chore: remove update-server workflow [skip ci]

chore: remove updates.xml from main [skip ci]
chore(release): build 02.34.00 [skip ci]
2026-06-05 00:07:22 +00:00 · 2026-06-04 23:23:22 +00:00 · 2026-06-04 23:14:10 +00:00 · 2026-06-04 22:02:42 +00:00 · 2026-06-04 17:57:03 +00:00 · 2026-06-04 17:20:12 +00:00
70 changed files with 3581 additions and 1920 deletions
@@ -0,0 +1,4 @@
+[submodule "src/packages/tpl_mokoonyx"]
+	path = src/packages/tpl_mokoonyx
+	url = https://git.mokoconsulting.tech/MokoConsulting/MokoOnyx.git
+	branch = main
@@ -9,7 +9,7 @@
    <display-name>Package - MokoWaaS</display-name>
    <org>MokoConsulting</org>
    <description>White-label identity, security hardening, and tenant restriction layer for WaaS-managed Joomla environments</description>
-    <version>02.32.10</version>
+    <version>02.34.00</version>
    <license spdx="GPL-3.0-or-later">GNU General Public License v3</license>
  </identity>
  <governance>
@@ -1,270 +1,285 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Release
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
-# PATH: /templates/workflows/universal/auto-release.yml.template
-# VERSION: 09.23.00
-# BRIEF: Universal build & release � detects platform from manifest.xml
-#
-# +========================================================================+
-# |              UNIVERSAL BUILD & RELEASE PIPELINE                        |
-# +========================================================================+
-# |                                                                        |
-# |  Reads manifest.xml (joomla|dolibarr|generic) to branch logic.       |
-# |                                                                        |
-# |  Platform-specific:                                                    |
-# |    joomla:   XML manifest, updates.xml, type-prefixed packages         |
-# |    dolibarr: mod*.class.php, update.txt, dev version reset             |
-# |    generic:  README-only, no update stream                             |
-# |                                                                        |
-# +========================================================================+
-
-name: "Universal: Build & Release"
-
-on:
-  pull_request:
-    types: [opened, closed]
-    branches:
-      - main
-  workflow_dispatch:
-    inputs:
-      action:
-        description: 'Action to perform'
-        required: false
-        type: choice
-        default: release
-        options:
-          - release
-          - promote-rc
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
-  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
-
-permissions:
-  contents: write
-
-jobs:
-  # ── PR Opened → Rename branch to RC and build RC release ─────────────────────
-  promote-rc:
-    name: Promote to RC
-    runs-on: release
-    if: >-
-      (github.event.action == 'opened' && github.event.pull_request.merged != true) ||
-      (github.event_name == 'workflow_dispatch' && inputs.action == 'promote-rc')
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
-          fetch-depth: 1
-
-      - name: Setup moko-platform tools
-        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-        run: |
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          # Always fetch latest CLI tools — never use stale cache from previous runs
-          rm -rf /tmp/moko-platform-api
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
-            /tmp/moko-platform-api
-          cd /tmp/moko-platform-api
-          composer install --no-dev --no-interaction --quiet
-
-      - name: Rename branch to rc
-        run: |
-          php /tmp/moko-platform-api/cli/branch_rename.php \
-            --from "${{ github.event.pull_request.head.ref || 'dev' }}" --to rc \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
-            --api-base "${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}" \
-            --pr "${{ github.event.pull_request.number }}"
-
-      - name: Checkout rc and configure git
-        run: |
-          git fetch origin rc
-          git checkout rc
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-
-      - name: Publish RC release
-        run: |
-          php /tmp/moko-platform-api/cli/release_publish.php \
-            --path . --stability rc --bump minor --branch rc \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}"
-
-      - name: Summary
-        if: always()
-        run: |
-          echo "## Promoted to Release Candidate" >> $GITHUB_STEP_SUMMARY
-          echo "Branch renamed to rc, minor bump, RC + lesser stream releases built, updates.xml synced" >> $GITHUB_STEP_SUMMARY
-
-  # ── Merged PR → Build & Release (or promote RC to stable) ────────────────────
-  release:
-    name: Build & Release Pipeline
-    runs-on: release
-    if: >-
-      github.event.pull_request.merged == true ||
-      (github.event_name == 'workflow_dispatch' && inputs.action != 'promote-rc')
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
-          fetch-depth: 0
-
-      - name: Configure git for bot pushes
-        run: |
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-
-      - name: Setup moko-platform tools
-        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_MIRROR_TOKEN }}"}}'
-        run: |
-          # Ensure PHP + Composer are available
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          # Always fetch latest CLI tools — never use stale cache from previous runs
-          rm -rf /tmp/moko-platform-api
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
-            /tmp/moko-platform-api
-          cd /tmp/moko-platform-api
-          composer install --no-dev --no-interaction --quiet
-
-
-      - name: "Publish stable release"
-        run: |
-          php /tmp/moko-platform-api/cli/release_publish.php \
-            --path . --stability stable --bump minor --branch main \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}"
-
-      # -- STEP 9: Mirror to GitHub (stable only) --------------------------------
-      - name: "Step 9: Mirror release to GitHub"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          secrets.GH_MIRROR_TOKEN != ''
-        continue-on-error: true
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
-          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          php /tmp/moko-platform-api/cli/release_mirror.php \
-            --version "$VERSION" --tag "$RELEASE_TAG" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-            --gh-token "${{ secrets.GH_MIRROR_TOKEN }}" --gh-repo "$GH_REPO" \
-            --branch main 2>&1 || true
-          echo "GitHub mirror updated" >> $GITHUB_STEP_SUMMARY
-
-      # -- STEP 10: Sync main branch to GitHub mirror ----------------------------
-      - name: "Step 10: Push main to GitHub mirror"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          secrets.GH_MIRROR_TOKEN != ''
-        continue-on-error: true
-        run: |
-          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
-          GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
-          GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
-          git remote add github "https://x-access-token:${{ secrets.GH_MIRROR_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
-            git remote set-url github "https://x-access-token:${{ secrets.GH_MIRROR_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
-          git fetch origin main --depth=1
-          git push github origin/main:refs/heads/main --force 2>/dev/null \
-            && echo "main branch pushed to GitHub mirror" \
-            || echo "WARNING: GitHub mirror push failed"
-
-      - name: "Step 11: Delete rc branch and recreate dev from main"
-        if: steps.version.outputs.skip != 'true'
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-
-          # Delete rc branch (ephemeral — created by promote-rc)
-          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
-            "${API_BASE}/branches/rc" 2>/dev/null \
-            && echo "Deleted rc branch" || echo "rc branch not found"
-
-          # Delete dev branch
-          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
-            "${API_BASE}/branches/dev" 2>/dev/null && echo "Deleted dev branch"
-
-          # Recreate dev from main (now includes version bump + changelog promotion)
-          curl -sf -X POST -H "Authorization: token ${TOKEN}" \
-            -H "Content-Type: application/json" \
-            "${API_BASE}/branches" \
-            -d '{"new_branch_name":"dev","old_branch_name":"main"}' 2>/dev/null && echo "Recreated dev from main"
-
-          echo "Pre-release branches cleaned, dev reset from main" >> $GITHUB_STEP_SUMMARY
-
-      - name: "Step 12: Create version branch from main"
-        if: steps.version.outputs.skip != 'true'
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          BRANCH_NAME="version/${VERSION}"
-          MAIN_SHA=$(git rev-parse HEAD)
-
-          # Delete old version branch if it exists (same version re-release)
-          curl -sf -X DELETE -H "Authorization: token ${TOKEN}"             "${API_BASE}/branches/${BRANCH_NAME}" 2>/dev/null && echo "Deleted old ${BRANCH_NAME}"
-
-          # Create version/XX.YY.ZZ from main
-          curl -sf -X POST -H "Authorization: token ${TOKEN}"             -H "Content-Type: application/json"             "${API_BASE}/branches"             -d "{\"new_branch_name\":\"${BRANCH_NAME}\",\"old_branch_name\":\"main\"}" 2>/dev/null             && echo "Created ${BRANCH_NAME} from main (${MAIN_SHA})"             || echo "WARNING: ${BRANCH_NAME} creation failed"
-
-          echo "Version branch created: ${BRANCH_NAME} (${MAIN_SHA})" >> $GITHUB_STEP_SUMMARY
-
-
-
-      # -- Dolibarr post-release: Reset dev version -----------------------------
-      - name: "Post-release: Reset dev version"
-        if: steps.version.outputs.skip != 'true'
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          php /tmp/moko-platform-api/cli/version_reset_dev.php \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "${API_BASE}" \
-            --branch dev --path . 2>&1 || true
-
-      # -- Summary --------------------------------------------------------------
-      - name: Pipeline Summary
-        if: always()
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          PLATFORM="${{ steps.platform.outputs.platform }}"
-          if [ "${{ steps.version.outputs.skip }}" = "true" ]; then
-            echo "## Release Skipped" >> $GITHUB_STEP_SUMMARY
-            echo "No VERSION in README.md" >> $GITHUB_STEP_SUMMARY
-          elif [ "${{ steps.check.outputs.already_released }}" = "true" ]; then
-            echo "## Already Released — ${VERSION}" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "## Build & Release Complete (${PLATFORM})" >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "| Step | Result |" >> $GITHUB_STEP_SUMMARY
-            echo "|------|--------|" >> $GITHUB_STEP_SUMMARY
-            echo "| Platform | \`${PLATFORM}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Branch | \`${{ steps.version.outputs.branch }}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Tag | \`${{ steps.version.outputs.tag }}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Release | [View](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${{ steps.version.outputs.tag }}) |" >> $GITHUB_STEP_SUMMARY
-          fi
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: moko-platform.Release
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
+# PATH: /templates/workflows/universal/auto-release.yml.template
+# VERSION: 05.00.00
+# BRIEF: Universal build & release � detects platform from manifest.xml
+#
+# +========================================================================+
+# |              UNIVERSAL BUILD & RELEASE PIPELINE                        |
+# +========================================================================+
+# |                                                                        |
+# |  Reads manifest.xml (joomla|dolibarr|generic) to branch logic.       |
+# |                                                                        |
+# |  Platform-specific:                                                    |
+# |    joomla:   XML manifest, updates.xml, type-prefixed packages         |
+# |    dolibarr: mod*.class.php, update.txt, dev version reset             |
+# |    generic:  README-only, no update stream                             |
+# |                                                                        |
+# +========================================================================+
+
+name: "Universal: Build & Release"
+
+on:
+  pull_request:
+    types: [opened, closed]
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      action:
+        description: 'Action to perform'
+        required: false
+        type: choice
+        default: release
+        options:
+          - release
+          - promote-rc
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
+  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
+
+permissions:
+  contents: write
+
+jobs:
+  # ── PR Opened → Rename branch to RC and build RC release ─────────────────────
+  promote-rc:
+    name: Promote to RC
+    runs-on: release
+    if: >-
+      (github.event.action == 'opened' && github.event.pull_request.merged != true) ||
+      (github.event_name == 'workflow_dispatch' && inputs.action == 'promote-rc')
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
+          fetch-depth: 1
+
+      - name: Setup moko-platform tools
+        env:
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
+        run: |
+          if ! command -v composer &> /dev/null; then
+            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          fi
+          # Always fetch latest CLI tools — never use stale cache from previous runs
+          rm -rf /tmp/moko-platform-api
+          git clone --depth 1 --branch main --quiet \
+            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
+            /tmp/moko-platform-api
+          cd /tmp/moko-platform-api
+          composer install --no-dev --no-interaction --quiet
+
+      - name: Rename branch to rc
+        run: |
+          php /tmp/moko-platform-api/cli/branch_rename.php \
+            --from "${{ github.event.pull_request.head.ref || 'dev' }}" --to rc \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
+            --api-base "${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}" \
+            --pr "${{ github.event.pull_request.number }}"
+
+      - name: Checkout rc and configure git
+        run: |
+          git fetch origin rc
+          git checkout rc
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          git config --local user.name "gitea-actions[bot]"
+          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+
+      - name: Publish RC release
+        run: |
+          php /tmp/moko-platform-api/cli/release_publish.php \
+            --path . --stability rc --bump minor --branch rc \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
+            --skip-update-stream
+
+      - name: Summary
+        if: always()
+        run: |
+          echo "## Promoted to Release Candidate" >> $GITHUB_STEP_SUMMARY
+          echo "Branch renamed to rc, minor bump, RC release built (updates.xml managed by Gitea Pages)" >> $GITHUB_STEP_SUMMARY
+
+  # ── Merged PR → Build & Release (or promote RC to stable) ────────────────────
+  release:
+    name: Build & Release Pipeline
+    runs-on: release
+    if: >-
+      github.event.pull_request.merged == true ||
+      (github.event_name == 'workflow_dispatch' && inputs.action != 'promote-rc')
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
+          fetch-depth: 0
+
+      - name: Configure git for bot pushes
+        run: |
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          git config --local user.name "gitea-actions[bot]"
+          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+
+      - name: Check for merge conflict markers
+        run: |
+          CONFLICTS=$(grep -rn '<<<<<<< \|>>>>>>> \|^=======$' --include='*.php' --include='*.xml' --include='*.css' --include='*.js' --include='*.json' --include='*.md' --include='*.yml' --include='*.yaml' --include='*.ini' --include='*.txt' . 2>/dev/null | grep -v '.git/' || true)
+          if [ -n "$CONFLICTS" ]; then
+            echo "::error::Merge conflict markers found — aborting release"
+            echo "## Release Blocked: Conflict Markers" >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+            echo "$CONFLICTS" >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+          echo "No conflict markers found"
+
+      - name: Setup moko-platform tools
+        env:
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_MIRROR_TOKEN }}"}}'
+        run: |
+          # Ensure PHP + Composer are available
+          if ! command -v composer &> /dev/null; then
+            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          fi
+          # Always fetch latest CLI tools — never use stale cache from previous runs
+          rm -rf /tmp/moko-platform-api
+          git clone --depth 1 --branch main --quiet \
+            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
+            /tmp/moko-platform-api
+          cd /tmp/moko-platform-api
+          composer install --no-dev --no-interaction --quiet
+
+
+      - name: "Publish stable release"
+        run: |
+          php /tmp/moko-platform-api/cli/release_publish.php \
+            --path . --stability stable --bump minor --branch main \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
+            --skip-update-stream
+
+      # -- STEP 9: Mirror to GitHub (stable only) --------------------------------
+      - name: "Step 9: Mirror release to GitHub"
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          secrets.GH_MIRROR_TOKEN != ''
+        continue-on-error: true
+        run: |
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
+          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          php /tmp/moko-platform-api/cli/release_mirror.php \
+            --version "$VERSION" --tag "$RELEASE_TAG" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
+            --gh-token "${{ secrets.GH_MIRROR_TOKEN }}" --gh-repo "$GH_REPO" \
+            --branch main 2>&1 || true
+          echo "GitHub mirror updated" >> $GITHUB_STEP_SUMMARY
+
+      # -- STEP 10: Sync main branch to GitHub mirror ----------------------------
+      - name: "Step 10: Push main to GitHub mirror"
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          secrets.GH_MIRROR_TOKEN != ''
+        continue-on-error: true
+        run: |
+          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
+          GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
+          GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
+          git remote add github "https://x-access-token:${{ secrets.GH_MIRROR_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
+            git remote set-url github "https://x-access-token:${{ secrets.GH_MIRROR_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
+          git fetch origin main --depth=1
+          git push github origin/main:refs/heads/main --force 2>/dev/null \
+            && echo "main branch pushed to GitHub mirror" \
+            || echo "WARNING: GitHub mirror push failed"
+
+      - name: "Step 11: Delete rc branch and recreate dev from main"
+        if: steps.version.outputs.skip != 'true'
+        continue-on-error: true
+        run: |
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
+
+          # Delete rc branch (ephemeral — created by promote-rc)
+          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
+            "${API_BASE}/branches/rc" 2>/dev/null \
+            && echo "Deleted rc branch" || echo "rc branch not found"
+
+          # Delete dev branch
+          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
+            "${API_BASE}/branches/dev" 2>/dev/null && echo "Deleted dev branch"
+
+          # Recreate dev from main (now includes version bump + changelog promotion)
+          curl -sf -X POST -H "Authorization: token ${TOKEN}" \
+            -H "Content-Type: application/json" \
+            "${API_BASE}/branches" \
+            -d '{"new_branch_name":"dev","old_branch_name":"main"}' 2>/dev/null && echo "Recreated dev from main"
+
+          echo "Pre-release branches cleaned, dev reset from main" >> $GITHUB_STEP_SUMMARY
+
+      - name: "Step 12: Create version branch from main"
+        if: steps.version.outputs.skip != 'true'
+        continue-on-error: true
+        run: |
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          BRANCH_NAME="version/${VERSION}"
+          MAIN_SHA=$(git rev-parse HEAD)
+
+          # Delete old version branch if it exists (same version re-release)
+          curl -sf -X DELETE -H "Authorization: token ${TOKEN}"             "${API_BASE}/branches/${BRANCH_NAME}" 2>/dev/null && echo "Deleted old ${BRANCH_NAME}"
+
+          # Create version/XX.YY.ZZ from main
+          curl -sf -X POST -H "Authorization: token ${TOKEN}"             -H "Content-Type: application/json"             "${API_BASE}/branches"             -d "{\"new_branch_name\":\"${BRANCH_NAME}\",\"old_branch_name\":\"main\"}" 2>/dev/null             && echo "Created ${BRANCH_NAME} from main (${MAIN_SHA})"             || echo "WARNING: ${BRANCH_NAME} creation failed"
+
+          echo "Version branch created: ${BRANCH_NAME} (${MAIN_SHA})" >> $GITHUB_STEP_SUMMARY
+
+
+
+      # -- Dolibarr post-release: Reset dev version -----------------------------
+      - name: "Post-release: Reset dev version"
+        if: steps.version.outputs.skip != 'true'
+        continue-on-error: true
+        run: |
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          php /tmp/moko-platform-api/cli/version_reset_dev.php \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "${API_BASE}" \
+            --branch dev --path . 2>&1 || true
+
+      # -- Summary --------------------------------------------------------------
+      - name: Pipeline Summary
+        if: always()
+        run: |
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          PLATFORM="${{ steps.platform.outputs.platform }}"
+          if [ "${{ steps.version.outputs.skip }}" = "true" ]; then
+            echo "## Release Skipped" >> $GITHUB_STEP_SUMMARY
+            echo "No VERSION in README.md" >> $GITHUB_STEP_SUMMARY
+          elif [ "${{ steps.check.outputs.already_released }}" = "true" ]; then
+            echo "## Already Released — ${VERSION}" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "## Build & Release Complete (${PLATFORM})" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "| Step | Result |" >> $GITHUB_STEP_SUMMARY
+            echo "|------|--------|" >> $GITHUB_STEP_SUMMARY
+            echo "| Platform | \`${PLATFORM}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| Branch | \`${{ steps.version.outputs.branch }}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| Tag | \`${{ steps.version.outputs.tag }}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| Release | [View](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${{ steps.version.outputs.tag }}) |" >> $GITHUB_STEP_SUMMARY
+          fi
@@ -5,7 +5,7 @@
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: moko-platform.Automation
-# VERSION: 02.32.10
+# VERSION: 02.34.00
 # BRIEF: Auto-create feature branch when an issue is opened

