentation exists for configuring the font path.
+
+**Fix:** Bundle a permissively-licensed font (e.g., Open Sans, Noto Sans) or document the required configuration.
+
+---
+
+### ISSUE-11: ImageGenerator cache grows unbounded
+
+**Severity:** Low
+**File:** `source/packages/plg_system_mokoog/src/Helper/ImageGenerator.php`
+
+Generated images in `images/mokoog/generated/` are never cleaned up. On sites with many articles, this directory grows indefinitely.
+
+**Fix:** Add a cleanup CLI command or admin button (see FEAT-07), or implement LRU/TTL-based cache eviction.
+
+---
+
+### ISSUE-12: JSON-LD missing common schema types
+
+**Severity:** Low
+**File:** `source/packages/plg_system_mokoog/src/Helper/JsonLdBuilder.php`
+
+Only 4 schema types are implemented (Article, WebPage, BreadcrumbList, Organization). Missing: NewsArticle, BlogPosting, Product, VideoObject, Event — some of which correspond to existing `og_type` dropdown values.
+
+**Fix:** Add at least NewsArticle and BlogPosting as Article subtypes.
+
+---
+
+### ISSUE-13: No API input validation beyond field whitelisting
+
+**Severity:** Low
+**Files:**
+- `source/packages/com_mokoog/api/src/Controller/TagsController.php`
+- `source/packages/com_mokoog/api/src/View/Tags/JsonapiView.php`
+
+The REST API exposes full CRUD but has no validation for field content (e.g., max lengths, valid URLs for og_image/canonical_url, valid og_type values).
+
+**Fix:** Add validation rules matching the form XML constraints.
+
+---
+
+## Feature Expansion Opportunities
+
+### FEAT-01: Wire up ContentType adapter system — NOT IMPLEMENTED
+
+Connect the existing `ContentTypeInterface` adapters to the system plugin so HikaShop products, K2 items, and VirtueMart products automatically get OG tags. Blocked by ISSUE-01.
+
+---
+
+### FEAT-02: Admin edit view for individual OG tag records — NOT IMPLEMENTED
+
+A `TagModel` and `tag.xml` form exist but there's no edit template (`tmpl/tag/`) or `TagController`. Users can only manage OG tags through article/menu editors.
+
+---
+
+### FEAT-03: Publish/unpublish toggle in admin list — NOT IMPLEMENTED
+
+Blocked by ISSUE-06 (no TagsController). The list view shows published status as text but has no clickable toggle.
+
+---
+
+### FEAT-04: Actual image dimension detection for og:image meta — FIXED
+
+Implemented via `getImageDimensions()` method using `getimagesize()`. See BUG-03.
+
+---
+
+### FEAT-05: Duplicate OG tag detection — NOT IMPLEMENTED
+
+No detection for conflicting OG meta tags from other extensions.
+
+---
+
+### FEAT-06: Support og:video and og:audio URLs — NOT IMPLEMENTED
+
+No `og_video` or `og_audio` columns, form fields, or rendering logic found anywhere in the codebase.
+
+---
+
+### FEAT-07: Generated image cache cleanup — NOT IMPLEMENTED
+
+No CLI command or admin purge button. See ISSUE-11.
+
+---
+
+### FEAT-08: Sitemap integration — NOT IMPLEMENTED
+
+No sitemap generation or integration exists.
+
+---
+
+### FEAT-09: Social share preview in admin list — NOT IMPLEMENTED
+
+No thumbnails or inline validation in the admin list view. Live preview only exists in the article/menu editor (via plg_content_mokoog).
+
+---
+
+### FEAT-10: Bulk OG tag editing — NOT IMPLEMENTED
+
+No batch edit modal for selecting multiple items and changing common fields.
+
+---
+
+## Security Fixes (from CHANGELOG [Unreleased])
+
+All 4 claimed security fixes have been **verified as implemented**:
+
+| Fix | Status | Evidence |
+|-----|--------|----------|
+| JSON-LD XSS (#34) | IMPLEMENTED | `</` escaping in `JsonLdBuilder::toScriptTag()` |
+| ACL on Batch/ImportExport (#37) | IMPLEMENTED | `authorise()` checks on all controller methods |
+| CSV import validation (#35) | IMPLEMENTED | File type, MIME, size (2MB), content_type regex |
+| Multilingual data corruption (#41) | IMPLEMENTED | Language-aware load/save in content plugin |
+
+Additional security review found **no vulnerabilities** for: SQL injection, CSRF, file upload, path traversal, code injection, or XSS in output.
+
+---
+
+## Summary
+
+| Category | Total | Fixed | Open | Won't Fix |
+|----------|-------|-------|------|-----------|
+| Bugs | 5 | 5 | 0 | 0 |
+| Issues | 13 | 0 | 12 | 1 |
+| Features | 10 | 1 | 9 | 0 |
+| Security | 4 | 4 | 0 | 0 |
+
+### Priority for v1.0.0 Release
+
+**Must fix:**
+- ISSUE-06: TagsController for admin list operations (publish/delete broken)
+- ISSUE-04: Language filter on loadOgDataByType/loadOgDataByMenu (data integrity on multilingual sites)
+
+**Should fix:**
+- ISSUE-02: Replace `$doc->_links` access (Joomla version fragility)
+- ISSUE-03: Input sanitization on save (defense-in-depth)
+- ISSUE-09: GD error suppression (debuggability)
+- ISSUE-10: Bundle or document TTF font requirement
+
+**Nice to have for v1.0.0:**
+- FEAT-02: Admin edit view
+- FEAT-03: Publish/unpublish toggle
+- ISSUE-07: Language column in CSV import/export
@@ -1,12 +1,12 @@
-# MokoJoomOpenGraph
+# MokoSuiteOpenGraph