 name: "Universal: Issue Branch"
@@ -1,236 +1,508 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.CI
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
-# PATH: /templates/workflows/universal/pr-check.yml.template
-# VERSION: 09.23.00
-# BRIEF: PR gate — branch policy + code validation before merge
-
-name: "Universal: PR Check"
-
-on:
-  pull_request:
-    types: [opened, synchronize, reopened, edited]
-
-permissions:
-  contents: read
-  pull-requests: write
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-
-jobs:
-  # ── Branch Policy ──────────────────────────────────────────────────────
-  branch-policy:
-    name: Branch Policy
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check branch merge target
-        run: |
-          HEAD="${{ github.head_ref }}"
-          BASE="${{ github.base_ref }}"
-
-          echo "PR: ${HEAD} → ${BASE}"
-
-          ALLOWED=true
-          REASON=""
-
-          case "$HEAD" in
-            feature/*|feat/*)
-              if [ "$BASE" != "dev" ]; then
-                ALLOWED=false
-                REASON="Feature branches must target 'dev', not '${BASE}'"
-              fi
-              ;;
-            fix/*|bugfix/*)
-              if [ "$BASE" != "dev" ]; then
-                ALLOWED=false
-                REASON="Fix branches must target 'dev', not '${BASE}'"
-              fi
-              ;;
-            patch/*)
-              if [ "$BASE" != "dev" ] && [ "$BASE" != "rc" ]; then
-                ALLOWED=false
-                REASON="Patch branches must target 'dev' or 'rc', not '${BASE}'"
-              fi
-              ;;
-            hotfix/*)
-              if [ "$BASE" != "dev" ] && [ "$BASE" != "main" ]; then
-                ALLOWED=false
-                REASON="Hotfix branches can only target 'dev' or 'main', not '${BASE}'"
-              fi
-              ;;
-            rc)
-              if [ "$BASE" != "main" ]; then
-                ALLOWED=false
-                REASON="RC branch can only merge into 'main', not '${BASE}'"
-              fi
-              ;;
-            dev)
-              if [ "$BASE" != "main" ]; then
-                ALLOWED=false
-                REASON="Dev branch can only merge into 'main', not '${BASE}'"
-              fi
-              ;;
-          esac
-
-          if [ "$ALLOWED" = false ]; then
-            echo "::error::${REASON}"
-            echo "## Branch Policy Violation" >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "${REASON}" >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "### Allowed merge paths:" >> $GITHUB_STEP_SUMMARY
-            echo "- \`feature/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
-            echo "- \`fix/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
-            echo "- \`hotfix/*\` → \`dev\` or \`main\`" >> $GITHUB_STEP_SUMMARY
-            echo "- \`dev\` → \`main\`" >> $GITHUB_STEP_SUMMARY
-            echo "- \`rc/*\` → \`main\`" >> $GITHUB_STEP_SUMMARY
-            exit 1
-          fi
-
-          echo "Branch policy: OK (${HEAD} → ${BASE})"
-          echo "## Branch Policy: Passed" >> $GITHUB_STEP_SUMMARY
-
-  # ── Code Validation ────────────────────────────────────────────────────
-  validate:
-    name: Validate PR
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Detect platform
-        id: platform
-        run: |
-          # Read platform from XML manifest (<platform> tag) or plain text fallback
-          PLATFORM=$(sed -n 's/.*<platform>\([^<]*\)<\/platform>.*/\1/p' .mokogitea/manifest.xml 2>/dev/null | head -1)
-          [ -z "$PLATFORM" ] && PLATFORM=$(cat .mokogitea/manifest.xml 2>/dev/null | tr -d '[:space:]')
-          [ -z "$PLATFORM" ] && PLATFORM="generic"
-          echo "platform=$PLATFORM" >> "$GITHUB_OUTPUT"
-
-      - name: Setup PHP
-        if: steps.platform.outputs.platform == 'joomla' || steps.platform.outputs.platform == 'dolibarr'
-        run: |
-          if ! command -v php &> /dev/null; then
-            sudo apt-get update -qq
-            sudo apt-get install -y -qq php-cli php-mbstring php-xml >/dev/null 2>&1
-          fi
-
-      - name: PHP syntax check
-        if: steps.platform.outputs.platform == 'joomla' || steps.platform.outputs.platform == 'dolibarr'
-        run: |
-          ERRORS=0
-          while IFS= read -r -d '' file; do
-            if ! php -l "$file" 2>&1 | grep -q "No syntax errors"; then
-              ERRORS=$((ERRORS + 1))
-            fi
-          done < <(find . -name "*.php" -not -path "./.git/*" -not -path "./vendor/*" -print0)
-          echo "PHP lint: ${ERRORS} error(s)"
-          [ "$ERRORS" -eq 0 ] || { echo "::error::PHP syntax errors found"; exit 1; }
-
-      - name: Validate platform manifest
-        run: |
-          PLATFORM="${{ steps.platform.outputs.platform }}"
-          case "$PLATFORM" in
-            joomla)
-              MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
-              if [ -z "$MANIFEST" ]; then
-                echo "::warning::No Joomla manifest found (WaaS site)"
-                exit 0
-              fi
-              echo "Manifest: ${MANIFEST}"
-              if command -v php &> /dev/null; then
-                php -r "libxml_use_internal_errors(true); \$x = simplexml_load_file('$MANIFEST'); if(!\$x){foreach(libxml_get_errors() as \$e) echo \$e->message; exit(1);}" || { echo "::error::Manifest XML is malformed"; exit 1; }
-              fi
-              for ELEMENT in name version description; do
-                grep -q "<${ELEMENT}>" "$MANIFEST" || { echo "::error::Missing <${ELEMENT}> in manifest"; exit 1; }
-              done
-              echo "Joomla manifest valid"
-              ;;
-            dolibarr)
-              MOD_FILE=$(find . -maxdepth 4 -name "mod*.class.php" ! -path "./.git/*" -exec grep -l 'extends DolibarrModules' {} \; 2>/dev/null | head -1)
-              if [ -z "$MOD_FILE" ]; then
-                echo "::error::No mod*.class.php found"
-                exit 1
-              fi
-              echo "Dolibarr module: ${MOD_FILE}"
-              ;;
-            *)
-              echo "Generic platform — no manifest validation"
-              ;;
-          esac
-
-      - name: Check update stream format
-        run: |
-          PLATFORM="${{ steps.platform.outputs.platform }}"
-          case "$PLATFORM" in
-            joomla)
-              if [ -f "updates.xml" ]; then
-                if command -v php &> /dev/null; then
-                  php -r "libxml_use_internal_errors(true); \$x = simplexml_load_file('updates.xml'); if(!\$x){foreach(libxml_get_errors() as \$e) echo \$e->message; exit(1);}" || { echo "::error::updates.xml is malformed"; exit 1; }
-                fi
-                echo "updates.xml valid"
-              fi
-              ;;
-            dolibarr)
-              [ -f "update.txt" ] && echo "update.txt present" || echo "::warning::No update.txt"
-              ;;
-          esac
-
-      - name: Check changelog has unreleased entry
-        run: |
-          if [ ! -f "CHANGELOG.md" ]; then
-            echo "::warning::No CHANGELOG.md found"
-            exit 0
-          fi
-          # Check for content under [Unreleased] section
-          if ! grep -q "## \[Unreleased\]" CHANGELOG.md; then
-            echo "::error::CHANGELOG.md missing [Unreleased] section"
-            exit 1
-          fi
-          # Check there's at least one entry (Added/Changed/Fixed/Removed) under Unreleased
-          UNRELEASED_CONTENT=$(sed -n '/## \[Unreleased\]/,/## \[/p' CHANGELOG.md | grep -cE '^\s*-\s' || true)
-          if [ "$UNRELEASED_CONTENT" -eq 0 ]; then
-            echo "::error::CHANGELOG.md [Unreleased] section has no entries. Add a changelog entry describing your changes."
-            echo "## Changelog Check: Failed" >> $GITHUB_STEP_SUMMARY
-            echo "The \`[Unreleased]\` section in CHANGELOG.md has no entries." >> $GITHUB_STEP_SUMMARY
-            echo "Add a line like \`- Description of your change\` under a heading (\`### Added\`, \`### Changed\`, \`### Fixed\`, etc.)" >> $GITHUB_STEP_SUMMARY
-            exit 1
-          fi
-          echo "Changelog: ${UNRELEASED_CONTENT} entry/entries in [Unreleased]"
-
-      - name: Verify package source
-        run: |
-          SOURCE_DIR="src"
-          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
-          if [ ! -d "$SOURCE_DIR" ]; then
-            echo "::warning::No src/ or htdocs/ directory"
-            exit 0
-          fi
-          FILE_COUNT=$(find "$SOURCE_DIR" -type f | wc -l)
-          echo "Source: ${FILE_COUNT} files"
-          [ "$FILE_COUNT" -gt 0 ] || { echo "::error::Source directory is empty"; exit 1; }
-
-  # ── Pre-Release RC Build ─────────────────────────────────────────────────
-  pre-release:
-    name: Build RC Package
-    runs-on: ubuntu-latest
-    needs: [branch-policy, validate]
-
-    steps:
-      - name: Trigger RC pre-release
-        env:
-          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-          REPO: ${{ github.repository }}
-          BRANCH: ${{ github.head_ref }}
-          GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-        run: |
-          curl -s -X POST             "${GITEA_URL}/api/v1/repos/${REPO}/actions/workflows/pre-release.yml/dispatches"             -H "Authorization: token ${GITEA_TOKEN}"             -H "Content-Type: application/json"             -d "{\"ref\":\"${BRANCH}\",\"inputs\":{\"stability\":\"release-candidate\"}}"
-          echo "### Pre-Release" >> $GITHUB_STEP_SUMMARY
-          echo "Triggered RC build on branch \`${BRANCH}\`" >> $GITHUB_STEP_SUMMARY
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: moko-platform.CI
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
+# PATH: /templates/workflows/universal/pr-check.yml.template
+# VERSION: 09.23.00
+# BRIEF: PR gate — branch policy + code validation before merge
+
+name: "Universal: PR Check"
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, edited]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  # ── Branch Policy ──────────────────────────────────────────────────────
+  branch-policy:
+    name: Branch Policy
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check branch merge target
+        run: |
+          HEAD="${{ github.head_ref }}"
+          BASE="${{ github.base_ref }}"
+
+          echo "PR: ${HEAD} → ${BASE}"
+
+          ALLOWED=true
+          REASON=""
+
+          case "$HEAD" in
+            feature/*|feat/*)
+              if [ "$BASE" != "dev" ]; then
+                ALLOWED=false
+                REASON="Feature branches must target 'dev', not '${BASE}'"
+              fi
+              ;;
+            fix/*|bugfix/*)
+              if [ "$BASE" != "dev" ]; then
+                ALLOWED=false
+                REASON="Fix branches must target 'dev', not '${BASE}'"
+              fi
+              ;;
+            patch/*)
+              if [ "$BASE" != "dev" ] && [ "$BASE" != "rc" ]; then
+                ALLOWED=false
+                REASON="Patch branches must target 'dev' or 'rc', not '${BASE}'"
+              fi
+              ;;
+            hotfix/*)
+              if [ "$BASE" != "dev" ] && [ "$BASE" != "main" ]; then
+                ALLOWED=false
+                REASON="Hotfix branches can only target 'dev' or 'main', not '${BASE}'"
+              fi
+              ;;
+            rc)
+              if [ "$BASE" != "main" ]; then
+                ALLOWED=false
+                REASON="RC branch can only merge into 'main', not '${BASE}'"
+              fi
+              ;;
+            dev)
+              if [ "$BASE" != "main" ]; then
+                ALLOWED=false
+                REASON="Dev branch can only merge into 'main', not '${BASE}'"
+              fi
+              ;;
+          esac
+
+          if [ "$ALLOWED" = false ]; then
+            echo "::error::${REASON}"
+            echo "## Branch Policy Violation" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "${REASON}" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "### Allowed merge paths:" >> $GITHUB_STEP_SUMMARY
+            echo "- \`feature/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`fix/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`hotfix/*\` → \`dev\` or \`main\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`dev\` → \`main\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`rc/*\` → \`main\`" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+
+          echo "Branch policy: OK (${HEAD} → ${BASE})"
+          echo "## Branch Policy: Passed" >> $GITHUB_STEP_SUMMARY
+
+  # ── Code Validation ────────────────────────────────────────────────────
+  validate:
+    name: Validate PR
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Check for merge conflict markers
+        run: |
+          CONFLICTS=$(grep -rn '<<<<<<< \|>>>>>>> \|^=======$' --include='*.php' --include='*.xml' --include='*.css' --include='*.js' --include='*.json' --include='*.md' --include='*.yml' --include='*.yaml' --include='*.ini' --include='*.txt' . 2>/dev/null | grep -v '.git/' || true)
+          if [ -n "$CONFLICTS" ]; then
+            echo "::error::Merge conflict markers found in source files"
+            echo "## Conflict Markers Found" >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+            echo "$CONFLICTS" >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+          echo "No conflict markers found"
+
+      - name: Detect platform
+        id: platform
+        run: |
+          # Read platform from XML manifest (<platform> tag) or plain text fallback
+          PLATFORM=$(sed -n 's/.*<platform>\([^<]*\)<\/platform>.*/\1/p' .mokogitea/manifest.xml 2>/dev/null | head -1)
+          [ -z "$PLATFORM" ] && PLATFORM=$(cat .mokogitea/manifest.xml 2>/dev/null | tr -d '[:space:]')
+          [ -z "$PLATFORM" ] && PLATFORM="generic"
+          echo "platform=$PLATFORM" >> "$GITHUB_OUTPUT"
+
+      - name: Setup PHP
+        if: steps.platform.outputs.platform == 'joomla' || steps.platform.outputs.platform == 'dolibarr'
+        run: |
+          if ! command -v php &> /dev/null; then
+            sudo apt-get update -qq
+            sudo apt-get install -y -qq php-cli php-mbstring php-xml >/dev/null 2>&1
+          fi
+
+      - name: PHP syntax check
+        if: steps.platform.outputs.platform == 'joomla' || steps.platform.outputs.platform == 'dolibarr'
+        run: |
+          ERRORS=0
+          while IFS= read -r -d '' file; do
+            if ! php -l "$file" 2>&1 | grep -q "No syntax errors"; then
+              ERRORS=$((ERRORS + 1))
+            fi
+          done < <(find . -name "*.php" -not -path "./.git/*" -not -path "./vendor/*" -print0)
+          echo "PHP lint: ${ERRORS} error(s)"
+          [ "$ERRORS" -eq 0 ] || { echo "::error::PHP syntax errors found"; exit 1; }
+
+      - name: Joomla JEXEC guard check
+        if: steps.platform.outputs.platform == 'joomla'
+        run: |
+          ERRORS=0
+          while IFS= read -r -d '' file; do
+            # Skip vendor, node_modules, and index.html stub files
+            case "$file" in ./vendor/*|./node_modules/*) continue ;; esac
+            # Check first 10 lines for JEXEC or JPATH guard
+            if ! head -20 "$file" | grep -qE "defined\s*\(\s*['\"](_JEXEC|JPATH_BASE|\\\\JPATH_PLATFORM)['\"]"; then
+              echo "::error file=${file}::Missing JEXEC guard: ${file}"
+              ERRORS=$((ERRORS + 1))
+            fi
+          done < <(find . -name "*.php" -path "*/src/*" -not -path "./.git/*" -not -path "./vendor/*" -print0)
+          if [ "$ERRORS" -gt 0 ]; then
+            echo "::error::${ERRORS} PHP file(s) missing defined('_JEXEC') or die guard"
+            echo "## JEXEC Guard Check: Failed" >> $GITHUB_STEP_SUMMARY
+            echo "${ERRORS} file(s) in src/ are missing the Joomla execution guard." >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+          echo "JEXEC guard: OK"
+
+      - name: Joomla directory listing protection
+        if: steps.platform.outputs.platform == 'joomla'
+        run: |
+          MISSING=0
+          SOURCE_DIR="src"
+          [ ! -d "$SOURCE_DIR" ] && exit 0
+          while IFS= read -r dir; do
+            if [ ! -f "${dir}/index.html" ]; then
+              echo "::warning::Missing index.html in ${dir} (directory listing protection)"
+              MISSING=$((MISSING + 1))
+            fi
+          done < <(find "$SOURCE_DIR" -type d -not -path "./.git/*" -not -path "*/vendor/*" -not -path "*/node_modules/*")
+          if [ "$MISSING" -gt 0 ]; then
+            echo "## Directory Protection" >> $GITHUB_STEP_SUMMARY
+            echo "${MISSING} director(ies) missing index.html" >> $GITHUB_STEP_SUMMARY
+          fi
+          echo "Directory protection: ${MISSING} missing (advisory)"
+
+      - name: Joomla script file and asset checks
+        if: steps.platform.outputs.platform == 'joomla'
+        run: |
+          ERRORS=0
+          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
+          [ -z "$MANIFEST" ] && exit 0
+          MANIFEST_DIR=$(dirname "$MANIFEST")
+
+          # Check scriptfile exists if declared
+          SCRIPTFILE=$(sed -n 's/.*<scriptfile>\([^<]*\)<\/scriptfile>.*/\1/p' "$MANIFEST" 2>/dev/null)
+          if [ -n "$SCRIPTFILE" ]; then
+            if [ ! -f "${MANIFEST_DIR}/${SCRIPTFILE}" ]; then
+              echo "::error::Manifest declares <scriptfile>${SCRIPTFILE}</scriptfile> but file not found at ${MANIFEST_DIR}/${SCRIPTFILE}"
+              ERRORS=$((ERRORS + 1))
+            else
+              echo "Script file: ${MANIFEST_DIR}/${SCRIPTFILE} (OK)"
+            fi
+          fi
+
+          # Require joomla.asset.json and validate it
+          ASSET_JSON=$(find "$MANIFEST_DIR" -name "joomla.asset.json" -not -path "./.git/*" 2>/dev/null | head -1)
+          if [ -z "$ASSET_JSON" ]; then
+            echo "::error::joomla.asset.json not found — Joomla asset system is required"
+            ERRORS=$((ERRORS + 1))
+          else
+            if command -v php &> /dev/null; then
+              php -r "json_decode(file_get_contents('$ASSET_JSON')); if(json_last_error()!==JSON_ERROR_NONE){echo json_last_error_msg();exit(1);}" 2>&1 || {
+                echo "::error::joomla.asset.json is not valid JSON"
+                ERRORS=$((ERRORS + 1))
+              }
+            fi
+            echo "joomla.asset.json: valid"
+          fi
+
+          # Validate all XML files in src/ are well-formed
+          XML_ERRORS=0
+          if command -v php &> /dev/null; then
+            while IFS= read -r -d '' xmlfile; do
+              if ! php -r "libxml_use_internal_errors(true); \$x = simplexml_load_file('$xmlfile'); if(!\$x){foreach(libxml_get_errors() as \$e) echo trim(\$e->message) . ' in $xmlfile'; exit(1);}" 2>&1; then
+                XML_ERRORS=$((XML_ERRORS + 1))
+              fi
+            done < <(find "$MANIFEST_DIR" -name "*.xml" -not -path "./.git/*" -print0)
+          fi
+          if [ "$XML_ERRORS" -gt 0 ]; then
+            echo "::error::${XML_ERRORS} XML file(s) are malformed"
+            ERRORS=$((ERRORS + 1))
+          else
+            echo "XML well-formedness: OK"
+          fi
+
+          [ "$ERRORS" -gt 0 ] && exit 1
+          echo "Joomla asset checks: OK"
+
+      - name: Validate platform manifest
+        run: |
+          PLATFORM="${{ steps.platform.outputs.platform }}"
+          case "$PLATFORM" in
+            joomla)
+              MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
+              if [ -z "$MANIFEST" ]; then
+                echo "::warning::No Joomla manifest found (WaaS site)"
+                exit 0
+              fi
+              echo "Manifest: ${MANIFEST}"
+              if command -v php &> /dev/null; then
+                php -r "libxml_use_internal_errors(true); \$x = simplexml_load_file('$MANIFEST'); if(!\$x){foreach(libxml_get_errors() as \$e) echo \$e->message; exit(1);}" || { echo "::error::Manifest XML is malformed"; exit 1; }
+              fi
+              for ELEMENT in name version description; do
+                grep -q "<${ELEMENT}>" "$MANIFEST" || { echo "::error::Missing <${ELEMENT}> in manifest"; exit 1; }
+              done
+              # Block legacy raw/branch update server URLs on MokoGitea
+              RAW_URLS=$(grep -n 'raw/branch' "$MANIFEST" | grep -i 'mokoconsulting\|mokogitea\|git\.mokoconsulting\.tech' || true)
+              if [ -n "$RAW_URLS" ]; then
+                echo "::error::Manifest contains legacy raw/branch update server URL on MokoGitea. Use the Gitea Pages URL instead (e.g. /{REPO}/updates.xml not /{REPO}/raw/branch/main/updates.xml)"
+                echo "$RAW_URLS"
+                exit 1
+              fi
+              echo "Joomla manifest valid"
+              ;;
+            dolibarr)
+              MOD_FILE=$(find . -maxdepth 4 -name "mod*.class.php" ! -path "./.git/*" -exec grep -l 'extends DolibarrModules' {} \; 2>/dev/null | head -1)
+              if [ -z "$MOD_FILE" ]; then
+                echo "::error::No mod*.class.php found"
+                exit 1
+              fi
+              echo "Dolibarr module: ${MOD_FILE}"
+              ;;
+            *)
+              echo "Generic platform — no manifest validation"
+              ;;
+          esac
+
+      - name: Check update stream format
+        run: |
+          PLATFORM="${{ steps.platform.outputs.platform }}"
+          case "$PLATFORM" in
+            joomla)
+              if [ -f "updates.xml" ]; then
+                if command -v php &> /dev/null; then
+                  php -r "libxml_use_internal_errors(true); \$x = simplexml_load_file('updates.xml'); if(!\$x){foreach(libxml_get_errors() as \$e) echo \$e->message; exit(1);}" || { echo "::error::updates.xml is malformed"; exit 1; }
+                fi
+                echo "updates.xml valid"
+              fi
+              ;;
+            dolibarr)
+              [ -f "update.txt" ] && echo "update.txt present" || echo "::warning::No update.txt"
+              ;;
+          esac
+
+      - name: Validate Joomla language files
+        if: steps.platform.outputs.platform == 'joomla'
+        run: |
+          ERRORS=0
+          WARNINGS=0
+
+          # Require both en-GB and en-US language directories
+          LANG_ROOT=$(find . -path "*/language" -type d -not -path "./.git/*" 2>/dev/null | head -1)
+          if [ -z "$LANG_ROOT" ]; then
+            echo "No language/ directory found — skipping"
+            exit 0
+          fi
+
+          if [ ! -d "$LANG_ROOT/en-GB" ]; then
+            echo "::error::Missing en-GB language directory (${LANG_ROOT}/en-GB)"
+            ERRORS=$((ERRORS + 1))
+          fi
+          if [ ! -d "$LANG_ROOT/en-US" ]; then
+            echo "::error::Missing en-US language directory (${LANG_ROOT}/en-US)"
+            ERRORS=$((ERRORS + 1))
+          fi
+
+          # Check that en-GB and en-US have matching .ini files
+          if [ -d "$LANG_ROOT/en-GB" ] && [ -d "$LANG_ROOT/en-US" ]; then
+            for GB_INI in "$LANG_ROOT/en-GB"/*.ini; do
+              [ ! -f "$GB_INI" ] && continue
+              US_INI="$LANG_ROOT/en-US/$(basename "$GB_INI")"
+              if [ ! -f "$US_INI" ]; then
+                echo "::error::$(basename "$GB_INI") exists in en-GB but missing from en-US"
+                ERRORS=$((ERRORS + 1))
+              fi
+            done
+            for US_INI in "$LANG_ROOT/en-US"/*.ini; do
+              [ ! -f "$US_INI" ] && continue
+              GB_INI="$LANG_ROOT/en-GB/$(basename "$US_INI")"
+              if [ ! -f "$GB_INI" ]; then
+                echo "::error::$(basename "$US_INI") exists in en-US but missing from en-GB"
+                ERRORS=$((ERRORS + 1))
+              fi
+            done
+          fi
+
+          # Find all .ini language files
+          INI_FILES=$(find . -path "*/language/*/*.ini" -not -path "./.git/*" 2>/dev/null)
+          if [ -z "$INI_FILES" ]; then
+            echo "No .ini language files found"
+            [ "$ERRORS" -gt 0 ] && exit 1
+            exit 0
+          fi
+
+          echo "Found $(echo "$INI_FILES" | wc -l) language file(s)"
+
+          for FILE in $INI_FILES; do
+            FNAME=$(basename "$FILE")
+            LINENUM=0
+            SEEN_KEYS=""
+
+            while IFS= read -r line || [ -n "$line" ]; do
+              LINENUM=$((LINENUM + 1))
+
+              # Skip empty lines and comments
+              [ -z "$line" ] && continue
+              echo "$line" | grep -qE '^\s*;' && continue
+              echo "$line" | grep -qE '^\s*$' && continue
+
+              # Must match KEY="VALUE" format
+              if ! echo "$line" | grep -qE '^[A-Z_][A-Z0-9_]*=".*"$'; then
+                echo "::error file=${FILE},line=${LINENUM}::Malformed line: ${line}"
+                ERRORS=$((ERRORS + 1))
+                continue
+              fi
+
+              # Extract key and check for duplicates
+              KEY=$(echo "$line" | sed 's/=.*//')
+              if echo "$SEEN_KEYS" | grep -qx "$KEY"; then
+                echo "::error file=${FILE},line=${LINENUM}::Duplicate key: ${KEY}"
+                ERRORS=$((ERRORS + 1))
+              fi
+              SEEN_KEYS="${SEEN_KEYS}
+          ${KEY}"
+            done < "$FILE"
+
+            echo "  ${FILE}: checked ${LINENUM} lines"
+          done
+
+          # Cross-check en-GB vs en-US key consistency
+          GB_DIR=$(find . -path "*/language/en-GB" -type d -not -path "./.git/*" 2>/dev/null | head -1)
+          US_DIR=$(find . -path "*/language/en-US" -type d -not -path "./.git/*" 2>/dev/null | head -1)
+
+          if [ -n "$GB_DIR" ] && [ -n "$US_DIR" ]; then
+            for GB_FILE in "$GB_DIR"/*.ini; do
+              [ ! -f "$GB_FILE" ] && continue
+              FNAME=$(basename "$GB_FILE")
+              US_FILE="$US_DIR/$FNAME"
+              [ ! -f "$US_FILE" ] && continue
+
+              GB_KEYS=$(grep -oP '^[A-Z_][A-Z0-9_]*(?==)' "$GB_FILE" 2>/dev/null | sort)
+              US_KEYS=$(grep -oP '^[A-Z_][A-Z0-9_]*(?==)' "$US_FILE" 2>/dev/null | sort)
+
+              # Keys in en-GB but not en-US
+              MISSING_US=$(comm -23 <(echo "$GB_KEYS") <(echo "$US_KEYS"))
+              if [ -n "$MISSING_US" ]; then
+                echo "::warning::Keys in en-GB/$FNAME but missing from en-US/$FNAME:"
+                echo "$MISSING_US" | while read -r k; do echo "  - $k"; done
+                WARNINGS=$((WARNINGS + 1))
+              fi
+
+              # Keys in en-US but not en-GB
+              MISSING_GB=$(comm -13 <(echo "$GB_KEYS") <(echo "$US_KEYS"))
+              if [ -n "$MISSING_GB" ]; then
+                echo "::warning::Keys in en-US/$FNAME but missing from en-GB/$FNAME:"
+                echo "$MISSING_GB" | while read -r k; do echo "  - $k"; done
+                WARNINGS=$((WARNINGS + 1))
+              fi
+            done
+          fi
+
+          {
+            echo "### Language File Validation"
+            echo "| Metric | Count |"
+            echo "|---|---|"
+            echo "| Files checked | $(echo "$INI_FILES" | wc -l) |"
+            echo "| Errors | ${ERRORS} |"
+            echo "| Warnings | ${WARNINGS} |"
+          } >> $GITHUB_STEP_SUMMARY
+
+          if [ "$ERRORS" -gt 0 ]; then
+            echo "::error::Language validation failed with ${ERRORS} error(s)"
+            exit 1
+          fi
+          echo "Language files: OK (${WARNINGS} warning(s))"
+
+      - name: Check changelog has unreleased entry
+        run: |
+          if [ ! -f "CHANGELOG.md" ]; then
+            echo "::warning::No CHANGELOG.md found"
+            exit 0
+          fi
+          # Check for content under [Unreleased] section
+          if ! grep -q "## \[Unreleased\]" CHANGELOG.md; then
+            echo "::error::CHANGELOG.md missing [Unreleased] section"
+            exit 1
+          fi
+          # Check there's at least one entry (Added/Changed/Fixed/Removed) under Unreleased
+          UNRELEASED_CONTENT=$(sed -n '/## \[Unreleased\]/,/## \[/p' CHANGELOG.md | grep -cE '^\s*-\s' || true)
+          if [ "$UNRELEASED_CONTENT" -eq 0 ]; then
+            echo "::error::CHANGELOG.md [Unreleased] section has no entries. Add a changelog entry describing your changes."
+            echo "## Changelog Check: Failed" >> $GITHUB_STEP_SUMMARY
+            echo "The \`[Unreleased]\` section in CHANGELOG.md has no entries." >> $GITHUB_STEP_SUMMARY
+            echo "Add a line like \`- Description of your change\` under a heading (\`### Added\`, \`### Changed\`, \`### Fixed\`, etc.)" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+          echo "Changelog: ${UNRELEASED_CONTENT} entry/entries in [Unreleased]"
+
+      - name: Verify package source
+        run: |
+          SOURCE_DIR="src"
+          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
+          if [ ! -d "$SOURCE_DIR" ]; then
+            echo "::warning::No src/ or htdocs/ directory"
+            exit 0
+          fi
+          FILE_COUNT=$(find "$SOURCE_DIR" -type f | wc -l)
+          echo "Source: ${FILE_COUNT} files"
+          [ "$FILE_COUNT" -gt 0 ] || { echo "::error::Source directory is empty"; exit 1; }
+
+  # ── Pre-Release RC Build ─────────────────────────────────────────────────
+  pre-release:
+    name: Build RC Package
+    runs-on: ubuntu-latest
+    needs: [branch-policy, validate]
+
+    steps:
+      - name: Trigger RC pre-release
+        env:
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+          REPO: ${{ github.repository }}
+          BRANCH: ${{ github.head_ref }}
+          GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+        run: |
+          curl -s -X POST             "${GITEA_URL}/api/v1/repos/${REPO}/actions/workflows/pre-release.yml/dispatches"             -H "Authorization: token ${GITEA_TOKEN}"             -H "Content-Type: application/json"             -d "{\"ref\":\"${BRANCH}\",\"inputs\":{\"stability\":\"release-candidate\"}}"
+          echo "### Pre-Release" >> $GITHUB_STEP_SUMMARY
+          echo "Triggered RC build on branch \`${BRANCH}\`" >> $GITHUB_STEP_SUMMARY
+
+  # ── Issue Reporter ──────────────────────────────────────────────────────
+  report-issues:
+    name: Report Issues
+    runs-on: ubuntu-latest
+    needs: [branch-policy, validate]
+    if: >-
+      always() &&
+      needs.validate.result == 'failure'
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: automation/ci-issue-reporter.sh
+          sparse-checkout-cone-mode: false
+
+      - name: "File issue for PR validation failure"
+        env:
+          GITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+          GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+        run: |
+          chmod +x automation/ci-issue-reporter.sh
+          ./automation/ci-issue-reporter.sh \
+            --gate "PR Validation" \
+            --workflow "PR Check" \
+            --severity error \
+            --details "PR validation failed (syntax, manifest, changelog, or source checks). See the CI run for the specific check that failed."
@@ -7,7 +7,7 @@
 # INGROUP: moko-platform.Release
 # REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 # PATH: /templates/workflows/universal/pre-release.yml.template
-# VERSION: 09.23.00
+# VERSION: 05.01.00
 # BRIEF: Manual pre-release -- builds dev/alpha/beta/rc packages from any branch

 name: "Universal: Pre-Release"
@@ -17,6 +17,10 @@ on:
    types: [closed]
    branches:
      - dev
+  pull_request_target:
+    types: [synchronize, opened, reopened]
+    branches:
+      - main
  workflow_dispatch:
    inputs:
      stability:
@@ -43,7 +47,8 @@ jobs:
    runs-on: release
    if: >-
      github.event_name == 'workflow_dispatch' ||
-      (github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'dev')
+      (github.event_name == 'pull_request' && github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'dev') ||
+      (github.event_name == 'pull_request_target' && github.event.pull_request.base.ref == 'main')

    steps:
      - name: Checkout
@@ -51,6 +56,7 @@ jobs:
        with:
          fetch-depth: 0
          token: ${{ secrets.MOKOGITEA_TOKEN }}
+          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }}

      - name: Setup moko-platform tools
        env:
@@ -60,7 +66,7 @@ jobs:
          if ! command -v composer &> /dev/null; then
            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
          fi
-          # Always fetch latest CLI tools — never use stale cache from previous runs
+          # Always fetch latest CLI tools â€” never use stale cache from previous runs
          rm -rf /tmp/moko-platform-api
          git clone --depth 1 --branch main --quiet \
            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
@@ -76,25 +82,38 @@ jobs:
      - name: Resolve metadata and bump version
        id: meta
        run: |
-          STABILITY="${{ inputs.stability || 'development' }}"
+          # Auto-detect stability: RC for PRs targeting main, else use input or default to development
+          if [ "${{ github.event_name }}" = "pull_request_target" ] && [ "${{ github.event.pull_request.base.ref }}" = "main" ]; then
+            STABILITY="release-candidate"
+          else
+            STABILITY="${{ inputs.stability || 'development' }}"
+          fi

          case "$STABILITY" in
-            development)        TAG="development" ;;
-            alpha)              TAG="alpha" ;;
-            beta)               TAG="beta" ;;
-            release-candidate)  TAG="release-candidate" ;;
+            development)        SUFFIX="-dev";   TAG="development" ;;
+            alpha)              SUFFIX="-alpha"; TAG="alpha" ;;
+            beta)               SUFFIX="-beta";  TAG="beta" ;;
+            release-candidate)  SUFFIX="-rc";    TAG="release-candidate" ;;
          esac

-          # Set stability suffix, bump preserves it, fix consistency
-          php ${MOKO_CLI}/version_set_platform.php \
-            --path . --version "$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null || echo '00.00.01')" \
-            --branch "${{ github.ref_name }}" --stability "$STABILITY" 2>/dev/null || true
-          php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
-
-          # Read final version (includes suffix, e.g. 01.02.15-dev)
+          # Read current version (bump already handled by push workflow)
          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null)
          [ -z "$VERSION" ] && VERSION="00.00.01"

+          # Strip any existing suffix from version before applying stability
+          VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')
+
+          php ${MOKO_CLI}/version_set_platform.php \
+            --path . --version "$VERSION" --branch "${{ github.ref_name }}" --stability "$STABILITY" 2>/dev/null || true
+
+          # Verify version consistency across all files
+          php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
+
+          # Update VERSION variable with suffix
+          if [ -n "$SUFFIX" ]; then
+            VERSION="${VERSION}${SUFFIX}"
+          fi
+
          # Commit version bump
          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
          git config --local user.name "gitea-actions[bot]"
@@ -118,11 +137,12 @@ jobs:

          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
+          echo "suffix=${SUFFIX}" >> "$GITHUB_OUTPUT"
          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
          echo "zip_name=${ZIP_NAME}" >> "$GITHUB_OUTPUT"
          echo "ext_element=${EXT_ELEMENT}" >> "$GITHUB_OUTPUT"

-          echo "=== Pre-Release: ${EXT_ELEMENT} ${VERSION} ==="
+          echo "=== Pre-Release: ${EXT_ELEMENT} ${VERSION}${SUFFIX} ==="

      - name: Create release
        id: release
@@ -135,6 +155,21 @@ jobs:
            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
            --repo "${GITEA_REPO}" --branch dev --prerelease

+      - name: Ensure prerelease flag
+        run: |
+          TAG="${{ steps.meta.outputs.tag }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          # Get release ID by tag and force prerelease=true
+          RELEASE_ID=$(curl -s "${API_BASE}/releases/tags/${TAG}" \
+            -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" | jq -r '.id // empty')
+          if [ -n "$RELEASE_ID" ]; then
+            curl -s -X PATCH "${API_BASE}/releases/${RELEASE_ID}" \
+              -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
+              -H "Content-Type: application/json" \
+              -d '{"prerelease": true}'
+            echo "Marked release ${TAG} (id=${RELEASE_ID}) as prerelease"
+          fi
+
      - name: Build package and upload
        id: package
        run: |
@@ -1,302 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Universal
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
-# PATH: /templates/workflows/update-server.yml
-# VERSION: 09.23.00
-# BRIEF: Pre-release build + update server XML for dev/alpha/beta/rc branches
-#
-# Thin wrapper around moko-platform CLI tools.
-# Builds packages, updates updates.xml, and optionally deploys via SFTP.
-#
-# Joomla filters update entries by the user's "Minimum Stability" setting.
-
-name: "Update Server"
-
-on:
-  push:
-    branches:
-      - 'dev'
-      - 'dev/**'
-      - 'alpha/**'
-      - 'beta/**'
-      - 'rc/**'
-    paths:
-      - 'src/**'
-      - 'htdocs/**'
-  pull_request:
-    types: [closed]
-    branches:
-      - 'dev'
-      - 'dev/**'
-      - 'alpha/**'
-      - 'beta/**'
-      - 'rc/**'
-    paths:
-      - 'src/**'
-      - 'htdocs/**'
-  workflow_dispatch:
-    inputs:
-      stability:
-        description: 'Stability tag'
-        required: true
-        default: 'development'
-        type: choice
-        options:
-          - development
-          - alpha
-          - beta
-          - rc
-          - stable
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
-  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
-
-permissions:
-  contents: write
-
-jobs:
-  update-xml:
-    name: Update Server
-    runs-on: release
-    if: >-
-      github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' || github.event_name == 'push'
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
-          fetch-depth: 0
-
-      - name: Setup moko-platform tools
-        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"http-basic":{"git.mokoconsulting.tech":{"username":"token","password":"${{ secrets.MOKOGITEA_TOKEN }}"}}}'
-        run: |
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          # Always fetch latest CLI tools — never use stale cache from previous runs
-          rm -rf /tmp/moko-platform
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
-            /tmp/moko-platform 2>/dev/null || true
-          if [ -d "/tmp/moko-platform" ] && [ -f "/tmp/moko-platform/composer.json" ]; then
-            cd /tmp/moko-platform && composer install --no-dev --no-interaction --quiet 2>/dev/null || true
-          fi
-          echo "MOKO_CLI=/tmp/moko-platform/cli" >> "$GITHUB_ENV"
-
-      - name: Detect platform
-        id: platform
-        run: php ${MOKO_CLI}/manifest_read.php --path . --github-output
-
-      - name: Resolve stability and bump version
-        id: meta
-        run: |
-          BRANCH="${{ github.ref_name }}"
-
-          # Configure git for bot pushes
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-
-          # Determine stability from branch or manual input
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            STABILITY="${{ inputs.stability }}"
-          elif [[ "$BRANCH" == rc/* ]]; then
-            STABILITY="rc"
-          elif [[ "$BRANCH" == beta/* ]]; then
-            STABILITY="beta"
-          elif [[ "$BRANCH" == alpha/* ]]; then
-            STABILITY="alpha"
-          else
-            STABILITY="development"
-          fi
-
-          # Gitea release tag per stability
-          case "$STABILITY" in
-            development) TAG="development" ;;
-            alpha)       TAG="alpha" ;;
-            beta)        TAG="beta" ;;
-            rc)          TAG="release-candidate" ;;
-            *)           TAG="stable" ;;
-          esac
-
-          # Bump patch, set platform suffix, fix consistency — version_bump preserves suffix
-          php ${MOKO_CLI}/version_set_platform.php \
-            --path . --version "$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null || echo '00.00.01')" \
-            --branch "$BRANCH" --stability "$STABILITY" 2>/dev/null || true
-          php ${MOKO_CLI}/version_bump.php --path . 2>/dev/null || true
-          php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
-
-          # Read final version (includes suffix, e.g. 01.02.15-dev)
-          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null || echo "00.00.01")
-
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
-          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
-
-          # Commit version bump if changed
-          git add -A
-          git diff --cached --quiet || {
-            git commit -m "chore(version): auto-bump ${VERSION} [skip ci]" \
-              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
-            git push
-          }
-
-      - name: Create release and upload package
-        id: package
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          TAG="${{ steps.meta.outputs.tag }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-
-          # Create or update Gitea release
-          php ${MOKO_CLI}/release_create.php \
-            --path . --version "$VERSION" --tag "$TAG" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-            --repo "${GITEA_REPO}" --branch "${{ github.ref_name }}" --prerelease
-
-          # Build package and upload
-          php ${MOKO_CLI}/release_package.php \
-            --path . --version "$VERSION" --tag "$TAG" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-            --repo "${GITEA_REPO}" --output /tmp || true
-
-      - name: Update updates.xml
-        if: steps.platform.outputs.platform == 'joomla'
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          SHA256="${{ steps.package.outputs.sha256_zip }}"
-
-          if [ ! -f "updates.xml" ]; then
-            echo "No updates.xml — skipping"
-            exit 0
-          fi
-
-          SHA_FLAG=""
-          [ -n "$SHA256" ] && SHA_FLAG="--sha ${SHA256}"
-
-          php ${MOKO_CLI}/updates_xml_build.php \
-            --path . --version "${VERSION}" --stability "${STABILITY}" \
-            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
-            ${SHA_FLAG}
-
-          # Commit and push updates.xml
-          git add updates.xml
-          git diff --cached --quiet || {
-            git commit -m "chore: update ${STABILITY} channel ${VERSION} [skip ci]"
-            git push
-          }
-
-      - name: Sync updates.xml to main
-        if: github.ref_name != 'main' && steps.platform.outputs.platform == 'joomla'
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          GITEA_TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-
-          FILE_SHA=$(curl -sf -H "Authorization: token ${GITEA_TOKEN}" \
-            "${API_BASE}/contents/updates.xml?ref=main" | python3 -c "import sys,json; print(json.load(sys.stdin).get('sha',''))" 2>/dev/null || true)
-
-          if [ -n "$FILE_SHA" ] && [ -f "updates.xml" ]; then
-            python3 -c "
-          import base64, json, urllib.request, sys
-          with open('updates.xml', 'rb') as f:
-              content = base64.b64encode(f.read()).decode()
-          payload = json.dumps({
-              'content': content,
-              'sha': '${FILE_SHA}',
-              'message': 'chore: sync updates.xml from ${{ steps.meta.outputs.stability }} [skip ci]',
-              'branch': 'main'
-          }).encode()
-          req = urllib.request.Request(
-              '${API_BASE}/contents/updates.xml',
-              data=payload, method='PUT',
-              headers={
-                  'Authorization': 'token ${GITEA_TOKEN}',
-                  'Content-Type': 'application/json'
-              })
-          try:
-              urllib.request.urlopen(req)
-              print('updates.xml synced to main')
-          except Exception as e:
-              print(f'WARNING: sync to main failed: {e}', file=sys.stderr)
-          "
-          fi
-
-      - name: SFTP deploy to dev server
-        if: contains(github.ref, 'dev/') || github.ref == 'refs/heads/dev'
-        env:
-          DEV_HOST: ${{ vars.DEV_FTP_HOST }}
-          DEV_PATH: ${{ vars.DEV_FTP_PATH }}
-          DEV_SUFFIX: ${{ vars.DEV_FTP_SUFFIX }}
-          DEV_USER: ${{ vars.DEV_FTP_USERNAME }}
-          DEV_PORT: ${{ vars.DEV_FTP_PORT }}
-          DEV_KEY: ${{ secrets.DEV_FTP_KEY }}
-          DEV_PASS: ${{ secrets.DEV_FTP_PASSWORD }}
-        run: |
-          # Permission check: admin or maintain role required
-          ACTOR="${{ github.actor }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-
-          PERMISSION=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
-            "${API_BASE}/collaborators/${ACTOR}/permission" 2>/dev/null | \
-            python3 -c "import sys,json; print(json.load(sys.stdin).get('permission','read'))" 2>/dev/null || echo "read")
-          case "$PERMISSION" in
-            admin|maintain|write) ;;
-            *)
-              echo "Deploy denied: ${ACTOR} has '${PERMISSION}' — requires admin, maintain, or write"
-              exit 0
-              ;;
-          esac
-
-          [ -z "$DEV_HOST" ] || [ -z "$DEV_PATH" ] && { echo "DEV FTP not configured — skipping SFTP"; exit 0; }
-
-          SOURCE_DIR="src"
-          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
-          [ ! -d "$SOURCE_DIR" ] && exit 0
-
-          PORT="${DEV_PORT:-22}"
-          REMOTE="${DEV_PATH%/}"
-          [ -n "$DEV_SUFFIX" ] && REMOTE="${REMOTE}/${DEV_SUFFIX#/}"
-
-          printf '{"host":"%s","port":%s,"username":"%s","remotePath":"%s"' \
-            "$DEV_HOST" "$PORT" "$DEV_USER" "$REMOTE" > /tmp/sftp-config.json
-          if [ -n "$DEV_KEY" ]; then
-            echo "$DEV_KEY" > /tmp/deploy_key && chmod 600 /tmp/deploy_key
-            printf ',"privateKeyPath":"/tmp/deploy_key"}' >> /tmp/sftp-config.json
-          else
-            printf ',"password":"%s"}' "$DEV_PASS" >> /tmp/sftp-config.json
-          fi
-
-          PLATFORM=$(php ${MOKO_CLI}/platform_detect.php --path . 2>/dev/null || true)
-          if [ "$PLATFORM" = "waas-component" ] && [ -f "${MOKO_CLI}/../deploy/deploy-joomla.php" ]; then
-            php ${MOKO_CLI}/../deploy/deploy-joomla.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
-          elif [ -f "${MOKO_CLI}/../deploy/deploy-sftp.php" ]; then
-            php ${MOKO_CLI}/../deploy/deploy-sftp.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
-          fi
-          rm -f /tmp/deploy_key /tmp/sftp-config.json
-          echo "SFTP deploy to dev complete" >> $GITHUB_STEP_SUMMARY
-
-      - name: Summary
-        if: always()
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          DISPLAY="${VERSION}"
-          echo "## Update Server" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
-          echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
-          echo "| Stability | \`${STABILITY}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Version | \`${DISPLAY}\` |" >> $GITHUB_STEP_SUMMARY
@@ -14,12 +14,11 @@
 INGROUP: MokoWaaS.Documentation
 REPO: https://github.com/mokoconsulting-tech/mokowaas
 PATH: ./CHANGELOG.md
- VERSION: 02.32.10
+ VERSION: 02.34.00
 BRIEF: Version history using `Keep a Changelog`
 -->

-# Changelog
-## [02.32.00] - 2026-06-02
+# Changelog## [02.32.00] - 2026-06-02
 ### Added
 - Admin control panel dashboard in com_mokowaas with site info bar, feature plugin grid, and quick actions
 - Feature plugin architecture — MokoWaaS features split into toggleable plugins managed from the dashboard
@@ -108,13 +107,3 @@
 ## [02.20.00] --- 2026-05-28

 ## [02.20.00] --- 2026-05-28
-
-## [02.19.00] --- 2026-05-28
-
-## [02.18.00] --- 2026-05-28
-
-
-All notable changes to the MokoWaaS plugin will be documented in this file.
-
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
-and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
@@ -14,7 +14,7 @@
 	DEFGROUP: Joomla.Plugin
 	INGROUP: MokoWaaS.Documentation
 	REPO: https://github.com/mokoconsulting-tech/mokowaas
-	VERSION: 02.32.10
+	VERSION: 02.34.00
 	PATH: ./CODE_OF_CONDUCT.md
 	BRIEF: Reference + packaging repo for Moko Consulting Developer GPT Other Default
 -->
@@ -19,7 +19,7 @@
 DEFGROUP: mokoconsulting-tech.MokoWaaSBrand
 INGROUP: MokoStandards.Governance
 REPO: https://github.com/mokoconsulting-tech/MokoWaaSBrand
- VERSION: 02.32.10
+ VERSION: 02.34.00
 PATH: /GOVERNANCE.md
 BRIEF: Project governance rules, roles, and decision process for MokoWaaSBrand
 -->
@@ -15,7 +15,7 @@
 	INGROUP: MokoWaaS.Documentation
  REPO: https://github.com/mokoconsulting-tech/mokowaas
 	PATH: ./LICENSE.md
-	VERSION: 02.32.10
+	VERSION: 02.34.00
 	BRIEF: Project license (GPL-3.0-or-later)
 -->
 										GNU GENERAL PUBLIC LICENSE
@@ -9,7 +9,7 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS
 REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS
- VERSION: 02.32.10
+ VERSION: 02.34.00
 PATH: /README.md
 BRIEF: MokoWaaS platform plugin for Joomla
 -->
@@ -23,7 +23,7 @@ DEFGROUP: [PROJECT_NAME]
 INGROUP: [PROJECT_NAME].Documentation
 REPO: [REPOSITORY_URL]
 PATH: /SECURITY.md
-VERSION: 02.32.10
+VERSION: 02.34.00
 BRIEF: Security vulnerability reporting and handling policy
 -->