-<!-- VERSION: 01.00.01 -->
+<!-- VERSION: 01.02.00 -->

 Open Graph, Twitter Card, and social sharing meta tag management for Joomla 4/5/6.

 ## Overview

-MokoJoomOpenGraph gives you full control over how your Joomla content appears when shared on Facebook, Twitter/X, LinkedIn, Discord, WhatsApp, Telegram, and other social platforms. Set custom titles, descriptions, and images per article, menu item, and category — or let the extension auto-generate them from your existing content.
+MokoSuiteOpenGraph gives you full control over how your Joomla content appears when shared on Facebook, Twitter/X, LinkedIn, Discord, WhatsApp, Telegram, and other social platforms. Set custom titles, descriptions, and images per article, menu item, and category — or let the extension auto-generate them from your existing content.

 ## Features

@@ -31,7 +31,7 @@ MokoJoomOpenGraph gives you full control over how your Joomla content appears wh
 - **Meta description** — Per-page meta description control
 - **Robots directive** — Per-page noindex/nofollow settings
 - **Canonical URL** — Custom canonical URL overrides
- **JSON-LD structured data** — Article, WebPage, BreadcrumbList, Organization schemas
+- **JSON-LD structured data** — Article, Product, WebPage, BreadcrumbList, Organization schemas

 ### Admin Tools
 - **Tag manager dashboard** — View and manage all OG records centrally
@@ -43,19 +43,19 @@ MokoJoomOpenGraph gives you full control over how your Joomla content appears wh

 ### Developer Features
 - **REST API** — Full CRUD via Joomla Web Services (`/api/v1/mokoog/tags`)
- **Content type adapters** — Extensible architecture for K2, VirtueMart, HikaShop
+- **MokoSuiteShop integration** — Auto-generated OG/JSON-LD for product pages with pricing meta
 - **Plugin event** — `onMokoOGAfterRender` for third-party plugins to add custom social tags
 - **OG image generator** — Text overlay on template backgrounds with auto-resize to 1200x630

 ## Installation

-1. Download the latest `pkg_mokoog-*.zip` from [Releases](https://git.mokoconsulting.tech/MokoConsulting/MokoJoomOpenGraph/releases)
+1. Download the latest `pkg_mokoog-*.zip` from [Releases](https://git.mokoconsulting.tech/MokoConsulting/MokoSuiteOpenGraph/releases)
 2. In Joomla Administrator → Extensions → Install → Upload Package File
 3. All plugins are enabled automatically on install