@@ -0,0 +1,237 @@
+#!/usr/bin/env bash
+# ============================================================================
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Automation.CI
+# INGROUP: moko-platform.Automation
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# PATH: /automation/ci-issue-reporter.sh
+# VERSION: 09.23.00
+# BRIEF: Creates or updates a Gitea issue when a CI gate fails.
+#        Deduplicates by searching open issues with the "ci-auto" label
+#        whose title matches the gate. If a matching issue exists, a comment
+#        is appended instead of opening a duplicate.
+# ============================================================================
+
+set -euo pipefail
+
+# ── Defaults ────────────────────────────────────────────────────────────────
+GITEA_URL="${GITEA_URL:-https://git.mokoconsulting.tech}"
+GITEA_TOKEN="${GITEA_TOKEN:-}"
+REPO="${GITHUB_REPOSITORY:-}"
+RUN_URL="${GITHUB_SERVER_URL:-${GITEA_URL}}/${REPO}/actions/runs/${GITHUB_RUN_ID:-0}"
+LABEL_NAME="ci-auto"
+LABEL_COLOR="#e11d48"
+
+GATE=""
+DETAILS=""
+SEVERITY="error"
+WORKFLOW=""
+
+# ── Parse arguments ─────────────────────────────────────────────────────────
+usage() {
+  cat <<EOF
+Usage: ci-issue-reporter.sh --gate NAME --details TEXT [OPTIONS]
+
+Required:
+  --gate      CI gate name (e.g. "Code Quality", "Self-Health")
+  --details   Human-readable failure description
+
+Optional:
+  --severity  "error" (default) or "warning"
+  --workflow  Workflow name for the issue title
+  --repo      owner/repo (default: \$GITHUB_REPOSITORY)
+  --run-url   URL to the CI run (auto-detected from env)
+  --token     Gitea API token (default: \$GITEA_TOKEN)
+  --url       Gitea base URL (default: \$GITEA_URL)
+EOF
+  exit 1
+}
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --gate)     GATE="$2";       shift 2 ;;
+    --details)  DETAILS="$2";    shift 2 ;;
+    --severity) SEVERITY="$2";   shift 2 ;;
+    --workflow) WORKFLOW="$2";   shift 2 ;;
+    --repo)     REPO="$2";      shift 2 ;;
+    --run-url)  RUN_URL="$2";   shift 2 ;;
+    --token)    GITEA_TOKEN="$2"; shift 2 ;;
+    --url)      GITEA_URL="$2"; shift 2 ;;
+    -h|--help)  usage ;;
+    *)          echo "Unknown option: $1"; usage ;;
+  esac
+done
+
+[[ -z "$GATE" ]]         && { echo "ERROR: --gate is required"; usage; }
+[[ -z "$DETAILS" ]]      && { echo "ERROR: --details is required"; usage; }
+[[ -z "$GITEA_TOKEN" ]]  && { echo "ERROR: GITEA_TOKEN not set"; exit 1; }
+[[ -z "$REPO" ]]         && { echo "ERROR: GITHUB_REPOSITORY not set"; exit 1; }
+
+API="${GITEA_URL}/api/v1/repos/${REPO}"
+
+# ── Build title ─────────────────────────────────────────────────────────────
+if [[ -n "$WORKFLOW" ]]; then
+  TITLE="[CI] ${WORKFLOW}: ${GATE} failed"
+else
+  TITLE="[CI] ${GATE} failed"
+fi
+
+# ── Ensure label exists ─────────────────────────────────────────────────────
+ensure_label() {
+  local exists
+  exists=$(curl -sf -o /dev/null -w '%{http_code}' \
+    -H "Authorization: token ${GITEA_TOKEN}" \
+    "${API}/labels" 2>/dev/null || echo "000")
+
+  if [[ "$exists" == "200" ]]; then
+    # Check if label already exists
+    local found
+    found=$(curl -sf \
+      -H "Authorization: token ${GITEA_TOKEN}" \
+      "${API}/labels" 2>/dev/null \
+      | grep -o "\"name\":\"${LABEL_NAME}\"" || true)
+
+    if [[ -z "$found" ]]; then
+      curl -sf -X POST \
+        -H "Authorization: token ${GITEA_TOKEN}" \
+        -H "Content-Type: application/json" \
+        "${API}/labels" \
+        -d "{\"name\":\"${LABEL_NAME}\",\"color\":\"${LABEL_COLOR}\",\"description\":\"Auto-created by CI issue reporter\"}" \
+        > /dev/null 2>&1 || true
+    fi
+  fi
+}
+
+# ── Search for existing open issue ──────────────────────────────────────────
+find_existing_issue() {
+  # URL-encode the gate name for the query
+  local query
+  query=$(printf '%s' "[CI] ${GATE}" | sed 's/ /%20/g; s/\[/%5B/g; s/\]/%5D/g')
+
+  local response
+  response=$(curl -sf \
+    -H "Authorization: token ${GITEA_TOKEN}" \
+    "${API}/issues?type=issues&state=open&labels=${LABEL_NAME}&q=${query}&limit=5" \
+    2>/dev/null || echo "[]")
+
+  # Extract the first matching issue number
+  echo "$response" \
+    | grep -oP '"number":\s*\K[0-9]+' \
+    | head -1
+}
+
+# ── Build issue body ────────────────────────────────────────────────────────
+build_body() {
+  local severity_badge
+  if [[ "$SEVERITY" == "error" ]]; then
+    severity_badge="**Severity:** Error"
+  else
+    severity_badge="**Severity:** Warning"
+  fi
+
+  cat <<BODY
+## CI Gate Failure: ${GATE}
+
+${severity_badge}
+**Workflow:** ${WORKFLOW:-unknown}
+**Branch:** ${GITHUB_REF_NAME:-unknown}
+**Commit:** \`${GITHUB_SHA:0:8}\`
+**Run:** [View CI run](${RUN_URL})
+
+### Details
+
+${DETAILS}
+
+### Resolution
+
+Fix the issue described above and push a new commit. This issue will be closed automatically when the gate passes, or can be closed manually.
+
+---
+*Auto-created by [ci-issue-reporter](${GITEA_URL}/${REPO}/src/branch/main/automation/ci-issue-reporter.sh)*
+BODY
+}
+
+# ── Build comment body (for existing issues) ────────────────────────────────
+build_comment() {
+  cat <<COMMENT
+### CI failure recurrence
+
+**Branch:** ${GITHUB_REF_NAME:-unknown}
+**Commit:** \`${GITHUB_SHA:0:8}\`
+**Run:** [View CI run](${RUN_URL})
+
+${DETAILS}
+COMMENT
+}
+
+# ── Main ────────────────────────────────────────────────────────────────────
+ensure_label
+
+EXISTING=$(find_existing_issue)
+
+if [[ -n "$EXISTING" ]]; then
+  # Append comment to existing issue
+  COMMENT_BODY=$(build_comment)
+  COMMENT_JSON=$(printf '%s' "$COMMENT_BODY" | python3 -c "
+import sys, json
+print(json.dumps({'body': sys.stdin.read()}))" 2>/dev/null)
+
+  HTTP=$(curl -sf -o /dev/null -w '%{http_code}' -X POST \
+    -H "Authorization: token ${GITEA_TOKEN}" \
+    -H "Content-Type: application/json" \
+    "${API}/issues/${EXISTING}/comments" \
+    -d "${COMMENT_JSON}" 2>/dev/null || echo "000")
+
+  if [[ "$HTTP" == "201" ]]; then
+    echo "Commented on existing issue #${EXISTING}"
+  else
+    echo "WARNING: Failed to comment on issue #${EXISTING} (HTTP ${HTTP})"
+  fi
+else
+  # Create new issue
+  ISSUE_BODY=$(build_body)
+  ISSUE_JSON=$(python3 -c "
+import sys, json
+body = sys.stdin.read()
+print(json.dumps({
+    'title': sys.argv[1],
+    'body': body,
+    'labels': []
+}))" "$TITLE" <<< "$ISSUE_BODY" 2>/dev/null)
+
+  # Create the issue
+  RESPONSE=$(curl -sf -X POST \
+    -H "Authorization: token ${GITEA_TOKEN}" \
+    -H "Content-Type: application/json" \
+    "${API}/issues" \
+    -d "${ISSUE_JSON}" 2>/dev/null || echo "{}")
+
+  ISSUE_NUM=$(echo "$RESPONSE" | grep -oP '"number":\s*\K[0-9]+' | head -1)
+
+  if [[ -n "$ISSUE_NUM" ]]; then
+    # Apply label (separate call — more reliable across Gitea versions)
+    LABEL_ID=$(curl -sf \
+      -H "Authorization: token ${GITEA_TOKEN}" \
+      "${API}/labels" 2>/dev/null \
+      | grep -oP "\"id\":\s*\K[0-9]+(?=[^}]*\"name\":\s*\"${LABEL_NAME}\")" \
+      | head -1 || true)
+
+    if [[ -n "$LABEL_ID" ]]; then
+      curl -sf -X POST \
+        -H "Authorization: token ${GITEA_TOKEN}" \
+        -H "Content-Type: application/json" \
+        "${API}/issues/${ISSUE_NUM}/labels" \
+        -d "{\"labels\":[${LABEL_ID}]}" \
+        > /dev/null 2>&1 || true
+    fi
+
+    echo "Created issue #${ISSUE_NUM}: ${TITLE}"
+  else
+    echo "WARNING: Failed to create issue"
+    echo "Response: ${RESPONSE}"
+  fi
+fi
@@ -11,13 +11,13 @@
 INGROUP: MokoWaaS.Build
 REPO: https://github.com/mokoconsulting-tech/mokowaas
 FILE: build-guide.md
- VERSION: 02.32.10
+ VERSION: 02.34.00
 PATH: /docs/guides/
 BRIEF: Build and packaging guide for the MokoWaaS system plugin
 NOTE: Defines environment setup, repository layout, packaging rules, and release preparation
 -->

-# MokoWaaS Build Guide (VERSION: 02.32.10)
+# MokoWaaS Build Guide (VERSION: 02.34.00)

 ## 1. Purpose

@@ -10,13 +10,13 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS.Guides
 REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.32.10
+ VERSION: 02.34.00
 PATH: /docs/guides/configuration-guide.md
 BRIEF: Configuration guide for the MokoWaaS system plugin
 NOTE: Defines plugin parameters, expected behaviors, and recommended defaults
 -->

-# MokoWaaS Configuration Guide (VERSION: 02.32.10)
+# MokoWaaS Configuration Guide (VERSION: 02.34.00)

 ## 1. Objective

@@ -10,13 +10,13 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS.Guides
 REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.32.10
+ VERSION: 02.34.00
 PATH: /docs/guides/installation-guide.md
 BRIEF: Installation guide for the MokoWaaS system plugin
 NOTE: First document in the guide set
 -->

-# MokoWaaS Installation Guide (VERSION: 02.32.10)
+# MokoWaaS Installation Guide (VERSION: 02.34.00)

 ## Introduction

@@ -10,13 +10,13 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS.Guides
 REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.32.10
+ VERSION: 02.34.00
 PATH: /docs/guides/operations-guide.md
 BRIEF: Operational guide for administering and managing the MokoWaaS system plugin
 NOTE: Defines lifecycle, responsibilities, and operational behaviors
 -->

-# MokoWaaS Operations Guide (VERSION: 02.32.10)
+# MokoWaaS Operations Guide (VERSION: 02.34.00)

 ## Introduction

@@ -10,13 +10,13 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS.Guides
 REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.32.10
+ VERSION: 02.34.00
 PATH: /docs/guides/rollback-and-recovery-guide.md
 BRIEF: Rollback and recovery guide for restoring stable operation after plugin related incidents
 NOTE: Completes the core guide set for WaaS plugin governance
 -->

-# MokoWaaS Rollback and Recovery Guide (VERSION: 02.32.10)
+# MokoWaaS Rollback and Recovery Guide (VERSION: 02.34.00)

 ## Introduction

@@ -7,13 +7,13 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS.Guides
 REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.32.10
+ VERSION: 02.34.00
 PATH: /docs/guides/testing-guide.md
 BRIEF: Testing guide for MokoWaaS v02.01.08
 NOTE: Covers manual test procedures for language overrides, install/uninstall, and configuration
 -->

-# MokoWaaS Testing Guide (VERSION: 02.32.10)
+# MokoWaaS Testing Guide (VERSION: 02.34.00)

 ## 1. Prerequisites

@@ -10,13 +10,13 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS.Guides
 REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.32.10
+ VERSION: 02.34.00
 PATH: /docs/guides/troubleshooting-guide.md
 BRIEF: Troubleshooting guide for diagnosing and resolving issues related to the MokoWaaS plugin
 NOTE: Designed for administrators and WaaS operations teams
 -->

-# MokoWaaS Troubleshooting Guide (VERSION: 02.32.10)
+# MokoWaaS Troubleshooting Guide (VERSION: 02.34.00)

 ## Introduction

@@ -10,13 +10,13 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS.Guides
 REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.32.10
+ VERSION: 02.34.00
 PATH: /docs/guides/upgrade-and-versioning-guide.md
 BRIEF: Guide for updating, versioning, and maintaining the MokoWaaS plugin
 NOTE: Defines release flow, version rules, and upgrade validation
 -->

-# MokoWaaS Upgrade and Versioning Guide (VERSION: 02.32.10)
+# MokoWaaS Upgrade and Versioning Guide (VERSION: 02.34.00)

 ## Introduction

@@ -10,13 +10,13 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS.Documentation
 REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.32.10
+ VERSION: 02.34.00
 PATH: /docs/index.md
 BRIEF: Master index of all documentation for the MokoWaaS plugin
 NOTE: Automatically maintained index for all guide canvases
 -->

-# MokoWaaS Documentation Index (VERSION: 02.32.10)
+# MokoWaaS Documentation Index (VERSION: 02.34.00)

 ## Introduction

@@ -11,12 +11,12 @@
 INGROUP: MokoWaaS
 REPO: https://github.com/mokoconsulting-tech/mokowaas
 PATH: /docs/plugin-basic.md
- VERSION: 02.32.10
+ VERSION: 02.34.00
 BRIEF: Baseline documentation for the MokoWaaS system plugin
 NOTE: Foundational reference for internal and external stakeholders
 -->

-# MokoWaaS Plugin Overview (VERSION: 02.32.10)
+# MokoWaaS Plugin Overview (VERSION: 02.34.00)

 ## Introduction

@@ -10,7 +10,7 @@ DEFGROUP: MokoWaaS.Documentation
 INGROUP: MokoStandards.Templates
 REPO: https://github.com/mokoconsulting-tech/MokoWaaS
 PATH: /docs/update-server.md
-VERSION: 02.32.10
+VERSION: 02.34.00
 BRIEF: How this extension's Joomla update server file (update.xml) is managed
 -->

@@ -16,3 +16,6 @@ COM_MOKOWAAS_CONFIGURE="Configure"
 COM_MOKOWAAS_TOGGLE_SUCCESS="Plugin state updated."
 COM_MOKOWAAS_TOGGLE_FAIL="Failed to update plugin state."
 COM_MOKOWAAS_CACHE_CLEARED="Cache cleared successfully."
+COM_MOKOWAAS_EXTENSIONS_TITLE="Moko Extensions"
+COM_MOKOWAAS_EXTENSIONS_INFO="Install Moko Consulting Joomla packages from the official release server. Updates are handled through Joomla's native System > Update mechanism — each package registers its own update server."
+COM_MOKOWAAS_EXTENSIONS_LINK="Moko Extensions"
@@ -88,4 +88,38 @@ class DisplayController extends BaseController
 		echo json_encode($result);
 		$app->close();
 	}
+
+	/**
+	 * Install a Moko extension from a download URL.
+	 */
+	public function installExtension()
+	{
+		Session::checkToken() or die(Text::_('JINVALID_TOKEN'));
+
+		$app  = Factory::getApplication();
+		$user = $app->getIdentity();
+
+		if (!$user->authorise('core.admin'))
+		{
+			$app->setHeader('Content-Type', 'application/json');
+			echo json_encode(['success' => false, 'message' => Text::_('JLIB_APPLICATION_ERROR_ACCESS_FORBIDDEN')]);
+			$app->close();
+		}
+
+		$downloadUrl = $app->getInput()->getString('download_url', '');
+
+		if (empty($downloadUrl))
+		{
+			$app->setHeader('Content-Type', 'application/json');
+			echo json_encode(['success' => false, 'message' => 'Missing download URL.']);
+			$app->close();
+		}
+
+		$model  = $this->getModel('Extensions');
+		$result = $model->installFromUrl($downloadUrl);
+
+		$app->setHeader('Content-Type', 'application/json');
+		echo json_encode($result);
+		$app->close();
+	}
 }
@@ -32,7 +32,7 @@ class DashboardModel extends BaseDatabaseModel
 			'icon'        => 'icon-lock',
 			'category'    => 'security',
 			'label'       => 'Firewall',
-			'description' => 'HTTPS enforcement, trusted IPs, session timeout, upload restrictions, and password policy.',
+			'description' => 'Web Application Firewall — SQLi, XSS, RFI, DFI shields, IP blocklist, admin secret URL, file protection.',
 			'protected'   => false,
 		],
 		'mokowaas_tenant' => [
@@ -302,4 +302,124 @@ class DashboardModel extends BaseDatabaseModel

 		return $meta;
 	}
+
+	/**
+	 * Get recent admin login attempts from action logs.
+	 */
+	public function getRecentLogins(int $limit = 10): array
+	{
+		try
+		{
+			$db    = $this->getDatabase();
+			$query = $db->getQuery(true)
+				->select([
+					$db->quoteName('a.message'),
+					$db->quoteName('a.log_date'),
+					$db->quoteName('a.ip_address'),
+					$db->quoteName('u.username'),
+				])
+				->from($db->quoteName('#__action_logs', 'a'))
+				->leftJoin($db->quoteName('#__users', 'u') . ' ON ' . $db->quoteName('u.id') . ' = ' . $db->quoteName('a.user_id'))
+				->where($db->quoteName('a.message_language_key') . ' LIKE ' . $db->quote('%LOGIN%'))
+				->order($db->quoteName('a.log_date') . ' DESC')
+				->setLimit($limit);
+			$db->setQuery($query);
+
+			return $db->loadObjectList() ?: [];
+		}
+		catch (\Throwable $e)
+		{
+			return [];
+		}
+	}
+
+	/**
+	 * Get pending extension updates.
+	 */
+	public function getPendingUpdates(): array
+	{
+		try
+		{
+			$db    = $this->getDatabase();
+			$query = $db->getQuery(true)
+				->select([
+					$db->quoteName('u.name'),
+					$db->quoteName('u.version'),
+					$db->quoteName('u.type'),
+					$db->quoteName('e.manifest_cache'),
+				])
+				->from($db->quoteName('#__updates', 'u'))
+				->leftJoin($db->quoteName('#__extensions', 'e') . ' ON ' . $db->quoteName('e.extension_id') . ' = ' . $db->quoteName('u.extension_id'))
+				->where($db->quoteName('u.extension_id') . ' != 0')
+				->order($db->quoteName('u.name') . ' ASC');
+			$db->setQuery($query);
+			$rows = $db->loadObjectList() ?: [];
+
+			foreach ($rows as $row)
+			{
+				$mc = json_decode($row->manifest_cache ?? '{}');
+				$row->current_version = $mc->version ?? '';
+			}
+
+			return $rows;
+		}
+		catch (\Throwable $e)
+		{
+			return [];
+		}
+	}
+
+	/**
+	 * Get checked-out items count and details.
+	 */
+	public function getCheckedOutItems(): array
+	{
+		try
+		{
+			$db    = $this->getDatabase();
+			$query = $db->getQuery(true)
+				->select([
+					$db->quoteName('c.title'),
+					$db->quoteName('c.checked_out'),
+					$db->quoteName('c.checked_out_time'),
+					$db->quoteName('u.username'),
+				])
+				->from($db->quoteName('#__content', 'c'))
+				->leftJoin($db->quoteName('#__users', 'u') . ' ON ' . $db->quoteName('u.id') . ' = ' . $db->quoteName('c.checked_out'))
+				->where($db->quoteName('c.checked_out') . ' IS NOT NULL')
+				->where($db->quoteName('c.checked_out') . ' != 0')
+				->order($db->quoteName('c.checked_out_time') . ' DESC')
+				->setLimit(10);
+			$db->setQuery($query);
+
+			return $db->loadObjectList() ?: [];
+		}
+		catch (\Throwable $e)
+		{
+			return [];
+		}
+	}
+
+	/**
+	 * Get recent WAF blocks from the log table.
+	 */
+	public function getRecentWafBlocks(int $limit = 10): array
+	{
+		try
+		{
+			$db    = $this->getDatabase();
+			$query = $db->getQuery(true)
+				->select('*')
+				->from($db->quoteName('#__mokowaas_waf_log'))
+				->order($db->quoteName('created') . ' DESC')
+				->setLimit($limit);
+			$db->setQuery($query);
+
+			return $db->loadObjectList() ?: [];
+		}
+		catch (\Throwable $e)
+		{
+			return [];
+		}
+	}
 }
@@ -0,0 +1,305 @@
+<?php
+/**
+ * @package     MokoWaaS
+ * @subpackage  com_mokowaas
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ */
+
+namespace Moko\Component\MokoWaaS\Administrator\Model;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Factory;
+use Joomla\CMS\MVC\Model\BaseDatabaseModel;
+
+/**
+ * Extension manager model — fetches Moko Consulting Joomla packages
+ * from the Gitea API and checks local install status.
+ *
+ * @since  02.32.00
+ */
+class ExtensionsModel extends BaseDatabaseModel
+{
+	/**
+	 * Curated catalog of Moko Consulting Joomla packages.
+	 * Each entry maps a Gitea repo name to local extension metadata.
+	 */
+	private const CATALOG = [
+		'MokoWaaS' => [
+			'label'       => 'MokoWaaS',
+			'description' => 'Admin dashboard, security firewall, tenant restrictions, health monitoring, and REST API.',
+			'element'     => 'pkg_mokowaas',
+			'type'        => 'package',
+			'icon'        => 'icon-shield-alt',
+			'category'    => 'Platform',
+			'article'     => 'https://mokoconsulting.tech/kb/mokowaas-platform',
+			'protected'   => true,
+		],
+		'MokoOnyx' => [
+			'label'       => 'MokoOnyx',
+			'description' => 'Modern Joomla site template with dark mode, custom layouts, and MokoWaaS integration.',
+			'element'     => 'mokoonyx',
+			'type'        => 'template',
+			'icon'        => 'icon-paint-brush',
+			'category'    => 'Templates',
+			'article'     => 'https://mokoconsulting.tech/kb/mokoonyx-template',
+			'protected'   => false,
+		],
+		'MokoJoomTOS' => [
+			'label'       => 'MokoJoomTOS',
+			'description' => 'Terms of Service and privacy policy component with consent tracking.',
+			'element'     => 'com_mokojoomtos',
+			'type'        => 'component',
+			'icon'        => 'icon-file-contract',
+			'category'    => 'Components',
+			'article'     => 'https://mokoconsulting.tech/kb/mokojoomtos',
+			'protected'   => false,
+		],
+		'MokoJoomHero' => [
+			'label'       => 'MokoJoomHero',
+			'description' => 'Random hero image module from a configurable folder.',
+			'element'     => 'mod_mokojoomhero',
+			'type'        => 'module',
+			'icon'        => 'icon-image',
+			'category'    => 'Modules',
+			'article'     => 'https://mokoconsulting.tech/kb/mokojoomhero',
+			'protected'   => false,
+		],
+		'MokoWaaSAnnounce' => [
+			'label'       => 'MokoWaaS Announce',
+			'description' => 'Centralized announcement system via admin module.',
+			'element'     => 'mod_mokowaas_announce',
+			'type'        => 'module',
+			'icon'        => 'icon-bullhorn',
+			'category'    => 'Modules',
+			'article'     => 'https://mokoconsulting.tech/kb/mokowaas-announce',
+			'protected'   => false,
+		],
+		'MokoDPCalendarAPI' => [
+			'label'       => 'DPCalendar API',
+			'description' => 'Web Services plugin exposing DPCalendar events and calendars via REST API.',
+			'element'     => 'mokodpcalendarapi',
+			'type'        => 'plugin',
+			'icon'        => 'icon-calendar',
+			'category'    => 'Plugins',
+			'article'     => 'https://mokoconsulting.tech/kb/mokodpcalendarapi',
+			'protected'   => false,
+		],
+		'MokoGalleryCalendar' => [
+			'label'       => 'Gallery Calendar',
+			'description' => 'JoomGallery and DPCalendar integration — link galleries to events.',
+			'element'     => 'mokogallerycalendar',
+			'type'        => 'plugin',
+			'icon'        => 'icon-images',
+			'category'    => 'Plugins',
+			'article'     => 'https://mokoconsulting.tech/kb/mokogallerycalendar',
+			'protected'   => false,
+		],
+	];
+
+	private const GITEA_URL = 'https://git.mokoconsulting.tech';
+	private const GITEA_ORG = 'MokoConsulting';
+
+	/**
+	 * Get the full catalog with install status and release info.
+	 *
+	 * @return  array
+	 */
+	public function getCatalog(): array
+	{
+		$installed = $this->getInstalledVersions();
+		$packages  = [];
+
+		foreach (self::CATALOG as $repo => $meta)
+		{
+			$release = $this->fetchLatestRelease($repo);
+
+			$localVersion  = $installed[$meta['element']] ?? null;
+			$remoteVersion = $release['version'] ?? '';
+			$downloadUrl   = $release['download_url'] ?? '';
+
+			$status = ($localVersion !== null) ? 'installed' : 'not_installed';
+
+			// Get extension_id for uninstall link
+			$extensionId = $this->getExtensionId($meta['element']);
+
+			$packages[] = (object) [
+				'repo'           => $repo,
+				'label'          => $meta['label'],
+				'description'    => $meta['description'],
+				'element'        => $meta['element'],
+				'type'           => $meta['type'],
+				'icon'           => $meta['icon'],
+				'category'       => $meta['category'],
+				'local_version'  => $localVersion ?? '',
+				'remote_version' => $remoteVersion,
+				'download_url'   => $downloadUrl,
+				'status'         => $status,
+				'article_url'    => $meta['article'] ?? '',
+				'protected'      => $meta['protected'] ?? false,
+				'extension_id'   => $extensionId,
+			];
+		}
+
+		return $packages;
+	}
+
+	/**
+	 * Install an extension from a remote ZIP URL.
+	 *
+	 * @param   string  $url  The download URL.
+	 *
+	 * @return  array  Result with success, message, and extension info.
+	 */
+	public function installFromUrl(string $url): array
+	{
+		$tmpPath = Factory::getConfig()->get('tmp_path', JPATH_ROOT . '/tmp');
+		$tmpFile = $tmpPath . '/mokowaas_install_' . md5($url) . '.zip';
+
+		try
+		{
+			// Download
+			$ch = curl_init($url);
+			curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+			curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
+			curl_setopt($ch, CURLOPT_TIMEOUT, 120);
+			curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+			$data = curl_exec($ch);
+			$code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
+			$error = curl_error($ch);
+			curl_close($ch);
+
+			if ($error || $code !== 200 || empty($data))
+			{
+				return ['success' => false, 'message' => 'Download failed: ' . ($error ?: "HTTP {$code}")];
+			}
+
+			file_put_contents($tmpFile, $data);
+
+			// Install via Joomla Installer
+			$installer = new \Joomla\CMS\Installer\Installer();
+			$result    = $installer->install($tmpFile);
+
+			@unlink($tmpFile);
+
+			if (!$result)
+			{
+				return ['success' => false, 'message' => 'Installation failed.'];
+			}
+
+			return [
+				'success' => true,
+				'message' => 'Installed successfully.',
+			];
+		}
+		catch (\Throwable $e)
+		{
+			@unlink($tmpFile);
+
+			return ['success' => false, 'message' => 'Error: ' . $e->getMessage()];
+		}
+	}
+
+	/**
+	 * Get installed versions of all Moko extensions.
+	 *
+	 * @return  array  element => version
+	 */
+	private function getInstalledVersions(): array
+	{
+		$db       = $this->getDatabase();
+		$elements = [];
+
+		foreach (self::CATALOG as $meta)
+		{
+			$elements[] = $db->quote($meta['element']);
+		}
+
+		$query = $db->getQuery(true)
+			->select([$db->quoteName('element'), $db->quoteName('manifest_cache')])
+			->from($db->quoteName('#__extensions'))
+			->where($db->quoteName('element') . ' IN (' . implode(',', $elements) . ')');
+		$db->setQuery($query);
+		$rows = $db->loadObjectList() ?: [];
+
+		$versions = [];
+
+		foreach ($rows as $row)
+		{
+			$mc = json_decode($row->manifest_cache ?? '{}');
+			$versions[$row->element] = $mc->version ?? '0.0.0';
+		}
+
+		return $versions;
+	}
+
+	/**
+	 * Fetch the latest release from Gitea for a repo.
+	 *
+	 * @param   string  $repo  Repository name.
+	 *
+	 * @return  array  [version, download_url] or empty.
+	 */
+	private function fetchLatestRelease(string $repo): array
+	{
+		$url = self::GITEA_URL . '/api/v1/repos/' . self::GITEA_ORG . '/' . $repo . '/releases?limit=1';
+
+		$ch = curl_init($url);
+		curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+		curl_setopt($ch, CURLOPT_TIMEOUT, 10);
+		curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+		curl_setopt($ch, CURLOPT_HTTPHEADER, ['Accept: application/json']);
+		$response = curl_exec($ch);
+		$code     = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
+		curl_close($ch);
+
+		if ($code !== 200 || empty($response))
+		{
+			return [];
+		}
+
+		$releases = json_decode($response, true);
+
+		if (empty($releases[0]))
+		{
+			return [];
+		}
+
+		$release = $releases[0];
+		$version = $release['tag_name'] ?? '';
+
+		// Find the first .zip asset
+		$downloadUrl = '';
+
+		foreach ($release['assets'] ?? [] as $asset)
+		{
+			if (str_ends_with(strtolower($asset['name'] ?? ''), '.zip'))
+			{
+				$downloadUrl = $asset['browser_download_url'] ?? '';
+				break;
+			}
+		}
+
+		return [
+			'version'      => $version,
+			'download_url' => $downloadUrl,
+		];
+	}
+
+	/**
+	 * Get the extension_id for an element (for uninstall links).
+	 */
+	private function getExtensionId(string $element): int
+	{
+		$db    = $this->getDatabase();
+		$query = $db->getQuery(true)
+			->select($db->quoteName('extension_id'))
+			->from($db->quoteName('#__extensions'))
+			->where($db->quoteName('element') . ' = ' . $db->quote($element))
+			->setLimit(1);
+		$db->setQuery($query);
+
+		return (int) $db->loadResult();
+	}
+}
@@ -17,26 +17,26 @@ use Joomla\CMS\Toolbar\ToolbarHelper;