 ## Configuration

-Navigate to **Extensions → Plugins → System - MokoJoomOpenGraph** to configure:
+Navigate to **Extensions → Plugins → System - MokoSuiteOpenGraph** to configure:
 - Site name override
 - Default OG title and description (site-wide fallback)
 - Default fallback image
@@ -0,0 +1,237 @@
+#!/usr/bin/env bash
+# ============================================================================
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Automation.CI
+# INGROUP: moko-platform.Automation
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# PATH: /automation/ci-issue-reporter.sh
+# VERSION: 09.23.00
+# BRIEF: Creates or updates a Gitea issue when a CI gate fails.
+#        Deduplicates by searching open issues with the "ci-auto" label
+#        whose title matches the gate. If a matching issue exists, a comment
+#        is appended instead of opening a duplicate.
+# ============================================================================
+
+set -euo pipefail
+
+# ── Defaults ────────────────────────────────────────────────────────────────
+GITEA_URL="${GITEA_URL:-https://git.mokoconsulting.tech}"
+GITEA_TOKEN="${GITEA_TOKEN:-}"
+REPO="${GITHUB_REPOSITORY:-}"
+RUN_URL="${GITHUB_SERVER_URL:-${GITEA_URL}}/${REPO}/actions/runs/${GITHUB_RUN_ID:-0}"
+LABEL_NAME="ci-auto"
+LABEL_COLOR="#e11d48"
+
+GATE=""
+DETAILS=""
+SEVERITY="error"
+WORKFLOW=""
+
+# ── Parse arguments ─────────────────────────────────────────────────────────
+usage() {
+  cat <<EOF
+Usage: ci-issue-reporter.sh --gate NAME --details TEXT [OPTIONS]
+
+Required:
+  --gate      CI gate name (e.g. "Code Quality", "Self-Health")
+  --details   Human-readable failure description
+
+Optional:
+  --severity  "error" (default) or "warning"
+  --workflow  Workflow name for the issue title
+  --repo      owner/repo (default: \$GITHUB_REPOSITORY)
+  --run-url   URL to the CI run (auto-detected from env)
+  --token     Gitea API token (default: \$GITEA_TOKEN)
+  --url       Gitea base URL (default: \$GITEA_URL)
+EOF
+  exit 1
+}
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --gate)     GATE="$2";       shift 2 ;;
+    --details)  DETAILS="$2";    shift 2 ;;
+    --severity) SEVERITY="$2";   shift 2 ;;
+    --workflow) WORKFLOW="$2";   shift 2 ;;
+    --repo)     REPO="$2";      shift 2 ;;
+    --run-url)  RUN_URL="$2";   shift 2 ;;
+    --token)    GITEA_TOKEN="$2"; shift 2 ;;
+    --url)      GITEA_URL="$2"; shift 2 ;;
+    -h|--help)  usage ;;
+    *)          echo "Unknown option: $1"; usage ;;
+  esac
+done
+
+[[ -z "$GATE" ]]         && { echo "ERROR: --gate is required"; usage; }
+[[ -z "$DETAILS" ]]      && { echo "ERROR: --details is required"; usage; }
+[[ -z "$GITEA_TOKEN" ]]  && { echo "ERROR: GITEA_TOKEN not set"; exit 1; }
+[[ -z "$REPO" ]]         && { echo "ERROR: GITHUB_REPOSITORY not set"; exit 1; }
+
+API="${GITEA_URL}/api/v1/repos/${REPO}"
+
+# ── Build title ─────────────────────────────────────────────────────────────
+if [[ -n "$WORKFLOW" ]]; then
+  TITLE="[CI] ${WORKFLOW}: ${GATE} failed"
+else
+  TITLE="[CI] ${GATE} failed"
+fi
+
+# ── Ensure label exists ─────────────────────────────────────────────────────
+ensure_label() {
+  local exists
+  exists=$(curl -sf -o /dev/null -w '%{http_code}' \
+    -H "Authorization: token ${GITEA_TOKEN}" \
+    "${API}/labels" 2>/dev/null || echo "000")
+
+  if [[ "$exists" == "200" ]]; then
+    # Check if label already exists
+    local found
+    found=$(curl -sf \
+      -H "Authorization: token ${GITEA_TOKEN}" \
+      "${API}/labels" 2>/dev/null \
+      | grep -o "\"name\":\"${LABEL_NAME}\"" || true)
+
+    if [[ -z "$found" ]]; then
+      curl -sf -X POST \
+        -H "Authorization: token ${GITEA_TOKEN}" \
+        -H "Content-Type: application/json" \
+        "${API}/labels" \
+        -d "{\"name\":\"${LABEL_NAME}\",\"color\":\"${LABEL_COLOR}\",\"description\":\"Auto-created by CI issue reporter\"}" \
+        > /dev/null 2>&1 || true
+    fi
+  fi
+}
+
+# ── Search for existing open issue ──────────────────────────────────────────
+find_existing_issue() {
+  # URL-encode the gate name for the query
+  local query
+  query=$(printf '%s' "[CI] ${GATE}" | sed 's/ /%20/g; s/\[/%5B/g; s/\]/%5D/g')
+
+  local response
+  response=$(curl -sf \
+    -H "Authorization: token ${GITEA_TOKEN}" \
+    "${API}/issues?type=issues&state=open&labels=${LABEL_NAME}&q=${query}&limit=5" \
+    2>/dev/null || echo "[]")
+
+  # Extract the first matching issue number
+  echo "$response" \
+    | grep -oP '"number":\s*\K[0-9]+' \
+    | head -1
+}
+
+# ── Build issue body ────────────────────────────────────────────────────────
+build_body() {
+  local severity_badge
+  if [[ "$SEVERITY" == "error" ]]; then
+    severity_badge="**Severity:** Error"
+  else
+    severity_badge="**Severity:** Warning"
+  fi
+
+  cat <<BODY
+## CI Gate Failure: ${GATE}
+
+${severity_badge}
+**Workflow:** ${WORKFLOW:-unknown}
+**Branch:** ${GITHUB_REF_NAME:-unknown}
+**Commit:** \`${GITHUB_SHA:0:8}\`
+**Run:** [View CI run](${RUN_URL})
+
+### Details
+
+${DETAILS}
+
+### Resolution
+
+Fix the issue described above and push a new commit. This issue will be closed automatically when the gate passes, or can be closed manually.
+
+---
+*Auto-created by [ci-issue-reporter](${GITEA_URL}/${REPO}/src/branch/main/automation/ci-issue-reporter.sh)*
+BODY
+}
+
+# ── Build comment body (for existing issues) ────────────────────────────────
+build_comment() {
+  cat <<COMMENT
+### CI failure recurrence
+
+**Branch:** ${GITHUB_REF_NAME:-unknown}
+**Commit:** \`${GITHUB_SHA:0:8}\`
+**Run:** [View CI run](${RUN_URL})
+
+${DETAILS}
+COMMENT
+}
+
+# ── Main ────────────────────────────────────────────────────────────────────
+ensure_label
+
+EXISTING=$(find_existing_issue)
+
+if [[ -n "$EXISTING" ]]; then
+  # Append comment to existing issue
+  COMMENT_BODY=$(build_comment)
+  COMMENT_JSON=$(printf '%s' "$COMMENT_BODY" | python3 -c "
+import sys, json
+print(json.dumps({'body': sys.stdin.read()}))" 2>/dev/null)
+
+  HTTP=$(curl -sf -o /dev/null -w '%{http_code}' -X POST \
+    -H "Authorization: token ${GITEA_TOKEN}" \
+    -H "Content-Type: application/json" \
+    "${API}/issues/${EXISTING}/comments" \
+    -d "${COMMENT_JSON}" 2>/dev/null || echo "000")
+
+  if [[ "$HTTP" == "201" ]]; then
+    echo "Commented on existing issue #${EXISTING}"
+  else
+    echo "WARNING: Failed to comment on issue #${EXISTING} (HTTP ${HTTP})"
+  fi
+else
+  # Create new issue
+  ISSUE_BODY=$(build_body)
+  ISSUE_JSON=$(python3 -c "
+import sys, json
+body = sys.stdin.read()
+print(json.dumps({
+    'title': sys.argv[1],
+    'body': body,
+    'labels': []
+}))" "$TITLE" <<< "$ISSUE_BODY" 2>/dev/null)
+
+  # Create the issue
+  RESPONSE=$(curl -sf -X POST \
+    -H "Authorization: token ${GITEA_TOKEN}" \
+    -H "Content-Type: application/json" \
+    "${API}/issues" \
+    -d "${ISSUE_JSON}" 2>/dev/null || echo "{}")
+
+  ISSUE_NUM=$(echo "$RESPONSE" | grep -oP '"number":\s*\K[0-9]+' | head -1)
+
+  if [[ -n "$ISSUE_NUM" ]]; then
+    # Apply label (separate call — more reliable across Gitea versions)
+    LABEL_ID=$(curl -sf \
+      -H "Authorization: token ${GITEA_TOKEN}" \
+      "${API}/labels" 2>/dev/null \
+      | grep -oP "\"id\":\s*\K[0-9]+(?=[^}]*\"name\":\s*\"${LABEL_NAME}\")" \
+      | head -1 || true)
+
+    if [[ -n "$LABEL_ID" ]]; then
+      curl -sf -X POST \
+        -H "Authorization: token ${GITEA_TOKEN}" \
+        -H "Content-Type: application/json" \
+        "${API}/issues/${ISSUE_NUM}/labels" \
+        -d "{\"labels\":[${LABEL_ID}]}" \
+        > /dev/null 2>&1 || true
+    fi
+
+    echo "Created issue #${ISSUE_NUM}: ${TITLE}"
+  else
+    echo "WARNING: Failed to create issue"
+    echo "Response: ${RESPONSE}"
+  fi
+fi
@@ -17,8 +17,10 @@
    "require-dev": {
        "squizlabs/php_codesniffer": "^3.7",
        "phpstan/phpstan": "^1.10",
-        "joomla/coding-standards": "^4.0"
+        "joomla/coding-standards": "^3.0"
    },
+    "minimum-stability": "alpha",
+    "prefer-stable": true,
    "config": {
        "sort-packages": true
    }
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -8,7 +8,7 @@
 -->
 <extension type="component" method="upgrade">
    <name>com_mokoog</name>
-    <version>01.00.01-rc</version>
+    <version>01.02.00</version>
    <creationDate>2026-05-23</creationDate>
    <author>Moko Consulting</author>
    <authorEmail>hello@mokoconsulting.tech</authorEmail>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -1,7 +1,7 @@
 <?php