 class HtmlView extends BaseHtmlView
 {
-	/**
-	 * @var  array  Discovered MokoWaaS feature plugins.
-	 */
 	protected $plugins = [];
-
-	/**
-	 * @var  object  Site info (Joomla version, PHP version, etc.).
-	 */
 	protected $siteInfo;
+	protected $recentLogins = [];
+	protected $pendingUpdates = [];
+	protected $checkedOutItems = [];
+	protected $wafBlocks = [];

 	public function display($tpl = null)
 	{
 		$model = $this->getModel();

-		$this->plugins  = $model->getFeaturePlugins();
-		$this->siteInfo = $model->getSiteInfo();
+		$this->plugins         = $model->getFeaturePlugins();
+		$this->siteInfo        = $model->getSiteInfo();
+		$this->recentLogins    = $model->getRecentLogins(5);
+		$this->pendingUpdates  = $model->getPendingUpdates();
+		$this->checkedOutItems = $model->getCheckedOutItems();
+		$this->wafBlocks       = $model->getRecentWafBlocks(5);

 		$this->addToolbar();

-		// Load dashboard assets
 		$wa = Factory::getApplication()->getDocument()->getWebAssetManager();
 		$wa->registerAndUseStyle('com_mokowaas.dashboard', 'com_mokowaas/dashboard.css');
 		$wa->registerAndUseScript('com_mokowaas.dashboard', 'com_mokowaas/dashboard.js', [], ['defer' => true]);
@@ -0,0 +1,41 @@
+<?php
+/**
+ * @package     MokoWaaS
+ * @subpackage  com_mokowaas
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ */
+
+namespace Moko\Component\MokoWaaS\Administrator\View\Extensions;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Factory;
+use Joomla\CMS\Language\Text;
+use Joomla\CMS\MVC\View\HtmlView as BaseHtmlView;
+use Joomla\CMS\Toolbar\ToolbarHelper;
+
+class HtmlView extends BaseHtmlView
+{
+	protected $packages = [];
+
+	public function display($tpl = null)
+	{
+		$model = $this->getModel();
+
+		$this->packages = $model->getCatalog();
+
+		$this->addToolbar();
+
+		$wa = Factory::getApplication()->getDocument()->getWebAssetManager();
+		$wa->registerAndUseStyle('com_mokowaas.dashboard', 'com_mokowaas/dashboard.css');
+
+		parent::display($tpl);
+	}
+
+	protected function addToolbar(): void
+	{
+		ToolbarHelper::title(Text::_('COM_MOKOWAAS_EXTENSIONS_TITLE'), 'puzzle-piece');
+		ToolbarHelper::back('JTOOLBAR_BACK', 'index.php?option=com_mokowaas');
+	}
+}
@@ -8,15 +8,20 @@

 defined('_JEXEC') or die;

+use Joomla\CMS\HTML\HTMLHelper;
 use Joomla\CMS\Language\Text;
 use Joomla\CMS\Router\Route;
 use Joomla\CMS\Session\Session;

 /** @var \Moko\Component\MokoWaaS\Administrator\View\Dashboard\HtmlView $this */

-$siteInfo = $this->siteInfo;
-$plugins  = $this->plugins;
-$token    = Session::getFormToken();
+$siteInfo       = $this->siteInfo;
+$plugins        = $this->plugins;
+$recentLogins   = $this->recentLogins;
+$pendingUpdates = $this->pendingUpdates;
+$checkedOut     = $this->checkedOutItems;
+$wafBlocks      = $this->wafBlocks;
+$token          = Session::getFormToken();

 // Group plugins by category
 $grouped = [];
@@ -25,7 +30,6 @@ foreach ($plugins as $plugin)
 	$grouped[$plugin->category][] = $plugin;
 }

-// Category display order
 $categoryOrder = ['core', 'security', 'monitoring', 'content', 'tools', 'api'];
 ?>

@@ -54,101 +58,212 @@ $categoryOrder = ['core', 'security', 'monitoring', 'content', 'tools', 'api'];
 				<span class="mokowaas-info-value"><span class="badge bg-secondary"><?php echo $this->escape($siteInfo->db_type); ?></span></span>
 			</div>
 			<?php if ($siteInfo->debug): ?>
-			<div class="mokowaas-info-item">
-				<span class="badge bg-warning text-dark"><?php echo Text::_('COM_MOKOWAAS_DEBUG_ON'); ?></span>
-			</div>
+			<span class="badge bg-warning text-dark"><?php echo Text::_('COM_MOKOWAAS_DEBUG_ON'); ?></span>
 			<?php endif; ?>
 			<?php if ($siteInfo->offline): ?>
-			<div class="mokowaas-info-item">
-				<span class="badge bg-danger"><?php echo Text::_('COM_MOKOWAAS_OFFLINE'); ?></span>
-			</div>
+			<span class="badge bg-danger"><?php echo Text::_('COM_MOKOWAAS_OFFLINE'); ?></span>
 			<?php endif; ?>
 		</div>
 	</div>

-	<!-- Quick Actions -->
-	<div class="mokowaas-quick-actions mb-4">
-		<div class="d-flex flex-wrap gap-2">
-			<button type="button" class="btn btn-outline-primary btn-sm" id="mokowaas-btn-cache"
+	<!-- Quick Actions (large buttons) -->
+	<div class="row g-3 mb-4">
+		<div class="col-12 col-md-4">
+			<button type="button" class="btn btn-outline-primary w-100 py-3" id="mokowaas-btn-cache"
 				data-url="<?php echo Route::_('index.php?option=com_mokowaas&task=display.clearCache&format=json'); ?>"
 				data-token="<?php echo $token; ?>">
-				<span class="icon-trash" aria-hidden="true"></span>
+				<span class="icon-trash d-block mb-1" aria-hidden="true" style="font-size:1.5rem"></span>
 				<?php echo Text::_('COM_MOKOWAAS_CLEAR_CACHE'); ?>
 			</button>
-			<a href="<?php echo Route::_('index.php?option=com_installer&view=update'); ?>" class="btn btn-outline-primary btn-sm">
-				<span class="icon-refresh" aria-hidden="true"></span>
+		</div>
+		<div class="col-12 col-md-4">
+			<a href="<?php echo Route::_('index.php?option=com_installer&view=update'); ?>" class="btn btn-outline-primary w-100 py-3">
+				<span class="icon-refresh d-block mb-1" aria-hidden="true" style="font-size:1.5rem"></span>
 				<?php echo Text::_('COM_MOKOWAAS_CHECK_UPDATES'); ?>
 			</a>
 		</div>
+		<div class="col-12 col-md-4">
+			<a href="<?php echo Route::_('index.php?option=com_mokowaas&view=extensions'); ?>" class="btn btn-outline-primary w-100 py-3">
+				<span class="icon-puzzle-piece d-block mb-1" aria-hidden="true" style="font-size:1.5rem"></span>
+				<?php echo Text::_('COM_MOKOWAAS_EXTENSIONS_LINK'); ?>
+			</a>
+		</div>
 	</div>

-	<!-- Feature Plugin Grid -->
-	<?php foreach ($categoryOrder as $catKey): ?>
-		<?php if (empty($grouped[$catKey])) continue; ?>
-		<?php
-			$catPlugins = $grouped[$catKey];
-			$first      = $catPlugins[0];
-		?>
-		<h3 class="mokowaas-category-heading mb-3">
-			<span class="badge <?php echo $this->escape($first->categoryBadge); ?>"><?php echo $this->escape($first->categoryLabel); ?></span>
-		</h3>
-		<div class="mokowaas-plugin-grid row g-3 mb-4">
-			<?php foreach ($catPlugins as $plugin): ?>
-			<div class="col-12 col-md-6 col-xl-4">
-				<div class="card mokowaas-plugin-card h-100 <?php echo $plugin->enabled ? '' : 'mokowaas-plugin-disabled'; ?>"
-					data-extension-id="<?php echo $plugin->extension_id; ?>">
-					<div class="card-body d-flex flex-column">
-						<div class="d-flex align-items-start justify-content-between mb-2">
-							<div class="d-flex align-items-center gap-2">
-								<span class="<?php echo $this->escape($plugin->icon); ?> mokowaas-plugin-icon" aria-hidden="true"></span>
-								<h5 class="card-title mb-0"><?php echo $this->escape($plugin->name); ?></h5>
-							</div>
-							<?php if ($plugin->version): ?>
-								<span class="badge bg-light text-dark"><?php echo $this->escape($plugin->version); ?></span>
-							<?php endif; ?>
-						</div>
-						<p class="card-text text-muted small flex-grow-1"><?php echo $this->escape($plugin->description); ?></p>
-						<div class="d-flex align-items-center justify-content-between mt-auto pt-2 border-top">
-							<div class="d-flex align-items-center gap-2">
-								<?php if ($plugin->protected): ?>
-									<span class="badge bg-dark" title="<?php echo Text::_('COM_MOKOWAAS_PROTECTED'); ?>"><?php echo Text::_('COM_MOKOWAAS_PROTECTED'); ?></span>
-								<?php else: ?>
-									<div class="form-check form-switch">
-										<input
-											type="checkbox"
-											class="form-check-input mokowaas-toggle"
-											role="switch"
-											id="toggle-<?php echo $plugin->extension_id; ?>"
-											data-extension-id="<?php echo $plugin->extension_id; ?>"
-											data-url="<?php echo Route::_('index.php?option=com_mokowaas&task=display.togglePlugin&format=json'); ?>"
-											data-token="<?php echo $token; ?>"
-											<?php echo $plugin->enabled ? 'checked' : ''; ?>
-										>
-										<label class="form-check-label small" for="toggle-<?php echo $plugin->extension_id; ?>">
-											<?php echo $plugin->enabled ? Text::_('COM_MOKOWAAS_ENABLED') : Text::_('COM_MOKOWAAS_DISABLED'); ?>
-										</label>
+	<!-- Three-column layout: plugins left, tables right -->
+	<div class="row">
+		<!-- Left: Feature Plugin Grid (8 cols) -->
+		<div class="col-12 col-xl-8">
+			<?php foreach ($categoryOrder as $catKey): ?>
+				<?php if (empty($grouped[$catKey])) continue; ?>
+				<?php
+					$catPlugins = $grouped[$catKey];
+					$first      = $catPlugins[0];
+				?>
+				<h3 class="mokowaas-category-heading mb-3">
+					<span class="badge <?php echo $this->escape($first->categoryBadge); ?>"><?php echo $this->escape($first->categoryLabel); ?></span>
+				</h3>
+				<div class="mokowaas-plugin-grid row g-3 mb-4">
+					<?php foreach ($catPlugins as $plugin): ?>
+					<div class="col-12 col-md-6">
+						<div class="card mokowaas-plugin-card h-100 <?php echo $plugin->enabled ? '' : 'mokowaas-plugin-disabled'; ?>"
+							data-extension-id="<?php echo $plugin->extension_id; ?>">
+							<div class="card-body d-flex flex-column">
+								<div class="d-flex align-items-start justify-content-between mb-2">
+									<div class="d-flex align-items-center gap-2">
+										<span class="<?php echo $this->escape($plugin->icon); ?> mokowaas-plugin-icon" aria-hidden="true"></span>
+										<h5 class="card-title mb-0"><?php echo $this->escape($plugin->name); ?></h5>
 									</div>
-								<?php endif; ?>
+									<?php if ($plugin->version): ?>
+										<span class="badge bg-light text-dark"><?php echo $this->escape($plugin->version); ?></span>
+									<?php endif; ?>
+								</div>
+								<p class="card-text text-muted small flex-grow-1"><?php echo $this->escape($plugin->description); ?></p>
+								<div class="d-flex align-items-center justify-content-between mt-auto pt-2 border-top">
+									<?php if ($plugin->protected): ?>
+										<span class="badge bg-dark"><?php echo Text::_('COM_MOKOWAAS_PROTECTED'); ?></span>
+									<?php else: ?>
+										<div class="form-check form-switch">
+											<input type="checkbox" class="form-check-input mokowaas-toggle" role="switch"
+												id="toggle-<?php echo $plugin->extension_id; ?>"
+												data-extension-id="<?php echo $plugin->extension_id; ?>"
+												data-url="<?php echo Route::_('index.php?option=com_mokowaas&task=display.togglePlugin&format=json'); ?>"
+												data-token="<?php echo $token; ?>"
+												<?php echo $plugin->enabled ? 'checked' : ''; ?>>
+											<label class="form-check-label small" for="toggle-<?php echo $plugin->extension_id; ?>">
+												<?php echo $plugin->enabled ? Text::_('COM_MOKOWAAS_ENABLED') : Text::_('COM_MOKOWAAS_DISABLED'); ?>
+											</label>
+										</div>
+									<?php endif; ?>
+									<?php if ($plugin->type === 'plugin'): ?>
+										<a href="<?php echo Route::_('index.php?option=com_plugins&task=plugin.edit&extension_id=' . $plugin->extension_id); ?>" class="btn btn-sm btn-outline-secondary">
+											<span class="icon-cog" aria-hidden="true"></span> <?php echo Text::_('COM_MOKOWAAS_CONFIGURE'); ?>
+										</a>
+									<?php endif; ?>
+								</div>
 							</div>
-							<?php
-								// Build configure link
-								$configUrl = '';
-								if ($plugin->type === 'plugin')
-								{
-									$configUrl = Route::_('index.php?option=com_plugins&task=plugin.edit&extension_id=' . $plugin->extension_id);
-								}
-							?>
-							<?php if ($configUrl): ?>
-								<a href="<?php echo $configUrl; ?>" class="btn btn-sm btn-outline-secondary">
-									<span class="icon-cog" aria-hidden="true"></span>
-									<?php echo Text::_('COM_MOKOWAAS_CONFIGURE'); ?>
-								</a>
-							<?php endif; ?>
 						</div>
 					</div>
+					<?php endforeach; ?>
 				</div>
-			</div>
 			<?php endforeach; ?>
 		</div>
-	<?php endforeach; ?>
+
+		<!-- Right: Information Tables (4 cols) -->
+		<div class="col-12 col-xl-4">
+
+			<!-- Pending Updates -->
+			<div class="card mb-3">
+				<div class="card-header d-flex justify-content-between align-items-center">
+					<strong><span class="icon-refresh" aria-hidden="true"></span> Pending Updates</strong>
+					<span class="badge bg-<?php echo count($pendingUpdates) > 0 ? 'warning text-dark' : 'success'; ?>"><?php echo count($pendingUpdates); ?></span>
+				</div>
+				<?php if (!empty($pendingUpdates)): ?>
+				<div class="table-responsive">
+					<table class="table table-sm table-striped mb-0">
+						<thead><tr><th>Extension</th><th>Current</th><th>Available</th></tr></thead>
+						<tbody>
+						<?php foreach ($pendingUpdates as $upd): ?>
+							<tr>
+								<td class="small"><?php echo $this->escape($upd->name); ?></td>
+								<td class="small text-muted"><?php echo $this->escape($upd->current_version); ?></td>
+								<td class="small text-success"><?php echo $this->escape($upd->version); ?></td>
+							</tr>
+						<?php endforeach; ?>
+						</tbody>
+					</table>
+				</div>
+				<?php else: ?>
+				<div class="card-body text-center text-muted small py-3">
+					<span class="icon-check-circle text-success"></span> All extensions up to date
+				</div>
+				<?php endif; ?>
+			</div>
+
+			<!-- Checked Out Items -->
+			<div class="card mb-3">
+				<div class="card-header d-flex justify-content-between align-items-center">
+					<strong><span class="icon-lock" aria-hidden="true"></span> Checked Out Items</strong>
+					<span class="badge bg-<?php echo count($checkedOut) > 0 ? 'info' : 'success'; ?>"><?php echo count($checkedOut); ?></span>
+				</div>
+				<?php if (!empty($checkedOut)): ?>
+				<div class="table-responsive">
+					<table class="table table-sm table-striped mb-0">
+						<thead><tr><th>Article</th><th>User</th><th>Since</th></tr></thead>
+						<tbody>
+						<?php foreach ($checkedOut as $item): ?>
+							<tr>
+								<td class="small"><?php echo $this->escape(mb_substr($item->title, 0, 30)); ?></td>
+								<td class="small"><?php echo $this->escape($item->username ?? ''); ?></td>
+								<td class="small text-muted"><?php echo HTMLHelper::_('date', $item->checked_out_time, 'M d H:i'); ?></td>
+							</tr>
+						<?php endforeach; ?>
+						</tbody>
+					</table>
+				</div>
+				<div class="card-footer text-center py-1">
+					<a href="<?php echo Route::_('index.php?option=com_checkin'); ?>" class="small">Global Check-in</a>
+				</div>
+				<?php else: ?>
+				<div class="card-body text-center text-muted small py-3">
+					<span class="icon-check-circle text-success"></span> No checked out items
+				</div>
+				<?php endif; ?>
+			</div>
+
+			<!-- WAF Blocks -->
+			<div class="card mb-3">
+				<div class="card-header d-flex justify-content-between align-items-center">
+					<strong><span class="icon-shield-alt" aria-hidden="true"></span> Recent WAF Blocks</strong>
+					<span class="badge bg-<?php echo count($wafBlocks) > 0 ? 'danger' : 'success'; ?>"><?php echo count($wafBlocks); ?></span>
+				</div>
+				<?php if (!empty($wafBlocks)): ?>
+				<div class="table-responsive">
+					<table class="table table-sm table-striped mb-0">
+						<thead><tr><th>IP</th><th>Rule</th><th>Time</th></tr></thead>
+						<tbody>
+						<?php foreach ($wafBlocks as $block): ?>
+							<tr>
+								<td class="small"><code><?php echo $this->escape($block->ip); ?></code></td>
+								<td class="small"><span class="badge bg-danger"><?php echo $this->escape($block->rule); ?></span></td>
+								<td class="small text-muted"><?php echo HTMLHelper::_('date', $block->created, 'M d H:i'); ?></td>
+							</tr>
+						<?php endforeach; ?>
+						</tbody>
+					</table>
+				</div>
+				<?php else: ?>
+				<div class="card-body text-center text-muted small py-3">
+					<span class="icon-check-circle text-success"></span> No recent blocks
+				</div>
+				<?php endif; ?>
+			</div>
+
+			<!-- Recent Logins -->
+			<div class="card mb-3">
+				<div class="card-header">
+					<strong><span class="icon-user" aria-hidden="true"></span> Recent Logins</strong>
+				</div>
+				<?php if (!empty($recentLogins)): ?>
+				<div class="table-responsive">
+					<table class="table table-sm table-striped mb-0">
+						<thead><tr><th>User</th><th>IP</th><th>Time</th></tr></thead>
+						<tbody>
+						<?php foreach ($recentLogins as $login): ?>
+							<tr>
+								<td class="small"><?php echo $this->escape($login->username ?? ''); ?></td>
+								<td class="small"><code><?php echo $this->escape($login->ip_address ?? ''); ?></code></td>
+								<td class="small text-muted"><?php echo HTMLHelper::_('date', $login->log_date, 'M d H:i'); ?></td>
+							</tr>
+						<?php endforeach; ?>
+						</tbody>
+					</table>
+				</div>
+				<?php else: ?>
+				<div class="card-body text-center text-muted small py-3">No login activity recorded</div>
+				<?php endif; ?>
+			</div>
+
+		</div><!-- /.col-xl-4 -->
+	</div><!-- /.row -->
 </div>
@@ -0,0 +1,154 @@
+<?php
+/**
+ * @package     MokoWaaS
+ * @subpackage  com_mokowaas
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ */
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Language\Text;
+use Joomla\CMS\Router\Route;
+use Joomla\CMS\Session\Session;
+
+/** @var \Moko\Component\MokoWaaS\Administrator\View\Extensions\HtmlView $this */
+
+$packages = $this->packages;
+$token    = Session::getFormToken();
+
+// Group by category
+$grouped = [];
+foreach ($packages as $pkg)
+{
+	$grouped[$pkg->category][] = $pkg;
+}
+
+$statusBadge = [
+	'installed'     => ['bg-success', 'Installed'],
+	'not_installed' => ['bg-secondary', 'Not Installed'],
+];
+?>
+
+<div id="mokowaas-extensions">
+	<div class="alert alert-info">
+		<span class="icon-info-circle" aria-hidden="true"></span>
+		<?php echo Text::_('COM_MOKOWAAS_EXTENSIONS_INFO'); ?>
+	</div>
+
+	<?php foreach ($grouped as $category => $pkgs): ?>
+	<h3 class="mb-3"><?php echo htmlspecialchars($category); ?></h3>
+	<div class="row g-3 mb-4">
+		<?php foreach ($pkgs as $pkg): ?>
+		<?php
+			$badge = $statusBadge[$pkg->status] ?? $statusBadge['not_installed'];
+		?>
+		<div class="col-12 col-md-6 col-xl-4">
+			<div class="card h-100">
+				<div class="card-body d-flex flex-column">
+					<div class="d-flex align-items-start justify-content-between mb-2">
+						<div class="d-flex align-items-center gap-2">
+							<span class="<?php echo htmlspecialchars($pkg->icon); ?>" aria-hidden="true" style="font-size:1.5rem;color:#1a2744"></span>
+							<div>
+								<h5 class="card-title mb-0"><?php echo htmlspecialchars($pkg->label); ?></h5>
+								<small class="text-muted"><?php echo htmlspecialchars($pkg->type); ?></small>
+							</div>
+						</div>
+						<span class="badge <?php echo $badge[0]; ?>"><?php echo $badge[1]; ?></span>
+					</div>
+
+					<p class="card-text text-muted flex-grow-1"><?php echo htmlspecialchars($pkg->description); ?></p>
+
+					<div class="d-flex align-items-center justify-content-between mt-auto pt-2 border-top">
+						<div class="small text-muted">
+							<?php if ($pkg->local_version): ?>
+								v<?php echo htmlspecialchars($pkg->local_version); ?>
+							<?php elseif ($pkg->remote_version): ?>
+								Latest: <?php echo htmlspecialchars($pkg->remote_version); ?>
+							<?php endif; ?>
+						</div>
+						<div class="d-flex gap-1">
+							<?php if ($pkg->article_url): ?>
+							<a href="<?php echo htmlspecialchars($pkg->article_url); ?>" target="_blank" class="btn btn-sm btn-outline-secondary" title="Documentation">
+								<span class="icon-book" aria-hidden="true"></span>
+							</a>
+							<?php endif; ?>
+							<?php if ($pkg->download_url && $pkg->status === 'not_installed'): ?>
+							<button type="button" class="btn btn-sm btn-primary mokowaas-install-btn"
+								data-url="<?php echo Route::_('index.php?option=com_mokowaas&task=display.installExtension&format=json'); ?>"
+								data-download="<?php echo htmlspecialchars($pkg->download_url); ?>"
+								data-token="<?php echo $token; ?>"
+								data-label="<?php echo htmlspecialchars($pkg->label); ?>">
+								<span class="icon-download" aria-hidden="true"></span>
+								Install
+							</button>
+							<?php elseif ($pkg->status === 'installed'): ?>
+							<span class="btn btn-sm btn-outline-success disabled">
+								<span class="icon-check" aria-hidden="true"></span> Installed
+							</span>
+							<?php if (!$pkg->protected && $pkg->extension_id): ?>
+							<a href="<?php echo Route::_('index.php?option=com_installer&task=manage.remove&cid[]=' . $pkg->extension_id . '&' . $token . '=1'); ?>"
+								class="btn btn-sm btn-outline-danger"
+								onclick="return confirm('Uninstall <?php echo htmlspecialchars($pkg->label); ?>?')"
+								title="Uninstall">
+								<span class="icon-times" aria-hidden="true"></span>
+							</a>
+							<?php endif; ?>
+							<?php else: ?>
+							<span class="btn btn-sm btn-outline-secondary disabled">No release</span>
+							<?php endif; ?>
+						</div>
+					</div>
+				</div>
+			</div>
+		</div>
+		<?php endforeach; ?>
+	</div>
+	<?php endforeach; ?>
+</div>
+
+<script>
+document.addEventListener('DOMContentLoaded', function() {
+	document.querySelectorAll('.mokowaas-install-btn').forEach(function(btn) {
+		btn.addEventListener('click', function() {
+			var el = this;
+			var url = el.dataset.url;
+			var downloadUrl = el.dataset.download;
+			var token = el.dataset.token;
+			var label = el.dataset.label;
+
+			if (!confirm('Install ' + label + '?')) return;
+
+			el.disabled = true;
+			var origHtml = el.textContent;
+			el.textContent = ' Installing...';
+
+			var fd = new FormData();
+			fd.append('download_url', downloadUrl);
+			fd.append(token, '1');
+
+			fetch(url, {
+				method: 'POST',
+				body: fd,
+				headers: {'X-Requested-With': 'XMLHttpRequest'}
+			})
+			.then(function(r) { return r.json(); })
+			.then(function(d) {
+				if (d.success) {
+					Joomla.renderMessages({message: [label + ': ' + d.message]});
+					location.reload();
+				} else {
+					Joomla.renderMessages({error: [label + ': ' + (d.message || 'Failed')]});
+					el.disabled = false;
+					el.textContent = origHtml;
+				}
+			})
+			.catch(function() {
+				Joomla.renderMessages({error: ['Network error']});
+				el.disabled = false;
+				el.textContent = origHtml;
+			});
+		});
+	});
+});
+</script>
@@ -20,7 +20,7 @@
 	<license>GPL-3.0-or-later</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.32.10</version>
+	<version>02.34.00</version>
 	<description>MokoWaaS admin dashboard and REST API. Provides a control panel for managing MokoWaaS feature plugins, site health monitoring, and remote management endpoints.</description>