 /**
- * @package     MokoJoomOpenGraph
+ * @package     MokoSuiteOpenGraph
 * @subpackage  com_mokoog
 * @author      Moko Consulting <hello@mokoconsulting.tech>
 * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
@@ -67,8 +67,7 @@ class BatchController extends BaseController
        }

        $app    = Factory::getApplication();
-        $offset = $app->getInput()->getInt('offset', 0);
-        $limit  = $app->getInput()->getInt('limit', 50);
+        $limit  = min($app->getInput()->getInt('limit', 50), 200);

        $db    = Factory::getDbo();
        $query = $db->getQuery(true)
@@ -85,10 +84,13 @@ class BatchController extends BaseController
            ->where($db->quoteName('t.id') . ' IS NULL')
            ->order($db->quoteName('c.id') . ' ASC');

-        $db->setQuery($query, $offset, $limit);
+        // Always offset=0: processed articles now have #__mokoog_tags rows
+        // and are excluded by the LEFT JOIN ... IS NULL filter automatically.
+        $db->setQuery($query, 0, $limit);
        $articles = $db->loadObjectList();

        $created = 0;
+        $skipped = 0;
        $now     = Factory::getDate()->toSql();

        foreach ($articles as $article) {
@@ -97,29 +99,32 @@ class BatchController extends BaseController
            $ogImage       = $this->extractImage($article);

            $record = (object) [
-                'content_type'   => 'com_content',
-                'content_id'     => (int) $article->id,
-                'og_title'       => $ogTitle,
-                'og_description' => $ogDescription,
-                'og_image'       => $ogImage,
-                'og_type'        => 'article',
-                'seo_title'      => '',
+                'content_type'     => 'com_content',
+                'content_id'       => (int) $article->id,
+                'og_title'         => $ogTitle,
+                'og_description'   => $ogDescription,
+                'og_image'         => $ogImage,
+                'og_type'          => 'article',
+                'seo_title'        => '',
                'meta_description' => $article->metadesc ?: '',
-                'robots'         => '',
-                'canonical_url'  => '',
-                'published'      => 1,
-                'created'        => $now,
-                'modified'       => $now,
+                'robots'           => '',
+                'canonical_url'    => '',
+                'language'         => '*',
+                'published'        => 1,
+                'created'          => $now,
+                'modified'         => $now,
            ];

-            $db->insertObject('#__mokoog_tags', $record);
-            $created++;
+            try {
+                $db->insertObject('#__mokoog_tags', $record);
+                $created++;
+            } catch (\RuntimeException $e) {
+                $skipped++;
+            }
        }

        echo new JsonResponse([
            'created'   => $created,
-            'offset'    => $offset,
-            'processed' => $offset + $created,
        ]);

        $app->close();
@@ -144,7 +149,7 @@ class BatchController extends BaseController
        $text = strip_tags($text);
        $text = trim(preg_replace('/\s+/', ' ', $text));

-        if (\strlen($text) > 160) {
+        if (mb_strlen($text) > 160) {
            $text = mb_substr($text, 0, 157) . '...';
        }

@@ -1,7 +1,7 @@
 <?php

 /**
- * @package     MokoJoomOpenGraph
+ * @package     MokoSuiteOpenGraph
 * @subpackage  com_mokoog
 * @author      Moko Consulting <hello@mokoconsulting.tech>
 * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
@@ -59,6 +59,7 @@ class ImportExportController extends BaseController
                $db->quoteName('t.meta_description'),
                $db->quoteName('t.robots'),
                $db->quoteName('t.canonical_url'),
+                $db->quoteName('t.language'),
            ])
            ->from($db->quoteName('#__mokoog_tags', 't'))
            ->leftJoin(
@@ -83,6 +84,7 @@ class ImportExportController extends BaseController
            'content_type', 'content_id', 'article_title',
            'og_title', 'og_description', 'og_image', 'og_type',
            'seo_title', 'meta_description', 'robots', 'canonical_url',
+            'language',
        ]);

        foreach ($rows as $row) {
@@ -184,6 +186,12 @@ class ImportExportController extends BaseController
            $metaDesc      = trim($row[8] ?? '');
            $robots        = trim($row[9] ?? '');
            $canonicalUrl  = trim($row[10] ?? '');
+            $language      = trim($row[11] ?? '*');
+
+            // Validate language tag format (e.g., 'en-GB', '*')
+            if ($language !== '*' && !preg_match('/^[a-z]{2,3}-[A-Z]{2}$/', $language)) {
+                $language = '*';
+            }

            if (empty($contentType) || $contentId <= 0) {
                $skipped++;
@@ -198,12 +206,13 @@ class ImportExportController extends BaseController
                continue;
            }

-            // Check for existing record
+            // Check for existing record (unique key includes language)
            $query = $db->getQuery(true)
                ->select($db->quoteName('id'))
                ->from($db->quoteName('#__mokoog_tags'))
                ->where($db->quoteName('content_type') . ' = ' . $db->quote($contentType))
-                ->where($db->quoteName('content_id') . ' = ' . $contentId);
+                ->where($db->quoteName('content_id') . ' = ' . $contentId)
+                ->where($db->quoteName('language') . ' = ' . $db->quote($language));