 	<namespace path="src">Moko\Component\MokoWaaS</namespace>
@@ -5,8 +5,22 @@
 MOD_MOKOWAAS_CPANEL="MokoWaaS"
 MOD_MOKOWAAS_CPANEL_DESC="Displays MokoWaaS feature plugin status and site health on the admin dashboard."

-MOD_MOKOWAAS_CPANEL_SHOW_HEALTH_LABEL="Show Health Status"
-MOD_MOKOWAAS_CPANEL_SHOW_PLUGINS_LABEL="Show Feature Plugins"
+MOD_MOKOWAAS_CPANEL_FIELDSET_DISPLAY="Display Options"
+MOD_MOKOWAAS_CPANEL_FIELDSET_DISPLAY_DESC="Choose which sections to show in the module."
+
+MOD_MOKOWAAS_CPANEL_COLLAPSED_LABEL="Collapsed by Default"
+MOD_MOKOWAAS_CPANEL_COLLAPSED_DESC="Start the module body collapsed. Click the header to expand."
+MOD_MOKOWAAS_CPANEL_SHOW_HEALTH_LABEL="Health Status"
+MOD_MOKOWAAS_CPANEL_SHOW_STATS_LABEL="Stats Cards"
+MOD_MOKOWAAS_CPANEL_SHOW_STATS_DESC="Article count, user count, and pending updates."
+MOD_MOKOWAAS_CPANEL_SHOW_DISK_LABEL="Disk Usage"
+MOD_MOKOWAAS_CPANEL_SHOW_IP_LABEL="Current IP"
+MOD_MOKOWAAS_CPANEL_SHOW_PLUGINS_LABEL="Feature Plugins"
+MOD_MOKOWAAS_CPANEL_SHOW_ACTIONS_LABEL="Quick Actions"
+MOD_MOKOWAAS_CPANEL_SHOW_ACTIONS_DESC="Clear cache, check updates buttons."
+MOD_MOKOWAAS_CPANEL_SHOW_VERSIONS_LABEL="Joomla/PHP Versions"
+MOD_MOKOWAAS_CPANEL_SHOW_VERSIONS_DESC="Show Joomla and PHP version numbers."
+
 MOD_MOKOWAAS_CPANEL_OPEN_DASHBOARD="Control Panel"
 MOD_MOKOWAAS_CPANEL_DEBUG="Debug ON"
 MOD_MOKOWAAS_CPANEL_OFFLINE="Offline"
@@ -7,7 +7,7 @@
 	<license>GPL-3.0-or-later</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.32.10</version>
+	<version>02.34.00</version>
 	<description>MOD_MOKOWAAS_CPANEL_DESC</description>
 	<namespace path="src">Moko\Module\MokoWaaSCpanel</namespace>

@@ -24,19 +24,69 @@

 	<config>
 		<fields name="params">
-			<fieldset name="basic">
+			<fieldset name="basic"
+				label="MOD_MOKOWAAS_CPANEL_FIELDSET_DISPLAY"
+				description="MOD_MOKOWAAS_CPANEL_FIELDSET_DISPLAY_DESC">
+
+				<field name="collapsed" type="radio" default="1"
+					label="MOD_MOKOWAAS_CPANEL_COLLAPSED_LABEL"
+					description="MOD_MOKOWAAS_CPANEL_COLLAPSED_DESC"
+					layout="joomla.form.field.radio.switcher">
+					<option value="1">JYES</option>
+					<option value="0">JNO</option>
+				</field>
+
 				<field name="show_health" type="radio" default="1"
 					label="MOD_MOKOWAAS_CPANEL_SHOW_HEALTH_LABEL"
 					layout="joomla.form.field.radio.switcher">
 					<option value="0">JHIDE</option>
 					<option value="1">JSHOW</option>
 				</field>
+
+				<field name="show_stats" type="radio" default="1"
+					label="MOD_MOKOWAAS_CPANEL_SHOW_STATS_LABEL"
+					description="MOD_MOKOWAAS_CPANEL_SHOW_STATS_DESC"
+					layout="joomla.form.field.radio.switcher">
+					<option value="0">JHIDE</option>
+					<option value="1">JSHOW</option>
+				</field>
+
+				<field name="show_disk" type="radio" default="1"
+					label="MOD_MOKOWAAS_CPANEL_SHOW_DISK_LABEL"
+					layout="joomla.form.field.radio.switcher">
+					<option value="0">JHIDE</option>
+					<option value="1">JSHOW</option>
+				</field>
+
+				<field name="show_ip" type="radio" default="1"
+					label="MOD_MOKOWAAS_CPANEL_SHOW_IP_LABEL"
+					layout="joomla.form.field.radio.switcher">
+					<option value="0">JHIDE</option>
+					<option value="1">JSHOW</option>
+				</field>
+
 				<field name="show_plugins" type="radio" default="1"
 					label="MOD_MOKOWAAS_CPANEL_SHOW_PLUGINS_LABEL"
 					layout="joomla.form.field.radio.switcher">
 					<option value="0">JHIDE</option>
 					<option value="1">JSHOW</option>
 				</field>
+
+				<field name="show_actions" type="radio" default="1"
+					label="MOD_MOKOWAAS_CPANEL_SHOW_ACTIONS_LABEL"
+					description="MOD_MOKOWAAS_CPANEL_SHOW_ACTIONS_DESC"
+					layout="joomla.form.field.radio.switcher">
+					<option value="0">JHIDE</option>
+					<option value="1">JSHOW</option>
+				</field>
+
+				<field name="show_versions" type="radio" default="1"
+					label="MOD_MOKOWAAS_CPANEL_SHOW_VERSIONS_LABEL"
+					description="MOD_MOKOWAAS_CPANEL_SHOW_VERSIONS_DESC"
+					layout="joomla.form.field.radio.switcher">
+					<option value="0">JHIDE</option>
+					<option value="1">JSHOW</option>
+				</field>
 			</fieldset>
 		</fields>
 	</config>
@@ -47,6 +47,7 @@ class CpanelHelper
 	{
 		$query = $db->getQuery(true)
 			->select([
+				$db->quoteName('extension_id'),
 				$db->quoteName('name'),
 				$db->quoteName('element'),
 				$db->quoteName('enabled'),
@@ -19,9 +19,15 @@ $healthOk    = $healthOk ?? true;
 $counts      = $counts ?? (object) ['articles' => 0, 'users' => 0, 'extensions' => 0, 'updates' => 0];
 $disk        = $disk ?? (object) ['free_mb' => null, 'total_mb' => null];
 $currentIp   = $currentIp ?? '';
-$showHealth  = $params->get('show_health', 1);
-$showPlugins = $params->get('show_plugins', 1);
-$token       = Session::getFormToken();
+$collapsed    = $params->get('collapsed', 1);
+$showHealth   = $params->get('show_health', 1);
+$showStats    = $params->get('show_stats', 1);
+$showDisk     = $params->get('show_disk', 1);
+$showIp       = $params->get('show_ip', 1);
+$showPlugins  = $params->get('show_plugins', 1);
+$showActions  = $params->get('show_actions', 1);
+$showVersions = $params->get('show_versions', 1);
+$token        = Session::getFormToken();

 $enabledCount = 0;
 $totalCount   = count($plugins);
@@ -48,10 +54,10 @@ $diskPct = ($disk->total_mb && $disk->total_mb > 0)
 $diskColor = ($diskPct !== null && $diskPct > 90) ? 'bg-danger' : (($diskPct !== null && $diskPct > 75) ? 'bg-warning' : 'bg-success');
 ?>

-<div class="mod-mokowaas-cpanel p-3">
-	<!-- Header row -->
-	<div class="d-flex align-items-center justify-content-between mb-3">
-		<div class="d-flex align-items-center gap-2">
+<div class="mod-mokowaas-cpanel card p-3 mb-4">
+	<!-- Header row (always visible, acts as collapse toggle) -->
+	<div class="d-flex align-items-center justify-content-between">
+		<a class="d-flex align-items-center gap-2 text-decoration-none text-reset" data-bs-toggle="collapse" href="#mokowaas-cpanel-body" role="button" aria-expanded="<?php echo $collapsed ? 'false' : 'true'; ?>" aria-controls="mokowaas-cpanel-body">
 			<span class="icon-shield-alt" aria-hidden="true" style="font-size:1.25rem;color:#1a2744"></span>
 			<strong>MokoWaaS</strong>
 			<span class="badge bg-primary"><?php echo htmlspecialchars($siteInfo->mokowaas_version ?? ''); ?></span>
@@ -61,14 +67,18 @@ $diskColor = ($diskPct !== null && $diskPct > 90) ? 'bg-danger' : (($diskPct !==
 			<?php if (!empty($siteInfo->offline)): ?>
 				<span class="badge bg-danger">Offline</span>
 			<?php endif; ?>
-		</div>
+			<span class="icon-chevron-down small text-muted" aria-hidden="true"></span>
+		</a>
 		<a href="<?php echo Route::_('index.php?option=com_mokowaas'); ?>" class="btn btn-sm btn-primary">
 			<span class="icon-cogs" aria-hidden="true"></span>
 			<?php echo Text::_('MOD_MOKOWAAS_CPANEL_OPEN_DASHBOARD'); ?>
 		</a>
 	</div>

-	<?php if ($showHealth): ?>
+	<!-- Collapsible body -->
+	<div class="collapse<?php echo $collapsed ? '' : ' show'; ?> mt-3" id="mokowaas-cpanel-body">
+
+	<?php if ($showHealth && $showStats): ?>
 	<!-- Health + stats row -->
 	<div class="row g-2 mb-3">
 		<div class="col-6 col-md-3">
@@ -107,52 +117,38 @@ $diskColor = ($diskPct !== null && $diskPct > 90) ? 'bg-danger' : (($diskPct !==
 		</div>
 	</div>

-	<!-- Disk + IP row -->
-	<div class="d-flex flex-wrap align-items-center gap-3 mb-3 small text-muted">
-		<?php if ($diskPct !== null): ?>
-		<div class="d-flex align-items-center gap-1">
+	<!-- Info + plugins + actions (consolidated) -->
+	<div class="d-flex flex-wrap align-items-center gap-2">
+		<?php if ($showDisk && $diskPct !== null): ?>
+		<span class="text-muted d-inline-flex align-items-center gap-1">
 			<span class="icon-hdd" aria-hidden="true"></span>
-			<span>Disk <?php echo $diskPct; ?>%</span>
-			<div class="progress" style="width:60px;height:6px">
-				<div class="progress-bar <?php echo $diskColor; ?>" style="width:<?php echo $diskPct; ?>%"></div>
-			</div>
-			<span><?php echo number_format(($disk->free_mb ?? 0) / 1024, 1); ?> GB free</span>
-		</div>
+			<?php echo $diskPct; ?>%
+			<span class="progress d-inline-flex" style="width:40px;height:5px"><span class="progress-bar <?php echo $diskColor; ?>" style="width:<?php echo $diskPct; ?>%"></span></span>
+			<?php echo number_format(($disk->free_mb ?? 0) / 1024, 1); ?>G free
+		</span>
 		<?php endif; ?>
-		<?php if ($currentIp): ?>
-		<div>
-			<span class="icon-globe" aria-hidden="true"></span>
-			Your IP: <code><?php echo htmlspecialchars($currentIp); ?></code>
-		</div>
+		<?php if ($showIp && $currentIp): ?>
+		<span class="text-muted"><span class="icon-globe" aria-hidden="true"></span> <code><?php echo htmlspecialchars($currentIp); ?></code></span>
 		<?php endif; ?>
-		<div class="ms-auto">
-			Joomla <?php echo htmlspecialchars($siteInfo->joomla_version ?? ''); ?> / PHP <?php echo htmlspecialchars($siteInfo->php_version ?? ''); ?>
-		</div>
-	</div>
-	<?php endif; ?>
-
-	<?php if ($showPlugins && !empty($plugins)): ?>
-	<!-- Feature plugin badges -->
-	<div class="d-flex align-items-center gap-2 mb-3">
-		<small class="text-muted"><?php echo Text::sprintf('MOD_MOKOWAAS_CPANEL_PLUGINS_SUMMARY', $enabledCount, $totalCount); ?></small>
-		<div class="d-flex flex-wrap gap-1">
-			<?php foreach ($plugins as $p): ?>
-				<?php
-					$label = $labels[$p->element] ?? $p->element;
-					$badge = $p->enabled ? 'bg-success' : 'bg-secondary';
-					$icon  = $p->enabled ? 'icon-check' : 'icon-times';
-				?>
-				<span class="badge <?php echo $badge; ?>" title="<?php echo htmlspecialchars($p->name); ?>">
-					<span class="<?php echo $icon; ?>" aria-hidden="true"></span>
-					<?php echo htmlspecialchars($label); ?>
-				</span>
-			<?php endforeach; ?>
-		</div>
-	</div>
-	<?php endif; ?>
-
-	<!-- Quick action buttons -->
-	<div class="d-flex flex-wrap gap-2">
+		<?php if ($showVersions): ?>
+		<span class="text-muted">J<?php echo htmlspecialchars($siteInfo->joomla_version ?? ''); ?> / PHP <?php echo htmlspecialchars($siteInfo->php_version ?? ''); ?></span>
+		<?php endif; ?>
+		<?php if ($showPlugins && !empty($plugins)): ?>
+		<span class="border-start ps-2 ms-1"></span>
+		<?php foreach ($plugins as $p): ?>
+			<?php
+				$label     = $labels[$p->element] ?? $p->element;
+				$badge     = $p->enabled ? 'bg-success' : 'bg-secondary';
+				$icon      = $p->enabled ? 'icon-check' : 'icon-times';
+				$configUrl = Route::_('index.php?option=com_plugins&task=plugin.edit&extension_id=' . (int) $p->extension_id);
+			?>
+			<a href="<?php echo $configUrl; ?>" class="badge <?php echo $badge; ?> text-decoration-none" title="<?php echo htmlspecialchars($p->name); ?>">
+				<span class="<?php echo $icon; ?>" aria-hidden="true"></span> <?php echo htmlspecialchars($label); ?>
+			</a>
+		<?php endforeach; ?>
+		<?php endif; ?>
+		<?php if ($showActions): ?>
+		<span class="border-start ps-2 ms-1"></span>
 		<button type="button" class="btn btn-sm btn-outline-secondary" id="mokowaas-cpanel-cache"
 			data-url="<?php echo Route::_('index.php?option=com_mokowaas&task=display.clearCache&format=json'); ?>"
 			data-token="<?php echo $token; ?>">
@@ -162,11 +158,15 @@ $diskColor = ($diskPct !== null && $diskPct > 90) ? 'bg-danger' : (($diskPct !==
 			<span class="icon-refresh" aria-hidden="true"></span> Check Updates
 		</a>
 		<?php if ($counts->updates > 0): ?>
-		<a href="<?php echo Route::_('index.php?option=com_installer&view=update'); ?>" class="btn btn-sm btn-warning">
-			<span class="icon-upload" aria-hidden="true"></span> <?php echo $counts->updates; ?> Update<?php echo $counts->updates > 1 ? 's' : ''; ?> Available
+		<a href="<?php echo Route::_('index.php?option=com_installer&view=update'); ?>" class="badge bg-warning text-dark text-decoration-none">
+			<span class="icon-upload" aria-hidden="true"></span> <?php echo $counts->updates; ?> update<?php echo $counts->updates > 1 ? 's' : ''; ?>
 		</a>
 		<?php endif; ?>
+		<?php endif; ?>
 	</div>
+	<?php endif; ?>
+
+	</div><!-- /.collapse -->
 </div>