            $db->setQuery($query);
            $existingId = $db->loadResult();
@@ -219,6 +228,7 @@ class ImportExportController extends BaseController
                'meta_description' => $metaDesc,
                'robots'           => $robots,
                'canonical_url'    => $canonicalUrl,
+                'language'         => $language,
                'published'        => 1,
                'modified'         => $now,
            ];
@@ -0,0 +1,33 @@
+<?php
+
+/**
+ * @package     MokoSuiteOpenGraph
+ * @subpackage  com_mokoog
+ * @author      Moko Consulting <hello@mokoconsulting.tech>
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ */
+
+namespace Joomla\Component\MokoOG\Administrator\Controller;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\MVC\Controller\AdminController;
+use Joomla\CMS\MVC\Model\BaseDatabaseModel;
+
+class TagsController extends AdminController
+{
+    /**
+     * Proxy for getModel.
+     *
+     * @param   string  $name    Model name
+     * @param   string  $prefix  Model prefix
+     * @param   array   $config  Configuration array
+     *
+     * @return  BaseDatabaseModel
+     */
+    public function getModel($name = 'Tag', $prefix = 'Administrator', $config = ['ignore_request' => true])
+    {
+        return parent::getModel($name, $prefix, $config);
+    }
+}
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1,107 @@
+<?php
+
+/**
+ * @package     MokoSuiteOpenGraph
+ * @subpackage  com_mokoog
+ * @author      Moko Consulting <hello@mokoconsulting.tech>
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ */
+
+namespace Joomla\Component\MokoOG\Administrator\Table;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Table\Table;
+use Joomla\Database\DatabaseDriver;
+
+class TagTable extends Table
+{
+    /**
+     * Constructor.
+     *
+     * @param   DatabaseDriver  $db  Database driver instance
+     */
+    public function __construct(DatabaseDriver $db)
+    {
+        parent::__construct('#__mokoog_tags', 'id', $db);
+    }
+
+    /**
+     * Perform checks before store.
+     *
+     * @return  bool
+     */
+    private const VALID_OG_TYPES = [
+        'article', 'website', 'product', 'profile', 'book', 'music.song',
+        'music.album', 'video.movie', 'video.episode', 'video.other',
+    ];
+
+    private const VALID_ROBOTS = [
+        'index', 'noindex', 'follow', 'nofollow', 'none', 'noarchive',
+        'nosnippet', 'noimageindex', 'max-snippet', 'max-image-preview',
+    ];
+
+    public function check(): bool
+    {
+        if (empty($this->content_type)) {
+            $this->setError('Content type is required.');
+
+            return false;
+        }
+
+        if (!preg_match('/^[a-z][a-z0-9_.]*$/', $this->content_type)) {
+            $this->setError('Content type contains invalid characters.');
+
+            return false;
+        }
+
+        if (empty($this->content_id)) {
+            $this->setError('Content ID is required.');
+
+            return false;
+        }
+
+        // Validate og_type against known values
+        if (!empty($this->og_type) && !\in_array($this->og_type, self::VALID_OG_TYPES, true)) {
+            $this->og_type = 'article';
+        }
+
+        // Truncate fields to schema max lengths
+        if (mb_strlen($this->og_title ?? '') > 255) {
+            $this->og_title = mb_substr($this->og_title, 0, 255);
+        }
+
+        if (mb_strlen($this->seo_title ?? '') > 70) {
+            $this->seo_title = mb_substr($this->seo_title, 0, 70);
+        }
+
+        if (mb_strlen($this->meta_description ?? '') > 200) {
+            $this->meta_description = mb_substr($this->meta_description, 0, 200);
+        }
+
+        // Validate canonical_url format if non-empty
+        if (!empty($this->canonical_url) && !filter_var($this->canonical_url, FILTER_VALIDATE_URL)) {
+            $this->canonical_url = '';
+        }
+
+        // Validate robots directives
+        if (!empty($this->robots)) {
+            $parts = array_map('trim', explode(',', strtolower($this->robots)));
+            $valid = array_filter($parts, function ($part) {
+                // Allow directives with values like "max-snippet:-1"
+                $directive = explode(':', $part)[0];
+
+                return \in_array($directive, self::VALID_ROBOTS, true);
+            });
+            $this->robots = $valid ? implode(', ', $valid) : '';
+        }
+
+        // Default language to '*' if not set
+        if (empty($this->language)) {
+            $this->language = '*';
+        }
+
+        return true;
+    }
+}
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -215,22 +215,23 @@ document.addEventListener('DOMContentLoaded', function() {
            });
    }

-    function processChunk(offset, total, chunkSize, token, bar, status) {
-        fetch('index.php?option=com_mokoog&task=batch.process&format=json&offset=' + offset + '&limit=' + chunkSize + '&' + token + '=1')
+    function processChunk(processed, total, chunkSize, token, bar, status) {
+        // Always offset=0: processed items are excluded by the IS NULL filter
+        fetch('index.php?option=com_mokoog&task=batch.process&format=json&limit=' + chunkSize + '&' + token + '=1')
            .then(function(r) { return r.json(); })
            .then(function(resp) {
-                var processed = resp.data.processed;
+                processed += resp.data.created;
                var pct = Math.min(100, Math.round((processed / total) * 100));
                bar.style.width = pct + '%';
                bar.textContent = pct + '%';
                status.textContent = processed + ' / ' + total + ' <?php echo Text::_('COM_MOKOOG_BATCH_PROCESSED', true); ?>';

-                if (processed < total) {
+                if (resp.data.created > 0 && processed < total) {
                    processChunk(processed, total, chunkSize, token, bar, status);
                } else {
                    bar.classList.remove('progress-bar-animated');
                    bar.classList.add('bg-success');
-                    status.textContent = '<?php echo Text::_('COM_MOKOOG_BATCH_COMPLETE', true); ?> ' + total + ' articles.';
+                    status.textContent = '<?php echo Text::_('COM_MOKOOG_BATCH_COMPLETE', true); ?> ' + processed + ' articles.';
                    setTimeout(function() { location.reload(); }, 2000);
                }
            })
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
@@ -0,0 +1 @@
+<html><body bgcolor="#FFFFFF"></body></html>
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`<html><body bgcolor="#FFFFFF"></body></html>`