 <script>
@@ -22,7 +22,7 @@
 * DEFGROUP: Joomla.Plugin
 * INGROUP: MokoWaaS
 * REPO: https://github.com/mokoconsulting-tech/mokowaas
- * VERSION: 02.32.10
+ * VERSION: 02.34.00
 * PATH: /src/Extension/MokoWaaS.php
 * NOTE: Handles Joomla system events for rebranding functionality
 */
@@ -1463,6 +1463,96 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 		return true;
 	}

+	/**
+	 * Cascade enable/disable state across all MokoWaaS extensions.
+	 *
+	 * When the core system plugin (plg_system_mokowaas) is disabled,
+	 * all feature plugins and the cpanel module are also disabled.
+	 * When re-enabled, they are re-enabled too.
+	 *
+	 * @param   string  $context      The extension context
+	 * @param   array   $pks          Extension IDs being changed
+	 * @param   int     $value        New state (1=enabled, 0=disabled)
+	 *
+	 * @return  void
+	 *
+	 * @since   02.32.00
+	 */
+	public function onExtensionChangeState($context, $pks, $value)
+	{
+		if (empty($pks))
+		{
+			return;
+		}
+
+		try
+		{
+			$db = Factory::getDbo();
+
+			// Check if the core MokoWaaS plugin is among the changed extensions
+			$query = $db->getQuery(true)
+				->select($db->quoteName('extension_id'))
+				->from($db->quoteName('#__extensions'))
+				->where($db->quoteName('element') . ' = ' . $db->quote('mokowaas'))
+				->where($db->quoteName('type') . ' = ' . $db->quote('plugin'))
+				->where($db->quoteName('folder') . ' = ' . $db->quote('system'));
+			$db->setQuery($query);
+			$coreId = (int) $db->loadResult();
+
+			if (!$coreId || !\in_array($coreId, array_map('intval', $pks), true))
+			{
+				return;
+			}
+
+			// Cascade to all MokoWaaS feature plugins + module
+			$mokoElements = [
+				$db->quote('mokowaas_firewall'),
+				$db->quote('mokowaas_tenant'),
+				$db->quote('mokowaas_devtools'),
+				$db->quote('mokowaas_monitor'),
+				$db->quote('mod_mokowaas_cpanel'),
+			];
+
+			$query = $db->getQuery(true)
+				->update($db->quoteName('#__extensions'))
+				->set($db->quoteName('enabled') . ' = ' . (int) $value)
+				->where($db->quoteName('element') . ' IN (' . implode(',', $mokoElements) . ')');
+			$db->setQuery($query);
+			$db->execute();
+			$affected = $db->getAffectedRows();
+
+			// Also update module published state
+			if ($value == 0)
+			{
+				$db->setQuery(
+					$db->getQuery(true)
+						->update($db->quoteName('#__modules'))
+						->set($db->quoteName('published') . ' = 0')
+						->where($db->quoteName('module') . ' = ' . $db->quote('mod_mokowaas_cpanel'))
+				)->execute();
+			}
+			else
+			{
+				$db->setQuery(
+					$db->getQuery(true)
+						->update($db->quoteName('#__modules'))
+						->set($db->quoteName('published') . ' = 1')
+						->where($db->quoteName('module') . ' = ' . $db->quote('mod_mokowaas_cpanel'))
+				)->execute();
+			}
+
+			$state = $value ? 'enabled' : 'disabled';
+			$this->app->enqueueMessage(
+				"MokoWaaS: {$state} {$affected} associated extensions.",
+				'message'
+			);
+		}
+		catch (\Throwable $e)
+		{
+			Log::add('MokoWaaS cascade state error: ' . $e->getMessage(), Log::WARNING, 'mokowaas');
+		}
+	}
+
 	/**
 	 * Filter admin menu items for non-master users.
 	 *
@@ -7,7 +7,7 @@
 * FILE INFORMATION
 * DEFGROUP: Joomla.Plugin
 * INGROUP: MokoWaaS
- * VERSION: 02.32.10
+ * VERSION: 02.34.00
 * PATH: /src/Field/AllowedIpsField.php
 * BRIEF: Custom form field that displays the current IP whitelist
 */
@@ -8,7 +8,7 @@
 * FILE INFORMATION
 * DEFGROUP: Joomla.Plugin
 * INGROUP: MokoWaaS
- * VERSION: 02.32.10
+ * VERSION: 02.34.00
 * PATH: /src/Field/CopyableTokenField.php
 * BRIEF: Read-only token field with a copy-to-clipboard button
 */
@@ -7,7 +7,7 @@
 * FILE INFORMATION
 * DEFGROUP: Joomla.Plugin
 * INGROUP: MokoWaaS
- * VERSION: 02.32.10
+ * VERSION: 02.34.00
 * PATH: /src/Field/CurrentIpField.php
 * BRIEF: Read-only field that displays the current user's IP address
 */
@@ -8,7 +8,7 @@
 * FILE INFORMATION
 * DEFGROUP: Joomla.Plugin
 * INGROUP: MokoWaaS
- * VERSION: 02.32.10
+ * VERSION: 02.34.00
 * PATH: /src/Field/DemoTaskInfoField.php
 * BRIEF: Read-only field showing scheduled task info with link to manage it
 */
@@ -8,7 +8,7 @@
 * FILE INFORMATION
 * DEFGROUP: Joomla.Plugin
 * INGROUP: MokoWaaS
- * VERSION: 02.32.10
+ * VERSION: 02.34.00
 * PATH: /src/Field/NextResetField.php
 * BRIEF: Read-only field showing next reset time from Joomla scheduled task
 */
@@ -8,7 +8,7 @@
 * FILE INFORMATION
 * DEFGROUP: Joomla.Plugin
 * INGROUP: MokoWaaS
- * VERSION: 02.32.10
+ * VERSION: 02.34.00
 * PATH: /src/Field/SnapshotTablesField.php
 * BRIEF: Multi-select list field that loads DB tables with sensible defaults
 */
@@ -10,7 +10,7 @@
 * INGROUP: MokoWaaS
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS
 * PATH: /src/packages/plg_system_mokowaas/Service/ContentSyncReceiver.php
- * VERSION: 02.32.10
+ * VERSION: 02.34.00
 * BRIEF: Receiver-side content sync — applies incoming payload to local DB
 */

@@ -10,7 +10,7 @@
 * INGROUP: MokoWaaS
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS
 * PATH: /src/packages/plg_system_mokowaas/Service/ContentSyncService.php
- * VERSION: 02.32.10
+ * VERSION: 02.34.00
 * BRIEF: Sender-side content sync — builds payload and pushes to remote sites
 */

@@ -10,7 +10,7 @@
 * INGROUP: MokoWaaS
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS
 * PATH: /src/packages/plg_system_mokowaas/Service/DemoResetService.php
- * VERSION: 02.32.10
+ * VERSION: 02.34.00
 * BRIEF: Content-only snapshot/restore for demo site reset
 */

@@ -30,7 +30,7 @@
 	<license>GNU General Public License version 3 or later; see LICENSE.md</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.32.10</version>
+	<version>02.34.00</version>
 	<description>This plugin rebrands the Joomla system interface with MokoWaaS identity. It applies language overrides and ensures consistent branding across the platform.</description>
 	<namespace path=".">Moko\Plugin\System\MokoWaaS</namespace>
 	<scriptfile>script.php</scriptfile>
@@ -22,7 +22,7 @@
 * DEFGROUP: Joomla.Plugin
 * INGROUP: MokoWaaS
 * REPO: https://github.com/mokoconsulting-tech/mokowaas
- * VERSION: 02.32.10
+ * VERSION: 02.34.00
 * PATH: /src/script.php
 * BRIEF: Installation script for MokoWaaS plugin
 * NOTE: Handles installation, update, and uninstallation tasks including language override deployment
@@ -22,7 +22,7 @@
 * DEFGROUP: Joomla.Plugin
 * INGROUP: MokoWaaS
 * REPO: https://github.com/mokoconsulting-tech/mokowaas
- * VERSION: 02.32.10
+ * VERSION: 02.34.00
 * PATH: /src/services/provider.php
 * BRIEF: Service provider for dependency injection in Joomla 5.x
 * NOTE: Registers the plugin with Joomla's DI container
@@ -8,7 +8,7 @@
 	<license>GPL-3.0-or-later</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.32.10</version>
+	<version>02.34.00</version>
 	<description>PLG_SYSTEM_MOKOWAAS_DEVTOOLS_DESC</description>
 	<namespace path="src">Moko\Plugin\System\MokoWaaSDevTools</namespace>

@@ -3,28 +3,65 @@
 ; License: GPL-3.0-or-later

 PLG_SYSTEM_MOKOWAAS_FIREWALL="System - MokoWaaS Firewall"
-PLG_SYSTEM_MOKOWAAS_FIREWALL_DESC="HTTPS enforcement, trusted IPs, session timeout, upload restrictions, and password policy."
+PLG_SYSTEM_MOKOWAAS_FIREWALL_DESC="Web Application Firewall with security shields, IP management, request inspection, and access control."

 PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_BASIC="Network &amp; Session"
 PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_BASIC_DESC="HTTPS, session timeout, and trusted IP settings."
 PLG_SYSTEM_MOKOWAAS_FIREWALL_FORCE_HTTPS_LABEL="Force HTTPS"
-PLG_SYSTEM_MOKOWAAS_FIREWALL_FORCE_HTTPS_DESC="Redirect all HTTP requests to HTTPS. Recommended for production sites."
+PLG_SYSTEM_MOKOWAAS_FIREWALL_FORCE_HTTPS_DESC="Redirect all HTTP requests to HTTPS."
 PLG_SYSTEM_MOKOWAAS_FIREWALL_SESSION_TIMEOUT_LABEL="Admin Session Timeout (minutes)"
-PLG_SYSTEM_MOKOWAAS_FIREWALL_SESSION_TIMEOUT_DESC="Idle timeout in minutes for admin sessions. 0 = use Joomla default. Master users and trusted IPs are exempt."
+PLG_SYSTEM_MOKOWAAS_FIREWALL_SESSION_TIMEOUT_DESC="Idle timeout for admin sessions. 0 = Joomla default. Master users and trusted IPs exempt."
 PLG_SYSTEM_MOKOWAAS_FIREWALL_TRUSTED_IPS_LABEL="Trusted IPs"
-PLG_SYSTEM_MOKOWAAS_FIREWALL_TRUSTED_IPS_DESC="IP addresses or CIDR blocks that bypass session timeout. Supports exact IPs, CIDR (10.0.0.0/8), and wildcards (192.168.1.*)."
+PLG_SYSTEM_MOKOWAAS_FIREWALL_TRUSTED_IPS_DESC="IPs that bypass session timeout and WAF shields. Supports exact, CIDR, and wildcard."
+
+PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_WAF="Web Application Firewall"
+PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_WAF_DESC="Threat detection shields that inspect incoming requests."
+PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_ENABLED_LABEL="Enable WAF"
+PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_ENABLED_DESC="Master toggle for all WAF shields."
+PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_SQLI_LABEL="SQLiShield"
+PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_SQLI_DESC="Block SQL injection patterns in GET, POST, and COOKIE data."
+PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_XSS_LABEL="XSSShield"
+PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_XSS_DESC="Block cross-site scripting patterns in GET and POST data."
+PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_MUA_LABEL="MUAShield"
+PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_MUA_DESC="Block known malicious user agents (scanners, bots, attack tools)."
+PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_MUA_LIST_LABEL="User Agent Blocklist"
+PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_MUA_LIST_DESC="Comma-separated user agent fragments to block."
+PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_RFI_LABEL="RFIShield"
+PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_RFI_DESC="Block remote file inclusion attempts (URLs in GET parameters)."
+PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_DFI_LABEL="DFIShield"
+PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_DFI_DESC="Block directory traversal and local file inclusion attempts."
+
+PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_ACCESS="Access Control"
+PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_ACCESS_DESC="IP blocking, admin secret URL, and login restrictions."
+PLG_SYSTEM_MOKOWAAS_FIREWALL_IP_BLOCKLIST_LABEL="IP Deny List"
+PLG_SYSTEM_MOKOWAAS_FIREWALL_IP_BLOCKLIST_DESC="Block specific IPs or CIDR ranges. Checked before all other shields."
+PLG_SYSTEM_MOKOWAAS_FIREWALL_ADMIN_SECRET_LABEL="Admin Secret URL Parameter"
+PLG_SYSTEM_MOKOWAAS_FIREWALL_ADMIN_SECRET_DESC="Require ?secret=VALUE to access /administrator. Leave empty to disable."
+PLG_SYSTEM_MOKOWAAS_FIREWALL_ADMIN_SECRET_REDIRECT_LABEL="Secret Failure Redirect"
+PLG_SYSTEM_MOKOWAAS_FIREWALL_ADMIN_SECRET_REDIRECT_DESC="URL to redirect when admin secret is missing. Empty = 403 Forbidden."
+PLG_SYSTEM_MOKOWAAS_FIREWALL_BLOCK_FE_SU_LABEL="Forbid Frontend Super User Login"
+PLG_SYSTEM_MOKOWAAS_FIREWALL_BLOCK_FE_SU_DESC="Prevent Super User accounts from logging in on the frontend."
+
+PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_PROTECTION="File &amp; Template Protection"
+PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_PROTECTION_DESC="Block access to sensitive files and prevent template switching."
+PLG_SYSTEM_MOKOWAAS_FIREWALL_BLOCK_FILES_LABEL="Block Sensitive Files"
+PLG_SYSTEM_MOKOWAAS_FIREWALL_BLOCK_FILES_DESC="Block access to htaccess.txt, configuration.php-dist, and similar files."
+PLG_SYSTEM_MOKOWAAS_FIREWALL_BLOCK_PHP_LABEL="Block Direct PHP Access"
+PLG_SYSTEM_MOKOWAAS_FIREWALL_BLOCK_PHP_DESC="Block PHP execution in images/, media/, tmp/, cache/, logs/ directories."
+PLG_SYSTEM_MOKOWAAS_FIREWALL_BLOCK_TMPL_LABEL="Block Template Switching"
+PLG_SYSTEM_MOKOWAAS_FIREWALL_BLOCK_TMPL_DESC="Block tmpl= and template= URL parameters (tmpl=component allowed)."

 PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_PASSWORD="Password Policy"
-PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_PASSWORD_DESC="Minimum password complexity requirements for all users."
+PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_PASSWORD_DESC="Minimum password complexity requirements."
 PLG_SYSTEM_MOKOWAAS_FIREWALL_PASSWORD_LENGTH_LABEL="Minimum Password Length"
-PLG_SYSTEM_MOKOWAAS_FIREWALL_PASSWORD_LENGTH_DESC="Minimum number of characters required."
+PLG_SYSTEM_MOKOWAAS_FIREWALL_PASSWORD_LENGTH_DESC="Minimum characters required."
 PLG_SYSTEM_MOKOWAAS_FIREWALL_PASSWORD_UPPER_LABEL="Require Uppercase"
 PLG_SYSTEM_MOKOWAAS_FIREWALL_PASSWORD_NUMBER_LABEL="Require Number"
 PLG_SYSTEM_MOKOWAAS_FIREWALL_PASSWORD_SPECIAL_LABEL="Require Special Character"

 PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_UPLOADS="Upload Restrictions"
-PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_UPLOADS_DESC="Override Joomla's upload settings at runtime."
+PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_UPLOADS_DESC="Override Joomla upload settings at runtime."
 PLG_SYSTEM_MOKOWAAS_FIREWALL_UPLOAD_TYPES_LABEL="Allowed File Types"
-PLG_SYSTEM_MOKOWAAS_FIREWALL_UPLOAD_TYPES_DESC="Comma-separated list of permitted file extensions."
+PLG_SYSTEM_MOKOWAAS_FIREWALL_UPLOAD_TYPES_DESC="Comma-separated permitted file extensions."
 PLG_SYSTEM_MOKOWAAS_FIREWALL_UPLOAD_SIZE_LABEL="Max Upload Size (MB)"
-PLG_SYSTEM_MOKOWAAS_FIREWALL_UPLOAD_SIZE_DESC="Maximum file upload size in megabytes."
+PLG_SYSTEM_MOKOWAAS_FIREWALL_UPLOAD_SIZE_DESC="Maximum upload size in megabytes."
@@ -8,16 +8,24 @@
 	<license>GPL-3.0-or-later</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.32.10</version>
+	<version>02.34.00</version>
 	<description>PLG_SYSTEM_MOKOWAAS_FIREWALL_DESC</description>
 	<namespace path="src">Moko\Plugin\System\MokoWaaSFirewall</namespace>

 	<files>
 		<folder>src</folder>
+		<folder>sql</folder>
 		<folder>services</folder>
 		<folder>language</folder>
 	</files>

+	<install>
+		<sql><file driver="mysql" charset="utf8">sql/install.mysql.sql</file></sql>
+	</install>
+	<uninstall>
+		<sql><file driver="mysql" charset="utf8">sql/uninstall.mysql.sql</file></sql>
+	</uninstall>
+
 	<languages folder="language">
 		<language tag="en-GB">en-GB/plg_system_mokowaas_firewall.ini</language>
 		<language tag="en-GB">en-GB/plg_system_mokowaas_firewall.sys.ini</language>
@@ -25,6 +33,7 @@

 	<config>
 		<fields name="params">
+			<!-- Network & Session -->
 			<fieldset name="basic"
 				label="PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_BASIC"
 				description="PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_BASIC_DESC">
@@ -52,6 +61,137 @@
 					buttons="add,remove,move" />
 			</fieldset>

+			<!-- WAF Shields -->
+			<fieldset name="waf"
+				label="PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_WAF"
+				description="PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_WAF_DESC">
+
+				<field name="waf_enabled" type="radio" default="1"
+					label="PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_ENABLED_LABEL"
+					description="PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_ENABLED_DESC"
+					class="btn-group btn-group-yesno">
+					<option value="1">JYES</option>
+					<option value="0">JNO</option>
+				</field>
+
+				<field name="waf_sqli" type="radio" default="1"
+					label="PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_SQLI_LABEL"
+					description="PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_SQLI_DESC"
+					class="btn-group btn-group-yesno"
+					showon="waf_enabled:1">
+					<option value="1">JYES</option>
+					<option value="0">JNO</option>
+				</field>
+
+				<field name="waf_xss" type="radio" default="1"
+					label="PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_XSS_LABEL"
+					description="PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_XSS_DESC"
+					class="btn-group btn-group-yesno"
+					showon="waf_enabled:1">
+					<option value="1">JYES</option>
+					<option value="0">JNO</option>
+				</field>
+
+				<field name="waf_mua" type="radio" default="1"
+					label="PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_MUA_LABEL"
+					description="PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_MUA_DESC"
+					class="btn-group btn-group-yesno"
+					showon="waf_enabled:1">
+					<option value="1">JYES</option>
+					<option value="0">JNO</option>
+				</field>
+
+				<field name="waf_mua_blocklist" type="textarea"
+					label="PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_MUA_LIST_LABEL"
+					description="PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_MUA_LIST_DESC"
+					rows="4" filter="raw"
+					default="sqlmap,nikto,nmap,havij,w3af,acunetix,nessus,openvas,masscan,gobuster,dirbuster,wpscan,joomscan"
+					showon="waf_enabled:1[AND]waf_mua:1" />
+
+				<field name="waf_rfi" type="radio" default="1"
+					label="PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_RFI_LABEL"
+					description="PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_RFI_DESC"
+					class="btn-group btn-group-yesno"
+					showon="waf_enabled:1">
+					<option value="1">JYES</option>
+					<option value="0">JNO</option>
+				</field>
+
+				<field name="waf_dfi" type="radio" default="1"
+					label="PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_DFI_LABEL"
+					description="PLG_SYSTEM_MOKOWAAS_FIREWALL_WAF_DFI_DESC"
+					class="btn-group btn-group-yesno"
+					showon="waf_enabled:1">
+					<option value="1">JYES</option>
+					<option value="0">JNO</option>
+				</field>
+			</fieldset>
+
+			<!-- Access Control -->
+			<fieldset name="access_control"
+				label="PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_ACCESS"
+				description="PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_ACCESS_DESC">
+
+				<field name="ip_blocklist" type="subform"
+					label="PLG_SYSTEM_MOKOWAAS_FIREWALL_IP_BLOCKLIST_LABEL"
+					description="PLG_SYSTEM_MOKOWAAS_FIREWALL_IP_BLOCKLIST_DESC"
+					formsource="plugins/system/mokowaas/forms/trusted_ip_entry.xml"
+					multiple="true"
+					layout="joomla.form.field.subform.repeatable-table"
+					groupByFieldset="false"
+					buttons="add,remove,move" />
+
+				<field name="admin_secret" type="text"
+					label="PLG_SYSTEM_MOKOWAAS_FIREWALL_ADMIN_SECRET_LABEL"
+					description="PLG_SYSTEM_MOKOWAAS_FIREWALL_ADMIN_SECRET_DESC"
+					default="" filter="raw" hint="Leave empty to disable" />
+
+				<field name="admin_secret_redirect" type="text"
+					label="PLG_SYSTEM_MOKOWAAS_FIREWALL_ADMIN_SECRET_REDIRECT_LABEL"
+					description="PLG_SYSTEM_MOKOWAAS_FIREWALL_ADMIN_SECRET_REDIRECT_DESC"
+					default="" filter="url" hint="Empty = 403 Forbidden"
+					showon="admin_secret!:" />
+
+				<field name="block_frontend_superuser" type="radio" default="0"
+					label="PLG_SYSTEM_MOKOWAAS_FIREWALL_BLOCK_FE_SU_LABEL"
+					description="PLG_SYSTEM_MOKOWAAS_FIREWALL_BLOCK_FE_SU_DESC"
+					class="btn-group btn-group-yesno">
+					<option value="1">JYES</option>
+					<option value="0">JNO</option>
+				</field>
+			</fieldset>
+
+			<!-- File & Template Protection -->
+			<fieldset name="protection"
+				label="PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_PROTECTION"
+				description="PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_PROTECTION_DESC">
+
+				<field name="block_sensitive_files" type="radio" default="1"
+					label="PLG_SYSTEM_MOKOWAAS_FIREWALL_BLOCK_FILES_LABEL"
+					description="PLG_SYSTEM_MOKOWAAS_FIREWALL_BLOCK_FILES_DESC"
+					class="btn-group btn-group-yesno">
+					<option value="1">JYES</option>
+					<option value="0">JNO</option>
+				</field>
+
+				<field name="block_direct_php" type="radio" default="1"
+					label="PLG_SYSTEM_MOKOWAAS_FIREWALL_BLOCK_PHP_LABEL"
+					description="PLG_SYSTEM_MOKOWAAS_FIREWALL_BLOCK_PHP_DESC"
+					class="btn-group btn-group-yesno">
+					<option value="1">JYES</option>
+					<option value="0">JNO</option>
+				</field>
+
+				<field name="block_template_switch" type="radio" default="1"
+					label="PLG_SYSTEM_MOKOWAAS_FIREWALL_BLOCK_TMPL_LABEL"
+					description="PLG_SYSTEM_MOKOWAAS_FIREWALL_BLOCK_TMPL_DESC"
+					class="btn-group btn-group-yesno">
+					<option value="1">JYES</option>
+					<option value="0">JNO</option>
+				</field>
+			</fieldset>
+
+			<!-- Password Policy -->
 			<fieldset name="password_policy"
 				label="PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_PASSWORD"
 				description="PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_PASSWORD_DESC">
@@ -82,6 +222,7 @@
 				</field>
 			</fieldset>

+			<!-- Upload Restrictions -->
 			<fieldset name="uploads"
 				label="PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_UPLOADS"
 				description="PLG_SYSTEM_MOKOWAAS_FIREWALL_FIELDSET_UPLOADS_DESC">
@@ -0,0 +1,13 @@
+CREATE TABLE IF NOT EXISTS `#__mokowaas_waf_log` (
+  `id` INT UNSIGNED NOT NULL AUTO_INCREMENT,
+  `ip` VARCHAR(45) NOT NULL,
+  `uri` VARCHAR(2048) NOT NULL DEFAULT '',
+  `rule` VARCHAR(50) NOT NULL,
+  `detail` VARCHAR(512) NOT NULL DEFAULT '',
+  `user_agent` VARCHAR(512) NOT NULL DEFAULT '',
+  `created` DATETIME NOT NULL,
+  PRIMARY KEY (`id`),
+  KEY `idx_ip` (`ip`),
+  KEY `idx_rule` (`rule`),
+  KEY `idx_created` (`created`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
@@ -0,0 +1 @@
+DROP TABLE IF EXISTS `#__mokowaas_waf_log`;
@@ -11,6 +11,7 @@ namespace Moko\Plugin\System\MokoWaaSFirewall\Extension;
 defined('_JEXEC') or die;

 use Joomla\CMS\Factory;
+use Joomla\CMS\Log\Log;
 use Joomla\CMS\Plugin\CMSPlugin;
 use Joomla\CMS\Router\Route;
 use Joomla\Event\SubscriberInterface;
@@ -19,8 +20,8 @@ use Moko\Plugin\System\MokoWaaS\Helper\MokoWaaSHelper;
 /**
 * MokoWaaS Firewall Plugin
 *
- * Provides HTTPS enforcement, trusted IP management, admin session timeout,
- * upload restrictions, and password policy enforcement.
+ * Web Application Firewall with security shields, IP management,
+ * request inspection, and access control.
 *
 * @since  02.32.00
 */
@@ -28,6 +29,17 @@ class Firewall extends CMSPlugin implements SubscriberInterface
 {
 	protected $autoloadLanguage = true;

+	private const BLOCKED_FILES = [
+		'htaccess.txt', 'web.config.txt', 'configuration.php-dist',
+		'README.txt', 'LICENSE.txt', 'joomla.xml', 'robots.txt.dist',
+	];
+
+	private const BLOCKED_PHP_DIRS = [
+		'/images/', '/media/', '/tmp/', '/cache/', '/logs/',
+	];
+
+	private const DEFAULT_MUA_BLOCKLIST = 'sqlmap,nikto,nmap,havij,w3af,acunetix,nessus,openvas,masscan,gobuster,dirbuster,wpscan,joomscan';
+
 	public static function getSubscribedEvents(): array
 	{
 		return [
@@ -36,24 +48,447 @@ class Firewall extends CMSPlugin implements SubscriberInterface
 		];
 	}

+	// ==================================================================
+	// Main entry point
+	// ==================================================================
+
 	public function onAfterInitialise(): void
 	{
+		$app = $this->getApplication();
+
+		if ($app->isClient('cli'))
+		{
+			return;
+		}
+
+		$bypass = MokoWaaSHelper::isMasterUser() || $this->ipIsTrusted();
+
+		// IP blocklist runs first — explicit deny even for trusted
+		$this->checkIpBlocklist();
+
+		// Admin secret
+		if ($app->isClient('administrator'))
+		{
+			$this->checkAdminSecret();
+		}
+
+		// WAF shields — skip for trusted/master
+		if (!$bypass && $this->params->get('waf_enabled', 1))
+		{
+			$this->checkSqlInjection();
+			$this->checkXss();
+			$this->checkMaliciousUserAgent();
+			$this->checkRemoteFileInclusion();
+			$this->checkDirectFileInclusion();
+		}
+
+		// File/template protection — skip for trusted/master
+		if (!$bypass)
+		{
+			$this->checkBlockedFiles();
+			$this->checkTemplateSwitch();
+			$this->checkDirectPhpAccess();
+		}
+
+		// Existing features
 		$this->enforceHttps();
 		$this->enforceUploadRestrictions();

-		if ($this->getApplication()->isClient('administrator'))
+		if ($app->isClient('administrator'))
 		{
 			$this->enforceAdminSessionTimeout();
 		}
 	}

-	/**
-	 * Enforce password complexity rules before user save.
-	 */
+	// ==================================================================
+	// WAF Shields
+	// ==================================================================
+
+	private function checkSqlInjection(): void
+	{
+		if (!$this->params->get('waf_sqli', 1))
+		{
+			return;
+		}
+
+		$pattern = '#'
+			. 'union\s+(all\s+)?select'
+			. '|\bor\b\s+\d+=\d+'
+			. '|\band\b\s+\d+=\d+'
+			. "|\bor\b\s+['\"][^'\"]*['\"]\\s*=\\s*['\"]"
+			. '|;\s*(drop|delete|insert|update|alter|create|truncate)\b'
+			. '|/\*.*?\*/'
+			. '|--\s'
+			. '|\b(benchmark|sleep|load_file|outfile|dumpfile)\s*\('
+			. '|0x[0-9a-f]{8,}'
+			. '#i';
+
+		$match = $this->scanInput($_GET, $pattern)
+			?? $this->scanInput($_POST, $pattern)
+			?? $this->scanInput($_COOKIE, $pattern);
+
+		if ($match !== null)
+		{
+			$this->logAndBlock('sqli', $match);
+		}
+	}
+
+	private function checkXss(): void
+	{
+		if (!$this->params->get('waf_xss', 1))
+		{
+			return;
+		}
+
+		$pattern = '#'
+			. '<\s*script'
+			. '|javascript\s*:'
+			. '|vbscript\s*:'
+			. '|\bon\w+\s*='
+			. '|<\s*(iframe|object|embed|applet|form)\b'
+			. '|document\s*\.\s*(cookie|domain)'
+			. '|\beval\s*\('
+			. '|expression\s*\('
+			. '#i';
+
+		$match = $this->scanInput($_GET, $pattern)
+			?? $this->scanInput($_POST, $pattern);
+
+		if ($match !== null)
+		{
+			$this->logAndBlock('xss', $match);
+		}
+	}
+
+	private function checkMaliciousUserAgent(): void
+	{
+		if (!$this->params->get('waf_mua', 1))
+		{
+			return;
+		}
+
+		$ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
+
+		if (empty($ua))
+		{
+			return;
+		}
+
+		$blocklist = $this->params->get('waf_mua_blocklist', self::DEFAULT_MUA_BLOCKLIST);
+		$agents    = array_filter(array_map('trim', explode(',', $blocklist)));
+		$uaLower   = strtolower($ua);
+
+		foreach ($agents as $agent)
+		{
+			if (!empty($agent) && str_contains($uaLower, strtolower($agent)))
+			{
+				$this->logAndBlock('mua', $agent);
+			}
+		}
+	}
+
+	private function checkRemoteFileInclusion(): void
+	{
+		if (!$this->params->get('waf_rfi', 1))
+		{
+			return;
+		}
+
+		$pattern = '#https?://|ftp://|php://|data://|expect://|%00#i';
+		$match   = $this->scanInput($_GET, $pattern);
+
+		if ($match !== null)
+		{
+			$this->logAndBlock('rfi', $match);
+		}
+	}
+
+	private function checkDirectFileInclusion(): void
+	{
+		if (!$this->params->get('waf_dfi', 1))
+		{
+			return;
+		}
+
+		$pattern = '#\.\.[/\\\\]|/etc/(passwd|shadow|hosts)|[A-Z]:\\\\(windows|winnt)|php://(filter|input)#i';
+		$match   = $this->scanInput($_GET, $pattern);
+
+		if ($match !== null)
+		{
+			$this->logAndBlock('dfi', $match);
+		}
+	}
+
+	// ==================================================================
+	// File & Template Protection
+	// ==================================================================
+
+	private function checkBlockedFiles(): void
+	{
+		if (!$this->params->get('block_sensitive_files', 1))
+		{
+			return;
+		}
+
+		$path = strtolower(parse_url($_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH) ?? '');
+
+		foreach (self::BLOCKED_FILES as $file)
+		{
+			if (str_ends_with($path, '/' . strtolower($file)))
+			{
+				$this->logAndBlock('blocked_file', $file);
+			}
+		}
+	}
+
+	private function checkDirectPhpAccess(): void
+	{
+		if (!$this->params->get('block_direct_php', 1))
+		{
+			return;
+		}
+
+		$path = strtolower(parse_url($_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH) ?? '');
+
+		if (!str_ends_with($path, '.php'))
+		{
+			return;
+		}
+
+		foreach (self::BLOCKED_PHP_DIRS as $dir)
+		{
+			if (str_contains($path, strtolower($dir)))
+			{
+				$this->logAndBlock('blocked_php', $path);
+			}
+		}
+	}
+
+	private function checkTemplateSwitch(): void
+	{
+		if (!$this->params->get('block_template_switch', 1))
+		{
+			return;
+		}
+
+		$tmpl     = $_GET['tmpl'] ?? '';
+		$template = $_GET['template'] ?? '';
+
+		if (!empty($tmpl) && $tmpl !== 'component')
+		{
+			$this->logAndBlock('tmpl_switch', 'tmpl=' . $tmpl);
+		}
+
+		if (!empty($template))
+		{
+			$this->logAndBlock('tmpl_switch', 'template=' . $template);
+		}
+	}
+
+	// ==================================================================
+	// Access Control
+	// ==================================================================
+
+	private function checkIpBlocklist(): void
+	{
+		$entries = $this->params->get('ip_blocklist', '');
+
+		if (empty($entries))
+		{
+			return;
+		}
+
+		if (\is_string($entries))
+		{
+			$entries = json_decode($entries, true);
+		}
+
+		if (!\is_array($entries))
+		{
+			return;
+		}
+
+		$ip = $_SERVER['REMOTE_ADDR'] ?? '';
+
+		if ($this->ipMatchesList($ip, $entries))
+		{
+			$this->logAndBlock('ip_blocklist', $ip);
+		}
+	}
+
+	private function checkAdminSecret(): void
+	{
+		$secret = $this->params->get('admin_secret', '');
+
+		if (empty($secret))
+		{
+			return;
+		}
+
+		if (MokoWaaSHelper::isMasterUser() || $this->ipIsTrusted())
+		{
+			return;
+		}
+
+		$provided = $_GET['secret'] ?? '';
+
+		if ($provided === $secret)
+		{
+			Factory::getSession()->set('mokowaas.admin_secret_ok', true);
+
+			return;
+		}
+
+		if (Factory::getSession()->get('mokowaas.admin_secret_ok', false))
+		{
+			return;
+		}
+
+		$redirect = $this->params->get('admin_secret_redirect', '');
+
+		if (!empty($redirect))
+		{
+			$this->getApplication()->redirect($redirect);
+		}
+		else
+		{
+			$this->logAndBlock('admin_secret', 'missing or invalid');
+		}
+	}
+
+	// ==================================================================
+	// Logging
+	// ==================================================================
+
+	private function logAndBlock(string $rule, string $detail): void
+	{
+		$ip  = $_SERVER['REMOTE_ADDR'] ?? '';
+		$ua  = $_SERVER['HTTP_USER_AGENT'] ?? '';
+		$uri = $_SERVER['REQUEST_URI'] ?? '';
+
+		// Log to database (best-effort — don't let log failures prevent the block)
+		try
+		{
+			$db  = Factory::getDbo();
+			$row = (object) [
+				'ip'         => substr($ip, 0, 45),
+				'uri'        => substr($uri, 0, 2048),
+				'rule'       => substr($rule, 0, 50),
+				'detail'     => substr($detail, 0, 512),
+				'user_agent' => substr($ua, 0, 512),
+				'created'    => gmdate('Y-m-d H:i:s'),
+			];
+			$db->insertObject('#__mokowaas_waf_log', $row);
+		}
+		catch (\Throwable $e)
+		{
+			// Silent — blocking is more important than logging
+		}
+
+		// Hard 403 — bypass Joomla's response stack to avoid boot-order issues
+		http_response_code(403);
+		header('Content-Type: text/html; charset=utf-8');
+		echo '<!DOCTYPE html><html><head><title>403 Forbidden</title></head>'
+			. '<body><h1>403 Forbidden</h1><p>Your request has been blocked by the security firewall.</p></body></html>';
+		exit;
+	}
+
+	// ==================================================================
+	// Input Scanning
+	// ==================================================================
+
+	private function scanInput(array $input, string $pattern): ?string
+	{
+		foreach ($input as $key => $value)
+		{
+			if (\is_array($value))
+			{
+				$match = $this->scanInput($value, $pattern);
+
+				if ($match !== null)
+				{
+					return $match;
+				}
+
+				continue;
+			}
+
+			$value   = (string) $value;
+			$decoded = urldecode($value);
+
+			if (preg_match($pattern, $value) || preg_match($pattern, $decoded))
+			{
+				return substr($value, 0, 200);
+			}
+
+			if (preg_match($pattern, (string) $key))
+			{
+				return substr((string) $key, 0, 200);
+			}
+		}
+
+		return null;
+	}
+
+	private function ipMatchesList(string $ip, array $entries): bool
+	{
+		$ipLong = ip2long($ip);
+
+		if ($ipLong === false)
+		{
+			return false;
+		}
+
+		foreach ($entries as $entry)
+		{
+			if (empty($entry['enabled']) || empty($entry['ip']))
+			{
+				continue;
+			}
+
+			$range = trim($entry['ip']);
+
+			if (str_contains($range, '*'))
+			{
+				$pattern = '/^' . str_replace(['.', '*'], ['\\.', '\\d+'], $range) . '$/';
+
+				if (preg_match($pattern, $ip))
+				{
+					return true;
+				}
+
+				continue;
+			}
+
+			if (str_contains($range, '/'))
+			{
+				[$subnet, $bits] = explode('/', $range, 2);
+				$subnetLong      = ip2long($subnet);
+				$mask            = -1 << (32 - (int) $bits);
+
+				if ($subnetLong !== false && ($ipLong & $mask) === ($subnetLong & $mask))
+				{
+					return true;
+				}
+
+				continue;
+			}
+
+			if ($ip === $range)
+			{
+				return true;
+			}
+		}
+
+		return false;
+	}
+
+	// ==================================================================
+	// Existing Features
+	// ==================================================================
+
 	public function onUserBeforeSave($event): void
 	{
-		$oldUser = $event[0] ?? $event->getArgument(0, []);
-		$isNew   = $event[1] ?? $event->getArgument(1, false);
 		$newUser = $event[2] ?? $event->getArgument(2, []);

 		if (empty($newUser['password_clear']))
@@ -91,9 +526,6 @@ class Firewall extends CMSPlugin implements SubscriberInterface
 		}
 	}

-	/**
-	 * Redirect non-HTTPS requests to HTTPS.
-	 */
 	private function enforceHttps(): void
 	{
 		if (!$this->params->get('force_https', 0))
@@ -117,9 +549,6 @@ class Firewall extends CMSPlugin implements SubscriberInterface
 		}
 	}

-	/**
-	 * Enforce admin session idle timeout.
-	 */
 	private function enforceAdminSessionTimeout(): void
 	{
 		$timeout = (int) $this->params->get('admin_session_timeout', 0);
@@ -129,12 +558,7 @@ class Firewall extends CMSPlugin implements SubscriberInterface
 			return;
 		}

-		if (MokoWaaSHelper::isMasterUser())
-		{
-			return;
-		}
-
-		if ($this->ipIsTrusted())
+		if (MokoWaaSHelper::isMasterUser() || $this->ipIsTrusted())
 		{
 			return;
 		}
@@ -154,9 +578,6 @@ class Firewall extends CMSPlugin implements SubscriberInterface
 		$session->set('mokowaas.last_activity', $now);
 	}

-	/**
-	 * Check whether the current request IP matches any trusted IP entry.
-	 */
 	private function ipIsTrusted(): bool
 	{
 		$entries = $this->params->get('trusted_ips', '');
@@ -176,64 +597,9 @@ class Firewall extends CMSPlugin implements SubscriberInterface
 			return false;
 		}

-		$ip     = $_SERVER['REMOTE_ADDR'] ?? '';
-		$ipLong = ip2long($ip);
-
-		if ($ipLong === false)
-		{
-			return false;
-		}
-
-		foreach ($entries as $entry)
-		{
-			if (empty($entry['enabled']) || empty($entry['ip']))
-			{
-				continue;
-			}
-
-			$range = trim($entry['ip']);
-
-			// Wildcard: 192.168.1.*
-			if (str_contains($range, '*'))
-			{
-				$pattern = '/^' . str_replace(['.', '*'], ['\\.', '\\d+'], $range) . '$/';
-
-				if (preg_match($pattern, $ip))
-				{
-					return true;
-				}
-
-				continue;
-			}
-
-			// CIDR: 10.0.0.0/8
-			if (str_contains($range, '/'))
-			{
-				[$subnet, $bits] = explode('/', $range, 2);
-				$subnetLong      = ip2long($subnet);
-				$mask            = -1 << (32 - (int) $bits);
-
-				if ($subnetLong !== false && ($ipLong & $mask) === ($subnetLong & $mask))
-				{
-					return true;
-				}
-
-				continue;
-			}
-
-			// Exact match
-			if ($ip === $range)
-			{
-				return true;
-			}
-		}
-
-		return false;
+		return $this->ipMatchesList($_SERVER['REMOTE_ADDR'] ?? '', $entries);
 	}

-	/**
-	 * Override Joomla upload restrictions at runtime.
-	 */
 	private function enforceUploadRestrictions(): void
 	{
 		$types = $this->params->get('upload_allowed_types', '');
@@ -8,7 +8,7 @@
 	<license>GPL-3.0-or-later</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.32.10</version>
+	<version>02.34.00</version>
 	<description>PLG_SYSTEM_MOKOWAAS_MONITOR_DESC</description>
 	<namespace path="src">Moko\Plugin\System\MokoWaaSMonitor</namespace>

@@ -8,7 +8,7 @@
 	<license>GPL-3.0-or-later</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.32.10</version>
+	<version>02.34.00</version>
 	<description>PLG_SYSTEM_MOKOWAAS_TENANT_DESC</description>
 	<namespace path="src">Moko\Plugin\System\MokoWaaSTenant</namespace>

@@ -12,8 +12,8 @@
 	<license>GNU General Public License version 3 or later; see LICENSE</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.32.10</version>
-	<version>02.32.10</version>
+	<version>02.34.00</version>
+	<version>02.34.00</version>
 	<description>PLG_TASK_MOKOWAASDEMO_DESC</description>
 	<namespace path="src">Moko\Plugin\Task\MokoWaaSDemo</namespace>

@@ -12,7 +12,7 @@
 	<license>GNU General Public License version 3 or later; see LICENSE</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.32.10</version>
+	<version>02.34.00</version>
 	<description>PLG_TASK_MOKOWAASSYNC_DESC</description>
 	<namespace path="src">Moko\Plugin\Task\MokoWaaSSync</namespace>

@@ -7,8 +7,8 @@
 	<license>GPL-3.0-or-later</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.32.10</version>
-	<version>02.32.10</version>
+	<version>02.34.00</version>
+	<version>02.34.00</version>
 	<description>Joomla Web Services API routes for MokoWaaS site management — health checks, cache, updates, backups, and site info.</description>
 	<namespace path="src">Moko\Plugin\WebServices\MokoWaaS</namespace>
 	<files>
@@ -7,8 +7,8 @@
 	<license>GPL-3.0-or-later</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.32.10</version>
-	<version>02.32.10</version>
+	<version>02.34.00</version>
+	<version>02.34.00</version>
 	<description>Joomla Web Services API routes for Perfect Publisher (com_autotweet) — channels, posts, requests, rules, and feeds.</description>
 	<namespace path="src">Moko\Plugin\WebServices\PerfectPublisher</namespace>
 	<files>
@@ -8,7 +8,7 @@
 * INGROUP: MokoWaaS
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS
 * PATH: /src/packages/plg_webservices_perfectpublisher/services/provider.php
- * VERSION: 02.32.10
+ * VERSION: 02.34.00
 * BRIEF: DI service provider for Perfect Publisher Web Services plugin
 */

@@ -8,7 +8,7 @@
 * INGROUP: MokoWaaS
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS
 * PATH: /src/packages/plg_webservices_perfectpublisher/src/Extension/PerfectPublisherApi.php
- * VERSION: 02.32.10
+ * VERSION: 02.34.00
 * BRIEF: Web Services API plugin for Perfect Publisher (com_autotweet)
 */

@@ -2,7 +2,7 @@
 <extension type="package" method="upgrade">
 	<name>Package - MokoWaaS</name>
 	<packagename>mokowaas</packagename>
-	<version>02.32.10</version>
+	<version>02.34.00</version>
 	<creationDate>2026-06-02</creationDate>
 	<author>Moko Consulting</author>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
@@ -24,9 +24,12 @@
 		<file type="plugin" id="plg_webservices_perfectpublisher" group="webservices">plg_webservices_perfectpublisher.zip</file>
 		<file type="plugin" id="plg_task_mokowaasdemo" group="task">plg_task_mokowaasdemo.zip</file>
 		<file type="plugin" id="plg_task_mokowaassync" group="task">plg_task_mokowaassync.zip</file>
+		<file type="template" id="mokoonyx" client="site">tpl_mokoonyx.zip</file>
 	</files>

 	<updateservers>
 		<server type="extension" priority="1" name="MokoWaaS Update Server">https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/raw/branch/main/updates.xml</server>
 	</updateservers>
+	<dlid prefix="dlid=" suffix=""/>
+	<blockChildUninstall>true</blockChildUninstall>
 </extension>
@@ -217,6 +217,7 @@ class Pkg_MokowaasInstallerScript
 				$db->quote('mokowaasdemo'),
 				$db->quote('mokowaassync'),
 				$db->quote('perfectpublisher'),
+				$db->quote('mokoonyx'),
 			];

 			$query = $db->getQuery(true)
@@ -481,7 +482,7 @@ class Pkg_MokowaasInstallerScript
 				'published' => 1,
 				'module'    => 'mod_mokowaas_cpanel',
 				'access'    => 6, // Super Users only
-				'showtitle' => 1,
+				'showtitle' => 0,
 				'params'    => '{"show_health":"1","show_plugins":"1"}',
 				'client_id' => 1, // Administrator
 				'language'  => '*',
@@ -1,21 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<updates>
-	<update>
-		<name>Package - MokoWaaS</name>
-		<description>MokoWaaS site management suite</description>
-		<element>pkg_mokowaas</element>
-		<type>package</type>
-		<version>02.32.00</version>
-		<infourl title="MokoWaaS">https://mokoconsulting.tech</infourl>
-		<downloads>
-			<downloadurl type="full" format="zip">https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/download/v02.32.00/pkg_mokowaas-02.32.00.zip</downloadurl>
-		</downloads>
-		<tags>
-			<tag>stable</tag>
-		</tags>
-		<maintainer>Moko Consulting</maintainer>
-		<maintainerurl>https://mokoconsulting.tech</maintainerurl>
-		<targetplatform name="joomla" version="5\.[0-9]" />
-		<php_minimum>8.1</php_minimum>
-	</update>
-</updates>